From: Amy Griffis <amy.griffis@hp.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: [PATCH] make set_loginuid obey audit_enabled
Date: Tue, 13 Jun 2006 17:39:55 -0400
Message-ID: <20060613213955.GA30658@zk3.dec.com>
In-Reply-To: <200606120748.28174.sgrubb@redhat.com>

Steve Grubb wrote:     [Mon Jun 12 2006, 07:48:28AM EDT]
> I was doing some testing and noticed that when the audit system was disabled,
> I was still getting messages about the loginuid being set. The following patch
> makes audit_set_loginuid look at in_syscall to determine if it should create
> an audit event. The loginuid will continue to be set as long as there is a context.

Do we really want to do away with these records?  The loginuid is used
in several records that can be logged even with syscall auditing
disabled, e.g. AUDIT_CONFIG_CHANGE records generated by AUDIT_SET
operations.

It seems like we would want the LOGIN records for a complete trail of
what happened.

> Signed-off-by: Steve Grubb <sgrubb@redhat.com>
> 
> 
> diff -urp linux-2.6.16.x86_64.orig/kernel/auditsc.c linux-2.6.16.x86_64/kernel/auditsc.c
> --- linux-2.6.16.x86_64.orig/kernel/auditsc.c	2006-06-10 14:01:20.000000000 -0400
> +++ linux-2.6.16.x86_64/kernel/auditsc.c	2006-06-10 14:00:14.000000000 -0400
> @@ -1275,18 +1275,23 @@ void auditsc_get_stamp(struct audit_cont
>   */
>  int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
>  {
> -	if (task->audit_context) {
> -		struct audit_buffer *ab;
> +	struct audit_context *context = task->audit_context;
>  
> -		ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
> -		if (ab) {
> -			audit_log_format(ab, "login pid=%d uid=%u "
> -				"old auid=%u new auid=%u",
> -				task->pid, task->uid, 
> -				task->audit_context->loginuid, loginuid);
> -			audit_log_end(ab);
> +	if (context) {
> +		/* Only log if audit is enabled */
> +		if (context->in_syscall) {
> +			struct audit_buffer *ab;
> +
> +			ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
> +			if (ab) {
> +				audit_log_format(ab, "login pid=%d uid=%u "
> +					"old auid=%u new auid=%u",
> +					task->pid, task->uid, 
> +					context->loginuid, loginuid);
> +				audit_log_end(ab);
> +			}
>  		}
> -		task->audit_context->loginuid = loginuid;
> +		context->loginuid = loginuid;
>  	}
>  	return 0;
>  }
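
Review bot: The new comment "Only log if audit is enabled" does not match the condition it annotates, `if (context->in_syscall)`, which tests a field of this task's audit context rather than the audit_enabled setting named in the subject line. Either test the enabled setting directly or reword the comment to say why in_syscall is the right proxy here. Also, `context->loginuid = loginuid;` stays outside the new check, so whenever the condition is false the auid changes with no AUDIT_LOGIN record of the old and new values; if that is intended, the comment above the function should say so. Minor: the `task->pid, task->uid, ` line still carries the trailing whitespace from the old code.
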
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
> 
