From: Steve Grubb <sgrubb@redhat.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: [PATCH V4] audit: add feature audit_lost reset
Date: Thu, 09 Feb 2017 09:50:01 -0500 [thread overview]
Message-ID: <20092427.pZjD69TQYp@x2> (raw)
In-Reply-To: <20170209140657.GM26855@madcap2.tricolour.ca>
On Thursday, February 9, 2017 9:06:57 AM EST Richard Guy Briggs wrote:
> On 2017-01-13 10:48, Steve Grubb wrote:
> > On Friday, January 13, 2017 3:26:29 AM EST Richard Guy Briggs wrote:
> > > Add a method to reset the audit_lost value.
> > >
> > > An AUDIT_SET message with the AUDIT_STATUS_LOST flag set by itself
> > > will return a positive value repesenting the current audit_lost value
> > > and reset the counter to zero. If AUDIT_STATUS_LOST is not the
> > > only flag set, the reset command will be ignored. The value sent with
> > > the command is ignored. The return value will be the +ve lost value at
> > > reset time.
> > >
> > > An AUDIT_CONFIG_CHANGE message will be queued to the listening audit
> > > daemon. The message will be a standard CONFIG_CHANGE message with the
> > > fields "lost=0" and "old=" with the latter containing the value of
> > > audit_lost at reset time.
> >
> > This passes testing and event looks good.
>
> Did you create a formal test for it or just test it manually?
I tested this by building a kernel and testing it by hand.
-Steve
> > Acked-by: Steve Grubb <sgrubb@redhat.com>
> >
> > This clears the way for audit-2.7.1 release today.
> >
> > -Steve
> >
> > > See: https://github.com/linux-audit/audit-kernel/issues/3
> > >
> > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > > ---
> > > There is a merge conflict anticipated with the exclude filter
> > > FEATURE_BITMAP patch (ghak5)
> > >
> > > v2:
> > > Switch from AUDIT_GET to AUDIT_SET
> > > Remove AUDIT_FEATURE and AUDIT_FEATURE_BITMAP
> > > Return +ve lost value, reply AUDIT_LOST_RESET msg to sender
> > >
> > > v3:
> > > Switch, from reply to sender, to queue to audit log
> > >
> > > v4:
> > > Switch from LOST_RESET to CONFIG_CHANGE log msg
> > > Re-add AUDIT_FEATURE_BITMASK
> > >
> > > ---
> > > ---
> > >
> > > include/uapi/linux/audit.h | 6 +++++-
> > > kernel/audit.c | 8 +++++++-
> > > 2 files changed, 12 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > > index c8dc97b..3f24110 100644
> > > --- a/include/uapi/linux/audit.h
> > > +++ b/include/uapi/linux/audit.h
> > > @@ -326,15 +326,19 @@ enum {
> > >
> > > #define AUDIT_STATUS_RATE_LIMIT 0x0008
> > > #define AUDIT_STATUS_BACKLOG_LIMIT 0x0010
> > > #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
> > >
> > > +#define AUDIT_STATUS_LOST 0x0040
> > >
> > > #define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
> > > #define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
> > > #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
> > > #define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
> > >
> > > +#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
> > > +
> > >
> > > #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT |
> > > \
> > >
> > > AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
> > > AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH | \
> > >
> > > - AUDIT_FEATURE_BITMAP_SESSIONID_FILTER)
> > > + AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
> > > + AUDIT_FEATURE_BITMAP_LOST_RESET)
> > >
> > > /* deprecated: AUDIT_VERSION_* */
> > > #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
> > >
> > > diff --git a/kernel/audit.c b/kernel/audit.c
> > > index 57acf25..25dd70a 100644
> > > --- a/kernel/audit.c
> > > +++ b/kernel/audit.c
> > > @@ -121,7 +121,7 @@ u32 audit_sig_sid = 0;
> > >
> > > 3) suppressed due to audit_rate_limit
> > > 4) suppressed due to audit_backlog_limit
> > >
> > > */
> > >
> > > -static atomic_t audit_lost = ATOMIC_INIT(0);
> > > +static atomic_t audit_lost = ATOMIC_INIT(0);
> > >
> > > /* The netlink socket. */
> > > static struct sock *audit_sock;
> > >
> > > @@ -1052,6 +1052,12 @@ static int audit_receive_msg(struct sk_buff *skb,
> > > struct nlmsghdr *nlh) if (err < 0)
> > >
> > > return err;
> > >
> > > }
> > >
> > > + if (s.mask == AUDIT_STATUS_LOST) {
> > > + u32 lost = atomic_xchg(&audit_lost, 0);
> > > +
> > > + audit_log_config_change("lost", 0, lost, 1);
> > > + return lost;
> > > + }
> > >
> > > break;
> > >
> > > }
>
> > > case AUDIT_GET_FEATURE:
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Kernel Security Engineering, Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635
next prev parent reply other threads:[~2017-02-09 14:50 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-13 8:26 [PATCH V4] audit: add feature audit_lost reset Richard Guy Briggs
2017-01-13 15:48 ` Steve Grubb
2017-02-09 14:06 ` Richard Guy Briggs
2017-02-09 14:50 ` Steve Grubb [this message]
2017-02-09 15:49 ` Richard Guy Briggs
2017-02-09 15:52 ` Steve Grubb
2017-02-09 17:10 ` Richard Guy Briggs
2017-01-18 20:00 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20092427.pZjD69TQYp@x2 \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
--cc=rgb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.