From: Paul Moore <paul.moore@hp.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: Checking for audit_enabled in the kernel
Date: Tue, 14 Nov 2006 15:57:23 -0500
Message-ID: <455A2DB3.7040206@hp.com>
In-Reply-To: <200611141401.48925.sgrubb@redhat.com>

Steve Grubb wrote:
> On Tuesday 14 November 2006 12:48, Paul Moore wrote:
>
>>I'm trying to find a way to quickly determine if auditing is enabled and it
>>looks like the only real way to do that is to declare audit_enabled as an
>>extern and check the variable directly. Is there some interface for this
>>that I am missing?
>
> A good example of how to do this is in audit.h:
>
> static inline int audit_ipc_obj(struct kern_ipc_perm *ipcp)
> {
> 	if (unlikely(!audit_dummy_context()))
> 		return __audit_ipc_obj(ipcp);
> 	return 0;
> }
>
> __audit_ipc_obj is the real function that does the actual work. The
> audit_dummy_context() function uses current, so it may not be suitable to use
> on events that come from netlink. In that case, we'd need a new function that
> takes a task struct.

From what I can tell audit_dummy_context() is really only useful in detecting if
syscall auditing is enabled (it always returns true if CONFIG_AUDITSYSCALL is
not checked at compile time) and not audit in general. I'm pretty sure I want
something that depends on audit in general and not just syscall auditing.
--
paul moore
linux security @ hp