From mboxrd@z Thu Jan  1 00:00:00 1970
From: Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
Subject: [PATCH] [AUDIT] Fix ANOM_PROMISCUOUS message format
Date: Thu, 10 Jan 2008 15:25:23 -0200
Message-ID: <1199985923.7836.63.camel@klausk.br.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Return-path: <linux-audit-bounces@redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: eparis@redhat.com, "sgrubb@redhat.com" <sgrubb@redhat.com>, "Linux-audit@redhat.com" <Linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

Steve, as we talked earlier through IRC, ausearch/aureport are expecting
the kernel anomalies messages to have auid=3D uid=3D gid=3D fields (in th=
is
order). This quick patch changes the ANOM_PROMISCUOUS message to the
correct format (as already used by ANOM_ABEND).

Applies on 2.6.24-rc7 from the audit.git tree
=EF=BB=BF
--=20
Klaus Heinrich Kiwi
Security Development - IBM Linux Technology Center

--

Fix ANOM_PROMISCUOUS message to the format as expected by
audit userspace: auid=3D%u uid=3D%u gid=3D%u [...]

Signed-off-by: Klaus Heinrich Kiwi <klausk@br.ibm.com>
---
 net/core/dev.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/core/dev.c b/net/core/dev.c
index 0848da3..cd49cd0 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2759,10 +2759,11 @@ static void __dev_set_promiscuity(struct net_devi=
ce *dev, int inc)
 							       "left");
 		audit_log(current->audit_context, GFP_ATOMIC,
 			AUDIT_ANOM_PROMISCUOUS,
-			"dev=3D%s prom=3D%d old_prom=3D%d auid=3D%u ses=3D%u",
+			"auid=3D%u uid=3D%u gid=3D%u dev=3D%s prom=3D%d old_prom=3D%d ses=3D%=
u",
+			audit_get_loginuid(current->audit_context),
+			current->uid, current->gid,
 			dev->name, (dev->flags & IFF_PROMISC),
 			(old_flags & IFF_PROMISC),
-			audit_get_loginuid(current->audit_context),
 			audit_get_sessionid(current->audit_context));
=20
 		if (dev->change_rx_flags)
--=20
1.5.3.7