From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: [PATCH] loginuid change logging details
Date: Mon, 03 Feb 2014 11:40:18 -0500
Message-ID: <1680756.PSuA4J7jzE@x2>
References: <cover.1389996576.git.rgb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <cover.1389996576.git.rgb@redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Friday, January 17, 2014 06:34:56 PM Richard Guy Briggs wrote:
> I missed posting this before the holidays.  I discovered this while adding
> other information to other message types.
> 
> It seemed to me that loginuid changes were significantly missing context
> references.  This patch adds that.  Is this sufficient, or is there more
> information missing too?  If this is sufficient, stop reading this cover
> letter and review the patch.  If it is not sufficient, keep reading
> below...
> 
> The question has been raised that perhaps we should be switching this to use
> audit_log_task_info() istead which adds a whole lot more information about
> this task.
> 
> In the existing message
> 	pid
> 	uid
> are already given, before
> 	old-auid
> 	new-auid
> 	old-ses
> 	new-ses

I'd rather have old-auid/ses and auid/ses so that I don't have to expand 
everything to start looking for 'new-' variants. think of all the values as 
current as of when the syscall completes successfully and the proposed values 
if denied.

-Steve


> The function audit_log_task_info() gives:
> 	ppid
> 	pid
> 	auid
> 	uid
> 	gid
> 	euid
> 	suid
> 	fsuid
> 	egid
> 	sgid
> 	fsgid
> 	tty
> 	ses
>         comm
> 	exe
> 	res
> .
> 
> So,
> 	pid
> 	uid
> are in the right order, along with
> 	new-auid (auid)
> 	new-ses (ses)
> but if we give the
> 	old-auid
> 	old-ses
> values first, then call audit_log_task_info(), the old values will preceed
> 	pid
> 	uid
> .
> 
> Is this re-ordering acceptable to gain more information and reduce code
> duplicity?
> 
> 
> Richard Guy Briggs (1):
>   audit: log task context when setting loginuid
> 
>  kernel/auditsc.c |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)