From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Richard Guy Briggs <rgb@redhat.com>
Subject: Re: [PATCH v2] audit: add feature audit_lost reset
Date: Thu, 15 Dec 2016 19:22:19 -0500
Message-ID: <1803050.hqkP3u55ii@x2>
In-Reply-To: <CAHC9VhQwVKTmFnYUmOAHSv5RfPs_BYaHcpzxcMyMfWm-kKuHXA@mail.gmail.com>
On Thursday, December 15, 2016 3:39:16 PM EST Paul Moore wrote:
> On Sat, Dec 10, 2016 at 6:52 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > Add a method to reset the audit_lost value.
> >
> > An AUDIT_SET message with the AUDIT_STATUS_LOST flag set by itself
> > will return a positive value representing the current audit_lost value
> > and reset the counter to zero. If AUDIT_STATUS_LOST is not the
> > only flag set, the reset command will be ignored. The value sent with
> > the command is ignored.
> >
> > An AUDIT_LOST_RESET message will be sent to the listening audit daemon.
> > The data field will contain a u32 with the positive value of the
> > audit_lost value when it was reset.
> >
> > See: https://github.com/linux-audit/audit-kernel/issues/3
> >
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> >
> > include/uapi/linux/audit.h | 2 ++
> > kernel/audit.c | 8 +++++++-
> > 2 files changed, 9 insertions(+), 1 deletions(-)
> >
> > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > index 208df7b..6d38bff 100644
> > --- a/include/uapi/linux/audit.h
> > +++ b/include/uapi/linux/audit.h
> > @@ -70,6 +70,7 @@
> >
> > #define AUDIT_TTY_SET 1017 /* Set TTY auditing status */
> > #define AUDIT_SET_FEATURE 1018 /* Turn an audit feature on or off
> > */ #define AUDIT_GET_FEATURE 1019 /* Get which features are
> > enabled */>
> > +#define AUDIT_LOST_RESET 1020 /* Reset the audit_lost value */
> >
> > #define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages mostly
> > uninteresting to kernel */ #define AUDIT_USER_AVC 1107 /* We
> > filter this differently */>
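Review bot: the comment on the new `AUDIT_LOST_RESET 1020` line reads as if it were a request type, but the commit message says the reset is requested through `AUDIT_SET` with `AUDIT_STATUS_LOST`, and 1020 is only the type of the reply that carries the old counter. The neighbouring `AUDIT_TTY_SET`, `AUDIT_SET_FEATURE` and `AUDIT_GET_FEATURE` entries are all things userspace sends, so say so in the comment, e.g. `/* Reply: audit_lost value that was just reset (u32) */`, so readers of the uapi header do not try to send it.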
> > @@ -325,6 +326,7 @@ enum {
> >
> > #define AUDIT_STATUS_RATE_LIMIT 0x0008
> > #define AUDIT_STATUS_BACKLOG_LIMIT 0x0010
> > #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
> >
> > +#define AUDIT_STATUS_LOST 0x0040
> >
> > #define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
> > #define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
> >
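Review bot: `AUDIT_STATUS_LOST 0x0040` joins the mask bits that callers combine freely, yet the commit message says it only takes effect when it is the only bit set and is otherwise ignored; that constraint belongs next to the define (and a combined mask arguably deserves -EINVAL rather than silence), since the header is the only documentation most callers read. Also consider a bit in the `AUDIT_FEATURE_BITMAP_*` list directly below, so userspace can tell whether the kernel understands the reset instead of having to attempt it and inspect the result.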
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index f1ca116..19cfee0 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -122,7 +122,7 @@
> >
> > 3) suppressed due to audit_rate_limit
> > 4) suppressed due to audit_backlog_limit
> >
> > */
> >
> > -static atomic_t audit_lost = ATOMIC_INIT(0);
> > +static atomic_t audit_lost = ATOMIC_INIT(0);
> >
> > /* The netlink socket. */
> > static struct sock *audit_sock;
> >
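Review bot: the removed and added `static atomic_t audit_lost = ATOMIC_INIT(0);` lines are identical as posted, so this hunk is either a whitespace-only change or the real difference was lost in transit; if it is whitespace, drop it from this patch (or mention it in the commit message) so the diff carries only the functional change.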
> > @@ -920,6 +920,12 @@ static int audit_receive_msg(struct sk_buff *skb,
> > struct nlmsghdr *nlh)>
> > if (err < 0)
> >
> > return err;
> >
> > }
> >
> > + if (s.mask == AUDIT_STATUS_LOST) {
> > + u32 lost = atomic_xchg(&audit_lost, 0);
> > +
> > + audit_send_reply(skb, seq, AUDIT_LOST_RESET, 0, 0,
> > &lost, sizeof(lost));
> I'm not sure it makes much sense to both return the lost value as a
> netlink return code as well as send a separate netlink message back to
> the controlling task with the same information. What I meant earlier
> was that we would emit an audit record, similar to
> audit_log_config_change(), so that the audit log would not only have
> information that the status count was reset, but also the subject
> information necessary to associate the action with an individual.
>
> Does that make sense?
I'm planning to replace all the config change logging with the
audit_log_task_simple function I sent so that we have everything. Can we go
ahead and pull that in so that we can start using it?
Thanks,
-Steve
> > + return lost;
> > + }
> >
> > break;
> >
> > }
> >
> > case AUDIT_GET_FEATURE:
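Review bot: `return lost;` hands a `u32` back through the `int` return of `audit_receive_msg()`, so a counter with the top bit set would come back negative and be indistinguishable from an error code by the caller; clamp it, or rely on the `AUDIT_LOST_RESET` reply alone and return 0 here. The reset is also performed before anything is logged: `atomic_xchg(&audit_lost, 0)` runs even if delivering the reply fails, so the old count is gone with no record of which task cleared it, which is the audit-record point raised above.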
> > --
> > 1.7.1
> >
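The request/reply exchange the commit message describes, as an added example that is not the patch's or the audit project's code: it assumes the v2 values as posted (`AUDIT_LOST_RESET` 1020, `AUDIT_STATUS_LOST` 0x0040), which may differ from what was finally merged, and mirrors the uapi `nlmsghdr` and `audit_status` layouts as local structs so it compiles without kernel headers and never opens a socket.

```c
/* Added example, not from the patch or the audit project. Layouts mirror uapi
 * nlmsghdr and audit_status so this needs no kernel headers and no socket. */
#include <stdint.h>
#include <string.h>
#define AUDIT_SET            1001    /* uapi: set audit status */
#define AUDIT_LOST_RESET     1020    /* from the v2 patch: reply type */
#define AUDIT_STATUS_ENABLED 0x0001  /* uapi mask bit */
#define AUDIT_STATUS_LOST    0x0040  /* from the v2 patch: mask bit */
struct nlhdr { uint32_t len; uint16_t type, flags; uint32_t seq, pid; };
struct audit_status { uint32_t mask, enabled, failure, pid, rate_limit,
    backlog_limit, lost, backlog, feature_bitmap, backlog_wait_time; };
struct lost_reset_req { struct nlhdr nlh; struct audit_status s; };

/* Userspace: mask must be AUDIT_STATUS_LOST alone; the kernel ignores the
 * value in s.lost, so it stays zero. Returns the number of bytes to send. */
size_t build_lost_reset(struct lost_reset_req *req, uint32_t seq)
{
    memset(req, 0, sizeof *req);
    req->nlh.len = sizeof *req;
    req->nlh.type = AUDIT_SET;
    req->nlh.flags = 1;              /* NLM_F_REQUEST */
    req->nlh.seq = seq;
    req->s.mask = AUDIT_STATUS_LOST;
    return sizeof *req;
}

/* Mirrors the patch's `s.mask == AUDIT_STATUS_LOST` test: any extra
 * AUDIT_STATUS_* bit makes the kernel skip the reset without an error. */
int kernel_would_reset(const struct audit_status *s) { return s->mask == AUDIT_STATUS_LOST; }

/* Kernel side as the commit message describes it (constructed reply):
 * type AUDIT_LOST_RESET, payload one u32 holding the count just zeroed. */
size_t make_lost_reset_reply(uint8_t *buf, uint32_t seq, uint32_t lost)
{
    struct nlhdr h = { sizeof h + sizeof lost, AUDIT_LOST_RESET, 0, seq, 0 };
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, &lost, sizeof lost);
    return sizeof h + sizeof lost;
}

/* Userspace: check length and type before trusting the payload. */
int parse_lost_reset_reply(const uint8_t *buf, size_t len, uint32_t *lost)
{
    struct nlhdr h;
    if (len < sizeof h) return -1;
    memcpy(&h, buf, sizeof h);
    if (h.len > len || h.len < sizeof h + sizeof *lost || h.type != AUDIT_LOST_RESET) return -1;
    memcpy(lost, buf + sizeof h, sizeof *lost);
    return 0;
}
```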