* [PATCH] make set_loginuid obey audit_enabled
@ 2006-06-12 11:48 Steve Grubb
2006-06-13 21:39 ` Amy Griffis
0 siblings, 1 reply; 3+ messages in thread
From: Steve Grubb @ 2006-06-12 11:48 UTC (permalink / raw)
To: linux-audit
Hi,
I was doing some testing and noticed that when the audit system was disabled,
I was still getting messages about the loginuid being set. The following patch
makes audit_set_loginuid look at in_syscall to determine if it should create
an audit event. The loginuid will continue to be set as long as there is a context.
Signed-off-by: Steve Grubb <sgrubb@redhat.com>
diff -urp linux-2.6.16.x86_64.orig/kernel/auditsc.c linux-2.6.16.x86_64/kernel/auditsc.c
--- linux-2.6.16.x86_64.orig/kernel/auditsc.c 2006-06-10 14:01:20.000000000 -0400
+++ linux-2.6.16.x86_64/kernel/auditsc.c 2006-06-10 14:00:14.000000000 -0400
@@ -1275,18 +1275,23 @@ void auditsc_get_stamp(struct audit_cont
*/
int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
{
- if (task->audit_context) {
- struct audit_buffer *ab;
+ struct audit_context *context = task->audit_context;
- ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
- if (ab) {
- audit_log_format(ab, "login pid=%d uid=%u "
- "old auid=%u new auid=%u",
- task->pid, task->uid,
- task->audit_context->loginuid, loginuid);
- audit_log_end(ab);
+ if (context) {
+ /* Only log if audit is enabled */
+ if (context->in_syscall) {
+ struct audit_buffer *ab;
+
+ ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
+ if (ab) {
+ audit_log_format(ab, "login pid=%d uid=%u "
+ "old auid=%u new auid=%u",
+ task->pid, task->uid,
+ context->loginuid, loginuid);
+ audit_log_end(ab);
+ }
}
- task->audit_context->loginuid = loginuid;
+ context->loginuid = loginuid;
}
return 0;
}
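Review bot: The new test `if (context->in_syscall)` does not match its own comment, "Only log if audit is enabled", or the patch subject, which names audit_enabled. As written, the AUDIT_LOGIN record is skipped whenever in_syscall is zero for this context, while `context->loginuid = loginuid;` still runs, so the loginuid can change with no record of the old and new auid. If the intent is to follow the global enable flag, test that flag directly; if in_syscall is a deliberate proxy for it, the comment should say why the two are equivalent at this point.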
* Re: [PATCH] make set_loginuid obey audit_enabled
From: Amy Griffis @ 2006-06-13 21:39 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
Steve Grubb wrote: [Mon Jun 12 2006, 07:48:28AM EDT]
> I was doing some testing and noticed that when the audit system was disabled,
> I was still getting messages about the loginuid being set. The following patch
> makes audit_set_loginuid look at in_syscall to determine if it should create
> an audit event. The loginuid will continue to be set as long as there is a context.
Do we really want to do away with these records? The loginuid is used
in several records that can be logged even with syscall auditing
disabled, e.g. AUDIT_CONFIG_CHANGE records generated by AUDIT_SET
operations.
It seems like we would want the LOGIN records for a complete trail of
what happened.
> Signed-off-by: Steve Grubb <sgrubb@redhat.com>
>
>
> diff -urp linux-2.6.16.x86_64.orig/kernel/auditsc.c linux-2.6.16.x86_64/kernel/auditsc.c
> --- linux-2.6.16.x86_64.orig/kernel/auditsc.c 2006-06-10 14:01:20.000000000 -0400
> +++ linux-2.6.16.x86_64/kernel/auditsc.c 2006-06-10 14:00:14.000000000 -0400
> @@ -1275,18 +1275,23 @@ void auditsc_get_stamp(struct audit_cont
> */
> int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
> {
> - if (task->audit_context) {
> - struct audit_buffer *ab;
> + struct audit_context *context = task->audit_context;
>
> - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
> - if (ab) {
> - audit_log_format(ab, "login pid=%d uid=%u "
> - "old auid=%u new auid=%u",
> - task->pid, task->uid,
> - task->audit_context->loginuid, loginuid);
> - audit_log_end(ab);
> + if (context) {
> + /* Only log if audit is enabled */
> + if (context->in_syscall) {
> + struct audit_buffer *ab;
> +
> + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
> + if (ab) {
> + audit_log_format(ab, "login pid=%d uid=%u "
> + "old auid=%u new auid=%u",
> + task->pid, task->uid,
> + context->loginuid, loginuid);
> + audit_log_end(ab);
> + }
> }
> - task->audit_context->loginuid = loginuid;
> + context->loginuid = loginuid;
> }
> return 0;
> }
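Review bot: The function's header comment, which ends at the unchanged `*/` line at the top of the hunk, is left untouched even though the function now has a path that sets the loginuid without emitting a LOGIN record. Please update that comment to state when the record is written and when it is not, and note in the changelog that records logged later with syscall auditing disabled will carry the new auid with no preceding LOGIN record, so the trade-off is visible to anyone reading the trail.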
* Re: [PATCH] make set_loginuid obey audit_enabled
From: Steve Grubb @ 2006-06-13 22:08 UTC (permalink / raw)
To: Amy Griffis; +Cc: linux-audit
On Tuesday 13 June 2006 17:39, Amy Griffis wrote:
> It seems like we would want the LOGIN records for a complete trail of
> what happened.
When audit is enabled, I think so. Otherwise they spam the console because
that's what syslog does with them. With audit disabled, you can already make
other changes with no record. This patch just makes it consistent with all
the other pieces.
-Steve