From: Amy Griffis <amy.griffis@hp.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: [PATCH] make set_loginuid obey audit_enabled
Date: Tue, 13 Jun 2006 17:39:55 -0400 [thread overview]
Message-ID: <20060613213955.GA30658@zk3.dec.com> (raw)
In-Reply-To: <200606120748.28174.sgrubb@redhat.com>
Steve Grubb wrote: [Mon Jun 12 2006, 07:48:28AM EDT]
> I was doing some testing and noticed that when the audit system was disabled,
> I was still getting messages about the loginuid being set. The following patch
> makes audit_set_loginuid look at in_syscall to determine if it should create
> an audit event. The loginuid will continue to be set as long as there is a context.
Do we really want to do away with these records? The loginuid is used
in several records that can be logged even with syscall auditing
disabled, e.g. AUDIT_CONFIG_CHANGE records generated by AUDIT_SET
operations.
It seems like we would want the LOGIN records for a complete trail of
what happened.
> Signed-off-by: Steve Grubb <sgrubb@redhat.com>
>
>
> diff -urp linux-2.6.16.x86_64.orig/kernel/auditsc.c linux-2.6.16.x86_64/kernel/auditsc.c
> --- linux-2.6.16.x86_64.orig/kernel/auditsc.c 2006-06-10 14:01:20.000000000 -0400
> +++ linux-2.6.16.x86_64/kernel/auditsc.c 2006-06-10 14:00:14.000000000 -0400
> @@ -1275,18 +1275,23 @@ void auditsc_get_stamp(struct audit_cont
> */
> int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
> {
> - if (task->audit_context) {
> - struct audit_buffer *ab;
> + struct audit_context *context = task->audit_context;
>
> - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
> - if (ab) {
> - audit_log_format(ab, "login pid=%d uid=%u "
> - "old auid=%u new auid=%u",
> - task->pid, task->uid,
> - task->audit_context->loginuid, loginuid);
> - audit_log_end(ab);
> + if (context) {
> + /* Only log if audit is enabled */
> + if (context->in_syscall) {
> + struct audit_buffer *ab;
> +
> + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
> + if (ab) {
> + audit_log_format(ab, "login pid=%d uid=%u "
> + "old auid=%u new auid=%u",
> + task->pid, task->uid,
> + context->loginuid, loginuid);
> + audit_log_end(ab);
> + }
> }
> - task->audit_context->loginuid = loginuid;
> + context->loginuid = loginuid;
> }
> return 0;
> }
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>
next prev parent reply other threads:[~2006-06-13 21:39 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-06-12 11:48 [PATCH] make set_loginuid obey audit_enabled Steve Grubb
2006-06-13 21:39 ` Amy Griffis [this message]
2006-06-13 22:08 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060613213955.GA30658@zk3.dec.com \
--to=amy.griffis@hp.com \
--cc=linux-audit@redhat.com \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox