From: Alexander Viro
Subject: Re: Audit issue
Date: Thu, 8 Nov 2007 09:19:26 -0500
Message-ID: <20071108141926.GA28304@devserv.devel.redhat.com>
References: <200710301248.24261.sgrubb@redhat.com> <200710301907.29505.sgrubb@redhat.com> <20071030231525.GG12499@devserv.devel.redhat.com> <200710311740.19981.sgrubb@redhat.com>
In-Reply-To: <200710311740.19981.sgrubb@redhat.com>
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wed, Oct 31, 2007 at 05:40:19PM -0400, Steve Grubb wrote:
> On Tuesday 30 October 2007 07:15:25 pm Alexander Viro wrote:
> > On Tue, Oct 30, 2007 at 07:07:29PM -0400, Steve Grubb wrote:
> > > On Tuesday 30 October 2007 03:04:54 pm Eric Paris wrote:
> > > > why is it acceptable to mandate audit=1 in grub but not to mandate
> > > > 'don't use auditctl -e 0' ??
> > >
> > > It's not that audit=1 is mandated. It's recommended. In the other case,
> > > temporarily taking the audit system offline should in no way impair the
> > > ability to start auditing again. It is required that an admin be able to
> > > track any users in the system if they are accessing files or attempting
> > > to make privileged calls.
> >
> > Ahem... If you have it disabled for a while, what's going to do the
> > tracking until you reenable it?

Have fun...

diff --git a/kernel/audit.c b/kernel/audit.c index f93c271..83227f8 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -70,6 +70,7 @@ static int audit_initialized; * 1 - auditing enabled * 2 - auditing enabled and configuration is locked/unchangeable. */ int audit_enabled; +int audit_ever_enabled; /* Default state when kernel boots without any parameters. */ static int audit_default;
@@ -340,8 +341,10 @@ static int audit_set_enabled(int state, uid_t loginuid, u32 sid) state, old, loginuid, res); /* If we are allowed, make the change */ - if (res == 1) + if (res == 1) { audit_enabled = state; + audit_ever_enabled |= !!state; + } /* Not allowed, update reason */ else if (rc == 0) rc = -EPERM; @@ -965,6 +968,7 @@ static int __init audit_init(void) skb_queue_head_init(&audit_skb_queue); audit_initialized = 1; audit_enabled = audit_default; + audit_ever_enabled |= !!audit_default; /* Register the callback with selinux. This callback will be invoked * when a new policy is loaded. */ @@ -992,8 +996,10 @@ static int __init audit_enable(char *str) printk(KERN_INFO "audit: %s%s\n", audit_default ? "enabled" : "disabled", audit_initialized ? "" : " (after initialization)"); - if (audit_initialized) + if (audit_initialized) { audit_enabled = audit_default; + audit_ever_enabled |= !!audit_default; + } return 1; } diff --git a/kernel/auditsc.c b/kernel/auditsc.c index bce9ecd..250f00f 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -70,6 +70,7 @@ #include "audit.h" extern struct list_head audit_filter_list[]; +extern int audit_ever_enabled; /* AUDIT_NAMES is the number of slots we reserve in the audit_context * for saving names from getname(). */ @@ -814,7 +815,7 @@ int audit_alloc(struct task_struct *tsk) struct audit_context *context; enum audit_state state; - if (likely(!audit_enabled)) + if (likely(!audit_ever_enabled)) return 0; /* Return if not auditing. */ state = audit_filter_task(tsk);
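Review bot: in the kernel/audit.c hunk at line 70, the new `int audit_ever_enabled;` lands directly under the comment block that documents the 0/1/2 states of `audit_enabled`, but that comment is not extended to say what the new flag means or that it is sticky (it is only ever OR-ed in `audit_set_enabled`, `audit_init` and `audit_enable`, never cleared). Suggest a one-line comment such as `/* Set once auditing has ever been enabled; never cleared. */` above the definition so the next reader does not mistake it for a second copy of `audit_enabled`. The `audit_ever_enabled |= !!state;` in `audit_set_enabled` is correctly placed inside the `res == 1` branch, so a rejected change cannot set the flag, and `!!state` handles state 2 (enabled and locked) as well as 1.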
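Review bot: in the kernel/auditsc.c hunks, `extern int audit_ever_enabled;` is declared as a file-local extern next to `extern struct list_head audit_filter_list[];` rather than in the shared audit header; a declaration in the header keeps the definition in audit.c and its users in one place and avoids a silent type mismatch if the definition ever changes. The `audit_alloc` change from `!audit_enabled` to `!audit_ever_enabled` means that once auditing has been switched on, every task forked afterwards gets `audit_filter_task` run and an audit_context allocated even while auditing is off via `auditctl -e 0`; that is the intended trade-off (tasks created during the off window stay auditable after re-enable), but it is an always-on cost from the first enable onward and deserves a sentence in the changelog. Tasks forked before the first enable still get no context, as before, so the flag does not retroactively cover them.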