From mboxrd@z Thu Jan  1 00:00:00 1970
From: Richard Guy Briggs <rgb@redhat.com>
Subject: Re: logging changes in tty logging status
Date: Thu, 14 Nov 2013 09:16:15 -0500
Message-ID: <20131114141615.GN24236@madcap2.tricolour.ca>
References: <20131113200418.GD16367@madcap2.tricolour.ca>
	<9487947.oMiZKbm04c@x2>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Content-Disposition: inline
In-Reply-To: <9487947.oMiZKbm04c@x2>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wed, Nov 13, 2013 at 03:22:49PM -0500, Steve Grubb wrote:
> On Wednesday, November 13, 2013 03:04:18 PM Richard Guy Briggs wrote:
> > Hi Steve,
> > 
> > I'm reviewing audit_receive_msg() and noticing that the AUDIT_TTY_SET
> > case doesn't log a configuration change.  Should it?
> 
> Yes, it should. Any change in config should be recorded with subject, old 
> value, new value, and results. It should match other config change events.

So perhaps something like this, but should probably re-structure the
code to make it cleaner and re-factor a formatting function...

Any opinion on the labels/tags?

diff --git a/kernel/audit.c b/kernel/audit.c
index 7b0e23a..cba0109 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -829,18 +829,36 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 	case AUDIT_TTY_SET: {
 		struct audit_tty_status s;
 		struct task_struct *tsk = current;
+		struct audit_buffer	*ab;
 
 		memset(&s, 0, sizeof(s));
 		/* guard against past and future API changes */
 		memcpy(&s, data, min(sizeof(s), (size_t)nlh->nlmsg_len));
+		audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE);
+		audit_log_format(ab, " old.audit_tty_status.enabled=%d"
+				 " old.audit_tty_status.log_passwd=%d",
+				 tsk->signal->audit_tty,
+				 tsk->signal->audit_tty_log_passwd);
+		audit_log_format(ab, " new.audit_tty_status.enabled=%d"
+				 " new.audit_tty_status.log_passwd=%d",
+				 s.enabled, s.log_passwd);
 		if ((s.enabled != 0 && s.enabled != 1) ||
 		    (s.log_passwd != 0 && s.log_passwd != 1))
-			return -EINVAL;
+{
+			audit_log_format(ab, " res=0");
+			audit_log_end(ab);
 
+			return -EINVAL;
+}
 		spin_lock(&tsk->sighand->siglock);
 		tsk->signal->audit_tty = s.enabled;
 		tsk->signal->audit_tty_log_passwd = s.log_passwd;
 		spin_unlock(&tsk->sighand->siglock);
+
+		audit_log_format(ab, " res=1");
+		audit_log_end(ab);
+
+
 		break;
 	}
 	default:

> -Steve

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545