From mboxrd@z Thu Jan  1 00:00:00 1970
From: Paul Moore <pmoore@redhat.com>
Subject: Re: [PATCH 2/2] audit: log failed attempts to change audit_pid
	configuration
Date: Thu, 24 Sep 2015 16:12:18 -0400
Message-ID: <3543168.OGyCZ6dDtT@sifl>
References: <206b0f415832c9fde6befaa13a7b6efe916d1ba4.1442494593.git.rgb@redhat.com>
	<1897d9f5007c4212aac4095b7fa2491e44cc880f.1442494593.git.rgb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <1897d9f5007c4212aac4095b7fa2491e44cc880f.1442494593.git.rgb@redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Richard Guy Briggs <rgb@redhat.com>
Cc: v.rathor@gmail.com, linux-kernel@vger.kernel.org, linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Friday, September 18, 2015 03:59:59 AM Richard Guy Briggs wrote:
> Failed attempts to change the audit_pid configuration are not presently
> logged.  One case is an attempt to starve an old auditd by starting up a
> new auditd when the old one is still alive and active.  The other case
> is an attempt to orphan a new auditd when an old auditd shuts down.
> 
> Log both as AUDIT_CONFIG_CHANGE messages with failure result.
> 
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  kernel/audit.c |    8 ++++++--
>  1 files changed, 6 insertions(+), 2 deletions(-)

This patch tends to reinforce the idea of a hijack message instead of a ping 
message.  Unfortunately, we can't use audit_log_config_change() to generate 
the hijack message as it queues the record, but you get the idea.

> diff --git a/kernel/audit.c b/kernel/audit.c
> index 3399ab2..65dcd45 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -883,12 +883,16 @@ static int audit_receive_msg(struct sk_buff *skb,
> struct nlmsghdr *nlh) pid_t requesting_pid = task_tgid_vnr(current);
>  			u32 portid = NETLINK_CB(skb).portid;
> 
> -			if ((!new_pid) && (requesting_pid != audit_pid))
> +			if ((!new_pid) && (requesting_pid != audit_pid)) {
> +				audit_log_config_change("audit_pid", new_pid, audit_pid, 0);
>  				return -EACCES;
> +			}
>  			if (audit_pid && new_pid &&
>  			    audit_ping(requesting_pid, nlmsg_hdr(skb)->nlmsg_seq, portid) 
!=
> -			    -ECONNREFUSED)
> +			    -ECONNREFUSED) {
> +				audit_log_config_change("audit_pid", new_pid, audit_pid, 0);
>  				return -EEXIST;
> +			}
>  			if (audit_enabled != AUDIT_OFF)
>  				audit_log_config_change("audit_pid", new_pid, audit_pid, 1);
>  			audit_pid = new_pid;

-- 
paul moore
security @ redhat