From: Steve Grubb
Subject: [PATCH 1/2] audit: create audit_log_task_simple function
Date: Wed, 30 Nov 2016 14:25:40 -0500
Message-ID: <5386284.xmcPCoNQr9@x2>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

The audit subsystem has 2 general kinds of audit events, syscall auditing and hardwired audit events. Syscall auditing records quite a lot about the process because it doesn't know ahead of time what is important to the current syscall. For hardwired events, the information recorded can be greatly reduced.

This patch adds a new function, audit_log_task_simple, which should be used for most cases because it sticks to what is necessary for "hardwired" events. It provides pid, uid, auid, tty, session, context, comm, exe.

Signed-off-by: sgrubb
--- include/linux/audit.h | 5 +++++ kernel/audit.c | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+) diff --git a/include/linux/audit.h b/include/linux/audit.h index 9d4443f..eaf7615 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -159,6 +159,8 @@ static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) extern int audit_log_task_context(struct audit_buffer *ab); extern void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk); +extern void audit_log_task_simple(struct audit_buffer *ab, + struct task_struct *tsk); extern int audit_update_lsm_rules(void); 
@@ -213,6 +215,9 @@ static inline int audit_log_task_context(struct audit_buffer *ab) static inline void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) { } +static inline void audit_log_task_simple(struct audit_buffer *ab, + struct task_struct *tsk) +{ } #define audit_enabled 0 #endif /* CONFIG_AUDIT */ diff --git a/kernel/audit.c b/kernel/audit.c index a8a91bd..22f8c3d 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1128,6 +1128,39 @@ static void audit_receive(struct sk_buff *skb) mutex_unlock(&audit_cmd_mutex); } +/* + * This function logs the essential information needed to understand + * what or who is causing the event. + */ +void audit_log_task_simple(struct audit_buffer *ab, struct task_struct *tsk) +{ + const struct cred *cred; + char comm[sizeof(tsk->comm)]; + struct tty_struct *tty; + + if (!ab) + return; + + /* tsk == current */ + cred = current_cred(); + + tty = audit_get_tty(tsk); + audit_log_format(ab, "pid=%u uid=%u auid=%u tty=%s ses=%u", + task_pid_nr(tsk), + from_kuid(&init_user_ns, cred->uid), + from_kuid(&init_user_ns, audit_get_loginuid(tsk)), + tty ? tty_name(tty) : "(none)", + audit_get_sessionid(tsk)); + audit_put_tty(tty); + + audit_log_task_context(ab); /* subj= */ + audit_log_format(ab, " comm="); + audit_log_untrustedstring(ab, get_task_comm(comm, tsk)); + + audit_log_d_path_exe(ab, tsk->mm); /* exe= */ +} +EXPORT_SYMBOL(audit_log_task_simple); + /* Run custom bind function on netlink socket group connect or bind requests. */ static int audit_bind(struct net *net, int group) { -- 2.7.4
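Review bot: In the kernel/audit.c hunk, audit_log_task_simple() takes a `struct task_struct *tsk` but reads the uid from `current_cred()` (under the comment `/* tsk == current */`), while pid, auid, tty, ses and comm are all taken from `tsk`; a caller that passes any task other than current therefore gets a uid= belonging to a different process than the rest of the record, which defeats the stated purpose of showing "what or who is causing the event". Either drop the parameter and log current throughout, state in the header that tsk must be current, or take the credentials from tsk itself (for example `__task_cred(tsk)` under `rcu_read_lock()`) so the fields are internally consistent. Since the function is exported with EXPORT_SYMBOL, the leading comment would also be better as a kernel-doc block (`/**`) that lists the fields emitted (pid, uid, auid, tty, ses, subj, comm, exe) and the current-task requirement, so callers converted in later patches use it correctly.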