* [PATCH] the loginuid field should be output in all AUDIT_CONFIG_CHANGE audit messages @ 2008-07-30 3:40 zhangxiliang 2008-07-31 17:42 ` Eric Paris 0 siblings, 1 reply; 3+ messages in thread From: zhangxiliang @ 2008-07-30 3:40 UTC (permalink / raw) To: sgrubb, viro, eparis, Linux Audit, Linux Kernel Mailing List In the audit message which type is "AUDIT_CONFIG_CHANGE", the output format should contain "auid" field. Signed-off-by: Zhang Xiliang <zhangxiliang@cn.fujitsu.com> --- kernel/auditfilter.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 98c50cc..8a184f5 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1022,8 +1022,9 @@ static void audit_update_watch(struct audit_parent *parent, struct audit_buffer *ab; ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); + audit_log_format(ab, "auid=%u", current->loginuid); audit_log_format(ab, - "op=updated rules specifying path="); + " op=updated rules specifying path="); audit_log_untrustedstring(ab, owatch->path); audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino); @@ -1058,7 +1059,8 @@ static void audit_remove_parent_watches(struct audit_parent *parent) struct audit_buffer *ab; ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); - audit_log_format(ab, "op=remove rule path="); + audit_log_format(ab, "auid=%u", current->loginuid); + audit_log_format(ab, " op=remove rule path="); audit_log_untrustedstring(ab, w->path); if (r->filterkey) { audit_log_format(ab, " key="); -- 1.5.4.2 -- Regards Zhang Xiliang ^ permalink raw reply related [flat|nested] 3+ messages in thread
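Review bot: The added line `audit_log_format(ab, "auid=%u", current->loginuid);` in both hunks (audit_update_watch and audit_remove_parent_watches) reads the task field directly and logs the login uid without a session id, so the record names the account but cannot be tied to a specific login session. Use the accessors instead and emit both fields, for example the format `"auid=%u ses=%u"` with `audit_get_loginuid(current)` and `audit_get_sessionid(current)`.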
* Re: [PATCH] the loginuid field should be output in all AUDIT_CONFIG_CHANGE audit messages 2008-07-30 3:40 [PATCH] the loginuid field should be output in all AUDIT_CONFIG_CHANGE audit messages zhangxiliang @ 2008-07-31 17:42 ` Eric Paris 2008-08-01 1:47 ` zhangxiliang 0 siblings, 1 reply; 3+ messages in thread From: Eric Paris @ 2008-07-31 17:42 UTC (permalink / raw) To: zhangxiliang; +Cc: sgrubb, viro, Linux Audit, Linux Kernel Mailing List On Wed, 2008-07-30 at 11:40 +0800, zhangxiliang wrote: > In the audit message which type is "AUDIT_CONFIG_CHANGE", the output format should contain "auid" field. shouldn't these be using the "audit_get_loginuid(current)" and if we are going to output loginuid we also should be outputting sessionid -Eric > > Signed-off-by: Zhang Xiliang <zhangxiliang@cn.fujitsu.com> > --- > kernel/auditfilter.c | 6 ++++-- > 1 files changed, 4 insertions(+), 2 deletions(-) > > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c > index 98c50cc..8a184f5 100644 > --- a/kernel/auditfilter.c > +++ b/kernel/auditfilter.c > @@ -1022,8 +1022,9 @@ static void audit_update_watch(struct audit_parent *parent, > struct audit_buffer *ab; > ab = audit_log_start(NULL, GFP_KERNEL, > AUDIT_CONFIG_CHANGE); > + audit_log_format(ab, "auid=%u", current->loginuid); > audit_log_format(ab, > - "op=updated rules specifying path="); > + " op=updated rules specifying path="); > audit_log_untrustedstring(ab, owatch->path); > audit_log_format(ab, " with dev=%u ino=%lu\n", > dev, ino); 
> @@ -1058,7 +1059,8 @@ static void audit_remove_parent_watches(struct audit_parent *parent) > struct audit_buffer *ab; > ab = audit_log_start(NULL, GFP_KERNEL, > AUDIT_CONFIG_CHANGE); > - audit_log_format(ab, "op=remove rule path="); > + audit_log_format(ab, "auid=%u", current->loginuid); > + audit_log_format(ab, " op=remove rule path="); > audit_log_untrustedstring(ab, w->path); > if (r->filterkey) { > audit_log_format(ab, " key="); > -- > 1.5.4.2 > > ^ permalink raw reply [flat|nested] 3+ messages in thread
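Review bot: In the audit_remove_parent_watches hunk the record prefix is now built by two back-to-back audit_log_format calls, and the output is only well-formed because of the leading space added to `" op=remove rule path="`. A single call with the format `"auid=%u op=remove rule path="` writes the same bytes and removes that hidden coupling between the two strings; the same applies to the pair of calls in the audit_update_watch hunk.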
* Re: [PATCH] the loginuid field should be output in all AUDIT_CONFIG_CHANGE audit messages 2008-07-31 17:42 ` Eric Paris @ 2008-08-01 1:47 ` zhangxiliang 0 siblings, 0 replies; 3+ messages in thread From: zhangxiliang @ 2008-08-01 1:47 UTC (permalink / raw) To: Eric Paris; +Cc: sgrubb, viro, Linux Audit, Linux Kernel Mailing List > shouldn't these be using the "audit_get_loginuid(current)" and if we > are going to output loginuid we also should be outputting sessionid Thanks for your detailed explanation. I have made a new patch for outputting "loginuid" and "sessionid" by audit_get_loginuid(current) and audit_get_sessionid(current). If there are some deficiencies, please give me your indication. Signed-off-by: Zhang Xiliang <zhangxiliang@cn.fujitsu.com> --- kernel/auditfilter.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 98c50cc..b7d354e 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1022,8 +1022,11 @@ static void audit_update_watch(struct audit_parent *parent, struct audit_buffer *ab; ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); + audit_log_format(ab, "auid=%u ses=%u", + audit_get_loginuid(current), + audit_get_sessionid(current)); audit_log_format(ab, - "op=updated rules specifying path="); + " op=updated rules specifying path="); audit_log_untrustedstring(ab, owatch->path); audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino); 
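Review bot: The changelog does not mention that the record layout changes: in the audit_update_watch hunk the record used to begin with `op=updated rules specifying path=` and now begins with `auid=%u ses=%u` followed by ` op=...`. Anything that matches these AUDIT_CONFIG_CHANGE records by a leading `op=` field will see a different prefix, so the commit message should state the new field order and show one sample record before and after. The conversational text above the Signed-off-by line would also land in the commit log as posted; it belongs below the `---` marker.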
@@ -1058,7 +1061,10 @@ static void audit_remove_parent_watches(struct audit_parent *parent) struct audit_buffer *ab; ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); - audit_log_format(ab, "op=remove rule path="); + audit_log_format(ab, "auid=%u ses=%u", + audit_get_loginuid(current), + audit_get_sessionid(current)); + audit_log_format(ab, " op=remove rule path="); audit_log_untrustedstring(ab, w->path); if (r->filterkey) { audit_log_format(ab, " key="); -- 1.5.4.2 Regards Zhang Xiliang Eric Paris said the following on 2008-08-01 1:42: > On Wed, 2008-07-30 at 11:40 +0800, zhangxiliang wrote: >> In the audit message which type is "AUDIT_CONFIG_CHANGE", the output format should contain "auid" field. > > shouldn't these be using the "audit_get_loginuid(current)" and if we > are going to output loginuid we also should be outputting sessionid > > -Eric > >> Signed-off-by: Zhang Xiliang <zhangxiliang@cn.fujitsu.com> >> --- >> kernel/auditfilter.c | 6 ++++-- >> 1 files changed, 4 insertions(+), 2 deletions(-) >> >> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c >> index 98c50cc..8a184f5 100644 >> --- a/kernel/auditfilter.c >> +++ b/kernel/auditfilter.c >> @@ -1022,8 +1022,9 @@ static void audit_update_watch(struct audit_parent *parent, >> struct audit_buffer *ab; >> ab = audit_log_start(NULL, GFP_KERNEL, >> AUDIT_CONFIG_CHANGE); >> + audit_log_format(ab, "auid=%u", current->loginuid); >> audit_log_format(ab, >> - "op=updated rules specifying path="); >> + " op=updated rules specifying path="); >> audit_log_untrustedstring(ab, owatch->path); >> audit_log_format(ab, " with dev=%u ino=%lu\n", >> dev, ino); 
>> @@ -1058,7 +1059,8 @@ static void audit_remove_parent_watches(struct audit_parent *parent) >> struct audit_buffer *ab; >> ab = audit_log_start(NULL, GFP_KERNEL, >> AUDIT_CONFIG_CHANGE); >> - audit_log_format(ab, "op=remove rule path="); >> + audit_log_format(ab, "auid=%u", current->loginuid); >> + audit_log_format(ab, " op=remove rule path="); >> audit_log_untrustedstring(ab, w->path); >> if (r->filterkey) { >> audit_log_format(ab, " key="); >> -- >> 1.5.4.2 >> >> > > > > ^ permalink raw reply related [flat|nested] 3+ messages in thread
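Review bot: In the revised patch, the three-line `audit_log_format(ab, "auid=%u ses=%u", ...)` call added to audit_remove_parent_watches is a verbatim copy of the one added to audit_update_watch. A small static helper in kernel/auditfilter.c that writes the auid and ses fields to the buffer, called from both sites, would keep the two records from drifting apart when another field is added later.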