The audit subsystem has 2 general kinds of audit events, syscall auditing
and hardwired audit events. Syscall auditing records quite a lot about the
process because it doesn't know ahead of time what is important to the
current syscall. For hardwired events, the information recorded can be
greatly reduced.
This patch adds a new function, audit_log_task_simple, which should be used
for most cases because it sticks to what is necessary for "hardwired"
events. It provides pid, uid, auid, tty, session, context, comm, exe.
Signed-off-by: sgrubb <sgrubb(a)redhat.com>
---
include/linux/audit.h | 5 +++++
kernel/audit.c | 33 +++++++++++++++++++++++++++++++++
2 files changed, 38 insertions(+)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 9d4443f..eaf7615 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -159,6 +159,8 @@ static inline void audit_log_secctx(struct audit_buffer *ab, u32
secid)
extern int audit_log_task_context(struct audit_buffer *ab);
extern void audit_log_task_info(struct audit_buffer *ab,
struct task_struct *tsk);
+extern void audit_log_task_simple(struct audit_buffer *ab,
+ struct task_struct *tsk);
extern int audit_update_lsm_rules(void);
@@ -213,6 +215,9 @@ static inline int audit_log_task_context(struct audit_buffer *ab)
static inline void audit_log_task_info(struct audit_buffer *ab,
struct task_struct *tsk)
{ }
+static inline void audit_log_task_simple(struct audit_buffer *ab,
+ struct task_struct *tsk)
+{ }
#define audit_enabled 0
#endif /* CONFIG_AUDIT */
diff --git a/kernel/audit.c b/kernel/audit.c
index a8a91bd..22f8c3d 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1128,6 +1128,39 @@ static void audit_receive(struct sk_buff *skb)
mutex_unlock(&audit_cmd_mutex);
}
+/*
+ * This function logs the essential information needed to understand
+ * what or who is causing the event.
+ */
+void audit_log_task_simple(struct audit_buffer *ab, struct task_struct *tsk)
+{
+ const struct cred *cred;
+ char comm[sizeof(tsk->comm)];
+ struct tty_struct *tty;
+
+ if (!ab)
+ return;
+
+ /* tsk == current */
+ cred = current_cred();
+
+ tty = audit_get_tty(tsk);
+ audit_log_format(ab, "pid=%u uid=%u auid=%u tty=%s ses=%u",
+ task_pid_nr(tsk),
+ from_kuid(&init_user_ns, cred->uid),
+ from_kuid(&init_user_ns, audit_get_loginuid(tsk)),
+ tty ? tty_name(tty) : "(none)",
+ audit_get_sessionid(tsk));
+ audit_put_tty(tty);
+
+ audit_log_task_context(ab); /* subj= */
+ audit_log_format(ab, " comm=");
+ audit_log_untrustedstring(ab, get_task_comm(comm, tsk));
+
+ audit_log_d_path_exe(ab, tsk->mm); /* exe= */
+}
+EXPORT_SYMBOL(audit_log_task_simple);
+
/* Run custom bind function on netlink socket group connect or bind requests. */
static int audit_bind(struct net *net, int group)
{
--
2.7.4