On Thu, Nov 29, 2012 at 7:10 AM, Steve Grubb <sgrubb(a)redhat.com> wrote:
On Wednesday, November 28, 2012 02:57:44 PM Kees Cook wrote:
> The userspace audit tools didn't like the existing formatting of the
> AUDIT_ANOM_LINK event. It needed to be expanded to emit an AUDIT_PATH
> event as well, so this implements the change. The bulk of the patch is
> moving code out of auditsc.c into audit.c and audit.h for general use.
> It expands audit_log_name to include an optional "struct path" argument
> for the simple case of just needing to report a pathname. This also makes
> audit_log_task_info available when syscall auditing is not enabled so
> an admin can make sense of the audit report (which would have only shown
> path information, not process information).
>
> Reported-by: Steve Grubb <sgrubb(a)redhat.com>
> Signed-off-by: Kees Cook <keescook(a)chromium.org>
Hrm, I actually had to unconditionally add the task_info call, and
that fixed things for me. I can send a v2 if this looks right to you.
Do you have a sample record I could check?
ausearch --start today -m 1702 --raw --just-one
# ausearch --start today -m 1702 --raw --just-one
type=UNKNOWN[1702] msg=audit(1354215561.568:5): op=follow_link
ppid=1972 pid=1988 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 ses=1 tty=pts0 comm="cat" exe="/bin/cat" res=0
type=PATH msg=audit(1354215561.568:5): item=0 name="/tmp/evil"
inode=19 dev=fd:01 mode=0120777 ouid=1000 ogid=1000 rdev=00:00
type=SYSCALL msg=audit(1354215561.568:5): arch=c000003e syscall=2
success=no exit=-13 a0=7fffba5b7955 a1=0 a2=0 a3=7fffba5b5940 items=0
ppid=1972 pid=1988 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 ses=1 tty=pts0 comm="cat" exe="/bin/cat" key=(null)
-Kees
--
Kees Cook
Chrome OS Security