On Wednesday 27 April 2005 12:35, Steve Grubb wrote:
The attached patch addresses the problem with getting the audit daemon
shutdown credential information. It creates a new message type
AUDIT_TERM_INFO, which is used by the audit daemon to query who issued the
shutdown.
It requires the placement of a hook function that gathers the information.
The hook is after the DAC & MAC checks and before the function returns.
Racing threads could overwrite the uid & pid - but they would have to be
root and have policy that allows signalling the audit daemon. That should
be a manageable risk.
The userspace component will be released later in audit 0.7.2. When it
receives the TERM signal, it queries the kernel for shutdown information.
When it receives it, it writes the message and exits. The message looks
like this:
type=DAEMON msg=auditd(1114551182.000) auditd normal halt, sending pid=2650 uid=525, auditd pid=1685
Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>
Attached is the revised patch with the audit_kill_info function prototype
moved up into the CONFIG_AUDITSYSCALL section of audit.h.
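The DAEMON record quoted above is the artifact a defender cares about: it records which process and uid stopped the audit daemon. The following parser is an added example, not part of the patch or of the audit userspace; it extracts the timestamp, sending pid, sending uid and auditd pid from records shaped like the one in the mail, and flags halts requested by a uid outside an allowed set. The sample record and the allowed-uid policy (root only) are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample record, shaped like the one quoted in the mail.
SAMPLE_RECORD = (
    "type=DAEMON msg=auditd(1114551182.000) auditd normal halt, "
    "sending pid=2650 uid=525, auditd pid=1685"
)

# Matches the "normal halt" DAEMON record: the timestamp is inside auditd(...),
# followed by the signaller's pid/uid and the pid of the auditd instance that exited.
_HALT_RE = re.compile(
    r"^type=DAEMON\s+msg=auditd\((?P<ts>\d+(?:\.\d+)?)\)\s+"
    r"auditd normal halt,\s+sending pid=(?P<sender_pid>\d+)\s+uid=(?P<sender_uid>\d+),\s+"
    r"auditd pid=(?P<auditd_pid>\d+)\s*$"
)


@dataclass(frozen=True)
class DaemonHalt:
    timestamp: float
    sender_pid: int
    sender_uid: int
    auditd_pid: int


def parse_daemon_halt(line: str) -> Optional[DaemonHalt]:
    """Parse one audit log line; return None for any record that is not a DAEMON halt."""
    m = _HALT_RE.match(line.strip())
    if m is None:
        return None
    return DaemonHalt(
        timestamp=float(m["ts"]),
        sender_pid=int(m["sender_pid"]),
        sender_uid=int(m["sender_uid"]),
        auditd_pid=int(m["auditd_pid"]),
    )


def find_unexpected_halts(lines: Iterable[str],
                          allowed_uids: frozenset = frozenset({0})) -> List[DaemonHalt]:
    """Return halt records whose sending uid is not in the allowed set.

    The default policy (only uid 0 may stop auditd) is an assumption for this
    example; a real deployment would take it from local configuration.
    """
    hits: List[DaemonHalt] = []
    for line in lines:
        rec = parse_daemon_halt(line)
        if rec is not None and rec.sender_uid not in allowed_uids:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_unexpected_halts([SAMPLE_RECORD]):
        print(f"auditd pid={hit.auditd_pid} stopped by pid={hit.sender_pid} "
              f"uid={hit.sender_uid} at {hit.timestamp}")
```

Because the record is written by auditd itself just before it exits, it is the last line of the log on a clean shutdown; a log that ends without such a record, or one whose sender uid falls outside policy, is the condition worth alerting on.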