There are very important fields necessary to understand who is
adding
audit rules and a little more context about the environment in which
its happening. This adds pid, uid, tty, subj, comm, and exe
information to the event. These are required fields.
* V2 added calls to audit_put_tty()
See:
https://github.com/linux-audit/audit-kernel/issues/59
Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>
Reviewed-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/audit_watch.c | 24 ++++++++++++++++++++----
kernel/auditfilter.c | 19 ++++++++++++++++---
2 files changed, 36 insertions(+), 7 deletions(-)
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index 9eb8b3511636..fd68e99042f1 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -239,14 +239,30 @@ static struct audit_watch *audit_dupe_watch(struct
audit_watch *old)
static void audit_watch_log_rule_change(struct audit_krule *r, struct
audit_watch *w, char *op)
{
if (audit_enabled) {
+ struct tty_struct *tty;
+ const struct cred *cred;
struct audit_buffer *ab;
+ char comm[sizeof(current->comm)];
+
ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
if (unlikely(!ab))
return;
- audit_log_format(ab, "auid=%u ses=%u op=%s",
- from_kuid(&init_user_ns,
audit_get_loginuid(current)),
- audit_get_sessionid(current), op);
- audit_log_format(ab, " path=");
+
+ cred = current_cred();
+ tty = audit_get_tty(current);
+ audit_log_format(ab, "pid=%d uid=%u auid=%u tty=%s ses=%u",
+ task_tgid_nr(current),
+ from_kuid(&init_user_ns, cred->uid),
+ from_kuid(&init_user_ns,
+ audit_get_loginuid(current)),
+ tty ? tty_name(tty) : "(none)",
+ audit_get_sessionid(current));