Linux-audit August 2018

linux-audit@lists.linux-audit.osci.io

11 participants
15 discussions

Kernel 4.9.51 null pointer dereference add_rule with null key

by Preston Bennes

Hey Audit team, I've got a kernel null pointer deref oops on Amazon Linux kernel 4.9.51-10.52.amzn1.x86_64. After the oops all new cron processes that spawned were stuck in D wait on some audit related syscall. This exhausted system file handles and the box ended up needing to be rebooted out-of-bounds. The audit handle was held by https://github.com/facebook/osquery/. It looks like there was an issue with audit sending to osquery (netlink_unicast sending to pid 21233, error -111) followed by something (presumably also osquery) attempting to 'op="add_rule" key=(null)'. Here's from /var/log/messages. Aug 13 14:34:54 packer_default-10-180-21-24 kernel: [4749520.133904] audit: > netlink_unicast sending to audit_pid=21233 returned error: -111 > Aug 13 14:34:54 packer_default-10-180-21-24 kernel: [4749520.137982] > audit_log_lost: 12 callbacks suppressed > Aug 13 14:34:54 packer_default-10-180-21-24 kernel: [4749520.137983] > audit: audit_lost=36081041 audit_rate_limit=8192 audit_backlog_limit=4096 > Aug 13 14:34:54 packer_default-10-180-21-24 kernel: [4749520.137985] > audit: type=1305 audit(1534170894.852:117649229): audit_pid=21233 old=21233 > auid=501 ses=102936 res=0 > Aug 13 14:34:54 packer_default-10-180-21-24 kernel: [4749520.137986] > audit: type=1305 audit(1534170894.852:117649230): audit_enabled=1 old=1 > auid=501 ses=102936 res=1 > Aug 13 14:34:54 packer_default-10-180-21-24 kernel: [4749520.137987] > audit: type=1305 audit(1534170894.852:117649231): audit_backlog_wait_time=1 > old=1 auid=501 ses=102936 res=1 > Aug 13 14:34:54 packer_default-10-180-21-24 kernel: [4749520.137989] > audit: type=1305 audit(1534170894.852:117649232): audit_backlog_limit=4096 > old=4096 auid=501 ses=102936 res=1 > Aug 13 14:34:54 packer_default-10-180-21-24 kernel: [4749520.137990] > audit: type=1305 audit(1534170894.852:117649233): audit_failure=0 old=0 > auid=501 ses=102936 res=1 > Aug 13 14:34:54 packer_default-10-180-21-24 kernel: [4749520.137991] > audit: type=1305 audit(1534170894.852:117649234): auid=501 ses=102936 > op="add_rule" key=(null) list=4 res=0 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.138007] BUG: > unable to handle kernel NULL pointer dereference at 00000000000001e0 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.143872] IP: > [<ffffffff814a76da>] netlink_unicast+0x4a/0x230 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.148336] PGD 0 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.149822] > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.151230] Oops: > 0000 [#1] SMP > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.153736] > Modules linked in: iptable_filter(E) ip_tables(E) x_tables(E) udp_diag(E) > nfnetlink_queue(E) nfnetlink_log(E) nfnetlink(E) tcp_diag(E) inet_diag(E) > isofs(E) ipv6(E) crc_ > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.184036] CPU: > 0 PID: 21372 Comm: osqueryd Tainted: G E > 4.9.51-10.52.amzn1.x86_64 #1 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.190620] > Hardware name: Xen HVM domU, BIOS 4.2.amazon 08/24/2006 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.195513] task: > ffff8807fa1c3b00 task.stack: ffffc900079a4000 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.200179] RIP: > 0010:[<ffffffff814a76da>] [<ffffffff814a76da>] netlink_unicast+0x4a/0x230 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.206822] RSP: > 0018:ffffc900079a7c38 EFLAGS: 00010246 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.211065] RAX: > 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.216779] RDX: > 00001ffffffffffe RSI: 00000000024000c0 RDI: 0000000000000014 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.222473] RBP: > ffffc900079a7c68 R08: 0000000000000004 R09: ffff88062a375414 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.228167] R10: > ffff8808004032c0 R11: ffff88062a375400 R12: 0000000000000000 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.233738] R13: > ffff8804200a0100 R14: 00000000000052f1 R15: 0000000000016d42 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.238999] FS: > 00007f3d40cc4700(0000) GS:ffff880800a00000(0000) knlGS:0000000000000000 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.244796] CS: > 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.249555] CR2: > 00000000000001e0 CR3: 000000059e63d000 CR4: 00000000001406f0 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.255401] DR0: > 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.260725] DR3: > 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.266038] Stack: > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.267680] > 00000000079a7c58 00000000000052f1 00000000000052f1 00000000ffffffa1 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.273540] > ffff88062a376800 ffff8804200a1d00 ffffc900079a7cf8 ffffffff811107d2 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.279379] > ffffc90000000004 ffffffff811e2f85 ffffc900079a7ca8 ffffffff8145a08c > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.285201] Call > Trace: > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.287137] > [<ffffffff811107d2>] audit_receive_msg+0x992/0xc20 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.291561] > [<ffffffff811e2f85>] ? __kmalloc_node_track_caller+0x35/0x260 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.296642] > [<ffffffff8145a08c>] ? release_sock+0x8c/0xa0 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.300718] > [<ffffffff81110ab2>] audit_receive+0x52/0xa0 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.304713] > [<ffffffff814a77ef>] netlink_unicast+0x15f/0x230 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.308943] > [<ffffffff814a7bdc>] netlink_sendmsg+0x31c/0x390 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.313236] > [<ffffffff81455818>] sock_sendmsg+0x38/0x50 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.317219] > [<ffffffff81455c4f>] SYSC_sendto+0xef/0x170 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.321142] > [<ffffffff811156ab>] ? __audit_syscall_entry+0xeb/0x100 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.325853] > [<ffffffff81003437>] ? syscall_trace_enter+0x1b7/0x290 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.330464] > [<ffffffff811158b3>] ? __audit_syscall_exit+0x1f3/0x280 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.335189] > [<ffffffff8145673e>] SyS_sendto+0xe/0x10 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.338952] > [<ffffffff81003854>] do_syscall_64+0x54/0xc0 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.342995] > [<ffffffff8153d32b>] entry_SYSCALL64_slow_path+0x25/0x25 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.347840] Code: > 65 8b 05 a2 5b b6 7e 25 00 ff 00 00 83 f8 01 19 f6 81 e6 a0 00 38 00 81 c6 > 20 00 08 02 e8 af cf ff ff 49 89 c5 31 c0 85 db 75 08 <49> 8b 84 24 e0 01 > 00 00 48 89 45 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.368625] RIP > [<ffffffff814a76da>] netlink_unicast+0x4a/0x230 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.373253] RSP > <ffffc900079a7c38> > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.376013] CR2: > 00000000000001e0 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.379307] ---[ > end trace 6a41b2274729ba2a ]--- > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.663029] > audit: type=1300 audit(1534170895.379:117649235): arch=c000003e syscall=59 > success=yes exit=0 a0=271cce0 a1=2741dd0 a2=26dc3b0 a3=7ffdd7f1ea80 items=2 > ppid=4556 pid=2407 > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.682741] > audit: type=1309 audit(1534170895.379:117649235): argc=2 a0="date" a1="+%s" > Aug 13 14:34:55 packer_default-10-180-21-24 kernel: [4749520.688585] > audit: type=1307 audit(1534170895.379:117649235): cwd="/" > Aug 13 14:34:55 packer_default-10-180-21-24 abrt-dump-oops: Reported 1 > kernel oopses to Abrt

6 years, 4 months

3
5
0 / 0

[GIT PULL] Audit patches for v4.19

by Paul Moore

Hi Linus, Twelve audit patches for v4.19 and they run the full gamut from fixes to features. Notable changes include the ability to use the "exe" audit filter field in a wider variety of filter types, a fix for our comparison of GID/EGID in audit filter rules, better association of related audit records (connecting related audit records together into one audit event), and a fix for a potential use-after-free in audit_add_watch(). All the patches pass the audit-testsuite and merge cleanly on your current master branch. Please pull, thanks. -Paul -- The following changes since commit ce397d215ccd07b8ae3f71db689aedb85d56ab40: Linux 4.18-rc1 (2018-06-17 08:04:49 +0900) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git tags/audit-pr-20180814 for you to fetch changes up to baa2a4fdd525c8c4b0f704d20457195b29437839: audit: fix use-after-free in audit_add_watch (2018-07-18 11:43:36 -0400) ---------------------------------------------------------------- audit/stable-4.18 PR 20180814 ---------------------------------------------------------------- Arnd Bergmann (1): audit: use ktime_get_coarse_ts64() for time access Ondrej Mosnáček (3): audit: allow other filter list types for AUDIT_EXE audit: Fix extended comparison of GID/EGID cred: conditionally declare groups-related functions Paul Moore (1): audit: use ktime_get_coarse_real_ts64() for timestamps Richard Guy Briggs (6): audit: tie SECCOMP records to syscall audit: tie ANOM_ABEND records to syscall audit: rename FILTER_TYPE to FILTER_EXCLUDE audit: eliminate audit_enabled magic number comparison audit: check audit_enabled in audit_tree_log_remove_rule() audit: simplify audit_enabled check in audit_watch_log_rule_change() Ronny Chevalier (1): audit: fix use-after-free in audit_add_watch drivers/tty/tty_audit.c | 2 +- include/linux/audit.h | 5 ++++- include/linux/cred.h | 15 ++++++++++----- include/net/xfrm.h | 2 +- include/uapi/linux/audit.h | 3 ++- kernel/audit.c | 7 ++----- kernel/audit_tree.c | 2 ++ kernel/audit_watch.c | 41 ++++++++++++++++++++++++-------------- kernel/auditfilter.c | 17 ++++++++++------- kernel/auditsc.c | 14 +++++++------- net/netfilter/xt_AUDIT.c | 2 +- net/netlabel/netlabel_user.c | 2 +- 12 files changed, 67 insertions(+), 45 deletions(-) -- paul moore www.paul-moore.com

6 years, 4 months

1
0
0 / 0

[RFC PATCH ghak9 0/3] audit: Record the path of FDs passed to *at(2) syscalls

by Ondrej Mosnacek

This patchset is a prototype implementation of the feature requested in GHAK issue #9 [1]. I decided for a simple auxiliary record with just 2 fields (fd and path) that is emitted whenever we want to record the full path for a file descriptor passed to a syscall (e.g. the dirfd argument of openat(2)). I choose this approach because for some syscalls there is more than one file descriptor we might be interested in (a good example is the renameat(2) syscall). The motivation for this feature (as I understand it) is to avoid the need to reconstruct the paths corresponding to the file descriptors passed to syscalls, as this might be difficult and time consuming or even impossible in case not all of the right sycalls are being logged. Note that it is always possible to disable these records by simply adding an exclude filter rule matching all records of type FD_PATH. At this moment I only implement logging for a single syscall (openat(2)) to keep it simple. In the final version I plan to add support for other similar syscalls ()mkdirat, mknodeat, fchownat, ...). Please let me know if the general approach and the proposed record format make sense to you so I can improve/complete the solution. Thanks, Ondrej [1] https://github.com/linux-audit/audit-kernel/issues/9

6 years, 4 months

4
26
0 / 0

[RFC PATCH] audit: minimize our use of audit_log_format()

by Paul Moore

WARNING: completely untested patch! There are several cases where we are using audit_log_format() when we could be using audit_log_string(), which should be quicker. There are also some cases where we are making multiple audit_log_format() calls in a row, for no apparent reason. This patch fixes the problems above in the core audit code, the other kernel subsystems are left for another time. Signed-off-by: Paul Moore <paul(a)paul-moore.com> --- kernel/audit.c | 37 ++++++++++++++++++------------------- kernel/audit_fsnotify.c | 2 +- kernel/audit_tree.c | 3 +-- kernel/audit_watch.c | 2 +- kernel/auditsc.c | 19 +++++++++---------- 5 files changed, 30 insertions(+), 33 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 160144f7e5f9..a0f57f4f9944 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1347,7 +1347,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) else { int size; - audit_log_format(ab, " data="); + audit_log_string(ab, " data="); size = nlmsg_len(nlh); if (size > 0 && ((unsigned char *)data)[size - 1] == '\0') @@ -1375,7 +1375,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) case AUDIT_TRIM: audit_trim_trees(); audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE); - audit_log_format(ab, " op=trim res=1"); + audit_log_string(ab, " op=trim res=1"); audit_log_end(ab); break; case AUDIT_MAKE_EQUIV: { @@ -1406,9 +1406,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE); - audit_log_format(ab, " op=make_equiv old="); + audit_log_string(ab, " op=make_equiv old="); audit_log_untrustedstring(ab, old); - audit_log_format(ab, " new="); + audit_log_string(ab, " new="); audit_log_untrustedstring(ab, new); audit_log_format(ab, " res=%d", !err); audit_log_end(ab); @@ -2021,7 +2021,7 @@ void audit_log_d_path(struct audit_buffer *ab, const char *prefix, char *p, *pathname; if (prefix) - audit_log_format(ab, "%s", prefix); + audit_log_string(ab, prefix); /* We will allow 11 spaces for ' (deleted)' to be appended */ pathname = kmalloc(PATH_MAX+11, ab->gfp_mask); @@ -2048,11 +2048,11 @@ void audit_log_session_info(struct audit_buffer *ab) void audit_log_key(struct audit_buffer *ab, char *key) { - audit_log_format(ab, " key="); + audit_log_string(ab, " key="); if (key) audit_log_untrustedstring(ab, key); else - audit_log_format(ab, "(null)"); + audit_log_string(ab, "(null)"); } void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap) @@ -2134,7 +2134,7 @@ void audit_log_name(struct audit_context *context, struct audit_names *n, switch (n->name_len) { case AUDIT_NAME_FULL: /* log the full path */ - audit_log_format(ab, " name="); + audit_log_string(ab, " name="); audit_log_untrustedstring(ab, n->name->name); break; case 0: @@ -2144,12 +2144,12 @@ void audit_log_name(struct audit_context *context, struct audit_names *n, break; default: /* log the name's directory component */ - audit_log_format(ab, " name="); + audit_log_string(ab, " name="); audit_log_n_untrustedstring(ab, n->name->name, n->name_len); } } else - audit_log_format(ab, " name=(null)"); + audit_log_string(ab, " name=(null)"); if (n->ino != AUDIT_INO_UNSET) audit_log_format(ab, " inode=%lu" @@ -2178,22 +2178,21 @@ void audit_log_name(struct audit_context *context, struct audit_names *n, } /* log the audit_names record type */ - audit_log_format(ab, " nametype="); switch(n->type) { case AUDIT_TYPE_NORMAL: - audit_log_format(ab, "NORMAL"); + audit_log_string(ab, "nametype=NORMAL"); break; case AUDIT_TYPE_PARENT: - audit_log_format(ab, "PARENT"); + audit_log_string(ab, "nametype=PARENT"); break; case AUDIT_TYPE_CHILD_DELETE: - audit_log_format(ab, "DELETE"); + audit_log_string(ab, "nametype=DELETE"); break; case AUDIT_TYPE_CHILD_CREATE: - audit_log_format(ab, "CREATE"); + audit_log_string(ab, "nametype=CREATE"); break; default: - audit_log_format(ab, "UNKNOWN"); + audit_log_string(ab, "nametype=UNKNOWN"); break; } @@ -2245,7 +2244,7 @@ void audit_log_d_path_exe(struct audit_buffer *ab, fput(exe_file); return; out_null: - audit_log_format(ab, " exe=(null)"); + audit_log_string(ab, " exe=(null)"); } struct tty_struct *audit_get_tty(void) @@ -2294,7 +2293,7 @@ void audit_log_task_info(struct audit_buffer *ab) tty ? tty_name(tty) : "(none)", audit_get_sessionid(current)); audit_put_tty(tty); - audit_log_format(ab, " comm="); + audit_log_string(ab, " comm="); audit_log_untrustedstring(ab, get_task_comm(comm, current)); audit_log_d_path_exe(ab, current->mm); audit_log_task_context(ab); @@ -2318,7 +2317,7 @@ void audit_log_link_denied(const char *operation) return; audit_log_format(ab, "op=%s", operation); audit_log_task_info(ab); - audit_log_format(ab, " res=0"); + audit_log_string(ab, " res=0"); audit_log_end(ab); } diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c index fba78047fb37..27d29103333c 100644 --- a/kernel/audit_fsnotify.c +++ b/kernel/audit_fsnotify.c @@ -133,7 +133,7 @@ static void audit_mark_log_rule_change(struct audit_fsnotify_mark *audit_mark, c audit_log_format(ab, "auid=%u ses=%u op=%s", from_kuid(&init_user_ns, audit_get_loginuid(current)), audit_get_sessionid(current), op); - audit_log_format(ab, " path="); + audit_log_string(ab, " path="); audit_log_untrustedstring(ab, audit_mark->path); audit_log_key(ab, rule->filterkey); audit_log_format(ab, " list=%d res=1", rule->listnr); diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c index 9f6eaeb6919f..f01bce6d1b23 100644 --- a/kernel/audit_tree.c +++ b/kernel/audit_tree.c @@ -502,8 +502,7 @@ static void audit_tree_log_remove_rule(struct audit_krule *rule) ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); if (unlikely(!ab)) return; - audit_log_format(ab, "op=remove_rule"); - audit_log_format(ab, " dir="); + audit_log_string(ab, "op=remove_rule dir="); audit_log_untrustedstring(ab, rule->tree->pathname); audit_log_key(ab, rule->filterkey); audit_log_format(ab, " list=%d res=1", rule->listnr); diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c index 787c7afdf829..0ce85fe25a53 100644 --- a/kernel/audit_watch.c +++ b/kernel/audit_watch.c @@ -248,7 +248,7 @@ static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watc audit_log_format(ab, "auid=%u ses=%u op=%s", from_kuid(&init_user_ns, audit_get_loginuid(current)), audit_get_sessionid(current), op); - audit_log_format(ab, " path="); + audit_log_string(ab, " path="); audit_log_untrustedstring(ab, w->path); audit_log_key(ab, r->filterkey); audit_log_format(ab, " list=%d res=1", r->listnr); diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 8b12e525306e..f370930265ea 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -954,14 +954,14 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, from_kuid(&init_user_ns, uid), sessionid); if (sid) { if (security_secid_to_secctx(sid, &ctx, &len)) { - audit_log_format(ab, " obj=(none)"); + audit_log_string(ab, " obj=(none)"); rc = 1; } else { audit_log_format(ab, " obj=%s", ctx); security_release_secctx(ctx, len); } } - audit_log_format(ab, " ocomm="); + audit_log_string(ab, " ocomm="); audit_log_untrustedstring(ab, comm); audit_log_end(ab); @@ -1104,7 +1104,7 @@ static void audit_log_execve_info(struct audit_context *context, abuf[sizeof(abuf) - 1] = '\0'; /* log the arg in the audit record */ - audit_log_format(*ab, "%s", abuf); + audit_log_string(*ab, abuf); len_rem -= len_tmp; len_tmp = len_buf; if (encode) { @@ -1240,7 +1240,7 @@ static void show_special(struct audit_context *context, int *call_panic) audit_log_execve_info(context, &ab); break; case AUDIT_KERN_MODULE: - audit_log_format(ab, "name="); + audit_log_string(ab, "name="); audit_log_untrustedstring(ab, context->module.name); kfree(context->module.name); break; @@ -1276,7 +1276,7 @@ static void audit_log_proctitle(void) if (!ab) return; /* audit_panic or being filtered */ - audit_log_format(ab, "proctitle="); + audit_log_string(ab, "proctitle="); /* Not cached */ if (!context->proctitle.value) { @@ -1405,7 +1405,7 @@ static void audit_log_exit(int ret_valid, long ret_code) if (context->sockaddr_len) { ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR); if (ab) { - audit_log_format(ab, "saddr="); + audit_log_string(ab, "saddr="); audit_log_n_hex(ab, (void *)context->sockaddr, context->sockaddr_len); audit_log_end(ab); @@ -2498,10 +2498,9 @@ void audit_seccomp_actions_logged(const char *names, const char *old_names, if (unlikely(!ab)) return; - audit_log_format(ab, "op=seccomp-logging"); - audit_log_format(ab, " actions=%s", names); - audit_log_format(ab, " old-actions=%s", old_names); - audit_log_format(ab, " res=%d", res); + audit_log_string(ab, "op=seccomp-logging"); + audit_log_format(ab, " actions=%s old-actions=%s res=%d", + names, old_names, res); audit_log_end(ab); }

6 years, 4 months

3
3
0 / 0

What time do the auditd timestamps represent?

by James Davis

6 years, 4 months

3
3
0 / 0

← Newer
1
2
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit August 2018