On Thursday, February 9, 2017 9:06:57 AM EST Richard Guy Briggs wrote:
On 2017-01-13 10:48, Steve Grubb wrote:
> On Friday, January 13, 2017 3:26:29 AM EST Richard Guy Briggs wrote:
> > Add a method to reset the audit_lost value.
> >
> > An AUDIT_SET message with the AUDIT_STATUS_LOST flag set by itself
> > will return a positive value repesenting the current audit_lost value
> > and reset the counter to zero. If AUDIT_STATUS_LOST is not the
> > only flag set, the reset command will be ignored. The value sent with
> > the command is ignored. The return value will be the +ve lost value at
> > reset time.
> >
> > An AUDIT_CONFIG_CHANGE message will be queued to the listening audit
> > daemon. The message will be a standard CONFIG_CHANGE message with the
> > fields "lost=0" and "old=" with the latter containing the
value of
> > audit_lost at reset time.
>
> This passes testing and event looks good.
Did you create a formal test for it or just test it manually?
I tested this by building a kernel and testing it by hand.
-Steve
> Acked-by: Steve Grubb <sgrubb(a)redhat.com>
>
> This clears the way for audit-2.7.1 release today.
>
> -Steve
>
> > See:
https://github.com/linux-audit/audit-kernel/issues/3
> >
> > Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
> > ---
> > There is a merge conflict anticipated with the exclude filter
> > FEATURE_BITMAP patch (ghak5)
> >
> > v2:
> > Switch from AUDIT_GET to AUDIT_SET
> > Remove AUDIT_FEATURE and AUDIT_FEATURE_BITMAP
> > Return +ve lost value, reply AUDIT_LOST_RESET msg to sender
> >
> > v3:
> > Switch, from reply to sender, to queue to audit log
> >
> > v4:
> > Switch from LOST_RESET to CONFIG_CHANGE log msg
> > Re-add AUDIT_FEATURE_BITMASK
> >
> > ---
> > ---
> >
> > include/uapi/linux/audit.h | 6 +++++-
> > kernel/audit.c | 8 +++++++-
> > 2 files changed, 12 insertions(+), 2 deletions(-)
> >
> > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > index c8dc97b..3f24110 100644
> > --- a/include/uapi/linux/audit.h
> > +++ b/include/uapi/linux/audit.h
> > @@ -326,15 +326,19 @@ enum {
> >
> > #define AUDIT_STATUS_RATE_LIMIT 0x0008
> > #define AUDIT_STATUS_BACKLOG_LIMIT 0x0010
> > #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
> >
> > +#define AUDIT_STATUS_LOST 0x0040
> >
> > #define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
> > #define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
> > #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
> > #define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
> >
> > +#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
> > +
> >
> > #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT |
> > \
> >
> > AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
> > AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH | \
> >
> > - AUDIT_FEATURE_BITMAP_SESSIONID_FILTER)
> > + AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
> > + AUDIT_FEATURE_BITMAP_LOST_RESET)
> >
> > /* deprecated: AUDIT_VERSION_* */
> > #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
> >
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 57acf25..25dd70a 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -121,7 +121,7 @@ u32 audit_sig_sid = 0;
> >
> > 3) suppressed due to audit_rate_limit
> > 4) suppressed due to audit_backlog_limit
> >
> > */
> >
> > -static atomic_t audit_lost = ATOMIC_INIT(0);
> > +static atomic_t audit_lost = ATOMIC_INIT(0);
> >
> > /* The netlink socket. */
> > static struct sock *audit_sock;
> >
> > @@ -1052,6 +1052,12 @@ static int audit_receive_msg(struct sk_buff *skb,
> > struct nlmsghdr *nlh) if (err < 0)
> >
> > return err;
> >
> > }
> >
> > + if (s.mask == AUDIT_STATUS_LOST) {
> > + u32 lost = atomic_xchg(&audit_lost, 0);
> > +
> > + audit_log_config_change("lost", 0, lost, 1);
> > + return lost;
> > + }
> >
> > break;
> >
> > }
> > case AUDIT_GET_FEATURE:
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635