Re: [PATCH 2/2] audit: log failed attempts to change audit_pid configuration
On Friday, September 18, 2015 03:59:59 AM Richard Guy Briggs wrote:
Failed attempts to change the audit_pid configuration are not
presently
logged. One case is an attempt to starve an old auditd by starting up a
new auditd when the old one is still alive and active. The other case
is an attempt to orphan a new auditd when an old auditd shuts down.
Log both as AUDIT_CONFIG_CHANGE messages with failure result.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/audit.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)
This patch tends to reinforce the idea of a hijack message instead of a ping
message. Unfortunately, we can't use audit_log_config_change() to generate
the hijack message as it queues the record, but you get the idea.
diff --git a/kernel/audit.c b/kernel/audit.c
index 3399ab2..65dcd45 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -883,12 +883,16 @@ static int audit_receive_msg(struct sk_buff *skb,
struct nlmsghdr *nlh) pid_t requesting_pid = task_tgid_vnr(current);
u32 portid = NETLINK_CB(skb).portid;
- if ((!new_pid) && (requesting_pid != audit_pid))
+ if ((!new_pid) && (requesting_pid != audit_pid)) {
+ audit_log_config_change("audit_pid", new_pid, audit_pid, 0);
return -EACCES;
+ }
if (audit_pid && new_pid &&
audit_ping(requesting_pid, nlmsg_hdr(skb)->nlmsg_seq, portid)
!=
- -ECONNREFUSED)
+ -ECONNREFUSED) {
+ audit_log_config_change("audit_pid", new_pid, audit_pid, 0);
return -EEXIST;
+ }
if (audit_enabled != AUDIT_OFF)
audit_log_config_change("audit_pid", new_pid, audit_pid, 1);
audit_pid = new_pid;
--
paul moore
security @ redhat