On Sat, 2005-12-03 at 08:39 -0500, Steve Grubb wrote:
@@ -2121,6 +2122,12 @@ void dev_set_promiscuity(struct net_devi
printk(KERN_INFO "device %s %s promiscuous mode\n",
dev->name, (dev->flags & IFF_PROMISC) ?
"entered" :
"left");
+ audit_log(current->audit_context, GFP_KERNEL,
+ AUDIT_ANOM_PROMISCUOUS,
+ "dev=%s prom=%d old_prom=%d auid=%u",
+ dev->name, (dev->flags & IFF_PROMISC),
+ (old_flags & IFF_PROMISC),
+ audit_get_loginuid(current->audit_context));
}
}
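Review bot: the `prom=%d` and `old_prom=%d` fields in the added audit_log() call are passed `(dev->flags & IFF_PROMISC)` and `(old_flags & IFF_PROMISC)`, which are the raw masked bit, not 0 or 1. With promiscuous mode on, the record will carry the flag's numeric value (IFF_PROMISC is 0x100, so 256). Normalising both arguments, for example `!!(dev->flags & IFF_PROMISC)`, gives audit consumers a boolean they can match on. Two further things to confirm for the same call: that every path into dev_set_promiscuity() is allowed to sleep, since the allocation flag is GFP_KERNEL, and that `current` is always the task responsible for the change, since auid is read from current->audit_context.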
Looking at this printk(KERN_INFO ...) and audit_log(...).
As long as it's just a small handful of isolated anomalous events that
we need to feed to the audit subsystem, I think we'll be okay. But if
we start following lots of printk(KERN_INFO ...) calls with
audit_log(...) calls, we should probably consider if the printk() should
just do the audit_log() if some auditing flag has been raised.
This isn't bothering me yet, but something to think about if there are
dozens of places in the kernel that start calling printk and audit_log.
:-Dustin
--
Dustin Kirkland <dustin.kirkland(a)us.ibm.com>