On Thursday 28 April 2005 11:52, Steve Grubb wrote:
On Wednesday 27 April 2005 12:35, Steve Grubb wrote:
> The attached patch addresses the problem with getting the audit daemon
> shutdown credential information. It creates a new message type
> AUDIT_SIGNAL_INFO, which is used by the audit daemon to query who issued
> the shutdown or reload.
>
> It requires the placement of a hook function that gathers the
> information. The hook is after the DAC & MAC checks and before the
> function returns. Racing threads could overwrite the uid & pid - but they
> would have to be root and have policy that allows signalling the audit
> daemon. That should be a manageable risk.
>
> The userspace component will be released later in audit 0.7.2. When it
> receives the TERM signal, it queries the kernel for shutdown information.
> When it receives it, it writes the message and exits. The message looks
> like this:
>
> type=DAEMON msg=auditd(1114551182.000) auditd normal halt, sending
> pid=2650 uid=525, auditd pid=1685
>
> Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>
Attached is the revised patch with the audit_kill_info function prototype
moved up into the CONFIG_AUDITSYSCALL section of audit.h.
This patch also hooks SIGHUP so that we can get the credentials of who
requested the audit daemon to be reloaded. Many things were renamed since
multiple signals are now hooked.
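
Added example, not part of the original message or the audit project's code: a small parser for the halt record in the layout quoted above, which attributes each auditd shutdown to the sending pid and uid and flags senders outside an allowlist. The allowlist policy, the function names and every sample line other than the quoted record are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Record layout as shown in the quoted message; other auditd versions may differ.
HALT_RE = re.compile(
    r"type=DAEMON\s+msg=auditd\((?P<ts>\d+)\.(?P<ms>\d+)\)\s+"
    r"auditd normal halt,\s+sending\s+pid=(?P<spid>\d+)\s+uid=(?P<suid>\d+),\s+"
    r"auditd\s+pid=(?P<apid>\d+)"
)


def parse_halt_records(text):
    """Return one dict per auditd halt record found in text.

    Whitespace between tokens is matched loosely, so a record that was
    wrapped across two lines (as in the email) still parses.
    """
    records = []
    for m in HALT_RE.finditer(text):
        records.append({
            "time": datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc),
            "sender_pid": int(m["spid"]),
            "sender_uid": int(m["suid"]),
            "auditd_pid": int(m["apid"]),
        })
    return records


def unexpected_halts(records, allowed_uids=(0,)):
    """Halts whose sender uid is outside the allowlist (assumed local policy)."""
    return [r for r in records if r["sender_uid"] not in allowed_uids]


# Constructed sample: the first record is the one quoted in the email, wrapped
# as it appears there; the "start" line and the second halt are made up.
SAMPLE_LOG = """\
type=DAEMON msg=auditd(1114551182.000) auditd normal halt, sending
pid=2650 uid=525, auditd pid=1685
type=DAEMON msg=auditd(1114551300.000) auditd start, pid=1702
type=DAEMON msg=auditd(1114554000.000) auditd normal halt, sending pid=901 uid=0, auditd pid=1702
"""

if __name__ == "__main__":
    for rec in unexpected_halts(parse_halt_records(SAMPLE_LOG)):
        print(f"{rec['time'].isoformat()} auditd {rec['auditd_pid']} halted by "
              f"pid={rec['sender_pid']} uid={rec['sender_uid']}")
```

Because the message notes that racing signallers could overwrite the recorded uid and pid, the parsed sender is best treated as the last signaller the kernel saw.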