11:14 a.m.
Hello,
I was testing the kernel and found a problem where the credentials are not
being recorded for LOGIN messages. Here's a typical message:
type=LOGIN msg=audit(1114444861.363:0): login pid=0 uid=0 old
loginuid=4294967295 new loginuid=0
The pid cannot be 0. The problem is that the kernel code assumes the
information is in the audit context. What if audit_get_context has never been
called for that process?
Attached is a patch that passes the needed info out of the task struct to the
function that emits the message.
-Steve
11:22 a.m.
On Mon, 25 Apr 2005 12:14:24 EDT, Steve Grubb said:
type=LOGIN msg=audit(1114444861.363:0): login pid=0 uid=0 old
loginuid=4294967295 new loginuid=0
The pid cannot be 0. The problem is that the kernel code assumes the
information is in the audit context. What if audit_get_context has never been
called for that process?
OK.. I'll bite - why wasn't audit_get_context called? Unless we've looked at
it and decided that it's a reasonable thing to happen, your patch is just
papering over a bug that will come back to bite us later...
11:29 a.m.
On Monday 25 April 2005 12:22, Valdis.Kletnieks(a)vt.edu wrote:
OK.. I'll bite - why wasn't audit_get_context called?
Because this normally happens at login. The login process may not be audited
depending on the rules.
Unless we've looked at it and decided that it's a reasonable
thing to
happen, your patch is just papering over a bug that will come back to bite
us later...
Its harmless. Calling audit_get_context is too heavy for the job at hand.
-Steve
11:38 a.m.
On Mon, 25 Apr 2005 12:29:31 EDT, Steve Grubb said:
On Monday 25 April 2005 12:22, Valdis.Kletnieks(a)vt.edu wrote:
> OK.. I'll bite - why wasn't audit_get_context called?
Because this normally happens at login. The login process may not be audited
depending on the rules.
Hmm.. OK... Let me go and get my brain wrapped around the idea of an audit
requirement that doesn't audit logins.. :)
11:45 a.m.
* Valdis.Kletnieks(a)vt.edu (Valdis.Kletnieks(a)vt.edu) wrote:
On Mon, 25 Apr 2005 12:29:31 EDT, Steve Grubb said:
> On Monday 25 April 2005 12:22, Valdis.Kletnieks(a)vt.edu wrote:
> > OK.. I'll bite - why wasn't audit_get_context called?
>
> Because this normally happens at login. The login process may not be audited
> depending on the rules.
Hmm.. OK... Let me go and get my brain wrapped around the idea of an audit
requirement that doesn't audit logins.. :)
It's an odd case. The audit context doesn't necessarily need to be
complete in the sense of syscall audit. audit_get_context fills out all
those extra bits (auditable, return_code, etc). In this case, the
loginuid msg is almost like a status message from the audit system
itself. Perhaps the api is a bit odd for this case, and some refactoring
could be done...
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
11:23 a.m.
* Steve Grubb (sgrubb(a)redhat.com) wrote:
Hello,
I was testing the kernel and found a problem where the credentials are not
being recorded for LOGIN messages. Here's a typical message:
type=LOGIN msg=audit(1114444861.363:0): login pid=0 uid=0 old
loginuid=4294967295 new loginuid=0
The pid cannot be 0. The problem is that the kernel code assumes the
information is in the audit context. What if audit_get_context has never been
called for that process?
Attached is a patch that passes the needed info out of the task struct to the
function that emits the message.
Any reason not to simply pass the task in?
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
7181
days inactive
7181
days old
linux-audit@lists.linux-audit.osci.io
6 comments
3 participants
participants (3)
-
Chris Wright -
Steve Grubb -
Valdis.Kletnieks@vt.edu