There are very important fields necessary to understand who is adding audit rules and a little more context about the environment in which its happening. This adds pid, uid, tty, subj, comm, and exe information to the event. These are required fields. * V2 added calls to audit_put_tty() See: https://github.com/linux-audit/audit-kernel/issues/59 Signed-off-by: Steve Grubb <sgrubb(a)redhat.com&gt; Reviewed-by: Richard Guy Briggs <rgb(a)redhat.com&gt; --- kernel/audit_watch.c | 24 ++++++++++++++++++++---- kernel/auditfilter.c | 19 ++++++++++++++++--- 2 files changed, 36 insertions(+), 7 deletions(-) diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c index 9eb8b3511636..fd68e99042f1 100644 --- a/kernel/audit_watch.c +++ b/kernel/audit_watch.c @@ -239,14 +239,30 @@ static struct audit_watch *audit_dupe_watch(struct audit_watch *old) static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watch *w, char *op) { if (audit_enabled) { + struct tty_struct *tty; + const struct cred *cred; struct audit_buffer *ab; + char comm[sizeof(current->comm)]; + ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE); if (unlikely(!ab)) return; - audit_log_format(ab, "auid=%u ses=%u op=%s", - from_kuid(&init_user_ns, audit_get_loginuid(current)), - audit_get_sessionid(current), op); - audit_log_format(ab, " path="); + + cred = current_cred(); + tty = audit_get_tty(current); + audit_log_format(ab, "pid=%d uid=%u auid=%u tty=%s ses=%u", + task_tgid_nr(current), + from_kuid(&init_user_ns, cred->uid), + from_kuid(&init_user_ns, + audit_get_loginuid(current)), + tty ? tty_name(tty) : "(none)", + audit_get_sessionid(current)); + audit_put_tty(tty); + audit_log_task_context(ab); + audit_log_format(ab, " comm="); + audit_log_untrustedstring(ab, get_task_comm(comm, current)); + audit_log_d_path_exe(ab, current->mm); + audit_log_format(ab, "op=%s path=", op); audit_log_untrustedstring(ab, w->path); audit_log_key(ab, r->filterkey); audit_log_format(ab, " list=%d res=1", r->listnr); diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 0b0aa5854dac..9dd4d67f1b95 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1065,8 +1065,9 @@ static void audit_list_rules(int seq, struct sk_buff_head *q) static void audit_log_rule_change(char *action, struct audit_krule *rule, int res) { struct audit_buffer *ab; - uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(current)); - unsigned int sessionid = audit_get_sessionid(current); + struct tty_struct *tty; + const struct cred *cred; + char comm[sizeof(current->comm)]; if (!audit_enabled) return; @@ -1074,8 +1075,20 @@ static void audit_log_rule_change(char *action, struct audit_krule *rule, int re ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); if (!ab) return; - audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid); + + cred = current_cred(); + tty = audit_get_tty(current); + audit_log_format(ab, "pid=%d uid=%u auid=%u tty=%s ses=%u", + task_tgid_nr(current), + from_kuid(&init_user_ns, cred->uid), + from_kuid(&init_user_ns, audit_get_loginuid(current)), + tty ? tty_name(tty) : "(none)", + audit_get_sessionid(current)); + audit_put_tty(tty); audit_log_task_context(ab); + audit_log_format(ab, " comm="); + audit_log_untrustedstring(ab, get_task_comm(comm, current)); + audit_log_d_path_exe(ab, current->mm); audit_log_format(ab, " op=%s", action); audit_log_key(ab, rule->filterkey); audit_log_format(ab, " list=%d res=%d", rule->listnr, res); -- 2.13.6