6:48 a.m.
Hi,
I was doing some testing and noticed that when the audit system was disabled,
I was still getting messages about the loginuid being set. The following patch
makes audit_set_loginuid look at in_syscall to determine if it should create
an audit event. The loginuid will continue to be set as long as there is a context.
Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>
diff -urp linux-2.6.16.x86_64.orig/kernel/auditsc.c linux-2.6.16.x86_64/kernel/auditsc.c
--- linux-2.6.16.x86_64.orig/kernel/auditsc.c 2006-06-10 14:01:20.000000000 -0400
+++ linux-2.6.16.x86_64/kernel/auditsc.c 2006-06-10 14:00:14.000000000 -0400
@@ -1275,18 +1275,23 @@ void auditsc_get_stamp(struct audit_cont
*/
int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
{
- if (task->audit_context) {
- struct audit_buffer *ab;
+ struct audit_context *context = task->audit_context;
- ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
- if (ab) {
- audit_log_format(ab, "login pid=%d uid=%u "
- "old auid=%u new auid=%u",
- task->pid, task->uid,
- task->audit_context->loginuid, loginuid);
- audit_log_end(ab);
+ if (context) {
+ /* Only log if audit is enabled */
+ if (context->in_syscall) {
+ struct audit_buffer *ab;
+
+ ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
+ if (ab) {
+ audit_log_format(ab, "login pid=%d uid=%u "
+ "old auid=%u new auid=%u",
+ task->pid, task->uid,
+ context->loginuid, loginuid);
+ audit_log_end(ab);
+ }
}
- task->audit_context->loginuid = loginuid;
+ context->loginuid = loginuid;
}
return 0;
}
4:39 p.m.
Steve Grubb wrote: [Mon Jun 12 2006, 07:48:28AM EDT]
I was doing some testing and noticed that when the audit system was
disabled,
I was still getting messages about the loginuid being set. The following patch
makes audit_set_loginuid look at in_syscall to determine if it should create
an audit event. The loginuid will continue to be set as long as there is a context.
Do we really want to do away with these records? The loginuid is used
in several records that can be logged even with syscall auditing
disabled, e.g. AUDIT_CONFIG_CHANGE records generated by AUDIT_SET
operations.
It seems like we would want the LOGIN records for a complete trail of
what happened.
Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>
diff -urp linux-2.6.16.x86_64.orig/kernel/auditsc.c linux-2.6.16.x86_64/kernel/auditsc.c
--- linux-2.6.16.x86_64.orig/kernel/auditsc.c 2006-06-10 14:01:20.000000000 -0400
+++ linux-2.6.16.x86_64/kernel/auditsc.c 2006-06-10 14:00:14.000000000 -0400
@@ -1275,18 +1275,23 @@ void auditsc_get_stamp(struct audit_cont
*/
int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
{
- if (task->audit_context) {
- struct audit_buffer *ab;
+ struct audit_context *context = task->audit_context;
- ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
- if (ab) {
- audit_log_format(ab, "login pid=%d uid=%u "
- "old auid=%u new auid=%u",
- task->pid, task->uid,
- task->audit_context->loginuid, loginuid);
- audit_log_end(ab);
+ if (context) {
+ /* Only log if audit is enabled */
+ if (context->in_syscall) {
+ struct audit_buffer *ab;
+
+ ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
+ if (ab) {
+ audit_log_format(ab, "login pid=%d uid=%u "
+ "old auid=%u new auid=%u",
+ task->pid, task->uid,
+ context->loginuid, loginuid);
+ audit_log_end(ab);
+ }
}
- task->audit_context->loginuid = loginuid;
+ context->loginuid = loginuid;
}
return 0;
}
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
5:08 p.m.
On Tuesday 13 June 2006 17:39, Amy Griffis wrote:
It seems like we would want the LOGIN records for a complete trail
of
what happened.
When audit is enabled, I think so. Otherwise they spam the console because
that's what syslog does with them. With audit disabled, you can already make
other changes with no record. This patch just makes it consistent with all
the other pieces.
-Steve
6767
days inactive
6768
days old
linux-audit@lists.linux-audit.osci.io
2 comments
2 participants
participants (2)
-
Amy Griffis -
Steve Grubb