On Mon, Jan 09, 2006 at 09:48:17AM -0500, Steve Grubb wrote:
Hi,
The following patch adds a little more information to the add/remove rule message emitted
by the kernel.
Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>
diff -urp linux-2.6.14.orig/include/linux/audit.h linux-2.6.14/include/linux/audit.h
--- linux-2.6.14.orig/include/linux/audit.h 2006-01-05 10:13:30.000000000 -0500
+++ linux-2.6.14/include/linux/audit.h 2006-01-05 10:12:09.000000000 -0500
@@ -238,7 +238,7 @@ struct audit_rule { /* for AUDIT_LIST,
__u32 flags; /* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */
__u32 action; /* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */
__u32 field_count;
- __u32 mask[AUDIT_BITMASK_SIZE];
+ __u32 mask[AUDIT_BITMASK_SIZE]; /* syscall(s) affected */
__u32 fields[AUDIT_MAX_FIELDS];
__u32 values[AUDIT_MAX_FIELDS];
};
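Review bot: the new comment on `+ __u32 mask[AUDIT_BITMASK_SIZE]; /* syscall(s) affected */` still leaves the encoding undocumented, and this struct is the userspace-facing layout for AUDIT_LIST/AUDIT_ADD/AUDIT_DEL, so the header is where a reader will look for it. Suggest saying that it is a bitmask indexed by syscall number, one bit per syscall spread across the AUDIT_BITMASK_SIZE 32-bit words, e.g. `/* bitmask of syscall numbers this rule applies to, one bit per syscall */`, rather than "syscall(s) affected", which names the purpose but not how to build or decode the array.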
diff -urp linux-2.6.14.orig/kernel/auditfilter.c linux-2.6.14/kernel/auditfilter.c
--- linux-2.6.14.orig/kernel/auditfilter.c 2006-01-05 10:13:40.000000000 -0500
+++ linux-2.6.14/kernel/auditfilter.c 2006-01-05 10:11:29.000000000 -0500
@@ -243,9 +243,9 @@ int audit_receive_filter(int type, int p
;
}
err = audit_add_rule(data, &audit_filter_list[listnr]);
- if (!err)
- audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
- "auid=%u added an audit rule\n", loginuid);
+ audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+ "auid=%u added rule to list=%d res=%d\n",
+ loginuid, listnr, !err);
I just noticed that the record says "added rule to list" regardless of
whether the rule was actually added. For the sake of clarity, it
should probably now say "add rule to list" since we're logging the
message on success and failure now.
break;
case AUDIT_DEL:
listnr =((struct audit_rule *)data)->flags & ~AUDIT_FILTER_PREPEND;
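Review bot: `res=%d` with `!err` collapses every failure of audit_add_rule into res=0, so the new record tells an auditor that a rule was rejected but not why (bad field, bad list, allocation failure all look the same). Since the point of the change is to make the record more informative, consider carrying the error code as well, for example `"auid=%u added rule to list=%d res=%d err=%d\n"` with `loginuid, listnr, !err, err`, so that res=0 records can be triaged from the log alone. Separately, because the message is now emitted on both the success and failure path, the text should describe the attempt rather than a completed action (the "added" versus "add" point raised above); otherwise a res=0 line reads as a successful add to anyone who does not parse the res field.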
@@ -253,9 +253,9 @@ int audit_receive_filter(int type, int p
return -EINVAL;
err = audit_del_rule(data, &audit_filter_list[listnr]);
- if (!err)
- audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
- "auid=%u removed an audit rule\n", loginuid);
+ audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+ "auid=%u removed rule from list=%d res=%d\n",
+ loginuid, listnr, !err);
Same here.
break;
default:
return -EINVAL;
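Review bot: the `return -EINVAL;` at the top of this hunk (invalid list number) exits before audit_del_rule and before the new audit_log call, so a removal request with an out-of-range list leaves no AUDIT_CONFIG_CHANGE record at all, while one that reaches audit_del_rule and fails now produces res=0; the two failure modes are recorded inconsistently. If the intent is that every attempt to change the rule set is audited, the early-return path should also log, with res=0 and the offending listnr, before returning. The same consideration applies to the `default: return -EINVAL;` arm, which rejects unknown message types silently.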
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit