Fwd: Re: Fw: Audit records for start/stop auditd

Steve Grubb sgrubb at redhat.com
Fri Apr 8 22:12:35 UTC 2005


On Friday 08 April 2005 17:11, David Woodhouse wrote:
> Going back to the issue of auditd shutdown, however -- are we satisfied
> with merely generating records when the audit_pid is signalled, or
> should I revert that patch while we seek a better solution?

I've never seen kernel 19 log the signal.

We are going to have the exact same problem when we add the code for LSPP. I'd 
like to have a solution lined up so we don't face the same problem. When we 
start making the LSPP capable, we will need to record the SE Linux label for 
the user that sent the signal.

What we could do is perform a switcheroo in the kernel. If a signal is 
permitted to be sent to the audit daemon, put the loginuid into the si_uid 
field of siginfo_t. si_uid will always be 0, so why not overwrite it with 
something meaningful? Next question would be what field could we use for the 
SE Linux context?

Otherwise, I think a SA_AUDITINFO sigaction flag would be cleanest. Basically, 
if we set that flag, it still uses the same function signature:

void (*sa_sigaction)(int, siginfo_t *, void *);

But we would use a different structure to access the contents of the siginfo_t 
pointer. As far as I know, we only need 3-4 fields, so it's smaller than 
siginfo_t.

-Steve
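As an added illustration (not code from this thread or from the audit project), the following sketch shows what a daemon can record today with only SA_SIGINFO: the sender's si_pid and si_uid as delivered by the kernel, plus a best-effort read of /proc/<pid>/loginuid from the main loop, which is exactly the racy step the proposals above would remove. Helper names are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Set by the handler; sig_atomic_t keeps the stores async-signal-safe. */
static volatile sig_atomic_t got_signal = 0, sender_pid = 0, sender_uid = -1;

/* SA_SIGINFO handler: stash si_pid/si_uid (the fields the kernel fills in today); no I/O here. */
static void record_sender(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    sender_pid = si->si_pid;
    sender_uid = (sig_atomic_t)si->si_uid;
    got_signal = 1;
}

/* Install record_sender for one signal (hypothetical helper name). */
int install_handler(int sig) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = record_sender;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(sig, &sa, NULL);
}

/* Parse the text of /proc/<pid>/loginuid; 4294967295 ((uid_t)-1) means no
 * login uid was ever set. Returns 0 on success, -1 on malformed input. */
int parse_loginuid(const char *text, uid_t *out) {
    char *end;
    errno = 0;
    unsigned long v = strtoul(text, &end, 10);
    if (errno || end == text || v > 0xffffffffUL) return -1;
    *out = (uid_t)v;
    return 0;
}

/* Called later from the main loop, never from the handler. Racy: the sender
 * may already be gone, the gap the thread wants closed by carrying loginuid in siginfo_t. */
int lookup_loginuid(pid_t pid, uid_t *out) {
    char path[64], buf[32];
    snprintf(path, sizeof path, "/proc/%d/loginuid", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    int ok = fgets(buf, sizeof buf, f) != NULL;
    fclose(f);
    return ok ? parse_loginuid(buf, out) : -1;
}
```

The handler stores only raw integers because anything heavier (file I/O, logging) is unsafe inside a signal handler; the /proc lookup belongs in the daemon's normal event loop.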