User space message bug

Steve Grubb sgrubb at redhat.com
Tue Jun 14 15:04:59 UTC 2005


Hello,

I was doing some testing and found that user space messages are sent without checking the audit_enabled flag:

[root at endeavor ~]# auditctl -e 0
AUDIT_STATUS: enabled=0 flag=1 pid=1701 rate_limit=0 backlog_limit=1024 lost=0 backlog=0
[root at endeavor ~]# auditctl -m "This is a test"
[root at endeavor ~]# ausearch -m USER
----
time->Tue Jun 14 10:48:43 2005
type=USER msg=audit(1118760523.312:13408080): user pid=24223 uid=0 auid=4294967295 msg='This is a test'

The following patch fixes it:

diff -ur linux-2.6.9.orig/kernel/audit.c linux-2.6.9/kernel/audit.c
--- linux-2.6.9.orig/kernel/audit.c     2005-06-14 10:50:16.000000000 -0400
+++ linux-2.6.9/kernel/audit.c  2005-06-14 10:53:05.000000000 -0400
@@ -444,6 +444,8 @@
                break;
        case AUDIT_USER:
        case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
+               if (!audit_enabled)
+                       break;
                ab = audit_log_start(NULL, msg_type);
                if (!ab)
                        break;  /* audit_panic has been called */
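
Review bot: The added "if (!audit_enabled) break;" at the top of the AUDIT_USER / AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG case discards the message with no indication to the sender and no comment, unlike the "!ab" path just below it, which documents why it breaks. Please confirm what status the switch hands back to user space after this break. If it is success, a tool such as "auditctl -m" cannot tell a logged record from a dropped one, so either return a distinct error or add a one-line comment stating that user messages are intentionally dropped while auditing is disabled. Placing the check before audit_log_start() is right, since it avoids allocating a buffer for a record that will not be written.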

Signed-off-by: Steve Grubb <sgrubb at redhat.com>



