[PATCH] add/remove rule update

Amy Griffis amy.griffis at hp.com
Fri Jan 13 17:44:19 UTC 2006


On Mon, Jan 09, 2006 at 09:48:17AM -0500, Steve Grubb wrote:
> Hi,
> 
> The following patch adds a little more information to the add/remove rule message emitted 
> by the kernel.
> 
> Signed-off-by: Steve Grubb <sgrubb at redhat.com>
> 
> 
> 
> diff -urp linux-2.6.14.orig/include/linux/audit.h linux-2.6.14/include/linux/audit.h
> --- linux-2.6.14.orig/include/linux/audit.h	2006-01-05 10:13:30.000000000 -0500
> +++ linux-2.6.14/include/linux/audit.h	2006-01-05 10:12:09.000000000 -0500
> @@ -238,7 +238,7 @@ struct audit_rule {		/* for AUDIT_LIST, 
>  	__u32		flags;	/* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */
>  	__u32		action;	/* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */
>  	__u32		field_count;
> -	__u32		mask[AUDIT_BITMASK_SIZE];
> +	__u32		mask[AUDIT_BITMASK_SIZE]; /* syscall(s) affected */
>  	__u32		fields[AUDIT_MAX_FIELDS];
>  	__u32		values[AUDIT_MAX_FIELDS];
>  };
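
Review bot: The comment added on `mask` in `struct audit_rule` is not covered by the patch description, which only mentions the add/remove rule message. A line in the description noting this comment-only change to audit.h would keep the two in step, or the comment could go in as its own cleanup.
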
> diff -urp linux-2.6.14.orig/kernel/auditfilter.c linux-2.6.14/kernel/auditfilter.c
> --- linux-2.6.14.orig/kernel/auditfilter.c	2006-01-05 10:13:40.000000000 -0500
> +++ linux-2.6.14/kernel/auditfilter.c	2006-01-05 10:11:29.000000000 -0500
> @@ -243,9 +243,9 @@ int audit_receive_filter(int type, int p
>  			;
>  		}
>  		err = audit_add_rule(data, &audit_filter_list[listnr]);
> -		if (!err)
> -			audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> -				  "auid=%u added an audit rule\n", loginuid);
> +		audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> +			  "auid=%u added rule to list=%d res=%d\n",
> +			  loginuid, listnr, !err);

I just noticed that the record says "added rule to list" regardless of
whether the rule was actually added.  For the sake of clarity, it
should probably now say "add rule to list" since we're logging the
message on success and failure now.

>  		break;
>  	case AUDIT_DEL:
>  		listnr =((struct audit_rule *)data)->flags & ~AUDIT_FILTER_PREPEND;
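
Review bot: In the add branch, `res=%d` is given `!err`, so the record carries only 1 or 0 and the error value returned by `audit_add_rule()` never reaches the log. Now that the record is also written on failure, consider logging `err` as well, so that a reader of the AUDIT_CONFIG_CHANGE record can tell why an add was refused.
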
> @@ -253,9 +253,9 @@ int audit_receive_filter(int type, int p
>  			return -EINVAL;
>  
>  		err = audit_del_rule(data, &audit_filter_list[listnr]);
> -		if (!err)
> -			audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> -				  "auid=%u removed an audit rule\n", loginuid);
> +		audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> +			  "auid=%u removed rule from list=%d res=%d\n",
> +			  loginuid, listnr, !err);

Same here.

>  		break;
>  	default:
>  		return -EINVAL;
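
Review bot: In the AUDIT_DEL branch, the `return -EINVAL;` just above the `audit_del_rule()` call still exits before the new `audit_log()` call, so a delete request rejected by that check produces no AUDIT_CONFIG_CHANGE record, while a failure inside `audit_del_rule()` is now logged with res=0. If the intent is to record every attempt, that early-return path should log too, or the description should say it is deliberately left out.
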