[PATCH] audit config lockdown
Steve Beattie
sbeattie at suse.de
Sat Jan 27 08:13:07 UTC 2007
On Fri, Jan 19, 2007 at 02:39:55PM -0500, Steve Grubb wrote:
> The following patch adds a new mode to the audit system. It uses the
> audit_enabled config option to introduce the idea of audit enabled, but
> configuration is immutable. Any attempt to change the configuration
> while in this mode is audited. To change the audit rules, you'd need to
> reboot the machine.
Seems reasonable to me. Just a couple of comments.
> This patch also adds "res=" to a number of configuration commands that did not
> have it before.
The res= idiom is unfamiliar to me, seems like an is_xxx name
(is_allowed?) would make it clear what the intent is for.
> @@ -64,7 +64,9 @@
> * (Initialization happens after skb_init is called.) */
> static int audit_initialized;
>
> -/* No syscall auditing will take place unless audit_enabled != 0. */
> +/* 0 - no auditing
> + * 1 - auditing enabled
> + * 2 - auditing enabled and configuration is locked/unchangeable. */
> int audit_enabled;
You probably want a #define or enum for these values, rather than
using magic numbers.
Thanks.
--
Steve Beattie
SUSE Labs, Novell Inc.
<sbeattie at suse.de>
http://NxNW.org/~steve/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20070127/39d55d7e/attachment.sig>
More information about the Linux-audit
mailing list