[PATCH] [AUDIT] Fix ANOM_PROMISCUOUS message format

Eric Paris eparis at redhat.com
Thu Jan 10 18:07:14 UTC 2008


On Thu, 2008-01-10 at 15:25 -0200, Klaus Heinrich Kiwi wrote:
> Steve, as we talked earlier through IRC, ausearch/aureport are expecting
> the kernel anomalies messages to have auid= uid= gid= fields (in this
> order). This quick patch changes the ANOM_PROMISCUOUS message to the
> correct format (as already used by ANOM_ABEND).
> 
> Applies on 2.6.24-rc7 from the audit.git tree
> 
> -- 
> Klaus Heinrich Kiwi
> Security Development - IBM Linux Technology Center
> 
> --
> 
> Fix ANOM_PROMISCUOUS message to the format as expected by
> audit userspace: auid=%u uid=%u gid=%u [...]

Not that I have a problem with auditing uid and gid in ANOM_PROMISCUOUS
messages but doing it 'just because that's how userspace wants it'
doesn't seem like a good solution (aka if that were it I'd say fix
userspace not the kernel).

Anyway, let's stick with conventions of ordering, first is what happened,
second is who-dun-it.

dev=%s prom=%d old_prom=%d auid=%d uid=%u gid=%u ses=%u

I guess I'm ok with adding if(audit_enabled) in the same patch.

I'm not ok with adding some sort of "disable just this message" in the
same patch.

-Eric

> 
> Signed-off-by: Klaus Heinrich Kiwi <klausk at br.ibm.com>
> ---
>  net/core/dev.c |    5 +++--
>  1 files changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/net/core/dev.c b/net/core/dev.c
> index 0848da3..cd49cd0 100644
> --- a/net/core/dev.c
> +++ b/net/core/dev.c
> @@ -2759,10 +2759,11 @@ static void __dev_set_promiscuity(struct net_device *dev, int inc)
>  							       "left");
>  		audit_log(current->audit_context, GFP_ATOMIC,
>  			AUDIT_ANOM_PROMISCUOUS,
> -			"dev=%s prom=%d old_prom=%d auid=%u ses=%u",
> +			"auid=%u uid=%u gid=%u dev=%s prom=%d old_prom=%d ses=%u",
> +			audit_get_loginuid(current->audit_context),
> +			current->uid, current->gid,
>  			dev->name, (dev->flags & IFF_PROMISC),
>  			(old_flags & IFF_PROMISC),
> -			audit_get_loginuid(current->audit_context),
>  			audit_get_sessionid(current->audit_context));
>  
>  		if (dev->change_rx_flags)
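
Review bot: The new format string on the `+` line moves auid= to the front, which reorders the existing dev=, prom= and old_prom= fields and changes the record for any consumer that matched the old layout. Appending `uid=%u gid=%u` directly after the existing `auid=%u`, with `current->uid, current->gid` placed after the `audit_get_loginuid()` argument where it already sits, would add the new fields without moving the old ones. The argument order in the hunk does match the new format string as written. The commit message gives only "as expected by audit userspace" as the reason; it should say what uid and gid add to this record.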
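
An added example, not part of the original thread or of the audit userspace code: a log consumer that looks up ANOM_PROMISCUOUS fields by name, so it reads the pre-patch, patched and reply-suggested orderings alike and reports devices entering promiscuous mode. The sample records are constructed, and treating 4294967295 as an unset auid is an assumption of this sketch.

```python
import re

# Constructed sample records (not from the thread): pre-patch order, the order
# proposed in the patch, the order suggested in the reply, and an unrelated type.
SAMPLE_RECORDS = [
    "type=ANOM_PROMISCUOUS msg=audit(1199988434.101:41): dev=eth0 prom=256 old_prom=0 auid=500 ses=3",
    "type=ANOM_PROMISCUOUS msg=audit(1199988450.202:42): auid=500 uid=0 gid=0 dev=eth0 prom=0 old_prom=256 ses=3",
    "type=ANOM_PROMISCUOUS msg=audit(1199988461.303:43): dev=eth1 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295",
    "type=SYSCALL msg=audit(1199988470.404:44): arch=c000003e syscall=2 success=yes",
]

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET = 4294967295  # assumption: (u32)-1 printed with %u means "no login uid"


def parse_record(line):
    """Return (type, serial, fields) or None; fields are keyed by name."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(m.group(4))}
    return m.group(1), int(m.group(3)), fields


def promisc_entries(lines):
    """Return devices entering promiscuous mode, regardless of field order."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec[0] != "ANOM_PROMISCUOUS":
            continue
        _, serial, f = rec
        # prom/old_prom carry the masked flag value, so test for non-zero.
        if int(f.get("prom", 0)) and not int(f.get("old_prom", 0)):
            auid = int(f["auid"]) if "auid" in f else None
            out.append({
                "serial": serial,
                "dev": f.get("dev"),
                "auid": None if auid in (None, UNSET) else auid,
                "uid": int(f["uid"]) if "uid" in f else None,  # absent pre-patch
            })
    return out


if __name__ == "__main__":
    for hit in promisc_entries(SAMPLE_RECORDS):
        print(hit)
```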



