[PATCH] [AUDIT] Fix ANOM_PROMISCUOUS message format
Eric Paris
eparis at redhat.com
Thu Jan 10 18:07:14 UTC 2008
On Thu, 2008-01-10 at 15:25 -0200, Klaus Heinrich Kiwi wrote:
> Steve, as we talked earlier through IRC, ausearch/aureport are expecting
> the kernel anomalies messages to have auid= uid= gid= fields (in this
> order). This quick patch changes the ANOM_PROMISCUOUS message to the
> correct format (as already used by ANOM_ABEND).
>
> Applies on 2.6.24-rc7 from the audit.git tree
>
> --
> Klaus Heinrich Kiwi
> Security Development - IBM Linux Technology Center
>
> --
>
> Fix ANOM_PROMISCUOUS message to the format as expected by
> audit userspace: auid=%u uid=%u gid=%u [...]

Not that I have a problem with auditing uid and gid in ANOM_PROMISCUOUS
messages, but doing it 'just because that's how userspace wants it'
doesn't seem like a good solution (aka if that were it I'd say fix
userspace, not the kernel).

Anyway, let's stick with conventions of ordering: first is what happened,
second is who-dun-it.

dev=%s prom=%d old_prom=%d auid=%d uid=%u gid=%u ses=%u

I guess I'm ok with adding if(audit_enabled) in the same patch.
I'm not ok with adding some sort of "disable just this message" in the
same patch.

-Eric

>
> Signed-off-by: Klaus Heinrich Kiwi <klausk at br.ibm.com>
> ---
> net/core/dev.c | 5 +++--
> 1 files changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/net/core/dev.c b/net/core/dev.c
> index 0848da3..cd49cd0 100644
> --- a/net/core/dev.c
> +++ b/net/core/dev.c
> @@ -2759,10 +2759,11 @@ static void __dev_set_promiscuity(struct net_device *dev, int inc)
> "left");
> audit_log(current->audit_context, GFP_ATOMIC,
> AUDIT_ANOM_PROMISCUOUS,
> - "dev=%s prom=%d old_prom=%d auid=%u ses=%u",
> + "auid=%u uid=%u gid=%u dev=%s prom=%d old_prom=%d ses=%u",
> + audit_get_loginuid(current->audit_context),
> + current->uid, current->gid,
> dev->name, (dev->flags & IFF_PROMISC),
> (old_flags & IFF_PROMISC),
> - audit_get_loginuid(current->audit_context),
> audit_get_sessionid(current->audit_context));
>
> if (dev->change_rx_flags)
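
Review bot: The new format string on the added line splits the subject identifiers: auid=, uid= and gid= move to the front while ses= stays at the end after old_prom=, so the who-fields are no longer contiguous, and dev=, prom= and old_prom= shift position for any consumer that read the old record layout. Either keep the event fields first and place uid= and gid= next to auid= and ses=, or state in the commit message that the layout is deliberately aligned with ANOM_ABEND and spell out the full final field order instead of ending the description with "[...]". The argument list does line up with the specifiers as written (loginuid, current->uid, current->gid, dev->name, the two IFF_PROMISC masks, session id), so the reordering itself is consistent; the open question is only the record layout and its documentation.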