[PATCH 1/1] Added exe field to audit core dump signal log
Richard Guy Briggs
rgb at redhat.com
Wed Nov 20 21:47:06 UTC 2013
On Thu, Nov 14, 2013 at 08:56:57AM +0530, Paul Davies C wrote:
> Currently when the coredump signals are logged by the audit system , the
> actual path to the executable is not logged. Without details of exe , the
> system admin may not have an exact idea on what program failed.
>
> This patch changes the audit_log_task() so that the path to the exe is also
> logged.
Out of curiosity, on which platform are you observing this? This sounds
related to Bill Roberts' recent cmdline patches.
I also wonder how reliable this is, or whether it could have been
changed from under us by deletion or rename after invocation.
This BZ sounds related:
https://bugzilla.redhat.com/show_bug.cgi?id=837856
https://bugzilla.redhat.com/show_bug.cgi?id=831684
> Signed-off-by: Paul Davies C <pauldaviesc at gmail.com>
> ---
> kernel/auditsc.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 9845cb3..988de72 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab)
> kuid_t auid, uid;
> kgid_t gid;
> unsigned int sessionid;
> + struct mm_struct *mm = current->mm;
>
> auid = audit_get_loginuid(current);
> sessionid = audit_get_sessionid(current);
> @@ -2366,6 +2367,12 @@ static void audit_log_task(struct audit_buffer *ab)
> audit_log_task_context(ab);
> audit_log_format(ab, " pid=%d comm=", current->pid);
> audit_log_untrustedstring(ab, current->comm);
> + if (mm) {
> + down_read(&mm->mmap_sem);
> + if (mm->exe_file)
> + audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
> + up_read(&mm->mmap_sem);
> + }
> }
>
> static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
> --
> 1.7.9.5
- RGB
--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
More information about the Linux-audit
mailing list