[Linux-ima-user] [PATCH] audit: fix dangling keywords in integrity ima message output

Mimi Zohar zohar at linux.vnet.ibm.com
Wed Jun 18 02:08:43 UTC 2014 

On Mon, 2014-06-16 at 15:52 -0400, Richard Guy Briggs wrote:
> Replace spaces in op keyword labels in log output since userspace audit tools
> can't parse orphaned keywords.

The patch didn't apply cleanly to linux-integrity/#next.  Please take a
look at it (linux-integrity/#next-fixes).

thanks,

Mimi 


> Reported-by: Steve Grubb <sgrubb at redhat.com>
> Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
> ---
>  security/integrity/ima/ima_appraise.c |    2 +-
>  security/integrity/ima/ima_policy.c   |    6 +++---
>  2 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index 734e946..61c95af 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -214,7 +214,7 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
>  		hash_start = 1;
>  	case IMA_XATTR_DIGEST:
>  		if (iint->flags & IMA_DIGSIG_REQUIRED) {
> -			cause = "IMA signature required";
> +			cause = "IMA-signature-required";
>  			status = INTEGRITY_FAIL;
>  			break;
>  		}
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index a9c3d3c..dbdc528 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -330,7 +330,7 @@ void __init ima_init_policy(void)
>  void ima_update_policy(void)
>  {
>  	const char *op = "policy_update";
> -	const char *cause = "already exists";
> +	const char *cause = "already-exists";
>  	int result = 1;
>  	int audit_info = 0;
> 
> @@ -654,7 +654,7 @@ ssize_t ima_parse_add_rule(char *rule)
>  	/* Prevent installed policy from changing */
>  	if (ima_rules != &ima_default_rules) {
>  		integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
> -				    NULL, op, "already exists",
> +				    NULL, op, "already-exists",
>  				    -EACCES, audit_info);
>  		return -EACCES;
>  	}
> @@ -680,7 +680,7 @@ ssize_t ima_parse_add_rule(char *rule)
>  	if (result) {
>  		kfree(entry);
>  		integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
> -				    NULL, op, "invalid policy", result,
> +				    NULL, op, "invalid-policy", result,
>  				    audit_info);
>  		return result;
>  	}

More information about the Linux-audit mailing list