[PATCH v2] audit: add feature audit_lost reset

Steve Grubb sgrubb at redhat.com
Fri Dec 16 00:22:19 UTC 2016


On Thursday, December 15, 2016 3:39:16 PM EST Paul Moore wrote:
> On Sat, Dec 10, 2016 at 6:52 AM, Richard Guy Briggs <rgb at redhat.com> wrote:
> > Add a method to reset the audit_lost value.
> > 
> > An AUDIT_SET message with the AUDIT_STATUS_LOST flag set by itself
> > will return a positive value representing the current audit_lost value
> > and reset the counter to zero.  If AUDIT_STATUS_LOST is not the
> > only flag set, the reset command will be ignored.  The value sent with
> > the command is ignored.
> > 
> > An AUDIT_LOST_RESET message will be sent to the listening audit daemon.
> > The data field will contain a u32 with the positive value of the
> > audit_lost value when it was reset.
> > 
> > See: https://github.com/linux-audit/audit-kernel/issues/3
> > 
> > Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
> > ---
> > 
> >  include/uapi/linux/audit.h |    2 ++
> >  kernel/audit.c             |    8 +++++++-
> >  2 files changed, 9 insertions(+), 1 deletions(-)
> > 
> > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > index 208df7b..6d38bff 100644
> > --- a/include/uapi/linux/audit.h
> > +++ b/include/uapi/linux/audit.h
> > @@ -70,6 +70,7 @@
> > 
> >  #define AUDIT_TTY_SET          1017    /* Set TTY auditing status */
> >  #define AUDIT_SET_FEATURE      1018    /* Turn an audit feature on or off
> >  */ #define AUDIT_GET_FEATURE      1019    /* Get which features are
> >  enabled */> 
> > +#define AUDIT_LOST_RESET       1020    /* Reset the audit_lost value */
> > 
> >  #define AUDIT_FIRST_USER_MSG   1100    /* Userspace messages mostly
> >  uninteresting to kernel */ #define AUDIT_USER_AVC         1107    /* We
> >  filter this differently */> 
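Review bot: the comment on AUDIT_LOST_RESET (1020) should say what the message carries and when it is sent (a u32 holding the pre-reset audit_lost count, sent in reply to an AUDIT_SET with AUDIT_STATUS_LOST alone, per the commit message); the neighbouring entries document their role and this one only says "Reset the audit_lost value", which reads as a request type rather than a reply. If the discussion settles on logging an audit record instead of sending a reply, this uapi constant should be dropped from the patch before it ships, since uapi message numbers cannot be retracted once exposed.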
> > @@ -325,6 +326,7 @@ enum {
> > 
> >  #define AUDIT_STATUS_RATE_LIMIT                0x0008
> >  #define AUDIT_STATUS_BACKLOG_LIMIT     0x0010
> >  #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
> > 
> > +#define AUDIT_STATUS_LOST              0x0040
> > 
> >  #define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT     0x00000001
> >  #define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
> > 
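Review bot: AUDIT_STATUS_LOST (0x0040) does not behave like the other AUDIT_STATUS_* bits, which each validate one field of struct audit_status: the kernel side honours it only when it is the sole bit in s.mask (the check in kernel/audit.c is `s.mask == AUDIT_STATUS_LOST`), and a combined mask silently skips the reset rather than returning an error. That rule belongs in a comment next to the define, e.g. `/* reset audit_lost; must be the only bit set in mask */`, so a caller that ORs it into an existing AUDIT_SET does not believe the counter was cleared when it was not. The value 0x0040 itself is the next free bit after AUDIT_STATUS_BACKLOG_WAIT_TIME (0x0020), so no collision.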
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index f1ca116..19cfee0 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -122,7 +122,7 @@
> > 
> >     3) suppressed due to audit_rate_limit
> >     4) suppressed due to audit_backlog_limit
> >  
> >  */
> > 
> > -static atomic_t    audit_lost = ATOMIC_INIT(0);
> > +static atomic_t        audit_lost = ATOMIC_INIT(0);
> > 
> >  /* The netlink socket. */
> >  static struct sock *audit_sock;
> > 
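Review bot: this hunk only re-aligns the whitespace of the `audit_lost` declaration (`static atomic_t    audit_lost` to `static atomic_t        audit_lost`) and changes no code; an unrelated whitespace change inflates the diff and should be dropped from this patch or moved to a separate cleanup.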
> > @@ -920,6 +920,12 @@ static int audit_receive_msg(struct sk_buff *skb,
> > struct nlmsghdr *nlh)> 
> >                         if (err < 0)
> >                         
> >                                 return err;
> >                 
> >                 }
> > 
> > +               if (s.mask == AUDIT_STATUS_LOST) {
> > +                       u32 lost = atomic_xchg(&audit_lost, 0);
> > +
> > +                       audit_send_reply(skb, seq, AUDIT_LOST_RESET, 0, 0,
> > &lost, sizeof(lost));
> I'm not sure it makes much sense to both return the lost value as a
> netlink return code as well as send a separate netlink message back to
> the controlling task with the same information.  What I meant earlier
> was that we would emit an audit record, similar to
> audit_log_config_change(), so that the audit log would not only have
> information that the status count was reset, but also the subject
> information necessary to associate the action with an individual.
> 
> Does that make sense?

I'm planning to replace all the config change logging with the 
audit_log_task_simple function I sent so that we have everything. Can we go 
ahead and pull that in so that we can start using it?

Thanks,
-Steve

> > +                       return lost;
> > +               }
> > 
> >                 break;
> >         
> >         }
> > 
> >         case AUDIT_GET_FEATURE:
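Review bot: `return lost;` hands a u32 back as the int return value of audit_receive_msg(), so the count is delivered twice, once in the AUDIT_LOST_RESET payload two lines above and once as a netlink return code (as the reply above notes), and a count of 2^31 or more becomes a negative value that looks like an errno to the caller. Keep one channel: either keep the audit_send_reply() and `return 0;`, or, as suggested, drop the reply and log an audit record in the style of audit_log_config_change() that carries the old value together with the subject of the task issuing the reset, so the log itself shows who cleared the counter. The atomic_xchg() is the right primitive for read-and-clear; it is worth a one-line comment that any record lost between the exchange and delivery of the reply counts towards the new period.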
> > --
> > 1.7.1
> > 
> > --
> > Linux-audit mailing list
> > Linux-audit at redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
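The AUDIT_SET exchange the commit message describes, seen from the userspace side, as an added example that is not part of the patch, this thread or the linux-audit project. It assumes the v2 semantics exactly as posted: AUDIT_STATUS_LOST (0x0040) as the only mask bit, an AUDIT_LOST_RESET (1020) reply carrying a u32, and the positive `return lost` reaching userspace in the error field of the netlink ack that the kernel sends for an NLM_F_ACK request (my reading of the netlink_ack() path, not something the patch states). The two constants are defined locally when linux/audit.h lacks them; the LR_* sentinels and the roundtrip() fixture are mine. roundtrip() feeds constructed reply buffers to the parser so the file runs without CAP_AUDIT_CONTROL, while audit_lost_reset() performs the live exchange against the running kernel (expect -EPERM unprivileged; a kernel that never sends AUDIT_LOST_RESET still delivers the count through the ack path, which the parser also accepts).

```c
/* Added example, not code from the patch or the linux-audit project; the
 * two audit constants are taken from the v2 patch when the headers lack them. */
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <linux/netlink.h>
#include <linux/audit.h>

#ifndef AUDIT_STATUS_LOST
#define AUDIT_STATUS_LOST 0x0040
#endif
#ifndef AUDIT_LOST_RESET
#define AUDIT_LOST_RESET 1020
#endif
#define LR_MALFORMED (-100000LL)	/* sentinels outside the errno range */
#define LR_UNRELATED (-100001LL)

struct lost_reset_req { struct nlmsghdr nlh; struct audit_status st; };

/* AUDIT_SET with AUDIT_STATUS_LOST as the only mask bit: the kernel side
 * compares s.mask with ==, so any additional bit silently skips the reset. */
static void build_lost_reset(struct lost_reset_req *req, uint32_t seq)
{
	memset(req, 0, sizeof(*req));
	req->nlh.nlmsg_len = NLMSG_LENGTH(sizeof(req->st));
	req->nlh.nlmsg_type = AUDIT_SET;
	req->nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	req->nlh.nlmsg_seq = seq;
	req->st.mask = AUDIT_STATUS_LOST;	/* st.lost itself is ignored */
}

/* One kernel message -> count (>= 0), -errno from an error ack, or a sentinel.
 * The v2 patch carries the count twice: as the u32 payload of AUDIT_LOST_RESET
 * and as the positive "return lost" that ends up in nlmsgerr.error of the ack. */
static long long parse_lost_reply(const void *buf, int len)
{
	const struct nlmsghdr *nlh = buf;
	uint32_t lost;

	if (!NLMSG_OK(nlh, len))
		return LR_MALFORMED;
	if (nlh->nlmsg_type == AUDIT_LOST_RESET) {
		if (NLMSG_PAYLOAD(nlh, 0) < sizeof(lost))
			return LR_MALFORMED;
		memcpy(&lost, NLMSG_DATA(nlh), sizeof(lost));
		return lost;
	}
	if (nlh->nlmsg_type == NLMSG_ERROR) {
		const struct nlmsgerr *e = NLMSG_DATA(nlh);
		return NLMSG_PAYLOAD(nlh, 0) < sizeof(*e) ? LR_MALFORMED : e->error;
	}
	return LR_UNRELATED;
}

/* Live exchange: the count, or -errno (EPERM without CAP_AUDIT_CONTROL). */
static long long audit_lost_reset(void)
{
	struct lost_reset_req req;
	struct sockaddr_nl kern = { .nl_family = AF_NETLINK };
	struct timeval tv = { .tv_sec = 2 };
	unsigned char buf[8192];
	long long rc = LR_UNRELATED;
	ssize_t n;
	int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);

	if (fd < 0)
		return -errno;
	setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
	build_lost_reset(&req, 1);
	if (sendto(fd, &req, req.nlh.nlmsg_len, 0,
		   (struct sockaddr *)&kern, sizeof(kern)) < 0)
		rc = -errno;
	while (rc == LR_UNRELATED && (n = recv(fd, buf, sizeof(buf), 0)) > 0)
		rc = parse_lost_reply(buf, (int)n);	/* skip unrelated messages */
	if (rc == LR_UNRELATED)
		rc = -errno;				/* recv failed or timed out */
	close(fd);
	return rc;
}

/* Constructed reply (fixture, not a capture): a 4-byte value at the start of
 * the payload, which is the u32 count for AUDIT_LOST_RESET and the leading
 * int error field of struct nlmsgerr for NLMSG_ERROR. */
static long long roundtrip(uint16_t type, int32_t value)
{
	union { struct nlmsghdr nlh; unsigned char raw[64]; } m;
	size_t plen = type == NLMSG_ERROR ? sizeof(struct nlmsgerr) : sizeof(value);

	memset(&m, 0, sizeof(m));
	m.nlh.nlmsg_len = NLMSG_LENGTH(plen);
	m.nlh.nlmsg_type = type;
	memcpy(NLMSG_DATA(&m.nlh), &value, sizeof(value));
	return parse_lost_reply(&m, (int)m.nlh.nlmsg_len);
}
```

Build with `gcc -Wall -o lost_reset lost_reset.c` and call audit_lost_reset() from a main of your own; run it as root with auditd stopped to watch the count come back. The two-channel parser is exactly the wrinkle raised in the thread: the controller learns the old count, but nothing in this exchange records in the audit log which task cleared it, which is why the discussion moves towards an audit record with subject information rather than a reply to the caller.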




