[PATCH v2] audit: add missing fields to AUDIT_CONFIG_CHANGE event

[Steve Grubb]

There are very important fields necessary to understand who is adding
audit rules and a little more context about the environment in which
its happening. This adds pid, uid, tty, subj, comm, and exe
information to the event. These are required fields.

* V2 added calls to audit_put_tty()

See: https://github.com/linux-audit/audit-kernel/issues/59

Signed-off-by: Steve Grubb <sgrubb at redhat.com>
Reviewed-by: Richard Guy Briggs <rgb at redhat.com>
---
 kernel/audit_watch.c | 24 ++++++++++++++++++++----
 kernel/auditfilter.c | 19 ++++++++++++++++---
 2 files changed, 36 insertions(+), 7 deletions(-)

diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index 9eb8b3511636..fd68e99042f1 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -239,14 +239,30 @@ static struct audit_watch *audit_dupe_watch(struct 
audit_watch *old)
 static void audit_watch_log_rule_change(struct audit_krule *r, struct 
audit_watch *w, char *op)
 {
 	if (audit_enabled) {
+		struct tty_struct *tty;
+		const struct cred *cred;
 		struct audit_buffer *ab;
+		char comm[sizeof(current->comm)];
+
 		ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
 		if (unlikely(!ab))
 			return;
-		audit_log_format(ab, "auid=%u ses=%u op=%s",
-				 from_kuid(&init_user_ns, audit_get_loginuid(current)),
-				 audit_get_sessionid(current), op);
-		audit_log_format(ab, " path=");
+
+		cred = current_cred();
+		tty = audit_get_tty(current);
+		audit_log_format(ab, "pid=%d uid=%u auid=%u tty=%s ses=%u",
+				task_tgid_nr(current),
+				from_kuid(&init_user_ns, cred->uid),
+				from_kuid(&init_user_ns,
+				audit_get_loginuid(current)),
+				tty ? tty_name(tty) : "(none)",
+				audit_get_sessionid(current));
+		audit_put_tty(tty);
+		audit_log_task_context(ab);
+		audit_log_format(ab, " comm=");
+		audit_log_untrustedstring(ab, get_task_comm(comm, current));
+		audit_log_d_path_exe(ab, current->mm);
+		audit_log_format(ab, "op=%s path=", op);
 		audit_log_untrustedstring(ab, w->path);
 		audit_log_key(ab, r->filterkey);
 		audit_log_format(ab, " list=%d res=1", r->listnr);
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 0b0aa5854dac..9dd4d67f1b95 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1065,8 +1065,9 @@ static void audit_list_rules(int seq, struct 
sk_buff_head *q)
 static void audit_log_rule_change(char *action, struct audit_krule *rule, int 
res)
 {
 	struct audit_buffer *ab;
-	uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(current));
-	unsigned int sessionid = audit_get_sessionid(current);
+	struct tty_struct *tty;
+	const struct cred *cred;
+	char comm[sizeof(current->comm)];
 
 	if (!audit_enabled)
 		return;
@@ -1074,8 +1075,20 @@ static void audit_log_rule_change(char *action, struct 
audit_krule *rule, int re
 	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
 	if (!ab)
 		return;
-	audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
+
+	cred = current_cred();
+	tty = audit_get_tty(current);
+	audit_log_format(ab, "pid=%d uid=%u auid=%u tty=%s ses=%u",
+			task_tgid_nr(current),
+			from_kuid(&init_user_ns, cred->uid),
+			from_kuid(&init_user_ns, audit_get_loginuid(current)),
+			tty ? tty_name(tty) : "(none)",
+			audit_get_sessionid(current));
+	audit_put_tty(tty);
 	audit_log_task_context(ab);
+	audit_log_format(ab, " comm=");
+	audit_log_untrustedstring(ab, get_task_comm(comm, current));
+	audit_log_d_path_exe(ab, current->mm);
 	audit_log_format(ab, " op=%s", action);
 	audit_log_key(ab, rule->filterkey);
 	audit_log_format(ab, " list=%d res=%d", rule->listnr, res);
-- 
2.13.6