[PATCH] audit: reserve a numerical code for AUDIT_ANOM_PATCHED

Paul Moore paul at paul-moore.com
Tue Sep 5 14:39:24 UTC 2017


On Mon, Sep 4, 2017 at 4:27 AM, Vegard Nossum <vegard.nossum at oracle.com> wrote:
> A few years ago, I suggested a feature dubbed "known exploit detection".
> This feature defines an interface that allows kernel developers to add
> a tripwire for somebody who tries to exploit a known security hole in
> older versions of the kernel. See [1] for an article and the original
> discussion.
>
> [1]: https://lwn.net/Articles/577432/
>
> Due to the somewhat controversial nature of this feature, I never pushed
> very hard for it to go upstream. However, regardless of whether this code
> ever makes it upstream, it would still be useful to reserve a numerical
> code for the audit message in order to ensure that private deployments
> never conflict with future upstream kernels.
>
> I hereby request the reservation of AUDIT_ANOM_PATCHED as code 1703. This
> message should be used when userspace makes a request which in previous
> (unpatched) versions of the kernel would have allowed the process to
> illicitly gain privileges (e.g. arbitrary code execution, etc.).
>
> Signed-off-by: Vegard Nossum <vegard.nossum at oracle.com>
> ---
>  include/uapi/linux/audit.h | 1 +
>  1 file changed, 1 insertion(+)

In general I'm opposed to reserving audit message IDs for kernel code
that hasn't been accepted upstream and I don't yet see a compelling
reason to do so here.

> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 0714a66f0e0c..7813efc09480 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -139,6 +139,7 @@
>  #define AUDIT_ANOM_PROMISCUOUS      1700 /* Device changed promiscuous mode */
>  #define AUDIT_ANOM_ABEND            1701 /* Process ended abnormally */
>  #define AUDIT_ANOM_LINK                    1702 /* Suspicious use of file links */
> +#define AUDIT_ANOM_PATCHED         1703 /* Patched security vulnerability */
>  #define AUDIT_INTEGRITY_DATA       1800 /* Data integrity verification */
>  #define AUDIT_INTEGRITY_METADATA    1801 /* Metadata integrity verification */
>  #define AUDIT_INTEGRITY_STATUS     1802 /* Integrity enable status */
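Review bot: the new define has no in-tree user; the hunk only adds the constant, so nothing in the kernel emits a 1703 record, which is what makes the reservation hard to justify as a uapi change and is the objection raised above. The inline comment "Patched security vulnerability" is also ambiguous on its own: it reads as if the record marks a vulnerability being patched, whereas the cover text describes a request that would have granted privileges on an unpatched kernel. Suggest a comment that states the event, e.g. `/* Attempt to exploit a patched vulnerability */`, and either a consumer in the same series or a pointer to the out-of-tree code that uses it. The value itself sits correctly in the 1700 ANOM block, immediately after AUDIT_ANOM_LINK and before the 1800 INTEGRITY block.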
> --
> 2.12.0.rc0

-- 
paul moore
www.paul-moore.com