[PATCH] audit: reserve a numerical code for AUDIT_ANOM_PATCHED
Paul Moore
paul at paul-moore.com
Tue Sep 5 14:39:24 UTC 2017
On Mon, Sep 4, 2017 at 4:27 AM, Vegard Nossum <vegard.nossum at oracle.com> wrote:
> A few years ago, I suggested a feature dubbed "known exploit detection".
> This feature defines an interface that allows kernel developers to add
> a tripwire for somebody who tries to exploit a known security hole in
> older versions of the kernel. See [1] for an article and the original
> discussion.
>
> [1]: https://lwn.net/Articles/577432/
>
> Due to the somewhat controversial nature of this feature, I never pushed
> very hard for it to go upstream. However, regardless of whether this code
> ever makes it upstream, it would still be useful to reserve a numerical
> code for the audit message in order to ensure that private deployments
> never conflict with future upstream kernels.
>
> I hereby request the reservation of AUDIT_ANOM_PATCHED as code 1703. This
> message should be used when userspace makes a request which in previous
> (unpatched) versions of the kernel would have allowed the process to
> illicitly gain privileges (e.g. arbitrary code execution, etc.).
>
> Signed-off-by: Vegard Nossum <vegard.nossum at oracle.com>
> ---
> include/uapi/linux/audit.h | 1 +
> 1 file changed, 1 insertion(+)
In general I'm opposed to reserving audit message IDs for kernel code
that hasn't been accepted upstream and I don't yet see a compelling
reason to do so here.
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 0714a66f0e0c..7813efc09480 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -139,6 +139,7 @@
> #define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
> #define AUDIT_ANOM_ABEND 1701 /* Process ended abnormally */
> #define AUDIT_ANOM_LINK 1702 /* Suspicious use of file links */
> +#define AUDIT_ANOM_PATCHED 1703 /* Patched security vulnerability */
> #define AUDIT_INTEGRITY_DATA 1800 /* Data integrity verification */
> #define AUDIT_INTEGRITY_METADATA 1801 /* Metadata integrity verification */
> #define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */
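Review bot: the new define at line 1703 introduces a uapi constant with no in-tree code that emits it, so userspace audit parsers gain a record type whose field layout is undefined anywhere in the kernel; if the reservation is kept, the patch should at least pin down the expected record contents (which fields, in which order) alongside the define. The comment `/* Patched security vulnerability */` also reads as if the record reports that a fix exists, whereas the cover letter says it is emitted when userspace makes a request that would have gained privileges on an unpatched kernel; a comment such as `/* Attempt to exploit a patched vulnerability */` would match the description and the neighbouring `AUDIT_ANOM_*` wording, which each name the anomalous event rather than its cause.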
> --
> 2.12.0.rc0
--
paul moore
www.paul-moore.com