[PATCH 5/8] integrity: Add exe= and tty= before res= to integrity audits
Steve Grubb
sgrubb at redhat.com
Tue May 29 21:35:48 UTC 2018
On Tuesday, May 29, 2018 5:19:39 PM EDT Paul Moore wrote:
> On Thu, May 24, 2018 at 4:11 PM, Stefan Berger
>
> <stefanb at linux.vnet.ibm.com> wrote:
> > Use the new public audit functions to add the exe= and tty=
> > parts to the integrity audit records. We place them before
> > res=.
> >
> > Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>
> > Suggested-by: Steve Grubb <sgrubb at redhat.com>
> > ---
> >
> > security/integrity/integrity_audit.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/security/integrity/integrity_audit.c
> > b/security/integrity/integrity_audit.c index db30763d5525..8d25d3c4dcca
> > 100644
> > --- a/security/integrity/integrity_audit.c
> > +++ b/security/integrity/integrity_audit.c
> > @@ -56,6 +56,8 @@ void integrity_audit_msg(int audit_msgno, struct inode
> > *inode,>
> > audit_log_untrustedstring(ab, inode->i_sb->s_id);
> > audit_log_format(ab, " ino=%lu", inode->i_ino);
> >
> > }
> >
> > + audit_log_d_path_exe(ab, current->mm);
> > + audit_log_tty(ab, current);
>
> NACK
>
> Please add the new fields to the end of the audit record, thank you.
Let's see what an example event looks like before NACK'ing this. Way back in
2013 the IMA events were good. I think this is repairing the event after some
drift.
Thanks,
-Steve
> > audit_log_format(ab, " res=%d", !result);
> > audit_log_end(ab);
> >
> > }
More information about the Linux-audit
mailing list