[PATCH 5/8] integrity: Add exe= and tty= before res= to integrity audits
Paul Moore
paul at paul-moore.com
Wed May 30 21:14:31 UTC 2018
On Wed, May 30, 2018 at 8:17 AM, Stefan Berger
<stefanb at linux.vnet.ibm.com> wrote:
> On 05/29/2018 05:19 PM, Paul Moore wrote:
>>
>> On Thu, May 24, 2018 at 4:11 PM, Stefan Berger
>> <stefanb at linux.vnet.ibm.com> wrote:
>>>
>>> Use the new public audit functions to add the exe= and tty=
>>> parts to the integrity audit records. We place them before
>>> res=.
>>>
>>> Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>
>>> Suggested-by: Steve Grubb <sgrubb at redhat.com>
>>> ---
>>> security/integrity/integrity_audit.c | 2 ++
>>> 1 file changed, 2 insertions(+)
>>>
>>> diff --git a/security/integrity/integrity_audit.c
>>> b/security/integrity/integrity_audit.c
>>> index db30763d5525..8d25d3c4dcca 100644
>>> --- a/security/integrity/integrity_audit.c
>>> +++ b/security/integrity/integrity_audit.c
>>> @@ -56,6 +56,8 @@ void integrity_audit_msg(int audit_msgno, struct inode
>>> *inode,
>>> audit_log_untrustedstring(ab, inode->i_sb->s_id);
>>> audit_log_format(ab, " ino=%lu", inode->i_ino);
>>> }
>>> + audit_log_d_path_exe(ab, current->mm);
>>> + audit_log_tty(ab, current);
>>
>> NACK
>>
>> Please add the new fields to the end of the audit record, thank you.
>
> I put it there since Steve said '"res" is traditionally the last field in
> any event' (https://lkml.org/lkml/2018/5/22/539). I don't mind breaking with
> this tradition...
Unfortunately Steve and I don't see eye-to-eye on everything, and this
is perhaps one of the more prominent issues.
I'll save you several years of arguments, on and off-list, and simply
say that the "safe" option, and the only option I'm likely to ACK,
would be to add new fields at the end of existing records. We have
made exceptions in the past, but those were pretty extreme cases.
--
paul moore
www.paul-moore.com
More information about the Linux-audit
mailing list