[PATCH 1/2] integrity: Add errno field in audit message
Steve Grubb
sgrubb at redhat.com
Mon Jun 15 22:23:31 UTC 2020
On Friday, June 12, 2020 3:50:14 PM EDT Lakshmi Ramasubramanian wrote:
> On 6/12/20 12:25 PM, Mimi Zohar wrote:
> > The idea is a good idea, but you're assuming that "result" is always
> > errno. That was probably true originally, but isn't now. For
> > example, ima_appraise_measurement() calls xattr_verify(), which
> > compares the security.ima hash with the calculated file hash. On
> > failure, it returns the result of memcmp(). Each and every code path
> > will need to be checked.
>
> Good catch Mimi.
>
> Instead of "errno" should we just use "result" and log the value given
> in the result parameter?
That would likely collide with another field of the same name which is the
operation's results. If it really is errno, the name is fine. It's generic
enough that it can be reused on other events if that mattered.
> From the audit field dictionary (link given below) "result" is already
> a known field that is used to indicate the result of the audited operation.
>
> @Steve\Paul:
> Like "res" is "result" also expected to have only values "0" or "1", or
> can it be any result code?
It should only be 0 or 1. Sometime in the past it may have been the words
success/fail. But we've been converting those as we find them.
-Steve
> https://github.com/linux-audit/audit-documentation/blob/master/specs/fields
> /field-dictionary.csv
>
> res alphanumeric result of the audited operation(success/fail)
>
> result alphanumeric result of the audited operation(success/fail)
More information about the Linux-audit
mailing list