List:       linux-audit
Subject:    Re: [PATCH] add/remove rule update
From:       Amy Griffis <amy.griffis () hp ! com>
Date:       2006-01-13 17:44:19
Message-ID: 20060113174419.GA30537 () zk3 ! dec ! com

On Mon, Jan 09, 2006 at 09:48:17AM -0500, Steve Grubb wrote:
> Hi,
> 
> The following patch adds a little more information to the add/remove rule message emitted 
> by the kernel.
> 
> Signed-off-by: Steve Grubb <sgrubb@redhat.com>
> 
> 
> 
> diff -urp linux-2.6.14.orig/include/linux/audit.h linux-2.6.14/include/linux/audit.h
> --- linux-2.6.14.orig/include/linux/audit.h	2006-01-05 10:13:30.000000000 -0500
> +++ linux-2.6.14/include/linux/audit.h	2006-01-05 10:12:09.000000000 -0500
> @@ -238,7 +238,7 @@ struct audit_rule {		/* for AUDIT_LIST, 
>  	__u32		flags;	/* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */
>  	__u32		action;	/* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */
>  	__u32		field_count;
> -	__u32		mask[AUDIT_BITMASK_SIZE];
> +	__u32		mask[AUDIT_BITMASK_SIZE]; /* syscall(s) affected */
>  	__u32		fields[AUDIT_MAX_FIELDS];
>  	__u32		values[AUDIT_MAX_FIELDS];
>  };
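Review bot: the comment added on `mask[AUDIT_BITMASK_SIZE]` in struct audit_rule is unrelated to the log-message change the description covers. Mention it in the changelog or send it as a separate cleanup, so the header change is not carried silently inside a patch that alters what the kernel logs.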
> diff -urp linux-2.6.14.orig/kernel/auditfilter.c linux-2.6.14/kernel/auditfilter.c
> --- linux-2.6.14.orig/kernel/auditfilter.c	2006-01-05 10:13:40.000000000 -0500
> +++ linux-2.6.14/kernel/auditfilter.c	2006-01-05 10:11:29.000000000 -0500
> @@ -243,9 +243,9 @@ int audit_receive_filter(int type, int p
>  			;
>  		}
>  		err = audit_add_rule(data, &audit_filter_list[listnr]);
> -		if (!err)
> -			audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> -				  "auid=%u added an audit rule\n", loginuid);
> +		audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> +			  "auid=%u added rule to list=%d res=%d\n",
> +			  loginuid, listnr, !err);

I just noticed that the record says "added rule to list" regardless of
whether the rule was actually added.  For the sake of clarity, it
should probably now say "add rule to list" since we're logging the
message on success and failure now.

>  		break;
>  	case AUDIT_DEL:
>  		listnr =((struct audit_rule *)data)->flags & ~AUDIT_FILTER_PREPEND;
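Review bot: in the AUDIT_ADD branch, `res=%d` is fed `!err`, so a failed request is recorded as res=0 with nothing to say why it failed. Since the record is now emitted on failure as well as success, consider logging the error value alongside res so that someone reading the audit trail can tell the different rejection causes apart.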
> @@ -253,9 +253,9 @@ int audit_receive_filter(int type, int p
>  			return -EINVAL;
>  
>  		err = audit_del_rule(data, &audit_filter_list[listnr]);
> -		if (!err)
> -			audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> -				  "auid=%u removed an audit rule\n", loginuid);
> +		audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> +			  "auid=%u removed rule from list=%d res=%d\n",
> +			  loginuid, listnr, !err);

Same here.

>  		break;
>  	default:
>  		return -EINVAL;
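Review bot: in the AUDIT_DEL branch the `return -EINVAL;` at the top of this hunk still runs before the new `audit_log()` call, so a delete request rejected there leaves no AUDIT_CONFIG_CHANGE record, while one that fails inside `audit_del_rule()` now logs res=0. If the intent is to record every attempt, emit the record on that path too, or state in the changelog that only requests reaching `audit_del_rule()` are logged.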
> 