Steve, as we talked earlier through IRC, ausearch/aureport are expecting
the kernel anomalies messages to have auid= uid= gid= fields (in this
order). This quick patch changes the ANOM_PROMISCUOUS message to the
correct format (as already used by ANOM_ABEND).
Applies on 2.6.24-rc7 from the audit.git tree
--
Klaus Heinrich Kiwi
Security Development - IBM Linux Technology Center
--
Fix ANOM_PROMISCUOUS message to the format as expected by
audit userspace: auid=%u uid=%u gid=%u [...]
Signed-off-by: Klaus Heinrich Kiwi <[EMAIL PROTECTED]>
---
net/core/dev.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/core/dev.c b/net/core/dev.c
index 0848da3..cd49cd0 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2759,10 +2759,11 @@ static void __dev_set_promiscuity(struct net_device
*dev, int inc)
"left");
audit_log(current->audit_context, GFP_ATOMIC,
AUDIT_ANOM_PROMISCUOUS,
- "dev=%s prom=%d old_prom=%d auid=%u ses=%u",
+ "auid=%u uid=%u gid=%u dev=%s prom=%d old_prom=%d
ses=%u",
+ audit_get_loginuid(current->audit_context),
+ current->uid, current->gid,
dev->name, (dev->flags & IFF_PROMISC),
(old_flags & IFF_PROMISC),
- audit_get_loginuid(current->audit_context),
audit_get_sessionid(current->audit_context));
if (dev->change_rx_flags)
--
1.5.3.7
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
