On Thu, 2008-01-10 at 15:25 -0200, Klaus Heinrich Kiwi wrote:
> Steve, as we talked earlier through IRC, ausearch/aureport are expecting
> the kernel anomalies messages to have auid= uid= gid= fields (in this
> order). This quick patch changes the ANOM_PROMISCUOUS message to the
> correct format (as already used by ANOM_ABEND).
>
> Applies on 2.6.24-rc7 from the audit.git tree
>
> --
> Klaus Heinrich Kiwi
> Security Development - IBM Linux Technology Center
>
> --
>
> Fix ANOM_PROMISCUOUS message to the format as expected by
> audit userspace: auid=%u uid=%u gid=%u [...]

Not that I have a problem with auditing uid and gid in ANOM_PROMISCUOUS messages, but doing it 'just because that's how userspace wants it' doesn't seem like a good solution (aka if that were it I'd say fix userspace, not the kernel).

Anyway, let's stick with conventions of ordering: first is what happened, second is who-dun-it.

dev=%s prom=%d old_prom=%d auid=%d uid=%u gid=%u ses=%u

I guess I'm ok with adding if(audit_enabled) in the same patch. I'm not ok with adding some sort of "disable just this message" in the same patch.

-Eric

> > Signed-off-by: Klaus Heinrich Kiwi <[EMAIL PROTECTED]> > --- > net/core/dev.c | 5 +++-- > 1 files changed, 3 insertions(+), 2 deletions(-) > > diff --git a/net/core/dev.c b/net/core/dev.c > index 0848da3..cd49cd0 100644 > --- a/net/core/dev.c > +++ b/net/core/dev.c > @@ -2759,10 +2759,11 @@ static void __dev_set_promiscuity(struct net_device > *dev, int inc) > "left"); > audit_log(current->audit_context, GFP_ATOMIC, > AUDIT_ANOM_PROMISCUOUS, > - "dev=%s prom=%d old_prom=%d auid=%u ses=%u", > + "auid=%u uid=%u gid=%u dev=%s prom=%d old_prom=%d > ses=%u", > + audit_get_loginuid(current->audit_context), > + current->uid, current->gid, > dev->name, (dev->flags & IFF_PROMISC), > (old_flags & IFF_PROMISC), > - audit_get_loginuid(current->audit_context), > audit_get_sessionid(current->audit_context)); > > if (dev->change_rx_flags)
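
Review bot: In the format string of the audit_log() call in __dev_set_promiscuity(), moving auid= ahead of dev=, prom= and old_prom= relocates fields the record already emitted, which is a larger change than the uid=/gid= addition the commit message describes. Keeping the event fields first and inserting uid=%u gid=%u between auid=%u and ses=%u, with current->uid, current->gid placed after audit_get_loginuid(current->audit_context) in the argument list, adds the new fields without moving the existing ones and matches the what-then-who ordering raised in the reply. The visible context also shows no audit_enabled check around the call; if that guard is wanted, it fits in this same hunk.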
