The audit subsystem could use a function that logs the commonly needed fields for a typical audit event. This logs less than audit_log_task_info and reduces the need to hand-code individual fields.
Signed-off-by: Steve Grubb <[email protected]>
---
 include/linux/audit.h | 5 +++++
 kernel/audit.c | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index c2e7e3a..2620847 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -484,6 +484,8 @@ static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
 extern int audit_log_task_context(struct audit_buffer *ab);
 extern void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk);
+extern void audit_log_task_simple(struct audit_buffer *ab,
+ struct task_struct *tsk);
 extern int audit_update_lsm_rules(void);
@@ -540,6 +542,9 @@ static inline int audit_log_task_context(struct audit_buffer *ab)
 static inline void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) { }
+static inline void audit_log_task_simple(struct audit_buffer *ab,
+ struct task_struct *tsk)
+{ }
 #define audit_enabled 0
 #endif /* CONFIG_AUDIT */
 static inline void audit_log_string(struct audit_buffer *ab, const char *buf)
diff --git a/kernel/audit.c b/kernel/audit.c
index 1c13e42..29fb38b 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1100,6 +1100,41 @@ static void audit_receive(struct sk_buff *skb)
 mutex_unlock(&audit_cmd_mutex);
 }
+/* This function logs the essential information needed to understand
+ * what or who is causing the event */
+void audit_log_task_simple(struct audit_buffer *ab, struct task_struct *tsk)
+{
+ const struct cred *cred;
+ char comm[sizeof(tsk->comm)];
+ char *tty;
+
+ if (!ab)
+ return;
+
+ /* tsk == current */
+ cred = current_cred();
+
+ spin_lock_irq(&tsk->sighand->siglock);
+ if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
+ tty = tsk->signal->tty->name;
+ else
+ tty = "(none)";
+ spin_unlock_irq(&tsk->sighand->siglock);
+
+ audit_log_format(ab, "pid=%u uid=%u auid=%u tty=%s ses=%u",
+ task_pid_nr(tsk),
+ from_kuid(&init_user_ns, cred->uid),
+ from_kuid(&init_user_ns, audit_get_loginuid(tsk)),
+ tty, audit_get_sessionid(tsk));
+
+ audit_log_task_context(ab); /* subj= */
+ audit_log_format(ab, " comm=");
+ audit_log_untrustedstring(ab, get_task_comm(comm, tsk));
+
+ audit_log_d_path_exe(ab, tsk->mm); /* exe= */
+}
+EXPORT_SYMBOL(audit_log_task_simple);
+
 /* Run custom bind function on netlink socket group connect or bind requests. */
 static int audit_bind(struct net *net, int group)
 {
--
2.4.3
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
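Review bot: `tty` is a pointer into `tsk->signal->tty->name` captured under siglock but dereferenced by `audit_log_format` only after `spin_unlock_irq`, and nothing in the hunk pins the tty object across that window, so a concurrent tty release would leave the format call reading freed memory; copy the name while the lock is held, replacing the pointer with `char ttyname[sizeof(tsk->signal->tty->name)];`, `strlcpy(ttyname, tsk->signal->tty->name, sizeof(ttyname));` in the if-branch and `strlcpy(ttyname, "(none)", sizeof(ttyname));` in the else (or take a tty reference and drop it after logging). The same pattern appears to be carried over from audit_log_task_info, so it is worth fixing in both places at once. Separately, the function accepts an arbitrary `tsk` yet reads `current_cred()`, so if any caller ever passes a task other than current the `uid=` field would describe the caller while `pid=`, `auid=`, `ses=` and `comm=` describe `tsk`; either state the precondition in the header comment or read the credentials via `__task_cred(tsk)` under `rcu_read_lock()`. The header comment would also help readers if it named what is emitted, e.g. `/* Log pid, uid, auid, tty, ses, subj, comm and exe for tsk (which must be current) */`.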
