On Thursday, December 15, 2016 3:39:16 PM EST Paul Moore wrote: > On Sat, Dec 10, 2016 at 6:52 AM, Richard Guy Briggs <[email protected]> wrote: > > Add a method to reset the audit_lost value. > > > > An AUDIT_SET message with the AUDIT_STATUS_LOST flag set by itself > > will return a positive value repesenting the current audit_lost value > > and reset the counter to zero. If AUDIT_STATUS_LOST is not the > > only flag set, the reset command will be ignored. The value sent with > > the command is ignored. > > > > An AUDIT_LOST_RESET message will be sent to the listening audit daemon. > > The data field will contain a u32 with the positive value of the > > audit_lost value when it was reset. > > > > See: https://github.com/linux-audit/audit-kernel/issues/3 > > > > Signed-off-by: Richard Guy Briggs <[email protected]> > > --- > > > > include/uapi/linux/audit.h | 2 ++ > > kernel/audit.c | 8 +++++++- > > 2 files changed, 9 insertions(+), 1 deletions(-) > > > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > > index 208df7b..6d38bff 100644 > > --- a/include/uapi/linux/audit.h > > +++ b/include/uapi/linux/audit.h > > @@ -70,6 +70,7 @@ > > > > #define AUDIT_TTY_SET 1017 /* Set TTY auditing status */ > > #define AUDIT_SET_FEATURE 1018 /* Turn an audit feature on or off > > */ #define AUDIT_GET_FEATURE 1019 /* Get which features are > > enabled */> > > +#define AUDIT_LOST_RESET 1020 /* Reset the audit_lost value */ > > > > #define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages mostly > > uninteresting to kernel */ #define AUDIT_USER_AVC 1107 /* We > > filter this differently */> > > @@ -325,6 +326,7 @@ enum { > > > > #define AUDIT_STATUS_RATE_LIMIT 0x0008 > > #define AUDIT_STATUS_BACKLOG_LIMIT 0x0010 > > #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020 > > > > +#define AUDIT_STATUS_LOST 0x0040 > > > > #define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001 > > #define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002 > > > > diff --git a/kernel/audit.c b/kernel/audit.c > > index f1ca116..19cfee0 100644 > > --- a/kernel/audit.c > > +++ b/kernel/audit.c > > @@ -122,7 +122,7 @@ > > > > 3) suppressed due to audit_rate_limit > > 4) suppressed due to audit_backlog_limit > > > > */ > > > > -static atomic_t audit_lost = ATOMIC_INIT(0); > > +static atomic_t audit_lost = ATOMIC_INIT(0); > > > > /* The netlink socket. */ > > static struct sock *audit_sock; > > > > @@ -920,6 +920,12 @@ static int audit_receive_msg(struct sk_buff *skb, > > struct nlmsghdr *nlh)> > > if (err < 0) > > > > return err; > > > > } > > > > + if (s.mask == AUDIT_STATUS_LOST) { > > + u32 lost = atomic_xchg(&audit_lost, 0); > > + > > + audit_send_reply(skb, seq, AUDIT_LOST_RESET, 0, 0, > > &lost, sizeof(lost)); > I'm not sure it makes much sense to both return the lost value as a > netlink return code as well as send a separate netlink message back to > the controlling task with the same information. What I meant earlier > was that we would emit an audit record, similar to > audit_log_config_change(), so that the audit log would not only have > information that the status count was reset, but also the subject > information necessary to associate the action with an individual. > > Does that make sense?
I'm planning to replace all the config change logging with the audit_log_task_simple function I sent so that we have everything. Can we go ahead and pull that in so that we can start using it? Thanks, -Steve > > + return lost; > > + } > > > > break; > > > > } > > > > case AUDIT_GET_FEATURE: > > -- > > 1.7.1 > > > > -- > > Linux-audit mailing list > > [email protected] > > https://www.redhat.com/mailman/listinfo/linux-audit -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
