On Monday, June 16, 2014 05:20:10 PM Eric Paris wrote:
My guess is that userspace just throws away records where it doesn't find
the auid= and ses= and your kernel happens to live in those couple of
months where it had new-ses and new-auid
Was this patch sent to stable? The audit code tries to
On Tue, 17 Jun 2014 09:29:21 -0400,
Steve Grubb sgr...@redhat.com wrote:
On Monday, June 16, 2014 05:20:10 PM Eric Paris wrote:
[...]
I'd call this a pretty clear userspace bug where it just completely
drops records, even if it can't parse them...
That theory can be tested by using:
On Tue, 17 Jun 2014 16:09:32 +0200
Laurent Bigonville bi...@debian.org wrote:
On Tue, 17 Jun 2014 09:29:21 -0400,
Steve Grubb sgr...@redhat.com wrote:
On Monday, June 16, 2014 05:20:10 PM Eric Paris wrote:
[...]
I'd call this a pretty clear userspace bug where it just
completely
On Tuesday, June 17, 2014 10:55:42 AM Richard Guy Briggs wrote:
This feels like 2 clear bugs.
1) The kernel records for LOGIN are 'malformed' in 3.14.
Yes. That's why it got fixed for 3.15.
5ee9a75 audit: fix dangling keywords in audit_log_set_loginuid() output
introduced it
On Tuesday, June 17, 2014 10:31:25 AM Eric Paris wrote:
On Tue, 17 Jun 2014 16:09:32 +0200
Laurent Bigonville bi...@debian.org wrote:
On Tue, 17 Jun 2014 09:29:21 -0400,
Steve Grubb sgr...@redhat.com wrote:
On Monday, June 16, 2014 05:20:10 PM Eric Paris wrote:
[...]
I'd
On 14/06/17, Eric Paris wrote:
On Tue, 17 Jun 2014 16:09:32 +0200
Laurent Bigonville bi...@debian.org wrote:
On Tue, 17 Jun 2014 09:29:21 -0400,
Steve Grubb sgr...@redhat.com wrote:
On Monday, June 16, 2014 05:20:10 PM Eric Paris wrote:
[...]
I'd call this a pretty clear
On 14/06/17, Steve Grubb wrote:
On Tuesday, June 17, 2014 10:31:25 AM Eric Paris wrote:
On Tue, 17 Jun 2014 16:09:32 +0200
Laurent Bigonville bi...@debian.org wrote:
On Tue, 17 Jun 2014 09:29:21 -0400,
Steve Grubb sgr...@redhat.com wrote:
On Monday, June 16, 2014 05:20:10
On Tue, 17 Jun 2014 10:56:24 -0400
Steve Grubb sgr...@redhat.com wrote:
On Tuesday, June 17, 2014 10:31:25 AM Eric Paris wrote:
On Tue, 17 Jun 2014 16:09:32 +0200
2) Userspace silently throws records which are 'malformed' away,
instead of just printing them...
ausearch -m LOGIN
On Tuesday, June 17, 2014 11:26:01 AM Eric Paris wrote:
On Tue, 17 Jun 2014 10:56:24 -0400
Steve Grubb sgr...@redhat.com wrote:
On Tuesday, June 17, 2014 10:31:25 AM Eric Paris wrote:
On Tue, 17 Jun 2014 16:09:32 +0200
2) Userspace silently throws records which are 'malformed'
Eric Paris suggested lsm_str and lsm_rule could be added to this optimisation.
audit_free_rule needed a bit of re-factoring to accomplish this, but nothing too
controversial.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
include/linux/audit.h |6 --
kernel/auditfilter.c | 27
The new- prefix on ses and auid is unnecessary and breaks ausearch.
Upstream-commit: aa589a1
Cc: sta...@vger.kernel.org # v3.14-rc1 to v3.14
Reported-by: Steve Grubb sgr...@redhat.com
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
kernel/auditsc.c |2 +-
1 files changed, 1
On Mon, 2014-06-16 at 15:52 -0400, Richard Guy Briggs wrote:
Replace spaces in op keyword labels in log output since userspace audit tools
can't parse orphaned keywords.
The patch didn't apply cleanly to linux-integrity/#next. Please take a
look at it (linux-integrity/#next-fixes).
thanks,
This is a continuation of Peter Moody, my and Eric Paris' work to implement
audit by executable name.
Some of these are obvious. Some demonstrate my lack of understanding of the
problem and of the services of fs/notify because they put needless restrictions
due to the orthogonal nature of the
Add space for consistency.
---
kernel/auditfilter.c |1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index eede673..f40c13b 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1012,6 +1012,7 @@ int
Remove redundant goto.
---
kernel/audit_fsnotify.c |1 -
1 files changed, 0 insertions(+), 1 deletions(-)
diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c
index 0fda71f..d169326 100644
--- a/kernel/audit_fsnotify.c
+++ b/kernel/audit_fsnotify.c
@@ -134,7 +134,6 @@ struct
---
kernel/auditfilter.c |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index c52cbc0..cae8eae 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -148,7 +148,7 @@ static inline int audit_to_inode(struct
From: Eric Paris epa...@redhat.com
Instead of just hard coding the ino and dev of the executable we care
about at the moment the rule is inserted into the kernel, use the new
audit_fsnotify infrastructure. This means that if the inode in question
is unlinked and creat'd (aka updated) the rule
Put audit_alloc_mark() arguments in same order as watch, tree and inode.
---
kernel/audit.h |2 +-
kernel/audit_exe.c |2 +-
kernel/audit_fsnotify.c |2 +-
kernel/auditfilter.c|2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/kernel/audit.h
---
kernel/audit_fsnotify.c | 12 ++--
kernel/auditfilter.c|2 +-
2 files changed, 3 insertions(+), 11 deletions(-)
diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c
index 707df2b..07e 100644
--- a/kernel/audit_fsnotify.c
+++ b/kernel/audit_fsnotify.c
@@ -99,7
Remove unnecessary space.
---
kernel/auditfilter.c |1 -
1 files changed, 0 insertions(+), 1 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 30091ce..94b6af1 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -551,7 +551,6 @@ static struct audit_entry
From: Eric Paris epa...@redhat.com
This is to be used to audit by executable rules, but audit watches
should be able to share this code eventually.
At the moment the audit watch code is a lot more complex; that code only
creates one fsnotify watch per parent directory. That 'audit_parent' in
---
include/linux/audit.h |1 +
kernel/audit.h |1 +
kernel/audit_fsnotify.c | 15 +++
kernel/auditfilter.c| 21 -
4 files changed, 37 insertions(+), 1 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index
From: Eric Paris epa...@redhat.com
This patch implements the ability to filter on the executable. It is
clearly incomplete! This patch adds the inode/dev of the executable at
the moment the rule is loaded. It does not update if the executable is
updated/moved/whatever. That should be added.
Rename audit_remove_rule() to audit_remove_mark_rule().
---
kernel/audit_fsnotify.c |4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c
index d169326..efefa16 100644
--- a/kernel/audit_fsnotify.c
+++
---
kernel/audit.h |2 ++
kernel/audit_fsnotify.c |6 +++---
kernel/auditfilter.c| 10 +-
3 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/kernel/audit.h b/kernel/audit.h
index 2093c5e..3151ae5 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@
Check for existence of exe rule.
---
kernel/audit_tree.c |2 +-
kernel/audit_watch.c |2 +-
kernel/auditfilter.c |4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
index 135944a..b4bf5d2 100644
--- a/kernel/audit_tree.c