Re: [PATCH 1/1] Added exe field to audit core dump signal log

2013-11-20 Thread Richard Guy Briggs
On Thu, Nov 14, 2013 at 08:56:57AM +0530, Paul Davies C wrote:
 Currently when the coredump signals are logged by the audit system, the
 actual path to the executable is not logged. Without the exe details, the
 system admin may not have an exact idea of which program failed.
 
 This patch changes the audit_log_task() so that the path to the exe is also
 logged.

Out of curiosity, on which platform are you observing this?  This sounds
related to Bill Roberts' recent cmdline patches.

I also wonder how reliable this is, or whether it could have been 
changed from under us by deletion or rename after invocation.

This BZ sounds related:
https://bugzilla.redhat.com/show_bug.cgi?id=837856
https://bugzilla.redhat.com/show_bug.cgi?id=831684

 Signed-off-by: Paul Davies C pauldavi...@gmail.com
 ---
  kernel/auditsc.c |7 +++
  1 file changed, 7 insertions(+)
 
 diff --git a/kernel/auditsc.c b/kernel/auditsc.c
 index 9845cb3..988de72 100644
 --- a/kernel/auditsc.c
 +++ b/kernel/auditsc.c
 @@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab)
   kuid_t auid, uid;
   kgid_t gid;
   unsigned int sessionid;
 + struct mm_struct *mm = current-mm;
  
   auid = audit_get_loginuid(current);
   sessionid = audit_get_sessionid(current);
 @@ -2366,6 +2367,12 @@ static void audit_log_task(struct audit_buffer *ab)
   audit_log_task_context(ab);
   audit_log_format(ab,  pid=%d comm=, current-pid);
   audit_log_untrustedstring(ab, current-comm);
 + if (mm) {
 + down_read(mm-mmap_sem);
 + if (mm-exe_file)
 + audit_log_d_path(ab,  exe=, mm-exe_file-f_path);
 + up_read(mm-mmap_sem);
 + }
  }
  
  static void audit_log_abend(struct audit_buffer *ab, char *reason, long 
 signr)
 -- 
 1.7.9.5

- RGB

--
Richard Guy Briggs rbri...@redhat.com
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red 
Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545



Re: [PATCH 1/1] Added exe field to audit core dump signal log

2013-11-20 Thread Richard Guy Briggs
On Wed, Nov 20, 2013 at 02:07:58PM -0800, William Roberts wrote:
 On Wed, Nov 20, 2013 at 2:03 PM, William Roberts
 bill.c.robe...@gmail.com wrote:
  On Wed, Nov 20, 2013 at 1:47 PM, Richard Guy Briggs r...@redhat.com wrote:
  On Thu, Nov 14, 2013 at 08:56:57AM +0530, Paul Davies C wrote:
  + if (mm) {
  + down_read(mm-mmap_sem);
  + if (mm-exe_file)
  + audit_log_d_path(ab,  exe=, 
  mm-exe_file-f_path);
  + up_read(mm-mmap_sem);
  + }
 
 snip
 One other thing that I know Steve Grubb is picky about: the field
 still needs to be there even if mm is null. We can't have
 disappearing fields. On error conditions, I've been emitting
 fieldname=(null) in my patches.

Agreed.

- RGB

--
Richard Guy Briggs rbri...@redhat.com
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red 
Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545



[PATCH 3/4] audit: dont allocate whole pages

2013-11-20 Thread William Roberts
Rather than caching whole pages, use kmalloc to potentially
cache a smaller size.

Change-Id: I9fb749dc2bdac506d1bc6f2259fbbdeeec87b298
Signed-off-by: William Roberts wrobe...@tresys.com
---
 fs/proc/base.c  |   93 +++
 include/linux/proc_fs.h |5 ++-
 kernel/auditsc.c|   43 ++
 3 files changed, 109 insertions(+), 32 deletions(-)

diff --git a/fs/proc/base.c b/fs/proc/base.c
index 25b73d3..a0751ed 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -209,35 +209,76 @@ struct mm_struct *mm_for_maps(struct task_struct *task)
return mm_access(task, PTRACE_MODE_READ);
 }
 
-int proc_pid_cmdline(struct task_struct *task, char *buffer)
+/*
+ * Returns the length of the VM area containing the tasks cmdline info.
+ * 0 indicates success
+ */
+int proc_pid_cmdline_length(struct task_struct *task, unsigned int *len)
+{
+   int res = -1;
+   struct mm_struct *mm;
+
+   if (!task || !len)
+   return 0;
+
+   mm = get_task_mm(task);
+   if (!mm)
+   goto out;
+   if (!mm-arg_end)
+   goto out_mm;/* Shh! No looking before we're done */
+
+   *len = mm-arg_end - mm-arg_start;
+   res = 0;
+out_mm:
+   mmput(mm);
+out:
+   return res;
+}
+
+/* Copy's the tasks cmdline data into buf, truncating at buflen */
+int proc_pid_copy_cmdline_to_buf(struct task_struct *task, char *buf,
+unsigned int buflen)
 {
int res = 0;
unsigned int len;
-   struct mm_struct *mm = get_task_mm(task);
+   struct mm_struct *mm;
+
+   if (!buflen || !buf)
+   return 0;
+
+   mm = get_task_mm(task);
if (!mm)
goto out;
if (!mm-arg_end)
goto out_mm;/* Shh! No looking before we're done */
 
-   len = mm-arg_end - mm-arg_start;
- 
-   if (len  PAGE_SIZE)
-   len = PAGE_SIZE;
- 
-   res = access_process_vm(task, mm-arg_start, buffer, len, 0);
+   res = access_process_vm(task, mm-arg_start, buf, buflen, 0);
+   if (res = 0)
+   goto out_mm;
+
+   /* Truncate to res if buflen is longer */
+   if (res  buflen)
+   res = buflen;
 
-   // If the nul at the end of args has been overwritten, then
-   // assume application is using setproctitle(3).
-   if (res  0  buffer[res-1] != '\0'  len  PAGE_SIZE) {
-   len = strnlen(buffer, res);
+   /*
+* If the nul at the end of args has been overwritten, then
+* assume application is using setproctitle(3).
+*/
+   if (buf[res-1] != '\0') {
+   /* Nul between start and end of vm space?
+  If so, then truncate size down */
+   len = strnlen(buf, res);
if (len  res) {
res = len;
} else {
+   /* No nul, truncate to buflen if too big to fit */
len = mm-env_end - mm-env_start;
-   if (len  PAGE_SIZE - res)
-   len = PAGE_SIZE - res;
-   res += access_process_vm(task, mm-env_start, 
buffer+res, len, 0);
-   res = strnlen(buffer, res);
+   if (len  buflen - res)
+   len = buflen - res;
+   /* Copy in any remaining data */
+   res += access_process_vm(task, mm-env_start, buf+res,
+len, 0);
+   res = strnlen(buf, res);
}
}
 out_mm:
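Review bot: `proc_pid_cmdline_length()` returns 0 — documented two lines above as "success" — when `task` or `len` is NULL, but on that path `*len` is never written, so a caller that trusts the return (the new `proc_pid_cmdline()` does) goes on with an uninitialized length; the guard should fail instead, `if (!task || !len) return -1;`. Separately, the rewritten `proc_pid_copy_cmdline_to_buf()` drops the `len < PAGE_SIZE` condition that the removed line carried, so with a buffer shorter than the argument area the `buf[res-1] != '\0'` test appears to fire on a mere truncated copy and `strnlen()` then cuts the result at argv[0]'s terminator rather than at buflen; keeping a check that the whole argument area fit (compare `mm->arg_end - mm->arg_start` against `buflen`) before applying the setproctitle(3) heuristic preserves the old behaviour. The "Copy's" in the header comment should read "Copies".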
@@ -246,6 +287,26 @@ out:
return res;
 }
 
+static int proc_pid_cmdline(struct task_struct *task, char *buffer)
+{
+   unsigned int len;
+   int res = proc_pid_cmdline_length(task, len);
+   if (res)
+   return 0;
+
+   /* The caller of this allocates a page */
+   if (len  PAGE_SIZE)
+   len = PAGE_SIZE;
+
+   res = proc_pid_copy_cmdline_to_buf(task, buffer, len);
+   /*
+* Ensure NULL terminated! Application could
+* could be using setproctitle(3).
+*/
+   buffer[res-1] = '\0';
+   return res;
+}
+
 static int proc_pid_auxv(struct task_struct *task, char *buffer)
 {
struct mm_struct *mm = mm_for_maps(task);
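Review bot: `buffer[res-1] = '\0';` in the new `proc_pid_cmdline()` is reached with `res == 0` whenever `proc_pid_copy_cmdline_to_buf()` bails out (every early-exit path in that helper returns 0, and a non-positive `access_process_vm()` result is passed straight through), so this writes one byte before the start of the caller's page. Guard the write, `if (res > 0) buffer[res-1] = '\0';`, or return early on `!res`; the SQUASH patch later in this series adds such a check, but the commit as posted is unsafe on its own. The comment "Application could could be using" repeats a word.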
diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h
index d85ac14..f76deb3 100644
--- a/include/linux/proc_fs.h
+++ b/include/linux/proc_fs.h
@@ -118,7 +118,10 @@ struct pid_namespace;
 
 extern int pid_ns_prepare_proc(struct pid_namespace *ns);
 extern void pid_ns_release_proc(struct pid_namespace *ns);
-extern int proc_pid_cmdline(struct task_struct *task, char *buffer);
+
+extern int proc_pid_cmdline_length(struct task_struct *task, unsigned int 
*len);
+extern int proc_pid_copy_cmdline_to_buf(struct task_struct *task, char *buf,
+   unsigned 

[PATCH 2/4] audit: Enable cacheing of cmdline in audit_context

2013-11-20 Thread William Roberts
Rather than reading from userspace on every call,
cache the page in the audit_context and couple it
to that object's life-cycle.

Change-Id: Ia0d432bc4aba8588840f0dc0026a1e9483e5b485
Signed-off-by: William Roberts wrobe...@tresys.com
---
 kernel/auditsc.c |   48 +---
 1 file changed, 37 insertions(+), 11 deletions(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 45fd3d0..27f8224 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -270,6 +270,7 @@ struct audit_context {
} mmap;
};
int fds[2];
+   char *cmdline;
 
 #if AUDIT_DEBUG
int put_count;
@@ -1044,6 +1045,14 @@ static inline void audit_free_aux(struct audit_context 
*context)
}
 }
 
+static inline void audit_cmdline_free(struct audit_context *ctx)
+{
+   if (!ctx-cmdline)
+   return;
+   free_page((unsigned long)ctx-cmdline);
+   ctx-cmdline = NULL;
+}
+
 static inline void audit_zero_context(struct audit_context *context,
  enum audit_state state)
 {
@@ -1118,6 +1127,7 @@ static inline void audit_free_context(struct 
audit_context *context)
audit_free_aux(context);
kfree(context-filterkey);
kfree(context-sockaddr);
+   audit_cmdline_free(context);
kfree(context);
context  = previous;
} while (context);
@@ -1154,35 +1164,51 @@ error_path:
 
 EXPORT_SYMBOL(audit_log_task_context);
 
-static void audit_log_add_cmdline(struct audit_buffer *ab,
+static char *audit_cmdline_get_page(struct audit_buffer *ab,
  struct task_struct *tsk)
 {
int len;
unsigned long page;
-   char *msg = (null);
-
-   audit_log_format(ab,  cmdline=);
 
/* Get the process cmdline */
page = __get_free_page(GFP_TEMPORARY);
if (!page) {
-   audit_log_untrustedstring(ab, msg);
-   return;
+   return NULL;
}
len = proc_pid_cmdline(tsk, (char *)page);
if (len = 0) {
free_page(page);
-   audit_log_untrustedstring(ab, msg);
-   return;
+   return NULL;
}
/*
 * Ensure NULL terminated! Application could
 * could be using setproctitle(3).
 */
((char *)page)[len-1] = '\0';
-   msg = (char *)page;
+
+   /* XXX: Re-alloc to something smaller then a page here? */
+   return (char *)page;
+}
+
+static void audit_log_cmdline(struct audit_buffer *ab, struct task_struct *tsk,
+ struct audit_context *context)
+{
+   char *msg = (null);
+
+   audit_log_format(ab,  cmdline=);
+
+   /* Already cached */
+   if (context-cmdline) {
+   msg = context-cmdline;
+   goto out;
+   }
+   /* Not cached yet */
+   context-cmdline = audit_cmdline_get_page(ab, tsk);
+   if (!context-cmdline)
+   goto out;
+   msg = context-cmdline;
+out:
audit_log_untrustedstring(ab, msg);
-   free_page(page);
 }
 
 static void audit_log_task_info(struct audit_buffer *ab, struct task_struct 
*tsk)
@@ -1211,7 +1237,6 @@ static void audit_log_task_info(struct audit_buffer *ab, 
struct task_struct *tsk
}
up_read(mm-mmap_sem);
}
-   audit_log_add_cmdline(ab, tsk);
audit_log_task_context(ab);
 }
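Review bot: The cached `context->cmdline` is released only in `audit_free_context()`, and `audit_log_cmdline()` reuses it unconditionally (`if (context->cmdline) ... goto out`), so if the audit_context lives for the task's lifetime rather than for one syscall, every record after the first repeats a snapshot that is stale as soon as the task execve()s or rewrites its argument area via setproctitle(3) or prctl(PR_SET_MM). Freeing the cached buffer where the per-syscall state is torn down at syscall exit (next to the other per-record fields) keeps the cheap reuse within a record set while staying correct; that code is outside this hunk, so it is described rather than quoted. Minor: `audit_cmdline_get_page()` takes `struct audit_buffer *ab` but never uses it, and the `/* XXX: Re-alloc to something smaller ... */` question should be resolved or turned into a proper TODO before merging. Moving the call out of `audit_log_task_info()` into `audit_log_exit()` also narrows the field to syscall records; if that is intended the description should say so.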
 
@@ -1679,6 +1704,7 @@ static void audit_log_exit(struct audit_context *context, 
struct task_struct *ts
 
 
audit_log_task_info(ab, tsk);
+   audit_log_cmdline(ab, tsk, context);
audit_log_key(ab, context-filterkey);
audit_log_end(ab);
 
-- 
1.7.9.5



[DRAFT v3.4] - audit cmdline updates

2013-11-20 Thread William Roberts
Changes since last publish:
* Ran all patches through checkpatch; a few warnings eluded me.
* Changed the cmdline copy/length API to reduce get_task_mm()/mmput() calls

Still need to know:
* Any major objections to this still?
* My public API changes are in proc; is this the best spot for them?

As always, thanks.

[PATCH 1/4] audit: Allow auditing of proc/self/cmdline value
[PATCH 2/4] audit: Enable cacheing of cmdline in audit_context
[PATCH 3/4] audit: dont allocate whole pages
[PATCH 4/4] SQUASH audit: Change cmdline get API to reduce locking



[PATCH 1/4] audit: Allow auditing of proc/self/cmdline value

2013-11-20 Thread William Roberts
Audit records will now contain a new field, cmdline.
This is the value that is stored in /proc/self/cmdline,
and is useful for debugging when processes are being run
via VMs. A primary example of this is Android, in which
package names are set in this location and thread names
are set via PR_SET_NAME. The other benefit is that this
is not limited to 16 bytes, as comm historically has been.

Change-Id: I9bf0928a8aa249d22ecd55fa9cd27325dd394eb1
Signed-off-by: William Roberts wrobe...@tresys.com
---
 fs/proc/base.c  |2 +-
 include/linux/proc_fs.h |1 +
 kernel/auditsc.c|   33 +
 3 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/fs/proc/base.c b/fs/proc/base.c
index 2f198da..25b73d3 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -209,7 +209,7 @@ struct mm_struct *mm_for_maps(struct task_struct *task)
return mm_access(task, PTRACE_MODE_READ);
 }
 
-static int proc_pid_cmdline(struct task_struct *task, char * buffer)
+int proc_pid_cmdline(struct task_struct *task, char *buffer)
 {
int res = 0;
unsigned int len;
diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h
index 85c5073..d85ac14 100644
--- a/include/linux/proc_fs.h
+++ b/include/linux/proc_fs.h
@@ -118,6 +118,7 @@ struct pid_namespace;
 
 extern int pid_ns_prepare_proc(struct pid_namespace *ns);
 extern void pid_ns_release_proc(struct pid_namespace *ns);
+extern int proc_pid_cmdline(struct task_struct *task, char *buffer);
 
 /*
  * proc_tty.c
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 27ad9dd..45fd3d0 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -67,6 +67,7 @@
 #include linux/syscalls.h
 #include linux/capability.h
 #include linux/fs_struct.h
+#include linux/proc_fs.h
 
 #include audit.h
 
@@ -1153,6 +1154,37 @@ error_path:
 
 EXPORT_SYMBOL(audit_log_task_context);
 
+static void audit_log_add_cmdline(struct audit_buffer *ab,
+ struct task_struct *tsk)
+{
+   int len;
+   unsigned long page;
+   char *msg = (null);
+
+   audit_log_format(ab,  cmdline=);
+
+   /* Get the process cmdline */
+   page = __get_free_page(GFP_TEMPORARY);
+   if (!page) {
+   audit_log_untrustedstring(ab, msg);
+   return;
+   }
+   len = proc_pid_cmdline(tsk, (char *)page);
+   if (len = 0) {
+   free_page(page);
+   audit_log_untrustedstring(ab, msg);
+   return;
+   }
+   /*
+* Ensure NULL terminated! Application could
+* could be using setproctitle(3).
+*/
+   ((char *)page)[len-1] = '\0';
+   msg = (char *)page;
+   audit_log_untrustedstring(ab, msg);
+   free_page(page);
+}
+
 static void audit_log_task_info(struct audit_buffer *ab, struct task_struct 
*tsk)
 {
char name[sizeof(tsk-comm)];
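Review bot: `audit_log_untrustedstring(ab, msg)` measures its argument with strlen(), but the buffer filled by `proc_pid_cmdline()` is the /proc/PID/cmdline image whose argv entries are NUL-separated, so the record will carry only argv[0] — the very truncation this field is meant to avoid. Log the buffer by length instead, `audit_log_n_untrustedstring(ab, msg, len);`, which hex-encodes data containing control bytes so the separators survive, or rewrite the interior NULs to spaces before logging. Minor: the forced `((char *)page)[len-1] = '\0'` discards the last byte even when the copy was already terminated, and the comment reads "Application could could be using".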
@@ -1179,6 +1211,7 @@ static void audit_log_task_info(struct audit_buffer *ab, 
struct task_struct *tsk
}
up_read(mm-mmap_sem);
}
+   audit_log_add_cmdline(ab, tsk);
audit_log_task_context(ab);
 }
 
-- 
1.7.9.5



[PATCH 4/4] SQUASH audit: Change cmdline get API to reduce locking

2013-11-20 Thread William Roberts
Each call to the length and copy helpers required a get_task_mm()/mmput() pair.
Just require the caller to acquire and pass a valid mm.

Change-Id: Id7069b80f1cbea5b30032a0a459dd54b7446f665
Signed-off-by: William Roberts wrobe...@tresys.com
---
 fs/proc/base.c  |   63 +++
 include/linux/proc_fs.h |   13 +++---
 kernel/auditsc.c|   28 +++--
 3 files changed, 51 insertions(+), 53 deletions(-)

diff --git a/fs/proc/base.c b/fs/proc/base.c
index a0751ed..4d74830 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -210,51 +210,21 @@ struct mm_struct *mm_for_maps(struct task_struct *task)
 }
 
 /*
- * Returns the length of the VM area containing the tasks cmdline info.
- * 0 indicates success
+ * Copy's the tasks cmdline data into buf, truncating at buflen
+ * must call holding semaphore on mm
  */
-int proc_pid_cmdline_length(struct task_struct *task, unsigned int *len)
-{
-   int res = -1;
-   struct mm_struct *mm;
-
-   if (!task || !len)
-   return 0;
-
-   mm = get_task_mm(task);
-   if (!mm)
-   goto out;
-   if (!mm-arg_end)
-   goto out_mm;/* Shh! No looking before we're done */
-
-   *len = mm-arg_end - mm-arg_start;
-   res = 0;
-out_mm:
-   mmput(mm);
-out:
-   return res;
-}
-
-/* Copy's the tasks cmdline data into buf, truncating at buflen */
-int proc_pid_copy_cmdline_to_buf(struct task_struct *task, char *buf,
-unsigned int buflen)
+int proc_pid_copy_cmdline_to_buf(struct task_struct *task, struct mm_struct 
*mm,
+char *buf, unsigned int buflen)
 {
int res = 0;
unsigned int len;
-   struct mm_struct *mm;
 
-   if (!buflen || !buf)
+   if (!task || !mm || !buf)
return 0;
 
-   mm = get_task_mm(task);
-   if (!mm)
-   goto out;
-   if (!mm-arg_end)
-   goto out_mm;/* Shh! No looking before we're done */
-
res = access_process_vm(task, mm-arg_start, buf, buflen, 0);
if (res = 0)
-   goto out_mm;
+   return 0;
 
/* Truncate to res if buflen is longer */
if (res  buflen)
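Review bot: The new header comment "must call holding semaphore on mm" on `proc_pid_copy_cmdline_to_buf()` is the wrong contract: the function's first real action is `access_process_vm()`, which takes `mm->mmap_sem` for read itself, so a caller honouring the comment nests two read acquisitions of the same rwsem and can deadlock if a writer queues between them. The helper needs a live `mm` reference (via `get_task_mm()`), not the lock; change the comment to `/* Caller holds a reference on mm (get_task_mm); do not hold mmap_sem. */`. Dropping the `!buflen` check is fine since a zero-length `access_process_vm()` returns 0 and the function exits before `buf[res-1]`. Note that the function's remaining body continues past this hunk.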
@@ -281,29 +251,36 @@ int proc_pid_copy_cmdline_to_buf(struct task_struct 
*task, char *buf,
res = strnlen(buf, res);
}
}
-out_mm:
-   mmput(mm);
-out:
return res;
 }
 
 static int proc_pid_cmdline(struct task_struct *task, char *buffer)
 {
-   unsigned int len;
-   int res = proc_pid_cmdline_length(task, len);
-   if (res)
+   int res = 0;
+   unsigned int len = 0;
+   struct mm_struct *mm = get_task_mm(task);
+   if (!mm)
return 0;
 
+   len = proc_pid_cmdline_length(mm);
+   if (!len)
+   goto mm_out;
+
/* The caller of this allocates a page */
if (len  PAGE_SIZE)
len = PAGE_SIZE;
 
-   res = proc_pid_copy_cmdline_to_buf(task, buffer, len);
+   res = proc_pid_copy_cmdline_to_buf(task, mm, buffer, len);
+   if (!res)
+   goto mm_out;
+
/*
 * Ensure NULL terminated! Application could
 * could be using setproctitle(3).
 */
buffer[res-1] = '\0';
+mm_out:
+   mmput(mm);
return res;
 }
 
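Review bot: `proc_pid_cmdline()` calls `proc_pid_cmdline_length(mm)` right after `get_task_mm()` without taking `mm->mmap_sem`, which contradicts the "must call holding semaphore on mm" contract the header gives that accessor in the same series; either the contract is wrong (the pre-patch code read `arg_start`/`arg_end` unlocked too, so the reference alone may be the intended requirement) or this caller needs `down_read(&mm->mmap_sem);` around the read. Please make the two agree and say which it is in the header comment. The added `if (!res) goto mm_out;` correctly closes the `buffer[res-1]` underflow from the previous patch.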
diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h
index f76deb3..8bc2718 100644
--- a/include/linux/proc_fs.h
+++ b/include/linux/proc_fs.h
@@ -6,6 +6,7 @@
 #include linux/spinlock.h
 #include linux/magic.h
 #include linux/atomic.h
+#include linux/mm.h
 
 struct net;
 struct completion;
@@ -119,10 +120,16 @@ struct pid_namespace;
 extern int pid_ns_prepare_proc(struct pid_namespace *ns);
 extern void pid_ns_release_proc(struct pid_namespace *ns);
 
-extern int proc_pid_cmdline_length(struct task_struct *task, unsigned int 
*len);
-extern int proc_pid_copy_cmdline_to_buf(struct task_struct *task, char *buf,
-   unsigned int buflen);
+/* must call holding semaphore on mm */
+static inline unsigned int proc_pid_cmdline_length(struct mm_struct *mm)
+{
+return mm-arg_end ? mm-arg_end - mm-arg_start : 0;
+}
 
+extern int proc_pid_copy_cmdline_to_buf(struct task_struct *task,
+   struct mm_struct *mm,
+   char *buf,
+   unsigned int buflen);
 /*
  * proc_tty.c
  */
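Review bot: `proc_pid_cmdline_length()` is a one-line accessor placed as `static inline` in `proc_fs.h`, which forces the `linux/mm.h` include added in the hunk above onto every user of this widely included header; a forward declaration `struct mm_struct;` with the body moved to fs/proc/base.c, or a plain `extern` prototype, keeps the header light. The `return` line is indented with spaces rather than a tab, which checkpatch flags. The "must call holding semaphore on mm" comment should state exactly what is required (a reference from `get_task_mm()` versus `mmap_sem`), since the visible caller in fs/proc/base.c takes only the former.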
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 34a6c1d..8bd0549 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1165,29 +1165,37 @@ error_path:
 EXPORT_SYMBOL(audit_log_task_context);
 
 static char *audit_cmdline_get(struct audit_buffer *ab,
- struct task_struct *tsk)
+  struct task_struct *tsk)
 {
int len;
int res;
char *buf;
+   struct mm_struct *mm;
+
+   

Re: [DRAFT v3.4] - audit cmdline updates

2013-11-20 Thread William Roberts
Also, updating to a master kernel now, to try and publish relative to that.

On Wed, Nov 20, 2013 at 5:29 PM, William Roberts
bill.c.robe...@gmail.com wrote:
 Changes since last publish:
 * Ran all patches through checkpatch, some elluded me.
 * Changed cmdline copy/length API to reduce task_mm_get() mmput() calls

 Still need to know:
 * Any major objecttions to this still?
 * My public API changes are in proc, is this the best spot for those?

 As always, thanks.

 [PATCH 1/4] audit: Allow auditing of proc/self/cmdline value
 [PATCH 2/4] audit: Enable cacheing of cmdline in audit_context
 [PATCH 3/4] audit: dont allocate whole pages
 [PATCH 4/4] SQUASH audit: Change cmdline get API to reduce locking




-- 
Respectfully,

William C Roberts



Re: [PATCH 1/1 v1] Added exe field to audit core dump signal log

2013-11-20 Thread Paul Davies C
This patch addresses the issue of the disappearing exe field that was
raised by William in the previous discussion on this patch.


On Thursday 21 November 2013 07:43 AM, Paul Davies C wrote:

Currently when the coredump signals are logged by the audit system , the
actual path to the executable is not logged. Without details of exe , the
system admin may not have an exact idea on what program failed.

This patch changes the audit_log_task() so that the path to the exe is also
logged.

Signed-off-by: Paul Davies C pauldavi...@gmail.com
---
  kernel/auditsc.c |8 
  1 file changed, 8 insertions(+)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9845cb3..4abae3d 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab)
kuid_t auid, uid;
kgid_t gid;
unsigned int sessionid;
+   struct mm_struct *mm = current-mm;
  
  	auid = audit_get_loginuid(current);

sessionid = audit_get_sessionid(current);
@@ -2366,6 +2367,13 @@ static void audit_log_task(struct audit_buffer *ab)
audit_log_task_context(ab);
audit_log_format(ab,  pid=%d comm=, current-pid);
audit_log_untrustedstring(ab, current-comm);
+   if (mm) {
+   down_read(mm-mmap_sem);
+   if (mm-exe_file)
+   audit_log_d_path(ab,  exe=, mm-exe_file-f_path);
+   up_read(mm-mmap_sem);
+   } else
+   audit_log_format(ab,  exe=null);
  }
  
  static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
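Review bot: The `exe=` field still goes missing when `mm` is set but `mm->exe_file` is NULL, because the inner `if (mm->exe_file)` has no else branch and the new fallback only covers `mm == NULL`; add `else audit_log_format(ab, " exe=(null)");` inside the locked region so every record carries the field. The outer fallback spells the placeholder `exe=null`, which departs from the `fieldname=(null)` form used elsewhere in this thread's patches (`cmdline=(null)`); the parser-facing spelling should be consistent.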




File system watches not supported with auditctl 1.0.12 / kernel 2.6.32

2013-11-20 Thread Aaron Lewis
Hi,

I'm running Red Hat Enterprise Linux AS release 4 (Nahant Update 3)
with a customized kernel, version 2.6.32,
and auditctl version 1.0.12.

When I run auditctl -l, I got the following error:
# auditctl -l
No rules
File system watches not supported

What options could be missing in my kernel config? I've enabled
everything related to AUDIT

# zgrep AUDIT /proc/config.gz
CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_TREE=y


-- 
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E



[PATCH 1/1 v2] Added exe field to audit core dump signal log

2013-11-20 Thread Paul Davies C
Currently when the coredump signals are logged by the audit system, the
actual path to the executable is not logged. Without the exe details, the
system admin may not have an exact idea of which program failed.

This patch changes the audit_log_task() so that the path to the exe is also
logged.

Signed-off-by: Paul Davies C pauldavi...@gmail.com
---
 kernel/auditsc.c |8 
 1 file changed, 8 insertions(+)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9845cb3..53ecc02 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab)
kuid_t auid, uid;
kgid_t gid;
unsigned int sessionid;
+   struct mm_struct *mm = current-mm;
 
auid = audit_get_loginuid(current);
sessionid = audit_get_sessionid(current);
@@ -2366,6 +2367,13 @@ static void audit_log_task(struct audit_buffer *ab)
audit_log_task_context(ab);
audit_log_format(ab,  pid=%d comm=, current-pid);
audit_log_untrustedstring(ab, current-comm);
+   if (mm) {
+   down_read(mm-mmap_sem);
+   if (mm-exe_file)
+   audit_log_d_path(ab,  exe=, mm-exe_file-f_path);
+   up_read(mm-mmap_sem);
+   } else
+   audit_log_format(ab,  exe=(null));
 }
 
 static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
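Review bot: The `exe=` field can still vanish: when `mm` is non-NULL but `mm->exe_file` is NULL, the `if (mm->exe_file)` branch logs nothing and there is no fallback, so only the `mm == NULL` case yields `exe=(null)`. Add `else audit_log_format(ab, " exe=(null)");` under the `if (mm->exe_file)` inside the locked region so the field is always present. The path is resolved at logging time, so a binary unlinked or renamed since exec will presumably show its current name (d_path typically appends ` (deleted)` for unlinked files); a one-line comment above the block, `/* exe path is resolved now, not at exec; may differ if renamed/unlinked since */`, would spare the next reader Richard's question. If `audit_log_task()` is also reached from callers other than the core-dump path in this file, the new field will appear in those records too, which the description should state.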
-- 
1.7.9.5



Re: [PATCH 1/1 v2] Added exe field to audit core dump signal log

2013-11-20 Thread Paul Davies C


Resending the patch since I forgot to add the parentheses around null in v1.

On Thursday 21 November 2013 08:14 AM, Paul Davies C wrote:

Currently when the coredump signals are logged by the audit system , the
actual path to the executable is not logged. Without details of exe , the
system admin may not have an exact idea on what program failed.

This patch changes the audit_log_task() so that the path to the exe is also
logged.

Signed-off-by: Paul Davies C pauldavi...@gmail.com
---
  kernel/auditsc.c |8 
  1 file changed, 8 insertions(+)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9845cb3..53ecc02 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab)
kuid_t auid, uid;
kgid_t gid;
unsigned int sessionid;
+   struct mm_struct *mm = current-mm;
  
  	auid = audit_get_loginuid(current);

sessionid = audit_get_sessionid(current);
@@ -2366,6 +2367,13 @@ static void audit_log_task(struct audit_buffer *ab)
audit_log_task_context(ab);
audit_log_format(ab,  pid=%d comm=, current-pid);
audit_log_untrustedstring(ab, current-comm);
+   if (mm) {
+   down_read(mm-mmap_sem);
+   if (mm-exe_file)
+   audit_log_d_path(ab,  exe=, mm-exe_file-f_path);
+   up_read(mm-mmap_sem);
+   } else
+   audit_log_format(ab,  exe=(null));
  }
  
  static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)

