Fwd: Re: Fw: Audit records for start/stop auditd

Steve Grubb sgrubb at redhat.com
Wed Apr 6 13:54:10 UTC 2005


On Wednesday 06 April 2005 09:25, David Woodhouse wrote:
> +static inline void audit_kill_permission(int sig, struct siginfo *info,
> +                                        struct task_struct *t, int err)
> +{
> +       extern int audit_pid; /* Nothing external _except_ for this should
> use it */ +
> +       if (unlikely(t->pid == audit_pid))
> +               audit_log(NULL, "attempt to signal audit daemon: error=%d
> signal=%d pid=%d auid=%d", +                         err, sig,
> current->pid, audit_get_loginuid(current->audit_context)); +}
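Review bot: the check at `if (unlikely(t->pid == audit_pid))` fires for every signal aimed at the daemon's pid, including non-fatal ones such as the SIGHUP used for a config reload or a kill(pid, 0) existence probe, so the single "attempt to signal audit daemon" record gives a consumer no direct way to tell a real termination attempt from noise; consider either gating on the signal (SIGTERM/SIGKILL) or emitting a distinct record type for those, and the record would stand on its own better if it also carried the sender's uid next to auid. Minor: the `extern int audit_pid;` declaration inside a static inline function body belongs in a header rather than in the function.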

I wonder if we should have another audit message type AUDIT_TERM. Then in the 
above function, do an if statement on SIGTERM or SIGKILL and send the 
AUDIT_TERM message type. The message needs to be easily interpreted as the 
audit system is being terminated. Then we could have an else statement that 
uses the audit log like you have above. Maybe something like:

static inline void audit_kill_permission(int sig, struct siginfo *info,
                                        struct task_struct *t, int err)
{
	extern int audit_pid; /* Nothing external _except_ for this should use it */

	if (unlikely(t->pid == audit_pid)) {
		if (sig == SIGTERM || sig == SIGKILL) {
			/* Signals that stop the daemon get their own record type so
			 * userspace can tell "audit is being terminated" apart from
			 * any other signal sent to auditd. */
			struct audit_buffer *ab;

			ab = audit_log_start(NULL);
			if (ab) {
				audit_log_format(ab, "signal=%d pid=%d loginuid=%d",
						 sig, current->pid,
						 audit_get_loginuid(current->audit_context));
				ab->type = AUDIT_TERM;
				ab->pid  = current->pid;
				audit_log_end(ab);
			} else
				/* No buffer available: fall back to the kernel log */
				printk("attempt to signal audit daemon: error=%d signal=%d pid=%d auid=%d\n",
				       err, sig, current->pid,
				       audit_get_loginuid(current->audit_context));
		} else {
			/* Any other signal: plain audit record, as in the original patch */
			audit_log(NULL,
				  "attempt to signal audit daemon: error=%d signal=%d pid=%d loginuid=%d",
				  err, sig, current->pid,
				  audit_get_loginuid(current->audit_context));
		}
	}
}

Of course, if we introduce an AUDIT_TERM message type, we should have an 
AUDIT_START message type just for symmetry.

-Steve
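As an added example that is not part of the thread or the kernel patch: the userspace side of the distinction Steve proposes, a small consumer that parses the key=value records in the two formats quoted above (the patch's "attempt to signal audit daemon" line and the proposed signal/pid/loginuid record) and separates signals that would stop auditd from everything else. The sample lines are constructed, and the TERM/PROBE/SIGNAL labels are this example's own, not audit record types.

```python
import re
import signal

# Constructed sample records in the two formats from the thread. The first
# format is the generic record from the quoted patch (auid= field); the
# third line uses the proposed dedicated record (loginuid= field).
SAMPLE_RECORDS = [
    "attempt to signal audit daemon: error=-1 signal=1 pid=2231 auid=500",
    "attempt to signal audit daemon: error=0 signal=15 pid=4090 auid=0",
    "signal=9 pid=4091 loginuid=500",
    "attempt to signal audit daemon: error=0 signal=0 pid=1200 auid=500",
]

KV_RE = re.compile(r"(\w+)=(-?\d+)")
# The two signals Steve's patch singles out for the AUDIT_TERM record.
TERMINATING = {int(signal.SIGTERM), int(signal.SIGKILL)}


def parse_record(line):
    """Return the key=value fields of one record as ints. Both spellings of
    the login uid seen in the thread (auid=, loginuid=) are normalised to
    'loginuid' so callers see one schema."""
    fields = {k: int(v) for k, v in KV_RE.findall(line)}
    if "auid" in fields:
        fields["loginuid"] = fields.pop("auid")
    return fields


def classify(line):
    """Classify a record as TERM (signal would stop the daemon, the case the
    proposed AUDIT_TERM type covers), PROBE (signal 0, a kill(pid, 0)
    existence check that delivers nothing) or SIGNAL (anything else)."""
    fields = parse_record(line)
    if "signal" not in fields or "pid" not in fields:
        raise ValueError("not a signal record: %r" % line)
    if fields["signal"] in TERMINATING:
        kind = "TERM"
    elif fields["signal"] == 0:
        kind = "PROBE"
    else:
        kind = "SIGNAL"
    return kind, fields


def terminate_attempts(lines):
    """(pid, loginuid) of every sender whose signal would stop auditd; this
    is the event a monitoring rule should alert on, separately from the
    ordinary signal records."""
    return [(f["pid"], f["loginuid"])
            for kind, f in map(classify, lines) if kind == "TERM"]
```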
