[PATCH] Auditd shutdown credentials

Steve Grubb sgrubb at redhat.com
Thu Apr 28 15:52:21 UTC 2005


On Wednesday 27 April 2005 12:35, Steve Grubb wrote:
> The attached patch addresses the problem with getting the audit daemon
> shutdown credential information. It creates a new message type
> AUDIT_TERM_INFO, which is used by the audit daemon to query who issued the
> shutdown.
>
> It requires the placement of a hook function that gathers the information.
> The hook is after the DAC & MAC checks and before the function returns.
> Racing threads could overwrite the uid & pid - but they would have to be
> root and have policy that allows signalling the audit daemon. That should
> be a manageable risk.
>
> The userspace component will be released later in audit 0.7.2. When it
> receives the TERM signal, it queries the kernel for shutdown information.
> When it receives it, it writes the message and exits. The message looks
> like this:
>
> type=DAEMON msg=auditd(1114551182.000) auditd normal halt, sending pid=2650
> uid=525, auditd pid=1685
>
> Signed-off-by: Steve Grubb <sgrubb at redhat.com>

Attached is the revised patch with the audit_kill_info function prototype 
moved up into the CONFIG_AUDITSYSCALL section of audit.h.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: linux-2.6.9-audit-terminfo.patch
Type: text/x-diff
Size: 5008 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20050428/e31138bf/attachment.bin>
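
An added example, not part of the original message or the attached patch: a Python parser that pulls the sending pid and uid out of the DAEMON halt record quoted above, including when the record is wrapped across two lines as it is in the mail. The function names, the expected-uid set and every sample line other than the quoted record are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Record layout copied from the sample message quoted above; released auditd
# versions may format this record differently (assumption).
HALT_RE = re.compile(
    r"type=DAEMON\s+msg=auditd\((?P<ts>\d+)\.(?P<ms>\d+)\)\s+"
    r"auditd normal halt,\s+sending pid=(?P<spid>\d+)\s+"
    r"uid=(?P<uid>\d+),\s+auditd pid=(?P<apid>\d+)"
)

def parse_halt_records(text):
    """Return one dict per 'auditd normal halt' record found in text.

    Whitespace runs (including newlines from wrapped lines) are collapsed
    first, so a record split across two lines still matches.
    """
    flat = " ".join(text.split())
    out = []
    for m in HALT_RE.finditer(flat):
        out.append({
            "time": datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc),
            "sender_pid": int(m["spid"]),
            "sender_uid": int(m["uid"]),
            "auditd_pid": int(m["apid"]),
        })
    return out

def unexpected_halts(text, expected_uids):
    """Halt records whose sending uid is not in the caller's expected set."""
    return [r for r in parse_halt_records(text)
            if r["sender_uid"] not in expected_uids]

# Constructed sample: the first record is the one from the message (wrapped as
# mailed); the SYSCALL line and the second halt record are made up.
SAMPLE_LOG = """\
type=DAEMON msg=auditd(1114551182.000) auditd normal halt, sending pid=2650
uid=525, auditd pid=1685
type=SYSCALL msg=audit(1114551200.123:42): arch=40000003 syscall=5 success=yes
type=DAEMON msg=auditd(1114551300.000) auditd normal halt, sending pid=3100 uid=0, auditd pid=2990
"""

if __name__ == "__main__":
    for rec in unexpected_halts(SAMPLE_LOG, expected_uids={0}):
        print(rec["time"].isoformat(), rec["sender_pid"], rec["sender_uid"])
```
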

