
Re: [redhat-lspp] [PATCH] promiscuous mode



On Sat, 2005-12-03 at 08:39 -0500, Steve Grubb wrote:
> @@ -2121,6 +2122,12 @@ void dev_set_promiscuity(struct net_devi
>                 printk(KERN_INFO "device %s %s promiscuous mode\n",
>                        dev->name, (dev->flags & IFF_PROMISC) ?
> "entered" :
> 
> "left");
> +               audit_log(current->audit_context, GFP_KERNEL,
> +                       AUDIT_ANOM_PROMISCUOUS,
> +                       "dev=%s prom=%d old_prom=%d auid=%u",
> +                       dev->name, (dev->flags & IFF_PROMISC),
> +                       (old_flags & IFF_PROMISC),
> +                       audit_get_loginuid(current->audit_context)); 
>         }
>  }
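
Review bot: In the added audit_log() call, `prom=%d` and `old_prom=%d` are fed `(dev->flags & IFF_PROMISC)` and `(old_flags & IFF_PROMISC)` directly, so the record carries the raw masked flag value rather than 0 or 1. Normalizing both with `!!(...)` would give log consumers a plain boolean to match on. The call also passes GFP_KERNEL, which may sleep, and the hunk does not show whether every caller of dev_set_promiscuity() runs in a context where that is allowed, so this is worth confirming or documenting. The record attributes the change to `current->audit_context`, which assumes the current task is the one that requested it. A minor style point: the last added line ends in trailing whitespace.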

Looking at this printk(KERN_INFO ...) and audit_log(...).

As long as it's just a small handful of isolated anomalous events that
we need to feed to the audit subsystem, I think we'll be okay.  But if
we start following lots of printk(KERN_INFO ...) calls with
audit_log(...) calls, we should probably consider if the printk() should
just do the audit_log() if some auditing flag has been raised.

This isn't bothering me yet, but something to think about if there are
dozens of places in the kernel that start calling printk and audit_log.


:-Dustin

-- 
Dustin Kirkland <dustin kirkland us ibm com>
