reporting loginuid on AUDIT_USER message

Chris Wright chrisw at osdl.org
Fri Jan 14 18:02:50 UTC 2005


* Serge Hallyn (serue at us.ibm.com) wrote:
> Based on earlier discussion, we have a few options:
> 
>   1. hack netlink to send loginuid along with credentials
>   2. Get the loginuid from the task struct by pid at audit_receive_msg
> (), and require the programs sending AUDIT_USER messages to make sure
> that the process does not exit until a reply has been received.
>   3. Have the user-space programs send loginuid (as received
> from /proc/$$/loginuid) in the actual AUDIT_USER message.
> 
> Do we have a preference?  (1) is the most invasive, and would require
> going through netdev, but seems the cleanest to me.  On the other hand,
> we could just say we're going with (3) as a way to put off having to
> make a decision...

Makes most sense to have kernel send it, otherwise it's a less trusted
value (i.e. 3 sounds a bit sketchy).  Whether it's done in credentials
or in payload...dunno.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
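The user-space side of option (3), as an added example that is not code from the thread or from the audit user-space tools: the process reads its own /proc/self/loginuid and embeds the value in the AUDIT_USER payload text, which is exactly the value the kernel cannot check. Assumed: the unset sentinel 4294967295 (printed by the kernel for an unset loginuid) and the `auid=` payload key are the conventional ones; the helper names are mine.

```c
/* Added example: option (3) from the thread, user-space supplies loginuid.
 * Constructed helpers, not libaudit. The kernel has no way to verify the
 * auid= value produced here, which is the trust concern in the reply. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Assumed sentinel: the kernel reports 4294967295 when loginuid is unset. */
#define LOGINUID_UNSET ((uid_t)-1)

/* Parse the text form found in /proc/<pid>/loginuid.
 * Returns 0 on success (-1 and 4294967295 both map to LOGINUID_UNSET),
 * -1 on malformed or out-of-range input. */
int parse_loginuid(const char *text, uid_t *out)
{
    char *end;
    errno = 0;
    long long v = strtoll(text, &end, 10);
    if (errno || end == text || (*end != '\0' && *end != '\n'))
        return -1;
    if (v < -1 || v > (long long)UINT_MAX)
        return -1;
    *out = (v == -1) ? LOGINUID_UNSET : (uid_t)v;
    return 0;
}

/* Read this process's own loginuid as a user-space sender would under
 * option (3). Returns 0 on success, -1 if the file is unreadable. */
int read_own_loginuid(uid_t *out)
{
    char buf[32];
    FILE *f = fopen("/proc/self/loginuid", "r");
    if (!f)
        return -1;
    if (!fgets(buf, sizeof buf, f)) {
        fclose(f);
        return -1;
    }
    fclose(f);
    return parse_loginuid(buf, out);
}

/* Build the AUDIT_USER payload text carrying the caller-supplied auid.
 * Returns the payload length, or -1 if buf is too small. */
int format_audit_user_payload(char *buf, size_t len, uid_t auid, const char *msg)
{
    int n = snprintf(buf, len, "auid=%u msg='%s'", (unsigned)auid, msg);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}
```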