reporting loginuid on AUDIT_USER message
Stephen Smalley
sds at epoch.ncsc.mil
Fri Jan 14 18:04:04 UTC 2005
On Fri, 2005-01-14 at 14:10, Serge Hallyn wrote:
> Based on earlier discussion, we have a few options:
>
> 1. hack netlink to send loginuid along with credentials
> 2. Get the loginuid from the task struct by pid at audit_receive_msg(),
> and require the programs sending AUDIT_USER messages to make sure
> that the process does not exit until a reply has been received.
> 3. Have the user-space programs send loginuid (as received
> from /proc/$$/loginuid) in the actual AUDIT_USER message.
>
> Do we have a preference? (1) is the most invasive, and would require
> going through netdev, but seems the cleanest to me. On the other hand,
> we could just say we're going with (3) as a way to put off having to
> make a decision...
Adding a loginuid to the netlink_skb_parms seems best, and doesn't
require lifecycle management (unlike adding a generic security field).
--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
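For readers who want to see what option (3) in the quoted list looks like from the user-space side, here is an added example (not code from this thread or from the audit project): it parses the value a program reads from /proc/self/loginuid, treats the kernel's "never set" sentinel (4294967295) as a distinct case rather than a real uid, and builds the text payload of an AUDIT_USER record carrying that value. The "loginuid=" key in the payload is an assumed convention for this example; the actual netlink send to the kernel is left out because it needs CAP_AUDIT_WRITE and adds nothing to the point under discussion.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value the kernel reports in /proc/<pid>/loginuid when no loginuid
 * was ever set (the uid_t -1 sentinel printed as an unsigned number). */
#define LOGINUID_UNSET 4294967295LL

/* Parse the text of /proc/<pid>/loginuid.  Returns the uid (0..2^32-1,
 * LOGINUID_UNSET included) or -1 when the text is not a valid value. */
long long parse_loginuid(const char *text)
{
    char *end;
    errno = 0;
    unsigned long long v = strtoull(text, &end, 10);
    if (errno || end == text || text[0] == '-' || v > UINT32_MAX)
        return -1;
    if (*end != '\0' && *end != '\n')
        return -1;
    return (long long)v;
}

/* Read and parse the caller's own loginuid.  Returns -1 on any failure. */
long long read_own_loginuid(void)
{
    char buf[32];
    FILE *f = fopen("/proc/self/loginuid", "r");
    if (!f)
        return -1;
    char *line = fgets(buf, sizeof buf, f);
    fclose(f);
    return line ? parse_loginuid(line) : -1;
}

/* Build the text payload of an AUDIT_USER record that carries the
 * sender's loginuid (the thread's option 3).  The "loginuid=" key is
 * a constructed convention for this example, not a kernel format.
 * Returns the payload length, or -1 if the buffer is too small or
 * the uid is out of range. */
int format_audit_user(char *dst, size_t cap, long long loginuid, const char *msg)
{
    int n;
    if (loginuid < 0 || loginuid > LOGINUID_UNSET)
        return -1;
    if (loginuid == LOGINUID_UNSET)
        n = snprintf(dst, cap, "loginuid=unset msg='%s'", msg);
    else
        n = snprintf(dst, cap, "loginuid=%lld msg='%s'", loginuid, msg);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}
```

A consumer of such records should never treat the unset sentinel as an attributable user; a session whose loginuid was never set is exactly the case that audit's login attribution is meant to flag.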