
audit messages when there's no audit daemon


I spent my weekend researching this:

I think I have a solution for the original "I can't log in" problem. There is 
a new one, though. It seems that the user space audit messages go to the 
screen after login when they don't have an audit daemon running. This leads 
to 4 pam state messages immediately on login, messages when you run a trusted 
app like passwd, or whenever hwclock runs. This is not desirable.

Looking at the source code in audit.c, kauditd_thread:
printk(KERN_ERR "%s\n", skb->data + NLMSG_SPACE(0));

Do we need the priority level to be that high or should it be either: 

1) user adjustable: all message types same priority

2) only AVC, USER_AVC, & SE_LINUX_ERR get that level - everything else is  
LOG_INFO so that syslog can optionally discard the messages

3) both meaning there are 3 knobs: SE Linux has user adjustable priority, file 
system and syscall has a user adjustable priority, and everything else has 

I think we've overlooked this minor usability issue. It really is ugly when 
there's no audit daemon.
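
An added illustration of option 2 above (not code from the original post or from the kernel): a user-space C sketch that picks a log priority from the netlink message type instead of using one fixed level. The helpers classify_record and build_record and the sample record text are hypothetical and constructed for this example; the type values are those in linux/audit.h.

```c
#include <stdint.h>
#include <string.h>
#include <syslog.h>   /* LOG_ERR, LOG_INFO */

/* Types from linux/audit.h, repeated so this builds without kernel headers. */
#define AUDIT_USER_AUTH   1100
#define AUDIT_USER_AVC    1107
#define AUDIT_AVC         1400
#define AUDIT_SELINUX_ERR 1401

/* Same layout as struct nlmsghdr: 16 bytes, i.e. NLMSG_SPACE(0). */
struct nl_hdr { uint32_t len; uint16_t type, flags; uint32_t seq, pid; };

/* Option 2: SELinux denials and errors keep LOG_ERR, the rest is LOG_INFO. */
static int audit_type_priority(uint16_t type)
{
    switch (type) {
    case AUDIT_AVC: case AUDIT_USER_AVC: case AUDIT_SELINUX_ERR:
        return LOG_ERR;
    default:
        return LOG_INFO;   /* syslog can be configured to discard these */
    }
}

/* Hypothetical helper: validate one record, point *text at its payload
 * and return the priority to log it at, or -1 if it is malformed. */
static int classify_record(const unsigned char *buf, size_t buflen, const char **text)
{
    struct nl_hdr h;
    if (buflen < sizeof h) return -1;
    memcpy(&h, buf, sizeof h);
    if (h.len < sizeof h || h.len > buflen) return -1;
    /* The payload is printed with "%s", so it must be NUL-terminated in bounds. */
    if (!memchr(buf + sizeof h, '\0', h.len - sizeof h)) return -1;
    *text = (const char *)buf + sizeof h;
    return audit_type_priority(h.type);
}

/* Builds a constructed sample record; returns its length, or 0 if it does not fit. */
static size_t build_record(unsigned char *out, size_t cap, uint16_t type, const char *msg)
{
    struct nl_hdr h = {0};
    size_t n = strlen(msg) + 1;
    if (cap < sizeof h + n) return 0;
    h.len = (uint32_t)(sizeof h + n); h.type = type;
    memcpy(out, &h, sizeof h);
    memcpy(out + sizeof h, msg, n);
    return h.len;
}
```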

