audit.71 kernel

Steve Grubb sgrubb at redhat.com
Mon Jun 27 15:35:12 UTC 2005


On Monday 27 June 2005 09:35, David Woodhouse wrote:
> The kernel prints KERN_NOTICE messages during initialisation unless you
> pass 'quiet' on the command line.

I was thinking about something more along these lines:

diff -ur linux-2.6.9.orig/kernel/audit.c linux-2.6.9/kernel/audit.c
--- linux-2.6.9.orig/kernel/audit.c     2005-06-27 09:55:55.000000000 -0400
+++ linux-2.6.9/kernel/audit.c  2005-06-27 09:54:00.000000000 -0400
@@ -928,14 +928,21 @@
        if (!audit_rate_check()) {
                audit_log_lost("rate limit exceeded");
        } else {
+               struct nlmsghdr *nlh = (struct nlmsghdr *)ab->skb->data;
                if (audit_pid) {
-                       struct nlmsghdr *nlh = (struct nlmsghdr *)ab->skb->data;
                        nlh->nlmsg_len = ab->skb->len - NLMSG_SPACE(0);
                        skb_queue_tail(&audit_skb_queue, ab->skb);
                        ab->skb = NULL;
                        wake_up_interruptible(&kauditd_wait);
                } else {
-                       printk(KERN_NOTICE "%s\n", ab->skb->data + NLMSG_SPACE(0));
+                       if ((nlh->nlmsg_type >= AUDIT_FIRST_USER_MSG &&
+                               nlh->nlmsg_type <= AUDIT_LAST_USER_MSG &&
+                               nlh->nlmsg_type != AUDIT_USER_AVC) ||
+                               nlh->nlmsg_type == AUDIT_LOGIN ||
+                               nlh->nlmsg_type == AUDIT_USER)
+                               printk(KERN_NOTICE "%s\n", ab->skb->data + NLMSG_SPACE(0));
+                       else
+                               printk(KERN_ERR "%s\n", ab->skb->data + NLMSG_SPACE(0));
                }
        }
        audit_buffer_free(ab);
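Review bot: The new type test in the no-daemon branch picks the printk level with no comment saying why user-originated records (other than AUDIT_USER_AVC), AUDIT_LOGIN and AUDIT_USER stay at KERN_NOTICE while everything else is raised to KERN_ERR. A short comment above the `if` would help, e.g. `/* no auditd: user-space originated records stay at NOTICE; kernel-generated records and USER_AVC go out at ERR */`. For the user message range, nlmsg_type is presumably whatever the sender put in the netlink header, so the sender also decides between the two levels; the send path, not visible here, should be confirmed to restrict who may submit those types. Both printk calls pass the payload to "%s" and so still depend on the skb data being NUL-terminated, which this hunk does not show. The enclosing function begins and ends outside the hunk.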



