[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [RFC][PATCH] collect security labels on user processes generating audit messages



> [..]
> 
>>> 
>>
>>>> >  			ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
>>>> >  			if (ab) {
>>>> >  				audit_log_format(ab,
>>>> > -						 "user pid=%d uid=%u auid=%u msg='%.1024s'",
>>>> > -						 pid, uid, loginuid, (char *)data);
>>>> > +						 "user pid=%d uid=%u auid=%u subj=%s msg='%.1024s'",
>>>> > +						 pid, uid, loginuid, ctx ? ctx : "null", (char *)data);
>>
>>> 
>>> Do you want those "subj=null" items in the output when SELinux is
>>> disabled, or should there be a different audit_log_format call in the !
>>> ctx case that completely omits "subj="? 
>>> 
> 
> 
> I remember a while back, Steve wanting to reduce / remove the
> conditional tokens in records (I think the argument had to do with
> performance impact and parsing).  Did I remember that correctly Steve?
> Assuming we do want to print the token if ctx == NULL, is there a
> standard way of printing NULL in the record?  I should probably make
> sure kernel/auditsc.c:audit_log_task_context() is consistent with
> whatever we decide.
> 

Amy submitted a patch a while back to eliminate the "name=" field
to avoid "name=(null)" from the audit records if there was no name
but I don't think the patch went anywhere.
https://www.redhat.com/archives/linux-audit/2005-November/msg00093.html

It looks like there's a new case (for tty) where "(none)" is used.

It would be nice to avoid having this in the audit records, especially
in this case where the value might never be set on a particular system.

-- ljk


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]