
Re: [PATCH] add/remove rule update



On Mon, Jan 09, 2006 at 09:48:17AM -0500, Steve Grubb wrote:
> Hi,
> 
> The following patch adds a little more information to the add/remove rule message emitted 
> by the kernel.
> 
> Signed-off-by: Steve Grubb <sgrubb redhat com>
> 
> 
> 
> diff -urp linux-2.6.14.orig/include/linux/audit.h linux-2.6.14/include/linux/audit.h
> --- linux-2.6.14.orig/include/linux/audit.h	2006-01-05 10:13:30.000000000 -0500
> +++ linux-2.6.14/include/linux/audit.h	2006-01-05 10:12:09.000000000 -0500
> @@ -238,7 +238,7 @@ struct audit_rule {		/* for AUDIT_LIST, 
>  	__u32		flags;	/* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */
>  	__u32		action;	/* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */
>  	__u32		field_count;
> -	__u32		mask[AUDIT_BITMASK_SIZE];
> +	__u32		mask[AUDIT_BITMASK_SIZE]; /* syscall(s) affected */
>  	__u32		fields[AUDIT_MAX_FIELDS];
>  	__u32		values[AUDIT_MAX_FIELDS];
>  };
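
Review bot: The comment added to `mask[AUDIT_BITMASK_SIZE]` in struct audit_rule is unrelated to the log-message change, and the patch description does not mention it. Either note it in the description or send it as a separate cleanup. If it stays, "bitmask of syscall(s) affected" would state how the array is encoded, which the current wording leaves to the AUDIT_BITMASK_SIZE name.
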
> diff -urp linux-2.6.14.orig/kernel/auditfilter.c linux-2.6.14/kernel/auditfilter.c
> --- linux-2.6.14.orig/kernel/auditfilter.c	2006-01-05 10:13:40.000000000 -0500
> +++ linux-2.6.14/kernel/auditfilter.c	2006-01-05 10:11:29.000000000 -0500
> @@ -243,9 +243,9 @@ int audit_receive_filter(int type, int p
>  			;
>  		}
>  		err = audit_add_rule(data, &audit_filter_list[listnr]);
> -		if (!err)
> -			audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> -				  "auid=%u added an audit rule\n", loginuid);
> +		audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> +			  "auid=%u added rule to list=%d res=%d\n",
> +			  loginuid, listnr, !err);

I just noticed that the record says "added rule to list" regardless of
whether the rule was actually added.  For the sake of clarity, it
should probably now say "add rule to list" since we're logging the
message on success and failure now.

>  		break;
>  	case AUDIT_DEL:
>  		listnr =((struct audit_rule *)data)->flags & ~AUDIT_FILTER_PREPEND;
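
Review bot: In the AUDIT_ADD branch, `res=%d` is fed `!err`, so the record carries 1 for success and 0 for failure, and the error code returned by audit_add_rule() is dropped. State in the description that res=1 means success, since that is the inverse of the kernel return convention used for `err`. Consider whether the failure reason should be recorded too, so a reader of the log can tell why a rule change was refused. `listnr` is printed with %d while its declaration is outside the hunk; confirm the type matches the format.
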
> @@ -253,9 +253,9 @@ int audit_receive_filter(int type, int p
>  			return -EINVAL;
>  
>  		err = audit_del_rule(data, &audit_filter_list[listnr]);
> -		if (!err)
> -			audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> -				  "auid=%u removed an audit rule\n", loginuid);
> +		audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> +			  "auid=%u removed rule from list=%d res=%d\n",
> +			  loginuid, listnr, !err);

Same here.

>  		break;
>  	default:
>  		return -EINVAL;
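
Review bot: In the AUDIT_DEL branch, the `return -EINVAL;` context line at the top of this hunk exits before the new audit_log() call, so a delete request rejected there leaves no res=0 record, while a failure inside audit_del_rule() does. If the aim is to record failed attempts as well as successful ones, log on that early-return path too, or state in the description that only failures from audit_del_rule() are covered.
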
> 
> --
> Linux-audit mailing list
> Linux-audit redhat com
> https://www.redhat.com/mailman/listinfo/linux-audit
> 

