[redhat-lspp] [PATCH] promiscuous mode

Dustin Kirkland dustin.kirkland at us.ibm.com
Mon Dec 5 14:54:29 UTC 2005


On Sat, 2005-12-03 at 08:39 -0500, Steve Grubb wrote:
> @@ -2121,6 +2122,12 @@ void dev_set_promiscuity(struct net_devi
>                 printk(KERN_INFO "device %s %s promiscuous mode\n",
>                        dev->name, (dev->flags & IFF_PROMISC) ?
> "entered" :
> 
> "left");
> +               audit_log(current->audit_context, GFP_KERNEL,
> +                       AUDIT_ANOM_PROMISCUOUS,
> +                       "dev=%s prom=%d old_prom=%d auid=%u",
> +                       dev->name, (dev->flags & IFF_PROMISC),
> +                       (old_flags & IFF_PROMISC),
> +                       audit_get_loginuid(current->audit_context)); 
>         }
>  }
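Review bot: in the added audit_log() call, prom=%d and old_prom=%d are given the raw masked values (dev->flags & IFF_PROMISC) and (old_flags & IFF_PROMISC), so the record carries the numeric value of the flag bit rather than 0 or 1. Consider passing !!(dev->flags & IFF_PROMISC) and !!(old_flags & IFF_PROMISC) so that anything parsing the record sees a plain boolean and does not depend on the value of the flag constant. The masked expressions are also unlikely to be signed ints, so either cast them or match the format specifier to their type.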

Looking at this printk(KERN_INFO ...) and audit_log(...).

As long as it's just a small handful of isolated anomalous events that
we need to feed to the audit subsystem, I think we'll be okay.  But if
we start following lots of printk(KERN_INFO ...) calls with
audit_log(...) calls, we should probably consider if the printk() should
just do the audit_log() if some auditing flag has been raised.

This isn't bothering me yet, but something to think about if there are
dozens of places in the kernel that start calling printk and audit_log.


:-Dustin

-- 
Dustin Kirkland <dustin.kirkland at us.ibm.com>