A few years ago, I suggested a feature dubbed "known exploit detection". This feature defines an interface that allows kernel developers to add a tripwire for somebody who tries to exploit a known security hole in older versions of the kernel. See [1] for an article and the original discussion.
[1]: https://lwn.net/Articles/577432/

Due to the somewhat controversial nature of this feature, I never pushed very hard for it to go upstream. However, regardless of whether this code ever makes it upstream, it would still be useful to reserve a numerical code for the audit message in order to ensure that private deployments never conflict with future upstream kernels.

I hereby request the reservation of AUDIT_ANOM_PATCHED as code 1703. This message should be used when userspace makes a request which in previous (unpatched) versions of the kernel would have allowed the process to illicitly gain privileges (e.g. arbitrary code execution, etc.).

Signed-off-by: Vegard Nossum <vegard.nos...@oracle.com>

--- include/uapi/linux/audit.h | 1 + 1 file changed, 1 insertion(+) diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 0714a66f0e0c..7813efc09480 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -139,6 +139,7 @@ #define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */ #define AUDIT_ANOM_ABEND 1701 /* Process ended abnormally */ #define AUDIT_ANOM_LINK 1702 /* Suspicious use of file links */ +#define AUDIT_ANOM_PATCHED 1703 /* Patched security vulnerability */ #define AUDIT_INTEGRITY_DATA 1800 /* Data integrity verification */ #define AUDIT_INTEGRITY_METADATA 1801 /* Metadata integrity verification */ #define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */ -- 2.12.0.rc0 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
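Review bot: the new `AUDIT_ANOM_PATCHED 1703` line is a reservation with nothing in-tree emitting the record, so its header comment should say so explicitly, e.g. `/* Attempt to trigger a patched security hole (reserved) */`, rather than the current `/* Patched security vulnerability */`, which reads as a description of the hole itself and gives a later maintainer no hint that the number must not be reclaimed or dropped as unused. The cover letter states when the record is to be emitted but not what fields it carries; stating the expected record fields in the commit message would let private deployments and any future upstream implementation emit records that audit userspace can parse consistently. Placing the define after `AUDIT_ANOM_LINK 1702` in the 1700 anomaly range is consistent with its neighbours.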