On Friday, September 18, 2015 03:59:59 AM Richard Guy Briggs wrote:
> Failed attempts to change the audit_pid configuration are not presently
> logged. One case is an attempt to starve an old auditd by starting up a
> new auditd when the old one is still alive and active. The other case
> is an attempt to orphan a new auditd when an old auditd shuts down.
>
> Log both as AUDIT_CONFIG_CHANGE messages with failure result.
>
> Signed-off-by: Richard Guy Briggs <r...@redhat.com>
> ---
> kernel/audit.c | 8 ++++++--
> 1 files changed, 6 insertions(+), 2 deletions(-)
This patch tends to reinforce the idea of a hijack message instead of a ping
message. Unfortunately, we can't use audit_log_config_change() to generate
the hijack message as it queues the record, but you get the idea.
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 3399ab2..65dcd45 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -883,12 +883,16 @@ static int audit_receive_msg(struct sk_buff *skb,
> struct nlmsghdr *nlh) pid_t requesting_pid = task_tgid_vnr(current);
> u32 portid = NETLINK_CB(skb).portid;
>
> - if ((!new_pid) && (requesting_pid != audit_pid))
> + if ((!new_pid) && (requesting_pid != audit_pid)) {
> + audit_log_config_change("audit_pid", new_pid,
> audit_pid, 0);
> return -EACCES;
> + }
> if (audit_pid && new_pid &&
> audit_ping(requesting_pid,
> nlmsg_hdr(skb)->nlmsg_seq, portid)
!=
> - -ECONNREFUSED)
> + -ECONNREFUSED) {
> + audit_log_config_change("audit_pid", new_pid,
> audit_pid, 0);
> return -EEXIST;
> + }
> if (audit_enabled != AUDIT_OFF)
> audit_log_config_change("audit_pid", new_pid,
> audit_pid, 1);
> audit_pid = new_pid;
--
paul moore
security @ redhat
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
