Re: Audit issues with Snare version 1.5 and RHEL 5.3 x86_64

2009-04-28 Thread Steve Grubb
On Monday 27 April 2009 06:03:48 pm Kevin Boyce wrote:
> I think the auditd package that ships with 5.3 has a bug.

There was a memory leak when specifying the NOLOG format option that was fixed 
in a RHEL5 release last week. Look for audit-1.7.7-6.el5_3.2.rpm.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


[RFC][PATCH] integrity: use audit_log_string

2009-04-28 Thread Mimi Zohar
Based on a request from Eric Paris to simplify parsing, replace
audit_log_format statements containing %s with audit_log_string().

Signed-off-by: Mimi Zohar zo...@us.ibm.com

Index: security-testing-2.6/security/integrity/ima/ima_audit.c
===
--- security-testing-2.6.orig/security/integrity/ima/ima_audit.c
+++ security-testing-2.6/security/integrity/ima/ima_audit.c
@@ -45,19 +45,10 @@ void integrity_audit_msg(int audit_msgno
 audit_get_loginuid(current),
 audit_get_sessionid(current));
audit_log_task_context(ab);
-   switch (audit_msgno) {
-   case AUDIT_INTEGRITY_DATA:
-   case AUDIT_INTEGRITY_METADATA:
-   case AUDIT_INTEGRITY_PCR:
-   case AUDIT_INTEGRITY_STATUS:
-   audit_log_format(ab,  op=%s cause=%s, op, cause);
-   break;
-   case AUDIT_INTEGRITY_HASH:
-   audit_log_format(ab,  op=%s hash=%s, op, cause);
-   break;
-   default:
-   audit_log_format(ab,  op=%s, op);
-   }
+   audit_log_format(ab,  op=);
+   audit_log_string(ab, op);
+   audit_log_format(ab,  cause=);
+   audit_log_string(ab, cause);
audit_log_format(ab,  comm=);
audit_log_untrustedstring(ab, current-comm);
if (fname) {
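Review bot: removing the switch on audit_msgno changes the record format for two message types, and the changelog only mentions the move to audit_log_string(). For AUDIT_INTEGRITY_HASH the second field was emitted as hash= and is now emitted as cause=, so any parser keyed on hash= stops matching. The old default branch logged only op=, whereas cause is now passed to audit_log_string() unconditionally, so every caller must supply a non-NULL cause. Suggest either keeping the hash= field name for AUDIT_INTEGRITY_HASH or stating the rename in the commit message, and adding a guard or a comment on the cause argument of integrity_audit_msg().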

