• S
    The attached patch addresses the problem with getting the audit daemon · c2f0c7c3
    Steve Grubb 提交于
    shutdown credential information. It creates a new message type 
    AUDIT_TERM_INFO, which is used by the audit daemon to query who issued the 
    shutdown. 
    
    It requires the placement of a hook function that gathers the information. The 
    hook is after the DAC & MAC checks and before the function returns. Racing 
    threads could overwrite the uid & pid - but they would have to be root and 
    have policy that allows signalling the audit daemon. That should be a 
    manageable risk.
    
    The userspace component will be released later in audit 0.7.2. When it 
    receives the TERM signal, it queries the kernel for shutdown information. 
    When it receives it, it writes the message and exits. The message looks 
    like this:
    
    type=DAEMON msg=auditd(1114551182.000) auditd normal halt, sending pid=2650 
    uid=525, auditd pid=1685
    Signed-off-by: NSteve Grubb <sgrubb@redhat.com>
    Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
    c2f0c7c3
nlmsgtab.c 5.0 KB