提交 bccf6ae0 编写于 作者: D David Woodhouse

AUDIT: Unify auid reporting, put arch before syscall number

These changes make processing of audit logs easier. Based on a patch
from Steve Grubb <sgrubb@redhat.com>
Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
上级 bfb4496e
...@@ -234,7 +234,7 @@ static int audit_set_rate_limit(int limit, uid_t loginuid) ...@@ -234,7 +234,7 @@ static int audit_set_rate_limit(int limit, uid_t loginuid)
int old = audit_rate_limit; int old = audit_rate_limit;
audit_rate_limit = limit; audit_rate_limit = limit;
audit_log(NULL, AUDIT_CONFIG_CHANGE, audit_log(NULL, AUDIT_CONFIG_CHANGE,
"audit_rate_limit=%d old=%d by auid %u", "audit_rate_limit=%d old=%d by auid=%u",
audit_rate_limit, old, loginuid); audit_rate_limit, old, loginuid);
return old; return old;
} }
...@@ -244,7 +244,7 @@ static int audit_set_backlog_limit(int limit, uid_t loginuid) ...@@ -244,7 +244,7 @@ static int audit_set_backlog_limit(int limit, uid_t loginuid)
int old = audit_backlog_limit; int old = audit_backlog_limit;
audit_backlog_limit = limit; audit_backlog_limit = limit;
audit_log(NULL, AUDIT_CONFIG_CHANGE, audit_log(NULL, AUDIT_CONFIG_CHANGE,
"audit_backlog_limit=%d old=%d by auid %u", "audit_backlog_limit=%d old=%d by auid=%u",
audit_backlog_limit, old, loginuid); audit_backlog_limit, old, loginuid);
return old; return old;
} }
...@@ -256,7 +256,7 @@ static int audit_set_enabled(int state, uid_t loginuid) ...@@ -256,7 +256,7 @@ static int audit_set_enabled(int state, uid_t loginuid)
return -EINVAL; return -EINVAL;
audit_enabled = state; audit_enabled = state;
audit_log(NULL, AUDIT_CONFIG_CHANGE, audit_log(NULL, AUDIT_CONFIG_CHANGE,
"audit_enabled=%d old=%d by auid %u", "audit_enabled=%d old=%d by auid=%u",
audit_enabled, old, loginuid); audit_enabled, old, loginuid);
return old; return old;
} }
...@@ -270,7 +270,7 @@ static int audit_set_failure(int state, uid_t loginuid) ...@@ -270,7 +270,7 @@ static int audit_set_failure(int state, uid_t loginuid)
return -EINVAL; return -EINVAL;
audit_failure = state; audit_failure = state;
audit_log(NULL, AUDIT_CONFIG_CHANGE, audit_log(NULL, AUDIT_CONFIG_CHANGE,
"audit_failure=%d old=%d by auid %u", "audit_failure=%d old=%d by auid=%u",
audit_failure, old, loginuid); audit_failure, old, loginuid);
return old; return old;
} }
...@@ -424,7 +424,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) ...@@ -424,7 +424,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
int old = audit_pid; int old = audit_pid;
audit_pid = status_get->pid; audit_pid = status_get->pid;
audit_log(NULL, AUDIT_CONFIG_CHANGE, audit_log(NULL, AUDIT_CONFIG_CHANGE,
"audit_pid=%d old=%d by auid %u", "audit_pid=%d old=%d by auid=%u",
audit_pid, old, loginuid); audit_pid, old, loginuid);
} }
if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
......
...@@ -307,7 +307,7 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data, ...@@ -307,7 +307,7 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
if (!err && (flags & AUDIT_AT_EXIT)) if (!err && (flags & AUDIT_AT_EXIT))
err = audit_add_rule(entry, &audit_extlist); err = audit_add_rule(entry, &audit_extlist);
audit_log(NULL, AUDIT_CONFIG_CHANGE, audit_log(NULL, AUDIT_CONFIG_CHANGE,
"auid %u added an audit rule\n", loginuid); "auid=%u added an audit rule\n", loginuid);
break; break;
case AUDIT_DEL: case AUDIT_DEL:
flags =((struct audit_rule *)data)->flags; flags =((struct audit_rule *)data)->flags;
...@@ -318,7 +318,7 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data, ...@@ -318,7 +318,7 @@ int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
if (!err && (flags & AUDIT_AT_EXIT)) if (!err && (flags & AUDIT_AT_EXIT))
err = audit_del_rule(data, &audit_extlist); err = audit_del_rule(data, &audit_extlist);
audit_log(NULL, AUDIT_CONFIG_CHANGE, audit_log(NULL, AUDIT_CONFIG_CHANGE,
"auid %u removed an audit rule\n", loginuid); "auid=%u removed an audit rule\n", loginuid);
break; break;
default: default:
return -EINVAL; return -EINVAL;
...@@ -678,10 +678,10 @@ static void audit_log_exit(struct audit_context *context) ...@@ -678,10 +678,10 @@ static void audit_log_exit(struct audit_context *context)
ab = audit_log_start(context, AUDIT_SYSCALL); ab = audit_log_start(context, AUDIT_SYSCALL);
if (!ab) if (!ab)
return; /* audit_panic has been called */ return; /* audit_panic has been called */
audit_log_format(ab, "syscall=%d", context->major); audit_log_format(ab, "arch=%x syscall=%d",
context->arch, context->major);
if (context->personality != PER_LINUX) if (context->personality != PER_LINUX)
audit_log_format(ab, " per=%lx", context->personality); audit_log_format(ab, " per=%lx", context->personality);
audit_log_format(ab, " arch=%x", context->arch);
if (context->return_valid) if (context->return_valid)
audit_log_format(ab, " success=%s exit=%ld", audit_log_format(ab, " success=%s exit=%ld",
(context->return_valid==AUDITSC_SUCCESS)?"yes":"no", (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册