audit.c

  • c2f0c7c3 · Steve Grubb authored
    The attached patch addresses the problem with getting the audit daemon
    shutdown credential information. It creates a new message type 
    AUDIT_TERM_INFO, which is used by the audit daemon to query who issued the 
    shutdown. 
    
    It requires the placement of a hook function that gathers the information. The 
    hook is after the DAC & MAC checks and before the function returns. Racing 
    threads could overwrite the uid & pid - but they would have to be root and 
    have policy that allows signalling the audit daemon. That should be a 
    manageable risk.
    
    The userspace component will be released later in audit 0.7.2. When it 
    receives the TERM signal, it queries the kernel for shutdown information. 
    When it receives it, it writes the message and exits. The message looks 
    like this:
    
    type=DAEMON msg=auditd(1114551182.000) auditd normal halt, sending pid=2650 
    uid=525, auditd pid=1685
    
    Signed-off-by: Steve Grubb <sgrubb@redhat.com>
    Signed-off-by: David Woodhouse <dwmw2@infradead.org>
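
The halt record quoted in the commit message can be pulled out of a daemon log and checked against the accounts expected to stop auditd. This is an added example, not code from the commit or the audit project; the allow-list of uids and every log line other than the quoted record are assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# Layout taken from the sample record in the commit message; \s+ tolerates
# the line wrap shown there. Anything beyond that sample is an assumption.
HALT_RE = re.compile(
    r"type=DAEMON\s+msg=auditd\((?P<ts>\d+)\.\d+\)\s+auditd normal halt,"
    r"\s+sending pid=(?P<spid>\d+)\s+uid=(?P<suid>\d+),"
    r"\s+auditd pid=(?P<apid>\d+)"
)

def parse_halt_records(text):
    """Return one dict per auditd halt record found in text."""
    return [
        {
            "time": datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc),
            "sender_pid": int(m["spid"]),
            "sender_uid": int(m["suid"]),
            "auditd_pid": int(m["apid"]),
        }
        for m in HALT_RE.finditer(text)
    ]

def unexpected_halts(records, expected_uids):
    """Halts whose recorded sender uid is not on the (hypothetical) allow-list.

    The commit message notes racing signal senders can overwrite the stored
    uid and pid, so a hit is a lead to correlate, not proof of who sent TERM.
    """
    return [r for r in records if r["sender_uid"] not in expected_uids]

# Constructed sample: first record is the one quoted in the commit message,
# the other lines are made up for the example.
SAMPLE_LOG = """\
type=DAEMON msg=auditd(1114551182.000) auditd normal halt, sending pid=2650
uid=525, auditd pid=1685
type=DAEMON msg=auditd(1114551300.000) auditd start, pid=1701
type=DAEMON msg=auditd(1114554000.000) auditd normal halt, sending pid=1 uid=0, auditd pid=1701
"""

if __name__ == "__main__":
    for rec in unexpected_halts(parse_halt_records(SAMPLE_LOG), expected_uids={0}):
        print(rec["time"].isoformat(), "TERM from pid", rec["sender_pid"],
              "uid", rec["sender_uid"])
```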