From mboxrd@z Thu Jan  1 00:00:00 1970
From: Richard Guy Briggs <rgb@redhat.com>
Subject: Re: [PATCH v2] audit: add feature audit_lost reset
Date: Thu, 15 Dec 2016 22:59:12 -0500
Message-ID: <20161216035912.GO22660@madcap2.tricolour.ca>
References: <75c9c4dcd0a57ba6afec676ec55155e70ccb6a28.1481370732.git.rgb@redhat.com>
	<CAHC9VhQwVKTmFnYUmOAHSv5RfPs_BYaHcpzxcMyMfWm-kKuHXA@mail.gmail.com>
	<1803050.hqkP3u55ii@x2>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Content-Disposition: inline
In-Reply-To: <1803050.hqkP3u55ii@x2>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On 2016-12-15 19:22, Steve Grubb wrote:
> On Thursday, December 15, 2016 3:39:16 PM EST Paul Moore wrote:
> > On Sat, Dec 10, 2016 at 6:52 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > > Add a method to reset the audit_lost value.
> > > 
> > > An AUDIT_SET message with the AUDIT_STATUS_LOST flag set by itself
> > > will return a positive value repesenting the current audit_lost value
> > > and reset the counter to zero.  If AUDIT_STATUS_LOST is not the
> > > only flag set, the reset command will be ignored.  The value sent with
> > > the command is ignored.
> > > 
> > > An AUDIT_LOST_RESET message will be sent to the listening audit daemon.
> > > The data field will contain a u32 with the positive value of the
> > > audit_lost value when it was reset.
> > > 
> > > See: https://github.com/linux-audit/audit-kernel/issues/3
> > > 
> > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > > ---
> > > 
> > >  include/uapi/linux/audit.h |    2 ++
> > >  kernel/audit.c             |    8 +++++++-
> > >  2 files changed, 9 insertions(+), 1 deletions(-)
> > > 
> > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > > index 208df7b..6d38bff 100644
> > > --- a/include/uapi/linux/audit.h
> > > +++ b/include/uapi/linux/audit.h
> > > @@ -70,6 +70,7 @@
> > > 
> > >  #define AUDIT_TTY_SET          1017    /* Set TTY auditing status */
> > >  #define AUDIT_SET_FEATURE      1018    /* Turn an audit feature on or off
> > >  */ #define AUDIT_GET_FEATURE      1019    /* Get which features are
> > >  enabled */> 
> > > +#define AUDIT_LOST_RESET       1020    /* Reset the audit_lost value */
> > > 
> > >  #define AUDIT_FIRST_USER_MSG   1100    /* Userspace messages mostly
> > >  uninteresting to kernel */ #define AUDIT_USER_AVC         1107    /* We
> > >  filter this differently */> 
> > > @@ -325,6 +326,7 @@ enum {
> > > 
> > >  #define AUDIT_STATUS_RATE_LIMIT                0x0008
> > >  #define AUDIT_STATUS_BACKLOG_LIMIT     0x0010
> > >  #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
> > > 
> > > +#define AUDIT_STATUS_LOST              0x0040
> > > 
> > >  #define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT     0x00000001
> > >  #define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
> > > 
> > > diff --git a/kernel/audit.c b/kernel/audit.c
> > > index f1ca116..19cfee0 100644
> > > --- a/kernel/audit.c
> > > +++ b/kernel/audit.c
> > > @@ -122,7 +122,7 @@
> > > 
> > >     3) suppressed due to audit_rate_limit
> > >     4) suppressed due to audit_backlog_limit
> > >  
> > >  */
> > > 
> > > -static atomic_t    audit_lost = ATOMIC_INIT(0);
> > > +static atomic_t        audit_lost = ATOMIC_INIT(0);
> > > 
> > >  /* The netlink socket. */
> > >  static struct sock *audit_sock;
> > > 
> > > @@ -920,6 +920,12 @@ static int audit_receive_msg(struct sk_buff *skb,
> > > struct nlmsghdr *nlh)> 
> > >                         if (err < 0)
> > >                         
> > >                                 return err;
> > >                 
> > >                 }
> > > 
> > > +               if (s.mask == AUDIT_STATUS_LOST) {
> > > +                       u32 lost = atomic_xchg(&audit_lost, 0);
> > > +
> > > +                       audit_send_reply(skb, seq, AUDIT_LOST_RESET, 0, 0,
> > > &lost, sizeof(lost));
> > I'm not sure it makes much sense to both return the lost value as a
> > netlink return code as well as send a separate netlink message back to
> > the controlling task with the same information.  What I meant earlier
> > was that we would emit an audit record, similar to
> > audit_log_config_change(), so that the audit log would not only have
> > information that the status count was reset, but also the subject
> > information necessary to associate the action with an individual.
> > 
> > Does that make sense?
> 
> I'm planning to replace all the config change logging with the 
> audit_log_task_simple function I sent so that we have everything. Can we go 
> ahead and pull that in so that we can start using it?

I was too late for this kernel release even with the first version of
this patch, so now we have plenty of time to get this right and have it
sit in next for a while.

> Thanks,
> -Steve

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635