Linux-audit Archive on
 help / color / Atom feed
* [PATCH AUTOSEL 4.19 072/206] audit: CONFIG_CHANGE don't log internal bookkeeping as an event
       [not found] <>
@ 2020-09-18  2:05 ` Sasha Levin
  0 siblings, 0 replies; only message in thread
From: Sasha Levin @ 2020-09-18  2:05 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: Sasha Levin, linux-audit

From: Steve Grubb <>

[ Upstream commit 70b3eeed49e8190d97139806f6fbaf8964306cdb ]

Common Criteria calls out for any action that modifies the audit trail to
be recorded. That usually is interpreted to mean insertion or removal of
rules. It is not required to log modification of the inode information
since the watch is still in effect. Additionally, if the rule is a never
rule and the underlying file is one they do not want events for, they
get an event for this bookkeeping update against their wishes.

Since no device/inode info is logged at insertion and no device/inode
information is logged on update, there is nothing meaningful being
communicated to the admin by the CONFIG_CHANGE updated_rules event. One
can assume that the rule was not "modified" because it is still watching
the intended target. If the device or inode cannot be resolved, then
audit_panic is called which is sufficient.

The correct resolution is to drop logging config_update events since
the watch is still in effect but just on another unknown inode.

Signed-off-by: Steve Grubb <>
Signed-off-by: Paul Moore <>
Signed-off-by: Sasha Levin <>
 kernel/audit_watch.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index 4f7262eba73d8..50952d6d81209 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -317,8 +317,6 @@ static void audit_update_watch(struct audit_parent *parent,
 			if (oentry->rule.exe)
-			audit_watch_log_rule_change(r, owatch, "updated_rules");
 			call_rcu(&oentry->rcu, audit_free_rule_rcu);

Linux-audit mailing list

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, back to index

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <>
2020-09-18  2:05 ` [PATCH AUTOSEL 4.19 072/206] audit: CONFIG_CHANGE don't log internal bookkeeping as an event Sasha Levin

Linux-audit Archive on

Archives are clonable:
	git clone --mirror linux-audit/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-audit linux-audit/ \
	public-inbox-index linux-audit

Example config snippet for mirrors

Newsgroup available over NNTP:

AGPL code for this site: git clone