Linux-audit Archive on lore.kernel.org
* [PATCH] field-dictionary.csv: Add errno to audit message field dictionary
@ 2020-08-10  1:02 Lakshmi Ramasubramanian
From: Lakshmi Ramasubramanian @ 2020-08-10  1:02 UTC (permalink / raw)
  To: zohar, sgrubb, paul; +Cc: linux-integrity, linux-audit

The error code was not included in the audit messages logged by
the integrity subsystem in the Linux kernel.

Commit 2f845882ecd2 in the https://github.com/torvalds/linux tree added
an "errno" field to the audit messages logged by the integrity subsystem.
The "errno" field will be set to 0 when the operation completed
successfully; on failure, a non-zero error code is set in this field
of the audit message.

Add documentation for the "errno" field to the audit message
field dictionary.

Sample audit message from the integrity subsystem with the errno field:

    [    6.303048] audit: type=1804 audit(1592506281.627:2): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel op=measuring_key cause=ENOMEM comm="swapper/0" name=".builtin_trusted_keys" res=0 errno=-12

Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
---
 specs/fields/field-dictionary.csv | 1 +
 1 file changed, 1 insertion(+)

diff --git a/specs/fields/field-dictionary.csv b/specs/fields/field-dictionary.csv
index 055ff79..5117e25 100644
--- a/specs/fields/field-dictionary.csv
+++ b/specs/fields/field-dictionary.csv
@@ -49,6 +49,7 @@ dport,numeric,remote port number,
 egid,numeric,effective group ID,
 enforcing,numeric,new MAC enforcement status,
 entries,numeric,number of entries in the netfilter table,
+errno,numeric,error code of the audited operation,
 euid,numeric,effective user ID,
 exe,encoded,executable name,
 exit,numeric,syscall exit code,
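Review bot: the new entry's description "error code of the audited operation" leaves the sign convention implicit, while the sample record in the commit message shows `errno=-12` next to `cause=ENOMEM`, i.e. the kernel's negative errno rather than a positive errno number; a consumer that wants to turn the value into a symbolic name or strerror() text has to know to negate it. Suggest stating it in the CSV entry, e.g. `errno,numeric,error code of the audited operation (negative errno value; 0 on success),`, so parsers and the commit message agree.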
-- 
2.28.0


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
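As an added example (not part of this patch or of the audit-userspace project), a small Python consumer that parses the INTEGRITY record quoted in the patch description and decodes its errno field the way the commit message defines it: 0 on success, a negative errno value on failure. The function names are mine; the only input is the record from the patch, with a hypothetical mismatching record used in the checks.

```python
"""Parse an INTEGRITY audit record and decode its errno field."""
import errno
import re

# Record quoted from the patch description (the dmesg-style prefix is tolerated).
SAMPLE_RECORD = (
    '[    6.303048] audit: type=1804 audit(1592506281.627:2): pid=1 uid=0 '
    'auid=4294967295 ses=4294967295 subj=kernel op=measuring_key cause=ENOMEM '
    'comm="swapper/0" name=".builtin_trusted_keys" res=0 errno=-12'
)

# key=value pairs: values are either double-quoted (may contain spaces) or bare tokens
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# audit(<seconds>.<millis>:<serial>): header that every record carries
_HEADER_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\):')


def parse_audit_record(line: str) -> dict[str, str]:
    """Return the record's fields as a dict with quotes stripped, plus timestamp/serial."""
    header = _HEADER_RE.search(line)
    if header is None:
        raise ValueError("not an audit record: missing audit(ts:serial) header")
    fields = {"timestamp": header.group(1), "serial": header.group(2)}
    for key, value in _FIELD_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def interpret_errno(fields: dict[str, str]) -> dict:
    """Decode errno (0 on success, negative errno on failure) and flag res/cause mismatches."""
    code = int(fields.get("errno", "0"))
    failed = code != 0
    # The kernel logs -ENOMEM as -12; Python's errno table is keyed by the positive number.
    symbol = errno.errorcode.get(-code) if failed else None
    notes = []
    res = fields.get("res")
    if failed and res == "1":
        notes.append("res=1 (success) but errno is non-zero")
    if not failed and res == "0":
        notes.append("res=0 (failure) but errno=0")
    cause = fields.get("cause")
    if symbol and cause and cause != symbol:
        notes.append(f"cause={cause} disagrees with errno={code} ({symbol})")
    return {"failed": failed, "errno": code, "symbol": symbol, "notes": notes}


if __name__ == "__main__":
    parsed = parse_audit_record(SAMPLE_RECORD)
    print(parsed["type"], parsed["op"], interpret_errno(parsed))
```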



* Re: [PATCH] field-dictionary.csv: Add errno to audit message field dictionary
@ 2020-08-12  0:53 ` Paul Moore
From: Paul Moore @ 2020-08-12  0:53 UTC (permalink / raw)
  To: Lakshmi Ramasubramanian; +Cc: linux-integrity, zohar, linux-audit

On Sun, Aug 9, 2020 at 9:02 PM Lakshmi Ramasubramanian
<nramas@linux.microsoft.com> wrote:
>
> The error code was not included in the audit messages logged by
> the integrity subsystem in the Linux kernel.
>
> Commit 2f845882ecd2 in the https://github.com/torvalds/linux tree added
> an "errno" field to the audit messages logged by the integrity subsystem.
> The "errno" field will be set to 0 when the operation completed
> successfully; on failure, a non-zero error code is set in this field
> of the audit message.
>
> Add documentation for the "errno" field to the audit message
> field dictionary.
>
> Sample audit message from the integrity subsystem with the errno field:
>
>     [    6.303048] audit: type=1804 audit(1592506281.627:2): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel op=measuring_key cause=ENOMEM comm="swapper/0" name=".builtin_trusted_keys" res=0 errno=-12
>
> Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
> ---
>  specs/fields/field-dictionary.csv | 1 +
>  1 file changed, 1 insertion(+)

Merged.  Thanks for following up with this.

-- 
paul moore
www.paul-moore.com



