Re: [PATCH 5/8] integrity: Add exe= and tty= before res= to integrity audits
From: Steve Grubb
Date: Tue May 29 2018 - 17:35:58 EST
On Tuesday, May 29, 2018 5:19:39 PM EDT Paul Moore wrote:
> On Thu, May 24, 2018 at 4:11 PM, Stefan Berger
>
> <stefanb@xxxxxxxxxxxxxxxxxx> wrote:
> > Use the new public audit functions to add the exe= and tty=
> > parts to the integrity audit records. We place them before
> > res=.
> >
> > Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
> > Suggested-by: Steve Grubb <sgrubb@xxxxxxxxxx>
> > ---
> >
> > security/integrity/integrity_audit.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/security/integrity/integrity_audit.c
> > b/security/integrity/integrity_audit.c index db30763d5525..8d25d3c4dcca
> > 100644
> > --- a/security/integrity/integrity_audit.c
> > +++ b/security/integrity/integrity_audit.c
> > @@ -56,6 +56,8 @@ void integrity_audit_msg(int audit_msgno, struct inode
> > *inode,>
> > audit_log_untrustedstring(ab, inode->i_sb->s_id);
> > audit_log_format(ab, " ino=%lu", inode->i_ino);
> >
> > }
> >
> > + audit_log_d_path_exe(ab, current->mm);
> > + audit_log_tty(ab, current);
>
> NACK
>
> Please add the new fields to the end of the audit record, thank you.
Let's see what an example event looks like before NACK'ing this. Way back in
2013 the IMA events were good. I think this is repairing the event after some
drift.
Thanks,
-Steve
> > audit_log_format(ab, " res=%d", !result);
> > audit_log_end(ab);
> >
> > }