mirror of https://gitee.com/openkylin/linux.git
audit: add feature audit_lost reset
Add a method to reset the audit_lost value. An AUDIT_SET message with the AUDIT_STATUS_LOST flag set by itself will return a positive value representing the current audit_lost value and reset the counter to zero. If AUDIT_STATUS_LOST is not the only flag set, the reset command will be ignored. The value sent with the command is ignored. The return value will be the +ve lost value at reset time. An AUDIT_CONFIG_CHANGE message will be queued to the listening audit daemon. The message will be a standard CONFIG_CHANGE message with the fields "lost=0" and "old=" with the latter containing the value of audit_lost at reset time. See: https://github.com/linux-audit/audit-kernel/issues/3 Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Acked-by: Steve Grubb <sgrubb@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
parent
89670affa2
commit
92c82e8a32
|
@ -326,15 +326,19 @@ enum {
|
||||||
#define AUDIT_STATUS_RATE_LIMIT 0x0008
|
#define AUDIT_STATUS_RATE_LIMIT 0x0008
|
||||||
#define AUDIT_STATUS_BACKLOG_LIMIT 0x0010
|
#define AUDIT_STATUS_BACKLOG_LIMIT 0x0010
|
||||||
#define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
|
#define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
|
||||||
|
#define AUDIT_STATUS_LOST 0x0040
|
||||||
|
|
||||||
#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
|
#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
|
||||||
#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
|
#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
|
||||||
#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
|
#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
|
||||||
#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
|
#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
|
||||||
|
#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
|
||||||
|
|
||||||
#define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
|
#define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
|
||||||
AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
|
AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
|
||||||
AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH | \
|
AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH | \
|
||||||
AUDIT_FEATURE_BITMAP_SESSIONID_FILTER)
|
AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
|
||||||
|
AUDIT_FEATURE_BITMAP_LOST_RESET)
|
||||||
|
|
||||||
/* deprecated: AUDIT_VERSION_* */
|
/* deprecated: AUDIT_VERSION_* */
|
||||||
#define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
|
#define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
|
||||||
|
|
|
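Review bot: `AUDIT_STATUS_LOST` joins the status mask defines without a comment, although per the commit message it behaves unlike its neighbours: it is honoured only when it is the sole bit in the mask, the value sent with it is ignored, and the call returns and zeroes the lost counter. A caller that combines it with another bit gets no reset and no error, which is easy to miss in what looks like the userspace-facing header. A one-line comment on the define would cover it, e.g. `/* only acted on when it is the sole mask bit in AUDIT_SET: returns and resets the lost counter */`. The define list this hunk extends starts outside the hunk.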
@ -121,7 +121,7 @@ u32 audit_sig_sid = 0;
|
||||||
3) suppressed due to audit_rate_limit
|
3) suppressed due to audit_rate_limit
|
||||||
4) suppressed due to audit_backlog_limit
|
4) suppressed due to audit_backlog_limit
|
||||||
*/
|
*/
|
||||||
static atomic_t audit_lost = ATOMIC_INIT(0);
|
static atomic_t audit_lost = ATOMIC_INIT(0);
|
||||||
|
|
||||||
/* The netlink socket. */
|
/* The netlink socket. */
|
||||||
static struct sock *audit_sock;
|
static struct sock *audit_sock;
|
||||||
|
@ -1052,6 +1052,12 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
|
||||||
if (err < 0)
|
if (err < 0)
|
||||||
return err;
|
return err;
|
||||||
}
|
}
|
||||||
|
if (s.mask == AUDIT_STATUS_LOST) {
|
||||||
|
u32 lost = atomic_xchg(&audit_lost, 0);
|
||||||
|
|
||||||
|
audit_log_config_change("lost", 0, lost, 1);
|
||||||
|
return lost;
|
||||||
|
}
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
case AUDIT_GET_FEATURE:
|
case AUDIT_GET_FEATURE:
|
||||||
|
|
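Review bot: `return lost;` passes a `u32` out of a function the hunk header shows as `static int audit_receive_msg(...)`, so a count above INT_MAX would reach the caller as a negative number and read as an error code instead of the lost total. Clamping keeps the positive-means-count contract from the commit message, e.g. `return min_t(u32, lost, INT_MAX);`. Separately, the counter is zeroed by `atomic_xchg` before `audit_log_config_change("lost", 0, lost, 1)` runs, and any result of that call is discarded. If the helper can fail to emit the record (its body is not on this page), the reset of a counter that evidences dropped audit records would leave no trail, so I would add a comment above the call such as `/* the CONFIG_CHANGE record is the only trace of this reset */` and confirm the failure path. The enclosing `case` block starts and ends outside the hunk.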