audit: log failed attempts to change audit_pid configuration
authorRichard Guy Briggs <rgb@redhat.com>
Mon, 25 Jan 2016 23:04:15 +0000 (18:04 -0500)
committerPaul Moore <paul@paul-moore.com>
Mon, 25 Jan 2016 23:04:15 +0000 (18:04 -0500)
Failed attempts to change the audit_pid configuration are not presently
logged.  One case is an attempt to starve an old auditd by starting up
a new auditd when the old one is still alive and active.  The other
case is an attempt to orphan a new auditd when an old auditd shuts
down.

Log both as AUDIT_CONFIG_CHANGE messages with failure result.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
kernel/audit.c

index 2fd63d6879c53ef17a6036bb4782b45f72696754..8fa7533bf10681857aff4825e21ee5d3090f4d3e 100644 (file)
@@ -882,11 +882,15 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                        int new_pid = s.pid;
                        pid_t requesting_pid = task_tgid_vnr(current);
 
-                       if ((!new_pid) && (requesting_pid != audit_pid))
+                       if ((!new_pid) && (requesting_pid != audit_pid)) {
+                               audit_log_config_change("audit_pid", new_pid, audit_pid, 0);
                                return -EACCES;
+                       }
                        if (audit_pid && new_pid &&
-                           audit_replace(requesting_pid) != -ECONNREFUSED)
+                           audit_replace(requesting_pid) != -ECONNREFUSED) {
+                               audit_log_config_change("audit_pid", new_pid, audit_pid, 0);
                                return -EEXIST;
+                       }
                        if (audit_enabled != AUDIT_OFF)
                                audit_log_config_change("audit_pid", new_pid, audit_pid, 1);
                        audit_pid = new_pid;