linux-toradex.git/include/linux/audit.h, branch v2.6.22.3 Linux kernel for Apalis and Colibri modules [PATCH] Abnormal End of Processes 2007-05-11T09:38:26+00:00 Steve Grubb sgrubb@redhat.com 2007-04-19T14:28:21+00:00 0a4ff8c2598b72f2fa9d50aae9e1809e684dbf41 Hi, I have been working on some code that detects abnormal events based on audit system events. One kind of event that we currently have no visibility for is when a program terminates due to segfault - which should never happen on a production machine. And if it did, you'd want to investigate it. Attached is a patch that collects these events and sends them into the audit system. Signed-off-by: Steve Grubb <sgrubb@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
Hi,

I have been working on some code that detects abnormal events based on audit
system events. One kind of event that we currently have no visibility for is
when a program terminates due to segfault - which should never happen on a
production machine. And if it did, you'd want to investigate it. Attached is a
patch that collects these events and sends them into the audit system.

Signed-off-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PATCH] complete message queue auditing 2007-05-11T09:38:26+00:00 Amy Griffis amy.griffis@hp.com 2007-02-13T19:15:01+00:00 4fc03b9beb2314f3adb9e72b7935a80c577954d1 Handle the edge cases for POSIX message queue auditing. Collect inode info when opening an existing mq, and for send/receive operations. Remove audit_inode_update() as it has really evolved into the equivalent of audit_inode(). Signed-off-by: Amy Griffis <amy.griffis@hp.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
Handle the edge cases for POSIX message queue auditing. Collect inode
info when opening an existing mq, and for send/receive operations. Remove
audit_inode_update() as it has really evolved into the equivalent of
audit_inode().

Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PATCH] audit signal recipients 2007-05-11T09:38:25+00:00 Amy Griffis amy.griffis@hp.com 2007-03-29T22:01:04+00:00 e54dc2431d740a79a6bd013babade99d71b1714f When auditing syscalls that send signals, log the pid and security context for each target process. Optimize the data collection by adding a counter for signal-related rules, and avoiding allocating an aux struct unless we have more than one target process. For process groups, collect pid/context data in blocks of 16. Move the audit_signal_info() hook up in check_kill_permission() so we audit attempts where permission is denied. Signed-off-by: Amy Griffis <amy.griffis@hp.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
When auditing syscalls that send signals, log the pid and security
context for each target process. Optimize the data collection by
adding a counter for signal-related rules, and avoiding allocating an
aux struct unless we have more than one target process. For process
groups, collect pid/context data in blocks of 16. Move the
audit_signal_info() hook up in check_kill_permission() so we audit
attempts where permission is denied.

Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PATCH] add SIGNAL syscall class (v3) 2007-05-11T09:38:25+00:00 Amy Griffis amy.griffis@hp.com 2007-03-29T22:00:37+00:00 7f13da40e36c84d0d046b7adbd060af7d3717250 Add a syscall class for sending signals. Signed-off-by: Amy Griffis <amy.griffis@hp.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
Add a syscall class for sending signals.

Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PATCH] auditing ptrace 2007-05-11T09:38:25+00:00 Al Viro viro@zeniv.linux.org.uk 2007-03-20T17:58:35+00:00 a5cb013da773a67ee48d1c19e96436c22a73a7eb Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[PATCH] linux/audit.h needs linux/types.h 2007-03-06T17:30:25+00:00 Jeff Dike jdike@addtoit.com 2007-03-06T09:42:17+00:00 3b46e650165f691a30ddede1a79d2df02f3459d7 Include linux/types.h here because we need a definition of __u32. This file appears not be exported verbatim by libc, so I think this doesn't have any userspace consequences. Signed-off-by: Jeff Dike <jdike@linux.intel.com> Cc: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
Include linux/types.h here because we need a definition of __u32.  This file
appears not be exported verbatim by libc, so I think this doesn't have any
userspace consequences.

Signed-off-by: Jeff Dike <jdike@linux.intel.com>
Cc: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[PATCH] AUDIT_FD_PAIR 2007-02-18T02:30:15+00:00 Al Viro viro@zeniv.linux.org.uk 2007-02-07T06:48:00+00:00 db3495099d3d52854b13874905af6e40a91f4721 Provide an audit record of the descriptor pair returned by pipe() and socketpair(). Rewritten from the original posted to linux-audit by John D. Ramsdell <ramsdell@mitre.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
Provide an audit record of the descriptor pair returned by pipe() and
socketpair().  Rewritten from the original posted to linux-audit by
John D. Ramsdell <ramsdell@mitre.org>

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
audit: Add auditing to ipsec 2006-12-07T04:14:22+00:00 Joy Latten latten@austin.ibm.com 2006-11-27T19:11:54+00:00 161a09e737f0761ca064ee6a907313402f7a54b6 An audit message occurs when an ipsec SA or ipsec policy is created/deleted. Signed-off-by: Joy Latten <latten@austin.ibm.com> Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
An audit message occurs when an ipsec SA
or ipsec policy is created/deleted.

Signed-off-by: Joy Latten <latten@austin.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[PATCH] message types updated 2006-10-04T12:31:24+00:00 Steve Grubb sgrubb@redhat.com 2006-09-29T15:56:49+00:00 c8e649ba908954447e9a095677f6a6c8e50a37b2 Hi, This patch adds a new type for 3rd party module use and cleans up a deprecated message type. Signed-off-by: Steve Grubb <sgrubb@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
Hi,

This patch adds a new type for 3rd party module use and cleans up a deprecated
message type.

Signed-off-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[NetLabel]: audit fixups due to delayed feedback 2006-09-30T00:05:05+00:00 Paul Moore paul.moore@hp.com 2006-09-30T00:05:05+00:00 95d4e6be25a68cd9fbe8c0d356b585504d8db1c7 Fix some issues Steve Grubb had with the way NetLabel was using the audit subsystem. This should make NetLabel more consistent with other kernel generated audit messages specifying configuration changes. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: Steve Grubb <sgrubb@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
Fix some issues Steve Grubb had with the way NetLabel was using the audit
subsystem.  This should make NetLabel more consistent with other kernel
generated audit messages specifying configuration changes.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>