diff options
author | Steve Grubb <sgrubb@redhat.com> | 2005-05-13 13:17:42 -0400 |
---|---|---|
committer | David Woodhouse <dwmw2@shinybook.infradead.org> | 2005-05-13 13:17:42 -0400 |
commit | c04049939f88b29e235d2da217bce6e8ead44f32 (patch) | |
tree | 9bf3ab72b9939c529e7c96f8768bc8b7e1d768c9 /include | |
parent | 9ea74f0655412d0fbd12bf9adb6c14c8fe707a42 (diff) |
AUDIT: Add message types to audit records
This patch adds more messages types to the audit subsystem so that audit
analysis is quicker, intuitive, and more useful.
Signed-off-by: Steve Grubb <sgrubb@redhat.com>
---
I forgot one type in the big patch. I need to add one for user space
originating SE Linux avc messages. This is used by dbus and nscd.
-Steve
---
Updated to 2.6.12-rc4-mm1.
-dwmw2
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/audit.h | 66 |
1 files changed, 50 insertions, 16 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h index 405332ebf3c6..1a15ba38c660 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h | |||
@@ -27,15 +27,53 @@ | |||
27 | #include <linux/sched.h> | 27 | #include <linux/sched.h> |
28 | #include <linux/elf.h> | 28 | #include <linux/elf.h> |
29 | 29 | ||
30 | /* Request and reply types */ | 30 | /* The netlink messages for the audit system is divided into blocks: |
31 | * 1000 - 1099 are for commanding the audit system | ||
32 | * 1100 - 1199 user space trusted application messages | ||
33 | * 1200 - 1299 messages internal to the audit daemon | ||
34 | * 1300 - 1399 audit event messages | ||
35 | * 1400 - 1499 SE Linux use | ||
36 | * 1500 - 1999 future use | ||
37 | * 2000 is for otherwise unclassified kernel audit messages | ||
38 | * | ||
39 | * Messages from 1000-1199 are bi-directional. 1200-1299 are exclusively user | ||
40 | * space. Anything over that is kernel --> user space communication. | ||
41 | */ | ||
31 | #define AUDIT_GET 1000 /* Get status */ | 42 | #define AUDIT_GET 1000 /* Get status */ |
32 | #define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */ | 43 | #define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */ |
33 | #define AUDIT_LIST 1002 /* List filtering rules */ | 44 | #define AUDIT_LIST 1002 /* List syscall filtering rules */ |
34 | #define AUDIT_ADD 1003 /* Add filtering rule */ | 45 | #define AUDIT_ADD 1003 /* Add syscall filtering rule */ |
35 | #define AUDIT_DEL 1004 /* Delete filtering rule */ | 46 | #define AUDIT_DEL 1004 /* Delete syscall filtering rule */ |
36 | #define AUDIT_USER 1005 /* Send a message from user-space */ | 47 | #define AUDIT_USER 1005 /* Message from userspace -- deprecated */ |
37 | #define AUDIT_LOGIN 1006 /* Define the login id and information */ | 48 | #define AUDIT_LOGIN 1006 /* Define the login id and information */ |
38 | #define AUDIT_SIGNAL_INFO 1010 /* Get information about sender of signal*/ | 49 | #define AUDIT_WATCH_INS 1007 /* Insert file/dir watch entry */ |
50 | #define AUDIT_WATCH_REM 1008 /* Remove file/dir watch entry */ | ||
51 | #define AUDIT_WATCH_LIST 1009 /* List all file/dir watches */ | ||
52 | #define AUDIT_SIGNAL_INFO 1010 /* Get info about sender of signal to auditd */ | ||
53 | |||
54 | #define AUDIT_USER_AUTH 1100 /* User space authentication */ | ||
55 | #define AUDIT_USER_ACCT 1101 /* User space acct change */ | ||
56 | #define AUDIT_USER_MGMT 1102 /* User space acct management */ | ||
57 | #define AUDIT_CRED_ACQ 1103 /* User space credential acquired */ | ||
58 | #define AUDIT_CRED_DISP 1104 /* User space credential disposed */ | ||
59 | #define AUDIT_USER_START 1105 /* User space session start */ | ||
60 | #define AUDIT_USER_END 1106 /* User space session end */ | ||
61 | #define AUDIT_USER_AVC 1107 /* User space avc message */ | ||
62 | |||
63 | #define AUDIT_DAEMON_START 1200 /* Daemon startup record */ | ||
64 | #define AUDIT_DAEMON_END 1201 /* Daemon normal stop record */ | ||
65 | #define AUDIT_DAEMON_ABORT 1202 /* Daemon error stop record */ | ||
66 | #define AUDIT_DAEMON_CONFIG 1203 /* Daemon config change */ | ||
67 | |||
68 | #define AUDIT_SYSCALL 1300 /* Syscall event */ | ||
69 | #define AUDIT_FS_WATCH 1301 /* Filesystem watch event */ | ||
70 | #define AUDIT_PATH 1302 /* Filname path information */ | ||
71 | #define AUDIT_IPC 1303 /* IPC record */ | ||
72 | #define AUDIT_SOCKET 1304 /* Socket record */ | ||
73 | #define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */ | ||
74 | |||
75 | #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ | ||
76 | #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ | ||
39 | 77 | ||
40 | #define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */ | 78 | #define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */ |
41 | 79 | ||
@@ -216,14 +254,11 @@ extern void audit_signal_info(int sig, struct task_struct *t); | |||
216 | #ifdef CONFIG_AUDIT | 254 | #ifdef CONFIG_AUDIT |
217 | /* These are defined in audit.c */ | 255 | /* These are defined in audit.c */ |
218 | /* Public API */ | 256 | /* Public API */ |
219 | #define audit_log(ctx, fmt, args...) \ | 257 | extern void audit_log(struct audit_context *ctx, int type, |
220 | audit_log_type(ctx, AUDIT_KERNEL, 0, fmt, ##args) | 258 | const char *fmt, ...) |
221 | extern void audit_log_type(struct audit_context *ctx, int type, | 259 | __attribute__((format(printf,3,4))); |
222 | int pid, const char *fmt, ...) | ||
223 | __attribute__((format(printf,4,5))); | ||
224 | 260 | ||
225 | extern struct audit_buffer *audit_log_start(struct audit_context *ctx, int type, | 261 | extern struct audit_buffer *audit_log_start(struct audit_context *ctx,int type); |
226 | int pid); | ||
227 | extern void audit_log_format(struct audit_buffer *ab, | 262 | extern void audit_log_format(struct audit_buffer *ab, |
228 | const char *fmt, ...) | 263 | const char *fmt, ...) |
229 | __attribute__((format(printf,2,3))); | 264 | __attribute__((format(printf,2,3))); |
@@ -243,9 +278,8 @@ extern void audit_send_reply(int pid, int seq, int type, | |||
243 | void *payload, int size); | 278 | void *payload, int size); |
244 | extern void audit_log_lost(const char *message); | 279 | extern void audit_log_lost(const char *message); |
245 | #else | 280 | #else |
246 | #define audit_log(c,f,...) do { ; } while (0) | 281 | #define audit_log(c,t,f,...) do { ; } while (0) |
247 | #define audit_log_type(c,t,p,f,...) do { ; } while (0) | 282 | #define audit_log_start(c,t) ({ NULL; }) |
248 | #define audit_log_start(c,t,p) ({ NULL; }) | ||
249 | #define audit_log_vformat(b,f,a) do { ; } while (0) | 283 | #define audit_log_vformat(b,f,a) do { ; } while (0) |
250 | #define audit_log_format(b,f,...) do { ; } while (0) | 284 | #define audit_log_format(b,f,...) do { ; } while (0) |
251 | #define audit_log_end(b) do { ; } while (0) | 285 | #define audit_log_end(b) do { ; } while (0) |