authorSteve Grubb <sgrubb@redhat.com>2005-05-13 13:17:42 -0400
committerDavid Woodhouse <dwmw2@shinybook.infradead.org>2005-05-13 13:17:42 -0400
commitc04049939f88b29e235d2da217bce6e8ead44f32 (patch)
tree9bf3ab72b9939c529e7c96f8768bc8b7e1d768c9 /include
parent9ea74f0655412d0fbd12bf9adb6c14c8fe707a42 (diff)
AUDIT: Add message types to audit records
This patch adds more message types to the audit subsystem so that audit analysis is quicker, more intuitive, and more useful. Signed-off-by: Steve Grubb <sgrubb@redhat.com> --- I forgot one type in the big patch. I need to add one for user space originating SE Linux avc messages. This is used by dbus and nscd. -Steve --- Updated to 2.6.12-rc4-mm1. -dwmw2 Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Diffstat (limited to 'include')
-rw-r--r--include/linux/audit.h66
1 files changed, 50 insertions, 16 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 405332ebf3c6..1a15ba38c660 100644
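--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -27,15 +27,53 @@
 #include <linux/sched.h>
 #include <linux/elf.h>
 
-/* Request and reply types */
+/* The netlink messages for the audit system is divided into blocks:
+ * 1000 - 1099 are for commanding the audit system
+ * 1100 - 1199 user space trusted application messages
+ * 1200 - 1299 messages internal to the audit daemon
+ * 1300 - 1399 audit event messages
+ * 1400 - 1499 SE Linux use
+ * 1500 - 1999 future use
+ * 2000 is for otherwise unclassified kernel audit messages
+ *
+ * Messages from 1000-1199 are bi-directional. 1200-1299 are exclusively user
+ * space. Anything over that is kernel --> user space communication.
+ */
 #define AUDIT_GET 1000 /* Get status */
 #define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */
-#define AUDIT_LIST 1002 /* List filtering rules */
-#define AUDIT_ADD 1003 /* Add filtering rule */
-#define AUDIT_DEL 1004 /* Delete filtering rule */
-#define AUDIT_USER 1005 /* Send a message from user-space */
+#define AUDIT_LIST 1002 /* List syscall filtering rules */
+#define AUDIT_ADD 1003 /* Add syscall filtering rule */
+#define AUDIT_DEL 1004 /* Delete syscall filtering rule */
+#define AUDIT_USER 1005 /* Message from userspace -- deprecated */
 #define AUDIT_LOGIN 1006 /* Define the login id and information */
-#define AUDIT_SIGNAL_INFO 1010 /* Get information about sender of signal*/
+#define AUDIT_WATCH_INS 1007 /* Insert file/dir watch entry */
+#define AUDIT_WATCH_REM 1008 /* Remove file/dir watch entry */
+#define AUDIT_WATCH_LIST 1009 /* List all file/dir watches */
+#define AUDIT_SIGNAL_INFO 1010 /* Get info about sender of signal to auditd */
+
+#define AUDIT_USER_AUTH 1100 /* User space authentication */
+#define AUDIT_USER_ACCT 1101 /* User space acct change */
+#define AUDIT_USER_MGMT 1102 /* User space acct management */
+#define AUDIT_CRED_ACQ 1103 /* User space credential acquired */
+#define AUDIT_CRED_DISP 1104 /* User space credential disposed */
+#define AUDIT_USER_START 1105 /* User space session start */
+#define AUDIT_USER_END 1106 /* User space session end */
+#define AUDIT_USER_AVC 1107 /* User space avc message */
+
+#define AUDIT_DAEMON_START 1200 /* Daemon startup record */
+#define AUDIT_DAEMON_END 1201 /* Daemon normal stop record */
+#define AUDIT_DAEMON_ABORT 1202 /* Daemon error stop record */
+#define AUDIT_DAEMON_CONFIG 1203 /* Daemon config change */
+
+#define AUDIT_SYSCALL 1300 /* Syscall event */
+#define AUDIT_FS_WATCH 1301 /* Filesystem watch event */
+#define AUDIT_PATH 1302 /* Filname path information */
+#define AUDIT_IPC 1303 /* IPC record */
+#define AUDIT_SOCKET 1304 /* Socket record */
+#define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */
+
+#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
+#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
 
 #define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
 
@@ -216,14 +254,11 @@ extern void audit_signal_info(int sig, struct task_struct *t);
 #ifdef CONFIG_AUDIT
 /* These are defined in audit.c */
  /* Public API */
-#define audit_log(ctx, fmt, args...) \
- audit_log_type(ctx, AUDIT_KERNEL, 0, fmt, ##args)
-extern void audit_log_type(struct audit_context *ctx, int type,
- int pid, const char *fmt, ...)
- __attribute__((format(printf,4,5)));
+extern void audit_log(struct audit_context *ctx, int type,
+ const char *fmt, ...)
+ __attribute__((format(printf,3,4)));
 
-extern struct audit_buffer *audit_log_start(struct audit_context *ctx, int type,
- int pid);
+extern struct audit_buffer *audit_log_start(struct audit_context *ctx,int type);
 extern void audit_log_format(struct audit_buffer *ab,
  const char *fmt, ...)
  __attribute__((format(printf,2,3)));
@@ -243,9 +278,8 @@ extern void audit_send_reply(int pid, int seq, int type,
  void *payload, int size);
 extern void audit_log_lost(const char *message);
 #else
-#define audit_log(c,f,...) do { ; } while (0)
-#define audit_log_type(c,t,p,f,...) do { ; } while (0)
-#define audit_log_start(c,t,p) ({ NULL; })
+#define audit_log(c,t,f,...) do { ; } while (0)
+#define audit_log_start(c,t) ({ NULL; })
 #define audit_log_vformat(b,f,a) do { ; } while (0)
 #define audit_log_format(b,f,...) do { ; } while (0)
 #define audit_log_end(b) do { ; } while (0)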
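Review bot: The block comment at the top of the first hunk states a trust boundary (1000-1199 bi-directional, 1200-1299 user space only, everything above kernel to user space), but the header defines no constants for those boundaries, so every receive-side check has to repeat the raw numbers. Exporting the range, e.g. `#define AUDIT_FIRST_USER_MSG 1100` and `#define AUDIT_LAST_USER_MSG 1199`, would let the netlink receive path accept user-originated records by range and refuse anything typed 1300 or above; that matters because a user-space record carrying `AUDIT_SYSCALL` or `AUDIT_AVC` would be hard for an analyst to tell apart from a kernel one. The receive path lives in kernel/audit.c, outside this view (the page is limited to include/), so whether it already enforces the split cannot be confirmed here. Separately, the `AUDIT_PATH` comment reads `Filname` and should be `/* Filename path information */`.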