Date: Thu, 11 Apr 2019 14:22:47 +0200
From: Steve Grubb
To: Richard Guy Briggs
Cc: LKML, Linux-Audit Mailing List, Paul Moore, omosnace@redhat.com, eparis@parisplace.org, ebiederm@xmission.com, oleg@redhat.com
Subject: Re: [PATCH ghak111 V1] audit: deliver siginfo regarless of syscall
Message-ID: <20190411142247.1a7a3639@ivy-bridge>
In-Reply-To: <20190409155728.dfp4qwseo6jxdmqr@madcap2.tricolour.ca>
Organization: Red Hat

On Tue, 9 Apr 2019 11:57:28 -0400
Richard Guy Briggs wrote:

> On 2019-04-09 17:37, Steve Grubb wrote:
> > On Tue, 9 Apr 2019 10:02:59 -0400
> > Richard Guy Briggs wrote:
> >
> > > On 2019-04-09 08:01, Steve Grubb wrote:
> > > > On Mon, 8 Apr 2019 23:52:29 -0400 Richard Guy Briggs
> > > > wrote:
> > > > > When a process signals the audit daemon (shutdown, rotate,
> > > > > resume, reconfig) but syscall auditing is not enabled, we
> > > > > still want to know the identity of the process sending the
> > > > > signal to the audit daemon.
> > > >
> > > > Why? If syscall auditing is disabled, then there is no
> > > > requirement to provide anything. What is the real problem that
> > > > you are seeing?
> > >
> > > Shutdown messages with -1 in them rather than the real values.
> >
> > OK. We can fix that by patching auditd to see if auditing is enabled
> > before requesting signal info. If auditing is disabled, the proper
> > action is for the kernel to ignore any audit userspace messages
> > except the configuration commands.
>
> If auditing is disabled in the kernel, none of this is trackable. It
> is for those as yet unsupported arches that can run audit enabled but
> without auditsyscall support.

Ok. I suppose this is useful for this use case. No further objections.

-Steve