linux-hardened

log the access to SUID

Open theLOICofFRANCE opened this issue 6 years ago • 5 comments

Log the access to SUID. The display format is as follows:

[ 9.799423] linux-hardened: exim4 executed by the uid/euid:0/0 just used a SUID
[ 78.596654] linux-hardened: bash executed by the uid/euid:1000/1000 just used a SUID

theLOICofFRANCE, Mar 31 '20 10:03
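
One way to consume messages in the format shown above, added here as an example; it is not part of the proposed change or of linux-hardened. It extracts the program name, uid and euid from kernel log text and counts events per program. The function names and the middle sample line are assumptions; the two SUID lines are the ones quoted in the issue.

```python
import re
from collections import Counter

# Message format quoted in the issue:
# [ <secs since boot>] linux-hardened: <prog> executed by the uid/euid:<uid>/<euid> just used a SUID
SUID_MSG = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\]\s+linux-hardened:\s+(?P<prog>\S.*?)\s+"
    r"executed by the uid/euid:(?P<uid>\d+)/(?P<euid>\d+)\s+just used a SUID"
)

# Sample input: the two SUID lines come from the issue; the middle line is constructed noise.
SAMPLE_LOG = """\
[    9.799423] linux-hardened: exim4 executed by the uid/euid:0/0 just used a SUID
[   12.000001] audit: type=1400 constructed unrelated line
[   78.596654] linux-hardened: bash executed by the uid/euid:1000/1000 just used a SUID
"""


def parse_suid_events(text):
    """Return one dict per SUID message; other kernel log lines are skipped."""
    events = []
    for line in text.splitlines():
        # finditer also copes with several messages run together on one line.
        for m in SUID_MSG.finditer(line):
            events.append({
                "ts": float(m.group("ts")),   # seconds since boot
                "prog": m.group("prog"),      # program name as logged, not verified
                "uid": int(m.group("uid")),
                "euid": int(m.group("euid")),
            })
    return events


def count_by_program(events):
    """Count events per (program, uid, euid) to see which callers dominate the log."""
    return Counter((e["prog"], e["uid"], e["euid"]) for e in events)


def non_root_events(events):
    """Events where the real uid of the caller is not root."""
    return [e for e in events if e["uid"] != 0]


if __name__ == "__main__":
    evs = parse_suid_events(SAMPLE_LOG)
    for key, n in count_by_program(evs).most_common():
        print(n, key)
    print("non-root:", non_root_events(evs))
```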

Well, this doesn't address my concerns that the audit subsystem would be a better place to log such things, plus I still don't see why this should be a warning.

anthraxx, Mar 31 '20 12:03

The goal is simply to have the essentials in the log with the default installation.

You have been using GRKERNSEC_EXECLOG for years, but now you don't want to keep one of the essential pieces of information?

All right, I accept.

theLOICofFRANCE, Apr 01 '20 08:04

> You have been using GRKERNSEC_EXECLOG for years, but now you don't want to keep one of the essential pieces of information?

Well, GRKERNSEC_EXECLOG is configurable both at compile and run time, which is quite important as it produces a lot of logs and is probably only useful in very specific cases.

tsautereau-anssi, Apr 01 '20 08:04

I'm no expert on what the C standard says about it, but doesn't current_uid() in the printf call translate to trying to (%u) print a struct? A kuid_t struct, specifically. That should, if I understand it correctly, work anyway, but won't it result in an extra warning being printed during build, at least? Using current_uid().val would eliminate that warning.

Still, for the addition itself, I believe it could well be a worthy extra to have available, either in audit or this way. The crucial part would be making sure it's toggleable in some capacity, be it Kconfig or otherwise. That way, for those that should need the extra verbosity, whatever that might be for, they get the option of flipping the option on if they so choose.

XHDR, Apr 01 '20 09:04

pd0h, Jun 23 '20 15:06