Two netlink patches
by Serge Hallyn
Hi,
Is there any objection to my sending the two netlink patches I recently
sent out to lkml? Just to refresh memory, the one (audit-fix-
permchecks.diff) adds some message length checks and moves audit control
message authorization to netlink message send, while the other (audit-
loginuid.patch) changes the SET_LOGINUID behavior to set loginuid for
the sending process (as expected) rather than whichever process happens
to end up handling the message.
thanks,
-serge
--
Serge Hallyn <serue(a)us.ibm.com>
Corrupted avc log messages
by Peter Martuccelli
Hello,
I had some of the SELinux folks reporting a problem with corrupted avc
messages, truncated entries, concatenated entries, etc. I reproduced
the problem for the first time last week after a 16 hour SMP test run.
I can now reproduce the issue within 10 minutes on a UP system running
2.6.9, which is a much better test environment. I will be adding some
debug code to determine the root cause and will follow up with a patch
when finished.
Regards,
Peter
Snare, SELinux, NISPOM
by Browder, Tom
OK, given the current state of things, is anyone satisfying NISPOM
auditing requirements on Linux? If so, what are you using for auditing
(Linux distribution, add-ons, kernel)?
The best I can figure in the short term (right out of the box) is FC 2
and snare 096b with the UT kernel rpms: 2.6.7-1.494.2.2SNARE096b
Any better ideas would be appreciated.
Thanks.
Tom Browder
RE: Newbie: How to use auditd?
by Browder, Tom
> -----Original Message-----
> From: linux-audit-bounces(a)redhat.com
> [mailto:linux-audit-bounces@redhat.com] On Behalf Of Steve Grubb
> On Tuesday 21 December 2004 12:48, Browder, Tom wrote:
> > Um, I'm going to show my ignorance. Where is the rawhide rpm site?
>
> http://mirrors.kernel.org/fedora/core/development/
>
> -Steve Grubb
Thanks, Steve.
Tom Browder
RE: Newbie: How to use auditd?
by Browder, Tom
Um, I'm going to show my ignorance. Where is the rawhide rpm site? The
fp link I found with google would not allow access.
Thanks.
Tom Browder
Newbie: How to use auditd?
by Linux
Dear linux-audit people,
I recently converted to Fedora3 from Slackware and I'm very new
to this linux audit stuff; I really need help with this.
I'm working on some user space audit logging stuff which
captures both netfilter's ulog and audit for my own project.
First off, I tried auditd to understand how the audit facility works
in user space. But since there's a lack of info, I have no idea
how to use it in the first place. I followed the README's example below:
===>
Examples:
General:
Window 1:
./auditd
Window 2 (you don't have to have the daemon running to try this, but
enabled has to be 1):
./auditctl -s
./auditctl -a entry,always -S open
ls
./auditctl -d entry,always -S open
Identity tracking:
./auditctl -a exit,always -S all -F loginuid=2000
./auditctl -L 2000,"test uid"
<===
Nothing worked. auditd got stuck at the pthread_cond_wait() call.
Maybe I need some policy setting to make it work?
I tried the strict policy too, but it was the same, though I got avc
errors that some of auditd's requests were rejected.
I ran auditd and auditctl under sysadm_r:sysadm_t.
Am I missing something very important in the first place?
Please enlighten me on how to use auditd, and on where to find more info on
the linux audit facility, such as policy settings, if required.
Thank you,
-- Junji Kanemaru
Linuon Inc.
Tokyo Japan
RE: Snare, SELinux, NISPOM
by Browder, Tom
> -----Original Message-----
> From: linux-audit-bounces(a)redhat.com
> [mailto:linux-audit-bounces@redhat.com] On Behalf Of Steve Grubb
> Sent: Tuesday, December 21, 2004 9:51 AM
> To: Linux Audit Discussion
> Subject: Re: Snare, SELinux, NISPOM
> I use FC3 & rawhide under targeted policy for auditd
> development. However, both user space and kernel code are
> still being written.
Thanks, Steve. When someone has a good policy that (1) satisfies NISPOM
and (2) eliminates most other avc log traffic, you'll have a winner.
Tom Browder
best way to audit in vfs
by Timothy R. Chavez
Hello,
I've been kind of thinking about this. Presumably, we want to audit
both failed and successful attempts in whatever vfs function we happen
to be in. For instance, if we fall out of vfs_mkdir because
may_create returned an error, we'd like to receive an audit message
that said something like, "filename=myfile syscall= mkdir()
error=<errno>.....", but, would I want to do this by hooking each
conditional statement? Is there a better approach? The only other
one I can think of would be to have one exit point in the functions
and audit right before we exit...
i.e.:
int vfs_create(struct inode *dir, struct dentry *dentry, int mode,
               struct nameidata *nd)
{
        int error = may_create(dir, dentry, nd);

        if (error)
                goto vfs_create_exit;
        if (!dir->i_op || !dir->i_op->create) {
                error = -EACCES;
                goto vfs_create_exit;
        }
        mode &= S_IALLUGO;
        mode |= S_IFREG;
        error = security_inode_create(dir, dentry, mode);
        if (error)
                goto vfs_create_exit;
        DQUOT_INIT(dir);
        error = dir->i_op->create(dir, dentry, mode, nd);
        if (!error) {
                inode_dir_notify(dir, DN_CREATE);
                security_inode_post_create(dir, dentry, mode);
        }
vfs_create_exit:
        /* single exit point: one audit record whether we succeeded or failed */
        audit_inode_create(dir, dentry, error, mode);
        return error;
}
--
- Timothy R. Chavez
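As an added example (not code from the post or from the kernel): a constructed user-space model of the single-exit-point pattern above, with hypothetical names, so the one-record-per-call property can be checked on every failure path as well as on success.

```c
#include <errno.h>
#include <string.h>

/* Constructed user-space model of the single-exit-point idea above: every
 * return path funnels through one label, where exactly one audit record is
 * emitted for success and failure alike. All names here are hypothetical. */
struct audit_record {
        char name[32];
        const char *syscall;
        int error;      /* 0 on success, otherwise -errno */
        int count;      /* records emitted so far; must be one per call */
};

/* Stand-in for may_create(): empty name -> EINVAL, "deny*" -> EACCES. */
static int mock_may_create(const char *name)
{
        if (name[0] == '\0')
                return -EINVAL;
        if (strncmp(name, "deny", 4) == 0)
                return -EACCES;
        return 0;
}

/* Stand-in for the audit_inode_create() hook in the post. */
static void audit_create(struct audit_record *rec, const char *name, int error)
{
        strncpy(rec->name, name, sizeof(rec->name) - 1);
        rec->name[sizeof(rec->name) - 1] = '\0';
        rec->syscall = "create";
        rec->error = error;
        rec->count++;
}

/* have_op models whether dir->i_op->create exists. */
int vfs_create_model(const char *name, int have_op, struct audit_record *rec)
{
        int error = mock_may_create(name);

        if (error)
                goto out;
        if (!have_op) {
                error = -EACCES;
                goto out;
        }
        /* the real create would run here; the model treats it as success */
out:
        audit_create(rec, name, error); /* single exit: one record per call */
        return error;
}
```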
suspending a process when audit resource are not available
by Mounir Bsaibes
One of the CAPP requirements, and probably the LSPP as well, is that when audit
records cannot be generated for a particular process, the process needs to
be halted. The current audit system, depending on the failure flag, can
either 1) do nothing, 2) print a kernel message, or 3) issue a panic. I am
thinking of adding a 4th option for the failure flag to suspend the
process. If the failure flag is set to "suspend" and the audit_log_lost
function is called, the process will be suspended by issuing a sigsuspend
call.
I am soliciting comments to see whether I should proceed with this or not.
Thanks,
Mounir
Mounir Bsaibes
Linux Security
Tel: (512) 838-1301
Cell: (512) 762-9957
Fax: (512) 838-8858
e-mail: bsaibes(a)us.ibm.com