Removal of audit rules with audit start
by Kris Wilson
Hi,
I found that when I stop auditd, any existing audit rules still exist, but
they are deleted when I restart using audit-0.6.2. Is this new behavior
deliberate and preferred? Is there a new option to not delete rules on
startup? All our tests are stopping and restarting auditd between assertions
and cleaning out the log file to reduce clutter. We'll need to change the
tests if this will no longer work. If users have a lot of rules created but
have to bring down auditd for some reason, won't this be a problem?
Thanks!
Kris Wilson
Linux Security
(512) 838-0126 T/L:678-0126
krisw(a)us.ibm.com
SELinux, LSM, SNARE ...
by M. Fecina
All,
I've been a lurking member of the SNARE development list
and this list for quite some time. My place of employment
has need to meet NISPOM CH.8 requirements on Linux systems.
Thus far, we've been using Leigh's SNARE 0.9.7 audit daemon
with the necessary kernel patches.
However, with all of the patches and progress being made
on SELinux, I'm wondering what the comparison is between
SNARE and SELinux. I know SELinux is built-in to the 2.6
kernel tree, and in conjunction with some userspace daemons (auditd),
it can provide audit trails.
Can anyone on this list tell me their thoughts on using SELinux
to meet all the functionality that SNARE has (minus the front-end GUI)
and to meet NISPOM ch.8 requirements? What do I need to get SELinux to
provide a similar implementation as SNARE? Is there *one* place where
all of the patches everyone has made on this list are rolled into?
I'd like to know where I should be spending my time -- SNARE or SELinux.
Thanks,
M. Fecina
--
Michael D. Fecina
Research Assistant
Applied Research Laboratory
Pennsylvania State University
814.863.5248
Sample Rules
by Steve Grubb
Hi,
I'm getting closer to releasing the next version of the audit daemon. I'm
wanting to include a file that has sample auditctl rules demonstrating how to
do various things. I'm open to ideas. What common tasks should be included?
Note the file will be installed in the docs directory rather than being the
default ruleset.
-Steve Grubb
status bitmask in include/linux/audit.h
by Timothy R. Chavez
I went to add myself to the status bit mask in audit.h and I saw this:
#define AUDIT_STATUS_ENABLED 0x0001
#define AUDIT_STATUS_FAILURE 0x0002
#define AUDIT_STATUS_PID 0x0004
#define AUDIT_STATUS_RATE_LIMIT 0x0008
-->#define AUDIT_STATUS_BACKLOG_LIMIT 0x0010
Isn't that technically a bug?
--
- Timothy R. Chavez
More audit message types
by Steve Grubb
Hello,
I'm working on the code for the audit daemon that writes the startup and
termination records to the audit log. I want to add more message types to
handle this. I have 2 ways to do it. 1) add the defines to the kernel audit.h
file or 2) add the defines to libaudit.h and hope we never have a clash.
I'm setting message types in the range of 1500 - 1599 for audit daemon local
use. I doubt we'll ever need more than 4-5, but numbers are cheap. In order
to keep working on this, I'm putting it in libaudit.h. It looks like this:
/* These audit message types are for audit daemon local use. */
#define AUDIT_START 1500 /* Define daemon start record */
#define AUDIT_TERM_NORM 1501 /* Define normal termination */
#define AUDIT_TERM_ERR 1502 /* Define error termination */
Any consensus as to whether they belong in the kernel's audit.h or libaudit.h?
Thanks,
-Steve Grubb
RE: [PATCH] Add audit uid to netlink credentials
by Chad Hanson
David Woodhouse wrote:
>
> On Wed, 2005-02-09 at 16:19 -0800, Chris Wright wrote:
> > Then it comes back to the question of how to protect loginuid. If it
> > can be spoofed by someone with CAP_AUDIT_WRITE, then it shouldn't be
> > write protected by CAP_AUDIT_CONTROL.
>
> I'm not sure I agree with that. With CAP_AUDIT_WRITE you _can't_ modify
> the loginuid of the audit logs of your own actions. You can only modify
> the loginuid on the messages you pull out of thin air and send. You can
> already make up the rest of the payload -- why shouldn't you be allowed
> to make up the loginuid too? You could be reporting something that
> someone _else_ has done, after all.
>
I'm not sure I understand this logic.
Let me start with some background. The purpose of the loginuid is to record
the original creator of the process regardless of credential changes since
login. We use a capability to protect this, so it cannot be altered by most
programs, even those which write audit records. Placing the loginuid in the
payload effectively removes the purpose of CAP_AUDIT_CONTROL from all
userland audit messages. A program may be privileged to write an audit
record, but a granular security approach would not let them have the ability
to change the loginuid as well.
In your example of a process watching daemon, why would this daemon want to
spoof the credentials of the watched process? I can think of two examples.
One, you are recording information for IDS-like purposes of system and
process state. This could be a good use of audit, however, I don't
understand the need to make the loginuid of the audit logs match the process
you are watching. If you really did, you are a heavily privileged process
already to watch all of these other processes, simply change your loginuid
through CAP_AUDIT_CONTROL and add that to the other privileges you already
have in monitoring the system state.
-Chad
[PATCH] Add audit uid to netlink credentials
by Serge E. Hallyn
Most audit control messages are sent over netlink. In order to properly
log the identity of the sender of audit control messages, we would like
to add the loginuid to the netlink_creds structure, as per the attached
patch.
thanks,
-serge
Signed-off-by: Serge Hallyn <serue(a)us.ibm.com>
Index: linux-2.6.10/include/linux/audit.h
===================================================================
--- linux-2.6.10.orig/include/linux/audit.h 2005-01-27 10:46:57.887036520 -0600
+++ linux-2.6.10/include/linux/audit.h 2005-01-27 10:51:37.408542792 -0600
@@ -145,7 +145,7 @@ extern void audit_inode(const char *name
/* Private API (for audit.c only) */
extern int audit_receive_filter(int type, int pid, int uid, int seq,
- void *data);
+ void *data, uid_t loginuid);
extern void audit_get_stamp(struct audit_context *ctx,
struct timespec *t, int *serial);
extern int audit_set_loginuid(struct audit_context *ctx, uid_t loginuid);
@@ -179,10 +179,10 @@ extern void audit_log_d_path(struct
const char *prefix,
struct dentry *dentry,
struct vfsmount *vfsmnt);
-extern int audit_set_rate_limit(int limit);
-extern int audit_set_backlog_limit(int limit);
-extern int audit_set_enabled(int state);
-extern int audit_set_failure(int state);
+extern int audit_set_rate_limit(int limit, uid_t loginuid);
+extern int audit_set_backlog_limit(int limit, uid_t loginuid);
+extern int audit_set_enabled(int state, uid_t loginuid);
+extern int audit_set_failure(int state, uid_t loginuid);
/* Private API (for auditsc.c only) */
extern void audit_send_reply(int pid, int seq, int type,
Index: linux-2.6.10/include/linux/netlink.h
===================================================================
--- linux-2.6.10.orig/include/linux/netlink.h 2005-01-27 10:46:57.888036368 -0600
+++ linux-2.6.10/include/linux/netlink.h 2005-01-27 10:51:37.409542640 -0600
@@ -110,6 +110,7 @@ struct netlink_skb_parms
__u32 dst_pid;
__u32 dst_groups;
kernel_cap_t eff_cap;
+ __u32 loginuid; /* Login (audit) uid */
};
#define NETLINK_CB(skb) (*(struct netlink_skb_parms*)&((skb)->cb))
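Review bot: the new field is declared __u32 here but carried as uid_t everywhere else in the patch (the local in audit_receive_msg, the audit_set_* parameters, audit_receive_filter), so pick one type rather than relying on implicit conversion at the two assignment sites. Since netlink_skb_parms lives in skb->cb (see NETLINK_CB just below), the comment should also say that this value is filled in by the kernel in netlink_sendmsg, not supplied by the sending process, because that is the whole point of putting it here instead of in the creds.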
Index: linux-2.6.10/kernel/audit.c
===================================================================
--- linux-2.6.10.orig/kernel/audit.c 2005-01-27 10:46:57.888036368 -0600
+++ linux-2.6.10/kernel/audit.c 2005-01-27 10:52:28.753737136 -0600
@@ -236,36 +236,36 @@ void audit_log_lost(const char *message)
}
-int audit_set_rate_limit(int limit)
+int audit_set_rate_limit(int limit, uid_t loginuid)
{
int old = audit_rate_limit;
audit_rate_limit = limit;
- audit_log(current->audit_context, "audit_rate_limit=%d old=%d",
- audit_rate_limit, old);
+ audit_log(NULL, "audit_rate_limit=%d old=%d by loginuid %u",
+ audit_rate_limit, old, loginuid);
return old;
}
-int audit_set_backlog_limit(int limit)
+int audit_set_backlog_limit(int limit, uid_t loginuid)
{
int old = audit_backlog_limit;
audit_backlog_limit = limit;
- audit_log(current->audit_context, "audit_backlog_limit=%d old=%d",
- audit_backlog_limit, old);
+ audit_log(NULL, "audit_backlog_limit=%d old=%d by loginuid %u",
+ audit_backlog_limit, old, loginuid);
return old;
}
-int audit_set_enabled(int state)
+int audit_set_enabled(int state, uid_t loginuid)
{
int old = audit_enabled;
if (state != 0 && state != 1)
return -EINVAL;
audit_enabled = state;
- audit_log(current->audit_context, "audit_enabled=%d old=%d",
- audit_enabled, old);
+ audit_log(NULL, "audit_enabled=%d old=%d by loginuid %u",
+ audit_enabled, old, loginuid);
return old;
}
-int audit_set_failure(int state)
+int audit_set_failure(int state, uid_t loginuid)
{
int old = audit_failure;
if (state != AUDIT_FAIL_SILENT
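Review bot: every audit_log() call in this hunk changes its first argument from current->audit_context to NULL, which is a behaviour change beyond adding the loginuid: the record is no longer attached to the caller's syscall context. If that is deliberate (the message now carries its own loginuid), say so in the change description; otherwise keep current->audit_context and just append the loginuid field.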
@@ -273,8 +273,8 @@ int audit_set_failure(int state)
&& state != AUDIT_FAIL_PANIC)
return -EINVAL;
audit_failure = state;
- audit_log(current->audit_context, "audit_failure=%d old=%d",
- audit_failure, old);
+ audit_log(NULL, "audit_failure=%d old=%d by loginuid %u",
+ audit_failure, old, loginuid);
return old;
}
@@ -341,6 +341,7 @@ static int audit_receive_msg(struct sk_b
int err;
struct audit_buffer *ab;
u16 msg_type = nlh->nlmsg_type;
+ uid_t loginuid; /* loginuid of sender */
err = audit_netlink_ok(NETLINK_CB(skb).eff_cap, msg_type);
if (err)
@@ -348,6 +349,7 @@ static int audit_receive_msg(struct sk_b
pid = NETLINK_CREDS(skb)->pid;
uid = NETLINK_CREDS(skb)->uid;
+ loginuid = NETLINK_CB(skb).loginuid;
seq = nlh->nlmsg_seq;
data = NLMSG_DATA(nlh);
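Review bot: good that loginuid is read from NETLINK_CB(skb) while pid and uid come from NETLINK_CREDS(skb): the cb value is set by the kernel in netlink_sendmsg from the sender's own audit context (af_netlink.c hunk), whereas the creds come from the sender's scm. A one-line comment on the new line saying that loginuid is kernel-supplied and must not be taken from NETLINK_CREDS would stop a later cleanup from "unifying" the three lines.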
@@ -368,31 +370,33 @@ static int audit_receive_msg(struct sk_b
return -EINVAL;
status_get = (struct audit_status *)data;
if (status_get->mask & AUDIT_STATUS_ENABLED) {
- err = audit_set_enabled(status_get->enabled);
+ err = audit_set_enabled(status_get->enabled, loginuid);
if (err < 0) return err;
}
if (status_get->mask & AUDIT_STATUS_FAILURE) {
- err = audit_set_failure(status_get->failure);
+ err = audit_set_failure(status_get->failure, loginuid);
if (err < 0) return err;
}
if (status_get->mask & AUDIT_STATUS_PID) {
int old = audit_pid;
audit_pid = status_get->pid;
- audit_log(current->audit_context,
- "audit_pid=%d old=%d", audit_pid, old);
+ audit_log(NULL, "audit_pid=%d old=%d by loginuid %u",
+ audit_pid, old, loginuid);
}
if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
- audit_set_rate_limit(status_get->rate_limit);
+ audit_set_rate_limit(status_get->rate_limit, loginuid);
if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT)
- audit_set_backlog_limit(status_get->backlog_limit);
+ audit_set_backlog_limit(status_get->backlog_limit,
+ loginuid);
break;
case AUDIT_USER:
ab = audit_log_start(NULL);
if (!ab)
break; /* audit_panic has been called */
audit_log_format(ab,
- "user pid=%d uid=%d length=%d msg='%.1024s'",
- pid, uid,
+ "user pid=%d uid=%d loginuid=%u length=%d"
+ " msg='%.1024s'",
+ pid, uid, loginuid,
(int)(nlh->nlmsg_len
- ((char *)data - (char *)nlh)),
(char *)data);
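Review bot: the record formats are inconsistent within this hunk: the AUDIT_STATUS_PID message appends "by loginuid %u" while the AUDIT_USER message uses "loginuid=%u" next to "pid=%d uid=%d". Log consumers key on name=value pairs, so use the loginuid=%u form in the audit_pid message (and in the audit_set_* messages in kernel/audit.c) as well.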
@@ -408,7 +412,7 @@ static int audit_receive_msg(struct sk_b
case AUDIT_LIST:
#ifdef CONFIG_AUDITSYSCALL
err = audit_receive_filter(nlh->nlmsg_type, pid, uid, seq,
- data);
+ data, loginuid);
#else
err = -EOPNOTSUPP;
#endif
Index: linux-2.6.10/kernel/auditsc.c
===================================================================
--- linux-2.6.10.orig/kernel/auditsc.c 2005-01-27 10:46:57.890036064 -0600
+++ linux-2.6.10/kernel/auditsc.c 2005-01-27 10:52:53.776933032 -0600
@@ -228,7 +228,8 @@ static int audit_copy_rule(struct audit_
return 0;
}
-int audit_receive_filter(int type, int pid, int uid, int seq, void *data)
+int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
+ uid_t loginuid)
{
u32 flags;
struct audit_entry *entry;
@@ -263,6 +264,7 @@ int audit_receive_filter(int type, int p
err = audit_add_rule(entry, &audit_entlist);
if (!err && (flags & AUDIT_AT_EXIT))
err = audit_add_rule(entry, &audit_extlist);
+ audit_log(NULL, "loginuid %u added an audit rule\n", loginuid);
break;
case AUDIT_DEL:
flags =((struct audit_rule *)data)->flags;
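Review bot: "loginuid %u added an audit rule" is logged unconditionally, including when audit_add_rule() returned an error two lines above, so a failed add is recorded as if it succeeded; log it only when !err, or include the result (e.g. "res=%d"). The trailing "\n" is also absent from every other audit_log() message in this patch.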
@@ -272,6 +274,8 @@ int audit_receive_filter(int type, int p
err = audit_del_rule(data, &audit_entlist);
if (!err && (flags & AUDIT_AT_EXIT))
err = audit_del_rule(data, &audit_extlist);
+ audit_log(NULL, "loginuid %u removed an audit rule\n",
+ loginuid);
break;
default:
return -EINVAL;
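Review bot: same issue as the AUDIT_ADD case: the "removed an audit rule" record is emitted even when audit_del_rule() failed. Guard it on !err (or report the result) so the log reflects what actually happened, and drop the trailing "\n" for consistency with the other messages.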
Index: linux-2.6.10/net/netlink/af_netlink.c
===================================================================
--- linux-2.6.10.orig/net/netlink/af_netlink.c 2005-01-27 10:46:57.891035912 -0600
+++ linux-2.6.10/net/netlink/af_netlink.c 2005-01-27 10:51:37.411542336 -0600
@@ -928,6 +928,7 @@ static int netlink_sendmsg(struct kiocb
NETLINK_CB(skb).groups = nlk->groups;
NETLINK_CB(skb).dst_pid = dst_pid;
NETLINK_CB(skb).dst_groups = dst_groups;
+ NETLINK_CB(skb).loginuid = audit_get_loginuid(current->audit_context);
memcpy(NETLINK_CREDS(skb), &siocb->scm->creds, sizeof(struct ucred));
/* What can I do? Netlink is asynchronous, so that
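Review bot: this assignment runs in the generic netlink_sendmsg path, so every netlink protocol's skb now carries a loginuid, and it calls audit_get_loginuid(current->audit_context) for senders whose task may have no audit context. Please confirm audit_get_loginuid() tolerates a NULL context (or guard it here), and state in the description whether populating this for non-audit netlink protocols is intended.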
[INFO] my auditfs portal page + design diagrams
by Timothy R. Chavez
Hello,
I've removed my auditfs portal page. I would like to have the
SourceForge project changed to accommodate both kernel and user space
code. Though there has been sentiment expressed that is against using
the project space, I'd like to use it for the auditfs stuff. I would
like to have a centralized place to post design diagrams,
documentation, and patches. This is useful for people who are just
joining the project or would like to join the project and do not want
to sift through months of archived messages to find what they need.
Also, if anyone would like the two diagrams I've done so far, please
privately e-mail. I don't want to introduce large files on the e-mail
list.
--
- Timothy R. Chavez
RE: [PATCH] Add audit uid to netlink credentials
by Chad Hanson
David Woodhouse wrote:
>
> Perhaps I misunderstand the intent of userspace AUDIT_WRITE. Can you
> provide examples of why you _wouldn't_ want to let a dæmon which is
> already sending random unvetted AUDIT_WRITE messages also specify the
> loginuid on _those_ messages?
The loginuid is part of the process state. This is the reason you do not
want to write out this information from a userspace application, as the
process state portions of the audit record are recorded by the kernel.
-Chad
Re: [PATCH] Add audit uid to netlink credentials
by Stephen Smalley
On Wed, 2005-02-09 at 13:52, Patrick McHardy wrote:
> Could you explain how this can happen ? From what I can see whenever data
> is queued to the receive queue the input function is called immediately
> through sk->sk_data_ready() -> netlink_data_ready() -> nlk->data_ready()
> and processes all queued packets, except in the case you pointed out,
> when audit_netlink_sem is already taken.
More packets may be queued by another sender while audit_receive() is
still processing the original one, so it will process them too.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency