Re: [patch] Syscall auditing - move "name=" field to the end
by Debora Velarde
Below is the format_text patch I worked on a long time ago based on Klaus'
suggestion. I wasn't able to contribute it back then, but can now.
It is built against an old version of audit. I can create a similar patch
against the latest level if it would be helpful.
-debbie
----- Forwarded by Debora Velarde/Austin/IBM on 03/17/2005 02:06 PM -----
From: Steve Grubb <sgrubb(a)redhat.com>
To: Debora Velarde/Austin/IBM@IBMUS
cc: Mounir Bsaibes/Austin/IBM@IBMUS
Date: 01/05/2005 08:48 AM
Subject: format_text patch
Hi Debbie & Mounir,
Debbie, thanks for working on this and being so quick to get it done. I
really appreciate that. I'm not so happy that I can't publish your
contribution. In short, I have to release a new version of audit today. I'm
attaching Debbie's patch to this e-mail. It's a diff between 0.6 and 0.5.7 -
which was my development copy that was never published. This will let you
"put it back" for testing.
Thanks,
-Steve Grubb
(See attached file: audit-0.6-deb.patch)
19 years, 9 months
audit vs. ptrace races.
by David Woodhouse
On most architectures we use the ptrace hooks for syscall tracing to
also call audit_syscall_entry() and audit_syscall_exit(). But we do so
_before_ calling ptrace_notify(), during which we stop the process and
let the debugger poke at it, potentially _changing_ the arguments to the
syscall.
So AFAICT we can log the syscall's arguments before they're changed, and
then it can go on to do something entirely different to what we said it
was going to do. We need to switch the order round, I think.
There is also a potential race condition where the argument is actually
a pointer to userspace memory -- for auditing purposes we _must_ use the
copy which we get from userspace at the time we perform the syscall, not
copy it in from userspace in audit_syscall_entry(). I don't think we
currently have problems with this -- both the IPC code and getname() are
doing this correctly -- but it's worth pointing out to avoid mistakes in
future.
--
dwmw2
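As an added demonstration of the ordering problem described in the message above (example code, not the kernel's or the audit project's own; x86_64 Linux only, and it needs permission to ptrace a child process), the tracer below changes the mode argument of an fchmodat call at the syscall-entry ptrace stop. Anything that recorded the arguments before ptrace_notify() would have seen 0600, while the kernel executes the call with the value the tracer substituted. The temporary path and the RC_UNAVAILABLE sentinel are assumptions of this example.

```c
/* Added example, x86_64 Linux only: a ptrace tracer that rewrites a syscall
 * argument at the syscall-entry stop.  Anything that recorded the argument
 * before ptrace_notify() would have seen ORIGINAL_MODE, while the kernel
 * executes the call with the value the tracer substituted. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#define RC_UNAVAILABLE (-2)   /* ptrace refused here, or not x86_64 Linux */
#define ORIGINAL_MODE   0600  /* what the tracee asks for */

#if defined(__linux__) && defined(__x86_64__)
/* Tracee: ask to be traced, stop, then chmod the file through the raw
 * syscall so the tracer knows the syscall number and the argument slot. */
static void tracee(const char *path)
{
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0)
        _exit(111);
    raise(SIGSTOP);
    syscall(SYS_fchmodat, AT_FDCWD, path, ORIGINAL_MODE, 0);
    _exit(0);
}
#endif

/* Tracer.  Returns the permission bits the file ended up with (new_mode if
 * the rewrite worked), -1 on an unexpected error, RC_UNAVAILABLE if ptrace
 * is not permitted in this environment. */
int trace_and_rewrite(const char *path, mode_t new_mode)
{
#if defined(__linux__) && defined(__x86_64__)
    int result = -1, status, in_syscall = 0;
    struct stat st;
    int fd = open(path, O_CREAT | O_WRONLY | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    close(fd);

    pid_t pid = fork();
    if (pid == 0)
        tracee(path);
    if (pid < 0)
        goto out;

    waitpid(pid, &status, 0);                 /* the tracee's SIGSTOP */
    if (!WIFSTOPPED(status)) {                /* PTRACE_TRACEME was refused */
        result = RC_UNAVAILABLE;
        goto out;
    }
    /* Flag syscall stops as SIGTRAP|0x80 so they are not confused with
     * ordinary signal stops. */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);

    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) < 0 ||
            waitpid(pid, &status, 0) < 0)
            goto out;
        if (WIFEXITED(status) || WIFSIGNALED(status))
            break;
        if (!WIFSTOPPED(status) || WSTOPSIG(status) != (SIGTRAP | 0x80))
            continue;                         /* not a syscall stop */
        /* Syscall stops alternate entry/exit; act only on the entry stop. */
        if (!in_syscall) {
            struct user_regs_struct regs;
            if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0)
                goto out;
            if (regs.orig_rax == SYS_fchmodat) {
                regs.rdx = new_mode;          /* arg 2 of fchmodat: mode */
                if (ptrace(PTRACE_SETREGS, pid, NULL, &regs) < 0)
                    goto out;
            }
        }
        in_syscall = !in_syscall;
    }

    if (stat(path, &st) == 0)
        result = (int)(st.st_mode & 07777);
out:
    unlink(path);
    return result;
#else
    (void)path; (void)new_mode;
    return RC_UNAVAILABLE;
#endif
}

int main(void)
{
    int mode = trace_and_rewrite("/tmp/audit_ptrace_demo", 0640);
    if (mode == RC_UNAVAILABLE)
        puts("ptrace not available here");
    else
        printf("tracee asked for %04o, file ended up %04o\n", ORIGINAL_MODE, mode);
    return 0;
}
```

The second point in the message applies here as well: had the tracer rewritten the path pointer instead of the mode, only a copy taken inside the syscall itself (getname()) would reflect what the kernel actually operated on.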
altering audit_log_start
by Timothy R. Chavez
Hello,
I just wanted to get feedback. This would change the audit subsystem such
that subsystems like SELinux would have to adapt, but I think it'd be better
in the long run if the audit_log_start() function actually returned an
ERR_PTR() upon failure. That way we could properly handle/propagate the
error in non-void functions that want to use audit_log*.
Any opinions on the matter?
--
-tim
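As an added illustration of the proposal above (a userspace re-implementation written for this page, not the kernel's headers or the audit project's code), here is the ERR_PTR()/IS_ERR()/PTR_ERR() convention alongside a non-void caller that propagates the error it carries. The `audit_log_start_errptr` stand-in, its backlog limit and the `log_event` caller are assumptions of this example.

```c
/* Added example (userspace re-implementation, not the kernel's headers or
 * the audit project's code): the ERR_PTR()/IS_ERR()/PTR_ERR() convention
 * and how a non-void caller propagates the error it carries. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* The kernel reserves the top MAX_ERRNO addresses of the pointer space to
 * encode -errno values; no valid kernel object can live there. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err) { return (void *)err; }
static inline long  PTR_ERR(const void *p) { return (long)p; }
static inline int   IS_ERR(const void *p)
{
    return (unsigned long)p >= (unsigned long)-MAX_ERRNO;
}

struct audit_buffer { char data[64]; size_t len; };

/* Hypothetical stand-in for audit_log_start() as the message proposes it:
 * a buffer on success, ERR_PTR(-EAGAIN) when the backlog is full, and
 * ERR_PTR(-ENOMEM) when allocation fails (forced here via fail_alloc). */
static int backlog = 0;
static const int backlog_limit = 2;

struct audit_buffer *audit_log_start_errptr(int fail_alloc)
{
    if (backlog >= backlog_limit)
        return ERR_PTR(-EAGAIN);
    struct audit_buffer *ab = fail_alloc ? NULL : calloc(1, sizeof *ab);
    if (!ab)
        return ERR_PTR(-ENOMEM);
    backlog++;
    return ab;
}

void audit_log_end_errptr(struct audit_buffer *ab)
{
    backlog--;
    free(ab);
}

/* A non-void caller (an LSM hook returning int, say) can now hand the
 * precise reason upward instead of collapsing every failure into NULL. */
int log_event(const char *msg, int fail_alloc)
{
    struct audit_buffer *ab = audit_log_start_errptr(fail_alloc);
    if (IS_ERR(ab))
        return (int)PTR_ERR(ab);          /* -ENOMEM or -EAGAIN */
    size_t n = strlen(msg);
    if (n >= sizeof ab->data)
        n = sizeof ab->data - 1;
    memcpy(ab->data, msg, n);
    ab->data[n] = '\0';
    ab->len = n;
    audit_log_end_errptr(ab);
    return 0;
}
```

The flip side is the adaptation the message mentions: a caller that still tests `if (!ab)` would treat ERR_PTR(-ENOMEM) as a live buffer and dereference it, so every audit_log_start() user has to move to IS_ERR() in the same change.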
32bit and 64bit syscall issues
by Debora Velarde
Our current audit solution has some problems when a user tries to audit
32bit syscalls on x86_64 systems. (This is a CAPP requirement.)
Most of the problems are due to the fact that there are two unistd.h files
on x86_64 systems.
64bit syscalls are defined in /usr/include/asm-x86_64/unistd.h
32bit syscalls are defined in /usr/include/asm-i386/unistd.h
In these two files, the syscall numbers assigned to syscall names are not
the same.
For example:
From /usr/include/asm-i386/unistd.h:
#define __NR_fork 2
#define __NR_open 5
From /usr/include/asm-x86_64/unistd.h:
#define __NR_open 2
#define __NR_fstat 5
---------------
Problem 1:
"auditctl -t" always translates numbers to name based on
/usr/include/asm-x86_64/unistd.h
(When compiled in 64bit mode on a 64bit system).
Possible Solution 1:
Modify /usr/include/asm-i386/unistd.h and /usr/include/asm-x86_64/unistd.h
so that the 32bit and the 64bit syscall number of any syscall are the same
number.
Possible Solution 2:
Modify auditctl to return both 32bit and 64bit syscall names associated
with that number. This will require a change in how Steve creates his
table.
Example:
auditctl -t 2
Would Return:
32bit: fork
64bit: open
Possible Solution 3:
Modify auditctl -t option to require an additional flag indicating whether
the 32bit or the 64bit syscall number should be returned. Could possibly
use the "-F pers=" flag.
---------------
Problem 2:
"auditctl -a" rule also always translates numbers to the syscall name found
in /usr/include/asm-x86_64/unistd.h
Possible Solution 1:
Modify /usr/include/asm-i386/unistd.h and /usr/include/asm-x86_64/unistd.h
so that the 32bit and the 64bit syscall number of any syscall are the same
number.
Possible Solution 2:
auditctl -a <l,a> -S <syscall name> should require additional flag
indicating if 32bit, 64bit, or both syscalls should be audited. Could
possibly use the "pers" flag, assuming personality can determine if a
syscall was compiled 32bit or 64bit.
Then audit rule(s) can be added for the correct syscall number(s).
auditctl -A, and auditctl -d rules would also need to be changed.
---------------
Problem 3:
Personality is currently always 0 by default. We can NOT assume that an
application will manually set personality to another number. Therefore we
cannot currently use the "pers" flag to determine if a syscall was executed
from a 32bit or a 64bit compiled program.
Possible Solution 1:
Modify /usr/include/asm-i386/unistd.h and /usr/include/asm-x86_64/unistd.h
so that the 32bit and the 64bit syscall number of any syscall are the same
number.
Then we would not need to filter on "pers" flag.
Possible Solution 2:
Fix personality so that it determines from the binary whether it was 32bit
or 64bit.
---------------
Problem 4:
Audit record does not indicate if a 32bit or a 64bit syscall was executed.
Because of this, you are unable to determine which syscall resulted in an
audit record.
For example, we cannot currently determine if a record with "syscall=2"
resulted from an __NR_open call (compiled 64bit) or a __NR_fork call
(compiled 32bit) because
From /usr/include/asm-i386/unistd.h:
#define __NR_fork 2
From /usr/include/asm-x86_64/unistd.h:
#define __NR_open 2
Possible Solution 1:
Modify /usr/include/asm-i386/unistd.h and /usr/include/asm-x86_64/unistd.h
so that the 32bit and the 64bit syscall number of any syscall are the same
number.
Possible Solution 2:
Fix 'pers' flag so that it can determine if it was a 32bit or 64bit
syscall. Currently 'pers' flag is included in the audit record if
'pers'!=0.
---------------
Problem 5:
Some syscalls are not defined in either unistd.h file. Therefore, auditctl
-t is not able to translate the syscall number to a syscall name. This is
a usability problem for administrators.
Possible Solution 1:
Add these other syscalls (found in Klaus' syscalltab file, but not in
unistd.h).
Possible Solution 2:
Include an additional header file containing these other syscalls (found in
Klaus' syscalltab file, but not in unistd.h) along with audit, so that
auditctl is able to translate those syscall numbers to name.
---------------
I don't know how feasible it is to change the <syscall name> to <syscall
number> mapping so that /usr/include/asm-i386/unistd.h and
/usr/include/asm-x86_64/unistd.h are in agreement with each other. But if
it is possible to change this, it could fix several of our problems.
-debbie
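As an added illustration of Possible Solution 2 for Problems 1, 2 and 4 (example code written for this page, not auditctl's own), here is a two-ABI syscall table in C with the lookups `auditctl -t` and `auditctl -a ... -S` would need, plus a check of what a record's bare `syscall=N` could mean. The table holds the numbers quoted in the message and a few other well-known i386/x86_64 entries; the function names and the idea of generating the tables from both unistd.h files are assumptions of this example.

```c
/* Added example (not code from the audit project): a syscall table that
 * carries both the i386 and the x86_64 numbering, with the lookups that
 * "Possible Solution 2" for Problems 1, 2 and 4 would need.  The entries
 * are the ones quoted in the message plus a few well-known numbers from
 * the two unistd.h files; a real tool would generate both tables. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum abi { ABI_I386 = 0, ABI_X86_64 = 1, ABI_COUNT = 2 };

struct sc_entry { int nr; const char *name; };

static const struct sc_entry i386_tab[] = {
    { 2, "fork" }, { 3, "read" }, { 4, "write" }, { 5, "open" },
    { 6, "close" }, { 11, "execve" },
};
static const struct sc_entry x86_64_tab[] = {
    { 0, "read" }, { 1, "write" }, { 2, "open" }, { 3, "close" },
    { 4, "stat" }, { 5, "fstat" }, { 57, "fork" }, { 59, "execve" },
};
static const struct { const struct sc_entry *tab; size_t n; const char *label; }
abis[ABI_COUNT] = {
    [ABI_I386]   = { i386_tab,   sizeof i386_tab   / sizeof *i386_tab,   "32bit" },
    [ABI_X86_64] = { x86_64_tab, sizeof x86_64_tab / sizeof *x86_64_tab, "64bit" },
};

/* Name of syscall `nr` under one ABI, or NULL if the table lacks it. */
const char *syscall_name(enum abi a, int nr)
{
    for (size_t i = 0; i < abis[a].n; i++)
        if (abis[a].tab[i].nr == nr)
            return abis[a].tab[i].name;
    return NULL;
}

/* Number of syscall `name` under one ABI, or -1 if the table lacks it. */
int syscall_number(enum abi a, const char *name)
{
    for (size_t i = 0; i < abis[a].n; i++)
        if (strcmp(abis[a].tab[i].name, name) == 0)
            return abis[a].tab[i].nr;
    return -1;
}

/* "auditctl -t <nr>" as proposed: write one "<label>: <name>" line per ABI
 * that defines `nr` into `out` and return how many ABIs did.  Two lines
 * with different names is exactly the ambiguity Problem 4 describes. */
int translate_both(int nr, char *out, size_t outlen)
{
    int found = 0;
    size_t used = 0;
    out[0] = '\0';
    for (int a = 0; a < ABI_COUNT; a++) {
        const char *name = syscall_name((enum abi)a, nr);
        if (!name)
            continue;
        int w = snprintf(out + used, outlen - used, "%s: %s\n", abis[a].label, name);
        if (w < 0 || (size_t)w >= outlen - used)
            break;
        used += (size_t)w;
        found++;
    }
    return found;
}

/* "auditctl -a ... -S <name>" covering both ABIs: fill nrs[] with the
 * number each ABI uses (-1 where the ABI has no such syscall) and return
 * how many rules that amounts to. */
int rule_numbers_for(const char *name, int nrs[ABI_COUNT])
{
    int count = 0;
    for (int a = 0; a < ABI_COUNT; a++) {
        nrs[a] = syscall_number((enum abi)a, name);
        if (nrs[a] >= 0)
            count++;
    }
    return count;
}

/* Given a record with no ABI indication (Problem 4), pull out the syscall=
 * field and list every name it could mean; -1 if the field is absent. */
int record_candidates(const char *record, char *out, size_t outlen)
{
    const char *p = strstr(record, "syscall=");
    if (!p)
        return -1;
    int nr = (int)strtol(p + strlen("syscall="), NULL, 10);
    return translate_both(nr, out, outlen);
}

int main(void)
{
    char buf[128];
    int n = translate_both(2, buf, sizeof buf);
    printf("syscall 2 is defined by %d ABI(s):\n%s", n, buf);
    return 0;
}
```

Until the record itself says which ABI issued the call, `record_candidates()` can only narrow a number down to a set of names; that is the gap Problem 3 and Problem 4 describe, and no amount of userspace table work closes it.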
audit-0.6.7 released
by Steve Grubb
Hello,
The next version of the audit daemon has been released. You can get it from:
http://people.redhat.com/sgrubb/audit/ or in rawhide tomorrow morning. This
release fixes a bug in setting the loginuid and adds a new feature.
There is now a configuration option num_files for auditd.conf. This lets you
specify how many logs you want the program to allow when it rotates them due
to their size. If you set it to 5, you will get audit.log to audit.log.4 in
the /var/logs directory.
The new release should be in rawhide tomorrow morning. Let me know if there
are any problems.
-Steve Grubb
BOF audit proposal to Linux Symposium is accepted
by Mounir Bsaibes
I have submitted a proposal for a BOF to describe the audit subsystem to
the Linux Symposium in
Ottawa which was accepted and I am about to submit (already late) the
following abstract:
The purpose of this BOF is to discuss the current implementation of the
audit subsystem. Based on the audit infrastructure developed by Rick Faith,
the current implementation added several functions to make the audit
compliant with the Common Criteria Controlled Access Protection Profile
(CAPP). For example, file system auditing was added, the audit context
structure was expanded, id inheritance was fixed, etc... In addition,
user-space programs and libraries have been re-written completing the CAPP
requirements as well as providing ease of use to the administrator. A
general description of the audit subsystem will start this BOF, followed by
how to configure the daemon, set the filtering rules and use the search
utilities. Time permitting, we'll share some experience and discuss future
development.
If anyone would like to cooperate in conducting this meeting and/or see
changes/additions to this abstract, please let me know as soon as you can.
The abstract was due today.
Mounir Bsaibes
Linux Security
Tel: (512) 838-1301
Cell: (512) 762-9957
Fax: (512) 838-8858
e-mail: bsaibes(a)us.ibm.com
Patch #6 as an attachment
by Timothy R. Chavez
Hello,
Some people are having problems applying patches by copying and pasting from
their mail client *cough* (we won't identify which mail client) *cough*. So,
I've decided to send the patch as an attachment as well.
-tim
audit 0.6.8 released
by Steve Grubb
Hi,
I have just released audit 0.6.8. The main change of this release is that
pam_loginuid has been removed. Since it has applications beyond whether or
not audit is installed on a system, it only makes sense to move it to pam.
This also removes the circular dependency of pam needing audit, audit needs
pam.
The first step is to grep around for pam_loginuid throughout your /etc/pam.d
directory. Either comment out the line with pam_loginuid or change it from
required to optional. If you get locked out of your machine, reboot to single
user mode and fix pam.
Then get the newest pam from rawhide (if you are a rawhide user) or wait until
David's yum repo has a new version of pam with the patch adding
pam_loginuid.so to it.
If you want to roll your own version of pam, I have put the patch on my
website that adds it back to pam. http://people.redhat.com/sgrubb/audit/ The
latest version of audit is at the same place.
-Steve Grubb
[PATCH] auditfsify the audit-0.6.7 userspace package
by Timothy R. Chavez
Hello,
This patch is updated for audit-0.6.7. The most notable change is the removal
of runtime enablement/disablement of the filesystem auditing mechanism.
Though I don't envision many more changes on my part, to the userspace
package, I have to reiterate that the mixed-spacing is atrocious and that we
should just "indent -i8 -kr" the entire audit userspace package so we can get
some normalcy going.
A patch for auditfs against linux-2.6.11 should follow suit. I just need to
do a little more testing of the newer logic.
Please note, it's probably best to patch with a separate audit-0.6.7 package
and ./configure it with an sbindir other than the one you used for your
original audit-0.6.7 install.
-tim
diff -Nurp audit-0.6.7/lib/libaudit.c auditfs-audit-0.6.7/lib/libaudit.c
--- audit-0.6.7/lib/libaudit.c 2005-03-09 12:11:39.000000000 -0600
+++ auditfs-audit-0.6.7/lib/libaudit.c 2005-03-14 00:29:58.000000000 -0600
@@ -200,6 +200,17 @@ uid_t audit_getloginuid(void)
return uid;
}
+/* req->namelen is used for kernel->user traffic only */
+int audit_insert_watch(int fd, struct audit_watch *req)
+{
+ return audit_send(fd, AUDIT_WATCH_INS, req, sizeof(*req));
+}
+
+int audit_remove_watch(int fd, struct audit_watch *req)
+{
+ return audit_send(fd, AUDIT_WATCH_REM, req, sizeof(*req));
+}
+
int audit_send_message(int fd, const char *message)
{
if (fd >= 0) {
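Review bot: audit_insert_watch() and audit_remove_watch() send `sizeof(*req)` bytes of a struct audit_watch whose `name` and `filterkey` members are userspace pointers, so the kernel receives two addresses rather than the strings; and the comment `/* req->namelen is used for kernel->user traffic only */` contradicts auditctl, which fills `namelen` in for the request. Marshal the two strings into the netlink payload after the fixed part (struct, then namelen + fklen bytes, checked against the 1200-byte `data` buffer of struct audit_message) so the request is self-contained and independent of the caller's pointer width, which matters for a 32-bit auditctl on x86_64.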
diff -Nurp audit-0.6.7/lib/libaudit.h auditfs-audit-0.6.7/lib/libaudit.h
--- audit-0.6.7/lib/libaudit.h 2005-03-08 12:56:09.000000000 -0600
+++ auditfs-audit-0.6.7/lib/libaudit.h 2005-03-14 00:32:50.000000000 -0600
@@ -45,6 +45,7 @@ struct audit_reply {
struct audit_status *status;
struct audit_rule *rule;
struct audit_login *login;
+ int watch;
const char *message;
struct nlmsgerr *error;
};
@@ -120,6 +121,11 @@ extern int audit_set_loginuid(uid_t uid
extern int audit_login_message(int fd, const char *arg);
extern int audit_logout_message(int fd, const char *arg);
+/* INSERT WATCH */
+extern int audit_insert_watch(int fd, struct audit_watch *req);
+/* REMOVE WATCH */
+extern int audit_remove_watch(int fd, struct audit_watch *req);
+
/* Rule-building helper functions */
extern struct audit_rule *audit_rule_alloc(void);
extern int audit_rule_syscall(struct audit_rule *rule, int syscall);
diff -Nurp audit-0.6.7/lib/netlink.c auditfs-audit-0.6.7/lib/netlink.c
--- audit-0.6.7/lib/netlink.c 2005-03-08 12:55:31.000000000 -0600
+++ auditfs-audit-0.6.7/lib/netlink.c 2005-03-14 00:32:31.000000000 -0600
@@ -124,6 +124,7 @@ static int adjust_reply(struct audit_rep
rep->type = rep->msg.nlh.nlmsg_type;
rep->len = rep->msg.nlh.nlmsg_len;
rep->nlh = &rep->msg.nlh;
+ rep->watch = 0;
rep->status = NULL;
rep->rule = NULL;
rep->message = NULL;
@@ -146,6 +147,10 @@ static int adjust_reply(struct audit_rep
case AUDIT_USER:
rep->message = NLMSG_DATA(rep->nlh);
break;
+ case AUDIT_WATCH_INS:
+ case AUDIT_WATCH_REM:
+ memcpy(&rep->watch, NLMSG_DATA(rep->nlh), sizeof(int));
+ break;
}
return len;
}
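Review bot: the AUDIT_WATCH_INS/AUDIT_WATCH_REM case copies sizeof(int) bytes from NLMSG_DATA(rep->nlh) without confirming the payload is that long, so a short or malformed reply reads past the message. Guard it with the length already stored two lines earlier, e.g. `if (rep->len >= NLMSG_LENGTH(sizeof(int)))` before the memcpy, and otherwise leave rep->watch at the 0 it was just initialised to or set an explicit error.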
diff -Nurp audit-0.6.7/linux/audit.h auditfs-audit-0.6.7/linux/audit.h
--- audit-0.6.7/linux/audit.h 1969-12-31 17:00:00.000000000 -0700
+++ auditfs-audit-0.6.7/linux/audit.h 2005-03-14 00:35:27.000000000 -0600
@@ -0,0 +1,268 @@
+/* audit.h -- Auditing support -*- linux-c -*-
+ *
+ * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Written by Rickard E. (Rik) Faith <faith(a)redhat.com>
+ *
+ */
+
+#ifndef _LINUX_AUDIT_H_
+#define _LINUX_AUDIT_H_
+
+#ifdef __KERNEL__
+#include <linux/list.h>
+#include <linux/spinlock.h>
+#include <asm/atomic.h>
+#endif
+
+/* Request and reply types */
+#define AUDIT_GET 1000 /* Get status */
+#define AUDIT_SET 1001 /* Set status (enable/disable/auditd) */
+#define AUDIT_LIST 1002 /* List filtering rules */
+#define AUDIT_ADD 1003 /* Add filtering rule */
+#define AUDIT_DEL 1004 /* Delete filtering rule */
+#define AUDIT_USER 1005 /* Send a message from user-space */
+#define AUDIT_LOGIN 1006 /* Define the login id and information */
+#define AUDIT_WATCH_INS 1007 /* Insert file/dir watch entry */
+#define AUDIT_WATCH_REM 1008 /* Remove file/dir watch entry */
+#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
+
+/* Rule flags */
+#define AUDIT_PER_TASK 0x01 /* Apply rule at task creation (not syscall) */
+#define AUDIT_AT_ENTRY 0x02 /* Apply rule at syscall entry */
+#define AUDIT_AT_EXIT 0x04 /* Apply rule at syscall exit */
+#define AUDIT_PREPEND 0x10 /* Prepend to front of list */
+
+/* Rule actions */
+#define AUDIT_NEVER 0 /* Do not build context if rule matches */
+#define AUDIT_POSSIBLE 1 /* Build context if rule matches */
+#define AUDIT_ALWAYS 2 /* Generate audit record if rule matches */
+
+/* Rule structure sizes -- if these change, different AUDIT_ADD and
+ * AUDIT_LIST commands must be implemented. */
+#define AUDIT_MAX_FIELDS 64
+#define AUDIT_BITMASK_SIZE 64
+#define AUDIT_WORD(nr) ((__u32)((nr)/32))
+#define AUDIT_BIT(nr) (1 << ((nr) - AUDIT_WORD(nr)*32))
+
+/* Rule fields */
+ /* These are useful when checking the
+ * task structure at task creation time
+ * (AUDIT_PER_TASK). */
+#define AUDIT_PID 0
+#define AUDIT_UID 1
+#define AUDIT_EUID 2
+#define AUDIT_SUID 3
+#define AUDIT_FSUID 4
+#define AUDIT_GID 5
+#define AUDIT_EGID 6
+#define AUDIT_SGID 7
+#define AUDIT_FSGID 8
+#define AUDIT_LOGINUID 9
+#define AUDIT_PERS 10
+
+ /* These are ONLY useful when checking
+ * at syscall exit time (AUDIT_AT_EXIT). */
+#define AUDIT_DEVMAJOR 100
+#define AUDIT_DEVMINOR 101
+#define AUDIT_INODE 102
+#define AUDIT_EXIT 103
+#define AUDIT_SUCCESS 104 /* exit >= 0; value ignored */
+
+#define AUDIT_ARG0 200
+#define AUDIT_ARG1 (AUDIT_ARG0+1)
+#define AUDIT_ARG2 (AUDIT_ARG0+2)
+#define AUDIT_ARG3 (AUDIT_ARG0+3)
+
+#define AUDIT_NEGATE 0x80000000
+
+
+/* Status symbols */
+ /* Mask values */
+#define AUDIT_STATUS_ENABLED 0x0001
+#define AUDIT_STATUS_FAILURE 0x0002
+#define AUDIT_STATUS_PID 0x0004
+#define AUDIT_STATUS_RATE_LIMIT 0x0008
+#define AUDIT_STATUS_BACKLOG_LIMIT 0x0010
+
+ /* Failure-to-log actions */
+#define AUDIT_FAIL_SILENT 0
+#define AUDIT_FAIL_PRINTK 1
+#define AUDIT_FAIL_PANIC 2
+
+/* 32 byte max key size */
+#define AUDIT_FILTERKEY_MAX 32
+
+#ifndef __KERNEL__
+struct audit_message {
+ struct nlmsghdr nlh;
+ char data[1200];
+};
+#endif
+
+struct audit_status {
+ __u32 mask; /* Bit mask for valid entries */
+ __u32 enabled; /* 1 = enabled, 0 = disbaled */
+ __u32 failure; /* Failure-to-log action */
+ __u32 pid; /* pid of auditd process */
+ __u32 rate_limit; /* messages rate limit (per second) */
+ __u32 backlog_limit; /* waiting messages limit */
+ __u32 lost; /* messages lost */
+ __u32 backlog; /* messages waiting in queue */
+};
+
+struct audit_rule { /* for AUDIT_LIST, AUDIT_ADD, and AUDIT_DEL */
+ __u32 flags; /* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */
+ __u32 action; /* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */
+ __u32 field_count;
+ __u32 mask[AUDIT_BITMASK_SIZE];
+ __u32 fields[AUDIT_MAX_FIELDS];
+ __u32 values[AUDIT_MAX_FIELDS];
+};
+
+struct audit_watch {
+ int namelen;
+ int fklen;
+ char *name;
+ char *filterkey;
+ __u32 perms;
+};
+
+#ifdef __KERNEL__
+
+struct audit_data {
+ struct audit_wentry *wentry;
+ struct list_head watchlist;
+ rwlock_t watchlist_lock;
+ struct list_head link;
+};
+
+struct audit_wentry {
+ struct list_head w_list;
+ atomic_t w_count;
+ struct audit_watch *w_watch;
+ unsigned int w_valid;
+ unsigned int w_cached;
+
+};
+
+#ifdef CONFIG_AUDIT
+struct audit_buffer;
+struct audit_context;
+#endif
+
+#ifdef CONFIG_AUDITSYSCALL
+/* These are defined in auditsc.c */
+ /* Public API */
+extern int audit_alloc(struct task_struct *task);
+extern void audit_free(struct task_struct *task);
+extern void audit_syscall_entry(struct task_struct *task,
+ int major, unsigned long a0, unsigned long a1,
+ unsigned long a2, unsigned long a3);
+extern void audit_syscall_exit(struct task_struct *task, int return_code);
+extern void audit_getname(const char *name);
+extern void audit_putname(const char *name);
+extern void audit_inode(const char *name, unsigned long ino, dev_t rdev);
+
+ /* Private API (for audit.c only) */
+extern int audit_receive_filter(int type, int pid, int uid, int seq,
+ void *data);
+extern void audit_get_stamp(struct audit_context *ctx,
+ struct timespec *t, int *serial);
+extern int audit_set_loginuid(struct audit_context *ctx, uid_t loginuid);
+extern uid_t audit_get_loginuid(struct audit_context *ctx);
+#ifdef CONFIG_AUDITFILESYSTEM
+extern int audit_notify_watch(struct inode *inode, int mask);
+#else
+#define audit_notify_watch(i,m) ({ 0; })
+#endif
+#else
+#define audit_alloc(t) ({ 0; })
+#define audit_free(t) do { ; } while (0)
+#define audit_syscall_entry(t,a,b,c,d,e) do { ; } while (0)
+#define audit_syscall_exit(t,r) do { ; } while (0)
+#define audit_getname(n) do { ; } while (0)
+#define audit_putname(n) do { ; } while (0)
+#define audit_inode(n,i,d) do { ; } while (0)
+#define audit_get_loginuid(c) ({ -1; })
+#define audit_notify_watch(i,m) ({ 0; })
+#endif
+
+#ifdef CONFIG_AUDITFILESYSTEM
+extern void audit_receive_watch(int type, int pid, int uid, int seq,
+ struct audit_watch *req);
+extern int audit_filesystem_init(void);
+extern void audit_inode_alloc(struct inode *inode);
+extern void audit_inode_free(struct inode *inode);
+extern void audit_watch(struct dentry *dentry, int remove);
+extern void audit_wentry_put(struct audit_wentry *wentry);
+extern struct audit_wentry *audit_wentry_get(struct audit_wentry *wentry);
+#else
+#define audit_receive_watch(t,p,u,s,r) ({ -EOPNOTSUPP; })
+#define audit_filesystem_init() ({ 0; })
+#define audit_inode_alloc(i) do { ; } while(0)
+#define audit_inode_free(i) do { ; } while(0)
+#define audit_watch(d,r) do { ; } while (0)
+#define audit_watch_put(w) do { ; } while(0)
+#define audit_watch_get(w) ({ 0; })
+#endif
+
+#ifdef CONFIG_AUDIT
+/* These are defined in audit.c */
+ /* Public API */
+extern void audit_log(struct audit_context *ctx,
+ const char *fmt, ...)
+ __attribute__((format(printf,2,3)));
+
+extern struct audit_buffer *audit_log_start(struct audit_context *ctx);
+extern void audit_log_format(struct audit_buffer *ab,
+ const char *fmt, ...)
+ __attribute__((format(printf,2,3)));
+extern void audit_log_end(struct audit_buffer *ab);
+extern void audit_log_end_fast(struct audit_buffer *ab);
+extern void audit_log_end_irq(struct audit_buffer *ab);
+extern void audit_log_d_path(struct audit_buffer *ab,
+ const char *prefix,
+ struct dentry *dentry,
+ struct vfsmount *vfsmnt);
+extern int audit_set_rate_limit(int limit);
+extern int audit_set_backlog_limit(int limit);
+extern int audit_set_enabled(int state);
+extern int audit_set_failure(int state);
+
+ /* Private API (for auditsc.c only) */
+extern void audit_send_reply(int pid, int seq, int type,
+ int done, int multi,
+ void *payload, int size);
+extern void audit_log_lost(const char *message);
+#else
+#define audit_log(t,f,...) do { ; } while (0)
+#define audit_log_start(t) ({ NULL; })
+#define audit_log_vformat(b,f,a) do { ; } while (0)
+#define audit_log_format(b,f,...) do { ; } while (0)
+#define audit_log_end(b) do { ; } while (0)
+#define audit_log_end_fast(b) do { ; } while (0)
+#define audit_log_end_irq(b) do { ; } while (0)
+#define audit_log_d_path(b,p,d,v) do { ; } while (0)
+#define audit_set_rate_limit(l) do { ; } while (0)
+#define audit_set_backlog_limit(l) do { ; } while (0)
+#define audit_set_enabled(s) do { ; } while (0)
+#define audit_set_failure(s) do { ; } while (0)
+#endif
+#endif
+#endif
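Review bot: the !CONFIG_AUDITFILESYSTEM stubs do not match the prototypes above them: the real functions are audit_wentry_put()/audit_wentry_get(), but the stubs define audit_watch_put()/audit_watch_get(), so a build without filesystem auditing that calls audit_wentry_get() fails to link; and audit_receive_watch() is declared `void` while its stub evaluates to `({ -EOPNOTSUPP; })`. Rename the two stubs and make the stub and prototype of audit_receive_watch() agree on a return type. Separately, struct audit_watch is shared with userspace but carries two `char *` members, so its size and layout differ between 32-bit and 64-bit callers; a pair of __u32 lengths with the strings appended to the message would give a stable ABI for both.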
diff -Nurp audit-0.6.7/src/auditctl.c auditfs-audit-0.6.7/src/auditctl.c
--- audit-0.6.7/src/auditctl.c 2005-03-14 00:45:01.000000000 -0600
+++ auditfs-audit-0.6.7/src/auditctl.c 2005-03-14 00:39:49.000000000 -0600
@@ -49,6 +49,14 @@
*/
#define LINE_SIZE 1600
+#define WATCH_MAY_EXEC 1
+#define WATCH_MAY_WRITE 2
+#define WATCH_MAY_READ 4
+#define WATCH_MAY_APPEND 8
+
+#define WATCH_NAME 1
+#define WATCH_FILTERKEY 2
+#define WATCH_PERMS 3
/* Global functions */
static int handle_request(int status);
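Review bot: WATCH_MAY_EXEC/WRITE/READ/APPEND are defined privately in auditctl.c, yet they are the bit values the kernel will interpret in `perms`, and nothing in the new linux/audit.h defines them. Move the four definitions next to struct audit_watch in the shared header so the two sides cannot drift apart; the three WATCH_NAME/FILTERKEY/PERMS selectors are purely local and can stay here.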
@@ -61,7 +69,9 @@ static int fd = -1;
static int list_requested = 0;
static int syscalladded = 0;
static int add = 0, del = 0, action = 0;
+static int ins = 0, rem = 0;
static struct audit_rule rule;
+static struct audit_watch watch;
/*
* This function will reset everything used for each loop when loading
@@ -73,8 +83,11 @@ static int reset_vars(void)
syscalladded = 0;
add = 0;
del = 0;
+ ins = 0;
+ rem = 0;
action = 0;
memset(&rule, 0, sizeof(rule));
+ memset(&watch, 0, sizeof(watch));
if ((fd = audit_open()) < 0) {
fprintf(stderr, "Cannot open netlink audit socket\n");
return 1;
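Review bot: `memset(&watch, 0, sizeof(watch))` in reset_vars() discards the `name` and `filterkey` buffers that audit_watch_setup() malloc()s, so every line processed from a rules file (-R) leaks them. Add `free(watch.name); free(watch.filterkey);` before the memset.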
@@ -104,6 +117,11 @@ static void usage(void)
" -s Report status\n"
" -S syscall Build rule: syscall name or number\n"
" -t <syscall> Translate syscall number to syscall name\n"
+ " -w <path> Insert watch at <path>\n"
+ " -W <path> Remove watch at <path>\n"
+ " -p [r|w|e|a] Set permissions filter on watch:\n"
+ " r=read, w=write, e=execute, a=append\n"
+ " -k <key> Set filterkey on watch\n"
);
}
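Review bot: the usage text does not say that `-p` and `-k` are accepted only after `-w` (setopt() rejects them otherwise), nor that `-p` takes any combination of the four letters rather than one of them; say so here, e.g. `-p [r|w|e|a] Set permissions filter on watch (any combination; use with -w)`.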
@@ -128,6 +146,84 @@ static int audit_rule_setup(const char *
return 0;
}
+/* Setup a watch. The "name" of the watch in userspace will be the <path> to
+ * the watch. When this potential watch reaches the kernel, it will resolve
+ * down to <name> (of terminating file or directory).
+ */
+static int audit_watch_setup(int type, struct audit_watch *req,
+ const char *opt)
+{
+ int i;
+ int ret = 0;
+
+ if (!opt)
+ goto audit_watch_setup_exit;
+
+ switch (type) {
+ case WATCH_NAME:
+ if (!req->name && opt) {
+ req->namelen = strlen(opt) + 1;
+ req->name = (char *) malloc(req->namelen);
+ if (!req->name)
+ goto audit_watch_setup_exit;
+ strcpy(req->name, opt);
+ ret = 1;
+ }
+ break;
+ case WATCH_FILTERKEY:
+ if (!req->filterkey && opt) {
+ req->fklen = strlen(opt) + 1;
+ req->filterkey = (char *) malloc(req->fklen);
+ if (!req->filterkey)
+ goto audit_watch_setup_exit;
+ strcpy(req->filterkey, opt);
+ ret = 1;
+ }
+ break;
+ case WATCH_PERMS:
+ if (strlen(opt) > 4)
+ goto audit_watch_setup_exit;
+
+ for (i = 0; i < strlen(opt); i++) {
+ switch (opt[i]) {
+ case 'r':
+ if (!(req->perms & WATCH_MAY_READ))
+ req->perms |= WATCH_MAY_READ;
+ else
+ goto audit_watch_setup_exit;
+ break;
+ case 'w':
+ if (!(req->perms & WATCH_MAY_WRITE))
+ req->perms |= WATCH_MAY_WRITE;
+ else
+ goto audit_watch_setup_exit;
+ break;
+ case 'e':
+ if (!(req->perms & WATCH_MAY_EXEC))
+ req->perms |= WATCH_MAY_EXEC;
+ else
+ goto audit_watch_setup_exit;
+ break;
+ case 'a':
+ if (!(req->perms & WATCH_MAY_APPEND))
+ req->perms |= WATCH_MAY_APPEND;
+ else
+ goto audit_watch_setup_exit;
+ break;
+ default:
+ goto audit_watch_setup_exit;
+ }
+ }
+
+ ret = 1;
+
+ default:
+ break;
+ }
+audit_watch_setup_exit:
+ return ret;
+}
+
/*
* returns: < 0 error - noreply, 0 success - reply, > 0 success - rule
*/
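Review bot: the WATCH_FILTERKEY case in audit_watch_setup() accepts a key of any length even though linux/audit.h sets AUDIT_FILTERKEY_MAX to 32; reject `strlen(opt) + 1 > AUDIT_FILTERKEY_MAX` here with a message instead of leaving it to the kernel. Two smaller points in the same function: the WATCH_PERMS case sets `ret = 1;` and then falls through into `default:` (harmless today, but add a `break;`), and on malloc() failure the function returns 0 without saying why, so setopt() prints usage() instead of an out-of-memory error.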
@@ -138,8 +234,8 @@ static int setopt(int count, char *vars[
optind = 0;
opterr = 0;
- while ((c = getopt(count, vars, "hslDe:f:r:b:a:A:d:S:F:m:t:R:")) != EOF
&&
- retval != -1) {
+ while ((c = getopt(count, vars,
"hslDf:e:E:r:b:a:A:d:S:F:m:t:R:W:w:k:p:"))
+ != EOF && retval != -1) {
switch (c) {
case 'h':
usage();
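Review bot: the new getopt string adds `E:` (and swaps `e:f:` to `f:e:`), but no `case 'E'` appears anywhere in this patch, so `-E` would be accepted by getopt only to land in the `default:` usage() branch. Either drop `E:` from the string or include the handler it belongs to; unrelated option changes are easier to review as their own patch.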
@@ -291,6 +387,38 @@ static int setopt(int count, char *vars[
case 'D':
retval = delete_all_rules();
break;
+ case 'W':
+ if (audit_watch_setup(WATCH_NAME, &watch, optarg))
+ rem = retval = 1;
+ else {
+ usage();
+ retval = -1;
+ }
+ break;
+ case 'w':
+ if (audit_watch_setup(WATCH_NAME, &watch, optarg))
+ ins = retval = 1;
+ else {
+ usage();
+ retval = -1;
+ }
+ break;
+ case 'k':
+ if (ins && audit_watch_setup(WATCH_FILTERKEY, &watch, optarg))
+ retval = 1;
+ else {
+ usage();
+ retval = -1;
+ }
+ break;
+ case 'p':
+ if (ins && audit_watch_setup(WATCH_PERMS, &watch, optarg))
+ retval = 1;
+ else {
+ usage();
+ retval = -1;
+ }
+ break;
default:
usage();
retval = -1;
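Review bot: the `-k` and `-p` cases require `ins` to be set already, so the options are order-dependent: `auditctl -p rw -w /etc/shadow` prints usage() while `auditctl -w /etc/shadow -p rw` works. Record the key and perms unconditionally and validate the combination once in handle_request(), which is also the place to reject `-W` combined with `-k` or `-p` with a clear message rather than the generic usage() text.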
@@ -458,6 +586,10 @@ static int handle_request(int status)
rc = audit_add_rule(fd, &rule, add, action);
else if (del & 0x07)
rc = audit_delete_rule(fd, &rule, del, action);
+ else if (ins && !rem)
+ rc = audit_insert_watch(fd, &watch);
+ else if (rem && !ins)
+ rc = audit_remove_watch(fd, &watch);
else {
usage();
audit_close(fd);
@@ -577,6 +709,18 @@ static int audit_print_reply(struct audi
}
printf("\n");
return 1; /* get more messages, until NLMSG_DONE */
+ case AUDIT_WATCH_INS:
+ if (rep->watch < 0)
+ printf("AUDIT_WATCH : INSERT : %s\n", strerror(-(rep->watch)));
+ else
+ printf("AUDIT_WATCH : INSERT : SUCCESS\n");
+ return 0;
+ case AUDIT_WATCH_REM:
+ if (rep->watch < 0)
+ printf("AUDIT_WATCH : REMOVE : %s\n", strerror(-(rep->watch)));
+ else
+ printf("AUDIT_WATCH : REMOVE : SUCCESS\n");
+ return 0;
default:
printf("Unknown: type=%d, len=%d\n", rep->type, rep->nlh->nlmsg_len);
return 0;
dev information for open, exec?
by Erich Schubert
Hi,
the dev= field of auditd information seems to be missing for open,
exec syscalls.
Is there a reason why this information is not available?
(I'd like to filter out all open calls on /proc...)
The log lines I get look like the following:
type=KERNEL msg=audit(1109035917.261:14548): item=0
name=/usr/share/locale/de/LC_MESSAGES/coreutils.mo inode=852010
dev=00:00
and the dev=00:00 value is bogus; I never get a different value.
I'm currently trying to use auditd to obtain an optimized "readahead"
file list for speeding up system boot. I had this idea some months
ago; maybe I should check recent boot speedup developments... ;-)
Greetings,
Erich Schubert
--
erich(a)(mucl.de|debian.org) -- GPG Key ID: 4B3A135C (o_
To understand recursion you first need to understand recursion. //\
Where friendly paths run together, the whole world looks for an V_/_
hour like a home. --- Hermann Hesse