Kernel handling of path length
by Loulwa Salem
Hello,
My test case is testing the following:
attempt to insert a watch on a path with strlen() = 4095.
My test case is expecting this to pass ...
but here is what I get:
DEBUG PRINT: Expected path length = 4095: Actual is 4095 (Not counting terminating null)
Starting auditd: [ OK ]
Error sending watch insert request (File name too long)
Error sending watch to kernel
Fail - auditctl command returns 255
FAIL : Path length =PATH_MAX(without null) generated error
I thought the kernel should allow a watch to be inserted ... Is the
above a correct behavior?
- Loulwa
19 years, 5 months
audit.74 kernel
by David Woodhouse
* Thu Jun 30 2005 David Woodhouse <dwmw2(a)redhat.com> audit.74
- Really don't audit auditd. For real this time. Honest.
--
dwmw2
19 years, 5 months
audit_backlog_limit messages
by Debora Velarde
(decided it was best to move this discussion to the list)
We're hitting a system hang that repeatedly displays this to the terminal:
audit: audit_backlog=258 > audit_backlog_limit=256
audit: audit_lost=58 audit_rate_limit=0 audit_backlog_limit=256
audit: audit_backlog_limit exceeded
The systems (we're seeing it on multiple platforms) were running simple
testcases that used this audit rule:
auditctl -a exit,always -F auid=<tester_auid>
I was able to reproduce the hang on my system. Here's some info about my
environment before running the test:
# auditctl -s
AUDIT_STATUS: enabled=1 flag=1 pid=1143 rate_limit=0 backlog_limit=256
lost=0 backlog=0
auditctl version 0.9.14
Linux 2.6.9-11.EL.audit.71 SMP ppc64
Steve Grubb <sgrubb(a)redhat.com> wrote on 06/29/2005 09:03:34 AM:
> On Tuesday 28 June 2005 18:53, Debora Velarde wrote:
> > Is 'auditctl -a exit,always -F auid=<tester_auid>' not a reasonable
> > filter rule, and therefore we shouldn't worry about this?
> This is a reasonable rule. However, I don't know anything else about your
> environment. What do you have for flush? How big is your backlog queue?
> These matter more than the rule.
19 years, 5 months
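The three console lines above and the `auditctl -s` status line are what an operator has to work from when the backlog fills up. As an added example (not code from this list or from the audit project), here is a small Python monitor that parses those lines into the queue counters, records when the kernel reported the limit exceeded, and turns a status line into findings; the `warn_ratio` threshold and the finding wording are assumptions of the example, and the failure-flag meanings (0 silent, 1 printk, 2 panic) are the kernel's documented ones rather than anything stated in the message:

```python
import re

# Constructed sample input: the three console lines quoted in the message
# above, plus one `auditctl -s` status line, so the check runs offline.
KERNEL_MESSAGES = [
    "audit: audit_backlog=258 > audit_backlog_limit=256",
    "audit: audit_lost=58 audit_rate_limit=0 audit_backlog_limit=256",
    "audit: audit_backlog_limit exceeded",
]
STATUS_LINE = ("AUDIT_STATUS: enabled=1 flag=1 pid=1143 rate_limit=0 "
               "backlog_limit=256 lost=0 backlog=0")

# The kernel's failure flag: what happens when an event cannot be queued.
FAILURE_FLAGS = {0: "silent", 1: "printk", 2: "panic"}

_KV_RE = re.compile(r"(\w+)=(\d+)")


def parse_kv(line):
    """Collect every key=<integer> pair on one console or status line."""
    return {key: int(value) for key, value in _KV_RE.findall(line)}


def summarise_kernel_messages(lines):
    """Fold a run of 'audit: ...' console lines into one view of queue health."""
    state = {"backlog": None, "backlog_limit": None, "lost": None,
             "limit_exceeded": False}
    for line in lines:
        if not line.startswith("audit:"):
            continue
        kv = parse_kv(line)
        if "audit_backlog" in kv:
            state["backlog"] = kv["audit_backlog"]
        if "audit_backlog_limit" in kv:
            state["backlog_limit"] = kv["audit_backlog_limit"]
        if "audit_lost" in kv:
            state["lost"] = kv["audit_lost"]
        if "audit_backlog_limit exceeded" in line:
            state["limit_exceeded"] = True
    return state


def check_status(status_line, warn_ratio=0.8):
    """Turn one `auditctl -s` line into findings a monitor can alert on.

    warn_ratio is an assumed threshold of this example: flag a backlog that
    has reached this fraction of backlog_limit before the kernel starts
    dropping (and counting as lost) events.
    """
    kv = parse_kv(status_line)
    findings = []
    if kv.get("enabled") != 1:
        findings.append("auditing is not enabled")
    if kv.get("lost", 0) > 0:
        findings.append("%d events lost" % kv["lost"])
    limit = kv.get("backlog_limit", 0)
    backlog = kv.get("backlog", 0)
    if limit and backlog >= warn_ratio * limit:
        findings.append("backlog %d is at %d%% of limit %d"
                        % (backlog, 100 * backlog // limit, limit))
    return {"failure_mode": FAILURE_FLAGS.get(kv.get("flag"), "unknown"),
            "findings": findings}


if __name__ == "__main__":
    print(summarise_kernel_messages(KERNEL_MESSAGES))
    print(check_status(STATUS_LINE))
```

Run against the sample, the kernel lines summarise to a backlog of 258 against a limit of 256 with 58 events already lost, while the pre-test status line is clean (failure mode printk, no findings). A lost count that only ever grows is the signal that the rule set, flush setting or backlog size needs revisiting, which is what the reply above is asking about.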
audit.73 kernel
by David Woodhouse
* Fri Jun 24 2005 David Woodhouse <dwmw2(a)redhat.com> audit.73
- Quit waiting for backlog to clear once audit_panic() is called
- Add debugging to capture auditd getting audited.
Yeah, I keep forgetting to set the dates in the changelogs.
--
dwmw2
19 years, 5 months
deadlock/hang
by Steve Grubb
Hello,
I am testing the .72 kernel and seem to have run into a new problem. I wrote a
test script that inserted 150 syscall rules & deleted them over & over, ran
another script that listed them over and over, the enabler script, and the
trusty old fs-torture script.
Anything related to netlink hung. Everything else seemed to be fine. I was
able to open new terminals, but su would fail. auditctl -l would hang. There
was no disk activity, so auditd must be hung.
There were no messages in syslog indicating a problem. Eventually everything
stopped responding (including the caps lock key) and I had to hit the reset
button.
-Steve
19 years, 5 months
Machine readable ausearch output
by John D. Ramsdell
Steve,
It was nice to meet you. Since we met, I installed FC4 and have been
playing with parts of the audit system, especially with ausearch.
As you know, a modified version of strace currently provides input for
our policy generation tool, however, once the audit system provides
better descriptions and security context information in its syscall
event records, we hope to be able to switch to ausearch as our source
of input.
One difficulty with using strace is that its output was designed to be
human readable at the expense of being difficult for a machine to read.
I would like to see an output mode added to ausearch designed to be
easily read by programs, and I am willing to contribute the code that
implements this mode.
There are many choices available for machine readable output. Let me
list four.
Since our programs are written in Python, the simplest syntax for us
is to write each record as a Python dictionary. If need be, a value
associated with a key in a record may also be a dictionary. If each
record is preceded by the string "aurec(" and ended by ")", a Python
program intended to consume the output simply provides a definition
for aurec, and then performs an execfile on the output generated by
ausearch. The execfile will cause aurec to be called with each record
as its argument.
For Python, the record:
time->Mon Jun 20 09:28:51 2005
type=SYSCALL msg=audit(1119274131.024:13634907): arch=40000003 syscall=6 success=yes exit=0 a0=3 a1=bf968e8a a2=bf968e8a a3=bf968f28 items=0 pid=9408 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="autrace" exe="/sbin/autrace"
would appear as:
aurec({'time':'Mon Jun 20 09:28:51 2005',
'type':'SYSCALL',
'msg':{'audit':'1119274131.024:13634907',
'arch':40000003,
'syscall':6,
...
'exec':'/sbin/autrace'}})
While the Python solution is easy, it leaves users of other languages
in the cold. At the other extreme, we could use XML syntax, as most
systems have an XML parser. The trouble with XML is that it is too
verbose and hard to read. Surely there must be an intermediate
solution.
JSON (JavaScript Object Notation) is a lightweight data-interchange
format <http://www.json.org>. It is easy for humans to read and write,
and it is easy for machines to parse and generate. An advantage of
JSON is that parsers and printers for many languages are available now.
The example written in JSON looks like:
{"time":"Mon Jun 20 09:28:51 2005",
"type":"SYSCALL",
"msg":{"audit":"1119274131.024:13634907",
"arch":40000003,
"syscall":6,
...
"exec":"/sbin/autrace"}}
In JSON, it's kind of a pain that every string must be quoted. My
final suggestion for machine readable syntax is to use an ausearch
specific one, based on JSON. Whenever a string contains either a C
identifier or a number, I suggest we allow it to appear unquoted.
With this change, the example is quite readable, something like:
{time:"Mon Jun 20 09:28:51 2005",
type:SYSCALL,
msg:{audit:"1119274131.024:13634907",
arch:40000003,
syscall:6,
...
exec:"/sbin/autrace"}}
I hope this message inspires more ideas on this topic.
John
19 years, 5 months
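The message sketches two of its output modes (the `aurec(...)` Python form and the JSON form) around one sample record. As an added example, not code from the list or from the audit project, the following Python converts that sample record into the nested layout shown above and emits both forms, plus the consumer side of the Python scheme. It keeps the field names exactly as they appear in the record (so `exe`, where the message's sketch wrote `exec`), follows the sketch's rule of printing decimal-looking values as numbers (which, as in the sketch, also turns the hex `arch=40000003` into an integer), and uses `exec` as the Python 3 stand-in for the `execfile` the message mentions; the helper names are the example's own.

```python
import json
import re
import shlex

# Constructed sample input: the two-line ausearch record quoted in the message above.
SAMPLE_RECORD = """\
time->Mon Jun 20 09:28:51 2005
type=SYSCALL msg=audit(1119274131.024:13634907): arch=40000003 syscall=6 success=yes exit=0 a0=3 a1=bf968e8a a2=bf968e8a a3=bf968f28 items=0 pid=9408 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="autrace" exe="/sbin/autrace"
"""

# Header of the type= line: type, the audit(timestamp:serial) stamp, then the fields.
_HEADER_RE = re.compile(r"^type=(\S+)\s+msg=audit\(([^)]+)\):\s*(.*)$")


def _coerce(value):
    """Follow the sketch: decimal digit strings become ints; hex values such as
    a1=bf968e8a and words such as success=yes stay strings.  This also turns the
    hex arch=40000003 into an int, exactly as the sketch's example does."""
    return int(value) if value.isdigit() else value


def _parse_fields(text):
    """Split 'k=v k="quoted v"' into a dict; shlex honours the double quotes."""
    fields = {}
    for token in shlex.split(text):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = _coerce(value)
    return fields


def parse_record(text):
    """Parse one ausearch record (time-> line plus type= line) into the nested dict."""
    record, msg = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("time->"):
            record["time"] = line[len("time->"):]
            continue
        m = _HEADER_RE.match(line)
        if m is None:
            raise ValueError("unrecognised record line: %r" % line)
        record["type"] = m.group(1)
        msg["audit"] = m.group(2)
        msg.update(_parse_fields(m.group(3)))
    record["msg"] = msg
    return record


def to_json(record):
    """JSON form of the record, the second option in the message."""
    return json.dumps(record)


def roundtrip_json(record):
    """What a JSON consumer in any language would get back."""
    return json.loads(to_json(record))


def to_python(record):
    """Python form: the record literal wrapped in aurec(...), the first option."""
    return "aurec(%r)\n" % (record,)


def consume_python_output(source):
    """Consumer side of the Python scheme: bind aurec, then execute the text
    ausearch would have produced (exec replaces the Python 2 execfile)."""
    seen = []
    exec(source, {"aurec": seen.append})
    return seen


if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    print(to_python(rec))
    print(to_json(rec))
```

One difference between the two modes is worth keeping in mind when choosing: the JSON consumer treats the output purely as data, whereas the `aurec` consumer executes whatever the producer emitted, so it is only as safe as the producer's escaping of every value (here `repr` does that correctly). For output that crosses a trust boundary, for example records collected from many hosts, the data-only parser is the more defensible choice.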
audit-0.9.15 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
tomorrow. The Changelog is:
- Update log rotation handling to be more robust
This update only changes log rotation error patch code in some cases. It also
documents likely failure scenarios in the code. Please let me know if there
are any problems.
-Steve
19 years, 6 months
audit.71 kernel
by David Woodhouse
Chris forwarded a patch for a netlink bug which could possibly be
causing the hang on 64-bit machines.
* Fri Jun 24 2005 David Woodhouse <dwmw2(a)redhat.com> audit.71
- Reduce loglevel of audit messages to KERN_NOTICE
- Netlink hashing fix forwarded by Chris
--
dwmw2
19 years, 6 months
System hangs using audit-0.9.9 (and few versions before)
by Loulwa Salem
I had a problem with the system hanging while running a test case that
exercises the boundary limits on path name and file name while inserting
watches. This seemed to only occur on SMP machines. I also tried the
test case on audit (0.9.4 -> 0.9.9) and it seemed to break on all those
versions regardless of the kernel version running.
The system hung when attempting to stop audit after trying to insert a
watch on a long filename (> NAME_MAX).
With audit 0.9.10 (and the latest kernel.65) the problem seemed to just
go away.. I am not sure what changed in the code to fix it ... but I
thought it would be good to report it in case someone encounters a
similar problem again ... also it would be nice if we know what happened
to fix it .. or break it in the first place ...
Thanks to Klaus for helping narrow the problem down.
To reproduce :
# /sbin/auditctl -w /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -k good-key
>> The base name of the path is too big
# /etc/init.d/auditd restart
>> Stopping auditd: [ OK ]
>> Starting auditd: [ OK ]
# /sbin/auditctl -w /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -k good-key
>> The base name of the path is too big
# /etc/init.d/auditd restart
>> Stopping auditd: [ OK ]
------ IT hangs here -------
-loulwa
19 years, 6 months
audit 0.9.14 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
tomorrow. The Changelog is:
- make auditctl -s work again
- make AUDITD_CLEAN_STOP test in init scripts case insensitive
This is a bug fix release. Please let me know if there are any problems.
Thanks,
-Steve
19 years, 6 months