audit.65 kernel
by David Woodhouse
Uploading now with the patch that Tim sent...
* Mon Jun 20 2005 David Woodhouse <dwmw2(a)redhat.com> audit.65
- List watches from a kernel thread too
--
dwmw2
audit 0.9.10 released
by Steve Grubb
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
tomorrow. The Changelog is:
- Make sure the bad packet is drained when retrying user messages
- Add support for new user and watch filter lists
- Interpret flags field in ausearch
I think this finally fixes the problems that were found by Fedora users
regarding login. The last part of the problem was to drain the kernel reply
before retrying the message.
Please let me know if there are any problems.
-Steve
audit.63 kernel.
by David Woodhouse
Linus has released 2.6.12 and subsequently merged a large batch of audit
patches, so I've re-ordered the patches in the RPM again accordingly.
There's now very little which isn't in the "Linus has this already"
section.
I've done the patch which waits for the backlog to clear in audit.63 with
no other changes in case it's problematic and we want to drop back to
audit.62. I think that Tim and I between us have now addressed just
about everything which was outstanding -- what did we miss?
* Mon Jun 20 2005 David Woodhouse <dwmw2(a)redhat.com> audit.63
- Wait for backlog to drain where possible
* Mon Jun 20 2005 David Woodhouse <dwmw2(a)redhat.com> audit.62
- Fix locking in auditfs_attach_wdata()
- Drop user messages if !audit_enabled
- Avoid auditing auditd in all cases
* Sun Jun 19 2005 David Woodhouse <dwmw2(a)redhat.com> audit.61
- Reorder patches again, merge auditfs patch
- Capture path_lookup() flags in audit_inode()
--
dwmw2
audit.64 kernel
by David Woodhouse
* Mon Jun 20 2005 David Woodhouse <dwmw2(a)redhat.com> audit.64
- Merge auditfs into one again
- More patches are in -mm
- Allow 5 more entries from non-sleeping contexts in backlog queue
- Protect auditd from OOM kill
- Fix locking in auditfs_attach_watch() harder
- List filter rules from kernel thread to avoid deadlock
--
dwmw2
/var/log/messages: backlog limit exceeded
by Denise Garrett
Howdy,
I am currently working with the attached test, config3_test, that I have
pasted into a text file below. Config3 (assertions 4 and 5) fail on
multiple platforms that contain audit-0.9.4-1, although they will pass
with earlier audits. When it is run, the messages file /var/log/messages
is filled with the following repeating lines during the problem cases.
Jun 15 09:36:05 xracer1 auditd: The audit daemon is exiting.
Jun 15 09:36:05 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Jun 15 09:36:06 xracer1 auditd: auditd startup failed
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65593 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded
Jun 15 09:36:06 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Jun 15 09:36:06 xracer1 auditd: auditd startup succeeded
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65594 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded
Jun 15 09:36:06 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65595 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded
Jun 15 09:36:06 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65596 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded
The problem persists even with changing the backlog limit. Here are the
results in /var/log/messages with different limits.
backlog limit < 8000:
Jun 15 00:38:43 bracer3 kernel: audit: backlog limit exceeded
Jun 15 00:38:43 bracer3 auditd[6013]: Audit daemon rotating log files
Jun 15 00:38:43 bracer3 kernel: audit: audit_backlog=8001 > audit_backlog_limit=8000
backlog limit > 9000:
Jun 15 00:48:29 bracer3 auditd: auditd shutdown failed
Jun 15 00:48:29 bracer3 auditd: Value -1 should only be numbers - line 10
Jun 15 00:48:29 bracer3 auditd: The audit daemon is exiting.
Jun 15 00:48:29 bracer3 auditd: auditd startup failed
Jun 15 00:48:36 bracer3 auditd: auditd startup succeeded
Jun 15 00:48:36 bracer3 auditd[6832]: Init complete, audit pid set to: 6832
Jun 15 00:48:37 bracer3 auditd[6832]: Audit daemon rotating log files
Jun 15 00:49:08 bracer3 last message repeated 109 times
Jun 15 00:49:17 bracer3 last message repeated 33 times
Jun 15 00:49:20 bracer3 auditd[6832]: The audit daemon is exiting.
Jun 15 00:49:21 bracer3 auditd: auditd shutdown succeeded
Jun 15 00:49:21 bracer3 kernel: audit: *NO* daemon at audit_pid=6832
Jun 15 00:49:21 bracer3 kernel: audit(1118814561.489:5030167): auid=500 removed an audit rule
Jun 15 00:49:21 bracer3 kernel:
Jun 15 00:49:21 bracer3 kernel: audit(1118814561.693:5030173): auid=500 removed an audit rule
Jun 15 00:49:21 bracer3 kernel:
Jun 15 00:49:21 bracer3 kernel: audit(1118814561.897:5030179): auid=500 removed an audit rule
Jun 15 00:49:21 bracer3 kernel:
Jun 15 00:49:22 bracer3 kernel: audit(1118814562.101:5030185): auid=500 removed an audit rule
Jun 15 00:49:22 bracer3 kernel:
Jun 15 00:49:22 bracer3 kernel: audit(1118814562.305:5030191): auid=500 removed an audit rule
Jun 15 00:49:22 bracer3 kernel:
Jun 15 00:49:22 bracer3 kernel: audit(1118814562.509:5030197): auid=500 removed an audit rule
Jun 15 00:49:22 bracer3 kernel:
When the commands are done manually for only assertion 4 it passes. This
is because assertion 3 causes the load that sends the messages to
/var/log/messages. Here is the loop and ruleset used by assertion 3.
#include <sys/syscall.h>   /* __NR_mkdir, __NR_chmod, __NR_rmdir */
#include <unistd.h>        /* syscall() */
#include <stdlib.h>        /* system() */
#include <sys/stat.h>      /* mode_t */

extern const char *dirname;   /* assumed to be defined elsewhere in config3_test */
extern mode_t mode;           /* assumed to be defined elsewhere in config3_test */
int lc1;

/* 2000 mkdir/chmod/rmdir round trips: each of the three syscalls is matched
 * by both an entry and an exit rule below, so every iteration emits records. */
for (lc1 = 0; lc1 < 2000; lc1++) {
    syscall(__NR_mkdir, dirname, mode);
    syscall(__NR_chmod, dirname, mode);
    syscall(__NR_rmdir, dirname);
}
/* Create rules using auditctl. */
system("auditctl -a entry,always -S mkdir");
system("auditctl -a entry,always -S chmod");
system("auditctl -a entry,always -S rmdir");
system("auditctl -a exit,always -S mkdir");
system("auditctl -a exit,always -S chmod");
system("auditctl -a exit,always -S rmdir");
The line that assertion 4 creates and searches for in /var/log/messages is
there, but it is followed by so many rows of the backlog limit messages,
pushing it to the top of the file, that it is difficult to find.
Denise Garrett
dmgarret(a)us.ibm.com
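A log check for the symptom reported above, added here as an example (it is not part of the report or of the audit package): it scans syslog lines for the kernel's backlog counters and reports, per host, how often the limit was hit and how many records were dropped. The sample lines are the ones quoted above, rejoined onto single lines.

```python
import re

# Sample input: the kernel/auditd lines quoted in the report above, with the
# wrapped "audit_backlog_limit=256" continuations rejoined to their messages.
SAMPLE_LOG = """\
Jun 15 09:36:05 xracer1 auditd: The audit daemon is exiting.
Jun 15 09:36:05 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65593 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded
Jun 15 09:36:06 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65594 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65596 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded
"""

# Longest names first so "audit_backlog" cannot shadow "audit_backlog_limit".
COUNTER_RE = re.compile(
    r"(audit_backlog_limit|audit_rate_limit|audit_backlog|audit_lost)=(\d+)")

def summarize_backlog(lines):
    """Per host: count 'backlog limit exceeded' messages, track the peak
    backlog against the configured limit, and derive how many records the
    kernel dropped (audit_lost delta) within the scanned window."""
    hosts = {}
    for line in lines:
        if " kernel: audit: " not in line:
            continue                      # auditd's own messages carry no counters
        host = line.split()[3]            # syslog layout: Mon DD HH:MM:SS host ...
        h = hosts.setdefault(host, {"exceeded": 0, "limit": None, "peak_backlog": 0,
                                    "first_lost": None, "last_lost": None})
        if line.rstrip().endswith("backlog limit exceeded"):
            h["exceeded"] += 1
        for name, value in COUNTER_RE.findall(line):
            value = int(value)
            if name == "audit_backlog_limit":
                h["limit"] = value
            elif name == "audit_backlog":
                h["peak_backlog"] = max(h["peak_backlog"], value)
            elif name == "audit_lost":
                if h["first_lost"] is None:
                    h["first_lost"] = value
                h["last_lost"] = value
    for h in hosts.values():
        h["saturated"] = h["limit"] is not None and h["peak_backlog"] > h["limit"]
        h["lost_in_window"] = (0 if h["first_lost"] is None
                               else h["last_lost"] - h["first_lost"])
    return hosts
```

A growing lost_in_window with saturated set is the signature of a generating load (like the assertion 3 loop) outrunning the daemon, which raising audit_backlog_limit alone does not cure.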
Rule listing deadlock.
by David Woodhouse
As discussed, we need to send rules back to auditctl from a separate
context, because otherwise we'll just fill the available socket buffer
space and then deadlock waiting for userspace to read from it... but
without ever actually returning to userspace to allow it to do that.
This spawns a kernel thread to do the job for listing filtering rules --
we need to do the same for watches. Tim? Watch the locking (no pun
intended).
--- linux-2.6.9/kernel/audit.c 2005-06-20 17:27:16.000000000 +0100
+++ linux-2.6.9/kernel/audit.c 2005-06-20 17:27:23.000000000 +0100
@@ -116,7 +116,7 @@ static DECLARE_WAIT_QUEUE_HEAD(audit_bac
* there is still a chance of watch removal via a hook. In this case, the
* semaphore is not enough enough.
*/
-static DECLARE_MUTEX(audit_netlink_sem);
+DECLARE_MUTEX(audit_netlink_sem);
/* AUDIT_BUFSIZ is the size of the temporary buffer used for formatting
* audit records. Since printk uses a 1024 byte buffer, this buffer
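Review bot: dropping `static` from `audit_netlink_sem` makes it a kernel-wide symbol, but the only consumer declares it with a bare `extern struct semaphore audit_netlink_sem;` inside kernel/auditsc.c (later hunk) instead of through a shared header; put the declaration in include/linux/audit.h so audit.c and auditsc.c cannot drift apart on its type. While touching this block, the comment above it still reads "not enough enough".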
--- linux-2.6.9/kernel/auditsc.c 2005-06-20 16:46:53.000000000 +0100
+++ linux-2.6.9/kernel/auditsc.c 2005-06-20 17:29:23.000000000 +0100
@@ -39,6 +39,7 @@
#include <linux/audit.h>
#include <linux/personality.h>
#include <linux/time.h>
+#include <linux/kthread.h>
#include <asm/unistd.h>
/* 0 = no checking
@@ -291,24 +292,61 @@ static int audit_copy_rule(struct audit_
return 0;
}
+extern struct semaphore audit_netlink_sem;
+
+struct audit_reply_dest {
+ int pid;
+ int seq;
+};
+
+int audit_list_rules(void *_dest)
+{
+ int pid, seq;
+ struct audit_reply_dest *dest = _dest;
+ struct audit_entry *entry;
+ int i;
+
+ pid = dest->pid;
+ seq = dest->seq;
+ kfree(dest);
+
+ down(&audit_netlink_sem);
+
+ /* The *_rcu iterators not needed here because we are
+ always called with audit_netlink_sem held. */
+ for (i=0; i<AUDIT_NR_FILTERS; i++) {
+ list_for_each_entry(entry, &audit_filter_list[i], list)
+ audit_send_reply(pid, seq, AUDIT_LIST, 0, 1,
+ &entry->rule, sizeof(entry->rule));
+ }
+ audit_send_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0);
+
+ up(&audit_netlink_sem);
+ return 0;
+}
+
int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
uid_t loginuid)
{
struct audit_entry *entry;
+ struct task_struct *tsk;
+ struct audit_reply_dest *dest;
int err = 0;
- int i;
unsigned listnr;
switch (type) {
case AUDIT_LIST:
- /* The *_rcu iterators not needed here because we are
- always called with audit_netlink_sem held. */
- for (i=0; i<AUDIT_NR_FILTERS; i++) {
- list_for_each_entry(entry, &audit_filter_list[i], list)
- audit_send_reply(pid, seq, AUDIT_LIST, 0, 1,
- &entry->rule, sizeof(entry->rule));
+ dest = kmalloc(sizeof (*dest), GFP_KERNEL);
+ if (!dest)
+ return -ENOMEM;
+ dest->pid = pid;
+ dest->seq = seq;
+
+ tsk = kthread_run(audit_list_rules, dest, "audit_list_rules");
+ if (IS_ERR(tsk)) {
+ kfree(dest);
+ err = PTR_ERR(tsk);
}
- audit_send_reply(pid, seq, AUDIT_LIST, 1, 1, NULL, 0);
break;
case AUDIT_ADD:
if (!(entry = kmalloc(sizeof(*entry), GFP_KERNEL)))
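Review bot: `audit_list_rules` is only ever referenced from this file (by `kthread_run` below) yet is defined non-static with no prototype; make it `static` and move the ad hoc `extern struct semaphore audit_netlink_sem;` to a header. The bigger behavioural point is that listing is now asynchronous: `audit_receive_filter` returns as soon as the thread is spawned and the thread only takes `audit_netlink_sem` afterwards, so an `AUDIT_ADD` or `AUDIT_DEL` handled between the request and the thread's `down()` shows up in the listing, and two overlapping `AUDIT_LIST` requests contend for the semaphore in no defined order. If that is acceptable, say so in a comment; the moved comment "not needed here because we are always called with audit_netlink_sem held" is now true only because the thread takes the semaphore itself, so reword it. Also note that when `kthread_run` fails the requester gets the netlink error but never an `AUDIT_LIST` reply with done=1, which auditctl should be prepared for.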
--
dwmw2
[PATCH] bug fixes + cleanups against audit.58
by Timothy R. Chavez
Hello,
This patch introduces some more bug fixes which hopefully address Rob's
Oopses.
I've made sure to call hlist_del_init instead of hlist_del where necessary
(ie: audit_update_watch).
I've also scrapped the audit_is_watched function in favor of !hlist_unhashed.
One other change was putting the lock around the entire list traversal in
audit_drain_watchlist, rather than inside it. This was just to make the locking
more uniform (ie: if auditfs_lock is held, whatever is holding it has
complete control).
I also rearranged auditfs_wdata_attach a bit, such that if there is no
context, we return out of the function. I've also made it so the context is
only made auditable if it makes it past the memory allocation. No sense in
making it auditable if we were able to collect audit info.
I added audit_notify_watch hooks to fs/open.c and fs/attr.c
Some other little odds and ends are cleanup related. I removed the item=
field from the PATH record component, I turned audit_notify_watch and
auditfs_attach_wdata into void functions as we're unable to handle failed
memory allocations. Reduced my goto abuse.
-tim
audit system still audits auditd
by Steve Grubb
I was doing a test:
auditctl -a entry,always -S all -F auid=-1
It turns out this tends to report auditd doing things:
type=SYSCALL msg=audit(1118858393.806:1338447): arch=40000003 syscall=240
success=yes exit=1 a0=b8ce64 a1=1 a2=1 a3=a79a208 items=0 pid=1716
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="auditd" exe="/sbin/auditd"
type=SYSCALL msg=audit(1118858393.806:1338456): arch=40000003 syscall=4
success=yes exit=254 a0=5 a1=b7fff000 a2=fe a3=fe items=0 pid=1716
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="auditd" exe="/sbin/auditd"
type=SYSCALL msg=audit(1118858393.806:1338459): arch=40000003 syscall=197
success=yes exit=0 a0=5 a1=b7fe81bc a2=659ff4 a3=b7fe81bc items=0 pid=1716
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="auditd" exe="/sbin/auditd"
Of course, the audit system dies in about 15 seconds since each record
generates 10 new events.
-Steve
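A check for this feedback loop, added as an example (not Steve's code and not part of the audit package): it parses SYSCALL records into fields and counts those describing the audit daemon itself running with no login uid, which is exactly what the `-F auid=-1` rule above selects. The first three records are the ones quoted above rejoined onto one line each; the fourth is constructed to represent an ordinary logged-in user's shell.

```python
import re

AUID_UNSET = 4294967295   # (uid_t)-1: no login uid set, the value "-F auid=-1" matches

# Sample input: the three SYSCALL records quoted above, each on one line, plus
# one constructed record (pid, auid 500, comm="bash") for a normal user process.
SAMPLE_RECORDS = """\
type=SYSCALL msg=audit(1118858393.806:1338447): arch=40000003 syscall=240 success=yes exit=1 a0=b8ce64 a1=1 a2=1 a3=a79a208 items=0 pid=1716 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditd" exe="/sbin/auditd"
type=SYSCALL msg=audit(1118858393.806:1338456): arch=40000003 syscall=4 success=yes exit=254 a0=5 a1=b7fff000 a2=fe a3=fe items=0 pid=1716 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditd" exe="/sbin/auditd"
type=SYSCALL msg=audit(1118858393.806:1338459): arch=40000003 syscall=197 success=yes exit=0 a0=5 a1=b7fe81bc a2=659ff4 a3=b7fe81bc items=0 pid=1716 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditd" exe="/sbin/auditd"
type=SYSCALL msg=audit(1118858400.000:1338500): arch=40000003 syscall=4 success=yes exit=12 a0=1 a1=bfffe000 a2=c a3=0 items=0 pid=2042 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="bash" exe="/bin/bash"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value; values may be quoted

def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def is_daemon_self_event(rec, daemon_exe="/sbin/auditd"):
    """True when a SYSCALL record describes the audit daemon itself running
    with no login uid, i.e. a record a catch-all '-F auid=-1' rule selects."""
    return (rec.get("type") == "SYSCALL"
            and rec.get("exe") == daemon_exe
            and int(rec.get("auid", "0")) == AUID_UNSET)

def feedback_report(lines):
    """Measure how much of the stream is auditd auditing itself; any non-zero
    'from_auditd' under such a rule is the self-amplifying loop described above."""
    recs = [parse_record(l) for l in lines if l.strip()]
    own = [r for r in recs if is_daemon_self_event(r)]
    return {
        "total": len(recs),
        "from_auditd": len(own),
        "auditd_pids": sorted({int(r["pid"]) for r in own}),
        "auditd_syscalls": sorted({int(r["syscall"]) for r in own}),
    }
```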
Re: [PATCH] Small kfree cleanup, save a local variable.
by Chris Wright
* Jesper Juhl (jesper.juhl(a)gmail.com) wrote:
> On 6/19/05, Chris Wright <chrisw(a)osdl.org> wrote:
> > * Jesper Juhl (juhl-lkml(a)dif.dk) wrote:
> > > Here's a patch with a small improvement to kernel/auditsc.c .
> > > There's no need for the local variable struct audit_entry *e ,
> > > we can just call kfree directly on container_of() .
> > > Patch also removes an extra space a little further down in the file.
> >
> > Please Cc: linux-audit(a)redhat.com on audit patches.
>
> I didn't find that address in MAINTAINERS nor in the source file. I
> had no idea it existed. Perhaps it ought to be listed in MAINTAINERS
> somewhere...
Ahh, good point, that needs to be fixed.
thanks,
-chris
Re: [PATCH] Small kfree cleanup, save a local variable.
by Chris Wright
* Jesper Juhl (juhl-lkml(a)dif.dk) wrote:
> Here's a patch with a small improvement to kernel/auditsc.c .
> There's no need for the local variable struct audit_entry *e ,
> we can just call kfree directly on container_of() .
> Patch also removes an extra space a little further down in the file.
Please Cc: linux-audit(a)redhat.com on audit patches. I tend to agree
with Michael, it's optimized away, and readable as is.
thanks,
-chris
> Signed-off-by: Jesper Juhl <juhl-lkml(a)dif.dk>
> ---
>
> kernel/auditsc.c | 5 ++---
> 1 files changed, 2 insertions(+), 3 deletions(-)
>
> --- linux-2.6.12-orig/kernel/auditsc.c 2005-06-17 21:48:29.000000000 +0200
> +++ linux-2.6.12/kernel/auditsc.c 2005-06-19 21:21:37.000000000 +0200
> @@ -202,8 +202,7 @@ static inline int audit_add_rule(struct
>
> static void audit_free_rule(struct rcu_head *head)
> {
> - struct audit_entry *e = container_of(head, struct audit_entry, rcu);
> - kfree(e);
> + kfree(container_of(head, struct audit_entry, rcu));
> }
>
> /* Note that audit_add_rule and audit_del_rule are called via
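Review bot: nothing is saved in `audit_free_rule`: the compiler already optimizes the local `e` away, and the named local makes the type being freed visible at the call site, so `kfree(container_of(head, struct audit_entry, rcu));` trades readability for no gain. Either keep the original two lines, or if this goes in, retitle it as a cosmetic cleanup rather than "save a local variable".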
> @@ -612,7 +611,7 @@ static inline void audit_free_context(st
> audit_free_names(context);
> audit_free_aux(context);
> kfree(context);
> - context = previous;
> + context = previous;
> } while (context);
> if (count >= 10)
> printk(KERN_ERR "audit: freed %d contexts\n", count);
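Review bot: this hunk in `audit_free_context` is a whitespace-only change (the stray double space in `context = previous;`) unrelated to the `audit_free_rule` edit above; split it out or fold it into a broader whitespace pass so the functional change and the cosmetic one can be reviewed and reverted independently.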