audit 1.0.2 released
by Steve Grubb
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
tomorrow. The Changelog is:
- Make sure error packets get eaten.
- Fix a few error messages in auditctl
- Fix handling of unsupported watches when reading rules from file in auditctl
This is a bugfix release that addresses problems when people build their own
kernels and do not have everything enabled as a distribution kernel would be.
This package is not going to be built for RHEL4 at this time.
Let me know if there are any problems.
-Steve
20 years, 9 months
audit.87 kernel
by David Woodhouse
* Mon Aug 8 2005 David Woodhouse <dwmw2(a)redhat.com> audit.87
- Avoid marking the context auditable if no watches are actually triggered.
--
dwmw2
20 years, 9 months
watch question
by Linda Knippers
I'm running the capp rules on my ia64 box with the .84 kernel and the
1.0.1 tools and I'm seeing audit records for things that I don't think I
should be seeing them for.
With a watch rule like this:
-w /etc/group -p wa -k CFG_group
with the associated syscall rules in the capp rules file, should
I only be getting records when someone writes or appends to the
group file? That's what I think the -p options mean but I'm
getting audit records anytime someone does anything to the group
file, including just access()ing it. The same is true for other
watched files.
With a little test program that does a read access check on
any file, I always get a set of audit records like this when I do
it on a watched file.
type=SYSCALL msg=audit(1123283719.207:502): arch=c0000032 syscall=1049
success=yes exit=0 a0=60000fffffffb935 a1=4 a2=60000fffffffb935 a3=4
items=1 pid=4230 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 comm="t_path" exe="/home/ljk/t_path"
type=FS_INODE msg=audit(1123283719.207:502): inode=559722 inode_uid=0
inode_gid=0 inode_dev=08:13 inode_rdev=00:00
type=CWD msg=audit(1123283719.207:502): cwd="/home/ljk"
type=PATH msg=audit(1123283719.207:502): name="/etc/group" flags=401
inode=559722 dev=08:13 mode=0100644 ouid=0 ogid=0 rdev=00:00
Should that be happening?
My little test program and output of an auditctl -v are attached.
-- ljk
AUDIT_LIST: entry,possible syscall=chmod
AUDIT_LIST: entry,possible syscall=fchmod
AUDIT_LIST: entry,possible syscall=chown
AUDIT_LIST: entry,possible syscall=fchown
AUDIT_LIST: entry,possible syscall=lchown
AUDIT_LIST: entry,possible syscall=creat
AUDIT_LIST: entry,possible syscall=open
AUDIT_LIST: entry,possible syscall=truncate
AUDIT_LIST: entry,possible syscall=ftruncate
AUDIT_LIST: entry,possible syscall=mkdir
AUDIT_LIST: entry,possible syscall=rmdir
AUDIT_LIST: entry,possible syscall=unlink
AUDIT_LIST: entry,possible syscall=rename
AUDIT_LIST: entry,possible syscall=link
AUDIT_LIST: entry,possible syscall=symlink
AUDIT_LIST: entry,always syscall=mknod
AUDIT_LIST: entry,always syscall=mount
AUDIT_LIST: entry,always syscall=umount
AUDIT_LIST: entry,always syscall=adjtimex
AUDIT_LIST: entry,always syscall=settimeofday
AUDIT_LIST: entry,possible syscall=execve
AUDIT_WATCH_LIST: dev=8:19, path=/var/log/audit, filterkey=LOG_audit, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/var/log/audit/audit_log, filterkey=LOG_audit_log, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/var/log/audit/audit_log.1, filterkey=LOG_audit_log, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/var/log/audit/audit_log.2, filterkey=LOG_audit_log, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/var/log/audit/audit_log.3, filterkey=LOG_audit_log, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/var/log/audit/audit_log.4, filterkey=LOG_audit_log, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/auditd.conf, filterkey=CFG_auditd.conf, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/audit.rules, filterkey=CFG_audit.rules, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/usr/sbin/stunnel, filterkey=, perms=x, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/var/spool/at, filterkey=LOG_at, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/at.allow, filterkey=CFG_at.allow, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/at.deny, filterkey=CFG_at.deny, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/cron.allow, filterkey=CFG_cron.allow, perms=wa, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/cron.deny, filterkey=CFG_cron.deny, perms=wa, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/cron.d, filterkey=CFG_cron.d, perms=wa, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/cron.daily, filterkey=CFG_cron.daily, perms=wa, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/cron.hourly, filterkey=CFG_cron.hourly, perms=wa, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/cron.monthly, filterkey=CFG_cron.monthly, perms=wa, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/cron.weekly, filterkey=CFG_cron.weekly, perms=wa, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/crontab, filterkey=CFG_crontab, perms=wa, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/var/spool/cron/root, filterkey=CFG_crontab_root, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/group, filterkey=CFG_group, perms=wa, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/passwd, filterkey=CFG_passwd, perms=wa, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/gshadow, filterkey=CFG_gshadow, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/shadow, filterkey=CFG_shadow, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/security/opasswd, filterkey=CFG_opasswd, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/login.defs, filterkey=CFG_login.defs, perms=wa, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/securetty, filterkey=CFG_securetty, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/var/log/faillog, filterkey=LOG_faillog, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/var/log/lastlog, filterkey=LOG_lastlog, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/hosts, filterkey=CFG_hosts, perms=wa, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/sysconfig, filterkey=, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/inittab, filterkey=CFG_inittab, perms=wa, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/rc.d/init.d, filterkey=, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/rc.d/init.d/auditd, filterkey=CFG_initd_auditd, perms=wa, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/ld.so.conf, filterkey=CFG_ld.so.conf, perms=wa, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/localtime, filterkey=CFG_localtime, perms=wa, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/sysctl.conf, filterkey=CFG_sysctl.conf, perms=wa, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/modprobe.conf, filterkey=CFG_modprobe.conf, perms=wa, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/pam.d, filterkey=, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/ssh/sshd_config, filterkey=CFG_sshd_config, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/stunnel/stunnel.conf, filterkey=CFG_stunnel.conf, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/stunnel/stunnel.pem, filterkey=CFG_stunnel.pem, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/vsftpd.ftpusers, filterkey=CFG_vsftpd.ftpusers, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/vsftpd/vsftpd.conf, filterkey=CFG_vsftpd.conf, perms=, valid=0
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>
int
main(int argc, char *argv[])
{
int i, cnt = 1;
int mode=R_OK;
char *path="/etc/passwd";
if (argc > 1) {
path = argv[1];
}
if (argc > 2) {
cnt = atoi(argv[2]);
if (cnt <=0)
cnt = 1;
}
printf("looping %d times on access(%s, %o)\n", cnt, path, mode);
for (i = 0; i < cnt; i++) {
if (access(path, mode) < 0) {
fprintf(stderr, "access(%s, %o): %s\n", path,mode,strerror(errno));
}
}
exit(0);
}
20 years, 9 months
audit.86 kernel
by David Woodhouse
* Fri Aug 05 2005 David Woodhouse <dwmw2(a)redhat.com> audit.86
- Call audit_panic() if watch report fails
--
dwmw2
20 years, 9 months
audit.85 kernel
by David Woodhouse
I finally worked out what was wrong and got the kernel through the build
system.
* Wed Aug 3 2005 David Woodhouse <dwmw2(a)redhat.com> audit.85
- Fix success/failure for PPC64 syscall rules
While doing final checks, I also noticed that this part of the patch
which went into audit.83 was bogus, and removed it...
@@ -944,7 +947,7 @@ void audit_free(struct task_struct *tsk)
task_unlock(tsk);
if (likely(!context))
- return;
+ goto out;
/* Check for system calls that do not go through the exit
* function (e.g., exit_group), then free context block.
@@ -953,6 +956,7 @@ void audit_free(struct task_struct *tsk)
if (context->in_syscall && context->auditable)
audit_log_exit(context, GFP_ATOMIC);
+ out:
audit_free_context(context);
}
--
dwmw2
20 years, 9 months
audit 1.0.1 released
by Rob Myers
[ since steve mentioned his email was not working... ]
Hello,
Steve just released a new version of the audit daemon. It can be
downloaded from http://people.redhat.com/sgrubb/audit Presumably, it
will also be in rawhide tomorrow. The Changelog is:
- Add check for fields that cannot be used with syscall entry in
auditctl
- Make auditctl not tolerate duplicate rule and watches
- Remove uid check in ausearch
Please report any problems.
rob.
20 years, 10 months
audit.83 kernel
by David Woodhouse
* Sun Jul 31 2005 David Woodhouse <dwmw2(a)redhat.com> audit.83
- Reduce lock contention in audit_data_get()
--
dwmw2
20 years, 10 months
audit 1.0 released
by Steve Grubb
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
tomorrow. The Changelog is:
- Update sample CAPP config
- Remove warning for trimming file path in auditctl
- Make auditctl tolerate duplicate rule and watches
- auditd has new option so it doesn't overwrite log files
- Fixed bug in autrace that was reporting bad descriptor
This release marks the end of the current development for a CAPP style
auditing subsystem. This version is now in maintenance mode. All bugs fixed
for this version will continue to have 1.0.x notation. All new features will
be put into a 1.X release (where X >= 1) as we work towards a 2.0 version.
Please let me know of any problems.
-Steve
20 years, 10 months
audit.84 kernel
by David Woodhouse
* Mon Aug 01 2005 David Woodhouse <dwmw2(a)redhat.com> audit.84
- Avoid duplicate syscall rules (Amy)
I'll be away from the office tomorrow and almost certainly not on the
conference call.
--
dwmw2
20 years, 10 months
[PATCH] prevent duplicate syscall rules
by Amy Griffis
The following patch against audit.81 prevents duplicate syscall rules in a
given filter list by walking the list on each rule add.
I also removed the unused struct audit_entry in audit.c and made the static
inlines in auditsc.c consistent.
Signed-off-by: Amy Griffis <amy.griffis(a)hp.com>
audit.c | 5 ---
auditsc.c | 95 ++++++++++++++++++++++++++++++++++++--------------------------
2 files changed, 56 insertions(+), 44 deletions(-)
diff -Nrup linux-2.6.9.orig/kernel/audit.c linux-2.6.9/kernel/audit.c
--- linux-2.6.9.orig/kernel/audit.c 2005-07-29 13:37:34.581058000 -0400
+++ linux-2.6.9/kernel/audit.c 2005-07-29 13:41:32.018555559 -0400
@@ -147,11 +147,6 @@ static void audit_set_pid(struct audit_b
nlh->nlmsg_pid = pid;
}
-struct audit_entry {
- struct list_head list;
- struct audit_rule rule;
-};
-
static void audit_panic(const char *message)
{
switch (audit_failure)
diff -Nrup linux-2.6.9.orig/kernel/auditsc.c linux-2.6.9/kernel/auditsc.c
--- linux-2.6.9.orig/kernel/auditsc.c 2005-07-29 13:37:34.572269000 -0400
+++ linux-2.6.9/kernel/auditsc.c 2005-07-29 13:53:31.988273302 -0400
@@ -198,9 +198,36 @@ struct audit_entry {
extern int audit_pid;
+/* Copy rule from user-space to kernel-space. Called from
+ * audit_add_rule during AUDIT_ADD. */
+static inline int audit_copy_rule(struct audit_rule *d, struct audit_rule *s)
+{
+ int i;
+
+ if (s->action != AUDIT_NEVER
+ && s->action != AUDIT_POSSIBLE
+ && s->action != AUDIT_ALWAYS)
+ return -1;
+ if (s->field_count < 0 || s->field_count > AUDIT_MAX_FIELDS)
+ return -1;
+ if ((s->flags & ~AUDIT_FILTER_PREPEND) >= AUDIT_NR_FILTERS)
+ return -1;
+
+ d->flags = s->flags;
+ d->action = s->action;
+ d->field_count = s->field_count;
+ for (i = 0; i < d->field_count; i++) {
+ d->fields[i] = s->fields[i];
+ d->values[i] = s->values[i];
+ }
+ for (i = 0; i < AUDIT_BITMASK_SIZE; i++) d->mask[i] = s->mask[i];
+ return 0;
+}
+
/* Check to see if two rules are identical. It is called from
+ * audit_add_rule during AUDIT_ADD and
* audit_del_rule during AUDIT_DEL. */
-static int audit_compare_rule(struct audit_rule *a, struct audit_rule *b)
+static inline int audit_compare_rule(struct audit_rule *a, struct audit_rule *b)
{
int i;
@@ -229,18 +256,37 @@ static int audit_compare_rule(struct aud
/* Note that audit_add_rule and audit_del_rule are called via
* audit_receive() in audit.c, and are protected by
* audit_netlink_sem. */
-static inline void audit_add_rule(struct audit_entry *entry,
+static inline int audit_add_rule(struct audit_rule *rule,
struct list_head *list)
{
+ struct audit_entry *entry;
+
+ /* Do not use the _rcu iterator here, since this is the only
+ * addition routine. */
+ list_for_each_entry(entry, list, list) {
+ if (!audit_compare_rule(rule, &entry->rule)) {
+ return -EINVAL;
+ }
+ }
+
+ if (!(entry = kmalloc(sizeof(*entry), GFP_KERNEL)))
+ return -ENOMEM;
+ if (audit_copy_rule(&entry->rule, rule)) {
+ kfree(entry);
+ return -EINVAL;
+ }
+
if (entry->rule.flags & AUDIT_FILTER_PREPEND) {
entry->rule.flags &= ~AUDIT_FILTER_PREPEND;
list_add_rcu(&entry->list, list);
} else {
list_add_tail_rcu(&entry->list, list);
}
+
+ return 0;
}
-static void audit_free_rule(struct rcu_head *head)
+static inline void audit_free_rule(struct rcu_head *head)
{
struct audit_entry *e = container_of(head, struct audit_entry, rcu);
kfree(e);
@@ -267,32 +313,6 @@ static inline int audit_del_rule(struct
}
#ifdef CONFIG_NET
-/* Copy rule from user-space to kernel-space. Called during
- * AUDIT_ADD. */
-static int audit_copy_rule(struct audit_rule *d, struct audit_rule *s)
-{
- int i;
-
- if (s->action != AUDIT_NEVER
- && s->action != AUDIT_POSSIBLE
- && s->action != AUDIT_ALWAYS)
- return -1;
- if (s->field_count < 0 || s->field_count > AUDIT_MAX_FIELDS)
- return -1;
- if ((s->flags & ~AUDIT_FILTER_PREPEND) >= AUDIT_NR_FILTERS)
- return -1;
-
- d->flags = s->flags;
- d->action = s->action;
- d->field_count = s->field_count;
- for (i = 0; i < d->field_count; i++) {
- d->fields[i] = s->fields[i];
- d->values[i] = s->values[i];
- }
- for (i = 0; i < AUDIT_BITMASK_SIZE; i++) d->mask[i] = s->mask[i];
- return 0;
-}
-
static int audit_list_rules(void *_dest)
{
int pid, seq;
@@ -322,7 +342,6 @@ static int audit_list_rules(void *_dest)
int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
uid_t loginuid)
{
- struct audit_entry *entry;
struct task_struct *tsk;
int *dest;
int err = 0;
@@ -349,16 +368,14 @@ int audit_receive_filter(int type, int p
}
break;
case AUDIT_ADD:
- if (!(entry = kmalloc(sizeof(*entry), GFP_KERNEL)))
- return -ENOMEM;
- if (audit_copy_rule(&entry->rule, data)) {
- kfree(entry);
+ listnr =((struct audit_rule *)data)->flags & ~AUDIT_FILTER_PREPEND;
+ if (listnr >= AUDIT_NR_FILTERS)
return -EINVAL;
- }
- listnr = entry->rule.flags & ~AUDIT_FILTER_PREPEND;
- audit_add_rule(entry, &audit_filter_list[listnr]);
- audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
- "auid=%u added an audit rule\n", loginuid);
+
+ err = audit_add_rule(data, &audit_filter_list[listnr]);
+ if (!err)
+ audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+ "auid=%u added an audit rule\n", loginuid);
break;
case AUDIT_DEL:
listnr =((struct audit_rule *)data)->flags & ~AUDIT_FILTER_PREPEND;
20 years, 10 months
