October 2006 - Linux-audit - Linux-Audit List Archives

by Joy Latten

This code adds auditing to IPSec. An audit message gets logged whenever an ipsec policy or security association is added or deleted from the kernel's Security Policy Database and/or Security Association Database. IPSec policies and SAs can be added and/or deleted via the pfkey api or the netlink api, which was extended to accomodate key management. PFKEYv2 is a socket protocol for key management defined in RFC 2367. I added auditing for both key management protocols. Both protocols utilize the same code in some places. Please let me know if this patch is acceptable. Regards, Joy Latten --------------------------------------------------------------------------------- diff -urpN linux-2.6.18.ppc64/include/linux/audit.h linux-2.6.18.ppc64.patch/include/linux/audit.h --- linux-2.6.18.ppc64/include/linux/audit.h 2006-10-26 03:10:10.000000000 -0500 +++ linux-2.6.18.ppc64.patch/include/linux/audit.h 2006-10-26 07:04:08.000000000 -0500 @@ -100,6 +100,10 @@ #define AUDIT_MAC_CIPSOV4_DEL 1408 /* NetLabel: del CIPSOv4 DOI entry */ #define AUDIT_MAC_MAP_ADD 1409 /* NetLabel: add LSM domain mapping */ #define AUDIT_MAC_MAP_DEL 1410 /* NetLabel: del LSM domain mapping */ +#define AUDIT_MAC_IPSEC_ADDSA 1411 /* Add a XFRM state */ +#define AUDIT_MAC_IPSEC_DELSA 1412 /* Delete a XFRM state */ +#define AUDIT_MAC_IPSEC_ADDSPD 1413 /* Add a XFRM policy */ +#define AUDIT_MAC_IPSEC_DELSPD 1414 /* Delete a XFRM policy */ #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG 1799 diff -urpN linux-2.6.18.ppc64/include/net/xfrm.h linux-2.6.18.ppc64.patch/include/net/xfrm.h --- linux-2.6.18.ppc64/include/net/xfrm.h 2006-10-26 03:10:11.000000000 -0500 +++ linux-2.6.18.ppc64.patch/include/net/xfrm.h 2006-10-26 07:04:08.000000000 -0500 @@ -18,6 +18,7 @@ #include <net/route.h> #include <net/ipv6.h> #include <net/ip6_fib.h> +#include <linux/audit.h> #define XFRM_ALIGN8(len) (((len) + 7) & ~7) #define MODULE_ALIAS_XFRM_MODE(family, encap) \ @@ -231,7 +232,7 @@ extern void km_state_notify(struct xfrm_ struct xfrm_tmpl; extern int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol); extern void km_state_expired(struct xfrm_state *x, int hard, u32 pid); -extern int __xfrm_state_delete(struct xfrm_state *x); +extern int __xfrm_state_delete(struct xfrm_state *x, uid_t auid); struct xfrm_state_afinfo { unsigned short family; @@ -737,16 +738,17 @@ static inline int xfrm_sk_clone_policy(s return 0; } -extern int xfrm_policy_delete(struct xfrm_policy *pol, int dir); +extern int xfrm_policy_delete(struct xfrm_policy *pol, int dir, uid_t auid); static inline void xfrm_sk_free_policy(struct sock *sk) { + uid_t auid = audit_get_loginuid(current->audit_context); if (unlikely(sk->sk_policy[0] != NULL)) { - xfrm_policy_delete(sk->sk_policy[0], XFRM_POLICY_MAX); + xfrm_policy_delete(sk->sk_policy[0], XFRM_POLICY_MAX, auid); sk->sk_policy[0] = NULL; } if (unlikely(sk->sk_policy[1] != NULL)) { - xfrm_policy_delete(sk->sk_policy[1], XFRM_POLICY_MAX+1); + xfrm_policy_delete(sk->sk_policy[1], XFRM_POLICY_MAX+1, auid); sk->sk_policy[1] = NULL; } } @@ -898,13 +900,13 @@ extern struct xfrm_state *xfrm_state_fin struct xfrm_policy *pol, int *err, unsigned short family); extern int xfrm_state_check_expire(struct xfrm_state *x); -extern void xfrm_state_insert(struct xfrm_state *x); -extern int xfrm_state_add(struct xfrm_state *x); -extern int xfrm_state_update(struct xfrm_state *x); +extern void xfrm_state_insert(struct xfrm_state *x, uid_t auid); +extern int xfrm_state_add(struct xfrm_state *x, uid_t auid); +extern int xfrm_state_update(struct xfrm_state *x, uid_t auid); extern struct xfrm_state *xfrm_state_lookup(xfrm_address_t *daddr, u32 spi, u8 proto, unsigned short family); extern struct xfrm_state *xfrm_find_acq_byseq(u32 seq); -extern int xfrm_state_delete(struct xfrm_state *x); -extern void xfrm_state_flush(u8 proto); +extern int xfrm_state_delete(struct xfrm_state *x, uid_t auid); +extern void xfrm_state_flush(u8 proto, uid_t auid); extern int xfrm_replay_check(struct xfrm_state *x, u32 seq); extern void xfrm_replay_advance(struct xfrm_state *x, u32 seq); extern void xfrm_replay_notify(struct xfrm_state *x, int event); @@ -948,17 +950,18 @@ static inline int xfrm_dst_lookup(struct struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp); extern int xfrm_policy_walk(int (*func)(struct xfrm_policy *, int, int, void*), void *); -int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl); +int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl, uid_t auid); struct xfrm_policy *xfrm_policy_bysel_ctx(int dir, struct xfrm_selector *sel, - struct xfrm_sec_ctx *ctx, int delete); -struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete); -void xfrm_policy_flush(void); + struct xfrm_sec_ctx *ctx, int delete, + uid_t auid); +struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete, uid_t auid); +void xfrm_policy_flush(uid_t auid); u32 xfrm_get_acqseq(void); void xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi); struct xfrm_state * xfrm_find_acq(u8 mode, u32 reqid, u8 proto, xfrm_address_t *daddr, xfrm_address_t *saddr, int create, unsigned short family); -extern void xfrm_policy_flush(void); +extern void xfrm_policy_flush(uid_t auid); extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol); extern int xfrm_flush_bundles(void); extern void xfrm_flush_all_bundles(void); diff -urpN linux-2.6.18.ppc64/kernel/auditsc.c linux-2.6.18.ppc64.patch/kernel/auditsc.c --- linux-2.6.18.ppc64/kernel/auditsc.c 2006-10-26 03:10:35.000000000 -0500 +++ linux-2.6.18.ppc64.patch/kernel/auditsc.c 2006-10-26 07:04:49.000000000 -0500 @@ -1488,6 +1488,7 @@ uid_t audit_get_loginuid(struct audit_co { return ctx ? ctx->loginuid : -1; } +EXPORT_SYMBOL(audit_get_loginuid); /** * __audit_mq_open - record audit data for a POSIX MQ open diff -urpN linux-2.6.18.ppc64/net/ipv4/ipcomp.c linux-2.6.18.ppc64.patch/net/ipv4/ipcomp.c --- linux-2.6.18.ppc64/net/ipv4/ipcomp.c 2006-09-19 22:42:06.000000000 -0500 +++ linux-2.6.18.ppc64.patch/net/ipv4/ipcomp.c 2006-10-26 07:04:08.000000000 -0500 @@ -29,6 +29,7 @@ #include <net/icmp.h> #include <net/ipcomp.h> #include <net/protocol.h> +#include <linux/audit.h> struct ipcomp_tfms { struct list_head list; @@ -251,7 +252,7 @@ static int ipcomp_tunnel_attach(struct x err = -EINVAL; goto out; } - xfrm_state_insert(t); + xfrm_state_insert(t,audit_get_loginuid(current->audit_context)); xfrm_state_hold(t); } x->tunnel = t; diff -urpN linux-2.6.18.ppc64/net/ipv6/ipcomp6.c linux-2.6.18.ppc64.patch/net/ipv6/ipcomp6.c --- linux-2.6.18.ppc64/net/ipv6/ipcomp6.c 2006-09-19 22:42:06.000000000 -0500 +++ linux-2.6.18.ppc64.patch/net/ipv6/ipcomp6.c 2006-10-26 07:04:08.000000000 -0500 @@ -50,6 +50,7 @@ #include <linux/ipv6.h> #include <linux/icmpv6.h> #include <linux/mutex.h> +#include <linux/audit.h> struct ipcomp6_tfms { struct list_head list; @@ -246,7 +247,7 @@ static int ipcomp6_tunnel_attach(struct err = -EINVAL; goto out; } - xfrm_state_insert(t); + xfrm_state_insert(t,audit_get_loginuid(current->audit_context)); xfrm_state_hold(t); } x->tunnel = t; diff -urpN linux-2.6.18.ppc64/net/key/af_key.c linux-2.6.18.ppc64.patch/net/key/af_key.c --- linux-2.6.18.ppc64/net/key/af_key.c 2006-10-26 03:10:11.000000000 -0500 +++ linux-2.6.18.ppc64.patch/net/key/af_key.c 2006-10-26 07:04:08.000000000 -0500 @@ -29,6 +29,7 @@ #include <net/xfrm.h> #include <net/sock.h> +#include <linux/audit.h> #define _X2KEY(x) ((x) == XFRM_INF ? 0 : (x)) #define _KEY2X(x) ((x) == 0 ? XFRM_INF : (x)) @@ -1416,9 +1417,9 @@ static int pfkey_add(struct sock *sk, st xfrm_state_hold(x); if (hdr->sadb_msg_type == SADB_ADD) - err = xfrm_state_add(x); + err = xfrm_state_add(x, audit_get_loginuid(current->audit_context)); else - err = xfrm_state_update(x); + err = xfrm_state_update(x, audit_get_loginuid(current->audit_context)); if (err < 0) { x->km.state = XFRM_STATE_DEAD; @@ -1461,7 +1462,7 @@ static int pfkey_delete(struct sock *sk, goto out; } - err = xfrm_state_delete(x); + err = xfrm_state_delete(x, audit_get_loginuid(current->audit_context)); if (err < 0) goto out; @@ -1642,7 +1643,7 @@ static int pfkey_flush(struct sock *sk, if (proto == 0) return -EINVAL; - xfrm_state_flush(proto); + xfrm_state_flush(proto, audit_get_loginuid(current->audit_context)); c.data.proto = proto; c.seq = hdr->sadb_msg_seq; c.pid = hdr->sadb_msg_pid; @@ -2192,7 +2193,8 @@ static int pfkey_spdadd(struct sock *sk, goto out; err = xfrm_policy_insert(pol->sadb_x_policy_dir-1, xp, - hdr->sadb_msg_type != SADB_X_SPDUPDATE); + hdr->sadb_msg_type != SADB_X_SPDUPDATE, + audit_get_loginuid(current->audit_context)); if (err) goto out; @@ -2268,7 +2270,7 @@ static int pfkey_spddelete(struct sock * return err; } - xp = xfrm_policy_bysel_ctx(pol->sadb_x_policy_dir-1, &sel, tmp.security, 1); + xp = xfrm_policy_bysel_ctx(pol->sadb_x_policy_dir-1, &sel, tmp.security, 1, audit_get_loginuid(current->audit_context)); security_xfrm_policy_free(&tmp); if (xp == NULL) return -ENOENT; @@ -2331,7 +2333,8 @@ static int pfkey_spdget(struct sock *sk, return -EINVAL; xp = xfrm_policy_byid(dir, pol->sadb_x_policy_id, - hdr->sadb_msg_type == SADB_X_SPDDELETE2); + hdr->sadb_msg_type == SADB_X_SPDDELETE2, + audit_get_loginuid(current->audit_context)); if (xp == NULL) return -ENOENT; @@ -2405,7 +2408,7 @@ static int pfkey_spdflush(struct sock *s { struct km_event c; - xfrm_policy_flush(); + xfrm_policy_flush(audit_get_loginuid(current->audit_context)); c.event = XFRM_MSG_FLUSHPOLICY; c.pid = hdr->sadb_msg_pid; c.seq = hdr->sadb_msg_seq; diff -urpN linux-2.6.18.ppc64/net/xfrm/xfrm_policy.c linux-2.6.18.ppc64.patch/net/xfrm/xfrm_policy.c --- linux-2.6.18.ppc64/net/xfrm/xfrm_policy.c 2006-10-26 03:10:11.000000000 -0500 +++ linux-2.6.18.ppc64.patch/net/xfrm/xfrm_policy.c 2006-10-26 07:04:08.000000000 -0500 @@ -293,7 +293,7 @@ out: expired: read_unlock(&xp->lock); - if (!xfrm_policy_delete(xp, dir)) + if (!xfrm_policy_delete(xp, dir, audit_get_loginuid(current->audit_context))) km_policy_expired(xp, dir, 1, 0); xfrm_pol_put(xp); } @@ -374,13 +374,21 @@ static void xfrm_policy_gc_task(void *da * entry dead. The rule must be unlinked from lists to the moment. */ -static void xfrm_policy_kill(struct xfrm_policy *policy) +static void xfrm_policy_kill(struct xfrm_policy *policy, uid_t auid) { int dead; write_lock_bh(&policy->lock); dead = policy->dead; policy->dead = 1; + + if (policy->security) + audit_log(current->audit_context, GFP_ATOMIC, + AUDIT_MAC_IPSEC_DELSPD, + "spd delete: auid=%u ctx_alg=%d ctx_doi=%d ctx=%s", + auid, policy->security->ctx_alg, + policy->security->ctx_doi, policy->security->ctx_str); + write_unlock_bh(&policy->lock); if (unlikely(dead)) { @@ -417,7 +425,7 @@ static u32 xfrm_gen_index(int dir) } } -int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl) +int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl, uid_t auid) { struct xfrm_policy *pol, **p; struct xfrm_policy *delpol = NULL; @@ -460,10 +468,18 @@ int xfrm_policy_insert(int dir, struct x write_unlock_bh(&xfrm_policy_lock); if (delpol) - xfrm_policy_kill(delpol); + xfrm_policy_kill(delpol, auid); read_lock_bh(&xfrm_policy_lock); gc_list = NULL; + + if (policy->security) + audit_log(current->audit_context, GFP_ATOMIC, + AUDIT_MAC_IPSEC_ADDSPD, + "spd add: auid=%u ctx_alg=%d ctx_doi=%d ctx=%s", + auid, policy->security->ctx_alg, + policy->security->ctx_doi, policy->security->ctx_str); + for (policy = policy->next; policy; policy = policy->next) { struct dst_entry *dst; @@ -480,6 +496,7 @@ int xfrm_policy_insert(int dir, struct x } write_unlock(&policy->lock); } + read_unlock_bh(&xfrm_policy_lock); while (gc_list) { @@ -494,7 +511,8 @@ int xfrm_policy_insert(int dir, struct x EXPORT_SYMBOL(xfrm_policy_insert); struct xfrm_policy *xfrm_policy_bysel_ctx(int dir, struct xfrm_selector *sel, - struct xfrm_sec_ctx *ctx, int delete) + struct xfrm_sec_ctx *ctx, int delete, + uid_t auid) { struct xfrm_policy *pol, **p; @@ -512,13 +530,13 @@ struct xfrm_policy *xfrm_policy_bysel_ct if (pol && delete) { atomic_inc(&flow_cache_genid); - xfrm_policy_kill(pol); + xfrm_policy_kill(pol, auid); } return pol; } EXPORT_SYMBOL(xfrm_policy_bysel_ctx); -struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete) +struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete, uid_t auid) { struct xfrm_policy *pol, **p; @@ -535,13 +553,13 @@ struct xfrm_policy *xfrm_policy_byid(int if (pol && delete) { atomic_inc(&flow_cache_genid); - xfrm_policy_kill(pol); + xfrm_policy_kill(pol, auid); } return pol; } EXPORT_SYMBOL(xfrm_policy_byid); -void xfrm_policy_flush(void) +void xfrm_policy_flush(uid_t auid) { struct xfrm_policy *xp; int dir; @@ -552,7 +570,7 @@ void xfrm_policy_flush(void) xfrm_policy_list[dir] = xp->next; write_unlock_bh(&xfrm_policy_lock); - xfrm_policy_kill(xp); + xfrm_policy_kill(xp, auid); write_lock_bh(&xfrm_policy_lock); } @@ -696,7 +714,7 @@ static struct xfrm_policy *__xfrm_policy return NULL; } -int xfrm_policy_delete(struct xfrm_policy *pol, int dir) +int xfrm_policy_delete(struct xfrm_policy *pol, int dir, uid_t auid) { write_lock_bh(&xfrm_policy_lock); pol = __xfrm_policy_unlink(pol, dir); @@ -704,7 +722,7 @@ int xfrm_policy_delete(struct xfrm_polic if (pol) { if (dir < XFRM_POLICY_MAX) atomic_inc(&flow_cache_genid); - xfrm_policy_kill(pol); + xfrm_policy_kill(pol, auid); return 0; } return -ENOENT; @@ -728,7 +746,7 @@ int xfrm_sk_policy_insert(struct sock *s write_unlock_bh(&xfrm_policy_lock); if (old_pol) { - xfrm_policy_kill(old_pol); + xfrm_policy_kill(old_pol, audit_get_loginuid(current->audit_context)); } return 0; } diff -urpN linux-2.6.18.ppc64/net/xfrm/xfrm_state.c linux-2.6.18.ppc64.patch/net/xfrm/xfrm_state.c --- linux-2.6.18.ppc64/net/xfrm/xfrm_state.c 2006-10-26 03:10:09.000000000 -0500 +++ linux-2.6.18.ppc64.patch/net/xfrm/xfrm_state.c 2006-10-26 07:04:08.000000000 -0500 @@ -59,7 +59,7 @@ static DEFINE_SPINLOCK(xfrm_state_gc_loc static int xfrm_state_gc_flush_bundles; -int __xfrm_state_delete(struct xfrm_state *x); +int __xfrm_state_delete(struct xfrm_state *x, uid_t auid); static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned short family); static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo); @@ -180,7 +180,8 @@ expired: next = 2; goto resched; } - if (!__xfrm_state_delete(x) && x->id.spi) + if (!__xfrm_state_delete(x, audit_get_loginuid(current->audit_context)) + && x->id.spi) km_state_expired(x, 1, 0); out: @@ -231,7 +232,7 @@ void __xfrm_state_destroy(struct xfrm_st } EXPORT_SYMBOL(__xfrm_state_destroy); -int __xfrm_state_delete(struct xfrm_state *x) +int __xfrm_state_delete(struct xfrm_state *x, uid_t auid) { int err = -ESRCH; @@ -244,6 +245,13 @@ int __xfrm_state_delete(struct xfrm_stat list_del(&x->byspi); __xfrm_state_put(x); } + if (x->security) + audit_log(current->audit_context, GFP_ATOMIC, + AUDIT_MAC_IPSEC_ADDSA, + "SAD delete: auid=%u ctx_alg=%d ctx_doi=%d ctx=%s", + auid, x->security->ctx_alg, + x->security->ctx_doi, x->security->ctx_str); + spin_unlock(&xfrm_state_lock); if (del_timer(&x->timer)) __xfrm_state_put(x); @@ -272,19 +280,19 @@ int __xfrm_state_delete(struct xfrm_stat } EXPORT_SYMBOL(__xfrm_state_delete); -int xfrm_state_delete(struct xfrm_state *x) +int xfrm_state_delete(struct xfrm_state *x, uid_t auid) { int err; spin_lock_bh(&x->lock); - err = __xfrm_state_delete(x); + err = __xfrm_state_delete(x, auid); spin_unlock_bh(&x->lock); return err; } EXPORT_SYMBOL(xfrm_state_delete); -void xfrm_state_flush(u8 proto) +void xfrm_state_flush(u8 proto, uid_t auid) { int i; struct xfrm_state *x; @@ -298,7 +306,7 @@ restart: xfrm_state_hold(x); spin_unlock_bh(&xfrm_state_lock); - xfrm_state_delete(x); + xfrm_state_delete(x, auid); xfrm_state_put(x); spin_lock_bh(&xfrm_state_lock); @@ -441,7 +449,7 @@ out: return x; } -static void __xfrm_state_insert(struct xfrm_state *x) +static void __xfrm_state_insert(struct xfrm_state *x, uid_t auid) { unsigned h = xfrm_dst_hash(&x->id.daddr, x->props.family); @@ -461,12 +469,20 @@ static void __xfrm_state_insert(struct x xfrm_state_hold(x); wake_up(&km_waitq); + + if (x->security) + audit_log(current->audit_context, GFP_ATOMIC, + AUDIT_MAC_IPSEC_ADDSA, + "SAD add: auid=%u ctx_alg=%d ctx_doi=%d, ctx=%s", + auid, x->security->ctx_alg, x->security->ctx_doi, + x->security->ctx_str); + } -void xfrm_state_insert(struct xfrm_state *x) +void xfrm_state_insert(struct xfrm_state *x, uid_t auid) { spin_lock_bh(&xfrm_state_lock); - __xfrm_state_insert(x); + __xfrm_state_insert(x, auid); spin_unlock_bh(&xfrm_state_lock); xfrm_flush_all_bundles(); @@ -475,7 +491,7 @@ EXPORT_SYMBOL(xfrm_state_insert); static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq); -int xfrm_state_add(struct xfrm_state *x) +int xfrm_state_add(struct xfrm_state *x, uid_t auid) { struct xfrm_state_afinfo *afinfo; struct xfrm_state *x1; @@ -510,7 +526,7 @@ int xfrm_state_add(struct xfrm_state *x) x->props.mode, x->props.reqid, x->id.proto, &x->id.daddr, &x->props.saddr, 0); - __xfrm_state_insert(x); + __xfrm_state_insert(x, auid); err = 0; out: @@ -521,7 +537,7 @@ out: xfrm_flush_all_bundles(); if (x1) { - xfrm_state_delete(x1); + xfrm_state_delete(x1, auid); xfrm_state_put(x1); } @@ -529,7 +545,7 @@ out: } EXPORT_SYMBOL(xfrm_state_add); -int xfrm_state_update(struct xfrm_state *x) +int xfrm_state_update(struct xfrm_state *x, uid_t auid) { struct xfrm_state_afinfo *afinfo; struct xfrm_state *x1; @@ -553,7 +569,7 @@ int xfrm_state_update(struct xfrm_state } if (x1->km.state == XFRM_STATE_ACQ) { - __xfrm_state_insert(x); + __xfrm_state_insert(x, auid); x = NULL; } err = 0; @@ -566,7 +582,7 @@ out: return err; if (!x) { - xfrm_state_delete(x1); + xfrm_state_delete(x1, auid); xfrm_state_put(x1); return 0; } @@ -1125,11 +1141,15 @@ static void xfrm_state_put_afinfo(struct /* Temporarily located here until net/xfrm/xfrm_tunnel.c is created */ void xfrm_state_delete_tunnel(struct xfrm_state *x) { + uid_t auid; + + auid = audit_get_loginuid(current->audit_context); + if (x->tunnel) { struct xfrm_state *t = x->tunnel; if (atomic_read(&t->tunnel_users) == 2) - xfrm_state_delete(t); + xfrm_state_delete(t, auid); atomic_dec(&t->tunnel_users); xfrm_state_put(t); x->tunnel = NULL; diff -urpN linux-2.6.18.ppc64/net/xfrm/xfrm_user.c linux-2.6.18.ppc64.patch/net/xfrm/xfrm_user.c --- linux-2.6.18.ppc64/net/xfrm/xfrm_user.c 2006-10-26 03:10:11.000000000 -0500 +++ linux-2.6.18.ppc64.patch/net/xfrm/xfrm_user.c 2006-10-26 07:04:08.000000000 -0500 @@ -27,6 +27,7 @@ #include <net/xfrm.h> #include <net/netlink.h> #include <asm/uaccess.h> +#include <linux/audit.h> static int verify_one_alg(struct rtattr **xfrma, enum xfrm_attr_type_t type) { @@ -396,9 +397,9 @@ static int xfrm_add_sa(struct sk_buff *s xfrm_state_hold(x); if (nlh->nlmsg_type == XFRM_MSG_NEWSA) - err = xfrm_state_add(x); + err = xfrm_state_add(x, NETLINK_CB(skb).loginuid); else - err = xfrm_state_update(x); + err = xfrm_state_update(x, NETLINK_CB(skb).loginuid); if (err < 0) { x->km.state = XFRM_STATE_DEAD; @@ -435,7 +436,7 @@ static int xfrm_del_sa(struct sk_buff *s goto out; } - err = xfrm_state_delete(x); + err = xfrm_state_delete(x, NETLINK_CB(skb).loginuid); if (err < 0) goto out; @@ -859,7 +860,7 @@ static int xfrm_add_policy(struct sk_buf * in netlink excl is a flag and you wouldnt need * a type XFRM_MSG_UPDPOLICY - JHS */ excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; - err = xfrm_policy_insert(p->dir, xp, excl); + err = xfrm_policy_insert(p->dir, xp, excl, NETLINK_CB(skb).loginuid); if (err) { security_xfrm_policy_free(xp); kfree(xp); @@ -1026,6 +1027,7 @@ static int xfrm_get_policy(struct sk_buf int err; struct km_event c; int delete; + uid_t auid; p = NLMSG_DATA(nlh); delete = nlh->nlmsg_type == XFRM_MSG_DELPOLICY; @@ -1034,8 +1036,9 @@ static int xfrm_get_policy(struct sk_buf if (err) return err; + auid = NETLINK_CB(skb).loginuid; if (p->index) - xp = xfrm_policy_byid(p->dir, p->index, delete); + xp = xfrm_policy_byid(p->dir, p->index, delete, auid); else { struct rtattr **rtattrs = (struct rtattr **)xfrma; struct rtattr *rt = rtattrs[XFRMA_SEC_CTX-1]; @@ -1052,7 +1055,7 @@ static int xfrm_get_policy(struct sk_buf if ((err = security_xfrm_policy_alloc(&tmp, uctx))) return err; } - xp = xfrm_policy_bysel_ctx(p->dir, &p->sel, tmp.security, delete); + xp = xfrm_policy_bysel_ctx(p->dir, &p->sel, tmp.security, delete, auid); security_xfrm_policy_free(&tmp); } if (xp == NULL) @@ -1090,7 +1093,7 @@ static int xfrm_flush_sa(struct sk_buff struct km_event c; struct xfrm_usersa_flush *p = NLMSG_DATA(nlh); - xfrm_state_flush(p->proto); + xfrm_state_flush(p->proto, NETLINK_CB(skb).loginuid); c.data.proto = p->proto; c.event = nlh->nlmsg_type; c.seq = nlh->nlmsg_seq; @@ -1237,7 +1240,7 @@ static int xfrm_flush_policy(struct sk_b { struct km_event c; - xfrm_policy_flush(); + xfrm_policy_flush(NETLINK_CB(skb).loginuid); c.event = nlh->nlmsg_type; c.seq = nlh->nlmsg_seq; c.pid = nlh->nlmsg_pid; @@ -1251,9 +1254,12 @@ static int xfrm_add_pol_expire(struct sk struct xfrm_user_polexpire *up = NLMSG_DATA(nlh); struct xfrm_userpolicy_info *p = &up->pol; int err = -ENOENT; + uid_t auid; + + auid = NETLINK_CB(skb).loginuid; if (p->index) - xp = xfrm_policy_byid(p->dir, p->index, 0); + xp = xfrm_policy_byid(p->dir, p->index, 0, auid); else { struct rtattr **rtattrs = (struct rtattr **)xfrma; struct rtattr *rt = rtattrs[XFRMA_SEC_CTX-1]; @@ -1270,7 +1276,7 @@ static int xfrm_add_pol_expire(struct sk if ((err = security_xfrm_policy_alloc(&tmp, uctx))) return err; } - xp = xfrm_policy_bysel_ctx(p->dir, &p->sel, tmp.security, 0); + xp = xfrm_policy_bysel_ctx(p->dir, &p->sel, tmp.security, 0, auid); security_xfrm_policy_free(&tmp); } @@ -1285,7 +1291,7 @@ static int xfrm_add_pol_expire(struct sk read_unlock(&xp->lock); err = 0; if (up->hard) { - xfrm_policy_delete(xp, p->dir); + xfrm_policy_delete(xp, p->dir, auid); } else { // reset the timers here? printk("Dont know what to do with soft policy expire\n"); @@ -1318,7 +1324,7 @@ static int xfrm_add_sa_expire(struct sk_ km_state_expired(x, ue->hard, current->pid); if (ue->hard) - __xfrm_state_delete(x); + __xfrm_state_delete(x, NETLINK_CB(skb).loginuid); out: spin_unlock_bh(&x->lock); xfrm_state_put(x);

18 years, 9 months

2
3
0 / 0

segfaults in pam_loginuid.so/sshd

by Klaus Weidner

If you're seeing segfaults when logging in via ssh with pam_loginuid.so using the "require_auditd" option, or possibly other weird audit related behavior, try upgrading or recompiling the PAM library and/or the audit library. The segfault I was seeing was caused by a binary incompatible change in the libaudit.h audit_reply structure with mismatched packages in the recent RHEL5 beta. (Irina, feel free to declassify issue tracker #104436 if you think that's appropriate.) -Klaus

18 years, 9 months

1
0
0 / 0

autail

by Timothy R. Chavez

Hello, I thought the following really basic script might be useful to others. The script adds tail functionality to the "human readable" audit log. Particular care was taken to allow for "tail -f" functionality to work reasonably well. It's not perfect, unfortunately, so if you have any improvements feel free to send them my way. The hard part here is that ausearch consults /etc/passwd quite a bit and will wreak havoc on the audit log if /etc/passwd is being audited and ausearch is reading from stdin. There's no really good way to pipe raw audit records into ausearch either, so the below is the best I could get it. There's one side effect that I know of with this solution and that is you may get a "<no matches>" message. I'll spend some time figuring out how to get rid of it. It'd be really great if you could pipe data directly into ausearch rather than having to use "-if". Enjoy. -tim #!/bin/bash # # autail - tail functionality for the audit log # # Copyright (C) IBM Corporation, 2001 # Authors: Timothy R. Chavez <tinytim(a)us.ibm.com> # # The "ausearch" utility accesses /etc/passwd frequently, so to prevent it # from generating its own messages while reading from /dev/stdin, we disable # it by introducing a short-circuit rule into the audit subsystem and run # ausearch such that any record it generates is thrown away. # insert_shortcircuit () { groupadd autail /sbin/auditctl -A entry,never -F gid=autail } remove_shortcircuit () { /sbin/auditctl -d entry,never -F gid=autail groupdel autail } trap "{ remove_shortcircuit; exit 0; }" SIGINT SIGTERM insert_shortcircuit sg autail "/sbin/ausearch -i -if /dev/stdin"& /usr/bin/tail $* /var/log/audit/audit.log remove_shortcircuit exit 0

18 years, 9 months

1
1
0 / 0

audit 1.2.9 released

by Steve Grubb

Hi, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit It will also be in rawhide tomorrow. The Changelog is: - In auditd if num_logs is zero, don't rotate on SIGUSR1 (#208834) - Fix some defines in libaudit.h - Some auditd config strings were not initialized in aureport (#211443) - Updated man pages - Add Netlabel event types to libaudit - Update aureports to current audit event types - Update autrace a little - Deprecated all the old audit_rule functions from public API - Drop auparse library for the moment Please let me know if there are any problems with this release. -Steve

18 years, 9 months

1
0
0 / 0

An autrace that follows forks

by John D. Ramsdell

I plan to write a version of autrace that follows forks. When run in follow forks mode, it will ptrace the child. Each time the child or one of its descendents creates a new process, the program will use the API provided by libaudit to add an audit rule for the freshly created process. If I hear of interest in this capability, I'll prepare a patch against the most recent audit source release, and share. Last summer, someone else in my company made a simple version of a fork following tracer based on the audit library; however it does not compile on my FC5 machine. The reason is he was including the kernel's headers for ptrace, which defines PTRACE_O_TRACEFORK and other symbols not part of the standard ptrace header. I don't like the idea of requiring kernel headers to compile the extended version autrace. I studied the strace source code, in particular, strace.c and process.c. I ran the preprocessor on these files using the options created on an FC5 machine, and my comments refer to the preprocessed version of these source files. When asked to follow forks, in addition to calling ptrace with the PTRACE_TRACEME option in the child, strace uses procfs to find the task ID of the process PID in the directory /proc/PID/task. Apparently, it's the only file name in the directory that parses as a positive number. Using ptrace to attach to the task ID allows strace to follow forks. I'm guessing that I have to set a ptrace option so that the parent is signaled on every descendent system call, and inspect each system call to see if a new process was created. I bet following more of the strace logic will allow me to figure out these details. I'm worried that blindly following strace's ways may lead me astray. Is there someplace I can find high-level documentation on when to use ptrace and when to use the procfs? Should I also study the GDB sources? John

18 years, 10 months

3
9
0 / 0

auditing labeled ipsec

by Joy Latten

Linux provides two apis to add/delete/manage SAs and spd. One is netlink which was extended to do key management. The other is pfkeyv2, which our setkey and racoon uses. With all that said, I am not able to figure out how to get "auid" from pfkeyv2? I can use NETLINK_CB(skb).loginuid to get it when netlink is used, but I don't think I can use this for pfkeyv2 since I am not using netlink headers. I am using pfkey message headers, such as sadb_msg, which don't include this. Any ideas or suggestions? Regards, Joy

18 years, 10 months

4
7
0 / 0

labeled ipsec auditing

by Joy Latten

I am auditing when an ipsec policy is added and removed from the Security Policy Database. Should I also add audit when an SA is added and removed? SAs can quickly fill up log since there can be many of them and they also have a lifetime associated with them that can result in continuous renewal. I looked at how Paul implemented netlabel auditing, but was wondering is there any specific info I should audit for labeled ipsec? Regards, Joy

18 years, 10 months

5
9
0 / 0

Audit-1.0.14

by Boyce, Kevin P. (Melbourne, FL)

I am trying to use a vanilla kernel from kernel.org version 2.6.12 and 2.6.16 with the audit daemon version 1.0.14. I am using ubuntu, so I have used alien to convert the redhat binary packages for an x86_64 architecture into *.deb files. I can install the deb files and the audit daemon runs, but it has trouble parsing the audit.rules file. The error I am getting is "Error sending insert watch request (Invalid Argument)." Please help. I have a requirement to use these two kernel versions, and unfortunately can't use redhat, fedora, or their kernel binaries. I have recompiled my kernel with auditing turned on. I can look in the audit.log file and see events being written there when I start and stop the daemon, so I know the daemon works. I just need to know how to parse the log file correctly. Also when you bypass the log file and just use auditctl -w <file to watch>, the same error is returned. Thanks in advance. Kevin Boyce kevin.boyce(a)ngc.com

18 years, 10 months

2
1
0 / 0

file watch and stat

by Michael C Thompson

Hey all, I'm trying to figure out why having a watch a on file is not generating a record when I stat said file. Put a watch on a file, and do stat file. No record... I'm not sure why this is happening, isn't getting such information considered security relevant? Mike

18 years, 10 months

2
3
0 / 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit October 2006