November 2006 - Linux-audit - Linux-Audit List Archives

[2.6 patch] kernel/audit.c: remove unused exports

by Adrian Bunk

This patch removes the following unused EXPORT_SYMBOL's: - audit_log_start - audit_log_end - audit_log_format - audit_log Signed-off-by: Adrian Bunk <bunk(a)stusta.de> --- This patch was already sent on: - 20 Apr 2006 --- linux-2.6.17-rc1-mm3-full/kernel/audit.c.old 2006-04-20 22:38:17.000000000 +0200 +++ linux-2.6.17-rc1-mm3-full/kernel/audit.c 2006-04-20 22:40:03.000000000 +0200 @@ -1092,7 +1092,3 @@ } } -EXPORT_SYMBOL(audit_log_start); -EXPORT_SYMBOL(audit_log_end); -EXPORT_SYMBOL(audit_log_format); -EXPORT_SYMBOL(audit_log);

18 years

4
9
0 / 0

[PATCH 1/1] fix several things in ipsec audit

by Joy Latten

Steve, if this looks ok to you I will send to netdev. I compiled and tested with and without CONFIG_AUDITSYSCALL. ------------------------------------------------------------- This patch disables auditing in ipsec when CONFIG_AUDITSYSCALL is disabled in the kernel. This patch also includes a bug fix for xfrm_state.c as a result of original ipsec audit patch. Regards, Joy diff -urpN linux-2.6.18-patch/include/net/xfrm.h linux-2.6.18-patch.2/include/net/xfrm.h --- linux-2.6.18-patch/include/net/xfrm.h 2006-11-27 12:29:11.000000000 -0600 +++ linux-2.6.18-patch.2/include/net/xfrm.h 2006-11-28 13:26:49.000000000 -0600 @@ -395,8 +395,13 @@ struct xfrm_audit uid_t loginuid; u32 secid; }; -void xfrm_audit_log(uid_t auid, u32 secid, int type, int result, + +#ifdef CONFIG_AUDITSYSCALL +extern void xfrm_audit_log(uid_t auid, u32 secid, int type, int result, struct xfrm_policy *xp, struct xfrm_state *x); +#else +#define xfrm_audit_log(a,s,t,r,p,x) do { ; } while (0) +#endif /* CONFIG_AUDITSYSCALL */ static inline void xfrm_pol_hold(struct xfrm_policy *policy) { diff -urpN linux-2.6.18-patch/net/xfrm/xfrm_policy.c linux-2.6.18-patch.2/net/xfrm/xfrm_policy.c --- linux-2.6.18-patch/net/xfrm/xfrm_policy.c 2006-11-27 12:29:33.000000000 -0600 +++ linux-2.6.18-patch.2/net/xfrm/xfrm_policy.c 2006-11-28 14:51:09.000000000 -0600 @@ -1955,6 +1955,7 @@ int xfrm_bundle_ok(struct xfrm_policy *p EXPORT_SYMBOL(xfrm_bundle_ok); +#ifdef CONFIG_AUDITSYSCALL /* Audit addition and deletion of SAs and ipsec policy */ void xfrm_audit_log(uid_t auid, u32 sid, int type, int result, @@ -2063,6 +2064,7 @@ void xfrm_audit_log(uid_t auid, u32 sid, } EXPORT_SYMBOL(xfrm_audit_log); +#endif /* CONFIG_AUDITSYSCALL */ int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo) { diff -urpN linux-2.6.18-patch/net/xfrm/xfrm_state.c linux-2.6.18-patch.2/net/xfrm/xfrm_state.c --- linux-2.6.18-patch/net/xfrm/xfrm_state.c 2006-11-27 12:29:33.000000000 -0600 +++ linux-2.6.18-patch.2/net/xfrm/xfrm_state.c 2006-11-28 12:58:56.000000000 -0600 @@ -407,7 +407,6 @@ restart: xfrm_state_hold(x); spin_unlock_bh(&xfrm_state_lock); - xfrm_state_delete(x); err = xfrm_state_delete(x); xfrm_audit_log(audit_info->loginuid, audit_info->secid,

18 years

3
3
0 / 0

audit 1.3 released

by Steve Grubb

Hi, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit It will also be in rawhide tomorrow. The Changelog is: - ausearch & aureport implement uid/gid caching - In ausearch & aureport, extract addr when hostname is unknown - In ausearch & aureport, test audit log presence O_RDONLY - New ausearch/aureport time keywords: recent, this-week, this-month, this-year - Added --add & --delete option to aureport - Update res parsing in config change events - Increase the size on audit daemon buffers - Parse avc_path records in ausearch/aureport - Rework AVC processing in ausearch/aureport - ausearch has new output mode, raw, for extracting events - ausearch/aureport can now read stdin - Added long options to ausearch and aureport - new auditd commandline option, -l, to allow following symlinks for its config file. This is a big update with several new things. The first three are performance improvement things. The next item introduces some new keywords for time ranges. recent means 10 minutes ago, this-week means since day 0 of the week as determined by your locale, this-month means day 1 of the current month, and this-year means 1/1 of the current year. The next item adds 2 new command line options to aureport. This is intended to sort out things that are related to adding rules/users/groups vs deleting them. This can be handy to divide up config change reports. The next 4 items are bug fixes. ausearch has a new output mode, --raw. This means that the audit log entry is emitted with no interpretation and no changes. This is handy to extract portions of logs for use later or as the first stage of piping commands together. If you have a user you want to extract logs for, you can now do this: ausearch -ts this-week -ul 500 > user.log The next item in the new features is that ausearch/aureport can now take events from stdin. So, you can now do something like this: ausearch -ts this-month -ul 500 --raw | aureport The next item is that every commandline option in ausearch/aureport has a long option. This means that you can do this: ausearch --start this-week --loginuid 500 --message avc --terminal tty1 or aureport --start this-month --failed --event The final item is a commandline option allowing auditd to follow symlinks to read its config file. I guess this might be useful for people doing stateless or live CD's where the writeable files are kept somewhere else. If you see any issues with this release please let me know. -Steve

18 years

2
1
0 / 0

Chronological audit logs

by Kirkwood, David A

Can someone tell me how I can generate a chronological listing between 2 dates of all the issues I have designated to watch in the audit capabilities of the system? I need to get a system with audit capability sufficiently palatable to the Defense Department for classified use. I currently use Sun workstations and generate the audit logs via praudit and was looking for some way to set up simaller archived weekly audit logs. Thanks, David A. Kirkwood SAIC david.a.kirkwood(a)saic.com kirkwoodd(a)saic.com Phone: (727) 502-8310 Fax: (727) 822-7776

18 years

3
2
0 / 0

[PATCH] minor update to rule add/delete messages

by Steve Grubb

Hi, I was looking at parsing some of these messages and found that I wanted what it was doing next to an op= for the parser to key on. Also, you can search on the key field for a lot of things and I think its missing in a couple places as is the list number and results. Signed-off-by: Steve Grubb <sgrubb(a)redhat.com> diff -urp linux-2.6.18.x86_64.orig/kernel/auditfilter.c linux-2.6.18.x86_64/kernel/auditfilter.c --- linux-2.6.18.x86_64.orig/kernel/auditfilter.c 2006-11-28 14:23:17.000000000 -0500 +++ linux-2.6.18.x86_64/kernel/auditfilter.c 2006-11-28 14:21:51.000000000 -0500 @@ -938,9 +938,15 @@ static void audit_update_watch(struct au } ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); - audit_log_format(ab, "audit updated rules specifying path="); + audit_log_format(ab, "op=updated rules specifying path="); audit_log_untrustedstring(ab, owatch->path); audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino); + if (r->filterkey) { + audit_log_format(ab, " key="); + audit_log_untrustedstring(ab, r->filterkey); + } else + audit_log_format(ab, " key=(null)"); + audit_log_format(ab, " list=%d res=1", r->listnr); audit_log_end(ab); audit_remove_watch(owatch); @@ -970,14 +976,14 @@ static void audit_remove_parent_watches( e = container_of(r, struct audit_entry, rule); ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); - audit_log_format(ab, "audit implicitly removed rule path="); + audit_log_format(ab, "op=remove rule path="); audit_log_untrustedstring(ab, w->path); if (r->filterkey) { audit_log_format(ab, " key="); audit_log_untrustedstring(ab, r->filterkey); } else audit_log_format(ab, " key=(null)"); - audit_log_format(ab, " list=%d", r->listnr); + audit_log_format(ab, " list=%d res=1", r->listnr); audit_log_end(ab); list_del(&r->rlist); @@ -1411,7 +1417,7 @@ static void audit_log_rule_change(uid_t audit_log_format(ab, " subj=%s", ctx); kfree(ctx); } - audit_log_format(ab, " %s rule key=", action); + audit_log_format(ab, " op=%s rule key=", action); if (rule->filterkey) audit_log_untrustedstring(ab, rule->filterkey); else

18 years

1
0
0 / 0

syscall record for mq_unlink

by Michael C Thompson

Hey Steve, So, Happy Thanksgiving, is this a bug? :P Audit record: type=SYSCALL msg=audit(1164127960.194:49): arch=c000003e syscall=241 success=yes exit=0 a0=2aaaaab2171d a1=2aaaaab2171c a2=7fff69a6cab8 a3=2aaaafb31188 items=3 ppid=1758 pid=1791 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="python" exe="/usr/bin/python" subj=abat_u:abat_r:abat_t:s0-s15:c0.c1023 key=(null) type=CWD msg=audit(1164127960.194:49): cwd="/rhcc/lspp/tests/LTP/ltp-merged/testcases/kernel/security/mls/tests/framework" type=PATH msg=audit(1164127960.194:49): item=0 name="-RNHJnfkU" type=PATH msg=audit(1164127960.194:49): item=1 name=(null) inode=7385 dev=00:0d mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=abat_u:object_r:abat_tmpfs_t:s0 type=PATH msg=audit(1164127960.194:49): item=2 name=(null) inode=338 dev=00:0d mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmpfs_t:s15:c0.c1023 The syscall prototype in the kernel is as follows: asmlinkage long sys_mq_unlink(const char __user *u_name) The function all is: ret = mq_unlink(msgqid); The value of char *msgqid is: 2aaaaab2171c So, the question is: Why is a0=(msgqid)+1, and why is a1=(msgqid) I am not sure if this is some crazy "feature" or if this is a real bug. I know there are some syscalls that differ from the glibc-level calls, but this one violates the function internal to the kernel. Any ideas? This is on the lspp.55 kernel. Thanks, Mike

18 years, 1 month

2
2
0 / 0

[PATCH 2.6.19-rc6] audit: support for descriptor pairs

by Mark Workman

provide an audit record of the descriptor pair returned by pipe() and socketpair(). Signed-off-by: Jeremy Latt <jlatt(a)faceprint.com> Signed-off-by: Steven Trieber <spt(a)mitre.org> Signed-off-by: Mark Workman <mworkman(a)mitre.org> --- fs/pipe.c | 7 +++++++ include/linux/audit.h | 9 +++++++++ kernel/auditsc.c | 40 ++++++++++++++++++++++++++++++++++++++++ net/socket.c | 34 ++++++++++++++++++++++++++-------- 4 files changed, 82 insertions(+), 8 deletions(-) --- diff -uprN -X a/Documentation/dontdiff a/fs/pipe.c b/fs/pipe.c --- a/fs/pipe.c 2006-11-17 16:39:33.000000000 -0500 +++ b/fs/pipe.c 2006-11-17 17:34:24.000000000 -0500 @@ -16,6 +16,7 @@ #include <linux/uio.h> #include <linux/highmem.h> #include <linux/pagemap.h> +#include <linux/audit.h> #include <asm/uaccess.h> #include <asm/ioctls.h> @@ -972,6 +973,10 @@ int do_pipe(int *fd) goto err_fdr; fdw = error; + error = audit_fd_pair(fdr, fdw); + if (error < 0) + goto err_fdw; + fd_install(fdr, fr); fd_install(fdw, fw); fd[0] = fdr; @@ -979,6 +984,8 @@ int do_pipe(int *fd) return 0; + err_fdw: + put_unused_fd(fdw); err_fdr: put_unused_fd(fdr); err_read_pipe: diff -uprN -X a/Documentation/dontdiff a/include/linux/audit.h b/include/linux/audit.h --- a/include/linux/audit.h 2006-11-17 16:39:38.000000000 -0500 +++ b/include/linux/audit.h 2006-11-17 17:34:24.000000000 -0500 @@ -89,6 +89,7 @@ #define AUDIT_MQ_NOTIFY 1314 /* POSIX MQ notify record type */ #define AUDIT_MQ_GETSETATTR 1315 /* POSIX MQ get/set attribute record type */ #define AUDIT_KERNEL_OTHER 1316 /* For use by 3rd party modules */ +#define AUDIT_FD_PAIR 1317 /* audit record for pipe/socketpair */ #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ @@ -382,6 +383,7 @@ extern int __audit_ipc_set_perm(unsigned extern int audit_bprm(struct linux_binprm *bprm); extern int audit_socketcall(int nargs, unsigned long *args); extern int audit_sockaddr(int len, void *addr); +extern int __audit_fd_pair(int fd1, int fd2); extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt); extern int audit_set_macxattr(const char *name); extern int __audit_mq_open(int oflag, mode_t mode, struct mq_attr __user *u_attr); @@ -396,6 +398,12 @@ static inline int audit_ipc_obj(struct k return __audit_ipc_obj(ipcp); return 0; } +static inline int audit_fd_pair(int fd1, int fd2) +{ + if (unlikely(!audit_dummy_context())) + return __audit_fd_pair(fd1, fd2); + return 0; +} static inline int audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode) { if (unlikely(!audit_dummy_context())) @@ -453,6 +461,7 @@ extern int audit_n_rules; #define audit_ipc_set_perm(q,u,g,m) ({ 0; }) #define audit_bprm(p) ({ 0; }) #define audit_socketcall(n,a) ({ 0; }) +#define audit_fd_pair(n,a) ({ 0; }) #define audit_sockaddr(len, addr) ({ 0; }) #define audit_avc_path(dentry, mnt) ({ 0; }) #define audit_set_macxattr(n) do { ; } while (0) diff -uprN -X a/Documentation/dontdiff a/kernel/auditsc.c b/kernel/auditsc.c --- a/kernel/auditsc.c 2006-11-17 16:39:43.000000000 -0500 +++ b/kernel/auditsc.c 2006-11-17 17:34:24.000000000 -0500 @@ -169,6 +169,11 @@ struct audit_aux_data_sockaddr { char a[0]; }; +struct audit_aux_data_fd_pair { + struct audit_aux_data d; + int fd[2]; +}; + struct audit_aux_data_path { struct audit_aux_data d; struct dentry *dentry; @@ -956,6 +961,11 @@ static void audit_log_exit(struct audit_ audit_log_d_path(ab, "path=", axi->dentry, axi->mnt); break; } + case AUDIT_FD_PAIR: { + struct audit_aux_data_fd_pair *axs = (void *)aux; + audit_log_format(ab, "fd0=%d fd1=%d", axs->fd[0], axs->fd[1]); + break; } + } audit_log_end(ab); } @@ -1808,6 +1818,36 @@ int audit_socketcall(int nargs, unsigned } /** + * __audit_fd_pair - record audit data for pipe and socketpair + * @fd1: the first file descriptor + * @fd2: the second file descriptor + * + * Returns 0 for success or NULL context or < 0 on error. + */ +int __audit_fd_pair(int fd1, int fd2) +{ + struct audit_context *context = current->audit_context; + struct audit_aux_data_fd_pair *ax; + + if (likely(!context)) { + return 0; + } + + ax = kmalloc(sizeof(*ax), GFP_KERNEL); + if (!ax) { + return -ENOMEM; + } + + ax->fd[0] = fd1; + ax->fd[1] = fd2; + + ax->d.type = AUDIT_FD_PAIR; + ax->d.next = context->aux; + context->aux = (void *)ax; + return 0; +} + +/** * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto * @len: data length in user space * @a: data address in kernel space diff -uprN -X a/Documentation/dontdiff a/net/socket.c b/net/socket.c --- a/net/socket.c 2006-11-17 16:39:45.000000000 -0500 +++ b/net/socket.c 2006-11-17 17:34:24.000000000 -0500 @@ -1200,6 +1200,7 @@ asmlinkage long sys_socketpair(int famil { struct socket *sock1, *sock2; int fd1, fd2, err; + struct file *newfile1, *newfile2; /* * Obtain the first socket and check if the underlying protocol @@ -1218,18 +1219,34 @@ asmlinkage long sys_socketpair(int famil if (err < 0) goto out_release_both; - fd1 = fd2 = -1; + fd1 = sock_alloc_fd(&newfile1); + if (likely(fd1 >= 0)) { + err = sock_attach_fd(sock1, newfile1); + + if (unlikely(err < 0)) { + put_filp(newfile1); + put_unused_fd(fd1); + goto out_release_both; + } + } - err = sock_map_fd(sock1); - if (err < 0) - goto out_release_both; - fd1 = err; + fd2 = sock_alloc_fd(&newfile2); + if (likely(fd2 >= 0)) { + err = sock_attach_fd(sock2, newfile2); + + if (unlikely(err < 0)) { + put_filp(newfile2); + put_unused_fd(fd2); + goto out_close_1; + } + } - err = sock_map_fd(sock2); + err = audit_fd_pair(fd1, fd2); if (err < 0) - goto out_close_1; - fd2 = err; + goto out_close_2; + fd_install(fd1, newfile1); + fd_install(fd2, newfile2); /* fd1 and fd2 may be already another descriptors. * Not kernel problem. */ @@ -1240,6 +1257,7 @@ asmlinkage long sys_socketpair(int famil if (!err) return 0; +out_close_2: sys_close(fd2); sys_close(fd1); return err;

18 years, 1 month

2
1
0 / 0

[PATCH 1/1]:ipsec audit: additional change when AUDITSYSCALL is off

by Joy Latten

Steve, I have successfully compiled and run following kernels with this patch. - lspp 55 kernel source with config that comes with it - lspp 55 kernel source with CONFIG_SELINUX turned off in config - lspp 55 kernel source with CONFIG_AUDITSYSCALL turned off (this compilation resulted in my having to add following line to linux/audit.h so that kernel would compile. Let me know if that looks ok or not. +#define audit_log_task_context(b) do { ; } while (0) If the new line of code I added looks ok, let me know and I will send patch to netdev and cc you. When I tested the kernel with CONFIG_AUDITSYSCALL turned off, I noticed that I did receive the expected messages in the audit.log. Is that ok? Should I have also turned off CONFIG_AUDIT? Or was I just ensuring that kernel compiled with CONFIG_AUDITSYSCALL turned off? Thanks! Regards, Joy ---------------------------------------------------------------------------- diff -urpN linux-2.6.18.ppc64.orig/include/linux/audit.h linux-2.6.18.ppc64.test/include/linux/audit.h --- linux-2.6.18.ppc64.orig/include/linux/audit.h 2006-11-20 09:52:19.000000000 -0600 +++ linux-2.6.18.ppc64.test/include/linux/audit.h 2006-11-20 18:05:30.000000000 -0600 @@ -100,6 +100,10 @@ #define AUDIT_MAC_CIPSOV4_DEL 1408 /* NetLabel: del CIPSOv4 DOI entry */ #define AUDIT_MAC_MAP_ADD 1409 /* NetLabel: add LSM domain mapping */ #define AUDIT_MAC_MAP_DEL 1410 /* NetLabel: del LSM domain mapping */ +#define AUDIT_MAC_IPSEC_ADDSA 1411 /* Add a XFRM state */ +#define AUDIT_MAC_IPSEC_DELSA 1412 /* Delete a XFRM state */ +#define AUDIT_MAC_IPSEC_ADDSPD 1413 /* Add a XFRM policy */ +#define AUDIT_MAC_IPSEC_DELSPD 1414 /* Delete a XFRM policy */ #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG 1799 @@ -376,6 +380,7 @@ extern void auditsc_get_stamp(struct aud struct timespec *t, unsigned int *serial); extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid); extern uid_t audit_get_loginuid(struct audit_context *ctx); +extern void audit_log_task_context(struct audit_buffer *ab); extern int __audit_ipc_obj(struct kern_ipc_perm *ipcp); extern int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode); extern int audit_bprm(struct linux_binprm *bprm); @@ -448,6 +453,7 @@ extern int audit_n_rules; #define audit_inode_update(i) do { ; } while (0) #define auditsc_get_stamp(c,t,s) do { BUG(); } while (0) #define audit_get_loginuid(c) ({ -1; }) +#define audit_log_task_context(b) do { ; } while (0) #define audit_ipc_obj(i) ({ 0; }) #define audit_ipc_set_perm(q,u,g,m) ({ 0; }) #define audit_bprm(p) ({ 0; }) diff -urpN linux-2.6.18.ppc64.orig/include/net/xfrm.h linux-2.6.18.ppc64.test/include/net/xfrm.h --- linux-2.6.18.ppc64.orig/include/net/xfrm.h 2006-11-20 09:52:43.000000000 -0600 +++ linux-2.6.18.ppc64.test/include/net/xfrm.h 2006-11-20 11:05:49.000000000 -0600 @@ -371,9 +371,17 @@ struct xfrm_mgr extern int xfrm_register_km(struct xfrm_mgr *km); extern int xfrm_unregister_km(struct xfrm_mgr *km); - extern struct xfrm_policy *xfrm_policy_list[XFRM_POLICY_MAX*2]; +/* Audit Information */ +struct xfrm_audit +{ + uid_t loginuid; + u32 secid; +}; +void xfrm_audit_log(uid_t auid, u32 secid, int type, int result, + struct xfrm_policy *xp, struct xfrm_state *x); + static inline void xfrm_pol_hold(struct xfrm_policy *policy) { if (likely(policy != NULL)) @@ -904,7 +912,7 @@ extern int xfrm_state_update(struct xfrm extern struct xfrm_state *xfrm_state_lookup(xfrm_address_t *daddr, u32 spi, u8 proto, unsigned short family); extern struct xfrm_state *xfrm_find_acq_byseq(u32 seq); extern int xfrm_state_delete(struct xfrm_state *x); -extern void xfrm_state_flush(u8 proto); +extern void xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info); extern int xfrm_replay_check(struct xfrm_state *x, u32 seq); extern void xfrm_replay_advance(struct xfrm_state *x, u32 seq); extern void xfrm_replay_notify(struct xfrm_state *x, int event); @@ -952,13 +960,12 @@ int xfrm_policy_insert(int dir, struct x struct xfrm_policy *xfrm_policy_bysel_ctx(int dir, struct xfrm_selector *sel, struct xfrm_sec_ctx *ctx, int delete); struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete); -void xfrm_policy_flush(void); u32 xfrm_get_acqseq(void); void xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi); struct xfrm_state * xfrm_find_acq(u8 mode, u32 reqid, u8 proto, xfrm_address_t *daddr, xfrm_address_t *saddr, int create, unsigned short family); -extern void xfrm_policy_flush(void); +extern void xfrm_policy_flush(struct xfrm_audit *audit_info); extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol); extern int xfrm_flush_bundles(void); extern void xfrm_flush_all_bundles(void); diff -urpN linux-2.6.18.ppc64.orig/kernel/auditsc.c linux-2.6.18.ppc64.test/kernel/auditsc.c --- linux-2.6.18.ppc64.orig/kernel/auditsc.c 2006-11-20 09:51:06.000000000 -0600 +++ linux-2.6.18.ppc64.test/kernel/auditsc.c 2006-11-20 11:02:36.000000000 -0600 @@ -730,7 +730,7 @@ static inline void audit_free_context(st printk(KERN_ERR "audit: freed %d contexts\n", count); } -static void audit_log_task_context(struct audit_buffer *ab) +void audit_log_task_context(struct audit_buffer *ab) { char *ctx = NULL; ssize_t len = 0; @@ -759,6 +759,8 @@ error_path: return; } +EXPORT_SYMBOL(audit_log_task_context); + static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) { char name[sizeof(tsk->comm)]; @@ -1489,6 +1491,8 @@ uid_t audit_get_loginuid(struct audit_co return ctx ? ctx->loginuid : -1; } +EXPORT_SYMBOL(audit_get_loginuid); + /** * __audit_mq_open - record audit data for a POSIX MQ open * @oflag: open flag diff -urpN linux-2.6.18.ppc64.orig/net/key/af_key.c linux-2.6.18.ppc64.test/net/key/af_key.c --- linux-2.6.18.ppc64.orig/net/key/af_key.c 2006-11-20 09:53:03.000000000 -0600 +++ linux-2.6.18.ppc64.test/net/key/af_key.c 2006-11-20 11:06:15.000000000 -0600 @@ -27,6 +27,7 @@ #include <linux/proc_fs.h> #include <linux/init.h> #include <net/xfrm.h> +#include <linux/audit.h> #include <net/sock.h> @@ -1420,6 +1421,9 @@ static int pfkey_add(struct sock *sk, st else err = xfrm_state_update(x); + xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, + AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x); + if (err < 0) { x->km.state = XFRM_STATE_DEAD; __xfrm_state_put(x); @@ -1462,6 +1466,10 @@ static int pfkey_delete(struct sock *sk, } err = xfrm_state_delete(x); + + xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, + AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); + if (err < 0) goto out; @@ -1637,12 +1645,15 @@ static int pfkey_flush(struct sock *sk, { unsigned proto; struct km_event c; + struct xfrm_audit audit_info; proto = pfkey_satype2proto(hdr->sadb_msg_satype); if (proto == 0) return -EINVAL; - xfrm_state_flush(proto); + audit_info.loginuid = audit_get_loginuid(current->audit_context); + audit_info.secid = 0; + xfrm_state_flush(proto, &audit_info); c.data.proto = proto; c.seq = hdr->sadb_msg_seq; c.pid = hdr->sadb_msg_pid; @@ -2194,6 +2205,8 @@ static int pfkey_spdadd(struct sock *sk, err = xfrm_policy_insert(pol->sadb_x_policy_dir-1, xp, hdr->sadb_msg_type != SADB_X_SPDUPDATE); + xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, + AUDIT_MAC_IPSEC_ADDSPD, err ? 0 : 1, xp, NULL); if (err) goto out; @@ -2270,7 +2283,11 @@ static int pfkey_spddelete(struct sock * xp = xfrm_policy_bysel_ctx(pol->sadb_x_policy_dir-1, &sel, tmp.security, 1); security_xfrm_policy_free(&tmp); - if (xp == NULL) + + xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, + AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL); + + if (xp == NULL) return -ENOENT; err = 0; @@ -2404,8 +2421,11 @@ static int key_notify_policy_flush(struc static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs) { struct km_event c; + struct xfrm_audit audit_info; - xfrm_policy_flush(); + audit_info.loginuid = audit_get_loginuid(current->audit_context); + audit_info.secid = 0; + xfrm_policy_flush(&audit_info); c.event = XFRM_MSG_FLUSHPOLICY; c.pid = hdr->sadb_msg_pid; c.seq = hdr->sadb_msg_seq; diff -urpN linux-2.6.18.ppc64.orig/net/xfrm/xfrm_policy.c linux-2.6.18.ppc64.test/net/xfrm/xfrm_policy.c --- linux-2.6.18.ppc64.orig/net/xfrm/xfrm_policy.c 2006-11-20 14:03:05.000000000 -0600 +++ linux-2.6.18.ppc64.test/net/xfrm/xfrm_policy.c 2006-11-20 13:49:47.000000000 -0600 @@ -24,6 +24,7 @@ #include <linux/module.h> #include <net/xfrm.h> #include <net/ip.h> +#include <linux/audit.h> DEFINE_MUTEX(xfrm_cfg_mutex); EXPORT_SYMBOL(xfrm_cfg_mutex); @@ -541,7 +542,7 @@ struct xfrm_policy *xfrm_policy_byid(int } EXPORT_SYMBOL(xfrm_policy_byid); -void xfrm_policy_flush(void) +void xfrm_policy_flush(struct xfrm_audit *audit_info) { struct xfrm_policy *xp; int dir; @@ -552,6 +553,8 @@ void xfrm_policy_flush(void) xfrm_policy_list[dir] = xp->next; write_unlock_bh(&xfrm_policy_lock); + xfrm_audit_log(audit_info->loginuid, audit_info->secid, + AUDIT_MAC_IPSEC_DELSPD, 1, xp, NULL); xfrm_policy_kill(xp); write_lock_bh(&xfrm_policy_lock); @@ -1367,6 +1370,116 @@ int xfrm_bundle_ok(struct xfrm_policy *p EXPORT_SYMBOL(xfrm_bundle_ok); +/* Audit addition and deletion of SAs and ipsec policy */ + +void xfrm_audit_log(uid_t auid, u32 sid, int type, int result, + struct xfrm_policy *xp, struct xfrm_state *x) +{ + + char *secctx; + u32 secctx_len; + struct xfrm_sec_ctx *sctx = NULL; + struct audit_buffer *audit_buf; + int family; + extern int audit_enabled; + + + if (audit_enabled == 0) + return; + + audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type); + if (audit_buf == NULL) + return; + + switch(type) { + case AUDIT_MAC_IPSEC_ADDSA: + audit_log_format(audit_buf, "SAD add: auid=%u", auid); + break; + case AUDIT_MAC_IPSEC_DELSA: + audit_log_format(audit_buf, "SAD delete: auid=%u", auid); + break; + case AUDIT_MAC_IPSEC_ADDSPD: + audit_log_format(audit_buf, "SPD add: auid=%u", auid); + break; + case AUDIT_MAC_IPSEC_DELSPD: + audit_log_format(audit_buf, "SPD delete: auid=%u", auid); + break; + default: + return; + } + + if (sid != 0 && + security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) + audit_log_format(audit_buf, " subj=%s", secctx); + else + audit_log_task_context(audit_buf); + + if (xp) { + family = xp->selector.family; + if (xp->security) + sctx = xp->security; + } else { + family = x->props.family; + if (x->security) + sctx = x->security; + } + + if (sctx) + audit_log_format(audit_buf, + " sec_alg=%u sec_doi=%u sec_obj=%s", + sctx->ctx_alg, sctx->ctx_doi, sctx->ctx_str); + + switch(family) { + case AF_INET: + { + struct in_addr saddr, daddr; + if (xp) { + saddr.s_addr = xp->selector.saddr.a4; + daddr.s_addr = xp->selector.daddr.a4; + } else { + saddr.s_addr = x->props.saddr.a4; + daddr.s_addr = x->id.daddr.a4; + } + audit_log_format(audit_buf, + " src=%u.%u.%u.%u dst=%u.%u.%u.%u", + NIPQUAD(saddr), NIPQUAD(daddr)); + } + break; + case AF_INET6: + { + struct in6_addr saddr6, daddr6; + if (xp) { + memcpy(&saddr6, xp->selector.saddr.a6, + sizeof(struct in6_addr)); + memcpy(&daddr6, xp->selector.daddr.a6, + sizeof(struct in6_addr)); + } else { + memcpy(&saddr6, x->props.saddr.a6, + sizeof(struct in6_addr)); + memcpy(&daddr6, x->id.daddr.a6, + sizeof(struct in6_addr)); + } + audit_log_format(audit_buf, + " src=" NIP6_FMT "dst=" NIP6_FMT, + NIP6(saddr6), NIP6(daddr6)); + } + break; + } + + if (x) + audit_log_format(audit_buf, " spi=%lu(0x%lx) protocol=%s", + (unsigned long)ntohl(x->id.spi), + (unsigned long)ntohl(x->id.spi), + x->id.proto == IPPROTO_AH ? "AH" : + (x->id.proto == IPPROTO_ESP ? + "ESP" : "IPCOMP")); + + audit_log_format(audit_buf, " res=%u", result); + audit_log_end(audit_buf); +} + +EXPORT_SYMBOL(xfrm_audit_log); + int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo) { int err = 0; diff -urpN linux-2.6.18.ppc64.orig/net/xfrm/xfrm_state.c linux-2.6.18.ppc64.test/net/xfrm/xfrm_state.c --- linux-2.6.18.ppc64.orig/net/xfrm/xfrm_state.c 2006-11-20 14:03:08.000000000 -0600 +++ linux-2.6.18.ppc64.test/net/xfrm/xfrm_state.c 2006-11-20 13:50:03.000000000 -0600 @@ -19,6 +19,7 @@ #include <linux/ipsec.h> #include <linux/module.h> #include <asm/uaccess.h> +#include <linux/audit.h> struct sock *xfrm_nl; EXPORT_SYMBOL(xfrm_nl); @@ -123,6 +124,7 @@ static void xfrm_timer_handler(unsigned unsigned long now = (unsigned long)xtime.tv_sec; long next = LONG_MAX; int warn = 0; + int err = 0; spin_lock(&x->lock); if (x->km.state == XFRM_STATE_DEAD) @@ -180,8 +182,13 @@ expired: next = 2; goto resched; } - if (!__xfrm_state_delete(x) && x->id.spi) + + err = __xfrm_state_delete(x); + if (!err && x->id.spi) km_state_expired(x, 1, 0); + + xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, + AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); out: spin_unlock(&x->lock); @@ -284,10 +291,11 @@ int xfrm_state_delete(struct xfrm_state } EXPORT_SYMBOL(xfrm_state_delete); -void xfrm_state_flush(u8 proto) +void xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info) { int i; struct xfrm_state *x; + int err = 0; spin_lock_bh(&xfrm_state_lock); for (i = 0; i < XFRM_DST_HSIZE; i++) { @@ -298,7 +306,13 @@ restart: xfrm_state_hold(x); spin_unlock_bh(&xfrm_state_lock); - xfrm_state_delete(x); + err = xfrm_state_delete(x); + + xfrm_audit_log(audit_info->loginuid, + audit_info->secid, + AUDIT_MAC_IPSEC_DELSA, + err ? 0 : 1, NULL, x); + xfrm_state_put(x); spin_lock_bh(&xfrm_state_lock); @@ -1130,6 +1144,7 @@ void xfrm_state_delete_tunnel(struct xfr if (atomic_read(&t->tunnel_users) == 2) xfrm_state_delete(t); + atomic_dec(&t->tunnel_users); xfrm_state_put(t); x->tunnel = NULL; diff -urpN linux-2.6.18.ppc64.orig/net/xfrm/xfrm_user.c linux-2.6.18.ppc64.test/net/xfrm/xfrm_user.c --- linux-2.6.18.ppc64.orig/net/xfrm/xfrm_user.c 2006-11-20 09:53:04.000000000 -0600 +++ linux-2.6.18.ppc64.test/net/xfrm/xfrm_user.c 2006-11-20 11:06:17.000000000 -0600 @@ -27,6 +27,7 @@ #include <net/xfrm.h> #include <net/netlink.h> #include <asm/uaccess.h> +#include <linux/audit.h> static int verify_one_alg(struct rtattr **xfrma, enum xfrm_attr_type_t type) { @@ -400,6 +401,9 @@ static int xfrm_add_sa(struct sk_buff *s else err = xfrm_state_update(x); + xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, + AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x); + if (err < 0) { x->km.state = XFRM_STATE_DEAD; __xfrm_state_put(x); @@ -436,6 +440,10 @@ static int xfrm_del_sa(struct sk_buff *s } err = xfrm_state_delete(x); + + xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, + AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); + if (err < 0) goto out; @@ -860,6 +868,10 @@ static int xfrm_add_policy(struct sk_buf * a type XFRM_MSG_UPDPOLICY - JHS */ excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; err = xfrm_policy_insert(p->dir, xp, excl); + + xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, + AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); + if (err) { security_xfrm_policy_free(xp); kfree(xp); @@ -1055,6 +1067,11 @@ static int xfrm_get_policy(struct sk_buf xp = xfrm_policy_bysel_ctx(p->dir, &p->sel, tmp.security, delete); security_xfrm_policy_free(&tmp); } + + if (delete) + xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, + AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL); + if (xp == NULL) return -ENOENT; @@ -1089,8 +1106,11 @@ static int xfrm_flush_sa(struct sk_buff { struct km_event c; struct xfrm_usersa_flush *p = NLMSG_DATA(nlh); + struct xfrm_audit audit_info; - xfrm_state_flush(p->proto); + audit_info.loginuid = NETLINK_CB(skb).loginuid; + audit_info.secid = NETLINK_CB(skb).sid; + xfrm_state_flush(p->proto, &audit_info); c.data.proto = p->proto; c.event = nlh->nlmsg_type; c.seq = nlh->nlmsg_seq; @@ -1235,9 +1255,12 @@ out: static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma) { -struct km_event c; + struct km_event c; + struct xfrm_audit audit_info; - xfrm_policy_flush(); + audit_info.loginuid = NETLINK_CB(skb).loginuid; + audit_info.secid = NETLINK_CB(skb).sid; + xfrm_policy_flush(&audit_info); c.event = nlh->nlmsg_type; c.seq = nlh->nlmsg_seq; c.pid = nlh->nlmsg_pid; @@ -1286,6 +1309,8 @@ static int xfrm_add_pol_expire(struct sk err = 0; if (up->hard) { xfrm_policy_delete(xp, p->dir); + xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, + AUDIT_MAC_IPSEC_DELSPD, 1, xp, NULL); } else { // reset the timers here? printk("Dont know what to do with soft policy expire\n"); @@ -1317,8 +1342,11 @@ static int xfrm_add_sa_expire(struct sk_ goto out; km_state_expired(x, ue->hard, current->pid); - if (ue->hard) + if (ue->hard) { + xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, + AUDIT_MAC_IPSEC_DELSA, 1, NULL, x); __xfrm_state_delete(x); + } out: spin_unlock_bh(&x->lock); xfrm_state_put(x);

18 years, 1 month

2
1
0 / 0

fixed ipsec audit patch

by Joy Latten

Steve, Here is the fixed ipsec patch. Let me know if all is ok. It is still building (slow machine) but I will let you know when all is done and ok. Joy ------------------------------------------------------------------------- diff -urpN linux-2.6.18.ppc64.orig/include/linux/audit.h linux-2.6.18.ppc64.test/include/linux/audit.h --- linux-2.6.18.ppc64.orig/include/linux/audit.h 2006-11-20 09:52:19.000000000 -0600 +++ linux-2.6.18.ppc64.test/include/linux/audit.h 2006-11-20 11:05:09.000000000 -0600 @@ -100,6 +100,10 @@ #define AUDIT_MAC_CIPSOV4_DEL 1408 /* NetLabel: del CIPSOv4 DOI entry */ #define AUDIT_MAC_MAP_ADD 1409 /* NetLabel: add LSM domain mapping */ #define AUDIT_MAC_MAP_DEL 1410 /* NetLabel: del LSM domain mapping */ +#define AUDIT_MAC_IPSEC_ADDSA 1411 /* Add a XFRM state */ +#define AUDIT_MAC_IPSEC_DELSA 1412 /* Delete a XFRM state */ +#define AUDIT_MAC_IPSEC_ADDSPD 1413 /* Add a XFRM policy */ +#define AUDIT_MAC_IPSEC_DELSPD 1414 /* Delete a XFRM policy */ #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG 1799 @@ -376,6 +380,7 @@ extern void auditsc_get_stamp(struct aud struct timespec *t, unsigned int *serial); extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid); extern uid_t audit_get_loginuid(struct audit_context *ctx); +extern void audit_log_task_context(struct audit_buffer *ab); extern int __audit_ipc_obj(struct kern_ipc_perm *ipcp); extern int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode); extern int audit_bprm(struct linux_binprm *bprm); diff -urpN linux-2.6.18.ppc64.orig/include/net/xfrm.h linux-2.6.18.ppc64.test/include/net/xfrm.h --- linux-2.6.18.ppc64.orig/include/net/xfrm.h 2006-11-20 09:52:43.000000000 -0600 +++ linux-2.6.18.ppc64.test/include/net/xfrm.h 2006-11-20 11:05:49.000000000 -0600 @@ -371,9 +371,17 @@ struct xfrm_mgr extern int xfrm_register_km(struct xfrm_mgr *km); extern int xfrm_unregister_km(struct xfrm_mgr *km); - extern struct xfrm_policy *xfrm_policy_list[XFRM_POLICY_MAX*2]; +/* Audit Information */ +struct xfrm_audit +{ + uid_t loginuid; + u32 secid; +}; +void xfrm_audit_log(uid_t auid, u32 secid, int type, int result, + struct xfrm_policy *xp, struct xfrm_state *x); + static inline void xfrm_pol_hold(struct xfrm_policy *policy) { if (likely(policy != NULL)) @@ -904,7 +912,7 @@ extern int xfrm_state_update(struct xfrm extern struct xfrm_state *xfrm_state_lookup(xfrm_address_t *daddr, u32 spi, u8 proto, unsigned short family); extern struct xfrm_state *xfrm_find_acq_byseq(u32 seq); extern int xfrm_state_delete(struct xfrm_state *x); -extern void xfrm_state_flush(u8 proto); +extern void xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info); extern int xfrm_replay_check(struct xfrm_state *x, u32 seq); extern void xfrm_replay_advance(struct xfrm_state *x, u32 seq); extern void xfrm_replay_notify(struct xfrm_state *x, int event); @@ -952,13 +960,12 @@ int xfrm_policy_insert(int dir, struct x struct xfrm_policy *xfrm_policy_bysel_ctx(int dir, struct xfrm_selector *sel, struct xfrm_sec_ctx *ctx, int delete); struct xfrm_policy *xfrm_policy_byid(int dir, u32 id, int delete); -void xfrm_policy_flush(void); u32 xfrm_get_acqseq(void); void xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi); struct xfrm_state * xfrm_find_acq(u8 mode, u32 reqid, u8 proto, xfrm_address_t *daddr, xfrm_address_t *saddr, int create, unsigned short family); -extern void xfrm_policy_flush(void); +extern void xfrm_policy_flush(struct xfrm_audit *audit_info); extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol); extern int xfrm_flush_bundles(void); extern void xfrm_flush_all_bundles(void); diff -urpN linux-2.6.18.ppc64.orig/kernel/auditsc.c linux-2.6.18.ppc64.test/kernel/auditsc.c --- linux-2.6.18.ppc64.orig/kernel/auditsc.c 2006-11-20 09:51:06.000000000 -0600 +++ linux-2.6.18.ppc64.test/kernel/auditsc.c 2006-11-20 11:02:36.000000000 -0600 @@ -730,7 +730,7 @@ static inline void audit_free_context(st printk(KERN_ERR "audit: freed %d contexts\n", count); } -static void audit_log_task_context(struct audit_buffer *ab) +void audit_log_task_context(struct audit_buffer *ab) { char *ctx = NULL; ssize_t len = 0; @@ -759,6 +759,8 @@ error_path: return; } +EXPORT_SYMBOL(audit_log_task_context); + static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) { char name[sizeof(tsk->comm)]; @@ -1489,6 +1491,8 @@ uid_t audit_get_loginuid(struct audit_co return ctx ? ctx->loginuid : -1; } +EXPORT_SYMBOL(audit_get_loginuid); + /** * __audit_mq_open - record audit data for a POSIX MQ open * @oflag: open flag diff -urpN linux-2.6.18.ppc64.orig/net/key/af_key.c linux-2.6.18.ppc64.test/net/key/af_key.c --- linux-2.6.18.ppc64.orig/net/key/af_key.c 2006-11-20 09:53:03.000000000 -0600 +++ linux-2.6.18.ppc64.test/net/key/af_key.c 2006-11-20 11:06:15.000000000 -0600 @@ -27,6 +27,7 @@ #include <linux/proc_fs.h> #include <linux/init.h> #include <net/xfrm.h> +#include <linux/audit.h> #include <net/sock.h> @@ -1420,6 +1421,9 @@ static int pfkey_add(struct sock *sk, st else err = xfrm_state_update(x); + xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, + AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x); + if (err < 0) { x->km.state = XFRM_STATE_DEAD; __xfrm_state_put(x); @@ -1462,6 +1466,10 @@ static int pfkey_delete(struct sock *sk, } err = xfrm_state_delete(x); + + xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, + AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); + if (err < 0) goto out; @@ -1637,12 +1645,15 @@ static int pfkey_flush(struct sock *sk, { unsigned proto; struct km_event c; + struct xfrm_audit audit_info; proto = pfkey_satype2proto(hdr->sadb_msg_satype); if (proto == 0) return -EINVAL; - xfrm_state_flush(proto); + audit_info.loginuid = audit_get_loginuid(current->audit_context); + audit_info.secid = 0; + xfrm_state_flush(proto, &audit_info); c.data.proto = proto; c.seq = hdr->sadb_msg_seq; c.pid = hdr->sadb_msg_pid; @@ -2194,6 +2205,8 @@ static int pfkey_spdadd(struct sock *sk, err = xfrm_policy_insert(pol->sadb_x_policy_dir-1, xp, hdr->sadb_msg_type != SADB_X_SPDUPDATE); + xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, + AUDIT_MAC_IPSEC_ADDSPD, err ? 0 : 1, xp, NULL); if (err) goto out; @@ -2270,7 +2283,11 @@ static int pfkey_spddelete(struct sock * xp = xfrm_policy_bysel_ctx(pol->sadb_x_policy_dir-1, &sel, tmp.security, 1); security_xfrm_policy_free(&tmp); - if (xp == NULL) + + xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, + AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL); + + if (xp == NULL) return -ENOENT; err = 0; @@ -2404,8 +2421,11 @@ static int key_notify_policy_flush(struc static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs) { struct km_event c; + struct xfrm_audit audit_info; - xfrm_policy_flush(); + audit_info.loginuid = audit_get_loginuid(current->audit_context); + audit_info.secid = 0; + xfrm_policy_flush(&audit_info); c.event = XFRM_MSG_FLUSHPOLICY; c.pid = hdr->sadb_msg_pid; c.seq = hdr->sadb_msg_seq; diff -urpN linux-2.6.18.ppc64.orig/net/xfrm/xfrm_policy.c linux-2.6.18.ppc64.test/net/xfrm/xfrm_policy.c --- linux-2.6.18.ppc64.orig/net/xfrm/xfrm_policy.c 2006-11-20 09:53:04.000000000 -0600 +++ linux-2.6.18.ppc64.test/net/xfrm/xfrm_policy.c 2006-11-20 11:06:17.000000000 -0600 @@ -24,6 +24,7 @@ #include <linux/module.h> #include <net/xfrm.h> #include <net/ip.h> +#include <linux/audit.h> DEFINE_MUTEX(xfrm_cfg_mutex); EXPORT_SYMBOL(xfrm_cfg_mutex); @@ -541,7 +542,7 @@ struct xfrm_policy *xfrm_policy_byid(int } EXPORT_SYMBOL(xfrm_policy_byid); -void xfrm_policy_flush(void) +void xfrm_policy_flush(struct xfrm_audit audit_info) { struct xfrm_policy *xp; int dir; @@ -552,6 +553,8 @@ void xfrm_policy_flush(void) xfrm_policy_list[dir] = xp->next; write_unlock_bh(&xfrm_policy_lock); + xfrm_audit_log(audit_info.loginuid, audit_info.secid, + AUDIT_MAC_IPSEC_DELSPD, 1, xp, NULL); xfrm_policy_kill(xp); write_lock_bh(&xfrm_policy_lock); @@ -1367,6 +1370,115 @@ int xfrm_bundle_ok(struct xfrm_policy *p EXPORT_SYMBOL(xfrm_bundle_ok); +/* Audit addition and deletion of SAs and ipsec policy */ + +void xfrm_audit_log(uid_t auid, u32 sid, int type, int result, + struct xfrm_policy *xp, struct xfrm_state *x) +{ + + char *secctx; + u32 secctx_len; + struct xfrm_sec_ctx *sctx = NULL; + struct audit_buffer *audit_buf; + int family; + extern int audit_enabled; + + + if (audit_enabled == 0) + return; + + audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type); + if (audit_buf == NULL) + return; + + switch(type) { + case AUDIT_MAC_IPSEC_ADDSA: + audit_log_format(audit_buf, "SAD add: auid=%u", auid); + break; + case AUDIT_MAC_IPSEC_DELSA: + audit_log_format(audit_buf, "SAD delete: auid=%u", auid); + break; + case AUDIT_MAC_IPSEC_ADDSPD: + audit_log_format(audit_buf, "SPD add: auid=%u", auid); + break; + case AUDIT_MAC_IPSEC_DELSPD: + audit_log_format(audit_buf, "SPD delete: auid=%u", auid); + break; + default: + return; + } + + if (sid != 0 && + security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) + audit_log_format(audit_buf, " subj=%s", secctx); + else + audit_log_task_context(audit_buf); + + if (xp) { + family = xp->selector.family; + if (xp->security) + sctx = xp->security; + } else { + family = x->props.family; + if (x->security) + sctx = x->security; + } + + if (sctx) + audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u ctx=%s", + sctx->ctx_alg, sctx->ctx_doi, sctx->ctx_str); + + switch(family) { + case AF_INET: + { + struct in_addr saddr, daddr; + if (xp) { + saddr.s_addr = xp->selector.saddr.a4; + daddr.s_addr = xp->selector.daddr.a4; + } else { + saddr.s_addr = x->props.saddr.a4; + daddr.s_addr = x->id.daddr.a4; + } + audit_log_format(audit_buf, + " src=%u.%u.%u.%u dst=%u.%u.%u.%u", + NIPQUAD(saddr), NIPQUAD(daddr)); + } + break; + case AF_INET6: + { + struct in6_addr saddr6, daddr6; + if (xp) { + memcpy(&saddr6, xp->selector.saddr.a6, + sizeof(struct in6_addr)); + memcpy(&daddr6, xp->selector.daddr.a6, + sizeof(struct in6_addr)); + } else { + memcpy(&saddr6, x->props.saddr.a6, + sizeof(struct in6_addr)); + memcpy(&daddr6, x->id.daddr.a6, + sizeof(struct in6_addr)); + } + audit_log_format(audit_buf, + " src=" NIP6_FMT "dst=" NIP6_FMT, + NIP6(saddr6), NIP6(daddr6)); + } + break; + } + + if (x) + audit_log_format(audit_buf, " spi=%lu(0x%lx) protocol=%s", + (unsigned long)ntohl(x->id.spi), + (unsigned long)ntohl(x->id.spi), + x->id.proto == IPPROTO_AH ? "AH" : + (x->id.proto == IPPROTO_ESP ? + "ESP" : "IPCOMP")); + + audit_log_format(audit_buf, " res=%u", result); + audit_log_end(audit_buf); +} + +EXPORT_SYMBOL(xfrm_audit_log); + int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo) { int err = 0; diff -urpN linux-2.6.18.ppc64.orig/net/xfrm/xfrm_state.c linux-2.6.18.ppc64.test/net/xfrm/xfrm_state.c --- linux-2.6.18.ppc64.orig/net/xfrm/xfrm_state.c 2006-11-20 09:53:04.000000000 -0600 +++ linux-2.6.18.ppc64.test/net/xfrm/xfrm_state.c 2006-11-20 11:06:17.000000000 -0600 @@ -19,6 +19,7 @@ #include <linux/ipsec.h> #include <linux/module.h> #include <asm/uaccess.h> +#include <linux/audit.h> struct sock *xfrm_nl; EXPORT_SYMBOL(xfrm_nl); @@ -123,6 +124,7 @@ static void xfrm_timer_handler(unsigned unsigned long now = (unsigned long)xtime.tv_sec; long next = LONG_MAX; int warn = 0; + int err = 0; spin_lock(&x->lock); if (x->km.state == XFRM_STATE_DEAD) @@ -180,8 +182,13 @@ expired: next = 2; goto resched; } - if (!__xfrm_state_delete(x) && x->id.spi) + + err = __xfrm_state_delete(x); + if (!err && x->id.spi) km_state_expired(x, 1, 0); + + xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, + AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); out: spin_unlock(&x->lock); @@ -284,10 +291,11 @@ int xfrm_state_delete(struct xfrm_state } EXPORT_SYMBOL(xfrm_state_delete); -void xfrm_state_flush(u8 proto) +void xfrm_state_flush(u8 proto, struct xfrm_audit audit_info) { int i; struct xfrm_state *x; + int err = 0; spin_lock_bh(&xfrm_state_lock); for (i = 0; i < XFRM_DST_HSIZE; i++) { @@ -298,7 +306,13 @@ restart: xfrm_state_hold(x); spin_unlock_bh(&xfrm_state_lock); - xfrm_state_delete(x); + err = xfrm_state_delete(x); + + xfrm_audit_log(audit_info.loginuid, + audit_info.secid, + AUDIT_MAC_IPSEC_DELSA, + err ? 0 : 1, NULL, x); + xfrm_state_put(x); spin_lock_bh(&xfrm_state_lock); @@ -1130,6 +1144,7 @@ void xfrm_state_delete_tunnel(struct xfr if (atomic_read(&t->tunnel_users) == 2) xfrm_state_delete(t); + atomic_dec(&t->tunnel_users); xfrm_state_put(t); x->tunnel = NULL; diff -urpN linux-2.6.18.ppc64.orig/net/xfrm/xfrm_user.c linux-2.6.18.ppc64.test/net/xfrm/xfrm_user.c --- linux-2.6.18.ppc64.orig/net/xfrm/xfrm_user.c 2006-11-20 09:53:04.000000000 -0600 +++ linux-2.6.18.ppc64.test/net/xfrm/xfrm_user.c 2006-11-20 11:06:17.000000000 -0600 @@ -27,6 +27,7 @@ #include <net/xfrm.h> #include <net/netlink.h> #include <asm/uaccess.h> +#include <linux/audit.h> static int verify_one_alg(struct rtattr **xfrma, enum xfrm_attr_type_t type) { @@ -400,6 +401,9 @@ static int xfrm_add_sa(struct sk_buff *s else err = xfrm_state_update(x); + xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, + AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x); + if (err < 0) { x->km.state = XFRM_STATE_DEAD; __xfrm_state_put(x); @@ -436,6 +440,10 @@ static int xfrm_del_sa(struct sk_buff *s } err = xfrm_state_delete(x); + + xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, + AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); + if (err < 0) goto out; @@ -860,6 +868,10 @@ static int xfrm_add_policy(struct sk_buf * a type XFRM_MSG_UPDPOLICY - JHS */ excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; err = xfrm_policy_insert(p->dir, xp, excl); + + xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, + AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); + if (err) { security_xfrm_policy_free(xp); kfree(xp); @@ -1055,6 +1067,11 @@ static int xfrm_get_policy(struct sk_buf xp = xfrm_policy_bysel_ctx(p->dir, &p->sel, tmp.security, delete); security_xfrm_policy_free(&tmp); } + + if (delete) + xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, + AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL); + if (xp == NULL) return -ENOENT; @@ -1089,8 +1106,11 @@ static int xfrm_flush_sa(struct sk_buff { struct km_event c; struct xfrm_usersa_flush *p = NLMSG_DATA(nlh); + struct xfrm_audit audit_info; - xfrm_state_flush(p->proto); + audit_info.loginuid = NETLINK_CB(skb).loginuid; + audit_info.secid = NETLINK_CB(skb).sid; + xfrm_state_flush(p->proto, &audit_info); c.data.proto = p->proto; c.event = nlh->nlmsg_type; c.seq = nlh->nlmsg_seq; @@ -1235,9 +1255,12 @@ out: static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma) { -struct km_event c; + struct km_event c; + struct xfrm_audit audit_info; - xfrm_policy_flush(); + audit_info.loginuid = NETLINK_CB(skb).loginuid; + audit_info.secid = NETLINK_CB(skb).sid; + xfrm_policy_flush(&audit_info); c.event = nlh->nlmsg_type; c.seq = nlh->nlmsg_seq; c.pid = nlh->nlmsg_pid; @@ -1286,6 +1309,8 @@ static int xfrm_add_pol_expire(struct sk err = 0; if (up->hard) { xfrm_policy_delete(xp, p->dir); + xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, + AUDIT_MAC_IPSEC_DELSPD, 1, xp, NULL); } else { // reset the timers here? printk("Dont know what to do with soft policy expire\n"); @@ -1317,8 +1342,11 @@ static int xfrm_add_sa_expire(struct sk_ goto out; km_state_expired(x, ue->hard, current->pid); - if (ue->hard) + if (ue->hard) { + xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, + AUDIT_MAC_IPSEC_DELSA, 1, NULL, x); __xfrm_state_delete(x); + } out: spin_unlock_bh(&x->lock); xfrm_state_put(x);

18 years, 1 month

2
1
0 / 0

audit 1.0.15 released

by Steve Grubb

Hi, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit The srpm is aimed at FC-4. A slightly different srpm is required for RHEL4. The Changelog is: - Correct address resolving of hostname in logging functions - Fix logging messages to use addr if passed - Add TRUSTED_APP message type - Fix netlink errno return - Auditd ignore most signals - Add audit dispatcher interface to auditd - In auditd if num_logs is zero, don't rotate on SIGUSR1 (#208834) - Cleanup file descriptor handling in auditd - Improve time handling in ausearch and aureport (#191394) - Attempt to reconstruct full path from relative for searching - Ausearch & aureport now fail if no args to -te - In aureport, add class between syscall and permission in avc report - Fix bug where fsync is called in debug mode - ausearch & aureport implement uid/gid caching - In ausearch & aureport, extract addr when hostname is unknown - In ausearch & aureport, test audit log presence O_RDONLY - Updated man pages (#213328, #213330) Please let me if there are any issues with this. -Steve

18 years, 1 month

2
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit November 2006