audit on Fedora Core 5
by John D. Ramsdell
I installed FC5 on several machines by selecting the options office
products, software development, and web server, and customize later.
I was very surprised to discover that the audit and emacs packages
were not installed. You'd think that both audit and emacs would be
part of the base system, independent of what options are specified.
John
18 years, 9 months
Audit Parsing Library Requirements
by Steve Grubb
Hello,
I am ready to begin defining requirements for an audit event extraction and
parsing library. The purpose is two-fold: it should have the ability to
extract records from a given file and it must have the ability to parse a
buffer handed to it. This will allow audit event dispatcher utilities to
process events, too. The library should also be done in a way that is
friendly to other languages like python.
Comments?
-Steve
18 years, 9 months
ASCII representations of audit events
by John D. Ramsdell
Let me offer a design principle for tools that analyze audit logs, and
report their results by displaying audit records. Irrespective of the
contents of the audit log, these tools should generate a 7-bit ASCII
representation of each audit record.
Consider the poor guy accessing a computer with a terminal. If an
audit record contains binary data, and the person performs a query
using an audit tool, binary data in the answer could contain an escape
sequence that puts the terminal into a bizarre mode. This happens to
me when I connect to a Linux machine using putty, and read mail that
contains Chinese characters. Damn spam!
Binary data can occur in logs for unexpected reasons. For example, a
log file can become corrupted, or something that is not a log file can
accidentally be used as one. Furthermore, someone with bad intentions
can carefully add binary data designed to use terminal escapes to hide
their tracks.
Once one is carefully quoting field values, it becomes easy to offer
multiple formats. Let me propose two ASCII representations of audit
events, one that is very similar to what is produced by ausearch, and
a scripting language friendly version, in which each audit record is a
sequence of tab separated values.
In both formats, an audit event is started by a line of text with
three hyphen characters. In the tab separated values format, the
names and the values that make up a record are separated by a tab
character. Each name or value is quoted using the C string literal
syntax. Letters, digits, and space characters are formatted
unmodified. Characters that can be represented with character
escapes, such as the tab and newline characters, are formatted using a
character escape, with the exception of apostrophe and question mark,
which are formatted unmodified. Also formatted unmodified are the
graphics characters: !#%^&*(_)-+=~[]|;:{},.<>/. The remaining
characters are formatted using three digit octal numeric escapes.
In the ausearch-like format, each name is separated from its value
with an equal sign, and name-value pairs are separated by a space
character. A name or a value is formated unmodified if it contains
only characters that are formatted unmodifed in tab separated value
format, and do not contain an equal sign or a space character.
Otherwise, it is formated as in tab separated value format surrounded
by double quotes.
A name or value in tab separated value format is designed to be
scripting language friendly. For example in Python, if the variable
item contains a value, and it has a backslash, one obtains the binary
string it represents with the Python expression
eval('"' + item + '"', {}, {}).
Audit events represented as tab separated values are easily consumed
in Python. A simple loop does the job.
import sys

# consume(seq, seqno) is supplied by the caller: it receives the list of
# tables making up one event and the line number of that event's "---".
def filter():
    seq = None  # A sequence of tables representing an audit event
    lineno = 0
    seqno = 0
    while True:
        line = sys.stdin.readline()
        if not line:
            if seq:
                consume(seq, seqno)
            return
        lineno = lineno + 1
        if line == "---\n":
            if seq:
                consume(seq, seqno)
            seq = []
            seqno = lineno
            continue
        if seq is None:
            sys.stderr.write("Record before event start on line " + str(lineno) + "\n")
            sys.exit(1)
        # Remove only the newline: strip() would also eat a leading or
        # trailing tab, which marks an empty name or value.
        record = line.rstrip("\n").split("\t")
        nf = len(record)  # number of fields
        if nf % 2 != 0:
            sys.stderr.write("Bad field count on line " + str(lineno) + "\n")
            sys.exit(1)
        tab = {}
        for i in range(0, nf, 2):
            tab[record[i]] = record[i + 1]
        seq.append(tab)
C applications can easily generate both formats if they use the
following interface to generate their output.
#if !defined EMIT_H
#define EMIT_H

/* The emitters generate tab separated values when the flag is
   non-zero, otherwise name-value pairs are separated by an equal
   sign. */
void set_tsv_mode(int flag);

/* Emit an event start marker, the string "---\n". */
void emit_start_event(void);

/* Emit an end of record marker, a newline character. */
void emit_record_end(void);

/* Emit the field separator, a tab character when in TSV mode,
   otherwise a space character. */
void emit_field_separator(void);

/* Emit the name-value pair separator, a tab character when in TSV
   mode, otherwise an equal sign character. */
void emit_name_value_separator(void);

/* Emit a name or a value. In TSV mode, the output is quoted using
   the C string literal syntax. Letters, digits, and space characters
   are emitted unmodified. Characters that can be represented with
   character escapes, such as the tab and newline characters, are
   printed using a character escape, with the exception of apostrophe
   and question mark, which are emitted unmodified. Also emitted
   unmodified are the graphics characters: !#%^&*(_)-+=~[]|;:{},.<>/.
   The remaining characters are output using three digit octal numeric
   escapes.

   In non-TSV mode, a name or a value is emitted unmodified if it
   contains only characters that are emitted unmodified in TSV mode,
   and does not contain an equal sign or a space character. Otherwise,
   it is emitted as in TSV mode surrounded by double quotes.

   A name or value emitted in TSV mode is designed to be scripting
   language friendly. For example in Python, if the variable item
   contains a value, and it has a backslash, one obtains the string
   it represents with the expression eval('"' + item + '"', {}, {}). */
void emit_item(const char *bytes);

#endif
The file emit.c that implements this interface is available in the
polgen CVS repository on SourceForge.
John
Those are my principles. If you don't like them, I have others.
-- Groucho Marx
18 years, 9 months
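The quoting rules from the post above, worked through as an added example (this is neither the post's code nor polgen's emit.c): a Python emitter for both the TSV and the ausearch-like format, and a parser for the TSV format that decodes values back to bytes without calling eval(), so only the escapes the format defines are ever interpreted. The sample record, including its terminal escape sequence, is constructed for the demonstration.

```python
"""Emitter and parser for the two 7-bit ASCII audit record formats described
in the post.  Added example, not polgen's emit.c.  Names and values are bytes,
so a record carrying a terminal escape sequence, quotes, backslashes or high
bytes round-trips without any of them reaching a terminal unescaped."""
import string

# Bytes written unmodified in TSV mode: letters, digits, space, the listed
# graphics characters, plus apostrophe and question mark.
_SAFE = frozenset((string.ascii_letters + string.digits + " "
                   + "!#%^&*(_)-+=~[]|;:{},.<>/" + "'?").encode("ascii"))
# C character escapes the emitter uses; any other unsafe byte becomes \ooo.
_ESC = {0x07: b"\\a", 0x08: b"\\b", 0x0C: b"\\f", 0x0A: b"\\n", 0x0D: b"\\r",
        0x09: b"\\t", 0x0B: b"\\v", 0x5C: b"\\\\", 0x22: b"\\\""}
_UNESC = {v[1]: k for k, v in _ESC.items()}   # letter after '\' -> byte


def escape_item(raw):
    """Quote a name or value (bytes) as in TSV mode; the result is 7-bit."""
    out = bytearray()
    for b in raw:
        if b in _SAFE:
            out.append(b)
        elif b in _ESC:
            out += _ESC[b]
        else:
            out += b"\\%03o" % b
    return out.decode("ascii")


def unescape_item(text):
    """Inverse of escape_item without eval(): only the escapes the format
    defines are accepted, so a tampered log line cannot run code."""
    data = text.encode("ascii")          # anything non-ASCII is rejected
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != 0x5C:
            out.append(data[i])
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("dangling backslash at offset %d" % i)
        n = data[i + 1]
        if n in _UNESC:
            out.append(_UNESC[n])
            i += 2
        elif 0x30 <= n <= 0x37:             # at most three octal digits
            j = i + 1
            while j < len(data) and j < i + 4 and 0x30 <= data[j] <= 0x37:
                j += 1
            value = int(data[i + 1:j], 8)
            if value > 0xFF:
                raise ValueError("octal escape out of range at offset %d" % i)
            out.append(value)
            i = j
        else:
            raise ValueError("unknown escape at offset %d" % i)
    return bytes(out)


def format_item(raw, tsv):
    """TSV mode: escaped form.  ausearch-like mode: unmodified when every
    byte is safe and there is no '=' or space, otherwise double-quoted."""
    text = escape_item(raw)
    plain = all(b in _SAFE for b in raw) and b"=" not in raw and b" " not in raw
    return text if (tsv or plain) else '"' + text + '"'


def format_event(records, tsv):
    """records: list of records, each a list of (name, value) byte pairs."""
    field_sep, nv_sep = ("\t", "\t") if tsv else (" ", "=")
    lines = ["---"]
    for rec in records:
        lines.append(field_sep.join(
            format_item(n, tsv) + nv_sep + format_item(v, tsv) for n, v in rec))
    return "\n".join(lines) + "\n"


def parse_tsv(text):
    """Parse TSV output into [(start_line, [{name: value}, ...]), ...]."""
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()
    events = []
    for lineno, line in enumerate(lines, 1):
        if line == "---":
            events.append((lineno, []))
            continue
        if not events:
            raise ValueError("record before event start on line %d" % lineno)
        fields = line.split("\t")
        if len(fields) % 2:
            raise ValueError("bad field count on line %d" % lineno)
        events[-1][1].append({unescape_item(fields[i]): unescape_item(fields[i + 1])
                              for i in range(0, len(fields), 2)})
    return events


# Constructed sample: a hostile value with an ANSI clear-screen sequence,
# quotes, a backslash, a dollar sign and a high byte.
SAMPLE = [[(b"type", b"USER"), (b"msg", b"\x1b[2Jevil \"x\" \\ $\xff")]]


def demo():
    """Return (tsv text, ausearch-like text, parsed events) for SAMPLE."""
    tsv = format_event(SAMPLE, tsv=True)
    return tsv, format_event(SAMPLE, tsv=False), parse_tsv(tsv)
```

demo() yields `type\tUSER\tmsg\t\033[2Jevil \"x\" \\ \044\377` in TSV mode and `type=USER msg="\033[2Jevil \"x\" \\ \044\377"` in the ausearch-like mode; the ESC byte never appears raw, and the parser restores the original bytes exactly.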
Basic audit test fails
by Steve Brueckner
I'm having trouble getting started with audit on FC4.
First, it appears I don't have file watch enabled in my kernel. Is file
watch enabled in the FC5 kernel, or still only in RHEL?
Second, I tried a basic test to audit files opened by a specific user (per
the auditctl man page) but it doesn't seem to work:
------------>8------------
[root@localhost ~]# auditctl -a exit,always -S open -F loginuid=600
audit.log:
type=CONFIG_CHANGE msg=audit(1142975396.109:6629): auid=4294967295 added an
audit rule
[develop@localhost ~]$ id
uid=600(develop) gid=600(develop) groups=600(develop)
context=user_u:system_r:unconfined_t
[develop@localhost ~]$ echo foo >> temp
audit.log:
<NO OUTPUT TO AUDIT LOG>
[root@localhost ~]# auditctl -s
AUDIT_STATUS: enabled=1 flag=1 pid=26244 rate_limit=0 backlog_limit=256
lost=0 backlog=0
[root@localhost ~]# auditctl -l
AUDIT_LIST: exit,always auid=600 (0x258) syscall=open
File system watches not supported
audit.log:
type=SELINUX_ERR msg=audit(1142975791.439:6635): SELinux: unrecognized
netlink message type=1009 for sclass=49
type=SYSCALL msg=audit(1142975791.439:6635): arch=40000003 syscall=102
success=no exit=-22 a0=b a1=bfb89970 a2=805a5dc a3=10 items=0 pid=27498
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="auditctl" exe="/sbin/auditctl"
type=SOCKADDR msg=audit(1142975791.439:6635): saddr=100000000000000000000000
type=SOCKETCALL msg=audit(1142975791.439:6635): nargs=6 a0=3 a1=bfb8dbec
a2=10 a3=0 a4=bfb8fd08 a5=c
[root@localhost ~]# uname -a
Linux localhost.localdomain 2.6.11-1.1369_FC4 #1 Thu Jun 2 22:55:56 EDT 2005
i686 i686 i386 GNU/Linux
[root@localhost ~]# getenforce
Enforcing
------------8<------------
Should this experiment have produced any output to audit.log when the user
wrote to a file? If not, why not? If so, could the stuff being logged
during the rules listing indicate a problem, or are those "unrecognized
netlink messages" normal?
Thanks for any help,
Steve Brueckner, ATC-NY
18 years, 9 months
Re: [Bugme-new] [Bug 6274] New: audit_log_exit calls sleeping function in invalid context
by Andrew Morton
bugme-daemon(a)bugzilla.kernel.org wrote:
>
> http://bugzilla.kernel.org/show_bug.cgi?id=6274
>
> Summary: audit_log_exit calls sleeping function in invalid
> context
> Kernel Version: 2.6.16
> Status: NEW
> Severity: normal
> Owner: process_other(a)kernel-bugs.osdl.org
> Submitter: vladimir.kondratiev(a)intel.com
>
>
> Most recent kernel where this bug did not occur:
> did not test this in earlier kernels
>
> Distribution:
> Fedora Core 5
>
> Hardware Environment:
> Software Environment:
> Vanilla 2.6.16 kernel
> [root@vkondra-mobl ~]# cat /proc/version
> Linux version 2.6.16 (root@vkondra-mobl) (gcc version 4.1.0 20060304 (Red Hat
> 4.1.0-3)) #1 PREEMPT Mon Mar 20 13:43:30 IST 2006
>
> Problem Description:
> sleeping function called in invalid context.
>
> Steps to reproduce:
>
> Enable audit rule to track all "exit" syscalls:
> auditctl -a exit,always -S exit
>
> run anything, 'ls' is OK. This will trigger the following error:
>
> Mar 23 16:15:10 vkondra-mobl kernel: Debug: sleeping function called from
> invalid context at include/linux/rwsem.h:43
> Mar 23 16:15:10 vkondra-mobl kernel: in_atomic():1, irqs_disabled():0
> Mar 23 16:15:10 vkondra-mobl kernel: [<c0104084>] show_trace+0xd/0xf
> Mar 23 16:15:10 vkondra-mobl kernel: [<c01040d0>] dump_stack+0x17/0x19
> Mar 23 16:15:10 vkondra-mobl kernel: [<c0114685>] __might_sleep+0x86/0x90
> Mar 23 16:15:10 vkondra-mobl kernel: [<c01345e5>] audit_log_exit+0x136/0x36b
> Mar 23 16:15:10 vkondra-mobl kernel: [<c013560a>] audit_free+0x101/0x20e
> Mar 23 16:15:10 vkondra-mobl kernel: [<c0117368>] __put_task_struct_cb+0x8f/0xdc
> Mar 23 16:15:10 vkondra-mobl kernel: [<c012624d>]
> __rcu_process_callbacks+0xf6/0x14b
> Mar 23 16:15:10 vkondra-mobl kernel: [<c01262b4>] rcu_process_callbacks+0x12/0x23
> Mar 23 16:15:10 vkondra-mobl kernel: [<c011c5c8>] tasklet_action+0x3a/0x60
> Mar 23 16:15:10 vkondra-mobl kernel: [<c011c513>] __do_softirq+0x43/0x8f
> Mar 23 16:15:10 vkondra-mobl kernel: [<c011c589>] do_softirq+0x2a/0x2f
> Mar 23 16:15:10 vkondra-mobl kernel: [<c011c662>] irq_exit+0x30/0x3c
> Mar 23 16:15:10 vkondra-mobl kernel: [<c0104c02>] do_IRQ+0x4a/0x58
> Mar 23 16:15:10 vkondra-mobl kernel: [<c01036fe>] common_interrupt+0x1a/0x20
> Mar 23 16:15:10 vkondra-mobl kernel: [<c014d41a>]
> cache_alloc_debugcheck_after+0x25/0xf4
> Mar 23 16:15:10 vkondra-mobl kernel: [<c014d565>] kmem_cache_alloc+0x7c/0x88
> Mar 23 16:15:10 vkondra-mobl kernel: [<c0239690>] __alloc_skb+0x29/0xf4
> Mar 23 16:15:10 vkondra-mobl kernel: [<c02366f3>] sock_alloc_send_skb+0x62/0x19a
> Mar 23 16:15:10 vkondra-mobl kernel: [<c028afed>] unix_stream_sendmsg+0x131/0x2fd
> Mar 23 16:15:10 vkondra-mobl kernel: [<c023415d>] do_sock_write+0xb5/0xbe
> Mar 23 16:15:10 vkondra-mobl kernel: [<c0234f84>] sock_aio_write+0x56/0x64
> Mar 23 16:15:10 vkondra-mobl kernel: [<c0150684>] do_sync_write+0xb1/0xe6
> Mar 23 16:15:10 vkondra-mobl kernel: [<c0150f41>] vfs_write+0xbc/0x154
> Mar 23 16:15:10 vkondra-mobl kernel: [<c01514a5>] sys_write+0x3b/0x60
> Mar 23 16:15:10 vkondra-mobl kernel: [<c0102cb9>] syscall_call+0x7/0xb
Yes, bad. We cannot perform sleeping things in an RCU callback.
I don't think that audit_log_exit() call is in the correct place anyway.
It's not actually logging an "exit" - it's currently logging the free of a
task_struct, which can happen an arbitrary time later and can be performed
by a different task (or by none at all, as in this case).
IOW: shouldn't we be calling audit_log_exit() from within do_exit()??
A backportable-to-2.6.16.1 fix is needed, I'd suggest.
18 years, 9 months
I'm looking for a pointer on the programming model
by Taylor_Tad@emc.com
I'm interested in learning how the audit framework is used by trusted
applications. I've gone over all the audit-related man pages that I could
find on a RHEL 4 system and searched/googled for a while but I can't find a
clear description of the programming model/paradigm that trusted processes
would follow to generate audit records. I could go through something like
the login code to see what it does, but then I'd be making an assumption
that it does it correctly :-). If such a description exists, could someone
provide a pointer for me? Thanks,
--Tad
18 years, 9 months
Re: Help with setup
by Gene Dellinger
The systems are RHEL3.
Services: audit, crond, httpd, irqbalance, mdmonitor, netfs, network,
ntpd, psacct, random, rawdevices, sgi_fam, sshd, syslog, sysstat, vsftpd.
Gene D.
-----Original Message-----
From: linux-audit-bounces(a)redhat.com
[mailto:linux-audit-bounces@redhat.com]On Behalf Of
linux-audit-request(a)redhat.com
Sent: Sunday, March 19, 2006 7:00 AM
To: linux-audit(a)redhat.com
Subject: Linux-audit Digest, Vol 18, Issue 26
Today's Topics:
1. Re: Help with setup (Stephen J. Smoogen)
----------------------------------------------------------------------
Message: 1
Date: Sat, 18 Mar 2006 19:57:47 -0700
From: "Stephen J. Smoogen" <smooge(a)gmail.com>
Subject: Re: Help with setup
Cc: linux-audit(a)redhat.com
Message-ID:
<80d7e4090603181857t6b7a6c0bib202f422e7c6aa16(a)mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
On 3/16/06, Gene Dellinger <gene(a)poh.com> wrote:
> Hoping this is the right place to get help configuring auditd(laus) on Red
> Hat.
>
> I have 4 high security systems that I need to allow a new employee root
> access to. I would like to see everything that is done by root or any
other
> users/processes, however the only thing I can seem to get it to do is tell
> me when my cronjobs, the sa stuff runs and login info.
>
>
I am guessing the systems are Red Hat Enterprise Linux 3 systems? What
processes are turned on at boot time?
--
Stephen J Smoogen.
CSIRT/Linux System Administrator
18 years, 9 months
[RFC][PATCH] auditctl: add user anomaly type option
by George C. Wilson
This patch adds -u <type> to auditctl. It allows a userspace
message sender to specify the message type by number. Manpage
update to follow if this proves OK.
diff -Narp audit-1.1.5.orig/src/auditctl.c audit-1.1.5/src/auditctl.c
*** audit-1.1.5.orig/src/auditctl.c 2006-03-05 07:40:35.000000000 -0600
--- audit-1.1.5/src/auditctl.c 2006-03-18 19:25:43.000000000 -0600
*************** static void usage(void)
*** 128,133 ****
--- 128,134 ----
" -R <file> read rules from file\n"
" -s Report status\n"
" -S syscall Build rule: syscall name or number\n"
+ " -u <type> Specify the type of user-space anomaly message by number\n"
" -v Version\n"
" -w <path> Insert watch at <path>\n"
" -W <path> Remove watch at <path>\n"
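Review bot: the new usage line for -u does not tell the user about the ordering the code enforces, namely that -u has to come before -m on the same command line and only affects that -m message; the help text should say so and also give the accepted range, e.g. `" -u <type> Set the type of a following -m message (AUDIT_FIRST_ANOM_MSG..AUDIT_LAST_ANOM_MSG)\n"`. As written, someone reading only the help will try `-m ... -u ...` and get the "-u must be given before -m" error.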
*************** void audit_request_both_lists(int fd)
*** 326,337 ****
static int setopt(int count, char *vars[])
{
int c;
int retval = 0;
optind = 0;
opterr = 0;
while ((retval >= 0) && (c = getopt(count, vars,
! "hislDve:f:r:b:a:A:d:S:F:m:R:w:W:k:p:")) != EOF) {
int flags = AUDIT_FILTER_UNSET;
switch (c) {
case 'h':
--- 327,340 ----
static int setopt(int count, char *vars[])
{
int c;
+ int user_message_type = 0;
int retval = 0;
optind = 0;
opterr = 0;
+
while ((retval >= 0) && (c = getopt(count, vars,
! "hislDve:f:r:b:a:A:d:S:F:m:R:w:W:k:p:u:")) != EOF) {
int flags = AUDIT_FILTER_UNSET;
switch (c) {
case 'h':
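Review bot: `user_message_type` is a local of setopt() initialised to 0, and setopt() resets optind and opterr on entry, so it is evidently called once per command line (or per rules-file line); the type chosen with -u therefore only pairs with a -m in the same invocation and is forgotten afterwards. That is probably intended, but it should be spelled out in the man page update. Style: the added blank `+` line after `opterr = 0;` is unrelated whitespace churn and should be dropped.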
*************** static int setopt(int count, char *vars[
*** 589,599 ****
}
break;
case 'm':
! if (audit_log_user_message( fd, AUDIT_USER, optarg, NULL,
! NULL, NULL, 1) <=0)
! retval = -1;
! else
! return -2; // success - no reply for this
break;
case 'R':
fprintf(stderr, "Error - nested rule files not supported\n");
--- 592,608 ----
}
break;
case 'm':
! if (user_message_type) {
! if (audit_log_user_message( fd, user_message_type, optarg,
! NULL, NULL, NULL, 1) <=0)
! retval = -1;
! else
! return -2; // success - no reply for this
! } else {
! fprintf(stderr,
! "Error - -u must be given before -m\n");
! retval = -1;
! }
break;
case 'R':
fprintf(stderr, "Error - nested rule files not supported\n");
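Review bot: this hunk changes existing behaviour: before the patch `auditctl -m text` sent an AUDIT_USER message, after it `-m` without a preceding `-u` fails with "-u must be given before -m", which breaks every script that uses -m today. Keep -u optional by falling back to the old type instead of rejecting, e.g. `if (audit_log_user_message(fd, user_message_type ? user_message_type : AUDIT_USER, optarg, NULL, NULL, NULL, 1) <= 0)`, and drop the else branch.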
*************** static int setopt(int count, char *vars[
*** 659,664 ****
--- 668,689 ----
else
retval = audit_setup_perms(&watch, optarg);
break;
+ case 'u':
+ if (optarg) {
+ user_message_type = atoi(optarg);
+ if (user_message_type >= AUDIT_FIRST_ANOM_MSG &&
+ user_message_type <= AUDIT_LAST_ANOM_MSG) {
+ } else {
+ fprintf(stderr,
+ "user message type must be a number from %d to %d\n",
+ AUDIT_FIRST_ANOM_MSG, AUDIT_LAST_ANOM_MSG);
+ retval = -1;
+ }
+ } else {
+ fprintf(stderr, "user message type option needs a type number\n");
+ retval = -1;
+ }
+ break;
case 'v':
printf("auditctl version %s\n", VERSION);
retval = -2;
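Review bot: `atoi(optarg)` accepts garbage silently: `-u 12abc` yields 12 and `-u abc` yields 0, which then fails the range check with a misleading message; use strtol() with an end-pointer check, e.g. `char *end; long t = strtol(optarg, &end, 0); if (*optarg == '\0' || *end != '\0') { ... }`. The `if (optarg)` test is redundant because the option is declared as `u:` in the getopt string, so getopt() never returns 'u' with a NULL optarg, and the empty `if (in range) { } else { error }` reads better inverted as `if (user_message_type < AUDIT_FIRST_ANOM_MSG || user_message_type > AUDIT_LAST_ANOM_MSG)`.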
--
George Wilson <ltcgcw(a)us.ibm.com>
IBM Linux Technology Center
18 years, 9 months
Re: to support for wildcard notation
by Steve Grubb
>is there any way to support for wildcard notation. I must watch and monitor
>lots of files in some directories. This directories contain a lot of file and
>also contents are changed by users, sometimes they add another files, rarely
>they delete files, lots of times they change contents of files that are in
>directories.
Not in the RHEL4 kernel at this point. I think we are looking into this for a
future update. Also, we are working on a new file system auditing kernel
patch for future upstream acceptance and I believe that it will be able to
support this.
Hope this helps...
-Steve
18 years, 9 months
audit test results on lspp.12 kernel
by Loulwa Salem
On the call Monday, I said I'll test on an lspp.12 kernel. I ran our
CAPP audit test suite on an x86_64 installed with FC5-t3, and lspp.12
kernel. Audit version 1.1.5. Below are my results ..
- All syscall test passed with no problems
- object identity (watch) tests (and any other tests that use watches)
all failed due to inability to insert watches, I get the following
> Error sending watch insert request (Invalid argument)
> add_audit_rule failed - auditctl_comm [auditctl -w /tmp/lafa0qlNM -k
file-basic-key ] returned 255
- Saw some failures in filters tests due to the change in the message of
adding/removing audit rules in the CONFIG_CHANGE type records. It used
to be "added/removed an audit rule" and now it is "add/remove rule
to/from list=X"... is there a reason we changed the message?
- Saw some failures in trusted programs due to the missing
msg='SomeString' (e.g. gpasswd, password, chage, etc.) field in the
audit record in some instances. Our test cases check for that string and
are failing if it's not found... Is there a reason this was removed?
- Loulwa
18 years, 9 months