[PATCH] Fix (make check)
by Miloslav Trmac
Hello,
(make check) currently builds tests against libaudit headers installed
system-wide; if no headers are installed, the build fails.
The attached patch fixes the build.
Mirek
16 years, 11 months
[PATCH] Audit: EINTR instead of kernel private return codes in audit records
by Eric Paris
When a syscall gets interrupted by a signal and that signal is set to
not restart the syscall, its return code will get collected by the audit
system before the registers are changed to the userspace-valid EINTR;
see the discussion in include/linux/errno.h.
Thus it is possible to get a syscall audit such as:
type=SYSCALL msg=audit(11/13/2007 23:47:34.648:80314) : arch=x86_64
syscall=accept success=no exit=-512(Unknown error 512) a0=3 [snip]
With this patch we clean up those kernel-only return codes and give the
userspace equivalent:
type=SYSCALL msg=audit(11/13/2007 23:06:04.017:898) : arch=x86_64
syscall=accept success=no exit=-4(Interrupted system call) a0=3 [snip]
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
kernel/auditsc.c | 9 ++++++++-
1 files changed, 8 insertions(+), 1 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index bce9ecd..447ad65 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -702,7 +702,14 @@ static inline struct audit_context *audit_get_context(struct task_struct *tsk,
if (likely(!context))
return NULL;
context->return_valid = return_valid;
- context->return_code = return_code;
+
+ if (unlikely((return_code == -ERESTART_RESTARTBLOCK) ||
+ (return_code == -ERESTARTNOHAND) ||
+ (return_code == -ERESTARTSYS) ||
+ (return_code == -ERESTARTNOINTR)))
+ context->return_code = -EINTR;
+ else
+ context->return_code = return_code;
if (context->in_syscall && !context->dummy && !context->auditable) {
enum audit_state state;
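Review bot: the new condition collapses four distinct kernel-private codes into a single -EINTR, so a consumer of the record can no longer tell a restartable interruption (-ERESTARTSYS, which a process with SA_RESTART set never observes as an error) from one that really surfaces as EINTR; the commit message should state that exit=-4 is a best-effort translation rather than the value the process actually received. Stylistically, a switch on return_code with the four cases falling through to a single `context->return_code = -EINTR;` would read more cleanly than the nested unlikely(...) or-chain.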
16 years, 11 months
Correct audit field for a netmask?
by Paul Moore
Hello,
I was wondering what the correct way to send a netmask in an audit
message is. Can I simply add it to the end of the 'addr' field:
addr=10.0.0.0/8
Or is there some other field specifically for the netmask?
addr=10.0.0.0 X=8
--
paul moore
linux security @ hp
16 years, 11 months
auparse_interpret_field()
by Klaus Heinrich Kiwi
env: audit 1.6.2, s390x, RHEL5 in targeted policy, permissive mode
I'm trying to assign the field name + interpreted value to a variable
inside my dispatcher plugin. Something along these lines:
do {
        /* field name and its interpreted (human-readable) value */
        name = auparse_get_field_name(au);
        value = auparse_interpret_field(au);
        snprintf(data, 1023, "%s=%s", name, value);
} while (auparse_next_record(au) > 0);
but auparse is failing to interpret fields like arch and syscall. From
gdb:
(gdb) p name
$20 = 0x80037bd0 "arch"
(gdb) printf "%s\n",auparse_get_field_str(au)
80000016
(gdb) printf "%s\n",auparse_interpret_field(au)
unknown elf type(80000016)
---
(gdb) p name
$22 = 0x80037b90 "syscall"
(gdb) p auparse_get_field_str(au)
$23 = 0x8002acf0 "5"
(gdb) p auparse_interpret_field(au)
$24 = 0x8002ade0 "unknown syscall(-1)"
uid and auid are being correctly translated (at least for root). No AVCs
seen.
Am I missing something?
Thanks,
Klaus
16 years, 11 months
should I lose audit data if I only care about the record's fields?
by Klaus Heinrich Kiwi
Hi,
when I started building my dispatcher plug-in, I assumed that I'd only
need the field values in each record to have all the data I needed. My
plug-in for remote logging aimed at consolidating the audit data on
another server, so I probably need all the audit data I can get from the
audit subsystem, possibly in a format that is compatible with the target
system (thus using the record fields for mapping).
Giving another look to some audit records, I saw that this approach was
probably not sufficient to describe the audited operation as a whole.
Example record:
type=USER_CHAUTHTOK msg=audit(1194995431.057:58485): user pid=30759
uid=0 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023
msg='op=adding user to shadow group acct=klausk
exe="/usr/sbin/usermod" (hostname=?, addr=?, terminal=pts/1
res=success)'
Using walk_test() from the test routine (python):
---
event 1 has 1 records
record 1 of type 1108(USER_CHAUTHTOK) has 12 fields
line=1 file=None
event time: 1194995431.57:58485, host=None
type=USER_CHAUTHTOK (USER_CHAUTHTOK)
pid=30759 (30759)
uid=0 (root)
auid=0 (root)
subj=root:system_r:unconfined_t:s0-s0:c0.c1023
(root:system_r:unconfined_t:s0-s0:c0.c1023)
op=adding (adding)
acct=klausk (klausk)
exe="/usr/sbin/usermod" (/usr/sbin/usermod)
hostname=? (?)
addr=? (?)
terminal=pts/1 (pts/1)
res=success (success)
---
'op=adding' - adding what? No information about what's going on here.
_side note_: just noticed that the original record is telling 'adding
user to shadow group' when in fact I was adding the user to the 'nobody'
group, plus others, with 'usermod -G' - I'll check that again later.
Another example is the LOGIN record:
original record:
type=LOGIN msg=audit(1193547601.367:36782): login pid=11698 uid=0 old
auid=4294967295 new auid=0
---walk_test()----
event 1 has 1 records
record 1 of type 1006(LOGIN) has 5 fields
line=1 file=None
event time: 1193547601.367:36782, host=None
type=LOGIN (LOGIN)
pid=11698 (11698)
uid=0 (root)
auid=4294967295 (unset)
auid=0 (root)
---
Two auid fields? Which is old and which is new? OK, maybe not the
brightest example, but IMO still valid.
There are probably more examples besides those two.
Maybe auparse is aimed at just helping us when we need to extract data, but
it is well-settled that someone will need the whole record to actually
know what's going on - please tell me if that is the case.
Thoughts?
Klaus
16 years, 11 months
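As an added example (not code from the message above or from libauparse), a small Python parser run over constructed copies of the two records Klaus quotes: it keeps the raw body next to an ordered list of fields, so the truncated op= value, the words a field-only view drops, and both auid fields of the LOGIN record stay visible to the consumer.

```python
import re

# Constructed copies of the two records quoted in the message above.
USER_CHAUTHTOK = (
    "type=USER_CHAUTHTOK msg=audit(1194995431.057:58485): user pid=30759 "
    "uid=0 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 "
    "msg='op=adding user to shadow group acct=klausk "
    "exe=\"/usr/sbin/usermod\" (hostname=?, addr=?, terminal=pts/1 res=success)'")
LOGIN = ("type=LOGIN msg=audit(1193547601.367:36782): login pid=11698 uid=0 "
         "old auid=4294967295 new auid=0")

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
# key=value where the value is "..."-quoted, '...'-quoted or a bare token
FIELD = re.compile(r"""([A-Za-z_][\w-]*)=(?:"([^"]*)"|'([^']*)'|([^\s,()]+))""")

def parse_fields(text):
    """Ordered (key, value) pairs; duplicate keys are kept, unlike in a dict."""
    pairs = []
    for m in FIELD.finditer(text):
        key, dq, sq, bare = m.groups()
        pairs.append((key, dq if dq is not None else sq if sq is not None else bare))
    return pairs

def uncaptured_text(text):
    """Words that belong to no key=value field, i.e. what a field-only view drops."""
    return [w for w in re.split(r"[\s,()]+", FIELD.sub(" ", text)) if w]

def duplicate_keys(pairs):
    """Keys that occur more than once (a dict would silently keep only the last)."""
    seen, dups = set(), []
    for key, _ in pairs:
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups

def parse_record(line):
    """Split header from body; keep the raw body alongside the parsed fields."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, ts, serial, body = m.groups()
    rec = {"type": rtype, "time": ts, "serial": int(serial),
           "raw": body, "fields": parse_fields(body), "nested": []}
    # user-space records carry an inner msg='...' that is itself key=value text
    for key, value in rec["fields"]:
        if key == "msg":
            rec["nested"] = parse_fields(value)
    return rec
```

On the USER_CHAUTHTOK record the nested op field comes out as just "adding" while uncaptured_text() of the inner msg returns the dropped words; on the LOGIN record duplicate_keys() reports auid, which a dict view would have collapsed to the new value.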
Re: event loss with dispatcher?
by Klaus Heinrich Kiwi
On Thu, 08 Nov 2007 16:55:22 -0500, Steve Grubb wrote:
> On Thursday 08 November 2007 16:17:52 klausk(a)br.ibm.com wrote:
>> Any tips on how can I debug this further?
>
> I'd put some syslog()'s in the main event loop of the dispatcher to see
> what is coming in and some in the output where its writing to the
> descriptor.
>
> -Steve
Added a syslog() in the auditd code just before writev() to pipe, and
another in audit dispatcher just after readv() from pipe (code attached
in the end). I see every record coming out of the daemon, but some
records are lost at the dispatcher input:
[watch event]
Nov 8 17:57:13 kwuser3 auditd[10304]: auditd, **out**: audit(1194562633.937:58313): arch=80000016 syscall=5 success=yes exit=3 a0=800fa310 a1=241 a2=1b6 a3=0 items=1 ppid=28559 pid=28561 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="bash" exe="/bin/bash" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Nov 8 17:57:13 kwuser3 auditd[10304]: auditd, **out**: audit(1194562633.937:58313): cwd="/root/audit-1.6.2_"
Nov 8 17:57:13 kwuser3 auditd[10304]: auditd, **out**: audit(1194562633.937:58313): item=0 name="/root/file" inode=1109999 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0
Nov 8 17:57:13 kwuser3 audispd: audispd, **in**: audit(1194562633.937:58313): arch=80000016 syscall=5 success=yes exit=3 a0=800fa310 a1=241 a2=1b6 a3=0 items=1 ppid=28559 pid=28561 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="bash" exe="/bin/bash" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Nov 8 17:57:13 kwuser3 audispd: audispd, **in**: audit(1194562633.937:58313): item=0 name="/root/file" inode=1109999 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0
[remove rules]
Nov 8 17:58:01 kwuser3 auditd[10304]: auditd, **out**: audit(1194562681.217:58314): auid=0 subj=root:system_r:auditctl_t:s0-s0:c0.c1023 op=remove rule key=(null) list=4 res=1
Nov 8 17:58:01 kwuser3 audispd: audispd, **in**: audit(1194562681.217:58314): auid=0 subj=root:system_r:auditctl_t:s0-s0:c0.c1023 op=remove rule key=(null) list=4 res=1
[add watch again]
Nov 8 17:58:16 kwuser3 auditd[10304]: auditd, **out**: audit(1194562696.747:58315): auid=0 subj=root:system_r:auditctl_t:s0-s0:c0.c1023 op=add rule key=(null) list=4 res=1
Nov 8 17:58:16 kwuser3 audispd: audispd, **in**: audit(1194562696.747:58315): auid=0 subj=root:system_r:auditctl_t:s0-s0:c0.c1023 op=add rule key=(null) list=4 res=1
[watch event - this time not even the PATH record came through]
Nov 8 17:58:21 kwuser3 auditd[10304]: auditd, **out**: audit(1194562701.897:58316): arch=80000016 syscall=5 success=yes exit=3 a0=80122b40 a1=241 a2=1b6 a3=0 items=1 ppid=28559 pid=28561 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="bash" exe="/bin/bash" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Nov 8 17:58:21 kwuser3 auditd[10304]: auditd, **out**: audit(1194562701.897:58316): cwd="/root/audit-1.6.2_"
Nov 8 17:58:21 kwuser3 auditd[10304]: auditd, **out**: audit(1194562701.897:58316): item=0 name="/root/file" inode=1109999 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0
Nov 8 17:58:21 kwuser3 audispd: audispd, **in**: audit(1194562701.897:58316): arch=80000016 syscall=5 success=yes exit=3 a0=80122b40 a1=241 a2=1b6 a3=0 items=1 ppid=28559 pid=28561 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="bash" exe="/bin/bash" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
--------------
Still don't have a clue what's going on. Here's the patch used:
diff -purN audit-1.6.2/audisp/audispd.c audit-1.6.2_/audisp/audispd.c
--- audit-1.6.2/audisp/audispd.c 2007-11-08 18:06:28.000000000 -0500
+++ audit-1.6.2_/audisp/audispd.c 2007-11-08 17:48:30.000000000 -0500
@@ -697,6 +697,11 @@ static void process_inbound_event(int fd
rc = readv(fd, vec, 2);
} while (rc < 0 && errno == EINTR);
if (rc > 0) {
+ char buf[MAX_AUDIT_MESSAGE_LENGTH];
+ strncpy(buf, vec[1].iov_base, vec[1].iov_len);
+ buf[vec[1].iov_len] = '\0';
+ syslog(LOG_ERR, "audispd, **in**: %s", buf);
+
enqueue(e);
}
}
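Review bot: the copy in the new block can write one byte past buf: strncpy() copies vec[1].iov_len bytes and `buf[vec[1].iov_len] = '\0';` then indexes past the end whenever iov_len equals MAX_AUDIT_MESSAGE_LENGTH, so size the buffer MAX_AUDIT_MESSAGE_LENGTH + 1 or clamp the length first. The copy also uses vec[1].iov_len rather than the rc returned by readv(), so a short read logs whatever stale bytes follow the new data; rc - vec[0].iov_len is the number of message bytes actually read. For a temporary probe, LOG_DEBUG is a more fitting priority than LOG_ERR.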
diff -purN audit-1.6.2/src/auditd-dispatch.c audit-1.6.2_/src/auditd-dispatch.c
--- audit-1.6.2/src/auditd-dispatch.c 2007-09-17 10:43:01.000000000 -0400
+++ audit-1.6.2_/src/auditd-dispatch.c 2007-11-08 17:47:00.000000000 -0500
@@ -160,6 +160,13 @@ int dispatch_event(const struct audit_re
vec[1].iov_base = (void*)rep->message;
vec[1].iov_len = rep->len;
+ {
+ char buf[MAX_AUDIT_MESSAGE_LENGTH];
+ strncpy(buf, vec[1].iov_base, vec[1].iov_len);
+ buf[vec[1].iov_len] = '\0';
+ syslog(LOG_ERR, "auditd, **out**: %s", buf);
+ }
+
do {
rc = writev(disp_pipe[1], vec, 2);
} while (rc < 0 && errno == EAGAIN && count++ < 8);
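Review bot: same off-by-one as in the audispd.c hunk: `buf[vec[1].iov_len] = '\0';` is out of bounds when rep->len equals MAX_AUDIT_MESSAGE_LENGTH, so this buffer needs the same +1 sizing. For the investigation itself, the more telling place for a log line is the exit of the loop just below: it gives up after eight EAGAINs on disp_pipe[1], which is the point where a record would be dropped on the auditd side, and a counter or syslog() there would show whether the missing records are lost before the pipe or after audispd's readv().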
16 years, 12 months
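An added example, not part of the message above: a Python check over constructed, abbreviated copies of the trace lines that pairs each record auditd wrote (**out**) with the copy audispd read (**in**) by event serial and reports the records that never arrived, which is the comparison the message does by eye.

```python
import re

# Constructed syslog lines shaped like the auditd/audispd trace above; the record
# bodies are abbreviated, since the check keys on the marker, event serial and body.
TRACE = """\
Nov 8 17:57:13 kwuser3 auditd[10304]: auditd, **out**: audit(1194562633.937:58313): arch=80000016 syscall=5 success=yes exit=3 items=1 comm="bash"
Nov 8 17:57:13 kwuser3 auditd[10304]: auditd, **out**: audit(1194562633.937:58313): cwd="/root/audit-1.6.2_"
Nov 8 17:57:13 kwuser3 auditd[10304]: auditd, **out**: audit(1194562633.937:58313): item=0 name="/root/file" inode=1109999
Nov 8 17:57:13 kwuser3 audispd: audispd, **in**: audit(1194562633.937:58313): arch=80000016 syscall=5 success=yes exit=3 items=1 comm="bash"
Nov 8 17:57:13 kwuser3 audispd: audispd, **in**: audit(1194562633.937:58313): item=0 name="/root/file" inode=1109999
Nov 8 17:58:01 kwuser3 auditd[10304]: auditd, **out**: audit(1194562681.217:58314): auid=0 op=remove rule key=(null) list=4 res=1
Nov 8 17:58:01 kwuser3 audispd: audispd, **in**: audit(1194562681.217:58314): auid=0 op=remove rule key=(null) list=4 res=1
Nov 8 17:58:21 kwuser3 auditd[10304]: auditd, **out**: audit(1194562701.897:58316): arch=80000016 syscall=5 success=yes exit=3 items=1 comm="bash"
Nov 8 17:58:21 kwuser3 auditd[10304]: auditd, **out**: audit(1194562701.897:58316): cwd="/root/audit-1.6.2_"
Nov 8 17:58:21 kwuser3 auditd[10304]: auditd, **out**: audit(1194562701.897:58316): item=0 name="/root/file" inode=1109999
Nov 8 17:58:21 kwuser3 audispd: audispd, **in**: audit(1194562701.897:58316): arch=80000016 syscall=5 success=yes exit=3 items=1 comm="bash"
"""

# side marker, event serial, record body
LINE = re.compile(r"\*\*(out|in)\*\*: audit\(\d+\.\d+:(\d+)\): (.*)$")

def collect(lines):
    """Per event serial, the record bodies seen on each side, in arrival order."""
    seen = {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        side, serial, body = m.group(1), int(m.group(2)), m.group(3)
        seen.setdefault(serial, {"out": [], "in": []})[side].append(body)
    return seen

def lost_records(lines):
    """{serial: [bodies auditd wrote that audispd never read]}, empty if none lost."""
    lost = {}
    for serial, sides in sorted(collect(lines).items()):
        pending, missing = list(sides["in"]), []
        for body in sides["out"]:
            if body in pending:
                pending.remove(body)      # matched with a received copy
            else:
                missing.append(body)
        if missing:
            lost[serial] = missing
    return lost

if __name__ == "__main__":
    for serial, bodies in lost_records(TRACE.splitlines()).items():
        print("event %d lost %d record(s): %s" % (serial, len(bodies), bodies))
```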
Re: Audit issue
by Alexander Viro
On Wed, Oct 31, 2007 at 05:40:19PM -0400, Steve Grubb wrote:
> On Tuesday 30 October 2007 07:15:25 pm Alexander Viro wrote:
> > On Tue, Oct 30, 2007 at 07:07:29PM -0400, Steve Grubb wrote:
> > > On Tuesday 30 October 2007 03:04:54 pm Eric Paris wrote:
> > > > why is it acceptable to mandate audit=1 in grub but not to mandate
> > > > 'don't use auditctl -e 0' ?? ????
> > >
> > > It's not that audit=1 is mandated. It's recommended. In the other case,
> > > temporarily taking the audit system offline should in no way impair the
> > > ability to start auditing again. It is required that an admin be able to
> > > track any users in the system if they are accessing files or attempting
> > > to make privileged calls.
> >
> > Ahem... If you have it disabled for a while, what's going to do the
> > tracking until you reenable it?
Have fun...
diff --git a/kernel/audit.c b/kernel/audit.c
index f93c271..83227f8 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -70,6 +70,7 @@ static int audit_initialized;
* 1 - auditing enabled
* 2 - auditing enabled and configuration is locked/unchangeable. */
int audit_enabled;
+int audit_ever_enabled;
/* Default state when kernel boots without any parameters. */
static int audit_default;
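Review bot: audit_ever_enabled is introduced here as a file-scope global and picked up in auditsc.c through a bare extern in that .c file further down; declaring it in kernel/audit.h, which auditsc.c already includes, keeps the two from drifting. A comment stating its meaning (set once auditing has ever been on, never cleared) would also help, since audit_enabled has its 0/1/2 states documented immediately above and the new variable has none.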
@@ -340,8 +341,10 @@ static int audit_set_enabled(int state, uid_t loginuid, u32 sid)
state, old, loginuid, res);
/* If we are allowed, make the change */
- if (res == 1)
+ if (res == 1) {
audit_enabled = state;
+ audit_ever_enabled |= !!state;
+ }
/* Not allowed, update reason */
else if (rc == 0)
rc = -EPERM;
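Review bot: `audit_ever_enabled |= !!state;` appears in the same shape in three places in this file (here, audit_init() and audit_enable()); a small helper that assigns audit_enabled and updates audit_ever_enabled together would keep a future caller from forgetting the second line. The !! is needed, since state can be 2 (enabled and locked), and it folds that to 1 correctly.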
@@ -965,6 +968,7 @@ static int __init audit_init(void)
skb_queue_head_init(&audit_skb_queue);
audit_initialized = 1;
audit_enabled = audit_default;
+ audit_ever_enabled |= !!audit_default;
/* Register the callback with selinux. This callback will be invoked
* when a new policy is loaded. */
@@ -992,8 +996,10 @@ static int __init audit_enable(char *str)
printk(KERN_INFO "audit: %s%s\n",
audit_default ? "enabled" : "disabled",
audit_initialized ? "" : " (after initialization)");
- if (audit_initialized)
+ if (audit_initialized) {
audit_enabled = audit_default;
+ audit_ever_enabled |= !!audit_default;
+ }
return 1;
}
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index bce9ecd..250f00f 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -70,6 +70,7 @@
#include "audit.h"
extern struct list_head audit_filter_list[];
+extern int audit_ever_enabled;
/* AUDIT_NAMES is the number of slots we reserve in the audit_context
* for saving names from getname(). */
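Review bot: the extern added here belongs in audit.h, included a few lines above, rather than in the .c file; the existing audit_filter_list extern just above it sets the precedent, but the header is still the place where the definition in audit.c and this use can be kept in sync.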
@@ -814,7 +815,7 @@ int audit_alloc(struct task_struct *tsk)
struct audit_context *context;
enum audit_state state;
- if (likely(!audit_enabled))
+ if (likely(!audit_ever_enabled))
return 0; /* Return if not auditing. */
state = audit_filter_task(tsk);
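Review bot: switching audit_alloc() from audit_enabled to audit_ever_enabled means every task created after auditing has been on even once gets an audit_context and passes through audit_filter_task(), also while auditing is currently off. That is the point of the change (tasks forked during an `auditctl -e 0` window would otherwise be unauditable after re-enabling, as the quoted discussion argues), but it trades memory and per-task setup cost for it, and the patch carries no commit message saying so. Worth confirming too that the per-syscall path still honours audit_enabled == 0, so that a disabled-but-ever-enabled system emits no records.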
16 years, 12 months
How to capture a login event?
by Zachary Shay
I am fairly new to the linux audit subsystem, and have a question that
can probably be answered in a one line response. I'm trying to detect
when logins (successful) and login attempts (unsuccessful) occur using
the auditing subsystem. Is there an auditing rule that can do this? My
brief research has shown a syscall, setauid(), available in BSD and
SysV; however, it isn't implemented in linux. Also, a rule watching the
file "/proc/self/loginuid" will show every time the pam_loginuid.so is
called by a point of entry...unfortunately that isn't useful because the
uid/euid/auid is always bound to root. Any ideas?
Thanks in advance,
Zach
16 years, 12 months
more on limiting auditing of file access
by Bill Tangren
Like Greg, I have servers that are doing a lot of auditing of file access
that I don't want them to do. I am running a RHEL ES 4 system, fully
patched, that runs audit-1.0.15-3.EL4. This is the output for aureport
summary:
[root@aa ~]# /sbin/aureport -ts yesterday 00:00:00 -te today 00:00:00
Summary Report
======================
Range of time: 11/02/2007 10:38:28.035 - 11/05/2007 10:53:23.707
Number of changes in configuration: 0
Number of changes to accounts or groups: 0
Number of logins: 0
Number of failed logins: 0
Number of users: 3
Number of terminals: 2
Number of host names: 1
Number of executables: 55
Number of files: 3151
Number of AVC denials: 96937
Number of failed syscalls: 4300876
Number of watched file events: 215001
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of process IDs: 32349
Number of events: 4531650
Notice the large number of watched file events. The daily audit logs are
nearly 2GB in size. [And I'm required to keep a year's worth of audit
logs!]
When I issue this command:
[root@aa ~]# aureport -f --summary | head -20
File Summary Report
===========================
total file
===========================
703314 passwd
703313 /etc/passwd
515973 /dev/tty
355209 /home/httpd/faq/docs/daylight_time.php/.htaccess
288538 /home/httpd/css/default.css/.htaccess
281723 /home/httpd/js/default.js/.htaccess
237471 /home/httpd/menu/stmenu.js/.htaccess
211210 /home/httpd/graphics/USNODomeatNight_painted.png/.htaccess
209720 /home/httpd/css/print.css/.htaccess
205240 /home/httpd/graphics/blank.gif/.htaccess
205042 /home/httpd/graphics/header_strip_stars.jpg/.htaccess
202624 /home/httpd/graphics/valid-html401.png/.htaccess
188072 /home/httpd/favicon.ico/.htaccess
131774 /home/httpd/data/USPLACES.DA
49634 /home/httpd/faq/docs/daylight_time.html/.htaccess
Note the high percentage of files accessed by the web server, especially
.htaccess.
I have a rule that audits failed access to files:
-a exit,always -S chmod -S lchown -S chown -F success=0
I assume that this is the rule that is causing so many files accessed by
the web server to be logged. How can I change this rule to exclude user
apache from tripping it?
--
Bill Tangren
U.S. Naval Observatory
16 years, 12 months
stopping "chatter"
by Greg Hennessy
I need to configure auditing for certification reasons, but I'd like to
cut down on wasted disk space by ignoring known "chatter". On a newly installed
Redhat 5 workstation there seems to be an open of /var/run/utmp every 10 seconds,
which fills the log files. I'd like to ignore these, but my first attempt doesn't
seem to work. I'm admittedly a novice at configuring auditd.
[root@foo ~]# aureport -f --summary | head -10
File Summary Report
===========================
total file
===========================
136065 /var/run/utmp
5283 /etc/symc-defutils.conf
795 /home/fsotest/.gconf/apps/puplet/
662 /usr/include/linux/
599 /dev/null
[root@foo ~]# auditctl -l | grep utmp
[root@foo ~]# auditctl -a exit,never -w /var/run/utmp
[root@foo ~]# auditctl -l | grep utmp
LIST_RULES: exit,always watch=/var/run/utmp perm=rwxa
[root@foo ~]#
What would be the proper syntax to get auditctl to
ignore the open attempts to /var/run/utmp?
17 years