-a task,always audits everything
by Matthew Booth
I added the following to audit.rules in RHEL4 U4 x86_64:
-a task,always
I expected this to have a similar effect to auditing the fork, vfork and
clone system calls. However, it seems to either audit everything itself,
or cause all the filtering to be removed from my other audit rules
(which audit pretty much everything).
Is this expected behaviour, or a bug?
Thanks,
Matt
--
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
Prettier formatting of audit.rules
by Matthew Booth
I note from the auditctl man page that sending a shorter list of audit
rules to the kernel is preferable. Specifically, specifying lots of
system calls in a single rule is recommended. However, this makes
audit.rules unpleasant to look at and impossible to comment. While
audit.rules allows comments to be put on their own lines, it doesn't
allow a rule to be split over multiple lines, or comments at the end of
lines.
So rather than:
-a entry,always -S chmod -S fchmod -S chown -S fchown -S lchown -S creat
-S truncate -S ftruncate -S mkdir -S rmdir -S exit -S exit_group -S
execve -S vfork -S fork -S clone -F auid!=101 -F auid!=102 -F auid!=103
it would be much nicer to write something like:
-a entry,always
    -S chmod -S fchmod
    -S chown -S fchown -S lchown # Attribute changes
    -S creat
    -S truncate -S ftruncate
    -S mkdir -S rmdir
    -S exit -S exit_group
    -S execve
    -S vfork -S fork -S clone # Task creation
    -F auid!=101 -F auid!=102 -F auid!=103 # Filter Oracle activity
Matt
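One way to keep a commented, multi-line layout in the file you maintain while still handing auditctl the compact one-rule-per-line form it wants is to preprocess the file before loading it. The following is an added example written for this page, not part of the audit package: the layout convention it relies on (a rule starts in column 1, indented lines continue the rule above, `#` starts a comment anywhere on a line) is this example's own, and `flatten_rules` and `check_rules` are names chosen here. The check also catches the kind of slip the one-line form hides, such as a stray space in `-F auid!= 101`, which auditctl would not parse as one field.

```python
"""Preprocess a human-friendly audit.rules layout into auditctl's format.

Added example for this page, not part of audit-userspace.  Convention
assumed here (an assumption, not an auditctl feature): a rule begins in
column 1, indented lines continue the rule above, and '#' starts a
comment anywhere on a line.  Output is one complete rule per line,
suitable for `auditctl -R`.
"""
import re
import sys

# A -F field must be a single token: name, operator, value, no spaces.
FIELD = re.compile(r"^\w+(=|!=|<=|>=|<|>|&=|&)\S+$")

# Constructed sample in the pretty layout (the rule set from the post,
# shortened, plus one watch).
SAMPLE = """\
-a entry,always
    -S chmod -S fchmod
    -S chown -S fchown -S lchown   # attribute changes
    -S execve
    -S vfork -S fork -S clone      # task creation
    -F auid!=101 -F auid!=102      # filter Oracle activity
-w /etc/audit.rules -k CFG_audit.rules
"""


def flatten_rules(text):
    """Return the list of one-line rules encoded by the pretty layout."""
    rules = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop end-of-line comment
        continuation = line[:1].isspace()    # indented => continues rule
        line = line.strip()
        if not line:
            continue
        if continuation and current is not None:
            current = current + " " + line
        else:
            if current is not None:
                rules.append(current)
            current = line
    if current is not None:
        rules.append(current)
    return rules


def check_rules(rules):
    """Catch mistakes the one-line form makes easy to miss.

    Returns a list of (rule, problem) pairs; an empty list means the rules
    are at least lexically sane.  A pre-flight check only, not a
    substitute for auditctl's own parser.
    """
    problems = []
    for rule in rules:
        tokens = rule.split()
        for i, tok in enumerate(tokens):
            if tok in ("-F", "-S") and (i + 1 >= len(tokens)
                                        or tokens[i + 1].startswith("-")):
                problems.append((rule, "%s has no argument" % tok))
            elif tok == "-F" and not FIELD.match(tokens[i + 1]):
                problems.append((rule, "bad -F field %r" % tokens[i + 1]))
    return problems


if __name__ == "__main__":
    # Usage: python flatten_rules.py < audit.rules.pretty > audit.rules
    rules = flatten_rules(sys.stdin.read())
    problems = check_rules(rules)
    for rule, problem in problems:
        sys.stderr.write("%s: %s\n" % (problem, rule))
    if problems:
        sys.exit(1)
    sys.stdout.write("\n".join(rules) + "\n")
```

Load the flattened output with `auditctl -R` and confirm what the kernel actually holds with `auditctl -l`; the pretty file stays the source of truth and is never handed to auditctl directly.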
audit 1.4.2 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
tomorrow. The Changelog is:
- Add man pages
- Reduce text relocations in parser library
- Add -n option to auditd for no fork
- In auditd.conf add exec option to space_left, admin_space_left,
disk_full, and disk_error - eg EXEC /usr/local/script
Please let me know if there are any problems with this release.
-Steve
[PATCH] log all actions by privileged user in bash
by Steve Grubb
Hi,
This is a patch to bash 3.2 that depends on audit 1.4 to provide a logging
function. The patch works well in my testing, but I have not finished the
review process with bash upstream maintainers. So it may change, but this
gives you a chance to play along at home. The resulting audit message
looks like this:
time->Tue Jan 30 18:23:45 2007
type=USER_CMD msg=audit(1170199425.793:143): user pid=22862 uid=0 auid=0
subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023
msg='cwd=2F726F6F742F7465737420646972 cmd=6C73202D6C (terminal=tty1
res=success)'
Which translates to:
type=USER_CMD msg=audit(01/30/2007 18:23:45.793:143) : user pid=22862 uid=root
auid=root subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023
msg='cwd=/root/test dir cmd=ls -l (terminal=tty1 res=success)'
This patch causes bash to log all command line arguments when the shell
is started as aubash or "bash --audit". The preferred method is to make a
symlink from bash to aubash and then add aubash to /etc/shells. Then you
can change root's shell to aubash.
-Steve
diff -urp bash-3.2.orig/config-bot.h bash-3.2/config-bot.h
--- bash-3.2.orig/config-bot.h 2007-01-03 09:01:05.000000000 -0500
+++ bash-3.2/config-bot.h 2007-01-20 11:59:23.000000000 -0500
@@ -97,6 +97,11 @@
# define RESTRICTED_SHELL_NAME "rbash"
#endif
+/* If the shell is called by this name, it will become audited. */
+#if defined (AUDIT_SHELL)
+# define AUDIT_SHELL_NAME "aubash"
+#endif
+
/***********************************************************/
/* Make sure feature defines have necessary prerequisites. */
/***********************************************************/
diff -urp bash-3.2.orig/config.h.in bash-3.2/config.h.in
--- bash-3.2.orig/config.h.in 2007-01-03 09:01:05.000000000 -0500
+++ bash-3.2/config.h.in 2007-01-20 11:59:23.000000000 -0500
@@ -81,6 +81,11 @@
flag. */
#undef RESTRICTED_SHELL
+/* Define AUDIT_SHELL if you want the generated shell to audit all
+ actions performed by root account. The shell thus generated can become
+ audited by being run with the name "aubash". */
+#undef AUDIT_SHELL
+
/* Define DISABLED_BUILTINS if you want "builtin foo" to always run the
shell builtin "foo", even if it has been disabled with "enable -n foo". */
#undef DISABLED_BUILTINS
diff -urp bash-3.2.orig/configure.in bash-3.2/configure.in
--- bash-3.2.orig/configure.in 2007-01-03 09:01:05.000000000 -0500
+++ bash-3.2/configure.in 2007-01-20 11:59:23.000000000 -0500
@@ -162,6 +162,7 @@ opt_history=yes
opt_bang_history=yes
opt_dirstack=yes
opt_restricted=yes
+opt_audit=yes
opt_process_subst=yes
opt_prompt_decoding=yes
opt_select=yes
@@ -195,8 +196,8 @@ dnl a minimal configuration turns everyt
dnl added individually
if test $opt_minimal_config = yes; then
opt_job_control=no opt_alias=no opt_readline=no
- opt_history=no opt_bang_history=no opt_dirstack=no
- opt_restricted=no opt_process_subst=no opt_prompt_decoding=no
+ opt_history=no opt_bang_history=no opt_dirstack=no opt_restricted=no
+ opt_audit=no opt_process_subst=no opt_prompt_decoding=no
opt_select=no opt_help=no opt_array_variables=no opt_dparen_arith=no
opt_brace_expansion=no opt_disabled_builtins=no opt_command_timing=no
opt_extended_glob=no opt_cond_command=no opt_arith_for_command=no
@@ -227,6 +228,7 @@ AC_ARG_ENABLE(progcomp, AC_HELP_STRING([
AC_ARG_ENABLE(prompt-string-decoding, AC_HELP_STRING([--enable-prompt-string-decoding], [turn on escape character decoding in prompts]), opt_prompt_decoding=$enableval)
AC_ARG_ENABLE(readline, AC_HELP_STRING([--enable-readline], [turn on command line editing]), opt_readline=$enableval)
AC_ARG_ENABLE(restricted, AC_HELP_STRING([--enable-restricted], [enable a restricted shell]), opt_restricted=$enableval)
+AC_ARG_ENABLE(audit, AC_HELP_STRING([--enable-audit], [enable an audited shell]), opt_audit=$enableval)
AC_ARG_ENABLE(select, AC_HELP_STRING([--enable-select], [include select command]), opt_select=$enableval)
AC_ARG_ENABLE(separate-helpfiles, AC_HELP_STRING([--enable-separate-helpfiles], [use external files for help builtin documentation]), opt_separate_help=$enableval)
AC_ARG_ENABLE(single-help-strings, AC_HELP_STRING([--enable-single-help-strings], [store help documentation as a single string to ease translation]), opt_single_longdoc_strings=$enableval)
@@ -254,6 +256,10 @@ fi
if test $opt_restricted = yes; then
AC_DEFINE(RESTRICTED_SHELL)
fi
+if test $opt_audit = yes; then
+AC_DEFINE(AUDIT_SHELL)
+AUDIT_LIB='-laudit'
+fi
if test $opt_process_subst = yes; then
AC_DEFINE(PROCESS_SUBSTITUTION)
fi
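Review bot: with `opt_audit=yes` as the default (hunk above) this hunk unconditionally adds `-laudit` to AUDIT_LIB without ever checking that libaudit and <libaudit.h> are present, so a default ./configure on a host without the audit development package succeeds and the build then fails in the link step. Add an `AC_CHECK_HEADER([libaudit.h])` and `AC_CHECK_LIB([audit], [audit_open])` here, and either downgrade `opt_audit` to no with a warning or stop configure with a clear message when they are missing.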
@@ -355,6 +361,8 @@ AC_SUBST(HELPDIRDEFINE)
AC_SUBST(HELPINSTALL)
AC_SUBST(HELPSTRINGS)
+AC_SUBST(AUDIT_LIB)
+
echo ""
echo "Beginning configuration for bash-$BASHVERS-$RELSTATUS for ${host_cpu}-${host_vendor}-${host_os}"
echo ""
diff -urp bash-3.2.orig/doc/bash.1 bash-3.2/doc/bash.1
--- bash-3.2.orig/doc/bash.1 2007-01-03 09:01:05.000000000 -0500
+++ bash-3.2/doc/bash.1 2007-01-20 11:59:23.000000000 -0500
@@ -155,6 +155,12 @@ single-character options to be recognize
.PP
.PD 0
.TP
+.B \-\-audit
+The shell logs all commands run by the root user (see
+.SM
+.B "AUDIT SHELL"
+below).
+.TP
.B \-\-debugger
Arrange for the debugger profile to be executed before the shell
starts.
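Review bot: the `--audit` text says the shell logs all commands run by the root user, but the hook in eval.c only fires when `audited && interactive_shell && getuid () == 0`: commands run through `aubash -c`, scripts, and anything else non-interactive are not logged, nor is anything logged when the real uid is not 0. Say "interactive commands, when the real uid is 0" here and in the AUDIT SHELL section, so administrators do not assume coverage the patch does not provide.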
@@ -8770,6 +8776,17 @@ turns off any restrictions in the shell
script.
.\" end of rbash.1
.if \n(zY=1 .ig zY
+.SH "AUDIT SHELL"
+.zY
+.PP
+If
+.B bash
+is started with the name
+.BR aubash ,
+or the
+.B \-\-audit
+option is supplied at invocation, the shell logs all commands issued by the root user to the audit system.
+.if \n(zY=1 .ig zY
.SH "SEE ALSO"
.PD 0
.TP
diff -urp bash-3.2.orig/eval.c bash-3.2/eval.c
--- bash-3.2.orig/eval.c 2007-01-03 09:01:06.000000000 -0500
+++ bash-3.2/eval.c 2007-01-20 11:59:23.000000000 -0500
@@ -45,6 +45,11 @@
# include "bashhist.h"
#endif
+#if defined (AUDIT_SHELL)
+# include <libaudit.h>
+# include <errno.h>
+#endif
+
extern int EOF_reached;
extern int indirection_level;
extern int posixly_correct;
@@ -58,6 +63,38 @@ extern int rpm_requires;
static void send_pwd_to_eterm __P((void));
static sighandler alrm_catcher __P((int));
+#if defined (AUDIT_SHELL)
+static int audit_fd = -1;
+
+static int
+audit_start ()
+{
+ audit_fd = audit_open ();
+ if (audit_fd < 0)
+ return -1;
+ else
+ return 0;
+}
+
+static int
+audit (cmd, result)
+ char *cmd;
+ int result;
+{
+ int rc;
+
+ if (audit_fd < 0)
+ return 0;
+
+ rc = audit_log_user_command (audit_fd, AUDIT_USER_CMD, cmd,
+ NULL, !result);
+ close (audit_fd);
+ audit_fd = -1;
+ return rc;
+}
+#endif
+
+
/* Read and execute commands until EOF is reached. This assumes that
the input source has already been initialized. */
int
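Review bot: `audit ()` logs `shell_input_line`, the parser's most recently read physical line, not the command that was executed; for a compound command spread over several lines, or a line continued with a trailing backslash, only the last physical line is recorded (that is also why `shell_input_line` is made non-static in parse.y below). Logging a string rebuilt from `current_command` would record what actually ran. Two smaller points: use `audit_close (audit_fd)` rather than a bare `close ()`, and since this closes the socket after every command while `audit_start ()` reopens it before each one, the shell creates a netlink socket per command; open it once and keep it for the life of the shell. Finally, `audit` is an unfortunate name for a static function, since it is also a system call name on BSD-derived systems.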
@@ -145,7 +182,25 @@ reader_loop ()
executing = 1;
stdin_redir = 0;
+#if defined (AUDIT_SHELL)
+ if (audited && interactive_shell && getuid () == 0)
+ {
+ if (audit_start () < 0)
+ {
+ if (errno != EINVAL && errno != EPROTONOSUPPORT &&
+ errno != EAFNOSUPPORT)
+ return EXECUTION_FAILURE;
+ }
+ }
+#endif
+
execute_command (current_command);
+#if defined (AUDIT_SHELL)
+ {
+ extern char *shell_input_line;
+ audit (shell_input_line, last_command_exit_value);
+ }
+#endif
exec_done:
QUIT;
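Review bot: if `audit_start ()` fails with an errno outside the three that indicate a kernel without audit support, reader_loop returns EXECUTION_FAILURE before executing the command and says nothing, so an interactive root login that cannot open the audit socket (for example ENOMEM, or a denied netlink socket) simply dies. Failing closed is the right default for an audited shell, but print a diagnostic (e.g. via `sys_error`) first and document the behaviour; otherwise this will be reported as aubash exiting at random. The check is also repeated on every command although `audited`, `interactive_shell` and the uid do not change; doing it once before the loop would keep the hot path simpler.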
diff -urp bash-3.2.orig/externs.h bash-3.2/externs.h
--- bash-3.2.orig/externs.h 2007-01-03 09:01:06.000000000 -0500
+++ bash-3.2/externs.h 2007-01-20 12:05:00.000000000 -0500
@@ -77,6 +77,10 @@ extern int shell_is_restricted __P((char
extern int maybe_make_restricted __P((char *));
#endif
+#if defined (AUDIT_SHELL)
+extern int maybe_make_audited __P((char *));
+#endif
+
extern void unset_bash_input __P((int));
extern void get_current_user_info __P((void));
diff -urp bash-3.2.orig/flags.c bash-3.2/flags.c
--- bash-3.2.orig/flags.c 2007-01-03 09:01:06.000000000 -0500
+++ bash-3.2/flags.c 2007-01-20 11:59:23.000000000 -0500
@@ -142,6 +142,12 @@ int restricted = 0; /* currently restri
int restricted_shell = 0; /* shell was started in restricted mode. */
#endif /* RESTRICTED_SHELL */
+#if defined (AUDIT_SHELL)
+/* Non-zero means that this shell is audited. An audited shell records
+ each command that the root user executes. */
+int audited = 0; /* shell was started in audit mode. */
+#endif /* AUDIT_SHELL */
+
/* Non-zero means that this shell is running in `privileged' mode. This
is required if the shell is to run setuid. If the `-p' option is
not supplied at startup, and the real and effective uids or gids
diff -urp bash-3.2.orig/flags.h bash-3.2/flags.h
--- bash-3.2.orig/flags.h 2007-01-03 09:01:06.000000000 -0500
+++ bash-3.2/flags.h 2007-01-20 11:59:23.000000000 -0500
@@ -66,6 +66,10 @@ extern int restricted;
extern int restricted_shell;
#endif /* RESTRICTED_SHELL */
+#if defined (AUDIT_SHELL)
+extern int audited;
+#endif /* AUDIT_SHELL */
+
extern int *find_flag __P((int));
extern int change_flag __P((int, int));
extern char *which_set_flags __P((void));
Only in bash-3.2: .made
diff -urp bash-3.2.orig/Makefile.in bash-3.2/Makefile.in
--- bash-3.2.orig/Makefile.in 2007-01-03 09:01:06.000000000 -0500
+++ bash-3.2/Makefile.in 2007-01-20 11:59:23.000000000 -0500
@@ -366,6 +366,8 @@ MALLOC_LIBRARY = @MALLOC_LIBRARY@
MALLOC_LDFLAGS = @MALLOC_LDFLAGS@
MALLOC_DEP = @MALLOC_DEP@
+AUDIT_LIB = @AUDIT_LIB@
+
ALLOC_HEADERS = $(ALLOC_LIBSRC)/getpagesize.h $(ALLOC_LIBSRC)/shmalloc.h \
$(ALLOC_LIBSRC)/imalloc.h $(ALLOC_LIBSRC)/mstats.h \
$(ALLOC_LIBSRC)/table.h $(ALLOC_LIBSRC)/watch.h
@@ -386,7 +388,7 @@ BASHINCFILES = $(BASHINCDIR)/posixstat.
$(BASHINCDIR)/ocache.h
LIBRARIES = $(SHLIB_LIB) $(READLINE_LIB) $(HISTORY_LIB) $(TERMCAP_LIB) $(GLOB_LIB) \
- $(TILDE_LIB) $(MALLOC_LIB) $(INTL_LIB) $(LOCAL_LIBS)
+ $(TILDE_LIB) $(MALLOC_LIB) $(INTL_LIB) $(LOCAL_LIBS) $(AUDIT_LIB)
LIBDEP = $(SHLIB_DEP) $(INTL_DEP) $(READLINE_DEP) $(HISTORY_DEP) $(TERMCAP_DEP) $(GLOB_DEP) \
$(TILDE_DEP) $(MALLOC_DEP)
diff -urp bash-3.2.orig/parse.y bash-3.2/parse.y
--- bash-3.2.orig/parse.y 2007-01-03 09:01:06.000000000 -0500
+++ bash-3.2/parse.y 2007-01-20 11:59:23.000000000 -0500
@@ -258,7 +258,7 @@ int need_here_doc;
/* Where shell input comes from. History expansion is performed on each
line when the shell is interactive. */
-static char *shell_input_line = (char *)NULL;
+char *shell_input_line = (char *)NULL;
static int shell_input_line_index;
static int shell_input_line_size; /* Amount allocated for shell_input_line. */
static int shell_input_line_len; /* strlen (shell_input_line) */
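Review bot: dropping `static` here exports `shell_input_line` to the whole program, but the only consumer (the `audit ()` call in eval.c) declares it with a block-scope `extern` inside reader_loop, so the type is never checked against this definition. Put `extern char *shell_input_line;` in parser.h or externs.h next to the new `maybe_make_audited` prototype, or better, give parse.y an accessor so the parser's buffer stays private.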
diff -urp bash-3.2.orig/shell.c bash-3.2/shell.c
--- bash-3.2.orig/shell.c 2007-01-03 09:01:06.000000000 -0500
+++ bash-3.2/shell.c 2007-01-20 12:04:23.000000000 -0500
@@ -240,6 +240,9 @@ struct {
#if defined (RESTRICTED_SHELL)
{ "restricted", Int, &restricted, (char **)0x0 },
#endif
+#if defined (AUDIT_SHELL)
+ { "audit", Int, &audited, (char **)0x0 },
+#endif
{ "verbose", Int, &echo_input_at_read, (char **)0x0 },
{ "version", Int, &do_version, (char **)0x0 },
{ "wordexp", Int, &wordexp_only, (char **)0x0 },
@@ -644,6 +647,10 @@ main (argc, argv, env)
maybe_make_restricted (shell_name);
#endif /* RESTRICTED_SHELL */
+#if defined (AUDIT_SHELL)
+ maybe_make_audited (shell_name);
+#endif
+
if (wordexp_only)
{
startup_state = 3;
@@ -1143,6 +1150,29 @@ maybe_make_restricted (name)
}
#endif /* RESTRICTED_SHELL */
+#if defined (AUDIT_SHELL)
+/* Perhaps make this shell an `audited' one, based on NAME. If the
+ basename of NAME is "aubash", then this shell is audited. The
+ name of the audited shell is a configurable option, see config.h.
+ In an audited shell, all actions performed by root will be logged
+ to the audit system.
+ Do this also if `audited' is already set to 1 maybe the shell was
+ started with --audit. */
+int
+maybe_make_audited (name)
+ char *name;
+{
+ char *temp;
+
+ temp = base_pathname (name);
+ if (*temp == '-')
+ temp++;
+ if (audited || (STREQ (temp, AUDIT_SHELL_NAME)))
+ audited = 1;
+ return (audited);
+}
+#endif /* AUDIT_SHELL */
+
/* Fetch the current set of uids and gids and return 1 if we're running
setuid or setgid. */
static int
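Review bot: `maybe_make_audited ()` is modelled on `maybe_make_restricted ()`, but auditing, unlike restriction, is a property of this one process and nothing in this hunk or the man page text stops root from leaving it: `exec /bin/bash`, or any program that spawns a shell, continues unaudited. The comment block here and the AUDIT SHELL section should say so, so that aubash is deployed as an accountability aid (the `auid=` in each USER_CMD record is what ties the command to the login) rather than mistaken for a control.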
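The record quoted in the post shows what the shell emits and what `ausearch -i` makes of it: the cwd= and cmd= values are hex-encoded by libaudit because they contain spaces. The decoder below is an added example written for this page, not code from the bash patch or from audit-userspace. It reverses that encoding for USER_CMD records and pulls out the commands that did not succeed. The first sample record is the one from the post joined onto one line; the second is constructed. The rule it uses to spot an encoded value (an even-length token of upper-case hex digits) is this example's assumption, not a documented libaudit contract, so a production tool should lean on ausearch or auparse instead.

```python
"""Decode USER_CMD records such as the one quoted in the post above.

Added example for this page, not code from the bash patch or from
audit-userspace.  It does for USER_CMD what `ausearch -i` does: values
that libaudit had to hex-encode (cwd= and cmd= in the sample, because
they contain spaces) are turned back into text.  Assumption made here:
a token of even length consisting only of upper-case hex digits is an
encoded value; libaudit does not promise that no plain value ever looks
like that.
"""
import re
from datetime import datetime, timezone

HEADER = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<secs>\d+)\.(?P<ms>\d+):"
    r"(?P<serial>\d+)\): (?P<body>.*)$")
ENCODED = re.compile(r"^(?:[0-9A-F]{2})+$")

# Record from the post (re-joined onto one line) plus one constructed
# record for a command that failed, run by a different login user (auid).
SAMPLE_LOG = """\
type=USER_CMD msg=audit(1170199425.793:143): user pid=22862 uid=0 auid=0 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='cwd=2F726F6F742F7465737420646972 cmd=6C73202D6C (terminal=tty1 res=success)'
type=USER_CMD msg=audit(1170199431.102:144): user pid=22862 uid=0 auid=500 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='cwd=/root cmd=636174202F6574632F736861646F77 (terminal=tty1 res=failed)'
"""


def decode_value(value):
    """Reverse libaudit's hex encoding; return other values unchanged."""
    if ENCODED.match(value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_user_cmd(line):
    """Parse one USER_CMD line into a dict, or return None for other types."""
    m = HEADER.match(line.strip())
    if not m or m.group("type") != "USER_CMD":
        return None
    rec = {
        "serial": int(m.group("serial")),
        "time": datetime.fromtimestamp(int(m.group("secs")), timezone.utc),
    }
    # Outer fields (pid, uid, auid, subj) precede the quoted msg='...'.
    outer, _, inner = m.group("body").partition(" msg='")
    for key, val in re.findall(r"(\w+)=(\S+)", outer):
        rec[key] = val
    # Inner part: cwd=... cmd=... (terminal=... res=...)
    for key, val in re.findall(r"(\w+)=([^\s()']+)", inner):
        rec[key] = decode_value(val)
    for key in ("pid", "uid", "auid"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def failed_commands(log_text):
    """Return (serial, auid, cwd, cmd) for every command that did not succeed."""
    out = []
    for line in log_text.splitlines():
        rec = parse_user_cmd(line)
        if rec and rec.get("res") != "success":
            out.append((rec["serial"], rec["auid"], rec["cwd"], rec["cmd"]))
    return out


if __name__ == "__main__":
    for entry in SAMPLE_LOG.splitlines():
        r = parse_user_cmd(entry)
        print(r["time"].isoformat(), "auid=%d" % r["auid"], r["cwd"], r["cmd"], r["res"])
```

The auid is the field worth keying reports on: uid is 0 in every record from a root shell, while auid survives su and identifies who logged in.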
Problems with -F exit!=-2 on x86_64
by Matthew Booth
Amongst other things, I'm auditing all open calls on RHEL4 U4. I've
noticed that the dynamic linker generates a massive amount of noise,
most of which is open calls for files which don't exist. These are
uninteresting from an audit perspective as they don't relate to a
successful or unsuccessful attempt to read or write to a particular
file. On my workload, these make up about 45% of audit traffic. The exit
code for these failures is -2 (No such file or directory).
I tried the following on both i386 and x86_64:
auditctl -a exit,always -S open -F exit!=-2
This works exactly as expected on i386, but not on x86_64. The effect on
x86_64 is as if no filtering had been applied. However the following,
for example, works fine:
auditctl -a exit,always -S open -F exit=3
I'm using auditd-1.0.15 from U5 (audit-1.0.15-2.EL4). I saw the same
behaviour on the vanilla auditd, version 1.0.14. Is this a known issue,
expected behaviour, or user error? If the former, I'll be happy to file
a BZ. However, I'd like to know if it's in user space or kernel space in
case I have to look at it myself.
Thanks,
Matt
SELinux for auditing
by Matthew Booth
I have a couple of requirements which on the face of it don't seem
simple to achieve with auditctl. These are:
* Audit changes to executables
* Audit changes to configuration files
I'll concentrate on the former as it's more obviously problematic. I
believe this would require putting a watch explicitly on every
executable in the system. If this isn't correct, please correct me and
this problem goes away. Assuming it is, though, I don't believe this is
a practical solution.
It occurs to me that this might be more easily achieved with SELinux. As
a test, I made the following small change to the unconfined domain of
the RHEL 4 targeted policy macros/global_macros.te:
define(`executable_files', `{ exec_type sbin_t bin_t lib_t shlib_t
ld_so_t }')
#allow $1 file_type:dir_file_class_set *;
allow $1 file_type:dir_file_class_set ~execute;
allow $1 executable_files:dir_file_class_set *;
auditallow $1 executable_files:dir_file_class_set { create write rename
setattr append relabelfrom };
This does 2 things. Firstly it enforces that the system won't execute
files which aren't labelled with an executable type. This is really just
to make sure everything is caught by the second rule, which is to audit
changes to executables. To make this thorough, you'd have to go through
everywhere else execute is granted in other domains.
However, I'm worried I might be stepping outside design intentions. Is
the above a good idea? Is using SELinux for writing auditing rules a
good idea in general? Is there a better way to achieve this and similar
requirements which affect a potentially large class of file?
Thanks,
Matt
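With the `auditallow` rule from the post loaded, every permitted write-class access to an executable type shows up in the audit log as an AVC record that says "granted" where a denial would say "denied". Reading those records back is the other half of the job, and the following is an added example written for this page, not part of any SELinux policy or tool. The sample records are constructed; the type set mirrors the `executable_files` define in the post, but `exec_type` there is an attribute, not a type, so the set below only lists a couple of the types it covers (an assumption) and in practice must be expanded from the loaded policy, for example with `seinfo -aexec_type -x`.

```python
"""Report modifications to executables from SELinux `auditallow` records.

Added example for this page, not part of any SELinux policy or tool.
Parses AVC records, keeps the "granted" ones that the auditallow rule in
the post would produce, and flags the ones touching executable types.
Sample records are constructed.
"""
import re

# Types from the executable_files define in the post.  exec_type is an
# attribute; the last two entries are an assumed partial expansion of it.
EXECUTABLE_TYPES = {"sbin_t", "bin_t", "lib_t", "shlib_t", "ld_so_t",
                    "httpd_exec_t", "sshd_exec_t"}
# Permissions the post's auditallow rule covers.
MODIFY_PERMS = {"create", "write", "rename", "setattr", "append", "relabelfrom"}
# Object classes in dir_file_class_set.
DIR_FILE_CLASSES = {"dir", "file", "lnk_file", "chr_file", "blk_file",
                    "sock_file", "fifo_file"}

AVC = re.compile(
    r"^type=AVC msg=audit\((?P<secs>\d+)\.\d+:(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>granted|denied)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LOG = """\
type=AVC msg=audit(1170260000.123:2001): avc:  granted  { write } for  pid=4321 comm="cp" name="ls" dev=sda2 ino=98765 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:bin_t tclass=file
type=AVC msg=audit(1170260000.456:2002): avc:  denied  { execute } for  pid=4330 comm="bash" name="backdoor" dev=sda2 ino=99001 scontext=root:system_r:unconfined_t tcontext=root:object_r:user_home_t tclass=file
type=AVC msg=audit(1170260001.001:2003): avc:  granted  { read } for  pid=4335 comm="cat" name="passwd" dev=sda2 ino=1200 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:etc_t tclass=file
type=AVC msg=audit(1170260002.007:2004): avc:  granted  { setattr } for  pid=4340 comm="chmod" name="libc.so.6" dev=sda2 ino=12345 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:shlib_t tclass=file
"""


def parse_avc(line):
    """Parse one AVC line into a dict, or None if it is not an AVC record."""
    m = AVC.match(line.strip())
    if not m:
        return None
    rec = {"serial": int(m.group("serial")),
           "verdict": m.group("verdict"),
           "perms": set(m.group("perms").split())}
    for key, val in FIELD.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # The type is the third colon-separated component of a context.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def executable_changes(log_text, exec_types=EXECUTABLE_TYPES):
    """Granted modifications of executable-typed objects: the post's goal."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if (rec and rec["verdict"] == "granted"
                and rec["tclass"] in DIR_FILE_CLASSES
                and rec["ttype"] in exec_types
                and rec["perms"] & MODIFY_PERMS):
            hits.append((rec["serial"], rec["comm"], sorted(rec["perms"]),
                         rec["name"], rec["ttype"]))
    return hits


def blocked_executions(log_text):
    """Denied execute: the effect of dropping execute from file_type."""
    return [(r["serial"], r["comm"], r["name"], r["ttype"])
            for r in map(parse_avc, log_text.splitlines())
            if r and r["verdict"] == "denied" and "execute" in r["perms"]]


if __name__ == "__main__":
    for hit in executable_changes(SAMPLE_LOG):
        print("executable modified:", hit)
    for blocked in blocked_executions(SAMPLE_LOG):
        print("execution blocked:", blocked)
```

The volume this produces depends on how often executables legitimately change; package updates will generate a burst, so a report keyed on `comm` and `stype` separates rpm runs from an interactive root shell touching /bin.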
source code control for audit userspace tools
by Tony Jones
I brought this up on #audit but the conversation didn't go anywhere.
It would be nice if there could be some form of source code control for
the changes that occur between revisions of the userspace tools.
Is development internally to RedHat done using any form of source code
control? Or is the development more ad hoc?
Full public source code control would perhaps be beneficial in terms of
fostering community development. Failing this, just having the diffs
per discrete change included in each release would be very helpful.
Possible?
Thanks
Tony
[PATCH 1/2] add SIGNAL syscall class
by Amy Griffis
Add a syscall class for sending signals.
Signed-off-by: Amy Griffis <amy.griffis(a)hp.com>
---
arch/ia64/ia32/audit.c | 5 +++++
arch/ia64/kernel/audit.c | 8 ++++++++
arch/powerpc/kernel/audit.c | 8 ++++++++
arch/s390/kernel/audit.c | 8 ++++++++
arch/sparc64/kernel/audit.c | 8 ++++++++
arch/x86_64/ia32/audit.c | 5 +++++
arch/x86_64/kernel/audit.c | 8 ++++++++
include/asm-generic/audit_signal.h | 3 +++
include/linux/audit.h | 2 ++
lib/audit.c | 6 ++++++
10 files changed, 61 insertions(+), 0 deletions(-)
diff --git a/arch/ia64/ia32/audit.c b/arch/ia64/ia32/audit.c
index 92d7d0c..8850fe4 100644
--- a/arch/ia64/ia32/audit.c
+++ b/arch/ia64/ia32/audit.c
@@ -20,6 +20,11 @@ unsigned ia32_read_class[] = {
~0U
};
+unsigned ia32_signal_class[] = {
+#include <asm-generic/audit_signal.h>
+~0U
+};
+
int ia32_classify_syscall(unsigned syscall)
{
switch(syscall) {
diff --git a/arch/ia64/kernel/audit.c b/arch/ia64/kernel/audit.c
index 0468255..538312a 100644
--- a/arch/ia64/kernel/audit.c
+++ b/arch/ia64/kernel/audit.c
@@ -23,6 +23,11 @@ static unsigned chattr_class[] = {
~0U
};
+static unsigned signal_class[] = {
+#include <asm-generic/audit_signal.h>
+~0U
+};
+
int audit_classify_syscall(int abi, unsigned syscall)
{
#ifdef CONFIG_IA32_SUPPORT
@@ -49,15 +54,18 @@ static int __init audit_classes_init(void)
extern __u32 ia32_write_class[];
extern __u32 ia32_read_class[];
extern __u32 ia32_chattr_class[];
+ extern __u32 ia32_signal_class[];
audit_register_class(AUDIT_CLASS_WRITE_32, ia32_write_class);
audit_register_class(AUDIT_CLASS_READ_32, ia32_read_class);
audit_register_class(AUDIT_CLASS_DIR_WRITE_32, ia32_dir_class);
audit_register_class(AUDIT_CLASS_CHATTR_32, ia32_chattr_class);
+ audit_register_class(AUDIT_CLASS_SIGNAL_32, ia32_signal_class);
#endif
audit_register_class(AUDIT_CLASS_WRITE, write_class);
audit_register_class(AUDIT_CLASS_READ, read_class);
audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class);
audit_register_class(AUDIT_CLASS_CHATTR, chattr_class);
+ audit_register_class(AUDIT_CLASS_SIGNAL, signal_class);
return 0;
}
diff --git a/arch/powerpc/kernel/audit.c b/arch/powerpc/kernel/audit.c
index 7fe5e63..66d54ba 100644
--- a/arch/powerpc/kernel/audit.c
+++ b/arch/powerpc/kernel/audit.c
@@ -23,6 +23,11 @@ static unsigned chattr_class[] = {
~0U
};
+static unsigned signal_class[] = {
+#include <asm-generic/audit_signal.h>
+~0U
+};
+
int audit_classify_syscall(int abi, unsigned syscall)
{
#ifdef CONFIG_PPC64
@@ -51,15 +56,18 @@ static int __init audit_classes_init(void)
extern __u32 ppc32_write_class[];
extern __u32 ppc32_read_class[];
extern __u32 ppc32_chattr_class[];
+ extern __u32 ppc32_signal_class[];
audit_register_class(AUDIT_CLASS_WRITE_32, ppc32_write_class);
audit_register_class(AUDIT_CLASS_READ_32, ppc32_read_class);
audit_register_class(AUDIT_CLASS_DIR_WRITE_32, ppc32_dir_class);
audit_register_class(AUDIT_CLASS_CHATTR_32, ppc32_chattr_class);
+ audit_register_class(AUDIT_CLASS_SIGNAL_32, ppc32_signal_class);
#endif
audit_register_class(AUDIT_CLASS_WRITE, write_class);
audit_register_class(AUDIT_CLASS_READ, read_class);
audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class);
audit_register_class(AUDIT_CLASS_CHATTR, chattr_class);
+ audit_register_class(AUDIT_CLASS_SIGNAL, signal_class);
return 0;
}
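Review bot: `ppc32_signal_class` is declared `extern` and registered here, but the diffstat shows no change to arch/powerpc/kernel/compat_audit.c, which is where the other `ppc32_*_class` tables live, so a CONFIG_PPC64 kernel will fail to link with an undefined reference to `ppc32_signal_class`. Add the table there in the same form as the ia32 hunks in this patch (`unsigned ppc32_signal_class[] = { #include <asm-generic/audit_signal.h> ~0U };`).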
diff --git a/arch/s390/kernel/audit.c b/arch/s390/kernel/audit.c
index 0741d91..7affafe 100644
--- a/arch/s390/kernel/audit.c
+++ b/arch/s390/kernel/audit.c
@@ -23,6 +23,11 @@ static unsigned chattr_class[] = {
~0U
};
+static unsigned signal_class[] = {
+#include <asm-generic/audit_signal.h>
+~0U
+};
+
int audit_classify_syscall(int abi, unsigned syscall)
{
#ifdef CONFIG_COMPAT
@@ -51,15 +56,18 @@ static int __init audit_classes_init(void)
extern __u32 s390_write_class[];
extern __u32 s390_read_class[];
extern __u32 s390_chattr_class[];
+ extern __u32 s390_signal_class[];
audit_register_class(AUDIT_CLASS_WRITE_32, s390_write_class);
audit_register_class(AUDIT_CLASS_READ_32, s390_read_class);
audit_register_class(AUDIT_CLASS_DIR_WRITE_32, s390_dir_class);
audit_register_class(AUDIT_CLASS_CHATTR_32, s390_chattr_class);
+ audit_register_class(AUDIT_CLASS_SIGNAL_32, s390_signal_class);
#endif
audit_register_class(AUDIT_CLASS_WRITE, write_class);
audit_register_class(AUDIT_CLASS_READ, read_class);
audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class);
audit_register_class(AUDIT_CLASS_CHATTR, chattr_class);
+ audit_register_class(AUDIT_CLASS_SIGNAL, signal_class);
return 0;
}
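Review bot: same problem as on powerpc: `s390_signal_class` is referenced under CONFIG_COMPAT but the patch never defines it, since arch/s390/kernel/compat_audit.c, where the existing `s390_*_class` tables are, is not in the diffstat. Add the table there or the compat build will not link.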
diff --git a/arch/sparc64/kernel/audit.c b/arch/sparc64/kernel/audit.c
index aef19cc..d57a9da 100644
--- a/arch/sparc64/kernel/audit.c
+++ b/arch/sparc64/kernel/audit.c
@@ -23,6 +23,11 @@ static unsigned chattr_class[] = {
~0U
};
+static unsigned signal_class[] = {
+#include <asm-generic/audit_signal.h>
+~0U
+};
+
int audit_classify_syscall(int abi, unsigned syscall)
{
#ifdef CONFIG_SPARC32_COMPAT
@@ -51,15 +56,18 @@ static int __init audit_classes_init(void)
extern __u32 sparc32_write_class[];
extern __u32 sparc32_read_class[];
extern __u32 sparc32_chattr_class[];
+ extern __u32 sparc32_signal_class[];
audit_register_class(AUDIT_CLASS_WRITE_32, sparc32_write_class);
audit_register_class(AUDIT_CLASS_READ_32, sparc32_read_class);
audit_register_class(AUDIT_CLASS_DIR_WRITE_32, sparc32_dir_class);
audit_register_class(AUDIT_CLASS_CHATTR_32, sparc32_chattr_class);
+ audit_register_class(AUDIT_CLASS_SIGNAL_32, sparc32_signal_class);
#endif
audit_register_class(AUDIT_CLASS_WRITE, write_class);
audit_register_class(AUDIT_CLASS_READ, read_class);
audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class);
audit_register_class(AUDIT_CLASS_CHATTR, chattr_class);
+ audit_register_class(AUDIT_CLASS_SIGNAL, signal_class);
return 0;
}
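Review bot: `sparc32_signal_class` is declared and registered under CONFIG_SPARC32_COMPAT but not defined anywhere in this patch; the other `sparc32_*_class` tables are in arch/sparc64/kernel/compat_audit.c, which the diffstat does not touch. Add the table there alongside them so the compat build links.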
diff --git a/arch/x86_64/ia32/audit.c b/arch/x86_64/ia32/audit.c
index 92d7d0c..8850fe4 100644
--- a/arch/x86_64/ia32/audit.c
+++ b/arch/x86_64/ia32/audit.c
@@ -20,6 +20,11 @@ unsigned ia32_read_class[] = {
~0U
};
+unsigned ia32_signal_class[] = {
+#include <asm-generic/audit_signal.h>
+~0U
+};
+
int ia32_classify_syscall(unsigned syscall)
{
switch(syscall) {
diff --git a/arch/x86_64/kernel/audit.c b/arch/x86_64/kernel/audit.c
index 21f3338..b970de6 100644
--- a/arch/x86_64/kernel/audit.c
+++ b/arch/x86_64/kernel/audit.c
@@ -23,6 +23,11 @@ static unsigned chattr_class[] = {
~0U
};
+static unsigned signal_class[] = {
+#include <asm-generic/audit_signal.h>
+~0U
+};
+
int audit_classify_syscall(int abi, unsigned syscall)
{
#ifdef CONFIG_IA32_EMULATION
@@ -49,15 +54,18 @@ static int __init audit_classes_init(void)
extern __u32 ia32_write_class[];
extern __u32 ia32_read_class[];
extern __u32 ia32_chattr_class[];
+ extern __u32 ia32_signal_class[];
audit_register_class(AUDIT_CLASS_WRITE_32, ia32_write_class);
audit_register_class(AUDIT_CLASS_READ_32, ia32_read_class);
audit_register_class(AUDIT_CLASS_DIR_WRITE_32, ia32_dir_class);
audit_register_class(AUDIT_CLASS_CHATTR_32, ia32_chattr_class);
+ audit_register_class(AUDIT_CLASS_SIGNAL_32, ia32_signal_class);
#endif
audit_register_class(AUDIT_CLASS_WRITE, write_class);
audit_register_class(AUDIT_CLASS_READ, read_class);
audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class);
audit_register_class(AUDIT_CLASS_CHATTR, chattr_class);
+ audit_register_class(AUDIT_CLASS_SIGNAL, signal_class);
return 0;
}
diff --git a/include/asm-generic/audit_signal.h b/include/asm-generic/audit_signal.h
new file mode 100644
index 0000000..6feab7f
--- /dev/null
+++ b/include/asm-generic/audit_signal.h
@@ -0,0 +1,3 @@
+__NR_kill,
+__NR_tgkill,
+__NR_tkill,
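Review bot: the class lists kill, tgkill and tkill but leaves out rt_sigqueueinfo, which also delivers a signal to a chosen pid (it is what sigqueue(3) calls), so a process signalling another through it would not match AUDIT_CLASS_SIGNAL. Add `__NR_rt_sigqueueinfo,` here; every arch in this series defines it, and the generic header is the single place to keep the list complete.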
diff --git a/include/linux/audit.h b/include/linux/audit.h
index aa205cd..0194a9b 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -147,6 +147,8 @@
#define AUDIT_CLASS_READ_32 5
#define AUDIT_CLASS_WRITE 6
#define AUDIT_CLASS_WRITE_32 7
+#define AUDIT_CLASS_SIGNAL 8
+#define AUDIT_CLASS_SIGNAL_32 9
/* This bitmask is used to validate user input. It represents all bits that
* are currently used in an audit field constant understood by the kernel.
diff --git a/lib/audit.c b/lib/audit.c
index 3b1289f..50e9152 100644
--- a/lib/audit.c
+++ b/lib/audit.c
@@ -23,6 +23,11 @@ static unsigned chattr_class[] = {
~0U
};
+static unsigned signal_class[] = {
+#include <asm-generic/audit_signal.h>
+~0U
+};
+
int audit_classify_syscall(int abi, unsigned syscall)
{
switch(syscall) {
@@ -49,6 +54,7 @@ static int __init audit_classes_init(void)
audit_register_class(AUDIT_CLASS_READ, read_class);
audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class);
audit_register_class(AUDIT_CLASS_CHATTR, chattr_class);
+ audit_register_class(AUDIT_CLASS_SIGNAL, signal_class);
return 0;
}
--
1.4.4.4
RHEL-AS-4.4 and auditd-1.0.14
by Simon Jones
Hi,
We have been having some OOM problems over the last week. We think
it is stemming from auditd-1.0.14.
I've had a quick look over the archives and couldn't find anything,
so if this has already been fixed, please be kind...
I went from using the standard CAPP.rules example file to the
following audit.rules file:
-D
-w /etc -p w -k ETC
-w /etc/sysconfig -p w -k SYSCONFIG
-w /caer/e/cnf -p w -k DMS_CNF
-w /caer/g/cnf -p w -k GAS_CNF
-w /bin/su -p x -k SBIN
A glance at cat /proc/slabinfo shows that there may be a memory leak:
After two minutes:
size-32 13447 13447 32 119 1 : tunables 120 60 8 : slabdata 113 113 0
After several hours:
size-32 18598891 18599105 32 119 1 : tunables 120 60 8 : slabdata 156295 156295 0
Whereas on a server not running the auditd daemon a cat /proc/slabinfo gives:
After two minutes:
size-32 3556 3808 32 119 1 : tunables 120 60 8 : slabdata 32 32 0
After several hours:
size-32 3601 3808 32 119 1 : tunables 120 60 8 : slabdata 32 32 0
OOM starts killing off processes (seemingly at random) even though
there appears to be plenty of memory free (physical and swap).
The above tests are on DELL 1650's with 2GB of RAM running
2.6.9-42.ELsmp #1 SMP.
I found this https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=193542#c15 bug
that seems to have a similar problem... Anyone else come across this
issue? If so has it been fixed in 1.0.15?
As I mentioned, using the following rules file seems to be
significantly more stable, (so perhaps my rules file has something to
do with it too):
This is the original rules file:
##
## This file contains a sample audit configuration. Combined with the
## system events that are audited by default, this set of rules causes
## audit to generate records for the auditable events specified by the
## Controlled Access Protection Profile (CAPP).
##
## It should be noted that this set of rules identifies directories by
## leaving a / at the end of the path. These need to be updated to be
## a watch for each file in that directory. This is because a watch on
## a directory only triggers when the directory's inode is updated with
## meta data. To have accurate events, a watch should be place on each
## file. Because each installation is different, we leave that as a
## site customization.
##
## Remove any existing rules
-D
## Increase buffer size to handle the increased number of messages.
## Feel free to increase this if the machine panics
-b 8192
## Set failure mode to panic
-f 2
##
## FAU_SAR.1, FAU_SAR.2, FMT_MTD.1
## successful and unsuccessful attempts to read information from the
## audit records; all modifications to the audit trail
##
# -w /var/log/audit/ -k LOG_audit
#-w /var/log/audit/audit_log -k LOG_audit_log
#-w /var/log/audit/audit_log.1 -k LOG_audit_log
#-w /var/log/audit/audit_log.2 -k LOG_audit_log
#-w /var/log/audit/audit_log.3 -k LOG_audit_log
#-w /var/log/audit/audit_log.4 -k LOG_audit_log
##
## FAU_SEL.1, FMT_MTD.1
## modifications to audit configuration that occur while the audit
## collection functions are operating; all modications to the set of
## audited events
##
-w /etc/auditd.conf -k CFG_auditd.conf
-w /etc/audit.rules -k CFG_audit.rules
##
## FDP_ACF.1, FMT_MSA.1, FMT_MTD.1, FMT_REV.1
## all requests to perform an operation on an object covered by the
## SFP; all modifications of the values of security attributes;
## modifications to TSF data; attempts to revoke security attributes
##
## Objects covered by the Security Functional Policy (SFP) are:
## - File system objects (files, directories, special files, extended
##   attributes)
## - IPC objects (SYSV shared memory, message queues, and semaphores)
## Operations on file system objects - by default, only monitor
## files and directories covered by filesystem watches. Replace
## "possible" with "always" to create audit records for all uses of this
## syscall.
## Changes in ownership and permissions
-a entry,possible -S chmod
-a entry,possible -S fchmod
-a entry,possible -S chown
-a entry,possible -S chown32
-a entry,possible -S fchown
-a entry,possible -S fchown32
-a entry,possible -S lchown
-a entry,possible -S lchown32
## For x86_64,ia64 architectures, disable any *32 rules above
## File content modification. Permissions are checked at open time,
## monitoring individual read/write calls is not useful.
-a entry,possible -S creat
-a entry,possible -S open
-a entry,possible -S truncate
-a entry,possible -S truncate64
-a entry,possible -S ftruncate
-a entry,possible -S ftruncate64
## For x86_64,ia64 architectures, disable any *64 rules above
## directory operations
-a entry,possible -S mkdir
-a entry,possible -S rmdir
## moving, removing, and linking
-a entry,possible -S unlink
-a entry,possible -S rename
-a entry,possible -S link
-a entry,possible -S symlink
## Extended attribute operations
## Enable if you are interested in these events
#-a entry,always -S setxattr
#-a entry,always -S lsetxattr
#-a entry,always -S fsetxattr
#-a entry,always -S removexattr
#-a entry,always -S lremovexattr
#-a entry,always -S fremovexattr
## special files
-a entry,always -S mknod
## Other file system operations
-a entry,always -S mount
-a entry,always -S umount
-a entry,always -S umount2
## For x86_64 architecture, disable umount rule
## For ia64 architecture, disable umount2 rule
## SYSV message queues
## Enable if you are interested in these events (x86)
## msgctl
#-a entry,always -S ipc -F a0=14
## msgget
#-a entry,always -S ipc -F a0=13
## Enable if you are interested in these events (x86_64,ia64)
#-a entry,always -S msgctl
#-a entry,always -S msgget
## SYSV semaphores
## Enable if you are interested in these events (x86)
## semctl
#-a entry,always -S ipc -F a0=3
## semget
#-a entry,always -S ipc -F a0=2
## semop
#-a entry,always -S ipc -F a0=1
## semtimedop
#-a entry,always -S ipc -F a0=4
## Enable if you are interested in these events (x86_64, ia64)
#-a entry,always -S semctl
#-a entry,always -S semget
#-a entry,always -S semop
#-a entry,always -S semtimedop
## SYSV shared memory
## Enable if you are interested in these events (x86)
## shmctl
#-a entry,always -S ipc -F a0=24
## shmget
#-a entry,always -S ipc -F a0=23
## Enable if you are interested in these events (x86_64, ia64)
#-a entry,always -S shmctl
#-a entry,always -S shmget
##
## FIA_USB.1
## success and failure of binding user security attributes to a subject
##
## Enable if you are interested in these events
##
#-a entry,always -S clone
#-a entry,always -S fork
#-a entry,always -S vfork
## For ia64 architecture, disable fork and vfork rules above, and
## enable the following:
#-a entry,always -S clone2
##
## FMT_MSA.3
## modifications of the default setting of permissive or restrictive
## rules, all modifications of the initial value of security attributes
##
## Enable if you are interested in these events
##
#-a entry,always -S umask
##
## FPT_STM.1
## changes to the time
##
-a entry,always -S adjtimex
-a entry,always -S settimeofday
##
## FTP_ITC.1
## set-up of trusted channel
##
-w /usr/sbin/stunnel -p x
-a entry,possible -S execve
##
## Security Databases
##
## at configuration & scheduled jobs
-w /var/spool/at -k LOG_at
-w /etc/at.allow -k CFG_at.allow
-w /etc/at.deny -k CFG_at.deny
## cron configuration & scheduled jobs
-w /etc/cron.allow -p wa -k CFG_cron.allow
-w /etc/cron.deny -p wa -k CFG_cron.deny
-w /etc/cron.d/ -p wa -k CFG_cron.d
-w /etc/cron.daily/ -p wa -k CFG_cron.daily
-w /etc/cron.hourly/ -p wa -k CFG_cron.hourly
-w /etc/cron.monthly/ -p wa -k CFG_cron.monthly
-w /etc/cron.weekly/ -p wa -k CFG_cron.weekly
-w /etc/crontab -p wa -k CFG_crontab
-w /var/spool/cron/root -k CFG_crontab_root
## user, group, password databases
-w /etc/group -p wa -k CFG_group
-w /etc/passwd -p wa -k CFG_passwd
-w /etc/gshadow -k CFG_gshadow
-w /etc/shadow -k CFG_shadow
-w /etc/security/opasswd -k CFG_opasswd
## login configuration and information
-w /etc/login.defs -p wa -k CFG_login.defs
-w /etc/securetty -k CFG_securetty
-w /var/log/faillog -k LOG_faillog
-w /var/log/lastlog -k LOG_lastlog
## network configuration
-w /etc/hosts -p wa -k CFG_hosts
-w /etc/sysconfig/
## system startup scripts
-w /etc/inittab -p wa -k CFG_inittab
-w /etc/rc.d/init.d/
-w /etc/rc.d/init.d/auditd -p wa -k CFG_initd_auditd
## library search paths
-w /etc/ld.so.conf -p wa -k CFG_ld.so.conf
## local time zone
-w /etc/localtime -p wa -k CFG_localtime
## kernel parameters
-w /etc/sysctl.conf -p wa -k CFG_sysctl.conf
## modprobe configuration
-w /etc/modprobe.conf -p wa -k CFG_modprobe.conf
## pam configuration
-w /etc/pam.d/
## postfix configuration
-w /etc/aliases -p wa -k CFG_aliases
-w /etc/postfix/ -p wa -k CFG_postfix
## ssh configuration
-w /etc/ssh/sshd_config -k CFG_sshd_config
## stunnel configuration
-w /etc/stunnel/stunnel.conf -k CFG_stunnel.conf
-w /etc/stunnel/stunnel.pem -k CFG_stunnel.pem
## vsftpd configuration
#-w /etc/vsftpd.ftpusers -k CFG_vsftpd.ftpusers
#-w /etc/vsftpd/vsftpd.conf -k CFG_vsftpd.conf
## Not specifically required by CAPP; but common sense items
-a exit,always -S sethostname
-w /etc/issue -p wa -k CFG_issue
-w /etc/issue.net -p wa -k CFG_issue.net
## Put your own watches after this point
Regards,
Simon.
17 years, 10 months
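The comments in the rules above ask the reader to hand-edit the file per architecture (drop the *32 and *64 compat calls, keep one of umount/umount2, swap fork/vfork for clone2 on ia64, and on x86 express the SYSV IPC calls through ipc(2) with the listed a0 values). The following POSIX sh helper does that rewriting mechanically; it is an added example, not part of Simon's rules file or of the audit package, and its sample rule list is constructed.

```shell
#!/bin/sh
# Added example (not from the rules file or the audit project): turn one generic
# rule list into the architecture-specific variant the rules file's comments
# describe, for x86, x86_64 or ia64.

# ipc(2) call numbers, exactly as listed in the rules file's comments (x86 only).
ipc_number() {
    case "$1" in
        semop)  echo 1 ;;  semget) echo 2 ;;  semctl) echo 3 ;;  semtimedop) echo 4 ;;
        msgget) echo 13 ;; msgctl) echo 14 ;; shmget) echo 23 ;; shmctl) echo 24 ;;
        *)      echo "" ;;
    esac
}

# arch_rules ARCH: reads generic rules on stdin, writes the per-arch rules to
# stdout. Comments and -w watches pass through unchanged; a syscall rule that
# is commented out with a leading '#' is still translated or dropped, so the
# "enable if interested" blocks stay correct for the target architecture.
arch_rules() {
    arch="$1"
    while IFS= read -r line; do
        sc=$(printf '%s\n' "$line" | sed -n 's/^#*-a .*-S \([A-Za-z0-9_]*\).*/\1/p')
        if [ -z "$sc" ]; then printf '%s\n' "$line"; continue; fi
        case "$arch:$sc" in
            x86_64:*32|ia64:*32|x86_64:*64|ia64:*64) continue ;;       # no compat calls
            x86_64:umount|ia64:umount2)              continue ;;       # one umount each
            ia64:fork|ia64:vfork|x86:clone2|x86_64:clone2) continue ;; # ia64 uses clone2
        esac
        num=$(ipc_number "$sc")
        if [ "$arch" = x86 ] && [ -n "$num" ]; then
            # x86 multiplexes the SYSV IPC calls through ipc(2), selected by a0.
            line=$(printf '%s\n' "$line" | sed "s/-S $sc/-S ipc -F a0=$num/")
        fi
        printf '%s\n' "$line"
    done
}

# Constructed sample covering each case the comments mention.
SAMPLE='-a entry,possible -S chown
-a entry,possible -S chown32
-a entry,always -S umount
-a entry,always -S umount2
#-a entry,always -S msgctl
#-a entry,always -S fork
#-a entry,always -S clone2
-w /etc/shadow -k CFG_shadow'

printf '%s\n' "$SAMPLE" | arch_rules "${1:-x86_64}"
```

Run it as `sh arch_rules.sh ia64` (or pipe the real rules file into `arch_rules`) and compare the output against the hand-edited file before loading it with auditctl.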
Auditd 1.0.15 in RHEL4 U4
by Matthew Booth
I have a requirement to stream audit logs from RHEL 4. The product will
have to be deployed before RHEL 4.5 is likely to be released, so I
expect I will have to import the 4.5 rpm into U4. Will this work without
any other 4.5 updates?
Also, I had a quick flick through the dispatcher example. I note that
it's shipping binary logs. This is great from a storage POV; however, it
wasn't clear to me how this would tie in with the existing audit tools.
If I simply dump the binary data to a file, can I easily:
* Turn it into text?
* Process it with aureport/ausearch?
Also, as far as you're aware, has anybody already implemented the simplest
possible centralised log server, i.e.:
* Stream uncompressed, unencrypted, unauthenticated audit logs to server
* Write 1 log file per client audit daemon
* Rotate on signal, respecting message boundaries
I'll be writing this if not.
Thanks,
Matt
--
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
17 years, 10 months