March 2007 - Linux-audit - Linux-Audit List Archives

[PATCH] audit=0 appears not to completely disable auditing

by Steve Grubb

Hi, There was a bz, 231371, reporting that current upstream kernels do not completely disable auditing when boot with audit=0 and the audit daemon not configured to run. You can reproduce the problem by: service auditd stop auditctl -e 0 auditctl -w /etc/passwd and you'd get an event in syslog: Mar 9 15:43:04 localhost kernel: audit(1173472984.321:982): auid=4294967295 subj=user_u:system_r:auditctl_t:s0 op=add rule key=(null) list=4 res=1 The patch below solves this problem by checking audit_enabled before creating an audit event. Signed-off-by: Steve Grubb <sgrubb(a)redhat.com> diff -urp linux-2.6.18.x86_64.orig/kernel/audit.c linux-2.6.18.x86_64/kernel/audit.c --- linux-2.6.18.x86_64.orig/kernel/audit.c 2007-03-09 14:08:18.000000000 -0500 +++ linux-2.6.18.x86_64/kernel/audit.c 2007-03-09 14:06:59.000000000 -0500 @@ -238,46 +238,50 @@ void audit_log_lost(const char *message) static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid) { - int old = audit_rate_limit; + if (audit_enabled) { + int old = audit_rate_limit; - if (sid) { - char *ctx = NULL; - u32 len; - int rc; - if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) - return rc; - else - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, + if (sid) { + char *ctx = NULL; + u32 len; + int rc; + if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) + return rc; + else + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, "audit_rate_limit=%d old=%d by auid=%u subj=%s", - limit, old, loginuid, ctx); - kfree(ctx); - } else - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, - "audit_rate_limit=%d old=%d by auid=%u", - limit, old, loginuid); + limit, old, loginuid, ctx); + kfree(ctx); + } else + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, + "audit_rate_limit=%d old=%d by auid=%u", + limit, old, loginuid); + } audit_rate_limit = limit; return 0; } static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid) { - int old = audit_backlog_limit; + if (audit_enabled) { + int old = audit_backlog_limit; - if (sid) { - char *ctx = NULL; - u32 len; - int rc; - if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) - return rc; - else - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, + if (sid) { + char *ctx = NULL; + u32 len; + int rc; + if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) + return rc; + else + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, "audit_backlog_limit=%d old=%d by auid=%u subj=%s", - limit, old, loginuid, ctx); - kfree(ctx); - } else - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, - "audit_backlog_limit=%d old=%d by auid=%u", - limit, old, loginuid); + limit, old, loginuid, ctx); + kfree(ctx); + } else + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, + "audit_backlog_limit=%d old=%d by auid=%u", + limit, old, loginuid); + } audit_backlog_limit = limit; return 0; } @@ -289,21 +293,23 @@ static int audit_set_enabled(int state, if (state != 0 && state != 1) return -EINVAL; - if (sid) { - char *ctx = NULL; - u32 len; - int rc; - if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) - return rc; - else - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, + if (audit_enabled || state) { + if (sid) { + char *ctx = NULL; + u32 len; + int rc; + if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) + return rc; + else + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, "audit_enabled=%d old=%d by auid=%u subj=%s", - state, old, loginuid, ctx); - kfree(ctx); - } else - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, - "audit_enabled=%d old=%d by auid=%u", - state, old, loginuid); + state, old, loginuid, ctx); + kfree(ctx); + } else + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, + "audit_enabled=%d old=%d by auid=%u", + state, old, loginuid); + } audit_enabled = state; return 0; } @@ -317,21 +323,23 @@ static int audit_set_failure(int state, && state != AUDIT_FAIL_PANIC) return -EINVAL; - if (sid) { - char *ctx = NULL; - u32 len; - int rc; - if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) - return rc; - else - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, + if (audit_enabled) { + if (sid) { + char *ctx = NULL; + u32 len; + int rc; + if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) + return rc; + else + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, "audit_failure=%d old=%d by auid=%u subj=%s", - state, old, loginuid, ctx); - kfree(ctx); - } else - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, - "audit_failure=%d old=%d by auid=%u", - state, old, loginuid); + state, old, loginuid, ctx); + kfree(ctx); + } else + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, + "audit_failure=%d old=%d by auid=%u", + state, old, loginuid); + } audit_failure = state; return 0; } @@ -536,22 +544,26 @@ static int audit_receive_msg(struct sk_b if (err < 0) return err; } if (status_get->mask & AUDIT_STATUS_PID) { - int old = audit_pid; - if (sid) { - if ((err = selinux_ctxid_to_string( - sid, &ctx, &len))) - return err; - else + if (audit_enabled) { + int old = audit_pid; + if (sid) { + if ((err = selinux_ctxid_to_string( + sid, &ctx, &len))) + return err; + else + audit_log(NULL, GFP_KERNEL, + AUDIT_CONFIG_CHANGE, + "audit_pid=%d old=%d by auid=%u subj=%s", + status_get->pid, old, + loginuid, ctx); + kfree(ctx); + } else audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, - "audit_pid=%d old=%d by auid=%u subj=%s", - status_get->pid, old, - loginuid, ctx); - kfree(ctx); - } else - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, "audit_pid=%d old=%d by auid=%u", - status_get->pid, old, loginuid); + status_get->pid, old, + loginuid); + } audit_pid = status_get->pid; } if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) diff -urp linux-2.6.18.x86_64.orig/kernel/auditfilter.c linux-2.6.18.x86_64/kernel/auditfilter.c --- linux-2.6.18.x86_64.orig/kernel/auditfilter.c 2007-03-09 14:08:18.000000000 -0500 +++ linux-2.6.18.x86_64/kernel/auditfilter.c 2007-03-09 14:05:54.000000000 -0500 @@ -95,6 +95,8 @@ extern struct inotify_handle *audit_ih; /* Inotify events we care about. */ #define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF +extern int audit_enabled; + void audit_free_parent(struct inotify_watch *i_watch) { struct audit_parent *parent; @@ -897,7 +899,6 @@ static void audit_update_watch(struct au struct audit_watch *owatch, *nwatch, *nextw; struct audit_krule *r, *nextr; struct audit_entry *oentry, *nentry; - struct audit_buffer *ab; mutex_lock(&audit_filter_mutex); list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) { @@ -937,13 +938,18 @@ static void audit_update_watch(struct au call_rcu(&oentry->rcu, audit_free_rule_rcu); } - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); - audit_log_format(ab, "op=updated rules specifying path="); - audit_log_untrustedstring(ab, owatch->path); - audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino); - audit_log_format(ab, " list=%d res=1", r->listnr); - audit_log_end(ab); - + if (audit_enabled) { + struct audit_buffer *ab; + ab = audit_log_start(NULL, GFP_KERNEL, + AUDIT_CONFIG_CHANGE); + audit_log_format(ab, + "op=updated rules specifying path="); + audit_log_untrustedstring(ab, owatch->path); + audit_log_format(ab, " with dev=%u ino=%lu\n", + dev, ino); + audit_log_format(ab, " list=%d res=1", r->listnr); + audit_log_end(ab); + } audit_remove_watch(owatch); goto add_watch_to_parent; /* event applies to a single watch */ } @@ -962,25 +968,28 @@ static void audit_remove_parent_watches( struct audit_watch *w, *nextw; struct audit_krule *r, *nextr; struct audit_entry *e; - struct audit_buffer *ab; mutex_lock(&audit_filter_mutex); parent->flags |= AUDIT_PARENT_INVALID; list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { list_for_each_entry_safe(r, nextr, &w->rules, rlist) { e = container_of(r, struct audit_entry, rule); - - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); - audit_log_format(ab, "op=remove rule path="); - audit_log_untrustedstring(ab, w->path); - if (r->filterkey) { - audit_log_format(ab, " key="); - audit_log_untrustedstring(ab, r->filterkey); - } else - audit_log_format(ab, " key=(null)"); - audit_log_format(ab, " list=%d res=1", r->listnr); - audit_log_end(ab); - + if (audit_enabled) { + struct audit_buffer *ab; + ab = audit_log_start(NULL, GFP_KERNEL, + AUDIT_CONFIG_CHANGE); + audit_log_format(ab, "op=remove rule path="); + audit_log_untrustedstring(ab, w->path); + if (r->filterkey) { + audit_log_format(ab, " key="); + audit_log_untrustedstring(ab, + r->filterkey); + } else + audit_log_format(ab, " key=(null)"); + audit_log_format(ab, " list=%d res=1", + r->listnr); + audit_log_end(ab); + } list_del(&r->rlist); list_del_rcu(&e->list); call_rcu(&e->rcu, audit_free_rule_rcu); @@ -1409,6 +1418,9 @@ static void audit_log_rule_change(uid_t { struct audit_buffer *ab; + if (!audit_enabled) + return; + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); if (!ab) return;

18 years, 6 months

4
5
0 / 0

[RFC] NISPOM audit rules - first draft

by Steve Grubb

Hi, Posting this in case anyone has comments good or bad. This is aimed at current upstream kernels as of 2.6.19 or later. -Steve ## ## This file contains the a sample audit configuration intended to ## meet the NISPOM Chapter 8 rules. ## ## This file should be saved as /etc/audit/audit.rules. ## ## Remove any existing rules -D ## Increase buffer size to handle the increased number of messages. ## Feel free to increase this if the machine panic's -b 8192 ## Audit 1, 1(a) (a) Enough information to determine the date and time ## of action (e.g., common network time), the system locale of the action, ## the system entity that initiated or completed the action, the resources ## involved, and the action involved. ## changes to the time -a entry,always -S adjtimex -S settimeofday -k time-change -w /etc/localtime -p wa -k time-change ## system locale -a exit,always -S sethostname -k system-locale -w /etc/issue -p wa -k CFG_issue -k system-locale -w /etc/issue.net -p wa -k CFG_issue.net -k system-locale ## Audit 1, 1(b) Successful and unsuccessful logons and logoffs. ## This is covered by patches to login, gdm, and openssh ## Audit 1, 1(c) Successful and unsuccessful accesses to ## security-relevant objects and directories, including ## creation, open, close, modification, and deletion. ## unsuccessful creation -a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13 -k creation -a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13 -k creation ## unsuccessful open -a exit,always -S open -F exit=-13 -k open ## unsuccessful close -a exit,always -S close -F exit=-13 -k close ## unsuccessful modifications -a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods -a exit,always -S renameat -F exit=-13 -k mods -a exit,always -F perm=a -F exit=-13 -k mods ## unsuccessful deletion -a exit,always -S rmdir -S unlink -F exit=-13 -k delete -a exit,always -S unlinkat -F exit=-13 -k delete ## Audit 1, 1(d) Changes in user authenticators. ## Covered by patches to libpam ## Audit 1, 1(e) The blocking or blacklisting of a user ID, ## terminal, or access port and the reason for the action. ## Covered by patches to pam_tally ## Audit 1, 1(f) Denial of access resulting from an excessive ## number of unsuccessful logon attempts. ## Covered by patches to pam_tally ## Audit 1, 2 Audit Trail Protection. The contents of audit trails ## shall be protected against unauthorized access, modification, ## or deletion. ## This should be covered by file permissions, but we can watch it ## to see any activity -w /var/log/audit/ -k audit-logs -w /var/log/audit/audit.log -k audit-logs #-w /var/log/audit/audit.log.1 -k audit-logs #-w /var/log/audit/audit.log.2 -k audit-logs #-w /var/log/audit/audit.log.3 -k audit-logs #-w /var/log/audit/audit.log.4 -k audit-logs ## Put your own watches after this point # -w /your-file -p rwxa -k mykey

18 years, 11 months

4
6
0 / 0

[PATCH 0/2] signal audit (v3)

by Amy Griffis

Several changes since last version: - use arch rule field to determine which signal class to check, check both if arch is unspecified - don't check AUDIT_CLASS_SIGNAL_32 if it doesn't exist - group target pids in aux structs (initially 16) - on syscall exit, initialize context's aux ptrs for re-use - don't convert sid to string until we log a record Applies on top of ptrace patch.

18 years, 12 months

1
2
0 / 0

Pull timestamp from audit event

by Kirkwood, David A.

How can I pull the timestamp from a particular audit event. For example: I want to pull all /bin/su events from the audit log for the week with when they occurred. How can I do this? Thanks David A. Kirkwood

19 years

2
1
0 / 0

where can i find the document reference about audit-libs-devel?

by mengzhu929

i have searched it for several days but got nothing. could anyone send me some meterial about it? thanks very much! mengzhu929 2007-03-22

19 years

3
2
0 / 0

auditctl Question

by Khoa V. Nguyen

Hello, I want to be able to audit failed access to /etc/inittab but I don't think the current auditctl features able to accomplish it. auditctl -a watch,always /etc/inittab -F success=no This would be a syntax error..but auditctl -a exit,always -w /etc/inittab -F success=no How can I do it? Thanks, ____________________________________________________________________________________ Need Mail bonding? Go to the Yahoo! Mail Q&A for great tips from Yahoo! Answers users. http://answers.yahoo.com/dir/?link=list&sid=396546091

19 years

2
1
0 / 0

Syscall issues with Audit 1.0.14 and linux 2.6.9-42.0.10

by Walt Powell

All: When using linux kernel-smp-2.6.9-42.0.10.EL and audit-1.0.14-1.EL In the audit.rules files -a entry, always -S chmod errors out. Does not recognize 'chmod'. It works in kernel-smp-2.6.9-42.EL given the same audit rpm Is the syscalls list for 2.6.9-42.0.10.EL radically different, and if so, is there a list of the syscalls available for audit somewhere?

19 years

1
0
0 / 0

audit 1.5.1 released

by Steve Grubb

Hi, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit It will also be in rawhide tomorrow. The Changelog is: - Updated autrace to monitor some *at syscalls in resource mode - Add support in libaudit for AUDIT_BIT_TEST(&=) and AUDIT_MASK_TEST (&) - Finish reworking auditd config parser - In auparse, interpret open, fcntl, and clone flags - In auparse, when interpreting execve record types, run args through unencode - Add support for OBJ_PID message type - Event dispatcher updates Please let me know if there are any problems with this release. -Steve

19 years

1
0
0 / 0

Writtign to audit with an application

by geckiv

I was wondering if anyone had a good example of how to write to the audit log on linux for a custom application wanting to log events. Also how that would work. I found a little information but I have been unable to get anything to work properly. Does it write to the demon then write to the /var/log/auit/audit.log? Also how do yo set this up so not just any one or any process write to that log? Thanks, Frank

19 years

2
7
0 / 0

[PATCH 0/4] audit obj cleanups

by Amy Griffis

Re-posting patches to clean up auditing for syscall objects. - stop logging bogus object labels - handle edge cases for xattr and mqueue calls - try harder to log only 1 PATH record per object Rebased to current git and folded memory corruption fix from Al.

19 years

1
4
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit March 2007