[PATCH] Abnormal End of Processes
by Steve Grubb
Hi,
I have been working on some code that detects abnormal events based on audit
system events. One kind of event that we currently have no visibility for is
when a program terminates due to segfault - which should never happen on a
production machine. And if it did, you'd want to investigate it. Attached is a
patch that collects these events and sends them into the audit system.
Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>
diff -urp linux-2.6.20.i686.orig/fs/exec.c linux-2.6.20.i686/fs/exec.c
--- linux-2.6.20.i686.orig/fs/exec.c 2007-04-19 09:34:51.000000000 -0400
+++ linux-2.6.20.i686/fs/exec.c 2007-04-19 09:27:26.000000000 -0400
@@ -1458,6 +1458,10 @@ int do_coredump(long signr, int exit_cod
int fsuid = current->fsuid;
int flag = 0;
int ispipe = 0;
+ extern int audit_enabled;
+
+ if (unlikely(audit_enabled) && signr != SIGQUIT && signr != SIGABRT)
+ audit_core_dumps(signr);
binfmt = current->binfmt;
if (!binfmt || !binfmt->core_dump)
diff -urp linux-2.6.20.i686.orig/include/linux/audit.h linux-2.6.20.i686/include/linux/audit.h
--- linux-2.6.20.i686.orig/include/linux/audit.h 2007-04-19 09:35:13.000000000 -0400
+++ linux-2.6.20.i686/include/linux/audit.h 2007-04-19 09:33:12.000000000 -0400
@@ -111,6 +111,7 @@
#define AUDIT_FIRST_KERN_ANOM_MSG 1700
#define AUDIT_LAST_KERN_ANOM_MSG 1799
#define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
+#define AUDIT_ANOM_ABEND 1701 /* Process ended abnormally */
#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
@@ -376,6 +377,7 @@ static inline void audit_inode_update(co
if (unlikely(!audit_dummy_context()))
__audit_inode_update(inode);
}
+void audit_core_dumps(long signr);
/* Private API (for audit.c only) */
extern unsigned int audit_serial(void);
@@ -461,6 +463,7 @@ extern int audit_n_rules;
#define audit_inode(n,i) do { ; } while (0)
#define audit_inode_child(d,i,p) do { ; } while (0)
#define audit_inode_update(i) do { ; } while (0)
+#define audit_core_dumps(i) do { ; } while (0)
#define auditsc_get_stamp(c,t,s) do { BUG(); } while (0)
#define audit_get_loginuid(c) ({ -1; })
#define audit_log_task_context(b) do { ; } while (0)
diff -urp linux-2.6.20.i686.orig/kernel/auditsc.c linux-2.6.20.i686/kernel/auditsc.c
--- linux-2.6.20.i686.orig/kernel/auditsc.c 2007-04-19 09:35:27.000000000 -0400
+++ linux-2.6.20.i686/kernel/auditsc.c 2007-04-19 09:30:42.000000000 -0400
@@ -1935,3 +1935,36 @@ void __audit_signal_info(int sig, struct
selinux_get_task_sid(tsk, &audit_sig_sid);
}
}
+
+/**
+ * audit_core_dumps - record information about processes that end abnormally
+ * @sig: signal value
+ *
+ * If a process ends with a core dump, something fishy is going on and we
+ * should record the event for investigation.
+ */
+void audit_core_dumps(long signr)
+{
+ struct audit_buffer *ab;
+ u32 sid;
+
+ ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
+ audit_log_format(ab, "auid=%u uid=%u gid=%u",
+ audit_get_loginuid(current->audit_context),
+ current->uid, current->gid);
+ selinux_get_task_sid(current, &sid);
+ if (sid) {
+ char *ctx = NULL;
+ u32 len;
+
+ if (selinux_sid_to_string(sid, &ctx, &len))
+ audit_log_format(ab, " ssid=%u", sid);
+ else
+ audit_log_format(ab, " subj=%s", ctx);
+ kfree(ctx);
+ }
+ audit_log_format(ab, " pid=%d comm=", current->pid);
+ audit_log_untrustedstring(ab, current->comm);
+ audit_log_format(ab, " sig=%ld", signr);
+ audit_log_end(ab);
+}
18 years, 10 months
[RFC] NISPOM audit rules - first draft
by Steve Grubb
Hi,
Posting this in case anyone has comments good or bad. This is aimed at current
upstream kernels as of 2.6.19 or later.
-Steve
##
## This file contains the a sample audit configuration intended to
## meet the NISPOM Chapter 8 rules.
##
## This file should be saved as /etc/audit/audit.rules.
##
## Remove any existing rules
-D
## Increase buffer size to handle the increased number of messages.
## Feel free to increase this if the machine panic's
-b 8192
## Audit 1, 1(a) (a) Enough information to determine the date and time
## of action (e.g., common network time), the system locale of the action,
## the system entity that initiated or completed the action, the resources
## involved, and the action involved.
## changes to the time
-a entry,always -S adjtimex -S settimeofday -k time-change
-w /etc/localtime -p wa -k time-change
## system locale
-a exit,always -S sethostname -k system-locale
-w /etc/issue -p wa -k CFG_issue -k system-locale
-w /etc/issue.net -p wa -k CFG_issue.net -k system-locale
## Audit 1, 1(b) Successful and unsuccessful logons and logoffs.
## This is covered by patches to login, gdm, and openssh
## Audit 1, 1(c) Successful and unsuccessful accesses to
## security-relevant objects and directories, including
## creation, open, close, modification, and deletion.
## unsuccessful creation
-a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13 -k creation
-a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13 -k creation
## unsuccessful open
-a exit,always -S open -F exit=-13 -k open
## unsuccessful close
-a exit,always -S close -F exit=-13 -k close
## unsuccessful modifications
-a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
-a exit,always -S renameat -F exit=-13 -k mods
-a exit,always -F perm=a -F exit=-13 -k mods
## unsuccessful deletion
-a exit,always -S rmdir -S unlink -F exit=-13 -k delete
-a exit,always -S unlinkat -F exit=-13 -k delete
## Audit 1, 1(d) Changes in user authenticators.
## Covered by patches to libpam
## Audit 1, 1(e) The blocking or blacklisting of a user ID,
## terminal, or access port and the reason for the action.
## Covered by patches to pam_tally
## Audit 1, 1(f) Denial of access resulting from an excessive
## number of unsuccessful logon attempts.
## Covered by patches to pam_tally
## Audit 1, 2 Audit Trail Protection. The contents of audit trails
## shall be protected against unauthorized access, modification,
## or deletion.
## This should be covered by file permissions, but we can watch it
## to see any activity
-w /var/log/audit/ -k audit-logs
-w /var/log/audit/audit.log -k audit-logs
#-w /var/log/audit/audit.log.1 -k audit-logs
#-w /var/log/audit/audit.log.2 -k audit-logs
#-w /var/log/audit/audit.log.3 -k audit-logs
#-w /var/log/audit/audit.log.4 -k audit-logs
## Put your own watches after this point
# -w /your-file -p rwxa -k mykey
18 years, 10 months
Abnormal End of Processes
by Steve Grubb
Hi,
I have been working on some code that detects abnormal events based on
audit system events. One kind of event that we currently have no visibility for is
when a program terminates due to segfault - which should never happen on a
production machine. And if it did, you'd want to investigate it. Attached is a
patch that collects these events and sends them into the audit system.
Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>
diff -urp linux-2.6.18.x86_64.orig/fs/exec.c linux-2.6.18.x86_64/fs/exec.c
--- linux-2.6.18.x86_64.orig/fs/exec.c 2007-04-13 17:26:19.000000000 -0400
+++ linux-2.6.18.x86_64/fs/exec.c 2007-04-13 17:25:34.000000000 -0400
@@ -49,6 +49,7 @@
#include <linux/acct.h>
#include <linux/cn_proc.h>
#include <linux/audit.h>
+#include <linux/selinux.h>
#include <asm/uaccess.h>
#include <asm/mmu_context.h>
@@ -1462,6 +1463,32 @@ int do_coredump(long signr, int exit_cod
int fsuid = current->fsuid;
int flag = 0;
int ispipe = 0;
+ extern int audit_enabled;
+
+ if (unlikely(audit_enabled) && signr != SIGQUIT && signr != SIGABRT) {
+ struct audit_buffer *ab;
+ u32 sid;
+
+ ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
+ audit_log_format(ab, "auid=%u uid=%u gid=%u",
+ audit_get_loginuid(current->audit_context),
+ current->uid, current->gid);
+ selinux_get_task_sid(current, &sid);
+ if (sid) {
+ char *ctx = NULL;
+ u32 len;
+
+ if (selinux_ctxid_to_string(sid, &ctx, &len))
+ audit_log_format(ab, " ssid=%u", sid);
+ else
+ audit_log_format(ab, " subj=%s", ctx);
+ kfree(ctx);
+ }
+ audit_log_format(ab, " pid=%d comm=", current->pid);
+ audit_log_untrustedstring(ab, current->comm);
+ audit_log_format(ab, " sig=%ld", signr);
+ audit_log_end(ab);
+ }
binfmt = current->binfmt;
if (!binfmt || !binfmt->core_dump)
diff -urp linux-2.6.18.x86_64.orig/include/linux/audit.h linux-2.6.18.x86_64/include/linux/audit.h
--- linux-2.6.18.x86_64.orig/include/linux/audit.h 2007-04-13 17:26:21.000000000 -0400
+++ linux-2.6.18.x86_64/include/linux/audit.h 2007-04-13 17:20:37.000000000 -0400
@@ -111,6 +111,7 @@
#define AUDIT_FIRST_KERN_ANOM_MSG 1700
#define AUDIT_LAST_KERN_ANOM_MSG 1799
#define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
+#define AUDIT_ANOM_ABEND 1701 /* Process ended abnormally */
#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
18 years, 10 months
wierd audit problems on one RHEL ES4 box
by Bill Tangren
I just implemented a new rule set for auditing, and now the audit daemon won't
start. It died a few hours before the logs were due to be rotated. Even though
the auditd is dead, auditing is still being done, but the output is going to
/var/log/messages, NOT to /var/log/audit, as before. When I did a
service auditd status
I got a
auditd locked, but pid exists
message. I tried to start it, but it wouldn't start. I rebooted, and it wouldn't
come back up. I changed back to the old rule set and tried to restart. No joy. I
rebooted again. It failed on start up. This is the rule set I tried:
# First rule - delete all
-D
# Feel free to add below this line. See auditctl man page
# Increase the buffers to survive stress events
-b 256
-e 1
# Audit Failed opens
-a exit,always -S open -F success!=0
#
# Audit success and failure of delete
-a exit,always -S unlink -S rmdir
#
# Audit success and failure of admin actions
#-a task,always -F uid=0
-w /var/log/audit/ -k ADMIN
-w /etc/auditd.conf -k ADMIN
-w /etc/audit.rules -k ADMIN
-a exit,always -S stime -S acct -S reboot -S swapon -S settimeofday -S setrlimit
-a exit,always -S setdomainname -S sched_setparam -S sched_setscheduler
#
# Audit success and failure of login/logout
# on by default with update 4.
#
# Audit sucess and failure of permissions
-a entry,possible -S chmod -S fchmod -S chown -S chown32 -S fchown -S fchown32
-S lchown -S lchown32
I don't know whether or not this rule set is an issue, but the change and the
problems occurred at about the same time.
This is what I have in my auditd.conf:
log_file = /var/log/audit/audit.log
log_format = RAW
priority_boost = 3
flush = SYNC
freq = 0
num_logs = 15
max_log_file = 95
max_log_file_action = ignore
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
When I try to restart the auditd, no error messages I can see show up in
/var/log/messages. I've implemented these rules on other RHEL ES 4 boxes,
without problems.
Any ideas what is wrong?
18 years, 10 months
Relation of syscall names to System.map
by Matthew Booth
I was recently going through syscalls I'm auditing and matching them up
to symbols in System.map starting with 'sys_'. I noted that the two
don't appear to be completely related. The system in question is RHEL 4
x86_64. Specifically I noted:
* sys_stime is in System.map, but 'stime' is not recognised by auditctl
* sys_umount2 is not in System.map, but is recognised by auditctl
Am I looking for a relationship which doesn't exist? Is there a better
way to get a definitive, locally generated list of all auditable
syscalls on a particular machine?
Thanks,
Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
18 years, 10 months
audit 1.5.2 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
tomorrow. The Changelog is:
- New event dispatcher (James Antill)
- Apply patches fixing man pages and Makefile.am (Philipp Hahn)
- Apply patch correcting python libs permissions (Philipp Hahn)
- Fix auditd segfault on reload
- Fix bug in auparse library for file pointers and descriptors
- Extract subject information out of daemon events for ausearch
Please note that the audit event dispatcher will be changing again in the next
release. This is the current area of work and this one is considered
temporary. This release is primarily to get some other needed fixes out for
people to use. I should have a new release next week.
Please let me know if there are any problems with this release.
-Steve
18 years, 10 months
