September 2007 - Linux-audit - Linux-Audit List Archives

[PATCH] missing audispd-pconfig.h in Makefile.am

by Klaus Heinrich Kiwi

The audispd-pconfig.h file is missing from the noinst_HEADERS list at audisp/Makefile.am, rendering in a broken 'make dist' target Signed-off-by: Klaus Heinrich Kiwi <klausk(a)br.ibm.com> diff -purN audit-1.6.2/audisp/Makefile.am audit-1.6.2_khk/audisp/Makefile.am --- audit-1.6.2/audisp/Makefile.am 2007-09-12 13:04:00.000000000 -0300 +++ audit-1.6.2_khk/audisp/Makefile.am 2007-09-27 15:51:20.000000000 -0300 @@ -25,7 +25,7 @@ CONFIG_CLEAN_FILES = Makefile.in *.rej * AUTOMAKE_OPTIONS = no-dependencies INCLUDES = -I.. -I${top_srcdir}/lib sbin_PROGRAMS = audispd -noinst_HEADERS = audispd-config.h audispd-llist.h queue.h audispd-builtins.h +noinst_HEADERS = audispd-config.h audispd-pconfig.h audispd-llist.h queue.h audispd-builtins.h LIBS = -L${top_srcdir}/src/mt -lauditmt LDADD = -lpthread AM_CFLAGS = -D_REENTRANT

18 years

2
1
0 / 0

[PATCH] audit=0 appears not to completely disable auditing

by Steve Grubb

Hi, There was a bz, 231371, reporting that current upstream kernels do not completely disable auditing when boot with audit=0 and the audit daemon not configured to run. You can reproduce the problem by: service auditd stop auditctl -e 0 auditctl -w /etc/passwd and you'd get an event in syslog: Mar 9 15:43:04 localhost kernel: audit(1173472984.321:982): auid=4294967295 subj=user_u:system_r:auditctl_t:s0 op=add rule key=(null) list=4 res=1 The patch below solves this problem by checking audit_enabled before creating an audit event. Signed-off-by: Steve Grubb <sgrubb(a)redhat.com> diff -urp linux-2.6.18.x86_64.orig/kernel/audit.c linux-2.6.18.x86_64/kernel/audit.c --- linux-2.6.18.x86_64.orig/kernel/audit.c 2007-03-09 14:08:18.000000000 -0500 +++ linux-2.6.18.x86_64/kernel/audit.c 2007-03-09 14:06:59.000000000 -0500 @@ -238,46 +238,50 @@ void audit_log_lost(const char *message) static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid) { - int old = audit_rate_limit; + if (audit_enabled) { + int old = audit_rate_limit; - if (sid) { - char *ctx = NULL; - u32 len; - int rc; - if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) - return rc; - else - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, + if (sid) { + char *ctx = NULL; + u32 len; + int rc; + if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) + return rc; + else + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, "audit_rate_limit=%d old=%d by auid=%u subj=%s", - limit, old, loginuid, ctx); - kfree(ctx); - } else - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, - "audit_rate_limit=%d old=%d by auid=%u", - limit, old, loginuid); + limit, old, loginuid, ctx); + kfree(ctx); + } else + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, + "audit_rate_limit=%d old=%d by auid=%u", + limit, old, loginuid); + } audit_rate_limit = limit; return 0; } static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid) { - int old = audit_backlog_limit; + if (audit_enabled) { + int old = audit_backlog_limit; - if (sid) { - char *ctx = NULL; - u32 len; - int rc; - if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) - return rc; - else - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, + if (sid) { + char *ctx = NULL; + u32 len; + int rc; + if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) + return rc; + else + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, "audit_backlog_limit=%d old=%d by auid=%u subj=%s", - limit, old, loginuid, ctx); - kfree(ctx); - } else - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, - "audit_backlog_limit=%d old=%d by auid=%u", - limit, old, loginuid); + limit, old, loginuid, ctx); + kfree(ctx); + } else + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, + "audit_backlog_limit=%d old=%d by auid=%u", + limit, old, loginuid); + } audit_backlog_limit = limit; return 0; } @@ -289,21 +293,23 @@ static int audit_set_enabled(int state, if (state != 0 && state != 1) return -EINVAL; - if (sid) { - char *ctx = NULL; - u32 len; - int rc; - if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) - return rc; - else - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, + if (audit_enabled || state) { + if (sid) { + char *ctx = NULL; + u32 len; + int rc; + if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) + return rc; + else + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, "audit_enabled=%d old=%d by auid=%u subj=%s", - state, old, loginuid, ctx); - kfree(ctx); - } else - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, - "audit_enabled=%d old=%d by auid=%u", - state, old, loginuid); + state, old, loginuid, ctx); + kfree(ctx); + } else + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, + "audit_enabled=%d old=%d by auid=%u", + state, old, loginuid); + } audit_enabled = state; return 0; } @@ -317,21 +323,23 @@ static int audit_set_failure(int state, && state != AUDIT_FAIL_PANIC) return -EINVAL; - if (sid) { - char *ctx = NULL; - u32 len; - int rc; - if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) - return rc; - else - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, + if (audit_enabled) { + if (sid) { + char *ctx = NULL; + u32 len; + int rc; + if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) + return rc; + else + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, "audit_failure=%d old=%d by auid=%u subj=%s", - state, old, loginuid, ctx); - kfree(ctx); - } else - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, - "audit_failure=%d old=%d by auid=%u", - state, old, loginuid); + state, old, loginuid, ctx); + kfree(ctx); + } else + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, + "audit_failure=%d old=%d by auid=%u", + state, old, loginuid); + } audit_failure = state; return 0; } @@ -536,22 +544,26 @@ static int audit_receive_msg(struct sk_b if (err < 0) return err; } if (status_get->mask & AUDIT_STATUS_PID) { - int old = audit_pid; - if (sid) { - if ((err = selinux_ctxid_to_string( - sid, &ctx, &len))) - return err; - else + if (audit_enabled) { + int old = audit_pid; + if (sid) { + if ((err = selinux_ctxid_to_string( + sid, &ctx, &len))) + return err; + else + audit_log(NULL, GFP_KERNEL, + AUDIT_CONFIG_CHANGE, + "audit_pid=%d old=%d by auid=%u subj=%s", + status_get->pid, old, + loginuid, ctx); + kfree(ctx); + } else audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, - "audit_pid=%d old=%d by auid=%u subj=%s", - status_get->pid, old, - loginuid, ctx); - kfree(ctx); - } else - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, "audit_pid=%d old=%d by auid=%u", - status_get->pid, old, loginuid); + status_get->pid, old, + loginuid); + } audit_pid = status_get->pid; } if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) diff -urp linux-2.6.18.x86_64.orig/kernel/auditfilter.c linux-2.6.18.x86_64/kernel/auditfilter.c --- linux-2.6.18.x86_64.orig/kernel/auditfilter.c 2007-03-09 14:08:18.000000000 -0500 +++ linux-2.6.18.x86_64/kernel/auditfilter.c 2007-03-09 14:05:54.000000000 -0500 @@ -95,6 +95,8 @@ extern struct inotify_handle *audit_ih; /* Inotify events we care about. */ #define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF +extern int audit_enabled; + void audit_free_parent(struct inotify_watch *i_watch) { struct audit_parent *parent; @@ -897,7 +899,6 @@ static void audit_update_watch(struct au struct audit_watch *owatch, *nwatch, *nextw; struct audit_krule *r, *nextr; struct audit_entry *oentry, *nentry; - struct audit_buffer *ab; mutex_lock(&audit_filter_mutex); list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) { @@ -937,13 +938,18 @@ static void audit_update_watch(struct au call_rcu(&oentry->rcu, audit_free_rule_rcu); } - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); - audit_log_format(ab, "op=updated rules specifying path="); - audit_log_untrustedstring(ab, owatch->path); - audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino); - audit_log_format(ab, " list=%d res=1", r->listnr); - audit_log_end(ab); - + if (audit_enabled) { + struct audit_buffer *ab; + ab = audit_log_start(NULL, GFP_KERNEL, + AUDIT_CONFIG_CHANGE); + audit_log_format(ab, + "op=updated rules specifying path="); + audit_log_untrustedstring(ab, owatch->path); + audit_log_format(ab, " with dev=%u ino=%lu\n", + dev, ino); + audit_log_format(ab, " list=%d res=1", r->listnr); + audit_log_end(ab); + } audit_remove_watch(owatch); goto add_watch_to_parent; /* event applies to a single watch */ } @@ -962,25 +968,28 @@ static void audit_remove_parent_watches( struct audit_watch *w, *nextw; struct audit_krule *r, *nextr; struct audit_entry *e; - struct audit_buffer *ab; mutex_lock(&audit_filter_mutex); parent->flags |= AUDIT_PARENT_INVALID; list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { list_for_each_entry_safe(r, nextr, &w->rules, rlist) { e = container_of(r, struct audit_entry, rule); - - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); - audit_log_format(ab, "op=remove rule path="); - audit_log_untrustedstring(ab, w->path); - if (r->filterkey) { - audit_log_format(ab, " key="); - audit_log_untrustedstring(ab, r->filterkey); - } else - audit_log_format(ab, " key=(null)"); - audit_log_format(ab, " list=%d res=1", r->listnr); - audit_log_end(ab); - + if (audit_enabled) { + struct audit_buffer *ab; + ab = audit_log_start(NULL, GFP_KERNEL, + AUDIT_CONFIG_CHANGE); + audit_log_format(ab, "op=remove rule path="); + audit_log_untrustedstring(ab, w->path); + if (r->filterkey) { + audit_log_format(ab, " key="); + audit_log_untrustedstring(ab, + r->filterkey); + } else + audit_log_format(ab, " key=(null)"); + audit_log_format(ab, " list=%d res=1", + r->listnr); + audit_log_end(ab); + } list_del(&r->rlist); list_del_rcu(&e->list); call_rcu(&e->rcu, audit_free_rule_rcu); @@ -1409,6 +1418,9 @@ static void audit_log_rule_change(uid_t { struct audit_buffer *ab; + if (!audit_enabled) + return; + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); if (!ab) return;

18 years

4
5
0 / 0

How to read audit log?

by Scott Ehrlich

As I've reviewed the audit log of a system with audit 1.5.2 installed, I discovered the format is something I wasn't used to, and performing a man on auditd, auditctl, and a few others didn't help clarify anything. Could someone please produce a sample audit log line or two and break down what each piece means, or direct me to a web page that does so? I had initially expected some form of date/time stamp, but looking at the first set of decimal-separated digits couldn't help me decipher a date/time. Thanks for any assistance. Scott

18 years

6
7
0 / 0

audit 1.6.2 released

by Steve Grubb

Hi, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit It will also be in rawhide soon. The Changelog is: - Add support for searching by posix regular expressions in auparse - Route DEAMON events into rt interface - If event pipe is full, try again after doing local logging - Optionally add node/machine name to records in audit daemon - Update ausearch/aureport to specify nodes to search on - Fix segfault interpretting saddr fields in avcs This release focuses on optionally adding node=name field to audit daemon logged records. ausearch/report/parse were updated to support this format. This will allow the originating host to be captured in files if they are copied to another machine. The reporting fixups is in preparation for having remote logging where the audit logs are aggregated into 1 common log. There were a few self explanatory bug fixes listed above. Please let me know if you run across any problems with this release. -Steve

18 years

1
0
0 / 0

sudo false negative in audit trails

by Todd, Charles

Greetings, I'm chasing down a false negative I'm getting in my ausearch output which makes it look like successful sudo access results in a failed CRED_ACQ record. Is anyone else seeing this? I'm going to list out my system specs, but please actually look at a sudo run in your system (if similar) before writing off my non-standard pieces: - RHEL4u4 (2.6.9.-42.0.2) - audit-1.0.15 - quest-sudo-1.6.8p12q76 - pam 0.77-66.17 Command: # ausearch -m CRED_ACQ |grep sudo |tail -1 type=CRED_ACQ msg=audit(1190207432.508:168552): user pid=13971 uid=0 auid=1110 msg='PAM setcred: user=root exe="/opt/quest/bin/sudo" (hostname=?, addr=?, terminal=pts/1 result=Permission denied)' They're all like that. Remember - the sudo actually granted me access as requested. /etc/pam.d/sudo looks like this, as generated by quest-sudo: auth [ignore=ignore success=done default=die] pam_vas3.so create_homedir account [ignore=ignore success=done default=die] pam_vas3.so password [ignore=ignore success=done default=die] pam_vas3.so session [ignore=ignore success=done default=die] pam_vas3.so create_homedir For those unfamiliar with Quest's VAS (Vintella Authentication System), it's basically a commercialized, polished winbindd from Samba 3. They have open-sourced their changes to the base package (good citizens) as they are basically kerberizing some of the tools. Sudo was modified to support treating Active Directory roles as Unix groups (e.g. DOMAIN\Administrators can run shells, but no one else). I've reviewed the base sudo package source code and could find no changelog entries to the part that tells PAM whether or not success was made. I know that sudo has to tell PAM who tells auditd whether or not VAS authenticated the user. Sudo works just find though - it's only the auditing which is squirelly. Original sudo page that interacts with PAM: http://www.sudo.ws/cgi-bin/cvsweb/sudo/auth/pam.c?rev=1.43&content-type= text/x-cvsweb-markup&only_with_tag=SUDO_1_6_8p1 Quests modifications to the same file: http://rc.quest.com/viewvc/sudo/tags/sudo-1.6.8p12q76/auth/pam.c?revisio n=77&view=markup So, I'm not so sure it's in sudo, but perhaps some bug between PAM and sudo that I don't understand. Can anyone else replicate this? As for PAM, well, 0.77 is very old, but it's the newest that RedHat has integrated. RedHat has not posted any PAM changes related to sudo since my package above. At least RHEL5 is using 0.99. Thanks for your time, Charlie Todd Ball Aerospace & Technologies Corp. This message and any enclosures are intended only for the addressee. Please notify the sender by email if you are not the intended recipient. If you are not the intended recipient, you may not use, copy, disclose, or distribute this message or its contents or enclosures to any other person and any such actions may be unlawful. Ball reserves the right to monitor and review all messages and enclosures sent to or from this email address.

18 years, 1 month

2
1
0 / 0

Format of EXECVE

by Matthew Booth

Firstly, on RHEL4 U5, I've noticed that if an argument has spaces in it, it won't be pretty printed in the EXECVE record. E.g.: # /bin/echo foo EXECVE... argv[1]="foo" # /bin/echo "foo bar" EXECVE... argv[1]=1234ABCD Is that a feature? Secondly, I noticed that the sequence of messages is: SYSCALL EXECVE CWD PATH I'm considering expanding argv[0] of EXECVE to be an absolute path. However, that would mean either buffering things or moving EXECVE after the PATH record. Would that break any contract, or reasonable expectations that anyone's aware of? Thanks, Matt -- Matthew Booth, RHCA, RHCSS Red Hat, Global Professional Services M: +44 (0)7977 267231 GPG ID: D33C3490 GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490

18 years, 1 month

3
3
0 / 0

[PATCH]: xfrm audit calls

by Joy Latten

This patch modifies the current ipsec audit layer by breaking it up into purpose driven audit calls. So far, the only audit calls made are when add/delete an SA/policy. It had been discussed to give each key manager it's own calls to do this, but I found there to be much redundnacy since they did the exact same things, except for how they got auid and sid, so I combined them. The below audit calls can be made by any key manager. Hopefully, this is ok. I compiled and tested with CONFIG_AUDITSYSCALLS on and off. Regards, Joy Latten Signed-off-by: Joy Latten <latten(a)austin.ibm.com> diff -urpN linux-2.6.22/include/linux/audit.h linux-2.6.22-rc6/include/linux/audit.h --- linux-2.6.22/include/linux/audit.h 2007-09-11 13:59:49.000000000 -0500 +++ linux-2.6.22-rc6/include/linux/audit.h 2007-09-11 14:10:57.000000000 -0500 @@ -108,10 +108,11 @@ #define AUDIT_MAC_CIPSOV4_DEL 1408 /* NetLabel: del CIPSOv4 DOI entry */ #define AUDIT_MAC_MAP_ADD 1409 /* NetLabel: add LSM domain mapping */ #define AUDIT_MAC_MAP_DEL 1410 /* NetLabel: del LSM domain mapping */ -#define AUDIT_MAC_IPSEC_ADDSA 1411 /* Add a XFRM state */ -#define AUDIT_MAC_IPSEC_DELSA 1412 /* Delete a XFRM state */ -#define AUDIT_MAC_IPSEC_ADDSPD 1413 /* Add a XFRM policy */ -#define AUDIT_MAC_IPSEC_DELSPD 1414 /* Delete a XFRM policy */ +#define AUDIT_MAC_IPSEC_ADDSA 1411 /* Not used */ +#define AUDIT_MAC_IPSEC_DELSA 1412 /* Not used */ +#define AUDIT_MAC_IPSEC_ADDSPD 1413 /* Not used */ +#define AUDIT_MAC_IPSEC_DELSPD 1414 /* Not used */ +#define AUDIT_MAC_IPSEC_EVENT 1415 /* Audit an IPSec event */ #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG 1799 diff -urpN linux-2.6.22/include/net/xfrm.h linux-2.6.22-rc6/include/net/xfrm.h --- linux-2.6.22/include/net/xfrm.h 2007-09-11 13:59:49.000000000 -0500 +++ linux-2.6.22-rc6/include/net/xfrm.h 2007-09-11 14:10:57.000000000 -0500 @@ -12,6 +12,7 @@ #include <linux/ipsec.h> #include <linux/in6.h> #include <linux/mutex.h> +#include <linux/audit.h> #include <net/sock.h> #include <net/dst.h> @@ -421,15 +422,46 @@ extern unsigned int xfrm_policy_count[XF /* Audit Information */ struct xfrm_audit { - uid_t loginuid; + u32 loginuid; u32 secid; }; #ifdef CONFIG_AUDITSYSCALL -extern void xfrm_audit_log(uid_t auid, u32 secid, int type, int result, - struct xfrm_policy *xp, struct xfrm_state *x); +static inline struct audit_buffer *xfrm_audit_start(u32 auid, u32 sid) +{ + struct audit_buffer *audit_buf = NULL; + char *secctx; + u32 secctx_len; + + audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, + AUDIT_MAC_IPSEC_EVENT); + if (audit_buf == NULL) + return NULL; + + audit_log_format(audit_buf, "auid=%u", auid); + + if (sid != 0 && + security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) { + audit_log_format(audit_buf, " subj=%s", secctx); + security_release_secctx(secctx, secctx_len); + } else + audit_log_task_context(audit_buf); + return audit_buf; +} + +extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, + u32 auid, u32 sid); +extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, + u32 auid, u32 sid); +extern void xfrm_audit_state_add(struct xfrm_state *x, int result, + u32 auid, u32 sid); +extern void xfrm_audit_state_delete(struct xfrm_state *x, int result, + u32 auid, u32 sid); #else -#define xfrm_audit_log(a,s,t,r,p,x) do { ; } while (0) +#define xfrm_audit_policy_add(x, r, a, s) do { ; } while (0) +#define xfrm_audit_policy_delete(x, r, a, s) do { ; } while (0) +#define xfrm_audit_state_add(x, r, a, s) do { ; } while (0) +#define xfrm_audit_state_delete(x, r, a, s) do { ; } while (0) #endif /* CONFIG_AUDITSYSCALL */ static inline void xfrm_pol_hold(struct xfrm_policy *policy) diff -urpN linux-2.6.22/net/key/af_key.c linux-2.6.22-rc6/net/key/af_key.c --- linux-2.6.22/net/key/af_key.c 2007-09-11 13:59:52.000000000 -0500 +++ linux-2.6.22-rc6/net/key/af_key.c 2007-09-11 14:10:58.000000000 -0500 @@ -27,7 +27,6 @@ #include <linux/proc_fs.h> #include <linux/init.h> #include <net/xfrm.h> -#include <linux/audit.h> #include <net/sock.h> @@ -1461,8 +1460,8 @@ static int pfkey_add(struct sock *sk, st else err = xfrm_state_update(x); - xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, - AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x); + xfrm_audit_state_add(x, err ? 0 : 1, + audit_get_loginuid(current->audit_context), 0); if (err < 0) { x->km.state = XFRM_STATE_DEAD; @@ -1515,8 +1514,8 @@ static int pfkey_delete(struct sock *sk, c.event = XFRM_MSG_DELSA; km_state_notify(x, &c); out: - xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, - AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); + xfrm_audit_state_delete(x, err ? 0 : 1, + audit_get_loginuid(current->audit_context), 0); xfrm_state_put(x); return err; @@ -2268,8 +2267,8 @@ static int pfkey_spdadd(struct sock *sk, err = xfrm_policy_insert(pol->sadb_x_policy_dir-1, xp, hdr->sadb_msg_type != SADB_X_SPDUPDATE); - xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, - AUDIT_MAC_IPSEC_ADDSPD, err ? 0 : 1, xp, NULL); + xfrm_audit_policy_add(xp, err ? 0 : 1, + audit_get_loginuid(current->audit_context), 0); if (err) goto out; @@ -2352,8 +2351,8 @@ static int pfkey_spddelete(struct sock * if (xp == NULL) return -ENOENT; - xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, - AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); + xfrm_audit_policy_delete(xp, err ? 0 : 1, + audit_get_loginuid(current->audit_context), 0); if (err) goto out; @@ -2613,8 +2612,8 @@ static int pfkey_spdget(struct sock *sk, return -ENOENT; if (delete) { - xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, - AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); + xfrm_audit_policy_delete(xp, err ? 0 : 1, + audit_get_loginuid(current->audit_context), 0); if (err) goto out; diff -urpN linux-2.6.22/net/xfrm/xfrm_policy.c linux-2.6.22-rc6/net/xfrm/xfrm_policy.c --- linux-2.6.22/net/xfrm/xfrm_policy.c 2007-09-11 13:59:52.000000000 -0500 +++ linux-2.6.22-rc6/net/xfrm/xfrm_policy.c 2007-09-11 14:13:05.000000000 -0500 @@ -23,7 +23,6 @@ #include <linux/netfilter.h> #include <linux/module.h> #include <linux/cache.h> -#include <linux/audit.h> #include <net/xfrm.h> #include <net/ip.h> @@ -850,10 +849,9 @@ xfrm_policy_flush_secctx_check(u8 type, continue; err = security_xfrm_policy_delete(pol); if (err) { - xfrm_audit_log(audit_info->loginuid, - audit_info->secid, - AUDIT_MAC_IPSEC_DELSPD, 0, - pol, NULL); + xfrm_audit_policy_delete(pol, 0, + audit_info->loginuid, + audit_info->secid); return err; } } @@ -865,10 +863,9 @@ xfrm_policy_flush_secctx_check(u8 type, continue; err = security_xfrm_policy_delete(pol); if (err) { - xfrm_audit_log(audit_info->loginuid, - audit_info->secid, - AUDIT_MAC_IPSEC_DELSPD, - 0, pol, NULL); + xfrm_audit_policy_delete(pol, 0, + audit_info->loginuid, + audit_info->secid); return err; } } @@ -909,8 +906,8 @@ int xfrm_policy_flush(u8 type, struct xf hlist_del(&pol->byidx); write_unlock_bh(&xfrm_policy_lock); - xfrm_audit_log(audit_info->loginuid, audit_info->secid, - AUDIT_MAC_IPSEC_DELSPD, 1, pol, NULL); + xfrm_audit_policy_delete(pol, 1, audit_info->loginuid, + audit_info->secid); xfrm_policy_kill(pol); killed++; @@ -930,11 +927,9 @@ int xfrm_policy_flush(u8 type, struct xf hlist_del(&pol->byidx); write_unlock_bh(&xfrm_policy_lock); - xfrm_audit_log(audit_info->loginuid, - audit_info->secid, - AUDIT_MAC_IPSEC_DELSPD, 1, - pol, NULL); - + xfrm_audit_policy_delete(pol, 1, + audit_info->loginuid, + audit_info->secid); xfrm_policy_kill(pol); killed++; @@ -2150,123 +2145,6 @@ int xfrm_bundle_ok(struct xfrm_policy *p EXPORT_SYMBOL(xfrm_bundle_ok); -#ifdef CONFIG_AUDITSYSCALL -/* Audit addition and deletion of SAs and ipsec policy */ - -void xfrm_audit_log(uid_t auid, u32 sid, int type, int result, - struct xfrm_policy *xp, struct xfrm_state *x) -{ - - char *secctx; - u32 secctx_len; - struct xfrm_sec_ctx *sctx = NULL; - struct audit_buffer *audit_buf; - int family; - extern int audit_enabled; - - if (audit_enabled == 0) - return; - - BUG_ON((type == AUDIT_MAC_IPSEC_ADDSA || - type == AUDIT_MAC_IPSEC_DELSA) && !x); - BUG_ON((type == AUDIT_MAC_IPSEC_ADDSPD || - type == AUDIT_MAC_IPSEC_DELSPD) && !xp); - - audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type); - if (audit_buf == NULL) - return; - - switch(type) { - case AUDIT_MAC_IPSEC_ADDSA: - audit_log_format(audit_buf, "SAD add: auid=%u", auid); - break; - case AUDIT_MAC_IPSEC_DELSA: - audit_log_format(audit_buf, "SAD delete: auid=%u", auid); - break; - case AUDIT_MAC_IPSEC_ADDSPD: - audit_log_format(audit_buf, "SPD add: auid=%u", auid); - break; - case AUDIT_MAC_IPSEC_DELSPD: - audit_log_format(audit_buf, "SPD delete: auid=%u", auid); - break; - default: - return; - } - - if (sid != 0 && - security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) { - audit_log_format(audit_buf, " subj=%s", secctx); - security_release_secctx(secctx, secctx_len); - } else - audit_log_task_context(audit_buf); - - if (xp) { - family = xp->selector.family; - if (xp->security) - sctx = xp->security; - } else { - family = x->props.family; - if (x->security) - sctx = x->security; - } - - if (sctx) - audit_log_format(audit_buf, - " sec_alg=%u sec_doi=%u sec_obj=%s", - sctx->ctx_alg, sctx->ctx_doi, sctx->ctx_str); - - switch(family) { - case AF_INET: - { - struct in_addr saddr, daddr; - if (xp) { - saddr.s_addr = xp->selector.saddr.a4; - daddr.s_addr = xp->selector.daddr.a4; - } else { - saddr.s_addr = x->props.saddr.a4; - daddr.s_addr = x->id.daddr.a4; - } - audit_log_format(audit_buf, - " src=%u.%u.%u.%u dst=%u.%u.%u.%u", - NIPQUAD(saddr), NIPQUAD(daddr)); - } - break; - case AF_INET6: - { - struct in6_addr saddr6, daddr6; - if (xp) { - memcpy(&saddr6, xp->selector.saddr.a6, - sizeof(struct in6_addr)); - memcpy(&daddr6, xp->selector.daddr.a6, - sizeof(struct in6_addr)); - } else { - memcpy(&saddr6, x->props.saddr.a6, - sizeof(struct in6_addr)); - memcpy(&daddr6, x->id.daddr.a6, - sizeof(struct in6_addr)); - } - audit_log_format(audit_buf, - " src=" NIP6_FMT " dst=" NIP6_FMT, - NIP6(saddr6), NIP6(daddr6)); - } - break; - } - - if (x) - audit_log_format(audit_buf, " spi=%lu(0x%lx) protocol=%s", - (unsigned long)ntohl(x->id.spi), - (unsigned long)ntohl(x->id.spi), - x->id.proto == IPPROTO_AH ? "AH" : - (x->id.proto == IPPROTO_ESP ? - "ESP" : "IPCOMP")); - - audit_log_format(audit_buf, " res=%u", result); - audit_log_end(audit_buf); -} - -EXPORT_SYMBOL(xfrm_audit_log); -#endif /* CONFIG_AUDITSYSCALL */ - int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo) { int err = 0; @@ -2412,6 +2290,70 @@ void __init xfrm_init(void) xfrm_input_init(); } +#ifdef CONFIG_AUDITSYSCALL +static inline void xfrm_audit_common_policyinfo(struct xfrm_policy *xp, + struct audit_buffer *audit_buf) +{ + if (xp->security) + audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s", + xp->security->ctx_alg, xp->security->ctx_doi, + xp->security->ctx_str); + + switch(xp->selector.family) { + case AF_INET: + audit_log_format(audit_buf, " src=%u.%u.%u.%u dst=%u.%u.%u.%u", + NIPQUAD(xp->selector.saddr.a4), + NIPQUAD(xp->selector.daddr.a4)); + break; + case AF_INET6: + { + struct in6_addr saddr6, daddr6; + + memcpy(&saddr6, xp->selector.saddr.a6, + sizeof(struct in6_addr)); + memcpy(&daddr6, xp->selector.daddr.a6, + sizeof(struct in6_addr)); + audit_log_format(audit_buf, + " src=" NIP6_FMT " dst=" NIP6_FMT, + NIP6(saddr6), NIP6(daddr6)); + } + break; + } +} + +void +xfrm_audit_policy_add(struct xfrm_policy *xp, int result, u32 auid, u32 sid) +{ + struct audit_buffer *audit_buf; + extern int audit_enabled; + + if (audit_enabled == 0) + return; + audit_buf = xfrm_audit_start(sid, auid); + if (audit_buf == NULL) + return; + audit_log_format(audit_buf, " op=SPD-add res=%u", result); + xfrm_audit_common_policyinfo(xp, audit_buf); + audit_log_end(audit_buf); +} + +void +xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, u32 auid, u32 sid) +{ + struct audit_buffer *audit_buf; + extern int audit_enabled; + + if (audit_enabled == 0) + return; + audit_buf = xfrm_audit_start(sid, auid); + if (audit_buf == NULL) + return; + audit_log_format(audit_buf, " op=SPD-delete res=%u", result); + xfrm_audit_common_policyinfo(xp, audit_buf); + audit_log_end(audit_buf); +} +#endif + #ifdef CONFIG_XFRM_MIGRATE static int xfrm_migrate_selector_match(struct xfrm_selector *sel_cmp, struct xfrm_selector *sel_tgt) diff -urpN linux-2.6.22/net/xfrm/xfrm_state.c linux-2.6.22-rc6/net/xfrm/xfrm_state.c --- linux-2.6.22/net/xfrm/xfrm_state.c 2007-09-11 13:59:52.000000000 -0500 +++ linux-2.6.22-rc6/net/xfrm/xfrm_state.c 2007-09-11 14:12:37.000000000 -0500 @@ -19,7 +19,6 @@ #include <linux/ipsec.h> #include <linux/module.h> #include <linux/cache.h> -#include <linux/audit.h> #include <asm/uaccess.h> #include "xfrm_hash.h" @@ -301,8 +300,8 @@ expired: if (!err && x->id.spi) km_state_expired(x, 1, 0); - xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, - AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); + xfrm_audit_state_delete(x, err ? 0 : 1, + audit_get_loginuid(current->audit_context), 0); out: spin_unlock(&x->lock); @@ -403,11 +402,9 @@ xfrm_state_flush_secctx_check(u8 proto, hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) { if (xfrm_id_proto_match(x->id.proto, proto) && (err = security_xfrm_state_delete(x)) != 0) { - xfrm_audit_log(audit_info->loginuid, - audit_info->secid, - AUDIT_MAC_IPSEC_DELSA, - 0, NULL, x); - + xfrm_audit_state_delete(x, 0, + audit_info->loginuid, + audit_info->secid); return err; } } @@ -443,10 +440,9 @@ restart: spin_unlock_bh(&xfrm_state_lock); err = xfrm_state_delete(x); - xfrm_audit_log(audit_info->loginuid, - audit_info->secid, - AUDIT_MAC_IPSEC_DELSA, - err ? 0 : 1, NULL, x); + xfrm_audit_state_delete(x, err ? 0 : 1, + audit_info->loginuid, + audit_info->secid); xfrm_state_put(x); spin_lock_bh(&xfrm_state_lock); @@ -1821,3 +1817,70 @@ void __init xfrm_state_init(void) INIT_WORK(&xfrm_state_gc_work, xfrm_state_gc_task); } +#ifdef CONFIG_AUDITSYSCALL +static inline void xfrm_audit_common_stateinfo(struct xfrm_state *x, + struct audit_buffer *audit_buf) +{ + if (x->security) + audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s", + x->security->ctx_alg, x->security->ctx_doi, + x->security->ctx_str); + + switch(x->props.family) { + case AF_INET: + audit_log_format(audit_buf, " src=%u.%u.%u.%u dst=%u.%u.%u.%u", + NIPQUAD(x->props.saddr.a4), + NIPQUAD(x->id.daddr.a4)); + break; + case AF_INET6: + { + struct in6_addr saddr6, daddr6; + + memcpy(&saddr6, x->props.saddr.a6, + sizeof(struct in6_addr)); + memcpy(&daddr6, x->id.daddr.a6, + sizeof(struct in6_addr)); + audit_log_format(audit_buf, + " src=" NIP6_FMT " dst=" NIP6_FMT, + NIP6(saddr6), NIP6(daddr6)); + } + break; + } +} + +void +xfrm_audit_state_add(struct xfrm_state *x, int result, u32 auid, u32 sid) +{ + struct audit_buffer *audit_buf; + extern int audit_enabled; + + if (audit_enabled == 0) + return; + audit_buf = xfrm_audit_start(sid, auid); + if (audit_buf == NULL) + return; + audit_log_format(audit_buf, " op=SAD-add res=%u",result); + xfrm_audit_common_stateinfo(x, audit_buf); + audit_log_format(audit_buf, " spi=%lu(0x%lx)", + (unsigned long)x->id.spi, (unsigned long)x->id.spi); + audit_log_end(audit_buf); +} + +void +xfrm_audit_state_delete(struct xfrm_state *x, int result, u32 auid, u32 sid) +{ + struct audit_buffer *audit_buf; + extern int audit_enabled; + + if (audit_enabled == 0) + return; + audit_buf = xfrm_audit_start(sid, auid); + if (audit_buf == NULL) + return; + audit_log_format(audit_buf, " op=SAD-delete res=%u",result); + xfrm_audit_common_stateinfo(x, audit_buf); + audit_log_format(audit_buf, " spi=%lu(0x%lx)", + (unsigned long)x->id.spi, (unsigned long)x->id.spi); + audit_log_end(audit_buf); +} +#endif /* CONFIG_AUDITSYSCALL */ diff -urpN linux-2.6.22/net/xfrm/xfrm_user.c linux-2.6.22-rc6/net/xfrm/xfrm_user.c --- linux-2.6.22/net/xfrm/xfrm_user.c 2007-09-11 13:59:52.000000000 -0500 +++ linux-2.6.22-rc6/net/xfrm/xfrm_user.c 2007-09-11 14:10:58.000000000 -0500 @@ -31,7 +31,6 @@ #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) #include <linux/in6.h> #endif -#include <linux/audit.h> static int verify_one_alg(struct rtattr **xfrma, enum xfrm_attr_type_t type) { @@ -462,8 +461,8 @@ static int xfrm_add_sa(struct sk_buff *s else err = xfrm_state_update(x); - xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, - AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x); + xfrm_audit_state_add(x, err ? 0 : 1, NETLINK_CB(skb).loginuid, + NETLINK_CB(skb).sid); if (err < 0) { x->km.state = XFRM_STATE_DEAD; @@ -545,8 +544,8 @@ static int xfrm_del_sa(struct sk_buff *s km_state_notify(x, &c); out: - xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, - AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); + xfrm_audit_state_delete(x, err ? 0 : 1, NETLINK_CB(skb).loginuid, + NETLINK_CB(skb).sid); xfrm_state_put(x); return err; } @@ -1155,8 +1154,8 @@ static int xfrm_add_policy(struct sk_buf * a type XFRM_MSG_UPDPOLICY - JHS */ excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; err = xfrm_policy_insert(p->dir, xp, excl); - xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, - AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); + xfrm_audit_policy_add(xp, err ? 0 : 1, NETLINK_CB(skb).loginuid, + NETLINK_CB(skb).sid); if (err) { security_xfrm_policy_free(xp); @@ -1401,8 +1400,9 @@ static int xfrm_get_policy(struct sk_buf MSG_DONTWAIT); } } else { - xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, - AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); + xfrm_audit_policy_delete(xp, err ? 0 : 1, + NETLINK_CB(skb).loginuid, + NETLINK_CB(skb).sid); if (err != 0) goto out; @@ -1650,8 +1650,8 @@ static int xfrm_add_pol_expire(struct sk err = 0; if (up->hard) { xfrm_policy_delete(xp, p->dir); - xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, - AUDIT_MAC_IPSEC_DELSPD, 1, xp, NULL); + xfrm_audit_policy_delete(xp, 1, NETLINK_CB(skb).loginuid, + NETLINK_CB(skb).sid); } else { // reset the timers here? @@ -1686,8 +1686,8 @@ static int xfrm_add_sa_expire(struct sk_ if (ue->hard) { __xfrm_state_delete(x); - xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, - AUDIT_MAC_IPSEC_DELSA, 1, NULL, x); + xfrm_audit_state_delete(x, 1, NETLINK_CB(skb).loginuid, + NETLINK_CB(skb).sid); } err = 0; out:

18 years, 1 month

3
3
0 / 0

Expanding PATH records to be absolute paths

by Matthew Booth

As I mentioned in my austream email, I need to be able to rewrite outgoing PATH records to have absolute paths. I can obviously do this from scratch, and if there's no better way then this is what I will do. However, I'm aware that work has gone on in the userspace message parsing area, and I'd like to avoid reinventing the wheel. I have a few constraints, though: * Must work on libraries shipped with RHEL 4.5 If necessary, I will import bits of code from later versions into austream, however I'm not prepared to require updating from the shipped audit-libs. If I need to do this, how can I minimise maintenance pain? Maybe separate parsing libraries into a separate package and depend on it? * Must work on a stream I don't write anything to disk. It must work on messages as read from the audit netlink socket. * It must be fast I need to remain sure that I can put the tool into a performance critical environment with confidence that I won't kill it. If I were going to do this from scratch, I'd cache CWD records and rewrite PATH records on the way through. I don't believe any other record requires this. AVC paths are already absolute, and I don't think there are any other paths. Is this right? Thanks, Matt -- Matthew Booth, RHCA, RHCSS Red Hat, Global Professional Services M: +44 (0)7977 267231 GPG ID: D33C3490 GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490

18 years, 1 month

2
1
0 / 0

Announcing austream

by Matthew Booth

austream is a utility to stream audit logs to a remote hosts via syslog. Its features are: * Works on both auditd and laus (on laus it's a dispatcher) * Messages sent immediately off-node * Sends syslog packets directly, without going through syslogd * Very low overhead, even at extreme volume (8,000 events/sec) Tested platforms are RHEL 4 U4+ and RHEL 3 U8+. There are a few caveats, though. Foremost is the fact that it's not a dispatcher: it replaces auditd. This is because, to date, development has been tightly focused on a single set of requirements. It's still under development. Some bigger items on my todo list are: * Message inspection to turn PATH records into absolute paths * Limited output buffering * Option to run as a dispatcher * Host it somewhere The git repository is available at git://heisenbug.com/austream.git. Please have a look. Patches welcome. To build: ./configure TARGET=(laus|auditd) make or make rpm If you build the auditd rpm, when it installs it will add itself to /etc/inittab. Make sure you configure the destination in /etc/sysconfig/austream before doing 'telinit q'. Matt -- Matthew Booth, RHCA, RHCSS Red Hat, Global Professional Services M: +44 (0)7977 267231 GPG ID: D33C3490 GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490

18 years, 1 month

1
0
0 / 0

Re: Integrity auditing

by Steve Grubb

On Wednesday 05 September 2007 09:46:06 Mimi Zohar wrote: > On Wed, 2007-07-18 at 08:05 -0700, Steve G wrote: > > MRPP places some requirements on intergrity checking. Maybe it tells you > > more information about what's required. More info: > > > > http://www.niap-ccevs.org/cc-scheme/pp/pp.cfm?id=PP_OS_ML_MR2.0_V1.91 This ^^^ spells out some requirements for INTEGRITY checks. > > Might ought to be an integrity audit record type rather than avc. This > > way aureport can separate it out for its summary report. In > > /usr/include/linux/audit.h is this note: > > > > * 1800 - 1999 future kernel use (maybe integrity labels and related > > events) > > > > So, we could assign the 1800 block to kernel integrity checking. I think > > we'd need information access decision, creation, modification, and > > deletion of integrity information/labels. We also probably need the > > ability to audit by integrity, too. For a detailed audit discussion, I'd > > recommend linux-audit mail list or at least cc'ing it > > I would assume that the integrity label would be managed by the LIM > provider itself. In which case, does it make sense to audit the LIM > provider's creation, modification or deletion of the integrity label stored > as an xattr? Yes. That is required per section FMT_MSA.1(4), assuming this hardware assisted integrity checking code needs to go through any kind of certification. > IMA, a LIM provider, implements integrity_measure, which does not require > an integrity label. It is, however, important to log/audit PCR invalidation > errors. I propose adding the following audit numbers for integrity. > > Add to audit.h: > #define AUDIT_INTEGRITY 1800 /* Integrity verify success/failure > */ #define AUDIT_INTEGRITY_ERR 1801 /* Internal integrity errors */ > #define AUDIT_INTEGRITY_PCR 1802 /* PCR invalidation errors */ What about configuration changes to it? Can you select the hash algorithm used? What about enable/disable of checking? Does this integrity scheme cover only objects or does it also cover subjects? What does a typical integrity label look like? Is there anything like a mass relabel after installation? Are there any self-tests for the hardware or keys stored within it? > Add to integrity.h: > void integrity_audit(char *function, const unsigned char *fname, char > *cause); void integrity_audit_pcr(const unsigned char *fname, char *cause); > void integrity_audit_err(char *cause); Actually, it would be nice to see the messages being generated to see if they have everything needed and that they conform to audit system specs. Thanks, -Steve

18 years, 1 month

2
4
0 / 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit September 2007