[PATCH -v3 1/5] Capabilities: document the order of arguments to cap_issubset
by Eric Paris
Document the order of arguments for cap_issubset. It's not instantly clear
which order the argument should be in. So give an example.
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
include/linux/capability.h | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/include/linux/capability.h b/include/linux/capability.h
index 9d1fe30..9f44150 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -454,6 +454,13 @@ static inline int cap_isclear(const kernel_cap_t a)
return 1;
}
+/*
+ * Check if "a" is a subset of "set".
+ * return 1 if ALL of the capabilities in "a" are also in "set"
+ * cap_issubset(0101, 1111) will return 1
+ * return 0 if ANY of the capabilities in "a" are not in "set"
+ * cap_issubset(1111, 0101) will return 0
+ */
static inline int cap_issubset(const kernel_cap_t a, const kernel_cap_t set)
{
kernel_cap_t dest;
16 years, 1 month
openssh logout not being audited on fc5
by Wieprecht, Karen M.
All,
been google-ing all day, so sorry if this info is common knowledge, but I can't seem to find it.
Trying to build FC5 (2.6.20-1.2320-fc5) system to meet a sponsor requirement (miserable task that it is), and I have to make this system be NISPOM compliant. Unfortunately, ssh logout isn't showing up in my audit logs, and although I have an idea why, I can't seem to find what I think I need ... The system I am building has the following:
OS = FC5
audit subsystem = 1.3-2
openssh = 4.3p2-4.12
kernel = 2.6.20-1.2320-fc5
My RHEL4 systems capture ssh logout just fine , and they are at earlier versions of both openssh and the audit subsystem... I found a note from a colleague about needing openssh >= 4.3p2-4.13 to fix the ssh logout problem for (I think) SuSe 10.1, so I thought I'd try and find a later version of open ssh or at least a src.rpm to build a newer version for fc5 , but I didn't have much luck. Found a 4.3p2-16 src.rpm for el5, but of course, that didn't build properly on my fc5 system .
Anyone know if I'm chasing my tail? maybe something else will fix this for FC5 (newer audit pkg? )? Recommendations would be most appreciated. If you all think I DO need a newer openssh version, anyone know where I can get a src.rpm for fc5 later than 4.3p2-4.12?
Thanks,
Karen Wieprecht
16 years, 1 month
[PATCH -v2 1/4] CAPABILITIES: add cpu endian vfs caps structure
by Eric Paris
This patch add a generic cpu endian caps structure and externally available
functions which retrieve fcaps information from disk. This information is
necessary so fcaps information can be collected and recorded by the audit
system.
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
include/linux/capability.h | 7 ++
security/commoncap.c | 129 ++++++++++++++++++++++++--------------------
2 files changed, 78 insertions(+), 58 deletions(-)
diff --git a/include/linux/capability.h b/include/linux/capability.h
index 9d1fe30..9d64a9c 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -96,6 +96,13 @@ typedef struct kernel_cap_struct {
__u32 cap[_KERNEL_CAPABILITY_U32S];
} kernel_cap_t;
+/* exact same as vfs_cap_data but in cpu endian and always filled completely */
+struct cpu_vfs_cap_data {
+ __u32 magic_etc;
+ kernel_cap_t permitted;
+ kernel_cap_t inheritable;
+};
+
#define _USER_CAP_HEADER_SIZE (sizeof(struct __user_cap_header_struct))
#define _KERNEL_CAP_T_SIZE (sizeof(kernel_cap_t))
diff --git a/security/commoncap.c b/security/commoncap.c
index 3976613..8bb95ed 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -202,17 +202,70 @@ int cap_inode_killpriv(struct dentry *dentry)
return inode->i_op->removexattr(dentry, XATTR_NAME_CAPS);
}
-static inline int cap_from_disk(struct vfs_cap_data *caps,
- struct linux_binprm *bprm, unsigned size)
+static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps,
+ struct linux_binprm *bprm)
{
+ unsigned i;
+ int ret = 0;
+
+ if (caps->magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
+ bprm->cap_effective = true;
+ else
+ bprm->cap_effective = false;
+
+ CAP_FOR_EACH_U32(i) {
+ __u32 permitted = caps->permitted.cap[i];
+ __u32 inheritable = caps->inheritable.cap[i];
+
+ /*
+ * pP' = (X & fP) | (pI & fI)
+ */
+ bprm->cap_post_exec_permitted.cap[i] =
+ (current->cap_bset.cap[i] & permitted) |
+ (current->cap_inheritable.cap[i] & inheritable);
+
+ if (permitted & ~bprm->cap_post_exec_permitted.cap[i]) {
+ /*
+ * insufficient to execute correctly
+ */
+ ret = -EPERM;
+ }
+ }
+
+ /*
+ * For legacy apps, with no internal support for recognizing they
+ * do not have enough capabilities, we return an error if they are
+ * missing some "forced" (aka file-permitted) capabilities.
+ */
+ return bprm->cap_effective ? ret : 0;
+}
+
+int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps)
+{
+ struct inode *inode = dentry->d_inode;
__u32 magic_etc;
unsigned tocopy, i;
- int ret;
+ int size;
+ struct vfs_cap_data caps;
+
+ memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data));
+
+ if (!inode || !inode->i_op || !inode->i_op->getxattr)
+ return -ENODATA;
+
+ size = inode->i_op->getxattr((struct dentry *)dentry, XATTR_NAME_CAPS, &caps,
+ XATTR_CAPS_SZ);
+ if (size == -ENODATA || size == -EOPNOTSUPP) {
+ /* no data, that's ok */
+ return -ENODATA;
+ }
+ if (size < 0)
+ return size;
if (size < sizeof(magic_etc))
return -EINVAL;
- magic_etc = le32_to_cpu(caps->magic_etc);
+ cpu_caps->magic_etc = magic_etc = le32_to_cpu(caps.magic_etc);
switch ((magic_etc & VFS_CAP_REVISION_MASK)) {
case VFS_CAP_REVISION_1:
@@ -229,46 +282,13 @@ static inline int cap_from_disk(struct vfs_cap_data *caps,
return -EINVAL;
}
- if (magic_etc & VFS_CAP_FLAGS_EFFECTIVE) {
- bprm->cap_effective = true;
- } else {
- bprm->cap_effective = false;
- }
-
- ret = 0;
-
CAP_FOR_EACH_U32(i) {
- __u32 value_cpu;
-
- if (i >= tocopy) {
- /*
- * Legacy capability sets have no upper bits
- */
- bprm->cap_post_exec_permitted.cap[i] = 0;
- continue;
- }
- /*
- * pP' = (X & fP) | (pI & fI)
- */
- value_cpu = le32_to_cpu(caps->data[i].permitted);
- bprm->cap_post_exec_permitted.cap[i] =
- (current->cap_bset.cap[i] & value_cpu) |
- (current->cap_inheritable.cap[i] &
- le32_to_cpu(caps->data[i].inheritable));
- if (value_cpu & ~bprm->cap_post_exec_permitted.cap[i]) {
- /*
- * insufficient to execute correctly
- */
- ret = -EPERM;
- }
+ if (i >= tocopy)
+ break;
+ cpu_caps->permitted.cap[i] = le32_to_cpu(caps.data[i].permitted);
+ cpu_caps->inheritable.cap[i] = le32_to_cpu(caps.data[i].inheritable);
}
-
- /*
- * For legacy apps, with no internal support for recognizing they
- * do not have enough capabilities, we return an error if they are
- * missing some "forced" (aka file-permitted) capabilities.
- */
- return bprm->cap_effective ? ret : 0;
+ return 0;
}
/* Locate any VFS capabilities: */
@@ -276,8 +296,7 @@ static int get_file_caps(struct linux_binprm *bprm)
{
struct dentry *dentry;
int rc = 0;
- struct vfs_cap_data vcaps;
- struct inode *inode;
+ struct cpu_vfs_cap_data vcaps;
bprm_clear_caps(bprm);
@@ -285,24 +304,18 @@ static int get_file_caps(struct linux_binprm *bprm)
return 0;
dentry = dget(bprm->file->f_dentry);
- inode = dentry->d_inode;
- if (!inode->i_op || !inode->i_op->getxattr)
- goto out;
- rc = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, &vcaps,
- XATTR_CAPS_SZ);
- if (rc == -ENODATA || rc == -EOPNOTSUPP) {
- /* no data, that's ok */
- rc = 0;
+ rc = get_vfs_caps_from_disk(dentry, &vcaps);
+ if (rc < 0) {
+ if (rc == -EINVAL)
+ printk(KERN_NOTICE "%s: get_vfs_caps_from_disk returned %d for %s\n",
+ __func__, rc, bprm->filename);
+ else if (rc == -ENODATA)
+ rc = 0;
goto out;
}
- if (rc < 0)
- goto out;
- rc = cap_from_disk(&vcaps, bprm, rc);
- if (rc == -EINVAL)
- printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n",
- __func__, rc, bprm->filename);
+ rc = bprm_caps_from_vfs_caps(&vcaps, bprm);
out:
dput(dentry);
16 years, 1 month
[PATCH] Audit: make audit=0 actually turn off audit
by Eric Paris
Currently audit=0 on the kernel command line does absolutely nothing.
Audit always loads and always uses its resources such as creating the
kernel netlink socket. This patch causes audit=0 to actually disable
audit. Audit will use no resources and starting the userspace auditd
daemon will not cause the kernel audit system to activate.
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
kernel/audit.c | 28 +++++++++++++++++++++-------
1 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 4414e93..d8646c2 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -61,8 +61,11 @@
#include "audit.h"
-/* No auditing will take place until audit_initialized != 0.
+/* No auditing will take place until audit_initialized == AUDIT_INITIALIZED.
* (Initialization happens after skb_init is called.) */
+#define AUDIT_DISABLED -1
+#define AUDIT_UNINITIALIZED 0
+#define AUDIT_INITIALIZED 1
static int audit_initialized;
#define AUDIT_OFF 0
@@ -965,6 +968,9 @@ static int __init audit_init(void)
{
int i;
+ if (audit_initialized == AUDIT_DISABLED)
+ return 0;
+
printk(KERN_INFO "audit: initializing netlink socket (%s)\n",
audit_default ? "enabled" : "disabled");
audit_sock = netlink_kernel_create(&init_net, NETLINK_AUDIT, 0,
@@ -976,7 +982,7 @@ static int __init audit_init(void)
skb_queue_head_init(&audit_skb_queue);
skb_queue_head_init(&audit_skb_hold_queue);
- audit_initialized = 1;
+ audit_initialized = AUDIT_INITIALIZED;
audit_enabled = audit_default;
audit_ever_enabled |= !!audit_default;
@@ -999,13 +1005,21 @@ __initcall(audit_init);
static int __init audit_enable(char *str)
{
audit_default = !!simple_strtol(str, NULL, 0);
- printk(KERN_INFO "audit: %s%s\n",
- audit_default ? "enabled" : "disabled",
- audit_initialized ? "" : " (after initialization)");
- if (audit_initialized) {
+ if (!audit_default)
+ audit_initialized = AUDIT_DISABLED;
+
+ printk(KERN_INFO "audit: %s", audit_default ? "enabled" : "disabled");
+
+ if (audit_initialized == AUDIT_INITIALIZED) {
audit_enabled = audit_default;
audit_ever_enabled |= !!audit_default;
+ } else if (audit_initialized == AUDIT_UNINITIALIZED) {
+ printk(" (after initialization)");
+ } else {
+ printk(" (until reboot)");
}
+ printk("\n");
+
return 1;
}
@@ -1146,7 +1160,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
int reserve;
unsigned long timeout_start = jiffies;
- if (!audit_initialized)
+ if (audit_initialized != AUDIT_INITIALIZED)
return NULL;
if (unlikely(audit_filter_type(type)))
16 years, 1 month
audit 1.7.9 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
soon. The Changelog is:
- Fix uninitialized variable in aureport causing segfault
- Quieten down the gssapi not supported messages
- Fix bug interpreting i386 logs on x86_64 machines
- If kernel is in immutable mode, auditd should not send enable command
- Fix ausearch/report recent and now time keyword lookups
- If hostname is empty string when logging, make it NULL
- Starting adding unit tests to src/test
- Created aulast program
- prelude plugin should pull auid for login alert from 2nd uid field
- Add system boot, shutdown, and run level change events
- Update audisp-prelude LDFLAGS
- Add max_restarts to audispd.conf to limit times a plugin is restarted
- Expand session detection in ausearch
This is mostly a bug fix release. Most of those should be self explanatory
from the description.
This release also adds a new analytical tool, aulast. This is a
re-implementation of the "last" and "lastb" programs based off of audit logs.
the output is identical in format with those utmp based programs. To get the
analysis to work correctly, I needed to introduce 3 new types: SYSTEM_BOOT,
SYSTEM_SHUTDOWN, and SYSTEM_RUNLEVEL. I had to patch upstart to send the
appropriate events, too. The patch against upstart 0.3.9 is here:
http://people.redhat.com/sgrubb/files/upstart/upstart-0.3.9-audit.patch
I will be porting the patch to 0.5 shortly and will post that patch to the
same directory for anyone that needs it.
Because this is based off of audit logs and we may need to debug the analysis,
I added a --proof and --extract option. The --proof option lists the audit
event serial numbers that were used to determine the final state of the
login/logout. This will let you go back and look at them in more detail if
needed. The --extract option will output a condensed raw audit log to
aulast.log in the current working directory that has the events used in
creating the report.
Right now, aulast is not "node" aware. But if you have aggregated logs and
want to use the program, you can pipe it with ausearch. Something like:
ausearch --start today --node test.machine --raw | aulast --stdin
Aulast also requires that the kernel support the session identifier in the
user space originating audit records. I believe that means you need to be
running kernel 2.6.25 or newer or have those patches backported.
Please let me know if you run across any problems with this release.
-Steve
16 years, 1 month
FW: Time field not readable
by Kirkwood, David A.
I have removed the packages audit-2.4.1, audit-libs-2.4.1,
audit-libs-devel-2,4,1 and SnareLinux and added via rpm
audit-libs-1.0.14-1, audit-libs-1.0.4-1 and audit-1.0.14-1. The time
field is still not readable when I used ausearch or aureport utilities.
Have I missed something? I am comparing the system to a known good
system and they appear to be identical.
All help is appreciated.
Thanks,
David A. Kirkwood
SAIC
david.a.kirkwood(a)saic.com
kirkwoodd(a)saic.com
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Monday, November 03, 2008 11:13 AM
To: linux-audit(a)redhat.com
Cc: Kirkwood, David A.
Subject: Re: Time field not readable
On Monday 03 November 2008 10:50:05 Kirkwood, David A. wrote:
> I have had the audit running on multiple system for some time using
> auditctl version 1.0.14 and everything is working just the way I want
> it. I have been given a RHEL4u4 system ( which is what the others are)
> and it havs auditctl version 1.2.1.
RHEL4 must use the audit tools from the 1.0.X series. There were many
changes
that cause incompatibility with anything newer. Yes, install the 1.0.14
copy
and it should work better.
-Steve
16 years, 1 month
question
by David Flatley
If you would indulge my simpler in comparison question of the group. I
am setting up audit
on heavy usage systems. I have setup my auditd.conf to rotate the files
once they get to 70
meg and allow up to 12 rotated files. I created a cron that runs hourly to
look and see if
a ninth rotated file exists and if so run "ausearch -i" outputted to a file
and store the
file, then remove the rotated files. I run the cron to avoid losing data if
there is alot of activity
and rotated files are rolled off. I also have to balance performance with
auditing in this
arrangement.
My question is: is there a better way to do this?
Thanks.
16 years, 1 month
Time field not readable
by Kirkwood, David A.
I have had the audit running on multiple system for some time using
auditctl version 1.0.14 and everything is working just the way I want
it. I have been given a RHEL4u4 system ( which is what the others are)
and it havs auditctl version 1.2.1. The time field started out working
but ended up as not readable. It seems to have revered to the message
id information instead of the time.
The audit rules files are identical and consist of:
-D
-b 8192
-f 2
-a exit,always -S all -F exit=-13
In version 1.0.4 I can use a line llike
Ausearch -I -x /usr/bin/passwd | grep USER_CHAUTHTOK to get
password changes whether they pass or fail
Which is anouth difference
The main difference, however is that the time, although starting out
correctly in 1.2.1 degrades to
Monday 03,November,2008 ,..403:202
If the two versions are different, can I just replace auditctl 1.2.1
with auditctl 1.0.14 to get this system up quickly? If so, do I need to
change any other files?
Thanks
David A. Kirkwood
SAIC
david.a.kirkwood(a)saic.com
kirkwoodd(a)saic.com
Phone: (727) 502-8310
Fax: (727) 822-7776
16 years, 1 month
RE:Time field not readable
by Kirkwood, David A.
Additionally, I noted that the auditd is a different size and date. I
checked some other execultable such as login, su, etc and that are all
the same size and date, so, additionally can I also downgrade the
auditd?
Thanks,
David A. Kirkwood
SAIC
david.a.kirkwood(a)saic.com
kirkwoodd(a)saic.com
Phone: (727) 502-8310
Fax: (727) 822-7776
16 years, 1 month
