A question about the directory watch in audit_tree.c in kernel
by zhangxiliang
HI,
When I use "auditctl -w /home" to watch a directory, nothing about the
directory changed can be output.
I found the "audit tree handle_event" in audit_tree.c in kernel. It
implements as follows:
static void handle_event(struct inotify_watch *watch, u32 wd, u32 mask,
u32 cookie, const char *dname, struct inode *inode)
{
struct audit_chunk *chunk = container_of(watch, struct audit_chunk, watch);
if (mask & IN_IGNORED) {
evict_chunk(chunk);
put_inotify_watch(watch);
}
}
In "handle_event", the mask can be "IN_MOVED_FROM", "IN_MOVED_TO",
"IN_DELETE_SELF", "IN_IGNORED" and so on.
Why it only deals with the mask " IN_IGNORED" and ignores the other
mask?
--
Regards
Zhang Xiliang
--------------------------------------------------
Zhang Xiliang
Development Dept.I
Nanjing Fujitsu Nanda Software Tech. Co., Ltd.(FNST) 8/F., Civil Defense
Building, No.189 Guangzhou Road, Nanjing, 210029, China
TEL: +86+25-86630566-838
COINS: 79955-838
FAX: +86+25-83317685
MAIL: zhangxiliang(a)cn.fujitsu.com
--------------------------------------------------
This communication is for use by the intended recipient(s) only and may
contain information that is privileged, confidential and exempt from
disclosure under applicable law. If you are not an intended recipient of this
communication, you are hereby notified that any dissemination, distribution or
copying hereof is strictly prohibited. If you have received this
communication in error, please notify me by reply e-mail, permanently delete
this communication from your system, and destroy any hard copies you may have
printed.
17 years
NISPOM Auditing
by Mathis, Jim
Hello,
Is there a way to setup a watch log to report if a user attempted to
"cd" to a directory that they didn't have permission to access. I have
watch logs in place but it doesn't seem to report when a "cd" is
attempted and permission is denied. Thanks.
-Jim
17 years
[PATCH] remove useless argument type in audit_filter_user()
by Peng Haitao
The second argument "type" is not used in audit_filter_user(), so I think that type can be removed. If I'm wrong, please tell me.
Signed-off-by: Peng Haitao <penght(a)cn.fujitsu.com>
---
include/linux/audit.h | 2 +-
kernel/audit.c | 2 +-
kernel/auditfilter.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 2af9ec0..018f143 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -537,7 +537,7 @@ extern void audit_log_d_path(struct audit_buffer *ab,
struct path *path);
extern void audit_log_lost(const char *message);
/* Private API (for audit.c only) */
-extern int audit_filter_user(struct netlink_skb_parms *cb, int type);
+extern int audit_filter_user(struct netlink_skb_parms *cb);
extern int audit_filter_type(int type);
extern int audit_receive_filter(int type, int pid, int uid, int seq,
void *data, size_t datasz, uid_t loginuid, u32 sid);
diff --git a/kernel/audit.c b/kernel/audit.c
index b782b04..136e559 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -645,7 +645,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
if (!audit_enabled && msg_type != AUDIT_USER_AVC)
return 0;
- err = audit_filter_user(&NETLINK_CB(skb), msg_type);
+ err = audit_filter_user(&NETLINK_CB(skb));
if (err == 1) {
err = 0;
if (msg_type == AUDIT_USER_TTY) {
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 2f2914b..46337f2 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1714,7 +1714,7 @@ static int audit_filter_user_rules(struct netlink_skb_parms *cb,
return 1;
}
-int audit_filter_user(struct netlink_skb_parms *cb, int type)
+int audit_filter_user(struct netlink_skb_parms *cb)
{
enum audit_state state = AUDIT_DISABLED;
struct audit_entry *e;
--
1.5.3
--
Regards
Peng Haitao
17 years
A question about auditd_reply_list and auditd_consumer_data in Audit.c and Auditd-event.c
by chuli
HI,
I have read source code in Audit-1.6.5 about auditd part. I looked up into functions equeue_event(),event_thread_main() in Auditd-event.c,get_reply(),send_audit_event() and main function in Auditd.c. I don't know why it must use a list (auditd_reply_list) here. It seems rep->next is never be used and it's null so that the else branch of if (consumer_data.head == NULL) in equeue_event() will never be reached.
I feel unsure about above codes. Am I wrong?
Regards
Chu Li
17 years
[PATCH] kernel/audit.c: nlh->nlmsg_type is gotten more than once
by Peng Haitao
The first argument "nlh->nlmsg_type" of audit_receive_filter() should be modified to "msg_type" in audit_receive_msg().
Signed-off-by: Peng Haitao <penght(a)cn.fujitsu.com>
---
kernel/audit.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index b782b04..48fa3d0 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -686,7 +686,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
}
/* fallthrough */
case AUDIT_LIST:
- err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
+ err = audit_receive_filter(msg_type, NETLINK_CB(skb).pid,
uid, seq, data, nlmsg_len(nlh),
loginuid, sid);
break;
@@ -705,7 +705,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
}
/* fallthrough */
case AUDIT_LIST_RULES:
- err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
+ err = audit_receive_filter(msg_type, NETLINK_CB(skb).pid,
uid, seq, data, nlmsg_len(nlh),
loginuid, sid);
break;
--
1.5.3
--
Regards
Peng Haitao
17 years, 1 month
Cooked audit log format
by Matthew Booth
As recently mentioned, Linux audit logs[1] are fairly hideous, and
although machine readability may have been a design goal, I'd argue
they're not too friendly in that regard either. I suspect, in fact, that
the principal driver has been machine producability ;)
I've noticed that a number of utilities cook the logs slightly. I've
shied away from this to date because I want to be able to leverage
existing tools. However, if some standard emerged (or has emerged and I
missed it) for cooked logs, I'd be extremely interested in implementing
that.
Simple starters would include:
* Translating the architecture and syscall names into human.
* Jumping one way or the other with the hex strings business.
* Translating socket addresses into human.
* Translating timestamps into human.
* Ditching uninteresting records, such as PATH with no name for the
dynamic linker, and 2 PATH records when execing a script.
with an ultimate goal of:
* Defining an expected set of data for every system call and putting
them all on a single line in a well defined format.
Is anybody doing any work in this direction?
Matt
[1] Of course, they're really accounting logs produced by the accounting
daemon. If you actually audit your accounting logs, this seemingly
pedantic point can become quite confusing.
--
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
17 years, 1 month
open() syscall and success=0 question
by Keith Kaple
Hi, I'm fairly new to auditd, I just want to make sure I understand this correctly, the "unsuccessfull opens" manpage example was recently changed from:
auditctl -a exit,always -S open -F success!=0
to
auditctl -a exit,always -S open -F success=0
The logic of 'success' is defined as:
success If the exit value is >= 0 this is true/yes otherwise its false/no. When writing a rule, use a 1 for true/yes and a 0 for false/no
So, for open() returning a positive number that is the file descriptor which the process will read/write from and thus success is true or 1. When open fails, the open() manpage says it will return -1 so that will make success false or 0. When success is false, auditd seems to use the negated value of ERRNO to populate the exit= field, is that correct? So a rule such as:
auditctl -a exit,always -S open -F success=0 -F exit=-13
Would log only permission related failures, correct?
thanks,
Keith
--
| |
. | | | . | | | .
' '
C I S C O
GGSG VoIP
17 years, 1 month
need debug suggestions on system freeze
by LC Bruzenak
I need some suggestions for debugging an issue I'm having.
I have a Dell Vostro laptop I've been using successfully for a while
(details below). It has some user apps running but doesn't seem
overburdened. I am running mls policy in permissive mode.
However, recently the following happens:
PART 1 (prelude relay disabled):
* audit is enabled, there are 2 audisp plugins (prelude and af_unix).
* The audispd.conf q_depth = 128
* I go to our project source directory and start an "svn up"
* In another window as root I "tail -f /var/syslog/messages":
...
May 9 13:51:40 comms audispd: queue is full - dropping event
May 9 13:51:40 comms audispd: queue is full - dropping event
May 9 13:51:40 comms audispd: queue is full - dropping event
May 9 13:51:40 comms audispd: queue is full - dropping event
May 9 13:51:40 comms audispd: queue is full - dropping event
May 9 13:51:40 comms audispd: queue is full - dropping event
May 9 13:51:40 comms audispd: queue is full - dropping event
May 9 13:51:40 comms audispd: queue is full - dropping event
May 9 13:51:40 comms audispd: queue is full - dropping event
May 9 13:51:40 comms audispd: queue is full - dropping event
May 9 13:51:40 comms audispd: queue is full - dropping event
May 9 13:51:40 comms audispd: queue is full - dropping event
May 9 13:51:40 comms audispd: queue is full - dropping event
May 9 13:51:40 comms audispd: queue is full - dropping event
May 9 13:51:40 comms audispd: queue is full - dropping event
May 9 13:51:42 comms auditd[3629]: Audit daemon rotating log files with
keep option
May 9 13:52:10 comms prelude-manager: WARNING: Failover enabled:
connection error with 192.168.31.120:4690: Connection timed out
* Very soon after this the machine locks up. The above is the last entry
in the messages log. Only the "caps lock" and some other "lock" icon on
the keyboard (but not scroll lock) flash, and I have no inbound network
connection & the screen is blank. I cannot get to a terminal with
<ALT><F4> . The only option is power cycle.
* After reboot, if I "service auditd stop" then repeat the svn stuff
there is no freeze, no messages. I suspect it is something with file
traversals and the audit dispatcher/prelude. It also happened once when
doing a "rm -rf " on a directory with many files under my home
directory.
* I purposely have a lot of audit logs left in the directory:
[root@hugo ~]# ls -1 /var/log/audit | wc -l
90
* I purposely have the prelude parent manager (relay-to machine)
disabled.
* The machine was not exceptionally busy in userland according to the
"top" I had running in another window. Here is the header from that (the
"top" process was running, all others sleeping):
top - 13:52:40 up 19 min, 3 users, load average: 0.14, 0.16, 0.12
Tasks: 156 total, 1 running, 155 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.2%us, 0.3%sy, 0.0%ni, 99.5%id, 0.0%wa, 0.0%hi, 0.0%si,
0.0%st
Mem: 2060944k total, 912324k used, 1148620k free, 210276k buffers
Swap: 6835000k total, 0k used, 6835000k free, 240760k cached
* The freeze-up happens faster (I believe) if I leave the audispd.conf
q_depth = 80 (default).
Details:
[root@hugo ~]# uname -a
Linux hugo 2.6.25-14.fc9.x86_64 #1 SMP Thu May 1 06:06:21 EDT 2008
x86_64 x86_64 x86_64 GNU/Linux
[root@hugo ~]# rpm -qa | grep audit-
audit-libs-1.7.2-6.fc9.i386
audit-1.7.2-6.fc9.x86_64
audit-libs-1.7.2-6.fc9.x86_64
...
* I have lots of audit rules, plan to add more:
[root@hugo ~]# auditctl -l | wc -l
84
* Disk is not full:
[root@hugo ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
108G 7.2G 101G 7% /
/dev/sda1 190M 20M 161M 11% /boot
tmpfs 1007M 48K 1007M 1% /dev/shm
PART 2:
So - then I enabled the relaying prelude-manager. The svn update got
farther, and I thought maybe that was the cause of the original problem.
However, I saw this first in the messages log:
...
May 9 15:31:36 comms audispd: queue is full - dropping event
May 9 15:31:36 comms audispd: queue is full - dropping event
May 9 15:31:36 comms audispd: queue is full - dropping event
May 9 15:31:36 comms audispd: queue is full - dropping event
May 9 15:31:38 comms audispd: queue is full - dropping event
May 9 15:31:38 comms audispd: queue is full - dropping event
May 9 15:31:38 comms audispd: queue is full - dropping event
May 9 15:31:38 comms audispd: queue is full - dropping event
May 9 15:31:38 comms auditd[3682]: Audit daemon rotating log files with
keep option
May 9 15:31:43 comms auditd[3682]: Audit daemon rotating log files with
keep option
May 9 15:31:48 comms auditd[3682]: Audit daemon rotating log files with
keep option
May 9 15:31:53 comms auditd[3682]: Audit daemon rotating log files with
keep option
Then the same freeze-up happens as described above.
Any suggestions or other data I can provide to help debug?
In the meantime I will increase the audispd.conf q_depth and retest.
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
17 years, 1 month
