audit 1.7.3 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
soon. The Changelog is:
- Fix path processing in AVC records.
- auparse_find_field_next() wasn't resetting field ptr going to next record.
- auparse_find_field() wasn't checking current field before iterating
- cleanup some string handling in audisp-prelude plugin
- Update auditctl man page
- Fix output of keys in ausearch interpreted mode
- Fix ausearch/report --start now to not be reset to midnight
- Added auparse_goto_record_num function
- Prelude plugin now uses auparse_goto_record_num to avoid skipping a record
- audispd now has a priority boost config option
- Look for laddr in avcs reported via prelude
- Detect page 0 mmaps and alert via prelude
This is mostly a bug fix release. The prelude work has been showing a few
problems in libauparse. They are cleaned up now. The string handling in the
prelude plugin was not as robust as it could have been. That's now working
better.
The auparse library got a new function. You can now seek to a specific record
in addition to just iterating to them. This was needed because the analysis
part of the prelude plugin could sometimes cause part of an event to not be
examined for a particular problem.
It also turns out that we are starting to have some issues where the audit
event dispatcher is not getting enough time slices to handle all the events
that it needs to. The solution was to add another config option where it can
get a priority boost above the audit daemon's so that it can keep things
empty. The default boost for the audit daemon was increased also.
I also added detection of page 0 mmaps via SE Linux AVCs to the prelude
plugin.
Please let me know if you run across any problems with this release.
-Steve
Aureport and Cron
by Mathis, Jim
Hello,
OS: RH ES 5.1
Kernel: 2.6.X
When I run aureport from the command line it works properly. When I run
the same command via a cron job aureport runs without error but the info
within report is not correct. The problem when running via cron is that
the range time in logs is incorrect. As follows:
Range of time in logs: 12/31/69 19:00:00.000 - 12/31/69 19:00:00.000
Selected time for report: 05/06/08 00:00:01 - 05/06/08 12:42:01
Now notice the range time in logs when the same aureport command is run
from the command line. As follows:
Range of time in logs: 05/02/2008 06:40:01.347 - 05/06/2008 11:31:42.642
Selected time for report: 05/02/2008 06:40:01 - 05/06/2008 11:31:42.642
So the question is why is aureport using a log time of 12/31/69 via cron
vice 05/XX/08 as per the command line. Thanks.
P.S. aureport -t indicates proper log times for the audit.logs within
/var/logs/audit
-Jim
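The "12/31/69 19:00:00" value in the cron run is the Unix epoch (1970-01-01 00:00 UTC) as displayed in a UTC-5 zone, which means aureport found no usable log data for that run. The following check is an added example, not part of the post or of the audit tools: it parses the "Range of time in logs" header the way a cron wrapper could, so an empty report is flagged instead of being mailed out as if it were real. The two header samples are copied from the post; the regexes and function names are assumptions of this example.

```python
import re
from datetime import datetime

# Header lines as quoted in the post: the cron run and the interactive run.
CRON_RUN = """Range of time in logs: 12/31/69 19:00:00.000 - 12/31/69 19:00:00.000
Selected time for report: 05/06/08 00:00:01 - 05/06/08 12:42:01"""
SHELL_RUN = """Range of time in logs: 05/02/2008 06:40:01.347 - 05/06/2008 11:31:42.642
Selected time for report: 05/02/2008 06:40:01 - 05/06/2008 11:31:42.642"""

RANGE_RE = re.compile(r"^Range of time in logs:\s*(\S+ \S+) - (\S+ \S+)", re.M)

def parse_stamp(stamp):
    """Parse either layout aureport prints (2- or 4-digit year, optional
    milliseconds) into a naive datetime; %y maps 69 to 1969 as POSIX does."""
    for fmt in ("%m/%d/%y %H:%M:%S.%f", "%m/%d/%y %H:%M:%S",
                "%m/%d/%Y %H:%M:%S.%f", "%m/%d/%Y %H:%M:%S"):
        try:
            return datetime.strptime(stamp, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised aureport timestamp: " + stamp)

def log_range(header):
    """Return (start, end) datetimes from the 'Range of time in logs' line."""
    m = RANGE_RE.search(header)
    if not m:
        raise ValueError("no 'Range of time in logs' line in header")
    return tuple(parse_stamp(s) for s in m.groups())

def log_range_is_empty(header):
    """True when the log range is the Unix epoch or has zero width: aureport
    then saw no records, and the rest of the report should not be trusted."""
    start, end = log_range(header)
    # No audit log can predate 1971; a zero-width range is equally useless.
    return start.year <= 1970 or end.year <= 1970 or start == end
```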
minor rule questions
by LC Bruzenak
MINOR: It appears that there needs to be a space between the "key=xxx"
and "list=N" results from "ausearch -i -ts today":
...
type=CONFIG_CHANGE msg=audit(05/08/2008 10:34:57.259:151) : auid=unset
subj=system_u:system_r:auditctl_t:s0-s15:c0.c1023 op=add rule key=CFG
key=postfixlist=4 res=1
...
I'm sure this one is on startup when the audit.rules file is parsed and
the auditctls all happen. And what does the "list=N" part represent?
Would it be the following (i.e. exit):
#define AUDIT_FILTER_EXIT 0x04 /* Apply rule at syscall exit */
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
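As an added example (not from the post or from the audit project), a small parser for interpreted ausearch records that splits fields, flags a token in which a second "name=" has been fused onto a value, as with the "key=postfixlist=4" quoted above, and maps "list=4" to its AUDIT_FILTER_* name using the numbering from linux/audit.h (0x04 is AUDIT_FILTER_EXIT, as the post guesses). The set of field names it knows is limited to those in the quoted record, and the record string is a constructed copy of that output.

```python
import re

# Constructed copy of the CONFIG_CHANGE record quoted in the post, with the
# missing space before "list=4".
RECORD = ("type=CONFIG_CHANGE msg=audit(05/08/2008 10:34:57.259:151) : auid=unset "
          "subj=system_u:system_r:auditctl_t:s0-s15:c0.c1023 op=add rule key=CFG "
          "key=postfixlist=4 res=1")

# Filter list numbers as defined by AUDIT_FILTER_* in linux/audit.h.
FILTER_LISTS = {0: "user", 1: "task", 2: "entry", 3: "watch", 4: "exit", 5: "exclude"}

# Keep "msg=audit(... ...)" together even though it contains a space.
TOKEN_RE = re.compile(r"\S+\([^)]*\)|\S+")
# Field names this example knows; all appear in the quoted record.
KNOWN_FIELDS = {"type", "msg", "auid", "subj", "op", "key", "list", "res"}

def parse_record(line):
    """Split an interpreted audit record into (name, value) pairs.
    Returns (fields, glued): glued lists raw tokens in which a known field
    name was found fused onto the end of another field's value."""
    fields, glued = [], []
    for tok in TOKEN_RE.findall(line):
        if "=" not in tok:
            continue                      # bare words such as ':' or 'rule'
        name, value = tok.split("=", 1)
        if "=" in value:
            # e.g. key=postfixlist=4: peel a known field name off the left part
            left, right = value.rsplit("=", 1)
            for f in sorted(KNOWN_FIELDS, key=len, reverse=True):
                if left.endswith(f) and len(left) > len(f):
                    fields.append((name, left[:-len(f)]))
                    fields.append((f, right))
                    glued.append(tok)
                    break
            else:
                fields.append((name, value))   # not repairable; keep raw
            continue
        fields.append((name, value))
    return fields, glued

def filter_list_name(fields):
    """Map the list=N field of a CONFIG_CHANGE record to its filter list name."""
    for name, value in fields:
        if name == "list":
            return FILTER_LISTS.get(int(value), "unknown")
    return None
```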
Re: [PATCH v4] selinux: support deferred mapping of contexts
by Eric Paris
On Wed, May 7, 2008 at 11:23 AM, Stephen Smalley <sds(a)tycho.nsa.gov> wrote:
>
>
> On Wed, 2008-05-07 at 11:17 -0400, Eric Paris wrote:
> > > I assume we do NOT want to use this variant interface when getting
> > > contexts to display in audit messages, as we want the audit messages to
> > > correspond to the actual denial and to yield proper policy if turned
> > > into an allow rule.
> >
> > Is there any way we could get them both displayed if there is a
> > denial? Might be interesting to know both that the denial was
> > actually unlabeled_t object but also what the 'incorrect' label
> > was.....
>
> Easy to do kernel-side, but requires a new avc audit field that won't
> cause any complaints by audit userland or tools like audit2allow.
Well, I'm not concerned about audit userland, if they can't handle
arbitrary users or the audit subsystem that's an audit failure. As to
audit2allow I'm clueless but I guess I could take a look if others
think it is an interesting piece of knowledge...
-Eric
audit rule question
by LC Bruzenak
Q: Manpage says :
"-S [Syscall name or number|all]"
..."You may also specify multiple syscalls in the same rule as a comma
separated list with no spaces in between. Doing so improves performance
since fewer rules need to be evaluated."...
So I'd have thought that this would work:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -k time-change
but only this does:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
Restarting auditd says:
There was an error in line 165 of /etc/audit/audit.rules
Am I misunderstanding this option, or is there a manpage or code error?
audit-1.7.2-6.fc9.x86_64
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
ausearch question
by LC Bruzenak
I was wondering what a "-ts now" would return from my audit data.
I thought maybe it would be similar to a "tail" of the data, but that's
not what I got.
Is this what you'd expect?:
[root@hugo ~]# date ; ausearch -i -ts now --just-one
Thu May 1 14:05:10 EDT 2008
----
type=DAEMON_START msg=audit(05/01/2008 09:14:40.029:3602) : auditd
start, ver=1.7.2 format=raw kernel=2.6.25-1.fc9.x86_64 auid=unset
pid=2003 res=success
Most of the relevant data is in the record, however:
[root@hugo ~]# uname -a
Linux hugo 2.6.25-1.fc9.x86_64 #1 SMP Thu Apr 17 01:11:31 EDT 2008
x86_64 x86_64 x86_64 GNU/Linux
[root@hugo ~]# rpm -qa | grep audit
audit-libs-1.7.2-6.fc9.i386
audit-1.7.2-6.fc9.x86_64
audit-libs-python-1.7.2-6.fc9.x86_64
audit-libs-devel-1.7.2-6.fc9.x86_64
audit-libs-devel-1.7.2-6.fc9.i386
audit-libs-1.7.2-6.fc9.x86_64
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com