[patch 1/3] auditsc: fix kernel-doc notation
by akpm@linux-foundation.org
From: Randy Dunlap <randy.dunlap(a)oracle.com>
Fix auditsc kernel-doc notation:
Warning(linux-2.6.28-git7//kernel/auditsc.c:2156): No description found for parameter 'attr'
Warning(linux-2.6.28-git7//kernel/auditsc.c:2156): Excess function parameter 'u_attr' description in '__audit_mq_open'
Warning(linux-2.6.28-git7//kernel/auditsc.c:2204): No description found for parameter 'notification'
Warning(linux-2.6.28-git7//kernel/auditsc.c:2204): Excess function parameter 'u_notification' description in '__audit_mq_notify'
Signed-off-by: Randy Dunlap <randy.dunlap(a)oracle.com>
Cc: Al Viro <viro(a)zeniv.linux.org.uk>
Cc: Eric Paris <eparis(a)redhat.com>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
kernel/auditsc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff -puN kernel/auditsc.c~auditsc-fix-kernel-doc-notation kernel/auditsc.c
--- a/kernel/auditsc.c~auditsc-fix-kernel-doc-notation
+++ a/kernel/auditsc.c
@@ -2149,7 +2149,7 @@ int audit_set_loginuid(struct task_struc
* __audit_mq_open - record audit data for a POSIX MQ open
* @oflag: open flag
* @mode: mode bits
- * @u_attr: queue attributes
+ * @attr: queue attributes
*
*/
void __audit_mq_open(int oflag, mode_t mode, struct mq_attr *attr)
@@ -2196,7 +2196,7 @@ void __audit_mq_sendrecv(mqd_t mqdes, si
/**
* __audit_mq_notify - record audit data for a POSIX MQ notify
* @mqdes: MQ descriptor
- * @u_notification: Notification event
+ * @notification: Notification event
*
*/
_
17 years
- 1
- 0
[PATCH] integrity: audit update
by Mimi Zohar
- Force audit result to be either 0 or 1.
- make template names const
- Add new stand-alone message type: AUDIT_INTEGRITY_RULE
Signed-off-by: Mimi Zohar <zohar(a)us.ibm.com>
---
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 930939a..4fa2810 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -36,7 +36,8 @@
* 1500 - 1599 kernel LSPP events
* 1600 - 1699 kernel crypto events
* 1700 - 1799 kernel anomaly records
- * 1800 - 1999 future kernel use (maybe integrity labels and related events)
+ * 1800 - 1899 kernel integrity events
+ * 1900 - 1999 future kernel use
* 2000 is for otherwise unclassified kernel audit messages (legacy)
* 2001 - 2099 unused (kernel)
* 2100 - 2199 user space anomaly records
@@ -130,6 +131,7 @@
#define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */
#define AUDIT_INTEGRITY_HASH 1803 /* Integrity HASH type */
#define AUDIT_INTEGRITY_PCR 1804 /* PCR invalidation msgs */
+#define AUDIT_INTEGRITY_RULE 1805 /* policy rule */
#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index e3c16a2..165eb53 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -47,7 +47,7 @@ struct ima_template_data {
struct ima_template_entry {
u8 digest[IMA_DIGEST_SIZE]; /* sha1 or md5 measurement hash */
- char *template_name;
+ const char *template_name;
int template_len;
struct ima_template_data template;
};
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index a148a25..3cd58b6 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -15,7 +15,7 @@
#include <linux/module.h>
#include "ima.h"
-static char *IMA_TEMPLATE_NAME = "ima";
+static const char *IMA_TEMPLATE_NAME = "ima";
/*
* ima_store_template - store ima template measurements
diff --git a/security/integrity/ima/ima_audit.c b/security/integrity/ima/ima_audit.c
index 8a0f1e2..1e082bb 100644
--- a/security/integrity/ima/ima_audit.c
+++ b/security/integrity/ima/ima_audit.c
@@ -22,16 +22,18 @@ static int ima_audit;
static int __init ima_audit_setup(char *str)
{
unsigned long audit;
- int rc;
- char *op;
+ int rc, result = 0;
+ char *op = "ima_audit";
+ char *cause;
rc = strict_strtoul(str, 0, &audit);
if (rc || audit > 1)
- printk(KERN_INFO "ima: invalid ima_audit value\n");
+ result = 1;
else
ima_audit = audit;
- op = ima_audit ? "ima_audit_enabled" : "ima_audit_not_enabled";
- integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL, NULL, op, 0, 0);
+ cause = ima_audit ? "enabled" : "not_enabled";
+ integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL,
+ op, cause, result, 0);
return 1;
}
__setup("ima_audit=", ima_audit_setup);
@@ -47,20 +49,21 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
return;
ab = audit_log_start(current->audit_context, GFP_KERNEL, audit_msgno);
- audit_log_format(ab, "integrity: pid=%d uid=%u auid=%u",
+ audit_log_format(ab, "integrity: pid=%d uid=%u auid=%u ses=%u",
current->pid, current->cred->uid,
- audit_get_loginuid(current));
+ audit_get_loginuid(current),
+ audit_get_sessionid(current));
audit_log_task_context(ab);
switch (audit_msgno) {
case AUDIT_INTEGRITY_DATA:
case AUDIT_INTEGRITY_METADATA:
case AUDIT_INTEGRITY_PCR:
+ case AUDIT_INTEGRITY_STATUS:
audit_log_format(ab, " op=%s cause=%s", op, cause);
break;
case AUDIT_INTEGRITY_HASH:
audit_log_format(ab, " op=%s hash=%s", op, cause);
break;
- case AUDIT_INTEGRITY_STATUS:
default:
audit_log_format(ab, " op=%s", op);
}
@@ -73,6 +76,6 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
if (inode)
audit_log_format(ab, " dev=%s ino=%lu",
inode->i_sb->s_id, inode->i_ino);
- audit_log_format(ab, " res=%d", result);
+ audit_log_format(ab, " res=%d", !result ? 0 : 1);
audit_log_end(ab);
}
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 573780c..ffbe259 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -137,7 +137,7 @@ static int ima_measurements_show(struct seq_file *m, void *v)
ima_putc(m, &namelen, sizeof namelen);
/* 4th: template name */
- ima_putc(m, e->template_name, namelen);
+ ima_putc(m, (void *)e->template_name, namelen);
/* 5th: template specific data */
ima_template_show(m, (struct ima_template_data *)&e->template,
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index cf227db..0b0bb8c 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -20,7 +20,7 @@
#include "ima.h"
/* name for boot aggregate entry */
-static char *boot_aggregate_name = "boot_aggregate";
+static const char *boot_aggregate_name = "boot_aggregate";
int ima_used_chip;
/* Add the boot aggregate to the IMA measurement list and extend
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 23810e0..b5291ad 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -12,7 +12,6 @@
*/
#include <linux/module.h>
#include <linux/list.h>
-#include <linux/audit.h>
#include <linux/security.h>
#include <linux/magic.h>
#include <linux/parser.h>
@@ -239,8 +238,7 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
char *p;
int result = 0;
- ab = audit_log_start(current->audit_context, GFP_KERNEL,
- AUDIT_INTEGRITY_STATUS);
+ ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_RULE);
entry->action = -1;
while ((p = strsep(&rule, " \n")) != NULL) {
@@ -345,15 +343,14 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
AUDIT_SUBJ_TYPE);
break;
case Opt_err:
- printk(KERN_INFO "%s: unknown token: %s\n",
- __FUNCTION__, p);
+ audit_log_format(ab, "UNKNOWN=%s ", p);
break;
}
}
if (entry->action == UNKNOWN)
result = -EINVAL;
- audit_log_format(ab, "res=%d", result);
+ audit_log_format(ab, "res=%d", !result ? 0 : 1);
audit_log_end(ab);
return result;
}
@@ -367,7 +364,7 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
*/
int ima_parse_add_rule(char *rule)
{
- const char *op = "add_rule";
+ const char *op = "update_policy";
struct ima_measure_rule_entry *entry;
int result = 0;
int audit_info = 0;
@@ -394,8 +391,12 @@ int ima_parse_add_rule(char *rule)
mutex_lock(&ima_measure_mutex);
list_add_tail(&entry->list, &measure_policy_rules);
mutex_unlock(&ima_measure_mutex);
- } else
+ } else {
kfree(entry);
+ integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
+ NULL, op, "invalid policy", result,
+ audit_info);
+ }
return result;
}
--
1.5.6.6
17 years
- 2
- 3
audit-viewer event file question
by LC Bruzenak
Is there a way to specify on the command line a way to tell the
audit-viewer to read a specific raw event file?
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
17 years
- 2
- 1
integrity: audit
by Mimi Zohar
integrity: audit
This patch adds support to auditd for integrity messages, which are
issued as a result of the integrity patchset that was applied to the
security-testing-2.6/#next tree.
Signed-off-by: Mimi Zohar <zohar(a)us.ibm.com>
Index: audit-1.7.11/src/ausearch-parse.c
===================================================================
--- audit-1.7.11.orig/src/ausearch-parse.c
+++ audit-1.7.11/src/ausearch-parse.c
@@ -49,6 +49,7 @@ static int parse_login(const lnode *n, s
static int parse_daemon(const lnode *n, search_items *s);
static int parse_sockaddr(const lnode *n, search_items *s);
static int parse_avc(const lnode *n, search_items *s);
+static int parse_integrity(const lnode *n, search_items *s);
static int parse_kernel_anom(const lnode *n, search_items *s);
static int parse_simple_message(const lnode *n, search_items *s);
static int parse_tty(const lnode *n, search_items *s);
@@ -123,6 +124,9 @@ int extract_search_items(llist *l)
case AUDIT_MAC_POLICY_LOAD...AUDIT_MAC_UNLBL_STCDEL:
ret = parse_simple_message(n, s);
break;
+ case AUDIT_INTEGRITY_DATA...AUDIT_INTEGRITY_PCR:
+ ret = parse_integrity(n, s);
+ break;
case AUDIT_KERNEL:
case AUDIT_IPC:
case AUDIT_SELINUX_ERR:
@@ -1150,6 +1154,105 @@ static int parse_sockaddr(const lnode *n
return 0;
}
+
+static int parse_integrity(const lnode *n, search_items *s)
+{
+ char *ptr, *str, *term;
+ int rc=0;
+
+ term = n->message;
+ // get integrity:
+ str = strstr(term, "integrity: ");
+ if (str) {
+ ptr = str + 11;
+ }
+
+ // get pid
+ str = strstr(term, "pid=");
+ if (str) {
+ ptr = str + 4;
+ term = strchr(ptr, ' ');
+ if (term == NULL)
+ return 2;
+ *term = 0;
+ errno = 0;
+ s->pid = strtoul(ptr, NULL, 10);
+ if (errno)
+ return 3;
+ *term = ' ';
+ }
+
+ // get uid
+ str = strstr(term, " uid=");
+ if (str) {
+ ptr = str + 4;
+ term = strchr(ptr, ' ');
+ if (term == NULL)
+ return 4;
+ *term = 0;
+ errno = 0;
+ s->uid = strtoul(ptr, NULL, 10);
+ if (errno)
+ return 5;
+ *term = ' ';
+ }
+
+ // get loginuid
+ str = strstr(n->message, "auid=");
+ if (str) {
+ ptr = str + 5;
+ term = strchr(ptr, ' ');
+ if (term == NULL)
+ return 6;
+ *term = 0;
+ errno = 0;
+ s->loginuid = strtoul(ptr, NULL, 10);
+ if (errno)
+ return 7;
+ *term = ' ';
+ }
+
+ str = strstr(term, "comm=");
+ if (str) {
+ str += 5;
+ if (*str == '"') {
+ str++;
+ term = strchr(str, '"');
+ if (term == NULL)
+ return 8;
+ *term = 0;
+ s->comm = strdup(str);
+ *term = '"';
+ } else
+ s->comm = unescape(str);
+ }
+
+ str = strstr(term, " name=");
+ if (str) {
+ str += 6;
+ if (common_path_parser(s, str))
+ return 9;
+ }
+
+ // and results (usually last)
+ str = strstr(term, "res=");
+ if (str != NULL) {
+ ptr = str + 4;
+ term = strchr(ptr, ' ');
+ if (term)
+ *term = 0;
+ errno = 0;
+ s->success = strtoul(ptr, NULL, 10);
+ if (errno)
+ return 10;
+ if (term)
+ *term = ' ';
+ }
+
+ return 0;
+}
+
+
/* FIXME: If they are in permissive mode or hit an auditallow, there can
* be more that 1 avc in the same syscall. For now, we pickup just the first.
*/
Index: audit-1.7.11/lib/libaudit.h
===================================================================
--- audit-1.7.11.orig/lib/libaudit.h
+++ audit-1.7.11/lib/libaudit.h
@@ -174,6 +174,11 @@ extern "C" {
#ifndef AUDIT_ANOM_ABEND
#define AUDIT_ANOM_ABEND 1701 /* Process ended abnormally */
#endif
+#define AUDIT_INTEGRITY_DATA 1800 /* Data integrity verification */
+#define AUDIT_INTEGRITY_METADATA 1801 /* Metadata integrity verification */
+#define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */
+#define AUDIT_INTEGRITY_HASH 1803 /* Integrity HASH type */
+#define AUDIT_INTEGRITY_PCR 1804 /* PCR invalidation msgs */
#define AUDIT_FIRST_ANOM_MSG 2100
#define AUDIT_LAST_ANOM_MSG 2199
#define AUDIT_ANOM_LOGIN_FAILURES 2100 // Failed login limit reached
Index: audit-1.7.11/lib/msg_typetab.h
===================================================================
--- audit-1.7.11.orig/lib/msg_typetab.h
+++ audit-1.7.11/lib/msg_typetab.h
@@ -122,6 +122,12 @@ _S(AUDIT_MAC_UNLBL_STCADD, "MA
_S(AUDIT_MAC_UNLBL_STCDEL, "MAC_UNLBL_STCDEL" )
_S(AUDIT_ANOM_PROMISCUOUS, "ANOM_PROMISCUOUS" )
_S(AUDIT_ANOM_ABEND, "ANOM_ABEND" )
+_S(AUDIT_INTEGRITY_DATA, "INTEGRITY_DATA" )
+_S(AUDIT_INTEGRITY_METADATA, "INTEGRITY_METADATA" )
+_S(AUDIT_INTEGRITY_STATUS, "INTEGRITY_STATUS" )
+_S(AUDIT_INTEGRITY_HASH, "INTEGRITY_HASH" )
+_S(AUDIT_INTEGRITY_PCR, "INTEGRITY_PCR" )
+
#ifdef WITH_APPARMOR
_S(AUDIT_AA, "APPARMOR" )
_S(AUDIT_APPARMOR_AUDIT, "APPARMOR_AUDIT" )
Index: audit-1.7.11/system-config-audit/src/lists.py
===================================================================
--- audit-1.7.11.orig/system-config-audit/src/lists.py
+++ audit-1.7.11/system-config-audit/src/lists.py
@@ -160,6 +160,11 @@ audit.AUDIT_LAST_KERN_ANOM_MSG,
audit.AUDIT_ANOM_PROMISCUOUS,
audit.AUDIT_ANOM_ABEND,
audit.AUDIT_KERNEL,
+audit.AUDIT_INTEGRITY_DATA,
+audit.AUDIT_INTEGRITY_METADATA,
+audit.AUDIT_INTEGRITY_STATUS,
+audit.AUDIT_INTEGRITY_HASH,
+audit.AUDIT_INTEGRITY_PCR,
)
# From code in src/auditctl.c
Index: audit-1.7.11/lib/netlink.c
===================================================================
--- audit-1.7.11.orig/lib/netlink.c
+++ audit-1.7.11/lib/netlink.c
@@ -182,7 +182,8 @@ static int adjust_reply(struct audit_rep
case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
case AUDIT_FIRST_USER_MSG2...AUDIT_LAST_USER_MSG2:
case AUDIT_FIRST_EVENT...AUDIT_LAST_KERN_ANOM_MSG:
- rep->message = NLMSG_DATA(rep->nlh);
+ case AUDIT_INTEGRITY_DATA...AUDIT_INTEGRITY_PCR:
+ rep->message = NLMSG_DATA(rep->nlh);
break;
case AUDIT_SIGNAL_INFO:
rep->signal_info = NLMSG_DATA(rep->nlh);
17 years
- 2
- 3