audit 2.0 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The Changelog is:
- Remove system-config-audit
- Get rid of () from userspace originating events
- Removed old syscall rules API - not needed since 2.6.16
- Remove all use of the old rule structs from API
- Fix uninitialized variable in auditd log rotation
- Add libcap-ng support for audispd plugins
- Removed ancient defines that are part of kernel 2.6.29 headers
- Bump soname number for libaudit
- In auditctl, deprecate the entry filter and move rules to exit filter
- Parse integrity audit records in ausearch/report (Mimi Zohar)
- Updated syscall table for 2.6.31 kernel
- Remove support for the legacy negate syscall rule operator
- In auditd reset syslog warnings if disk space becomes available
This release has some major changes that linux distros will want to take
notice of. The first is that system-config-audit has been removed from the
package. It can now be found here:
https://fedorahosted.org/system-config-audit/
There were audit events that originate in user space that have this suffix added:
(hostname=?, addr=?, terminal=? res=failed) The parentheses have now been
removed so that it's purely name=value. Any program linked to libauparse will
not notice any difference.
This release removes the old kernel API for sending audit rules to the kernel.
This was only needed for kernels prior to 2.6.16. By now distros should be
shipping something newer than that. This release also bumps the soname number
so that we compile all packages in a distribution to make sure that the change
in API does not cause a problem in a third party application. Svn has been
branched and will be maintained for a little while so that distros that can't
make the jump to 2.0 right now have something with bug fixes in it.
Libcap-ng support has been added so that all audispd plugins drop all
capabilities after starting up. If you don't have libcap-ng it still runs the
way it used to.
While cleaning up, I removed all the superfluous defines that we had in place to
allow compiling with much older kernels. The minimum kernel headers needed are
2.6.29. Since 2.6.31 should be out soon, this should work fine with new OS
releases under development.
As stated in an RFC much earlier in the year, we now move all audit rules to
the exit filter to simplify rule writing. A warning is emitted if a rule is
targeted for the entry filter. At some point in the future we will be able to
remove the syscall entry filter in the kernel.
This release adds full support for integrity audit records and updates the
kernel syscall table for the 2.6.31 kernel. And if low disk space actions have
syslog as the action, we now reset that flag internally to auditd when we see
that disk space has been freed up.
Big update...big changes. Might not see this in a distro right away. But
please let me know if you run across any problems with this release.
-Steve
need rules help
by LC Bruzenak
I searched the list for an example but see nothing applicable.
I need to be able to exclude the following event example:
node=jcdx type=PATH msg=audit(07/20/2009 00:00:16.469:24295) : item=0
name=/var/opt/jcdx/tracks/mltrackdb/AcousticTracks.inst/040fd238ede9dfbbc19e012c7633836f/AcousticTracks
node=jcdx type=CWD msg=audit(07/20/2009 00:00:16.469:24295) : cwd=/
node=jcdx type=SYSCALL msg=audit(07/20/2009 00:00:16.469:24295) :
arch=i386 syscall=stat64 success=no exit=-13(Permission denied)
a0=8813598 a1=ffdfed24 a2=c91ff4 a3=ffdfee5c items=1 ppid=1 pid=2747
auid=unset uid=root gid=unknown(450) euid=root suid=root fsuid=root
egid=unknown(450) sgid=unknown(450) fsgid=unknown(450) tty=(none)
ses=4294967295 comm=mtdb exe=/opt/jcdx/sbin/mtdb
subj=system_u:system_r:jcdx_mtdb_t:s0-s6:c0.c511 key=(null)
node=jcdx type=AVC msg=audit(07/20/2009 00:00:16.469:24295) : avc:
denied { search } for pid=2747 comm=mtdb
name=040fd238ede9dfbbc19e012c7633836f dev=dm-0 ino=71632
scontext=system_u:system_r:jcdx_mtdb_t:s0-s6:c0.c511
tcontext=system_u:object_r:jcdx_stdb_var_t:s15:c0.c1023 tclass=dir
I thought that the following would work:
-a never,exit -F subj_type=jcdx_mtdb_t -F obj_type=jcdx_stdb_var_t
but it doesn't stop the event from getting into the log.
I saw Steve's suggestion back in January about using the exclude rule,
but that one says "only msgtype field works with exclude filter", so I
cannot include any other "-F" options.
Any ideas?
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
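As an added example (not from this list post or the audit project), a Python post-collection filter that parses ausearch -i style records like the ones quoted above, groups them by event serial, and drops events whose SYSCALL subject type and AVC target type pair up the way the never,exit rule was meant to; it also accepts the pre-2.0 "(hostname=?, addr=?, terminal=? res=failed)" user-space suffix that the 2.0 announcement says is now plain name=value. The sample records are constructed from the event in the question; field values are single tokens, so text such as "(Permission denied)" is ignored.

```python
import re
from collections import defaultdict

# Constructed sample in ausearch -i format: the stat64/AVC event from the
# question (abridged) plus a user-space record with the pre-2.0 "(...)" suffix.
SAMPLE = """\
node=jcdx type=SYSCALL msg=audit(07/20/2009 00:00:16.469:24295) : arch=i386 \
syscall=stat64 success=no exit=-13(Permission denied) pid=2747 comm=mtdb \
subj=system_u:system_r:jcdx_mtdb_t:s0-s6:c0.c511 key=(null)
node=jcdx type=AVC msg=audit(07/20/2009 00:00:16.469:24295) : avc: denied \
{ search } for pid=2747 comm=mtdb scontext=system_u:system_r:jcdx_mtdb_t:s0-s6:c0.c511 \
tcontext=system_u:object_r:jcdx_stdb_var_t:s15:c0.c1023 tclass=dir
node=jcdx type=USER_LOGIN msg=audit(07/20/2009 00:01:00.000:24296) : pid=900 \
uid=root auid=unset msg='op=login acct=bob (hostname=?, addr=?, terminal=? res=failed)'
"""

HEADER = re.compile(r"type=(\S+) msg=audit\(([^)]*):(\d+)\) : (.*)")
FIELD = re.compile(r"(\w+)=(\S*)")
OLD_SUFFIX = re.compile(r"\((hostname=[^)]*)\)")  # pre-2.0 parenthesised tail

def parse_fields(body):
    # Drop the parens and commas of the old suffix so it is plain name=value.
    body = OLD_SUFFIX.sub(lambda m: m.group(1).replace(",", " "), body)
    return {k: v.strip("'") for k, v in FIELD.findall(body)}

def parse_events(text):
    """Group records by audit serial -> list of (record type, fields)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            rtype, _stamp, serial, body = m.groups()
            events[serial].append((rtype, parse_fields(body)))
    return dict(events)

def selinux_type(ctx):
    parts = ctx.split(":")  # user:role:type:range -> type
    return parts[2] if len(parts) >= 3 else None

def matches_exclusion(records, subj_type, obj_type):
    """SYSCALL subject type and AVC target type both match (the never,exit pairing)."""
    subj_hit = any(t == "SYSCALL" and selinux_type(f.get("subj", "")) == subj_type
                   for t, f in records)
    obj_hit = any(t == "AVC" and selinux_type(f.get("tcontext", "")) == obj_type
                  for t, f in records)
    return subj_hit and obj_hit

def filter_events(text, subj_type, obj_type):
    return {s: r for s, r in parse_events(text).items()
            if not matches_exclusion(r, subj_type, obj_type)}
```

This filters after the fact, in a log pipeline, and does not change what the kernel filters write; the rule question itself is unaffected.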
[PATCH 1/2] Audit: reorganize struct audit_watch to save 8 bytes
by Eric Paris
pahole showed that struct audit_watch had two holes:
struct audit_watch {
atomic_t count; /* 0 4 */
/* XXX 4 bytes hole, try to pack */
char * path; /* 8 8 */
dev_t dev; /* 16 4 */
/* XXX 4 bytes hole, try to pack */
long unsigned int ino; /* 24 8 */
struct audit_parent * parent; /* 32 8 */
struct list_head wlist; /* 40 16 */
struct list_head rules; /* 56 16 */
/* --- cacheline 1 boundary (64 bytes) was 8 bytes ago --- */
/* size: 72, cachelines: 2, members: 7 */
/* sum members: 64, holes: 2, sum holes: 8 */
/* last cacheline: 8 bytes */
}; /* definitions: 1 */
by moving dev after count we save 8 bytes, actually improving cacheline
usage. There are typically very few of these in the kernel so it won't be
a large savings, but it's a good thing no matter what.
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
kernel/audit_watch.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index cfaa248..aa8babc 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -45,8 +45,8 @@
struct audit_watch {
atomic_t count; /* reference count */
- char *path; /* insertion path */
dev_t dev; /* associated superblock device */
+ char *path; /* insertion path */
unsigned long ino; /* associated inode number */
struct audit_parent *parent; /* associated parent */
struct list_head wlist; /* entry in parent->watches list */
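Review bot: the commit message says "moving dev after count", but the hunk actually moves `char *path;` below `dev_t dev;`; the resulting order (count, dev, path, ino, ...) is the same, so the message should describe the hunk as written. It would also help to include the post-change pahole output (from the numbers above: size 64, holes 0, one cacheline) so the saving is verifiable, and to note that the holes only exist on 64-bit builds where pointers and `unsigned long` are 8 bytes; with 4-byte pointers the original layout had no padding, so the change is layout-neutral there.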