More info on remote logging
by Konstantin Ryabitsev
Hi, all:
I'm interested in sending audit logs to a central logging server. One
option is using the builtin syslog plugin for audisp, but I also see
audisp-remote that mentions sending logs to a remote server.
Unfortunately, I'm having trouble finding more information about that
(such as "what kind of a remote server" and "how do you set up a
remote server").
Also a suggestion -- the syslog plugin for audisp doesn't specify the
facility, so the default facility (LOG_USER) is used. Perhaps this can
be made configurable so I could configure syslog to only send audit
logs to remote without duplicating them in /var/log/messages (e.g. set
facility to local9 and only send it to a remote server, not locally)?
Currently that's not possible and I end up wasting space by having
audit logs both in /var/log/audit/audit.log and in /var/log/messages.
Turning off af_unix is an option, but that has a significant drawback
of complicating ausearch/aureport.
Regards,
--
McGill University IT Security
Konstantin "Kay" Ryabitsev
Montréal, Québec
14 years, 7 months
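An added configuration example, not taken from the post and not an official audit project sample: the "remote server" that audisp-remote talks to is simply another auditd that has a tcp_listen_port set, and the client side is the audisp-remote plugin plus its own config file. Hostname, port and the retry values below are assumptions chosen for illustration; the two-argument form of args in syslog.conf (priority followed by a facility) is only honoured by audisp-syslog builds newer than the one the post describes, so check your version before relying on it. Once the facility is set, the syslog daemon can be told to forward that facility only, which removes the duplicate copy in /var/log/messages the post complains about.

```ini
# ---- client: /etc/audisp/plugins.d/au-remote.conf ----
# Enable the audisp-remote plugin (shipped disabled by default).
active = yes
direction = out
path = /sbin/audisp-remote
type = always
format = string

# ---- client: /etc/audisp/audisp-remote.conf ----
# Where to ship events. loghost.example.com and port 60 are assumed values;
# port 60 is the conventional auditd listen port.
remote_server = loghost.example.com
port = 60
transport = tcp
# Keep trying rather than dropping records while the collector is down.
network_retry_time = 1
max_tries_per_record = 3

# ---- server: /etc/audit/auditd.conf ----
# The collector is a normal auditd; tcp_listen_port turns on the listener.
tcp_listen_port = 60
tcp_listen_queue = 5
# Only accept connections from privileged source ports (clients bind
# below 1024 when run as root); widen only if your clients cannot.
tcp_client_ports = 1-1023
# 0 disables the idle-client disconnect.
tcp_client_max_idle = 0

# ---- client (optional): /etc/audisp/plugins.d/syslog.conf ----
# Priority and facility; the facility argument needs a newer audisp-syslog.
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO LOG_LOCAL6
format = string
```

Transport is plain TCP unless Kerberos is enabled in audisp-remote.conf, so on an untrusted network tunnel it or use the krb5 options; the listener should be firewalled to the client addresses either way.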
the PATH record
by Juraj Hlista
Hello,
I need to get the absolute path from audit events. An audit event can
contain a relative path in the PATH record - if I concatenate the path
in the CWD record with the relative path in the PATH record, do I
always get the absolute path?
Also, some audit events contain more than one PATH record, for example:
type=SYSCALL msg=audit(1274190814.081:7): arch=c000003e syscall=165 success=yes exit=0 a0=1783fe0 a1=1784000 a2=1784020 a3=ffffffffc0ed0006 items=2 ppid=26725 pid=26726 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" key=(null)
type=CWD msg=audit(1274190814.081:7): cwd="/"
type=PATH msg=audit(1274190814.081:7): item=0 name="/media/flash" inode=15592 dev=08:02 mode=040700 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1274190814.081:7): item=1 name=(null) inode=395117 dev=00:0c mode=060660 ouid=0 ogid=6 rdev=08:11
Is the first PATH record more important than the others? I need to get
the "/media/flash" from the audit event.
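An added worked example, written for this page and not part of the audit userspace tools or the post: it groups records by audit serial, joins a relative PATH name onto the CWD record, decodes the unquoted hex form auditd uses for names containing spaces or control characters, and reports every PATH item rather than only item=0. The first event is the mount event from the post; the second and third are constructed (an open of ./todo.txt from a CWD containing "..", and an unlink of a hex-encoded name) to exercise the relative and encoded cases. In the mount event item=1 has name=(null) and mode=060660, i.e. a block device with no name to resolve, so it comes back as None instead of a guess. The join is purely lexical: ".." is collapsed but symlinks are not followed, because the kernel records the name as the process passed it, so the result may differ from the canonical path on the live filesystem.

```python
import posixpath
import re

# Constructed sample log. Event 7 is the mount event from the post; events 8
# and 9 are made up to show a relative name and a hex-encoded name.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1274190814.081:7): arch=c000003e syscall=165 success=yes exit=0 a0=1783fe0 a1=1784000 a2=1784020 a3=ffffffffc0ed0006 items=2 ppid=26725 pid=26726 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" key=(null)
type=CWD msg=audit(1274190814.081:7): cwd="/"
type=PATH msg=audit(1274190814.081:7): item=0 name="/media/flash" inode=15592 dev=08:02 mode=040700 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1274190814.081:7): item=1 name=(null) inode=395117 dev=00:0c mode=060660 ouid=0 ogid=6 rdev=08:11
type=SYSCALL msg=audit(1274190900.500:8): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1 pid=4242 auid=500 uid=500 gid=500 comm="vi" exe="/usr/bin/vi" key=(null)
type=CWD msg=audit(1274190900.500:8): cwd="/home/juraj/../juraj/notes"
type=PATH msg=audit(1274190900.500:8): item=0 name="./todo.txt" inode=12 dev=08:02 mode=0100644 ouid=500 ogid=500 rdev=00:00
type=SYSCALL msg=audit(1274190950.000:9): arch=c000003e syscall=87 success=yes exit=0 items=1 ppid=1 pid=4300 auid=500 uid=500 gid=500 comm="rm" exe="/bin/rm" key=(null)
type=CWD msg=audit(1274190950.000:9): cwd="/"
type=PATH msg=audit(1274190950.000:9): item=0 name=2F746D702F612062 inode=77 dev=08:02 mode=0100644 ouid=500 ogid=500 rdev=00:00
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def decode_value(key, value):
    """Turn one raw audit field value into a Python value.

    Quoted values lose their quotes, "(null)" becomes None, and an unquoted
    run of hex digits in the name field is decoded the way auditd encodes a
    name that contains a space, quote or control character. Other fields are
    left as strings (mode=040700 is octal text, not hex)."""
    if value == "(null)":
        return None
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if key == "name" and len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", "surrogateescape")
    return value


def parse_record(line):
    """Parse one audit line into a dict with 'type', 'serial' and its fields."""
    m = MSG_RE.search(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rec = {"time": m.group(1), "serial": int(m.group(2))}
    for key, raw in FIELD_RE.findall(line):
        if key == "msg":
            continue
        rec[key] = decode_value(key, raw)
    return rec


def group_events(lines):
    """Group records by audit serial number (all records of one event share it)."""
    events = {}
    for line in lines:
        line = line.strip()
        if line:
            rec = parse_record(line)
            events.setdefault(rec["serial"], []).append(rec)
    return events


def resolve_paths(records):
    """Return [(item, absolute_path_or_None), ...] for one event, sorted by item.

    A relative PATH name is joined onto the CWD record; an absolute one is
    only normalised. The join is lexical ('..' collapsed, symlinks not
    followed). A name=(null) record, or a relative name with no CWD record,
    resolves to None."""
    cwd = None
    for rec in records:
        if rec["type"] == "CWD":
            cwd = rec.get("cwd")
    out = []
    for rec in records:
        if rec["type"] != "PATH":
            continue
        name = rec.get("name")
        if name is None:
            path = None
        elif name.startswith("/"):
            path = posixpath.normpath(name)
        elif cwd is None:
            path = None
        else:
            path = posixpath.normpath(posixpath.join(cwd, name))
        out.append((int(rec["item"]), path))
    out.sort()
    return out


if __name__ == "__main__":
    for serial, recs in group_events(SAMPLE_LOG.splitlines()).items():
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), {})
        print(serial, syscall.get("comm"), resolve_paths(recs))
```

When reading a real audit.log, feed every line to group_events and only call resolve_paths once an event's EOE record (or the next serial) has been seen, since a multi-record event is written over several lines.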
Dropping auid for daemons started via sudo
by Konstantin Ryabitsev
Hello:
I'm dealing with a set of machines with unrestricted sudo for admins
("sudo -s"). It's not something I can immediately change (though I'm
working toward a more restrictive attitude and policy). I'm trying to
at least do some auditing via the following audit rule:
-a always,exit -F arch=b32 -S execve -F uid=0 -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F arch=b64 -S execve -F uid=0 -F auid>=500 -F auid!=4294967295 -k privileged
It mostly does the right thing, except for cases when an admin logs in
and restarts a service. If it's running a privileged process, that
process will have an auid of the user that last ran "service foo
restart".
Is there a way to drop auid for services restarted by individual
admins? I'm not sure if run_init does it, but I can't use it anyway
because selinux is disabled on those machines.
Thanks for any advice.
Regards,
--
McGill University IT Security
Konstantin "Kay" Ryabitsev
Montréal, Québec
[PATCH 1/4] audit: make filetype matching consistent with other filters
by Eric Paris
Every other filter that matches part of the inodes list collected by audit
will match against any of the inodes on that list. The filetype matching
however had a strange way of doing things. It allowed userspace to
indicate if it should match on the first or the second name collected by
the kernel. Name collection ordering seems like a kernel internal and
making userspace rules get that right just seems like a bad idea. As it
turns out the userspace audit writers had no idea it was doing this and
thus never overloaded the value field. The kernel always checked the first
name collected which for the tested rules was always correct.
This patch just makes the filetype matching like the major, minor, inode,
and LSM rules in that it will match against any of the names collected. It
also changes the rule validation to reject the old unused rule types.
No one knew it was there. No one used it. Why keep around the extra code?
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
kernel/auditfilter.c | 4 ++--
kernel/auditsc.c | 19 +++++++++----------
2 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index eb76754..30ccdb9 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -385,7 +385,7 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
goto exit_free;
break;
case AUDIT_FILETYPE:
- if ((f->val & ~S_IFMT) > S_IFMT)
+ if (f->val & ~S_IFMT)
goto exit_free;
break;
case AUDIT_INODE:
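Review bot: the new `if (f->val & ~S_IFMT)` test rejects stray bits outside the type field but still accepts values that are not a single file type, for example 0 or S_IFMT itself (0170000, which names no type); such a rule loads without error yet can never match, because the matcher in auditsc.c needs `(mode & S_IFMT) == mode` to hit an exact type. Consider also rejecting val == 0 and any val that is not one of the S_IF* constants so the loader fails loudly instead of installing a dead rule. Worth noting in the changelog as well: the old `(f->val & ~S_IFMT) > S_IFMT` form only rejected bits at or above bit 16, so rules carrying an index up to 0xfff in the low bits were previously accepted and now get rejected; that is a userspace-visible tightening even if no known tool relied on it.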
@@ -536,7 +536,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
goto exit_free;
break;
case AUDIT_FILETYPE:
- if ((f->val & ~S_IFMT) > S_IFMT)
+ if (f->val & ~S_IFMT)
goto exit_free;
break;
default:
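Review bot: this is the second copy of the same AUDIT_FILETYPE check (the first is in audit_rule_to_entry above), and the two validators already duplicate each case and will drift apart the next time one is tightened. Consider moving the test into a small helper, e.g. `static int audit_filetype_valid(u32 val)`, called from both places so the accepted set of filetype values has one definition.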
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index b87a63b..cda4011 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -301,21 +301,20 @@ static int audit_match_perm(struct audit_context *ctx, int mask)
}
}
-static int audit_match_filetype(struct audit_context *ctx, int which)
+static int audit_match_filetype(struct audit_context *ctx, int val)
{
- unsigned index = which & ~S_IFMT;
- mode_t mode = which & S_IFMT;
+ int index;
+ mode_t mode = (mode_t)val;
if (unlikely(!ctx))
return 0;
- if (index >= ctx->name_count)
- return 0;
- if (ctx->names[index].ino == -1)
- return 0;
- if ((ctx->names[index].mode ^ mode) & S_IFMT)
- return 0;
- return 1;
+ for (index = 0; index < ctx->name_count; index++) {
+ if ((ctx->names[index].ino != -1) &&
+ ((ctx->names[index].mode & S_IFMT) == mode))
+ return 1;
+ }
+ return 0;
}
/*
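Review bot: `mode_t mode = (mode_t)val;` no longer masks with S_IFMT, so the correctness of the `==` compare now rests entirely on the loader rejecting non-type bits; a defensive `mode_t mode = val & S_IFMT;` costs nothing and keeps this matcher safe if another rule path ever hands it an unmasked value. Two smaller points: `index` changes from unsigned to int, so check the type of ctx->name_count to be sure `index < ctx->name_count` is not now a signed/unsigned comparison; and the semantics widen, since a rule that previously tested only names[0] now fires whenever any collected name has the type, e.g. the block device collected as item 1 of a mount, which is the stated intent but changes what existing rules match and deserves a sentence in the changelog.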
Exec call auditing
by Wahaj Ali
Hello,
As part of my course I am required to look at the auditing code in the Linux
kernel, more specifically the part where the exec() calls are being logged.
I would really appreciate any help, especially regarding where exactly that
code in the whole database can be found, i.e. the part of the code that is
logging the environment variables. My guess so far is that
audit_log_single_execve_arg in auditsc.c is doing most part of the work.
I would be really grateful for your help.
Regards,
Wahaj Ali
audit file creation/deletion
by Richard Maciel
Is it possible to audit only the events of creation and deletion of files?
I know that I can use a watch rule with a write filter to check if a
file or directory is being created/deleted, but this rule also generates
audit entries when a file (inside the directory being tracked) is
modified. Is there a way to prevent this?
Best Regards,
--
Richard Maciel, MSc
IBM Linux Technology Center
rmaciel(a)linux.vnet.ibm.com
Suppressed messages
by Fulda, Paul R (IS)
All,
Running Red Hat 5.4 and I have auditd turned off so that the audit logs
go to /var/log/messages, this way I can forward all of the logs to a
centralized log server. Probably other ways to do this but this setup
works well on our Fedora 8 machines. Question I have is that I am
getting a lot of "kernel: printk: 39 messages suppressed" messages in
the /var/log/messages file. On fedora 8, this does not happen,
everything comes through with no suppression. Any ideas on what changed
in auditing that would cause this?
Thanks!
year value for ausearch?
by LC Bruzenak
Just got word back from a non-US fielded system that the ausearch -ts
DAY/MONTH/YEAR doesn't work, e.g. :
% ausearch -ts 04/29/2010
says that the year value is invalid
but
% ausearch -ts 04/29/10 works.
Something with locale? It's F10 audit.
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com