[RFC] Auditing user command execution
by Diego Woitasen
Hi,
I received a requirement from one of my customers to audit what the
users do after sudo. To be sure that only user sessions are audited
I'm using the pam_script module to insert and remove a rule when the
users log in and log out, respectively. I'm doing this because if you
have a persistent rule and you restart a daemon, the audit system will
report the daemon's actions, even if the user logs out.
I configured the pam_script in /etc/pam.d/sudo and pam_loginuid in
/etc/pam.d/{login,ssh}.
The command line that I'm using to add/remove the rule to audit execs is:
/sbin/auditctl [-a|-d] entry,always -S execve -F auid=$AUID
Let me know if anybody has a better way to do this.
Regards,
Diego
--
Diego Woitasen
13 years, 1 month
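Diego's approach, as an added example that is not code from his post, from pam_script or from the audit package: one hook script that pam_script can run as both its session-open and session-close hook from /etc/pam.d/sudo. It takes the audit uid from /proc/self/loginuid, which the hook inherits from the sudo process (pam_loginuid having set it at login), refuses to act when the loginuid is unset so a restarted daemon is never matched, and adds or deletes an execve rule on the exit list (the entry list used in the post has since been deprecated in favour of exit). The /etc/pam_script directory, the hook file names and the rule key are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Install as
# /etc/pam_script/pam_script_ses_open and, as a symlink to it,
# /etc/pam_script/pam_script_ses_close, with
#   session required pam_script.so dir=/etc/pam_script
# in /etc/pam.d/sudo. Directory, file names and key are assumptions.
AUDITCTL=${AUDITCTL:-/sbin/auditctl}
UNSET_AUID=4294967295   # (unsigned)-1: loginuid never set, e.g. a daemon

# read_auid FILE: print the loginuid stored in FILE (normally
# /proc/self/loginuid, inherited from the sudo process). Fails when the
# value is missing, non-numeric ("-1" on some kernels) or unset, so no
# rule is ever installed for a task that pam_loginuid did not tag.
read_auid() {
    auid=$(cat "$1" 2>/dev/null) || return 1
    case "$auid" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$auid" -ne "$UNSET_AUID" ] || return 1
    printf '%s\n' "$auid"
}

# rule_args open|close AUID: the auditctl arguments for adding (-a) or
# deleting (-d) the per-session execve rule. -d must match the stored
# rule field for field, so both directions come from one template; the
# -k key lets "ausearch -k sudo-session-<auid>" pull one user's commands.
rule_args() {
    case "$1" in
        open)  op=-a ;;
        close) op=-d ;;
        *)     return 1 ;;
    esac
    printf '%s always,exit -S execve -F auid=%s -k sudo-session-%s\n' \
        "$op" "$2" "$2"
}

# apply_rule open|close LOGINUID_FILE: add or remove the rule. A missing
# or unset loginuid is not an error; that session simply stays unaudited.
apply_rule() {
    auid=$(read_auid "$2") || return 0
    args=$(rule_args "$1" "$auid") || return 1
    # word splitting of $args is intentional: each token is one argument
    "$AUDITCTL" $args
}

# pam_script invokes this same file under two names; dispatch on ours.
case "${0##*/}" in
    pam_script_ses_open)  apply_rule open  /proc/self/loginuid ;;
    pam_script_ses_close) apply_rule close /proc/self/loginuid ;;
esac
```

Two caveats a deployment needs to handle: two concurrent sudo sessions of the same user collide (the second add is refused because an identical rule already exists, and the first close deletes the rule out from under the session still running), so a per-auid reference count on disk is needed if that is common; and once the rule set has been locked with `-e 2`, both hooks fail because no rule changes are accepted until reboot. On a 64-bit kernel add a second rule with `-F arch=b32` if 32-bit binaries must be caught as well.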
[PATCH] Kernel: Audit Support For The ARM Platform (Re-post requested)
by Nathaniel Husted
This patch provides functionality to audit system call events on the
ARM platform. The implementation was based on the structure of the
MIPS platform and information in this
(http://lists.fedoraproject.org/pipermail/arm/2009-October/000382.html)
mailing list thread. The required audit_syscall_exit and
audit_syscall_entry checks were added to ptrace using the standard
registers for system call values (r0 through r3). A thread information
flag was added for auditing (TIF_SYSCALL_AUDIT) and a meta-flag was
added (_TIF_SYSCALL_WORK) to simplify modifications to the syscall
entry/exit. Now, if either the TRACE flag is set or the AUDIT flag is
set, the syscall_trace function will be executed. The proper changes
were made to Kconfig to allow CONFIG_AUDITSYSCALL to be enabled.
Due to platform availability limitations, this patch was only tested
on the Android platform running the modified "android-goldfish-2.6.29"
kernel. A test compile was performed using Code Sourcery's
cross-compilation toolset and the current linux-3.0 stable kernel. The
changes compile without error. I'm hoping, due to the simple modifications,
the patch is "obviously correct".
Signed-off-by: Nathaniel Husted <nhusted(a)gmail.com>
---
diff -uprN -X linux-3.0-vanilla/Documentation/dontdiff
linux-3.0-vanilla/arch/arm/include/asm/thread_info.h
linux-3.0-modified/arch/arm/include/asm/thread_info.h
--- linux-3.0-vanilla/arch/arm/include/asm/thread_info.h 2011-07-21
19:17:23.000000000 -0700
+++ linux-3.0-modified/arch/arm/include/asm/thread_info.h 2011-08-02
14:04:29.005599252 -0700
@@ -129,6 +129,7 @@ extern void vfp_flush_hwstate(struct thr
/*
* thread information flags:
* TIF_SYSCALL_TRACE - syscall trace active
+ * TIF_SYSCAL_AUDIT - syscall auditing active
* TIF_SIGPENDING - signal pending
* TIF_NEED_RESCHED - rescheduling necessary
* TIF_NOTIFY_RESUME - callback before returning to user
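Review bot: the comment line added for the new flag misspells it as TIF_SYSCAL_AUDIT while the define in the next hunk is TIF_SYSCALL_AUDIT, so a grep for the real name will miss this line; change it to `+ * TIF_SYSCALL_AUDIT - syscall auditing active`.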
@@ -139,6 +140,7 @@ extern void vfp_flush_hwstate(struct thr
#define TIF_NEED_RESCHED 1
#define TIF_NOTIFY_RESUME 2 /* callback before returning to user */
#define TIF_SYSCALL_TRACE 8
+#define TIF_SYSCALL_AUDIT 9
#define TIF_POLLING_NRFLAG 16
#define TIF_USING_IWMMXT 17
#define TIF_MEMDIE 18 /* is terminating due to OOM killer */
@@ -150,12 +152,17 @@ extern void vfp_flush_hwstate(struct thr
#define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED)
#define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME)
#define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE)
+#define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT)
+
#define _TIF_POLLING_NRFLAG (1 << TIF_POLLING_NRFLAG)
#define _TIF_USING_IWMMXT (1 << TIF_USING_IWMMXT)
#define _TIF_FREEZE (1 << TIF_FREEZE)
#define _TIF_RESTORE_SIGMASK (1 << TIF_RESTORE_SIGMASK)
#define _TIF_SECCOMP (1 << TIF_SECCOMP)
+/* Checks for any syscall work in entry-common.S */
+#define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT)
+
/*
* Change these and you break ASM code in entry-common.S
*/
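Review bot: _TIF_SYSCALL_WORK is consumed as the immediate operand of `tst` in entry-common.S, so it has to remain an encodable ARM immediate; (1 << 8) | (1 << 9) = 0x300 is, but the warning comment right below this hunk ("Change these and you break ASM code in entry-common.S") now also applies to _TIF_SYSCALL_AUDIT and _TIF_SYSCALL_WORK and should say so, since nothing else stops a later change from moving one of the bits. The two blank lines added after `+#define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT)` and after `_TIF_SYSCALL_WORK` split an otherwise compact block of defines and should be dropped.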
diff -uprN -X linux-3.0-vanilla/Documentation/dontdiff
linux-3.0-vanilla/arch/arm/kernel/entry-common.S
linux-3.0-modified/arch/arm/kernel/entry-common.S
--- linux-3.0-vanilla/arch/arm/kernel/entry-common.S 2011-07-21
19:17:23.000000000 -0700
+++ linux-3.0-modified/arch/arm/kernel/entry-common.S 2011-08-02
14:01:28.747720225 -0700
@@ -87,7 +87,7 @@ ENTRY(ret_from_fork)
get_thread_info tsk
ldr r1, [tsk, #TI_FLAGS] @ check for syscall tracing
mov why, #1
- tst r1, #_TIF_SYSCALL_TRACE @ are we tracing syscalls?
+ tst r1, #_TIF_SYSCALL_WORK @ are we tracing syscalls?
beq ret_slow_syscall
mov r1, sp
mov r0, #1 @ trace exit [IP = 1]
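Review bot: the retained comment `@ are we tracing syscalls?` is now misleading because _TIF_SYSCALL_WORK also covers auditing; `@ syscall trace or audit work?` keeps the intent. The behaviour is right: a forked child of an audited but un-ptraced task now also reaches syscall_trace with `mov r0, #1` (exit), which is what audit_syscall_exit needs to close the record for the fork.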
@@ -443,7 +443,7 @@ ENTRY(vector_swi)
1:
#endif
- tst r10, #_TIF_SYSCALL_TRACE @ are we
tracing syscalls?
+ tst r10, #_TIF_SYSCALL_WORK @ are we tracing syscalls?
bne __sys_trace
cmp scno, #NR_syscalls @ check upper syscall limit
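Review bot: same stale `@ are we tracing syscalls?` comment as in ret_from_fork. More importantly, after this change every syscall of a task with TIF_SYSCALL_AUDIT set takes the `__sys_trace` slow path even when nothing is ptracing it, so syscall_trace() must hand back scno unmodified in that case (the ptrace.c change does so with an early `return scno` after the audit calls); the added per-syscall cost for audited tasks deserves a sentence in the commit message.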
diff -uprN -X linux-3.0-vanilla/Documentation/dontdiff
linux-3.0-vanilla/arch/arm/kernel/ptrace.c
linux-3.0-modified/arch/arm/kernel/ptrace.c
--- linux-3.0-vanilla/arch/arm/kernel/ptrace.c 2011-07-21
19:17:23.000000000 -0700
+++ linux-3.0-modified/arch/arm/kernel/ptrace.c 2011-08-02
14:44:09.949722828 -0700
@@ -926,11 +926,6 @@ asmlinkage int syscall_trace(int why, st
{
unsigned long ip;
- if (!test_thread_flag(TIF_SYSCALL_TRACE))
- return scno;
- if (!(current->ptrace & PT_PTRACED))
- return scno;
-
/*
* Save IP. IP is used to denote syscall entry/exit:
* IP = 0 -> entry, = 1 -> exit
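Review bot: deleting the TIF_SYSCALL_TRACE and PT_PTRACED guards here only reads as safe together with the next hunk, which re-adds them after the audit calls, and the reshuffle moves the `ip = regs->ARM_ip; regs->ARM_ip = why;` save ahead of the guards so that the early returns now happen with ARM_ip already overwritten. A small static helper that performs the audit_syscall_entry/exit work, called at the very top before the unchanged guards and before the IP save, would make this a two-line addition and leave the ptrace path exactly as it was.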
@@ -938,6 +933,25 @@ asmlinkage int syscall_trace(int why, st
ip = regs->ARM_ip;
regs->ARM_ip = why;
+ /* perform a secure computing check first */
+ if (regs->ARM_ip)
+ secure_computing(scno);
+
+ if (unlikely(current->audit_context)) {
+ if (!ip)
+ audit_syscall_exit(AUDITSC_RESULT(regs->ARM_r0),
+ regs->ARM_r0);
+ else
+ audit_syscall_entry(AUDIT_ARCH_ARMEB, scno,
+ regs->ARM_r0, regs->ARM_r1,
+ regs->ARM_r2, regs->ARM_r3);
+ }
+
+ if (!test_thread_flag(TIF_SYSCALL_TRACE))
+ return scno;
+ if (!(current->ptrace & PT_PTRACED))
+ return scno;
+
current_thread_info()->syscall = scno;
/* the 0x80 provides a way for the tracing parent to distinguish
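Review bot: the entry/exit decision tests `ip`, which is the user's saved r12 (`ip = regs->ARM_ip`), not `why`; whether audit_syscall_entry or audit_syscall_exit runs therefore depends on whatever the task happened to leave in r12, and the sense is inverted even if regs->ARM_ip was meant (0 is entry per the comment above, yet `!ip` takes the exit branch). Test the argument instead: `if (why) audit_syscall_exit(AUDITSC_RESULT(regs->ARM_r0), regs->ARM_r0); else audit_syscall_entry(...)`. Three more problems in this hunk: (1) AUDIT_ARCH_ARMEB is hard-coded, but the goldfish target named in the commit message is little-endian, so every record carries the wrong arch and `-F arch=` rules will not match; use AUDIT_ARCH_ARM unless __ARMEB__ is defined. (2) the new early `return scno` paths run after `regs->ARM_ip = why` but skip the write-back of the saved `ip` at the end of the function, so an audited, un-ptraced task returns to user space with r12 clobbered on every syscall; restore before returning, or keep the save/restore around the ptrace_notify path only. (3) `secure_computing(scno)` has nothing to do with auditing and is not mentioned in the commit message; it is also guarded by `regs->ARM_ip` being non-zero, i.e. it runs on syscall exit, where it cannot prevent anything. Drop it from this patch and submit it separately if wanted.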
diff -uprN -X linux-3.0-vanilla/Documentation/dontdiff
linux-3.0-vanilla/init/Kconfig linux-3.0-modified/init/Kconfig
--- linux-3.0-vanilla/init/Kconfig 2011-07-21 19:17:23.000000000 -0700
+++ linux-3.0-modified/init/Kconfig 2011-08-02 14:02:06.359364526 -0700
@@ -355,7 +355,7 @@ config AUDIT
config AUDITSYSCALL
bool "Enable system-call auditing support"
- depends on AUDIT && (X86 || PPC || S390 || IA64 || UML ||
SPARC64 || SUPERH)
+ depends on AUDIT && (X86 || PPC || S390 || IA64 || UML || SPARC64 ||
SUPERH || ARM)
default y if SECURITY_SELINUX
help
Enable low-overhead system-call auditing infrastructure that
13 years, 1 month
audit without python?
by Jason
Is it possible to compile and use audit without needing python? If so, how?
Jason
13 years, 2 months
Regarding bug 435682
by Alexander
Here's a patch for version 2.1.3 which solves bug 435682 (
https://bugzilla.redhat.com/show_bug.cgi?id=435682).
The patched auditctl allows specifying files with spaces in their names: just
surround the filename with apostrophes.
Hope this will help someone who encountered the same problem. And, maybe,
the bug will be closed at last :)
13 years, 2 months
Error deleting rule during shutdown with -e 2
by Daniel Neuberger
All,
When stopping auditd during a system shutdown, I see the following error:
Error deleting rule (Operation not permitted)
My audit.rules file looks like:
------------------------
-D
[trimmed]
-a always,exit -F arch=b32 -S open -S openat -F exit=-EPERM -k access4
-w /etc/sudoers -p wa -k actions -p wax
[trimmed]
-e 2
------------------------
The only way I've found to fix this is to remove the -e 2 option, but
we need our rules to be immutable.
Also based on looking at the auditd init script, setting
AUDITD_CLEAN_STOP=no during shutdown would work, but I don't want to
modify the script.
Any other ideas?
Thanks.
- Daniel
13 years, 2 months
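Daniel's symptom, as an added example that is not from the thread or from the audit package: a stop routine that asks `auditctl -s` whether the rule set was locked with `-e 2` and then skips the `-D` that would otherwise fail with EPERM, instead of treating the refusal as an error. The two output layouts of `auditctl -s` handled below (the one-line `AUDIT_STATUS: enabled=2 ...` form of older releases and the per-line `enabled 2` form of newer ones) are from memory and are marked as assumptions in the code; /sbin/auditctl is assumed as the path.

```shell
#!/bin/sh
# Added example (not from the original thread): skip rule deletion when
# the kernel has been locked with "-e 2", since every rule change,
# including -D, is refused with EPERM until the next boot.
AUDITCTL=${AUDITCTL:-/sbin/auditctl}

# enabled_state TEXT: extract the "enabled" value from auditctl -s output.
# Assumed formats: older "AUDIT_STATUS: enabled=2 flag=1 pid=..." on one
# line, newer "enabled 2" on its own line. Prints nothing if neither fits.
enabled_state() {
    printf '%s\n' "$1" | sed -n \
        -e 's/.*enabled=\([0-9]\).*/\1/p' \
        -e 's/^enabled \([0-9]\)$/\1/p' | head -n 1
}

# is_immutable TEXT: true when the rule set is locked (enabled == 2).
is_immutable() {
    [ "$(enabled_state "$1")" = "2" ]
}

# clean_stop: what an init script's stop action should do before
# flushing rules. Returns 0 when nothing needs to (or can) be flushed.
clean_stop() {
    status=$("$AUDITCTL" -s 2>/dev/null) || return 1
    if is_immutable "$status"; then
        echo "audit rules are immutable (-e 2); leaving them in place" >&2
        return 0
    fi
    "$AUDITCTL" -D
}
```

The point of the check is that immutability is a one-way switch for the running kernel: the rules are meant to survive any attempt at removal, including the one in the shutdown path, so the only clean way to stop is to not ask for deletion at all and let the rules go away with the kernel.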
auditing account lockouts
by Steve M. Zak
Hi,
Through experimentation, and per Red Hat tech support, when the deny=x switch is set in /etc/pam.d/login as below
auth required pam_tally2.so deny=5 onerr=fail
the lockout happens at 5 failed attempts, but the audit trail does not record it until the next try.
Does the audit system provide a way to show that the lockout has occurred when the deny number is reached? Ideally this would be some system log that uses a variation of "Account locked"
Thanks!
____________________________________________
Steve M. Zak,
13 years, 2 months
question on audit_backlog settings and how to prevent the sytem from hanging due to audit overload
by larry.erdahl@usbank.com
I have a Red Hat 5.4 server on which I'm using Snare to control the audit rules.
Recently this server hung on me and pointed to the SnareDispatcher as the
cause. You can see from the samples below that the dispatcher was running at 99
- 100%.
The morning of the hang auditd peaked at ~200,000 events/hour, up from
~50,000 events per hour. Is there a way to protect the server from hanging
during unexpected loads like this?
I'm assuming from what I've read that I'll need to increase the audit_backlog
level to something higher. Before increasing the number of buffers I'd
like to get a clearer understanding of their size and how increasing
these buffers may impact my overall system performance. Are there any
recommendations on what the settings should be, or a formula that I could
use to determine the proper setting?
I am looking into what may have caused the spike, but I'd like to know what
my options are to keep from having another system hang.
Any help would be appreciated
Sep 30 01:29:16 <servername> kernel: audit: audit_backlog=321 > audit_backlog_limit=320
Sep 30 01:29:16 <servername> kernel: audit: audit_lost=1 audit_rate_limit=0 audit_backlog_limit=320
Sep 30 01:29:16 <servername> kernel: audit: backlog limit exceeded
Sep 30 01:29:16 <servername> kernel: audit: audit_backlog=321 > audit_backlog_limit=320
Sep 30 01:29:16 <servername> auditmanager: Received wakeup signal before sleep finished
And this is in the process monitoring
1:16:06 4545 99.8 0 99.8 140848 3292 12 0 484 0 0 SnareDispatchHe 4.16 12
1:21:07 4545 99.9 0 99.9 140848 3292 12 0 484 0 0 SnareDispatchHe 4.16 12
1:26:07 4545 100 0 100 140848 3292 12 0 484 0 0 SnareDispatchHe 4.17 12
1:31:07 4545 99.7 0 99.7 140848 3292 12 0 484 0 0 SnareDispatchHe 4.15 12
1:36:07 4545 99.9 0 99.9 140848 3292 12 0 484 0 0 SnareDispatchHe 4.16 12
1:41:07 4545 99.9 0 99.9 140848 3292 12 0 484 0 0 SnareDispatchHe 4.16 12
1:46:08 4545 99.9 0 99.9 140848 3292 12 0 484 0 0 SnareDispatchHe 4.16 12
1:51:08 4545 82.8 0 82.8 140848 3292 12 0 484 0 0 SnareDispatchHe 3.45 12
Thanks....
Larry E. Erdahl
Information Security Services
Computer Security Incident Response Team (CSIRT)
1 Meridian Crossing
Richfield, MN 55423
Mail Code: EP-MN-MS6I
Office Phone: (612)973-7153
13 years, 2 months
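Larry's kernel messages, as an added example that is not taken from the thread: a small check that reads the three message shapes quoted in the post out of a log file and reports how often the queue was found full, the peak backlog and how many records the kernel admitted dropping. The sample lines in the test are constructed from the ones in the post; `raise_backlog_limit` uses the real `auditctl -b` option and assumes /sbin/auditctl.

```shell
#!/bin/sh
# Added example (not from the original post): detect audit backlog
# exhaustion from kernel log lines and quantify what was lost.
AUDITCTL=${AUDITCTL:-/sbin/auditctl}

# backlog_overflows FILE: number of "audit_backlog=N > audit_backlog_limit=M"
# messages, i.e. how often the kernel found its queue full.
backlog_overflows() {
    grep -c 'audit_backlog=[0-9][0-9]* > audit_backlog_limit=' "$1"
}

# peak_backlog FILE: the largest queue depth the kernel reported.
peak_backlog() {
    sed -n 's/.*audit_backlog=\([0-9][0-9]*\) >.*/\1/p' "$1" | sort -n | tail -n 1
}

# records_lost FILE: audit_lost is a cumulative counter since boot, so the
# largest value seen is the total dropped, not the sum over messages.
records_lost() {
    sed -n 's/.*audit_lost=\([0-9][0-9]*\).*/\1/p' "$1" | sort -n | tail -n 1
}

# check_log FILE: print a summary; succeed only if no record was lost.
check_log() {
    overflows=$(backlog_overflows "$1") || true   # grep -c exits 1 on zero
    peak=$(peak_backlog "$1"); peak=${peak:-0}
    lost=$(records_lost "$1");  lost=${lost:-0}
    printf 'overflow messages: %s, peak backlog: %s, records lost: %s\n' \
        "${overflows:-0}" "$peak" "$lost"
    [ "$lost" -eq 0 ]
}

# raise_backlog_limit N: grow the kernel queue (auditctl -b). A deeper
# queue buys time for a slow consumer such as a dispatcher; it does not
# make the consumer faster, so a sustained spike still ends in loss.
raise_backlog_limit() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    "$AUDITCTL" -b "$1"
}
```

The `audit_lost=1` line in the post already answers the integrity question: during the spike at least one record was dropped on the kernel side, so whatever the dispatcher was doing, the audit trail for that window is incomplete. The same counter appears in `auditctl -s`, so it can be polled rather than waited for in the kernel log.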