[PATCH/RFC] audit: improve GID/EGID comparison logic
by Matvejchikov Ilya
It is useful to extend the GID/EGID comparison logic to be able to
match not only the exact GID/EGID values but the group/egroup also.
Signed-off-by: Matvejchikov Ilya <matvejchikov(a)gmail.com>
---
kernel/auditsc.c | 14 ++++++++++++++
1 files changed, 14 insertions(+), 0 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 47b7fc1..a233faf 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -491,9 +491,23 @@ static int audit_filter_rules(struct task_struct *tsk,
break;
case AUDIT_GID:
result = audit_comparator(cred->gid, f->op, f->val);
+ if (f->op == Audit_equal) {
+ if (!result)
+ result = in_group_p((gid_t)f->val);
+ } else if (f->op == Audit_not_equal) {
+ if (result)
+ result = !in_group_p((gid_t)f->val);
+ }
break;
case AUDIT_EGID:
result = audit_comparator(cred->egid, f->op, f->val);
+ if (f->op == Audit_equal) {
+ if (!result)
+ result = in_egroup_p((gid_t)f->val);
+ } else if (f->op == Audit_not_equal) {
+ if (result)
+ result = !in_egroup_p((gid_t)f->val);
+ }
break;
case AUDIT_SGID:
result = audit_comparator(cred->sgid, f->op, f->val);
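Review bot: in_group_p() and in_egroup_p() consult current_cred(), not the `cred` of `tsk` that audit_filter_rules() was given, so the fallback added after `result = audit_comparator(cred->gid, f->op, f->val);` (and likewise the EGID one) answers for the wrong task whenever tsk != current, e.g. the fork-time audit_filter_task() path; search cred->group_info directly (which is what those helpers do internally) so the supplementary-group match uses the same credentials as the exact-value compare. Note also that in_group_p() matches on fsgid as well as the group list, so an AUDIT_GID rule would now also fire on a matching fsgid. Two smaller points: an existing `-F gid=`/`-F egid=` rule using `=` or `!=` silently starts matching supplementary groups after this patch, which is a visible change for rule authors and should be documented (auditctl man page); and only Audit_equal/Audit_not_equal gain group semantics while the ordered operators keep exact-value semantics, an asymmetry worth stating in the changelog.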
--
1.7.3.4
Daemon start problems
by Stephen Quinney
I'm seeing some problems with the audit daemon not starting at
boot-time on a RHEL6 machine. If I log in as root after the boot
sequence has finished it can be manually started without any
problems. At first I thought this might be a bad interaction with the
readahead tool (as noted in the technical docs for RHEL6) so I removed
that package entirely but the problem remains.
We have a slightly peculiar environment due to the config management
tool we use so I'm fairly confident this is our problem rather than a
bug in the auditd code. However, I'm struggling to debug why it is
failing each time. All I get back from the daemon is an exit code of
1, which seems to mean "generic or unspecified error", and no useful
error messages, so I'm a bit stuck on what to do next.
Any suggestions?
Stephen Quinney
--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
[RFC] Virtual machine related events support
by Marcelo Cerri
Hi,
We are working on a project in which we need to get some events from
the audit log related to virtual machine events and filter these events per
guest. Currently, the audit tools don't support this kind of search.
However, we are willing to implement the necessary features to support it
and we'd like to receive some feedback from audit stakeholders on our
proposal.
Most of these records are generated by libvirt, but some of them are
generated by SELinux (as AVC denials). To get events generated by
libvirt, we'd like to search through audit records using both the "uuid"
and "vm" fields.
The following records are examples of both types of records that we
intend to filter:
type=VIRT_RESOURCE msg=audit(1319602467.134:33): user pid=14103 uid=0
auid=4294967295 ses=4294967295 msg='resrc=disk reason=start
vm="CentOS-Guest" uuid=41ffecd5-037e-0059-b074-ab2bf354fd0a old-disk="?"
new-disk="/var/lib/libvirt/images/CentOS-Guest.img":
exe="/usr/sbin/libvirtd" (hostname=?, addr=?, terminal=? res=success)'
type=AVC msg=audit(1318529059.690:801): avc: denied { read } for
pid=31199 comm="qemu-kvm" name="RHEL6.img" dev=dm-0 ino=524635
scontext=system_u:system_r:svirt_t:s0:c99,c999
tcontext=system_u:object_r:svirt_image_t:s0:c390,c835 tclass=file
While the "vm" field contains the domain name and is a more user-friendly
identifier, it's intended to be unique only within the scope of a
single host. On the other hand, the "uuid" field is intended to be a global
identifier.
We'd like to create a stand-alone tool, similar to aulast, to filter
this kind of event, which could be part of audit's tools. It'd be
able to list VM specific events, and filter these events by UUID or VM
name if needed. We intend to support the following usage/options
(any suggestions are welcome):
Usage: auvirt [ options ] [ uuid | vm-name ]
Options:
  --summary (default)
      Write a formatted output containing summarized information such as
      the considered time period, total number of VM specific events,
      total number of events by type (start, stop, resource change) and
      total number of AVC events.
  --raw
      Write records related to guests as shown in audit.log. The
      output may contain the following record types: VIRT_CONTROL,
      VIRT_RESOURCE, VIRT_MACHINE_ID and AVC.
  -f file, --stdin
      Same as aulast.
We intend to correlate AVC denial events to guests through the security
label used by a guest in a specific period.
Another proposal would be to change ausearch to support two new search
options:
-uu, --uuid vm-uuid
Search for an event with the given UUID.
-vm, --vm-name vm-name
Search for an event with the given virtual machine name.
However, these fields are defined by libvirt and it may be a good idea
to add to libaudit a new "audit_log_*" function to enforce a standard
message format for VM related events that could be used by other
virtualization tools.
Please send your comments and suggestions.
Regards,
Marcelo Cerri
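To make the proposal concrete, the following is an added example (not code from the RFC or from the audit project) of the core of the proposed auvirt --summary: it parses the two record shapes shown above, keeps only VM-related records, filters by UUID or VM name, and attributes AVC denials to a guest through the svirt label. The second "stop" record, its UUID and the label-to-UUID table are constructed for the example; a real tool would build that table from VIRT_MACHINE_ID records.

```python
import re
from collections import Counter

# Constructed sample log: the VIRT_RESOURCE and AVC records shown in the RFC, plus one invented "stop" record.
RHEL6_UUID = "00000000-0000-4000-8000-000000000001"   # constructed UUID for the second guest
SAMPLE_LOG = (
    "type=VIRT_RESOURCE msg=audit(1319602467.134:33): user pid=14103 uid=0 auid=4294967295 ses=4294967295 "
    "msg='resrc=disk reason=start vm=\"CentOS-Guest\" uuid=41ffecd5-037e-0059-b074-ab2bf354fd0a old-disk=\"?\" "
    "new-disk=\"/var/lib/libvirt/images/CentOS-Guest.img\": exe=\"/usr/sbin/libvirtd\" (hostname=?, addr=?, terminal=? res=success)'\n"
    "type=AVC msg=audit(1318529059.690:801): avc: denied { read } for pid=31199 comm=\"qemu-kvm\" name=\"RHEL6.img\" "
    "dev=dm-0 ino=524635 scontext=system_u:system_r:svirt_t:s0:c99,c999 tcontext=system_u:object_r:svirt_image_t:s0:c390,c835 tclass=file\n"
    "type=VIRT_RESOURCE msg=audit(1319602599.500:40): user pid=14103 uid=0 auid=4294967295 ses=4294967295 "
    "msg='resrc=disk reason=stop vm=\"RHEL6-Guest\" uuid=" + RHEL6_UUID + " old-disk=\"/var/lib/libvirt/images/RHEL6.img\" "
    "new-disk=\"?\": exe=\"/usr/sbin/libvirtd\" (hostname=?, addr=?, terminal=? res=success)'\n"
)
# Constructed svirt label -> guest UUID table (auvirt would derive it from VIRT_MACHINE_ID records).
LABEL_TO_UUID = {"system_u:system_r:svirt_t:s0:c99,c999": RHEL6_UUID}
VM_TYPES = {"VIRT_CONTROL", "VIRT_RESOURCE", "VIRT_MACHINE_ID"}
KV_RE = re.compile(r"""([\w\-]+)=("[^"]*"|'[^']*'|\S+)""")
MSG_RE = re.compile(r"msg='(.*)'\s*$")                 # libvirt body of a user-space record
TS_RE = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")   # seconds and serial from the audit() stamp

def parse_record(line):
    """Flatten one record into a dict; the vm/uuid/reason fields inside msg='...' are merged in."""
    m = MSG_RE.search(line)
    head, body = (line[:m.start()], m.group(1)) if m else (line, "")
    fields = {k: v.strip("\"'") for k, v in KV_RE.findall(head) + KV_RE.findall(body)}
    ts = TS_RE.search(head)
    if ts:
        fields["time"], fields["serial"] = int(ts.group(1)), int(ts.group(2))
    return fields

def auvirt(log_text, selector=None, label_to_uuid=LABEL_TO_UUID):
    """Proposed `auvirt --summary [uuid | vm-name]`: count VM records, attributing AVCs to guests by label."""
    kept, by_type, by_reason = [], Counter(), Counter()
    for line in log_text.splitlines():
        r = parse_record(line)
        if r.get("type") == "AVC":
            r["uuid"] = label_to_uuid.get(r.get("scontext"))   # correlate via the guest's svirt context
        elif r.get("type") not in VM_TYPES:
            continue                                           # not a VM-related record
        if selector is not None and selector not in (r.get("uuid"), r.get("vm")):
            continue                                           # another (or unattributable) guest
        kept.append(r)
        by_type[r["type"]] += 1
        if "reason" in r:
            by_reason[r["reason"]] += 1
    times = [r["time"] for r in kept if "time" in r]
    return {"period": (min(times), max(times)) if times else None, "events": len(kept),
            "by_type": dict(by_type), "by_reason": dict(by_reason), "avc": by_type["AVC"]}
```

Without a label table an AVC cannot be tied to any guest, so it is counted in the unfiltered summary but dropped as soon as a UUID or VM name is given.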
filter specific file from specific program
by Lance Dillon
I have a need to filter a file from auditing, but only from a specific process.
We are running splunk, and indexing /var/log/audit/audit.log. We want audit.log
to be monitored, so we are using a dir watch on /var/log/audit, but we just
don't want splunk access to be reported. Filtering on obj_type doesn't work (-F
obj_type=auditd_log_t), because it filters everything, not that specific
process. However, it actually spawns another process to do the actual access,
so I can't filter on pid either. It runs unconfined, so I can't filter on
subj_type=unconfined_t, because that would filter way too much.
It was suggested to me to use audit roles. If this is something separate from
selinux context, perhaps someone can point me in the right direction? I only
want to filter out (not audit) access to audit.log from the specific process
/opt/splunkforwarder/bin/splunkd (and any forks it may do).
I've been looking at creating a separate selinux context for splunk, which will
do the trick, but is proving harder than I thought because it ends up forking
off other programs, like top and rpm and ntpdate, that run under different
contexts than splunk (unconfined_t, rpm_t, and ntpdate_t respectively), so being
confined to a splunk_t type prevents those programs from running properly.
If anybody has any idea, or can point me in the right direction, I would
appreciate it.
Thanks
help- auditing sys admin commands
by MS PRAVEEN
Can somebody help me here to find a rule/solution to audit only commands
and their arguments executed by users and root? I don't need any other
events audited since that can fill my free space.
Please help me here.
--
Thanks & Regards,
Praveen M S
watch with -p wa catching fstat calls?
by Peter Moody
I've got a watch looking at /dev/mem
auditctl -w /dev/mem -k kernel -p wa
which I understand means that auditd is looking for writes or attribute
changes to /dev/mem (according to the manpage for auditctl)
The weird thing is that auditd seems to be flagging calls to fstat, and I'm
not sure why auditd would be doing this since.
2011-11-30T14:02:42.624523-08:00 node/x.x.x.x audispd: node=node
type=PATH msg=audit(1322690562.613:38): item=0 name="/dev/mem"
inode=1358 dev=00:05 mode=020640 ouid=0 ogid=15 rdev=01:01
2011-11-30T14:02:42.624494-08:00 node/x.x.x.x audispd: node=node
type=CWD msg=audit(1322690562.613:38): cwd="/"
2011-11-30T14:02:42.624480-08:00 node/x.x.x.x audispd: node=node
type=SYSCALL msg=audit(1322690562.613:38): arch=40000003 syscall=5
per=400000 success=yes exit=3 a0=8048f6c a1=2 a2=180 a3=0 items=1
ppid=4132 pid=4199 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="IrqRouteTbl"
exe="/opt/hp/hp-health/bin/IrqRouteTbl" key="kernel"
Running kernel 2.6.38.8 on Ubuntu with auditd version 1.7.13-1ubuntu2.
Cheers,
peter
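Decoding the SYSCALL record quoted above field by field shows which call the watch actually recorded and, for open(2), which access mode its a1 flags and a2 mode carry, which is what decides whether a -p wa watch fires. This is an added example, not code from the post; the record is a one-line copy of the one quoted (syslog prefix dropped), and only the handful of i386 syscall numbers needed here are hard-coded.

```python
import re

# Constructed one-line copy of the SYSCALL record quoted in the post (syslog prefix dropped).
SYSCALL_RECORD = (
    "type=SYSCALL msg=audit(1322690562.613:38): arch=40000003 syscall=5 per=400000 success=yes exit=3 "
    "a0=8048f6c a1=2 a2=180 a3=0 items=1 ppid=4132 pid=4199 auid=4294967295 uid=0 gid=0 euid=0 suid=0 "
    "fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"IrqRouteTbl\" "
    "exe=\"/opt/hp/hp-health/bin/IrqRouteTbl\" key=\"kernel\""
)
AUDIT_ARCH_I386 = 0x40000003   # EM_386 | __AUDIT_ARCH_LE, the value the kernel logs in arch=
I386_SYSCALLS = {5: "open", 6: "close", 33: "access", 108: "fstat", 197: "fstat64"}  # subset of the table
O_ACCMODE, O_RDONLY, O_WRONLY, O_RDWR = 0o3, 0o0, 0o1, 0o2   # Linux <fcntl.h>

def decode_syscall(record):
    """Name the arch and syscall number and, for open(2), decode the flags and mode in a1/a2."""
    f = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}
    arch, nr = int(f["arch"], 16), int(f["syscall"])
    info = {"arch": "i386" if arch == AUDIT_ARCH_I386 else hex(arch),
            "syscall": I386_SYSCALLS.get(nr, str(nr)) if arch == AUDIT_ARCH_I386 else str(nr),
            "success": f["success"] == "yes", "comm": f["comm"], "key": f["key"]}
    if info["syscall"] == "open":                  # open(path, flags, mode): a1 = flags, a2 = mode
        flags = int(f["a1"], 16)                   # aN values are logged in hex
        names = {O_RDONLY: "O_RDONLY", O_WRONLY: "O_WRONLY", O_RDWR: "O_RDWR"}
        info["access"] = names.get(flags & O_ACCMODE, "invalid")
        info["create_mode"] = oct(int(f["a2"], 16))
    return info

def watch_triggers(info, perms):
    """Letters of an `auditctl -w <path> -p <perms>` mask that this decoded call can satisfy."""
    hit = set()
    if info["syscall"] == "open":
        if info["access"] in ("O_WRONLY", "O_RDWR"):
            hit.add("w")                           # a write-capable open satisfies -p w
        if info["access"] in ("O_RDONLY", "O_RDWR"):
            hit.add("r")
    # stat-family calls (fstat, fstat64) exercise no file permission, so they satisfy no watch letter
    return sorted(hit & set(perms))
```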