January 2012 - Linux-audit - Linux-Audit List Archives

what does the arch= hex number represent?

by Peter Moody

What does the hex number after arch= mean? 64bit seems to always be c000003e and 32bit seems to be 40000003, but I'd feel a lot better setting up log monitoring if I knew what they actually represented. $ sudo auditctl -l LIST_RULES: exit,always arch=3221225534 (0xc000003e) ... Cheers, peter -- Peter Moody Google 1.650.253.7306 Security Engineer pgp:0xC3410038

14 years, 1 month

2
1
0 / 0

Capture System Time Changes

by Rye, Gene R.

I am using both the NISPOM and STIG rules for my audit.rules file. As root, if I perform a system time change, it does not capture this information in either /var/log/secure or var/log/audit/audit.log. How can I capture when someone changes the time or attempts to change the time?

14 years, 1 month

2
1
0 / 0

linux auditd: Not getting log for chmod syscall

by bharat gupta

Hi, I am using redhat 6, and trying to create logs for some system call using the rule given below: *-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod* After running command chmod i was not able to get any log, but when i used strace command i have seen that syscall have been called. I also checked that auditd service is running properly. May you guide me why i am not able to get any log message. i also checked by writting rule for 32 bit, but problem still not resolved. -- Bharat Gupta IIT -Roorkee

14 years, 1 month

3
3
0 / 0

Path ignored but syscall event still logged

by Max Williams

Hi All, I have a system that is logging many events for a path that I think should be ignored... [root@host1 ~]# auditctl -l LIST_RULES: exit,always dir=/etc/audit (0xa) perm=wa key=auditd_configuration LIST_RULES: exit,always dir=/etc/audisp (0xb) perm=wa key=auditd_configuration LIST_RULES: exit,always watch=/etc/libaudit.conf perm=wa key=auditd_configuration LIST_RULES: exit,always watch=/etc/sysconfig/auditd perm=wa key=auditd_configuration LIST_RULES: exit,never dir=/etc/lvm/cache (0xe) syscall=all LIST_RULES: exit,never dir=/opt (0x4) syscall=all LIST_RULES: exit,never dir=/tmp (0x4) syscall=all LIST_RULES: exit,never dir=/naab1 (0x6) syscall=all LIST_RULES: exit,never dir=/naab2 (0x6) syscall=all LIST_RULES: exit,never dir=/ab1 (0x4) syscall=all LIST_RULES: exit,never dir=/ab2 (0x4) syscall=all LIST_RULES: exit,always perm=a key=file_attributes LIST_RULES: exit,always arch=3221225534 (0xc000003e) a1=1074292226 (0x40086602) key=file_attributes syscall=ioctl LIST_RULES: exit,always arch=3221225534 (0xc000003e) a1=-2146933247 (0x80086601) key=file_attributes syscall=ioctl LIST_RULES: exit,always arch=3221225534 (0xc000003e) exit=-13 (0xfffffff3) key=invalid_logical_access syscall=open LIST_RULES: exit,always dir=/bin (0x4) perm=wa key=bin_modification LIST_RULES: exit,always dir=/boot (0x5) perm=wa key=boot_modification LIST_RULES: exit,always dir=/etc (0x4) perm=wa key=etc_modification LIST_RULES: exit,always dir=/home (0x5) perm=wa key=home_modification LIST_RULES: exit,always dir=/lib (0x4) perm=wa key=lib_modification LIST_RULES: exit,always dir=/lib64 (0x6) perm=wa key=lib64_modification LIST_RULES: exit,always dir=/root (0x5) perm=wa key=root_modification LIST_RULES: exit,always dir=/sbin (0x5) perm=wa key=sbin_modification LIST_RULES: exit,always dir=/usr (0x4) perm=wa key=usr_modification LIST_RULES: exit,always dir=/var/spool/at (0xd) perm=wa key=misc_var LIST_RULES: exit,always dir=/var/spool/cron (0xf) perm=wa key=misc_var LIST_RULES: exit,never dir=/var (0x4) syscall=all LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=dir_operations syscall=mkdir,rmdir,unlinkat LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=link_operation syscall=rename,link,unlink,symlink LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=special_device_creation syscall=mknod,mknodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=mount_operation syscall=mount,umount2 LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=kernel_module syscall=create_module,init_module,delete_module LIST_RULES: exclude,always msgtype=CRED_ACQ (0x44f) LIST_RULES: exclude,always msgtype=CRED_DISP (0x450) LIST_RULES: exclude,always msgtype=CRYPTO_KEY_USER (0x964) LIST_RULES: exclude,always msgtype=CRYPTO_SESSION (0x967) LIST_RULES: exclude,always msgtype=LOGIN (0x3ee) LIST_RULES: exclude,always msgtype=USER_ACCT (0x44d) LIST_RULES: exclude,always msgtype=USER_AUTH (0x44c) LIST_RULES: exclude,always msgtype=USER_CMD (0x463) LIST_RULES: exclude,always msgtype=USER_END (0x452) LIST_RULES: exclude,always msgtype=USER_LOGIN (0x458) LIST_RULES: exclude,always msgtype=USER_START (0x451) [root@host1 ~]# tail /var/log/audit/audit.log node=host1.domain type=PATH msg=audit(1324401918.113:223550509): item=3 name="checkpoint.1568280a-4eef7e3f-38e9.102.138" inode=30958573 dev=fd:0d mode=0100660 ouid=3534 ogid=9001 rdev=00:00 node=host1.domain type=PATH msg=audit(1324401918.113:223550510): item=2 name="temp_checkpoint.checkpoint.1568280a-4eef7e3f-38d2.76.138" inode=30958636 dev=fd:0d mode=0100660 ouid=3534 ogid=9001 rdev=00:00 node=host1.domain type=PATH msg=audit(1324401918.113:223550510): item=3 name="checkpoint.1568280a-4eef7e3f-38d2.76.138" inode=30958614 dev=fd:0d mode=0100660 ouid=3534 ogid=9001 rdev=00:00 node=host1.domain type=PATH msg=audit(1324401918.113:223550509): item=4 name="checkpoint.1568280a-4eef7e3f-38e9.102.138" inode=30958644 dev=fd:0d mode=0100660 ouid=3534 ogid=9001 rdev=00:00 node=host1.domain type=PATH msg=audit(1324401918.113:223550510): item=4 name="checkpoint.1568280a-4eef7e3f-38d2.76.138" inode=30958636 dev=fd:0d mode=0100660 ouid=3534 ogid=9001 rdev=00:00 node=host1.domain type=SYSCALL msg=audit(1324401918.113:223550511): arch=c000003e syscall=82 success=yes exit=0 a0=7ecdb0 a1=7d10e0 a2=7f6c0782dcd4 a3=0 items=4 ppid=14614 pid=16951 auid=7463 uid=3534 gid=9001 euid=3534 suid=3534 fsuid=3534 egid=9001 sgid=9001 fsgid=9001 tty=(none) ses=9372 comm="db-update.impl." exe="/var/some-app/some-app-V3-0-3/gcc4p64/db_v2/bin/db-update.impl.gcc4p64" key="link_operation" node=host1.domain type=SYSCALL msg=audit(1324401918.113:223550512): arch=c000003e syscall=82 success=yes exit=0 a0=9a6e50 a1=92e9f0 a2=7fe84e682cd4 a3=0 items=4 ppid=14595 pid=14937 auid=7463 uid=3534 gid=9001 euid=3534 suid=3534 fsuid=3534 egid=9001 sgid=9001 fsgid=9001 tty=(none) ses=10226 comm="multitool.impl." exe="/var/some-app/some-app-V3-0-3/gcc4p64/bin/multitool" key="link_operation" node=host1.domain type=CWD msg=audit(1324401918.113:223550511): cwd="/naab1/serial/data/dir1/serial/dir2/abc_load/temp/some-app/.WORK-serial/1568280a-4eef7e3f-3873" node=host1.domain type=CWD msg=audit(1324401918.113:223550512): cwd="/naab1/serial/data/dir1/serial/dir2/abc_load/temp/some-app/.WORK-serial/1568280a-4ef0423c-38fe" node=host1.domain type=PATH msg=audit(1324401918.113:223550511): item=0 name="/naab1/serial/data/dir1/serial/dir2/abc_load/temp/some-app/.WORK-serial/1568280a-4eef7e3f-3873" inode=30932995 dev=fd:0d mode=040755 ouid=3534 ogid=9001 rdev=00:00 [root@host1 ~]# I'm referring to event ID 223550511 (key is link_operation) in the logs which is using a path of '/naab1/...' How come this event is not ignored due to the 8th rule? I think I'm missing something. Many thanks, Max ________________________________________________________________________ In order to protect our email recipients, Betfair Group use SkyScan from MessageLabs to scan all Incoming and Outgoing mail for viruses. ________________________________________________________________________

14 years, 1 month

2
11
0 / 0

linux audit: not getting log for chmod

by bharat gupta

> > Hi, > > I am using redhat 6, and trying to create logs for some system call using > the rule given below: > > *-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 > -F auid!=4294967295 -k perm_mod* > > -> After running command chmod i was not able to get any log, but when i > used strace command i have seen that syscall have been called. > -> I also checked that auditd service is running properly. > -> May you guide me why i am not able to get any log message. > -> I also checked by writting rule for 32 bit, but problem still not > resolved. > > ->When i have run the command "auditctl -l |grep chmod" i got the output as given below: LIST_RULES: exit,always arch=1073741827 (0x40000003) auid>=500 (0x1f4) auid!=-1 (0xffffffff) key=perm_mod syscall=chmod,fchmod,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) key=perm_mod syscall=chmod,fchmod,fchmodat -> when i am using strace command it is showing that "fchmodat" system call have been called and i have included that in my rule but still i am not getting any log. strace command and its output is given below: *Command* : strace -o /root/bharat/chmodSystemCallOutput.txt chmod 765 /root/bharat/test02 *Output*: execve("/bin/chmod", ["chmod", "765", "/root/bharat/test02"], [/* 31 vars */]) = 0 brk(0) = 0xdbe000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa36aaa2000 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=70036, ...}) = 0 mmap(NULL, 70036, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fa36aa90000 close(3) = 0 open("/lib64/libc.so.6", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\355\1\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=1907344, ...}) = 0 mmap(NULL, 3737768, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fa36a4f3000 mprotect(0x7fa36a67a000, 2097152, PROT_NONE) = 0 mmap(0x7fa36a87a000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x187000) = 0x7fa36a87a000 mmap(0x7fa36a87f000, 18600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fa36a87f000 close(3) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa36aa8f000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa36aa8e000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa36aa8d000 arch_prctl(ARCH_SET_FS, 0x7fa36aa8e700) = 0 mprotect(0x7fa36a87a000, 16384, PROT_READ) = 0 mprotect(0x7fa36aaa3000, 4096, PROT_READ) = 0 munmap(0x7fa36aa90000, 70036) = 0 brk(0) = 0xdbe000 brk(0xddf000) = 0xddf000 open("/usr/lib/locale/locale-archive", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=99158752, ...}) = 0 mmap(NULL, 99158752, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fa364662000 close(3) = 0 umask(0) = 077 stat("/root/bharat/test02", {st_mode=S_IFREG|0777, st_size=18, ...}) = 0 fchmodat(AT_FDCWD, "/root/bharat/test02", 0765) = 0 close(1) = 0 close(2) = 0 exit_group(0) -- Bharat Gupta IIT -Roorkee

14 years, 1 month

1
0
0 / 0

Relying on syscall record for information and useless key/value duplication

by Eric Paris

So I realized today that we have overlapping information in records and I don't like it. A great example would be the MAC_STATUS record and how you can get duplicate info. Looking at that following output. type=MAC_STATUS msg=audit(1326314451.473:1018): enforcing=0 old_enforcing=1 auid=4166 ses=2 type=SYSCALL msg=audit(1326314451.473:1018): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fffc73e1200 a2=1 a3=0 items=0 ppid=3110 pid=21435 auid=4166 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=2 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) What you see is that the MAC_STATUS record tells us more than about the mac status. It also includes the auid and ses. Why only that info? Why not other info like the SELinux context? What really bothers me is that We already get that info (and a lot more info) in the SYSCALL record. I believe this is bogus. What I'd like to do is to create a new record called the 'TASK_INFO' record that will contain: ppid pid auid uid gid euid suid fsuid egid sgid fsgid tty ses comm exe subj And have this record be 'automagically' emitted any time any record is emitted. Thus we don't have information duplication and even if you have rules to exclude the SYSCALL record you still get all the info you ever needed for the MAC_STATUS record you wanted. Does this make sense? Is there a reason not to do this? It makes the code smaller, faster, easier to maintainer, and MUCH easier to prove correct and complete. It logically separates the info that is from the task doing the action from the records which are supposed to report on individual actions. Shouldn't MAC_STATUS be about the mac status? Shouldn't config change records be about the config that changed? Shouldn't the xfrm records be about XFRM? Obviously attributing these actions to a given task is important, but it isn't being put where it belongs.

14 years, 1 month

3
4
0 / 0

Consolidate Audit's msgs

by dump＠tzib.net

Hi, I was wondering if there had already been an effort or solution to consolidate msgs from auditd into a single line. I'm talking about buffering the messages until EOE (or timing out/empty buffer if EOE doesn't come on errors), and concatenating messages with the same ID into a single message. Potentially also transforming the message syntax while at it. I'm asking because some loggers will only accept specific message formats. I looked at the plugins, but, from what I gather, the kernel sends the messages as raw strings and I'm not sure of the performance/memory impact when auditd cranks out a lot of messages. An alternative could be to send all the msgs as text to a remote auditd host using audispd-remote, and processing the log file on that host. It means even more messages to process however and I'm not sure the text file interface will be fast enough/might have too much disk activity and break often, etc. if auditd again, cranks out a lot of messages from many hosts (like several thousand per second). Any insight?

14 years, 1 month

2
1
0 / 0

MAC_IPSEC_EVENT Logged without rules

by Diego Woitasen

Hi, I have a machine with IPSEC running (Strongswan) and audit to register some user events. The weird thing is that I'm getting this messages logged without having any rule: Jan 6 00:21:43 nodovpn668 audispd: node=nodovpn668 type=MAC_IPSEC_EVENT msg=audit(1325820103.059:2953): op=SA-notfound src=172.16.0.59 dst=172.16.0.181 spi=2351148309(0x8c23ad15) seqno=1463943698 My workaround is: auditctl -a exclude,always -F msgtype=MAC_IPSEC_EVENT Bug or Am I missing something? Regards, Diego -- Diego Woitasen

14 years, 1 month

2
1
0 / 0

GUI audit review interface?

by Steve M. Zak

Hi, Does Red hat provide a GUI interface to view and filter the audit log? Are you aware of any third party tools? Thanks! Steve M. Zak -- This email was Anti Virus checked by Astaro Security Gateway. http://www.astaro.com

14 years, 1 month

2
1
0 / 0

[PATCH 1/5] audit: allow interfield comparison in audit rules

by Eric Paris

We wish to be able to audit when a uid=500 task accesses a file which is uid=0. Or vice versa. This patch introduces a new audit filter type AUDIT_FIELD_COMPARE which takes as an 'enum' which indicates which fields should be compared. At this point we only define the task->uid vs inode->uid, but other comparisons can be added. Signed-off-by: Eric Paris <eparis(a)redhat.com> --- include/linux/audit.h | 4 ++++ kernel/auditfilter.c | 5 ++++- kernel/auditsc.c | 30 +++++++++++++++++++++++++++++- 3 files changed, 37 insertions(+), 2 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index c1048b6..7bf31e2 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -182,7 +182,10 @@ * AUDIT_UNUSED_BITS is updated if need be. */ #define AUDIT_UNUSED_BITS 0x07FFFC00 +/* AUDIT_FIELD_COMPARE rule list */ +#define AUDIT_COMPARE_UID_TO_OBJ_UID 1 +#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_UID_TO_OBJ_UID /* Rule fields */ /* These are useful when checking the * task structure at task creation time @@ -225,6 +228,7 @@ #define AUDIT_FILETYPE 108 #define AUDIT_OBJ_UID 109 #define AUDIT_OBJ_GID 110 +#define AUDIT_FIELD_COMPARE 111 #define AUDIT_ARG0 200 #define AUDIT_ARG1 (AUDIT_ARG0+1) diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index f10605c..a6c3f1a 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -526,7 +526,6 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, goto exit_free; break; case AUDIT_FILTERKEY: - err = -EINVAL; if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN) goto exit_free; str = audit_unpack_string(&bufp, &remain, f->val); @@ -543,6 +542,10 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, if (f->val & ~S_IFMT) goto exit_free; break; + case AUDIT_FIELD_COMPARE: + if (f->val > AUDIT_MAX_FIELD_COMPARE) + goto exit_free; + break; default: goto exit_free; } diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 37ad085..efb1763 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -463,6 +463,32 @@ static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree) return 0; } +static int audit_field_compare(struct task_struct *tsk, + const struct cred *cred, + struct audit_field *f, + struct audit_context *ctx, + struct audit_names *name) +{ + struct audit_names *n; + + switch (f->val) { + case AUDIT_COMPARE_UID_TO_OBJ_UID: + if (name) { + return audit_comparator(cred->uid, f->op, name->uid); + } else if (ctx) { + list_for_each_entry(n, &ctx->names_list, list) { + if (audit_comparator(cred->uid, f->op, n->uid)) + return 1; + } + } + break; + default: + WARN(1, "Missing AUDIT_COMPARE define. Report as a bug\n"); + return 0; + } + return 0; +} + /* Determine if any context name data matches a rule's watch data */ /* Compare a task_struct with an audit_rule. Return 1 on match, 0 * otherwise. @@ -693,8 +719,10 @@ static int audit_filter_rules(struct task_struct *tsk, case AUDIT_FILETYPE: result = audit_match_filetype(ctx, f->val); break; + case AUDIT_FIELD_COMPARE: + result = audit_field_compare(tsk, cred, f, ctx, name); + break; } - if (!result) return 0; } -- 1.7.1

14 years, 1 month

2
7
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit January 2012