May 2012 - Linux-audit - Linux-Audit List Archives

by LC Bruzenak

I know I can go look at the code, however I figured I'd ask here first about the limits on the user message in both audit_log_user_message and ausearch. With audit_log_user_message the maximum length allowed appears to be around MAX_AUDIT_MESSAGE_LENGTH-100. I think it may depend on the executable name length (and other stuff auto-pushed into the string) which is why I say "around". Even when I get a successful return value (from audit_log_user_message), I don't get my string back out in "ausearch" unless it is WAY smaller - ~1K or less I think. Any ideas/thoughts? This is the latest (1.7.11-2) audit package. Thx, LCB. -- LC (Lenny) Bruzenak lenny(a)magitekltd.com

11 years, 3 months

5
17
0 / 0

linux-audit: reconstruct path names from syscall events?

by John Feuerstein

Hi, I would like to audit all changes to a directory tree using the linux auditing system[1]. # auditctl -a exit,always -F dir=/etc/ -F perm=wa It seems like the GNU coreutils are enough to break the audit trail. The resulting SYSCALL events provide CWD and multiple PATH records, depending on the syscall. If one of the PATH records is relative, I can reconstruct the absolute path using the CWD record. However, that does not work for the whole *at syscall family (unlinkat(2), renameat(2), linkat(2), ...); accepting paths relative to a given directory file descriptor. GNU coreutils are prominent users, for example "rm -r" making use of unlinkat(2) to prevent races. Things like dup(2) and fd passing via unix domain sockets come to mind. It's the same old story again: mapping fds to path names is ambiguous at best, if not impossible. I wonder why such incomplete file system auditing rules are considered sufficient in the CAPP/LSPP/NISPOM/STIG rulesets? Here's a simplified example: $ cd /tmp $ mkdir dir $ touch dir/file $ ls -ldi /tmp /tmp/dir /tmp/dir/file 2057 drwxrwxrwt 9 root root 380 Sep 17 00:02 /tmp 58781 drwxr-xr-x 2 john john 40 Sep 17 00:02 /tmp/dir 56228 -rw-r--r-- 1 john john 0 Sep 17 00:02 /tmp/dir/file $ cat > unlinkat.c #include <unistd.h> #include <fcntl.h> int main(int argc, char **argv) { int dirfd = open("dir", O_RDONLY); unlinkat(dirfd, "file", 0); return 0; } ^D $ make unlinkat cc unlinkat.c -o unlinkat $ sudo autrace ./unlinkat Waiting to execute: ./unlinkat Cleaning up... Trace complete. You can locate the records with 'ausearch -i -p 32121' $ ls -li dir total 0 Now, looking at the resulting raw SYSCALL event for unlinkat(2): type=SYSCALL msg=audit(1316210542.899:779): arch=c000003e syscall=263 success=yes exit=0 a0=3 a1=400690 a2=0 a3=0 items=2 ppid=32106 pid=32121 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts12 ses=36 comm="unlinkat" exe="/tmp/unlinkat" key=(null) type=CWD msg=audit(1316210542.899:779): cwd="/tmp" type=PATH msg=audit(1316210542.899:779): item=0 name="/tmp" inode=58781 dev=00:0e mode=040755 ouid=1000 ogid=1000 rdev=00:00 type=PATH msg=audit(1316210542.899:779): item=1 name="file" inode=56228 dev=00:0e mode=0100644 ouid=1000 ogid=1000 rdev=00:00 type=EOE msg=audit(1316210542.899:779): - From this event alone, there's no way to answer "Who unlinked /tmp/dir/file?". For what it's worth, the provided path names would be exactly the same if we had unlinked "/tmp/dir/dir/dir/dir/dir/file". - PATH item 0 reports the inode of "/tmp/dir" (58781, see ls output above), however, the reported path name is "/tmp" (bug?). In this example I've used autrace, which traces everything, so I could possibly search for a previous open(2) of inode 58781. And indeed, there it is: type=SYSCALL msg=audit(1316210542.899:778): arch=c000003e syscall=2 success=yes exit=3 a0=40068c a1=0 a2=7fff22724fc8 a3=0 items=1 ppid=32106 pid=32121 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts12 ses=36 comm="unlinkat" exe="/tmp/unlinkat" key=(null) type=CWD msg=audit(1316210542.899:778): cwd="/tmp" type=PATH msg=audit(1316210542.899:778): item=0 name="dir" inode=58781 dev=00:0e mode=040755 ouid=1000 ogid=1000 rdev=00:00 type=EOE msg=audit(1316210542.899:778): Great, so inode 58781 was opened using "/tmp/dir", and therefore, the relative path "file" given to unlinkat(2) above could possibly translate to "/tmp/dir/path"... not really feeling confident here. - All file system auditing rules in various rulesets and the examples in the documentation add the "-F perm=wa" (or similar) filter, so the open(2) wouldn't even make it into the audit trail. - If you can handle the volume and log all open(2), what happens if the open(2) was done hours, days, weeks, ... ago? - What if the open(2) was done by another process which passed the fd on a unix domain socket? It looks like the kernel auditing code should provide ... item=0 name="/tmp/dir" inode=58781 ... in the unlinkat(2) syscall event above. Looking up the unlinkat(2) documentation: int unlinkat(int dirfd, const char *pathname, int flags); If the pathname given in pathname is relative, then it is interpreted relative to the directory referred to by the file descriptor dirfd (rather than relative to the current working directory of the calling process, as is done by unlink(2) and rmdir(2) for a relative pathname). If the pathname given in pathname is relative and dirfd is the special value AT_FDCWD, then pathname is interpreted relative to the current working directory of the calling process (like unlink(2) and rmdir(2)). As you might see, there's not only the fd->pathname problem, but also the special case for AT_FDCWD. In this case the kernel side should probably just duplicate CWD's path name into item 0's path name. But that's just unlinkat(2), there are a lot more. What am I missing here? Is there no way to audit a directory tree? I've looked at alternatives: Inotify watches won't scale to big trees and events lack so much detail that they can't be used for auditing. Fanotify, while providing the pid, still lacks a lot of events and passes fds; the example code relies on readlink("/proc/self/fd/..."). Thanks, John [1] http://people.redhat.com/sgrubb/audit/ -- John Feuerstein <john(a)feurix.com>

12 years, 1 month

6
21
0 / 0

AUDIT_SIGNAL_INFO

by Matthew Booth

Under what circumstances will the RHEL 4 kernel generate a message of type AUDIT_SIGNAL_INFO? My understanding is that it should be sent when a process sends a signal to the audit daemon, however I have not observed that. Any ideas? Thanks, Matt -- Matthew Booth, RHCA, RHCSS Red Hat, Global Professional Services M: +44 (0)7977 267231 GPG ID: D33C3490 GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490

12 years, 6 months

3
4
0 / 0

Near Term Audit Road Map

by Steve Grubb

Hi, With the proposals sent to the list, I wanted to talk about how this might play out code-wise. With regard to the current code base, I am working on a 1.8 release. This would represent finishing the remote logging app and nothing more. The 1.8 series would become just an update series just like the 1.0.x series did. In parallel with finishing remote logging, I would release a 2.0 version. Patches applied to 1.8 would also be applied to 2.0. A 2.1 release would signify the completion of remote logging that branch. I would recommend this branch for all distributions pulling new code in. The 2.0 branch will also have a couple more changes. I want to split up the audit source code a little bit. I want to drop the system-config-audit code and let it become standalone package updated and distributed separately. I also want to drop all audispd-plugins in the 2.0 branch and have them released separately. They cause unnecessary build dependencies for the audit package. During the work for a 2.2 release, I would also like to pull the audispd program inside auditd. In the past, I tried to keep auditd lean and single purpose, but with adding remote logging and kerberos support, we already have something that is hard to analyze. So, to improve performance and decrease system load, the audit daemon will also do event dispatching. Would this proposal impact anyone in a Bad Way? Thanks, -Steve

12 years, 6 months

4
11
0 / 0

ausearch & aureport fail from cron

by dean＠defreitas.net

12 years, 6 months

3
2
0 / 0

Audit logs rotation problem

by Nicolas GORALSKI

Hi all I've a got a problem on my audit log rotation. Because we've got a lot of logs on our server (a little bit of rules and lot of activities), we've decided to rotate logs every hours to compress, backup and delete them. I'm using the command "/etc/init.d/auditd rotate" to rotate them, no other commands. By the way we have some errors, sometimes logs are rotated twice. The rotation job was successful and we have as a result this compressed file : audit_20120507-0940--20120507-1040.log.gz The file contain in the firts line this information about the previous rotation at 9h40 type=DAEMON_ROTATE msg=audit(1336376401.094:8139): auditd sending auid=0 pid=20084 subj=root:system_r:initrc_t:s0 But we have a second file created a few seconds after the previous one named : audit_20120507-1040--20120507-1040.log.gz The first line contain this text : type=DAEMON_ROTATE msg=audit(1336380001.723:8140): auditd error getting usr1 info - no change, sending auid=? pid=? subj=? res=failed My search on the internet doesn't give me any clues about a solution. Does anybody have any clues ? I'm using RH ES 5.7 with auditd 1.7.18 Regards.

12 years, 7 months

2
2
0 / 0

Invitation to connect on LinkedIn

by Aaron Lippold

LinkedIn ------------ I'd like to add you to my professional network on LinkedIn. - Aaron Aaron Lippold Computer Scientist and Senior Technology Advisor at DISA Washington D.C. Metro Area Confirm that you know Aaron Lippold: https://www.linkedin.com/e/69obwb-h2caes7q-6s/isd/7140513257/pdS5zYZx/?hs... -- You are receiving Invitation to Connect emails. Click to unsubscribe: http://www.linkedin.com/e/69obwb-h2caes7q-6s/LpvUzKiDH5xJeeHGnCAaDqsckAKS... (c) 2012 LinkedIn Corporation. 2029 Stierlin Ct, Mountain View, CA 94043, USA.

12 years, 7 months

2
1
0 / 0

auditctl exit code

by Stephen Quinney

I am using Linux Audit version 2.1.3 and I'm wondering if the following behaviour of auditctl is intentional. When I do a complete list of the current rules (with auditctl -l) I get an exit code of zero, as expected. When I do a list which is restricted to a particular key (auditctl -l -k foo) I get 255. It doesn't matter which of my keys I use and there are no error messages sent to stderr to indicate a problem. The auditctl manpage doesn't say what various exit values mean so I'm not sure what type of error is occurring. Stephen Quinney -- The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.

12 years, 7 months

2
3
0 / 0

Rule Compatibility Issues With Old Version of Audit

by Patrick Synor

I am struggling here quite a bit trying to implement a ruleset to help us log PCI related events. I was able to get a good ruleset that I am using successfully on RHEL5 which consists of the following rules: -a exclude,always -F msgtype=CWD -a exit,never -F arch=b32 -F path=/var/log/audit/audit.log -a exit,never -F arch=b32 -F path=/var/log/messages -a always,exit -F euid=0 -F perm=wxa -k ROOT_ACTION -a exit,always -S all -F dir=/var/log -k LOG_ACCESS -a exit,always -F arch=b32 -F dir=/var/log -S truncate -S unlink -S rename -S unlinkat -k LOGS_INIT -a exit,always -F arch=b64 -F dir=/var/log -S truncate -S unlink -S rename -S unlinkat -k LOGS_INIT -w /etc -p wa -k CONF_ACCESS However, when I started deploying this I ran into some RHEL4 servers, and it appears the version of audit on the RHEL4 servers is 1.0.16. This version doesn't seem to like the rules above. For example, the first rule results in the following: Append rule - bad keyword exclude,always Changing this rule to -a entry,never -F msgtype=CWD results in: -F unknown field: msgtype=CWD And -a always,exit -S all -F euid=0 -k ROOT_ACTION results in: filterkey option needs a watch given prior to it So clearly a lot has changed from this version to the version on the RHEL5 box (1.7.18). Anyhow, since upgrading the RHEL4 boxes for this isn't an option, I am trying to figure out what I can do to possibly modify these rules to work with the older version, or replace the older version with a newer version for the sake of this project. From what I understand, the kernel on the RHEL4 box (2.6.9-103.EL) may not allow this since I understand that the versions of audit are generally kernel dependant. Additionally, just looking at some of the dependencies on the audit-libs package on the RHEL4 box I am seeing that a lot of critical things depend on it (e.g. PAM, passwd, shadow-utils, openssh-server, etc.) so removing it and replacing it will likely be quite a mess. If anyone has any input or suggestions I would greatly appreciate it. Ideally, we shouldn't have any RHEL4 boxes today, but the case is that we do, and they cannot be upgraded for the sake of this project, so creative solutions are welcomed, and encouraged. Thanks! -Pat ------------------ Patrick Synor Web Hosting Engineer RouteOne CONFIDENTIALITY NOTE: This message and any attachments are confidential, may contain information that is privileged and is intended only for the use of the addressee. If you are not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail and delete the message and any attachments from your system. This message is not meant to constitute an electronic signature or evidence intent to contract electronically.

12 years, 7 months

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit May 2012