[RFC] [PATCH] - auditing cmdline
by William Roberts
all,
I sent out some patches a while back (12/2) that affect mm, procfs and
audit. The audit patch (PATCH 3/3) was ack'd on by Richard Guy Briggs.
But the other patches I have not heard anything on.
Patches:
[PATCH 1/3] mm: Create utility functions for accessing a tasks commandline value
[PATCH 2/3] proc: Update get proc_pid_cmdline() to use mm.h helpers
[PATCH 3/3] audit: Audit proc cmdline value
Link to mailer archive:
https://www.mail-archive.com/search?l=linux-kernel@vger.kernel.org&q=from...
Thanks for any help.
--
Respectfully,
William C Roberts
10 years, 10 months
capturing audit data with ausearch -i
by Levy, Mark (ESS)
Hi,
We're trying to find a way to capture the Linux audit data, pass it through ausearch -i, and then send the data to our SIEM product for ingestion.
Does audispd allow ausearch -i to be used as an arg?
What would be the best way to attempt this?
We would be collecting from hundreds of linux servers.
Thanks for your input.
Mark
10 years, 10 months
Exclude /usr/libexec/mysqld from audit.rules
by Derek Warner
ALCON,
We have a CentOS machine running CentOS 6, and it uses MySQL. When a
standard user operates the system, our /var/log/messages gets filled up
with around 2 GB of audit data rather quickly. Here is the audit record:
Dec 6 15:22:12 aaa-bbb audispd: node=aaa-bbb.ccc.ddd.eee type=SYSCALL
msg=audit(1386361331.932:3572423): arch=c000003e syscall=142 success=no
exit=-22 a0=1f46 a1=7f5e6357e290 a2=d3b6f8 a3=1f68 items=0 ppid=2518
pid=8006 auid=4294967295 uid=496 gid=492 euid=496 suid=496 fsuid=496
egid=492 sgid=492 fsgid=492 tty=(none) ses=4294967295 comm="mysqld"
exe="/usr/libexec/mysqld" key=(null)
I have tried the following:
-a exit,never -F path=/usr/libexec/mysqld
When using "-F", I noticed in one RHEL forum that someone used -F exe=.
However, in CentOS exe is not a recognized field when using -F.
We do not wish to audit this data, can someone please help me exclude the
audit?
V/R
Derek Warner – CISSP-ISSEP
Information System Security Engineer
Riptide Software
w- 321-296-0068 x 136
c- 407-716-9223
derek.warner(a)riptidesoftware.com
derek.a.warner(a)us.army.mil
10 years, 10 months
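An added Python example, not code from either poster, covering the two userspace steps these last two posts touch: parsing a raw SYSCALL record and applying the kind of interpretation `ausearch -i` provides before a SIEM ingests it (the ausearch thread), and deriving from that same record an exclusion rule keyed only on fields that old auditctl accepts, since `-F exe=` is rejected on the poster's CentOS 6 (the mysqld thread). The record is the one quoted above rejoined onto one line; the arch table and the rule layout are my assumptions.

```python
import re

# The SYSCALL record quoted in the post above, rejoined onto one line with the
# syslog prefix ("Dec 6 15:22:12 aaa-bbb audispd:") stripped.
RECORD = ('node=aaa-bbb.ccc.ddd.eee type=SYSCALL msg=audit(1386361331.932:3572423): '
          'arch=c000003e syscall=142 success=no exit=-22 a0=1f46 a1=7f5e6357e290 '
          'a2=d3b6f8 a3=1f68 items=0 ppid=2518 pid=8006 auid=4294967295 uid=496 '
          'gid=492 euid=496 suid=496 fsuid=496 egid=492 sgid=492 fsgid=492 '
          'tty=(none) ses=4294967295 comm="mysqld" exe="/usr/libexec/mysqld" key=(null)')

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET_ID = 4294967295                                    # (unsigned)-1: no login session
ARCH_NAMES = {'c000003e': 'x86_64', '40000003': 'i386'}  # AUDIT_ARCH_* values (assumed table)

def parse_record(line):
    """Split a raw record into a dict: quotes are stripped and the kernel's
    (null)/(none) placeholders become None."""
    rec = {}
    for key, val in FIELD_RE.findall(line):
        if val.startswith('"'):
            val = val[1:-1]
        elif val in ('(null)', '(none)'):
            val = None
        rec[key] = val
    m = re.match(r'audit\((\d+\.\d+):(\d+)\)', rec.get('msg') or '')
    if m:
        rec['timestamp'], rec['serial'] = float(m.group(1)), int(m.group(2))
    return rec

def interpret(rec):
    """The part of `ausearch -i` a SIEM needs most: numeric fields typed, the
    arch named and the (unsigned)-1 sentinels reported as 'unset'."""
    out = dict(rec)
    out['arch'] = ARCH_NAMES.get(rec['arch'], rec['arch'])
    for k in ('auid', 'ses'):
        out[k] = 'unset' if int(rec[k]) == UNSET_ID else int(rec[k])
    for k in ('syscall', 'exit', 'pid', 'ppid', 'uid', 'gid'):
        out[k] = int(rec[k])
    out['success'] = rec['success'] == 'yes'
    return out

def exclusion_rule(rec):
    """An auditctl 'never' rule for this record keyed only on arch, syscall
    number and uid (no -F exe=, which the poster's auditctl rejects). It only
    takes effect if it precedes the 'always' rules: the first matching rule wins."""
    arch = 'b64' if rec['arch'] == 'c000003e' else 'b32'
    return '-a exit,never -F arch=%s -S %s -F uid=%s' % (arch, rec['syscall'], rec['uid'])
```

A rule this narrow suppresses only the one flooding syscall for uid 496; widening it trades audit coverage for quiet, so keep the exclusion as narrow as the actual flood requires.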
[PATCH] audit: process errors from filter user rules
by Richard Guy Briggs
Errors from filter user rules were previously ignored, and worse, an error on
an AUDIT_NEVER rule disabled logging on that rule. On -ESTALE, retry up to 5
times. On error on AUDIT_NEVER rules, log.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/audit.c | 2 +-
kernel/auditfilter.c | 44 +++++++++++++++++++++++++++++++-------------
2 files changed, 32 insertions(+), 14 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 4cbc945..c93cf06 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -706,7 +706,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
return 0;
err = audit_filter_user(msg_type);
- if (err == 1) {
+ if (err) { /* match or error */
err = 0;
if (msg_type == AUDIT_USER_TTY) {
err = tty_audit_push_current();
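Review bot: the error value from audit_filter_user() is dropped on the floor here: `if (err) { /* match or error */` treats a negative return exactly like 1 and the next line `err = 0;` erases it, so nobody ever learns that a filter comparison failed, and a -ESTALE that exhausted the retry limit becomes indistinguishable from plain "audit by default". At least log the error (a printk or audit_log of the rc) before resetting err, and reword the comment: a return of 1 from audit_filter_user() means "no NEVER rule matched, go ahead and audit", not "match".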
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index b4c6e03..1a7dfa5 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1272,8 +1272,8 @@ static int audit_filter_user_rules(struct audit_krule *rule, int type,
break;
}
- if (!result)
- return 0;
+ if (result <= 0)
+ return result;
}
switch (rule->action) {
case AUDIT_NEVER: *state = AUDIT_DISABLED; break;
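Review bot: with `if (result <= 0) return result;` audit_filter_user_rules() now has three return classes (1 all fields matched, 0 no match, negative error) and nothing in the function documents that; add a comment on the function stating the contract, and confirm that every comparator feeding `result` only goes negative for genuine errors, because a comparator that returns -1 to mean "no match" would now abort the whole rule walk instead of moving to the next rule.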
@@ -1286,19 +1286,37 @@ int audit_filter_user(int type)
{
enum audit_state state = AUDIT_DISABLED;
struct audit_entry *e;
- int ret = 1;
-
- rcu_read_lock();
- list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
- if (audit_filter_user_rules(&e->rule, type, &state)) {
- if (state == AUDIT_DISABLED)
- ret = 0;
- break;
+ int rc, count = 0, retry = 0, ret = 1; /* Audit by default */
+#define FILTER_RETRY_LIMIT 5
+
+ do {
+ rcu_read_lock();
+ list_for_each_entry_rcu(e,
+ &audit_filter_list[AUDIT_FILTER_USER],
+ list) {
+ retry = 0;
+ rc = audit_filter_user_rules(&e->rule, type, &state);
+ if (rc > 0) {
+ if (state == AUDIT_DISABLED)
+ ret = 0;
+ break;
+ } else if (rc < 0) {
+ if (rc == -ESTALE && count < FILTER_RETRY_LIMIT) {
+ rcu_read_unlock();
+ count++;
+ retry = 1;
+ cond_resched();
+ } else {
+ ret = rc;
+ }
+ break;
+ }
}
- }
- rcu_read_unlock();
+ if (!retry)
+ rcu_read_unlock();
+ } while (retry);
- return ret; /* Audit by default */
+ return ret;
}
int audit_filter_type(int type)
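Review bot: the RCU locking in this hunk is harder to verify than it needs to be: `rcu_read_unlock();` is called inside the list walk on the -ESTALE path and then again conditionally after the loop via `if (!retry)`. Moving a single unconditional `rcu_read_unlock();` to just after the loop, with the retry branch only doing `count++; retry = 1; break;`, keeps lock and unlock at one nesting level and makes the `cond_resched()` before the next pass visibly lock-free. Two smaller points: `#define FILTER_RETRY_LIMIT 5` belongs at file scope rather than inside the function body, and `state` is not reset between retries, which is only correct because audit_filter_user_rules() writes it solely after all fields matched (the `switch (rule->action)` at the end of the previous hunk); a one-line comment saying so would spare the next reader the same check.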
--
1.7.1
10 years, 10 months
Re: [BUG][PATCH] audit: audit_log_start running on auditd should not stop
by Richard Guy Briggs
On Tue, Oct 15, 2013 at 02:30:34PM +0800, Gao feng wrote:
> Hi Toshiyuki-san,
Toshiyuki and Gao,
> On 10/15/2013 12:43 PM, Toshiyuki Okajima wrote:
> > The backlog cannot be consumed when audit_log_start is running on auditd
> > even if audit_log_start calls wait_for_auditd to consume it.
> > The situation is a deadlock because only auditd can consume the backlog.
> > If the other process needs to send the backlog, it can be also stopped
> > by the deadlock.
> >
> > So, audit_log_start running on auditd should not stop.
> >
> > You can see the deadlock with the following reproducer:
> > # auditctl -a exit,always -S all
> > # reboot
> Hmm, I see. There may be other code paths in which auditd can call audit_log_start besides
> audit_log_config_change, so it's better to handle this problem in audit_log_start.
>
> But the current task is only meaningful when gfp_mask & __GFP_WAIT is true,
> so maybe the patch below is what you want.
I have been following this thread with interest. I like the general
evolution of this patch. The first patch was a bit too abrupt, dropping
too much, but this one makes much more sense. I would be tempted to
make the reserve even bigger.
I see that you should be using a kernel that has included commit
8ac1c8d5 (which made it into v3.12-rc3)
audit: fix endless wait in audit_log_start()
That was an obvious bug, but I was still concerned about the cause of
the initial wait. There are other fixes and ideas in the works that
should alleviate some of the pressure to make the service more usable.
https://lkml.org/lkml/2013/9/18/453
I have tested with and without this v3 patch and I don't see any
significant difference with the reproducer provided above. I'm also
testing with a reproducer of the endless wait bug (readahead-collector).
What are your expected results? What are your actual results in each
case? How are they different?
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 7b0e23a..10b4545 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1095,7 +1095,9 @@ struct audit_buffer *audit_log_start(struct audit_context
> struct audit_buffer *ab = NULL;
> struct timespec t;
> unsigned int uninitialized_var(serial);
> - int reserve;
> + int reserve = 5; /* Allow atomic callers to go up to five
> + entries over the normal backlog limit */
> +
> unsigned long timeout_start = jiffies;
>
> if (audit_initialized != AUDIT_INITIALIZED)
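Review bot: the comment moved onto `int reserve = 5;` still says "Allow atomic callers to go up to five entries over the normal backlog limit", but after this patch the reserve also applies to auditd itself, a sleeping caller whose __GFP_WAIT is stripped in the next hunk; update the comment to say the reserve now covers both atomic callers and auditd, otherwise a reader will assume the old "atomic only" condition still holds.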
> @@ -1104,11 +1106,12 @@ struct audit_buffer *audit_log_start(struct audit_contex
> if (unlikely(audit_filter_type(type)))
> return NULL;
>
> - if (gfp_mask & __GFP_WAIT)
> - reserve = 0;
> - else
> - reserve = 5; /* Allow atomic callers to go up to five
> - entries over the normal backlog limit */
> + if (gfp_mask & __GFP_WAIT) {
> + if (audit_pid && audit_pid == current->pid)
> + gfp_mask &= ~__GFP_WAIT;
> + else
> + reserve = 0;
> + }
>
> while (audit_backlog_limit
> && skb_queue_len(&audit_skb_queue) > audit_backlog_limit + reserv
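Review bot: `gfp_mask &= ~__GFP_WAIT;` when current is auditd does more than skip the backlog wait: gfp_mask is the mask the rest of audit_log_start() allocates with, so auditd's own records are now allocated as if from atomic context and get dropped rather than waited for under memory pressure. If the intent is only to avoid the self-deadlock on the backlog, a separate local (for example a `bool may_wait`) consulted by the wait loop while gfp_mask stays intact would be safer; and because auditd is then capped at `reserve = 5` entries over the limit, the reserve for this case is small, as the reply above already notes.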
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer
Kernel Security
AMER ENG Base Operating Systems
Remote, Ottawa, Canada
Voice: +1.647.777.2635
Internal: (81) 32635
Alt: +1.613.693.0684x3545
10 years, 10 months
[PATCH 3.8 050/152] audit: printk USER_AVC messages when audit isn't enabled
by Kamal Mostafa
3.8.13.14 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Tyler Hicks <tyhicks(a)canonical.com>
commit 0868a5e150bc4c47e7a003367cd755811eb41e0b upstream.
When the audit=1 kernel parameter is absent and auditd is not running,
AUDIT_USER_AVC messages are being silently discarded.
AUDIT_USER_AVC messages should be sent to userspace using printk(), as
mentioned in the commit message of 4a4cd633 ("AUDIT: Optimise the
audit-disabled case for discarding user messages").
When audit_enabled is 0, audit_receive_msg() discards all user messages
except for AUDIT_USER_AVC messages. However, audit_log_common_recv_msg()
refuses to allocate an audit_buffer if audit_enabled is 0. The fix is to
special case AUDIT_USER_AVC messages in both functions.
It looks like commit 50397bd1 ("[AUDIT] clean up audit_receive_msg()")
introduced this bug.
Signed-off-by: Tyler Hicks <tyhicks(a)canonical.com>
Cc: Al Viro <viro(a)zeniv.linux.org.uk>
Cc: Eric Paris <eparis(a)redhat.com>
Cc: linux-audit(a)redhat.com
Acked-by: Kees Cook <keescook(a)chromium.org>
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
Signed-off-by: Eric Paris <eparis(a)redhat.com>
Signed-off-by: Kamal Mostafa <kamal(a)canonical.com>
---
kernel/audit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 8a667f10..1da9782 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -615,7 +615,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
char *ctx = NULL;
u32 len;
- if (!audit_enabled) {
+ if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
*ab = NULL;
return rc;
}
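Review bot: the commit message says the fix is to "special case AUDIT_USER_AVC messages in both functions", but the diff touches only audit_log_common_recv_msg() (1 insertion, 1 deletion); if audit_receive_msg() already carries the exception, the message should say so ("audit_receive_msg() already lets AUDIT_USER_AVC through; this adds the matching check here") so a stable backporter does not go looking for a missing second hunk.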
--
1.8.3.2
10 years, 11 months
[3.8.y.z extended stable] Patch "audit: printk USER_AVC messages when audit isn't enabled" has been added to staging queue
by Kamal Mostafa
This is a note to let you know that I have just added a patch titled
audit: printk USER_AVC messages when audit isn't enabled
to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree
which can be found at:
http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/l...
This patch is scheduled to be released in version 3.8.13.14.
If you, or anyone else, feels it should not be added to this tree, please
reply to this email.
For more information about the 3.8.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable
Thanks.
-Kamal
------
From 413f7cab725f1afa8c51f638fa4d335fc64beb14 Mon Sep 17 00:00:00 2001
From: Tyler Hicks <tyhicks(a)canonical.com>
Date: Thu, 25 Jul 2013 18:02:55 -0700
Subject: audit: printk USER_AVC messages when audit isn't enabled
commit 0868a5e150bc4c47e7a003367cd755811eb41e0b upstream.
When the audit=1 kernel parameter is absent and auditd is not running,
AUDIT_USER_AVC messages are being silently discarded.
AUDIT_USER_AVC messages should be sent to userspace using printk(), as
mentioned in the commit message of 4a4cd633 ("AUDIT: Optimise the
audit-disabled case for discarding user messages").
When audit_enabled is 0, audit_receive_msg() discards all user messages
except for AUDIT_USER_AVC messages. However, audit_log_common_recv_msg()
refuses to allocate an audit_buffer if audit_enabled is 0. The fix is to
special case AUDIT_USER_AVC messages in both functions.
It looks like commit 50397bd1 ("[AUDIT] clean up audit_receive_msg()")
introduced this bug.
Signed-off-by: Tyler Hicks <tyhicks(a)canonical.com>
Cc: Al Viro <viro(a)zeniv.linux.org.uk>
Cc: Eric Paris <eparis(a)redhat.com>
Cc: linux-audit(a)redhat.com
Acked-by: Kees Cook <keescook(a)chromium.org>
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
Signed-off-by: Eric Paris <eparis(a)redhat.com>
Signed-off-by: Kamal Mostafa <kamal(a)canonical.com>
---
kernel/audit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 8a667f10..1da9782 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -615,7 +615,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
char *ctx = NULL;
u32 len;
- if (!audit_enabled) {
+ if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
*ab = NULL;
return rc;
}
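Review bot: `if (!audit_enabled && msg_type != AUDIT_USER_AVC)` is now the second site that must know AUDIT_USER_AVC is exempt when audit_enabled is 0 (the commit message names the other, in audit_receive_msg()); a small helper such as a hypothetical `audit_msg_allowed_when_disabled(msg_type)` called from both places would keep the two conditions from drifting apart in later backports.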
--
1.8.3.2
10 years, 11 months
Converting relative path to absolute path
by Aaron Lewis
Hi,
If I access a file with relative path, the PATH audit message would be
a relative path as well.
I wonder if I can change this behavior without modifying the kernel?
(It seems the audit daemon just receives the msg= field from the kernel directly.)
--
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E
10 years, 11 months
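An added Python example, not from the poster: the kernel already emits a CWD record in the same event as every PATH record, so an absolute path can be rebuilt in userspace by joining the two, without touching the kernel. The three-record event below is constructed, and the decoding of unquoted uppercase hex follows the kernel's convention for names that contain a space, quote or control byte.

```python
import os
import re

# Constructed event (not from the post): the kernel emits one CWD record per
# event beside its PATH records, all carrying the same audit(<time>:<serial>) id.
EVENT = [
    'type=CWD msg=audit(1387000000.123:42):  cwd="/home/aaron/project"',
    'type=PATH msg=audit(1387000000.123:42): item=0 name="../etc/passwd" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0',
    'type=PATH msg=audit(1387000000.123:42): item=1 name=6E616D6520776974682073706163652E747874 inode=1235 dev=08:01 mode=0100644 ouid=1000 ogid=1000',
]
EVENT_ID = re.compile(r'msg=audit\((\d+\.\d+:\d+)\)')
HEX_FIELDS = {'name', 'cwd', 'exe', 'comm', 'key', 'proctitle'}  # strings the kernel may hex-encode

def field(rec, key):
    """One field's value: quotes stripped, kernel hex-encoding (unquoted uppercase
    hex, used when a string holds a space, quote or control byte) decoded, (null) -> None."""
    m = re.search(r'(?:^|\s)%s=(?:"([^"]*)"|([0-9A-F]+)|(\S+))(?=\s|$)' % re.escape(key), rec)
    if not m:
        return None
    quoted, hexed, bare = m.groups()
    if quoted is not None:
        return quoted
    if hexed is not None:
        if key in HEX_FIELDS and len(hexed) % 2 == 0:
            return bytes.fromhex(hexed).decode('utf-8', 'replace')
        return hexed
    return None if bare == '(null)' else bare

def absolute_paths(records):
    """Resolve one event's PATH names against its CWD record. The join is lexical
    (normpath), so symlinks are not followed; inode/dev stay the object's identity."""
    cwd, out = None, []
    for rec in records:
        if rec.startswith('type=CWD '):
            cwd = field(rec, 'cwd')
        elif rec.startswith('type=PATH '):
            name = field(rec, 'name')
            if name is None or cwd is None or os.path.isabs(name):
                out.append(name)
            else:
                out.append(os.path.normpath(os.path.join(cwd, name)))
    return out

def resolve_events(lines):
    by_id = {}  # event id -> its raw records, in arrival order
    for line in lines:
        m = EVENT_ID.search(line)
        if m:
            by_id.setdefault(m.group(1), []).append(line)
    return {eid: absolute_paths(recs) for eid, recs in by_id.items()}
```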
Re: [PATCH] - auditing cmdline
by William Roberts
Sigh... I sent this back out from another email address and got bounced
from the lists... resending. Sorry for the cruft.
On Fri, Dec 6, 2013 at 7:34 AM, William Roberts <WRoberts(a)tresys.com> wrote:
> I sent out 3 patches on 12/2/2013. I didn't get any response. I thought I added the right people based on get_maintainers script.
>
> Can anyone comment on these or point me in the right direction?
>
> RGB, Can you at least ACK the audit subsystem patch " audit: Audit proc cmdline value"?
>
> Thank you,
> Bill
>
> -----Original Message-----
> From: owner-linux-mm(a)kvack.org [mailto:owner-linux-mm@kvack.org] On Behalf Of William Roberts
> Sent: Monday, December 02, 2013 1:11 PM
> To: linux-audit(a)redhat.com; linux-mm(a)kvack.org; linux-kernel(a)vger.kernel.org; rgb(a)redhat.com; viro(a)zeniv.linux.org.uk
> Cc: sds(a)tycho.nsa.gov
> Subject: [PATCH] - auditing cmdline
>
> This patch series relates to work started on the audit mailing list.
> It eventually involved touching other modules, so I am trying to pull in those owners as well. In a nutshell, I add new utility functions for accessing a process's cmdline value as displayed in /proc/<self>/cmdline, then refactor procfs to use the utility functions, and then add the ability to the audit subsystem to record this value.
>
> Thanks for any feedback and help.
>
> [PATCH 1/3] mm: Create utility functions for accessing a tasks
> [PATCH 2/3] proc: Update get proc_pid_cmdline() to use mm.h helpers
> [PATCH 3/3] audit: Audit proc cmdline value
>
--
Respectfully,
William C Roberts
10 years, 11 months
[PATCH 3.11 003/272] audit: printk USER_AVC messages when audit isn't enabled
by Luis Henriques
3.11.10.1 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Tyler Hicks <tyhicks(a)canonical.com>
commit 0868a5e150bc4c47e7a003367cd755811eb41e0b upstream.
When the audit=1 kernel parameter is absent and auditd is not running,
AUDIT_USER_AVC messages are being silently discarded.
AUDIT_USER_AVC messages should be sent to userspace using printk(), as
mentioned in the commit message of 4a4cd633 ("AUDIT: Optimise the
audit-disabled case for discarding user messages").
When audit_enabled is 0, audit_receive_msg() discards all user messages
except for AUDIT_USER_AVC messages. However, audit_log_common_recv_msg()
refuses to allocate an audit_buffer if audit_enabled is 0. The fix is to
special case AUDIT_USER_AVC messages in both functions.
It looks like commit 50397bd1 ("[AUDIT] clean up audit_receive_msg()")
introduced this bug.
Signed-off-by: Tyler Hicks <tyhicks(a)canonical.com>
Cc: Al Viro <viro(a)zeniv.linux.org.uk>
Cc: Eric Paris <eparis(a)redhat.com>
Cc: linux-audit(a)redhat.com
Acked-by: Kees Cook <keescook(a)chromium.org>
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
Signed-off-by: Eric Paris <eparis(a)redhat.com>
Signed-off-by: Luis Henriques <luis.henriques(a)canonical.com>
---
kernel/audit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 7b0e23a..f5dc4b5 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -613,7 +613,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
int rc = 0;
uid_t uid = from_kuid(&init_user_ns, current_uid());
- if (!audit_enabled) {
+ if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
*ab = NULL;
return rc;
}
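Review bot: the early-return path still returns `rc`, which is initialised to 0 two lines above, together with `*ab = NULL`, so "audit disabled, nothing logged" and "buffer allocated" are both rc == 0 and callers have to test *ab rather than the return value; a one-line comment on `return rc;` is worth adding, since the new condition makes this path rarer and therefore easier to forget when the function is next changed.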
--
1.8.3.2
10 years, 11 months