Proposed additions to ausearch
by Burn Alting
I want to add a number of features to ausearch and would like the list
to make comment on my proposals before implementing same.
#1
Have ausearch only output whole events (all supplemental records of an
event must be present in the audit.log files to be output) and maintain
state to know the last whole event displayed.
The use case is for when one periodically processes the audit log files
and the last log file opened does not necessarily hold whole events for
the last few events in the file.
One could possibly achieve this using the --start/--end arguments to
ausearch but it would be challenging to work out the appropriate
start/end times on a high log throughput system.
My plan is to maintain state recording the last whole event displayed
along with details of the file it resided in (eg inode, etc).
#2
Add a 'parser friendly' option to ausearch's -i output such that it is
more friendly for parsing. As we know, the -i argument causes output in
the form of
- a "header" comprising
- the node if present as a key value pair
- the event type as a key value pair
- the message date/time and serial
- a colon
- a series of key value pairs
The new option would have output that
- surrounds all values with double quotes
- escapes embedded double quote and backslash characters in the value
with the backslash character '\'
- translates embedded newlines or carriage returns into '\n' and '\r'
respectively
- translates all non-printing characters into escaped octal values or
some other recommended text-based format.
#3
Add an option to include the original value as well as the interpreted
value when interpretation (-i) is requested. This would be for specified
keys or key types.
One use case would be for user or group names to include the original
uid/gids. This is to aid de-conflicting inadvertent user or group
attribution across an enterprise environment.
The option would have arguments that identify what key values will have
both original and interpreted values.
Regards
Burn Alting
11 years, 5 months
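The whole-event rule from proposal #1, as an added example in C that is not part of the proposal or of ausearch itself. It assumes a single log file read in order, treats an event as whole once a record carrying a later serial has appeared (an assumption made for this example, not the rule ausearch applies; interleaved events and EOE records are out of scope), and carries the serial of the last whole event as the state a later run resumes from. record_serial(), whole_events() and the sample records are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample records (not taken from a real audit.log). Event 967
 * is the trailing event: while only the first five records have been
 * written, nothing proves it is whole yet. */
const char *const sample_log[] = {
    "type=SYSCALL msg=audit(1366128956.279:965): arch=c000003e syscall=2 success=no exit=-2",
    "type=PATH msg=audit(1366128956.279:965): item=0 name=\"/tmp/x\"",
    "type=USER_LOGIN msg=audit(1366128957.001:966): pid=1 uid=0 res=success",
    "type=SYSCALL msg=audit(1366128958.500:967): arch=c000003e syscall=59 success=yes exit=0",
    "type=EXECVE msg=audit(1366128958.500:967): argc=1 a0=\"ls\"",
    "type=USER_START msg=audit(1366128959.000:968): pid=2 uid=0 res=success",
};
const size_t sample_log_len = sizeof sample_log / sizeof sample_log[0];

/* Pull the serial out of a record's "msg=audit(sec.ms:serial)" stamp.
 * Returns 0 when the line carries no usable stamp. */
unsigned long record_serial(const char *line)
{
    const char *p = strstr(line, "msg=audit(");
    if (!p)
        return 0;
    p = strchr(p, ':');
    if (!p)
        return 0;
    return strtoul(p + 1, NULL, 10);
}

/* Walk the records of one file in order. Records sharing a serial belong to
 * one event. An event counts as whole only once a record with a different
 * serial has been seen after it; the trailing run may still be growing on a
 * live system, so it is held back. Records with serial <= resume_after were
 * already displayed by an earlier run and are skipped. Returns the number of
 * newly whole events and stores the serial of the last one in *last_whole,
 * which is the state the next run should resume from. */
size_t whole_events(const char *const *lines, size_t n,
                    unsigned long resume_after, unsigned long *last_whole)
{
    size_t complete = 0;
    unsigned long open = 0;   /* serial of the event still being collected */

    *last_whole = resume_after;
    for (size_t i = 0; i < n; i++) {
        unsigned long s = record_serial(lines[i]);
        if (s == 0 || s <= resume_after)
            continue;                   /* unparsable or already shown */
        if (open != 0 && s != open) {   /* a later serial closes the open event */
            complete++;
            *last_whole = open;
        }
        open = s;
    }
    return complete;
}

int main(void)
{
    unsigned long last;
    size_t n;

    /* first pass: the file holds only the first five records */
    n = whole_events(sample_log, 5, 0, &last);
    printf("first pass: %zu whole events, last whole serial %lu\n", n, last);

    /* second pass: the file has grown, resume from the saved state */
    n = whole_events(sample_log, sample_log_len, last, &last);
    printf("second pass: %zu new whole events, last whole serial %lu\n", n, last);
    return 0;
}
```

Persisting `last_whole` together with the identity of the file it came from (the inode the proposal mentions) is what lets the second pass skip everything the first pass already displayed while still picking up event 967 once record 968 proves it whole.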
[PATCH] [BZ905179] audit: omit check for uid and gid validity in audit rules and data
by Richard Guy Briggs
audit rule additions containing "-F auid!=4294967295" were failing with EINVAL.
UID_INVALID (and GID_INVALID) is actually a valid uid (gid) for setting and
testing against audit rules. Remove the check for invalid uid and gid when
parsing rules and data for logging.
Revert part of ca57ec0f00c3f139c41bf6b0a5b9bcc95bbb2ad7 (2012-09-11) to fix
this.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/auditfilter.c | 12 ------------
1 files changed, 0 insertions(+), 12 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index f9fc54b..457ee39 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -360,10 +360,7 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
/* bit ops not implemented for uid comparisons */
if (f->op == Audit_bitmask || f->op == Audit_bittest)
goto exit_free;
-
f->uid = make_kuid(current_user_ns(), f->val);
- if (!uid_valid(f->uid))
- goto exit_free;
break;
case AUDIT_GID:
case AUDIT_EGID:
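Review bot: removing the uid_valid() check here accepts more than the auid=4294967295 case the commit message describes: make_kuid() also returns INVALID_UID for any value that has no mapping in the current user namespace, and that result is now stored in f->uid without complaint. The message should say that unmapped ids are intentionally accepted as well, or the check should be narrowed so that only the -1 value passes.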
@@ -372,10 +369,7 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
/* bit ops not implemented for gid comparisons */
if (f->op == Audit_bitmask || f->op == Audit_bittest)
goto exit_free;
-
f->gid = make_kgid(current_user_ns(), f->val);
- if (!gid_valid(f->gid))
- goto exit_free;
break;
case AUDIT_PID:
case AUDIT_PERS:
@@ -469,10 +463,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
/* bit ops not implemented for uid comparisons */
if (f->op == Audit_bitmask || f->op == Audit_bittest)
goto exit_free;
-
f->uid = make_kuid(current_user_ns(), f->val);
- if (!uid_valid(f->uid))
- goto exit_free;
break;
case AUDIT_GID:
case AUDIT_EGID:
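Review bot: this is the same deletion as in audit_rule_to_entry, repeated for the uid case of audit_data_to_entry with the gid case following; the four blocks being identical is why both the original commit and this revert have to touch four places. A small helper shared by audit_rule_to_entry and audit_data_to_entry would keep the uid and gid handling from drifting apart again.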
@@ -482,10 +473,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
/* bit ops not implemented for gid comparisons */
if (f->op == Audit_bitmask || f->op == Audit_bittest)
goto exit_free;
-
f->gid = make_kgid(current_user_ns(), f->val);
- if (!gid_valid(f->gid))
- goto exit_free;
break;
case AUDIT_PID:
case AUDIT_PERS:
--
1.7.1
11 years, 5 months
Kernel patches needed
by Steve Grubb
Hi,
I was just doing some validation work to make sure the newly converted
ausearch is producing the exact same output as it used to...and found a couple
of items that need patching.
1) AUDIT_TTY events are not recording a subject field.
2) AVC records can sometimes have dev="md1". The dev field is documented as
being the numeric device number. Cases like this should be changed to
"devname" which can be encoded.
3) We might need a supplemental record for *setxattr. The flags field is the
fifth argument and not recorded anywhere.
Thanks,
-Steve
11 years, 5 months
[PATCH] ausearch: Minor bugs and enhanced interpret output
by Burn Alting
All,
Please find attached a patch against the latest svn repository for your
review.
This patch
a. Fixes a bug where if print_recv() is passed a zero value, no output
is generated
b. When print_clone_flags() cannot interpret the passed flags, will
print the flags as a hex value, rather than a decimal.
c. Fixes a bug in that the last value printed on a line has a space
appended.
d. Parses the op key value for CONFIG_CHANGE as a string.
e. Introduces a new option to ausearch, --einterpret that, like the
--interpret option, generates human readable output, but has the
additional feature of making the output easier to parse. See ausearch
manual for sub-options.
Regards
Burn Alting
11 years, 5 months
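The value quoting rules from proposal #2 in "Proposed additions to ausearch" and item (e) above, as an added example in C that is neither the submitted patch nor ausearch's own code. escape_value() and format_pair() are names assumed here; the rules applied are the four the proposal lists (wrap in double quotes, backslash-escape '"' and '\', write newline and carriage return as \n and \r, write other non-printing bytes as three-digit octal), and the sample values are constructed. The functions report a too-small output buffer instead of truncating, because a truncated escaped value can lose its closing quote and break the parser downstream.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Escape one field value for the parser-friendly output format:
 *   '"' and '\'            -> prefixed with '\'
 *   newline, carriage return -> \n and \r
 *   any other non-printing byte -> three-digit octal \ooo
 * The caller wraps the result in double quotes. Returns the number of
 * bytes written (excluding the NUL) or -1 when out is too small. */
int escape_value(const char *in, char *out, size_t outsz)
{
    size_t o = 0;

    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char tmp[5];
        const char *rep;
        size_t n;

        switch (*p) {
        case '"':  rep = "\\\""; break;
        case '\\': rep = "\\\\"; break;
        case '\n': rep = "\\n";  break;
        case '\r': rep = "\\r";  break;
        default:
            if (isprint(*p)) {
                tmp[0] = (char)*p;
                tmp[1] = '\0';
            } else {
                snprintf(tmp, sizeof tmp, "\\%03o", *p);
            }
            rep = tmp;
        }
        n = strlen(rep);
        if (o + n + 1 > outsz)          /* keep room for the NUL */
            return -1;
        memcpy(out + o, rep, n);
        o += n;
    }
    out[o] = '\0';
    return (int)o;
}

/* Emit key="escaped value". Returns bytes written or -1 on overflow. */
int format_pair(const char *key, const char *value, char *out, size_t outsz)
{
    char esc[1024];
    int n;

    if (escape_value(value, esc, sizeof esc) < 0)
        return -1;
    n = snprintf(out, outsz, "%s=\"%s\"", key, esc);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

int main(void)
{
    /* constructed sample values, not taken from a real audit.log */
    char out[256];

    if (format_pair("comm", "bash -c \"echo hi\"", out, sizeof out) >= 0)
        puts(out);
    if (format_pair("proctitle", "a\tb\n", out, sizeof out) >= 0)
        puts(out);
    return 0;
}
```

Because every byte that could terminate a value early is either escaped or replaced, a consumer can split the line on unescaped spaces and trust that a double quote only ends a value when it is not preceded by an odd number of backslashes.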
[PATCH] auparse: add a check to au->source_list to ensure it not null
by 车烈权
Hi all:
I found a bug: the auvirt process generates a coredump when there is no file
named audit.log, in the case where /var/log/audit/audit.log has been removed by
someone.
I made a patch to solve this problem.
Index: auparse/auparse.c
===================================================================
--- auparse/auparse.c (版本 814)
+++ auparse/auparse.c (工作副本)
@@ -806,7 +806,7 @@
case AUSOURCE_FILE:
case AUSOURCE_FILE_ARRAY:
// if the first time through, open file
- if (au->list_idx == 0 && au->in == NULL) {
+ if (au->list_idx == 0 && au->in == NULL &&
au->source_list != NULL) {
if (au->source_list[au->list_idx] == NULL) {
errno = 0;
return -2;
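Review bot: as pasted, the new condition is wrapped onto two lines and the continuation `au->source_list != NULL) {` carries no leading `+`, so the patch will not apply with patch(1); please resend it unwrapped or as an attachment. On the logic, when source_list is NULL the extended guard makes the whole `if` false, so retrieve_next_line() skips the open block and carries on with au->in still NULL instead of reporting the missing file; a clearer fix tests `au->source_list == NULL` on its own and returns -2 with errno = 0, mirroring what the NULL-entry branch at line 810 already does.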
[clq@localhost trunk]# auvirt
Unable to open /var/log/audit/audit.log (No such file or directory)
No log file
Segmentation fault (core dumped)
The backtrace is as follows:
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Core was generated by `./tools/auvirt/.libs/lt-auvirt'.
Program terminated with signal 11, Segmentation fault.
#0 0x00007fb2cc547b24 in retrieve_next_line (au=0x682830) at auparse.c:810
810 if (au->source_list[au->list_idx] == NULL) {
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.107.el6.x86_64
(gdb) bt
#0 0x00007fb2cc547b24 in retrieve_next_line (au=0x682830) at auparse.c:810
#1 auparse_next_event (au=0x682830) at auparse.c:958
#2 0x00007fb2cc547c52 in auparse_first_record (au=<value optimized out>) at auparse.c:1131
#3 0x00007fb2cc547d77 in ausearch_next_event (au=0x682830) at auparse.c:923
#4 0x00000000004043b8 in main (argc=<value optimized out>, argv=<value optimized out>) at auvirt.c:1542
(gdb) f 0
#0 0x00007fb2cc547b24 in retrieve_next_line (au=0x682830) at auparse.c:810
810 if (au->source_list[au->list_idx] == NULL) {
(gdb) p *au
$1 = {source = AUSOURCE_LOGS, source_list = 0x0, list_idx = 0, in = 0x0, line_number = 0, next_buf = 0x0, off = 0, cur_buf = 0x0, line_pushed = 0, le = {head = 0x0, cur = 0x0, cnt = 0, e = {sec = 0, milli = 0, serial = 0, host = 0x0}}, expr = 0x680c90, find_field = 0x0, search_where = AUSEARCH_STOP_EVENT, parse_state = EVENT_EMPTY, databuf = {flags = 0, alloc_size = 0, alloc_ptr = 0x0, offset = 0, len = 0, max_len = 0}, callback = 0, callback_user_data = 0x0, callback_user_data_destroy = 0}
(gdb) p au->source_list
$2 = (char **) 0x0
(gdb)
Best Regards!
11 years, 5 months
[PATCH] audit: add child record before the create to handle case where create fails
by Jeff Layton
Historically, when a syscall that creates a dentry fails, you get an audit
record that looks something like this (when trying to create a file named
"new" in "/tmp/tmp.SxiLnCcv63"):
type=PATH msg=audit(1366128956.279:965): item=0 name="/tmp/tmp.SxiLnCcv63/new" inode=2138308 dev=fd:02 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:user_tmp_t:s15:c0.c1023
This record makes no sense since it's associating the inode information for
"/tmp/tmp.SxiLnCcv63" with the path "/tmp/tmp.SxiLnCcv63/new". The recent
patch I posted to fix the audit_inode call in do_last fixes this, by making it
look more like this:
type=PATH msg=audit(1366128765.989:13875): item=0 name="/tmp/tmp.DJ1O8V3e4f/" inode=141 dev=fd:02 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:user_tmp_t:s15:c0.c1023
While this is more correct, if the creation of the file fails, then we
have no record of the filename that the user tried to create.
This patch adds a call to audit_inode_child to may_create. This creates
an AUDIT_TYPE_CHILD_CREATE record that will sit in place until the
create succeeds. When and if the create does succeed, then this record
will be updated with the correct inode info from the create.
Signed-off-by: Jeff Layton <jlayton(a)redhat.com>
---
fs/namei.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/fs/namei.c b/fs/namei.c
index 85e40d1..e2a32e1 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2263,6 +2263,7 @@ static int may_delete(struct inode *dir,struct dentry *victim,int isdir)
*/
static inline int may_create(struct inode *dir, struct dentry *child)
{
+ audit_inode_child(dir, child, AUDIT_TYPE_CHILD_CREATE);
if (child->d_inode)
return -EEXIST;
if (IS_DEADDIR(dir))
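Review bot: the audit_inode_child() call sits ahead of the d_inode and IS_DEADDIR checks, so a child-create record is now recorded for every may_create() caller, including the ones that return -EEXIST a line later; that is the stated intent, but the commit message should say what the call costs when no syscall audit context is active, since it now runs on every create path. The diffstat touches only fs/namei.c, so AUDIT_TYPE_CHILD_CREATE must already exist in the target tree; name the series this applies on top of.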
--
1.7.1
11 years, 5 months
[GIT PULL] Audit changes for 3.10
by Eric Paris
Al used to send pull requests every couple of years but he told me to
just start pushing them to you directly.
The following changes since commit 19f949f52599ba7c3f67a5897ac6be14bfcb1200:
Linux 3.8 (2013-02-18 15:58:34 -0800)
are available in the git repository at:
git://git.infradead.org/users/eparis/audit.git master
for you to fetch changes up to 2a0b4be6dd655e24990da1d0811e28b9277f8b12:
audit: fix message spacing printing auid (2013-05-08 00:02:19 -0400)
Most of the changes are in audit* files so you shouldn't much care. Our
touching outside of core audit code is pretty straight forward. A couple
of interface changes which hit net/. A simple argument bug calling audit
functions in namei.c and the removal of some assembly branch prediction
code on ppc.
Looks like you are going to have 2 merge failures due to patches which
came in through akpm.
The first in kernel/audit.c is a simple resolution. My tree is correct
deleting those 3 lines.
The second in kernel/audit.h is a little worse. You want to take my
tree. Remove the #ifdef CONFIG_AUDIT and #endif towards the end of the
new code. Then you want to remove the line declaring extern int
audit_enabled;
I'm attaching my merge resolution commit as a reference.
----------------------------------------------------------------
Andrew Morton (1):
auditsc: remove audit_set_context() altogether - fold it into its caller
Anton Blanchard (2):
audit: Syscall rules are not applied to existing processes on non-x86
powerpc: Remove static branch prediction in 64bit traced syscall path
Chen Gang (1):
kernel: audit: beautify code, for extern function, better to check its parameters by itself
Dmitry Monakhov (1):
audit: destroy long filenames correctly
Eric Paris (17):
audit: use data= not msg= for AUDIT_USER_TTY messages
Audit: do not print error when LSMs disabled
audit: fix build break when AUDIT_DEBUG == 2
audit: allow checking the type of audit message in the user filter
audit: make validity checking generic
audit: remove the old depricated kernel interface
audit: stop pushing loginid, uid, sessionid as arguments
audit: push loginuid and sessionid processing down
audit: use a consistent audit helper to log lsm information
helper for some session id stuff
audit: use spin_lock_irqsave/restore in audit tty code
audit: do not needlessly take a spinlock in copy_signal
audit: do not needlessly take a lock in tty_audit_exit
audit: use spin_lock in audit_receive_msg to process tty logging
audit: fix event coverage of AUDIT_ANOM_LINK
Revert "audit: move kaudit thread start from auditd registration to kaudit init"
audit: fix message spacing printing auid
Eric W. Biederman (1):
audit: Make testing for a valid loginuid explicit.
Gao feng (1):
audit: remove duplicate export of audit_enabled
Jeff Layton (1):
audit: vfs: fix audit_inode call in O_CREAT case of do_last
Matvejchikov Ilya (1):
audit: improve GID/EGID comparation logic
Rakib Mullick (1):
auditsc: Use kzalloc instead of kmalloc+memset.
Richard Guy Briggs (4):
audit: refactor hold queue flush
audit: flatten kauditd_thread wait queue code
audit: move kaudit thread start from auditd registration to kaudit init
audit: add an option to control logging of passwords with pam_tty_audit
arch/powerpc/kernel/entry_64.S | 2 +-
drivers/tty/tty_audit.c | 104 +++++++++++++++--------------------
fs/namei.c | 2 +-
include/linux/audit.h | 48 ++++++++++------
include/linux/sched.h | 1 +
include/linux/tty.h | 6 +-
include/uapi/linux/audit.h | 4 +-
kernel/audit.c | 516 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--------------------------------------------------------
kernel/audit.h | 156 ++++++++++++++++++++++++++++++++++++++++++++++++++++
kernel/auditfilter.c | 360 +++++++++++++++++++++++++++++++++++++-----------------------------------------------------------------------------------
kernel/auditsc.c | 421 +++++++++++++++-----------------------------------------------------------------------------------------------------------------------------
net/socket.c | 6 +-
12 files changed, 749 insertions(+), 877 deletions(-)
11 years, 5 months
Re: [PATCH RFC 10/48] Audit: change type of audit_ever_enabled to bool
by Matt Helsley
On Tue, May 07, 2013 at 10:20:31AM +0800, Gao feng wrote:
> It's better to define audit_ever_enabled as bool
>
> Signed-off-by: Gao feng <gaofeng(a)cn.fujitsu.com>
> ---
> kernel/audit.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 4595a9e..1138ff5 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -76,7 +76,7 @@ static int audit_initialized;
> #define AUDIT_OFF 0
> #define AUDIT_ON 1
> #define AUDIT_LOCKED 2
> -int audit_ever_enabled;
> +bool audit_ever_enabled;
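Review bot: the diffstat shows only kernel/audit.c changing, so if audit_ever_enabled is declared extern in a header, that declaration keeps type int while the definition becomes bool, and the two will disagree; either update the declaration in the same patch or state that no extern declaration of it exists.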
I think you're better off placing this at the beginning of the series
and submitting it separately since it's only incidentally related to
this RFC.
Cheers,
-Matt Helsley
11 years, 5 months