Re: [PATCH RFC 09/48] Audit: make audit_enabled per user namespace
by Aristeu Rozanski
On Tue, May 07, 2013 at 10:20:30AM +0800, Gao feng wrote:
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 684599b..33e6584 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -441,7 +441,8 @@ extern int audit_filter_type(int type);
> extern int audit_receive_filter(int type, int pid, int seq,
> void *data, size_t datasz, kuid_t loginuid,
> u32 sessionid, u32 sid);
> -extern int audit_enabled;
> +#define audit_enabled (init_user_ns.audit.enabled)
> +#define audit_enabled_ns (ns->audit.enabled)
> #else /* CONFIG_AUDIT */
> static inline __printf(4, 5)
> void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
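Review bot: `audit_enabled_ns` is introduced as an object-like macro expanding to `(ns->audit.enabled)`, so it only compiles where a variable literally named `ns` is in scope and cannot be applied to any other expression such as `current_user_ns()`; the !CONFIG_AUDIT stub later in the same file is function-like, so call sites cannot be written to compile in both configurations. Define it as `#define audit_enabled_ns(ns) ((ns)->audit.enabled)`, with the argument parenthesised, and keep `audit_enabled` as the init_user_ns shorthand.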
> @@ -487,6 +488,7 @@ static inline void audit_set_user_ns(struct user_namespace *ns)
> static inline void audit_free_user_ns(struct user_namespace *ns)
> { }
> #define audit_enabled 0
> +#define audit_enabled_ns(ns) 0
Conflicting definitions here. Maybe the first one should be
#define audit_enabled_ns(ns) (ns->audit.enabled)?
> @@ -285,14 +282,15 @@ static int audit_do_config_change(char *function_name, int *to_change,
> u32 sid)
> {
> int allow_changes, rc = 0, old = *to_change;
> + struct user_namespace *ns = current_user_ns();
>
> /* check if we are locked */
> - if (audit_enabled == AUDIT_LOCKED)
> + if (ns->audit.enabled == AUDIT_LOCKED)
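Review bot: the lock check now consults the audit state of `current_user_ns()`, but `*to_change` is still an arbitrary pointer handed in by the caller; if any caller passes a field belonging to a different namespace (init_user_ns included), a request from an unlocked child namespace would pass this check and modify state whose owning namespace is AUDIT_LOCKED. State in the commit message which namespace the callers' `to_change` belongs to, and check the lock of the namespace that owns `*to_change` rather than the caller's.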
Then you don't use the macro you introduced?
> @@ -609,7 +608,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
> char *ctx = NULL;
> u32 len;
>
> - if (!audit_enabled) {
> + if (!init_user_ns.audit.enabled) {
> *ab = NULL;
> return rc;
> }
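Review bot: this hunk hard-codes `init_user_ns.audit.enabled` while the previous hunk in audit_do_config_change reads the same field through `current_user_ns()`; if audit_log_common_recv_msg is meant to follow the requesting task's namespace the two are inconsistent, and if init_user_ns is deliberate here a comment should say why. Either way, going through the accessor macro added to audit.h instead of open-coded field access keeps the `#define audit_enabled_ns(ns) 0` stub effective for !CONFIG_AUDIT builds.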
Same here.
--
Aristeu
audit 2.3 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- The clone(2) man page is really clone(3), fix interpretation of clone syscall
- Add systemd support for reload (#901533)
- Allow -F msgtype on the user filter
- Add legacy support for resuming logging under systemd (#830780)
- Add legacy support for rotating logs under systemd (#916611)
- In auditd, collect SIGUSR2 info for DAEMON_RESUME events
- Updated man pages
- Update libev to 4.15
- Update syscall tables for 3.9 kernel
- Interpret MQ_OPEN events
- Add augenrules support (Burn Alting)
- Consume less stack sending audit events
I had planned on calling this 2.2.4, but since the augenrules program went in, I
thought this was a major release because something landed that everyone should
pay attention to. In case it wasn't apparent from the thread what this does,
I'll now explain it a bit.
Several people have asked for a way to deposit rules into a directory so that
based on what is installed, rules can also be added. This makes it easier to
have a core system that gets packages, config, and files added to make it a
different kind of server or desktop. My guess is that it will be mostly used to
add watches on setuid apps which can differ from machine type to machine type.
The place where these rules are stored is /etc/audit/rules.d. Compiling rules
from that directory will result in a new file being written to
/etc/audit/audit.rules. That means it can overwrite existing rules. Since we
don't want that to happen by accident, augenrules is disabled by default.
To enable it on a SysVinit system, go into /etc/sysconfig/auditd and find the
USE_AUGENRULES variable and set it to "yes". Then copy existing rules into
/etc/audit/rules.d and restart the audit daemon.
For systemd based systems, copy /lib/systemd/system/auditd.service to
/etc/systemd/system/auditd.service. Then find a commented out ExecStartPost
variable and uncomment it. Then delete/comment out the auditctl line. The
--load option to augenrules will call auditctl for you. Also copy any existing
rules into /etc/audit/rules.d so they don't get lost. Then restart auditd.
In both cases, you can check to make sure you have rules loaded with
auditctl -l.
Aside from this major change, this release focused on improving the systemd
support for legacy commands, such as: service auditd rotate, service auditd
resume. This release also trims about 15k of stack space from logging events
via pam, it updates the libev version, and it improves interpretations.
Please let me know if you run across any problems with this release.
-Steve
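The augenrules set-up described in the announcement above, as an added example that is not part of the audit 2.3 release or of the augenrules program itself: it models the two configuration steps (switch USE_AUGENRULES on, compile rules.d into audit.rules) in a scratch directory so nothing under /etc is touched. The sorted concatenation, the `## filename` banners, the .bak copy of the previous audit.rules and the sample rule fragments are this example's own constructions; the announcement says only that compiling writes a new /etc/audit/audit.rules and can overwrite what was there.

```shell
#!/bin/sh
# Added example, not part of the audit 2.3 release or the augenrules
# program. It models the two steps of the announcement in a scratch
# directory so nothing under /etc is touched:
#   1. switch USE_AUGENRULES to "yes" in a sysconfig-style file
#   2. compile a rules.d directory into one audit.rules file
# Sorted concatenation and the .bak copy are this script's own choices;
# the announcement only says compiling writes a new audit.rules.

# Set USE_AUGENRULES="yes" in the given file, appending the line if absent.
enable_augenrules() {
    cfg=$1
    if grep -q '^USE_AUGENRULES=' "$cfg"; then
        sed 's/^USE_AUGENRULES=.*/USE_AUGENRULES="yes"/' "$cfg" > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg"
    else
        printf 'USE_AUGENRULES="yes"\n' >> "$cfg"
    fi
}

# Compile every *.rules file in rules_dir, in filename order, into out.
# Because the result replaces out, an existing file is saved as out.bak
# first: this is the overwrite the announcement warns about.
compile_rules() {
    rules_dir=$1
    out=$2
    if [ -f "$out" ]; then
        cp "$out" "$out.bak"
    fi
    : > "$out.tmp"
    for f in "$rules_dir"/*.rules; do
        [ -f "$f" ] || continue
        printf '## %s\n' "$(basename "$f")" >> "$out.tmp"
        cat "$f" >> "$out.tmp"
    done
    mv "$out.tmp" "$out"
}

# Number of rule lines (neither comment nor blank) in a compiled file.
count_rules() {
    grep -c -v -e '^#' -e '^[[:space:]]*$' "$1"
}

# Build a scratch tree with constructed rule fragments, run both steps
# and print the scratch directory. The fragments follow the use case in
# the announcement: a base file (with the usual -D first to clear old
# rules), identity-file watches carried over from the hand-written
# audit.rules, and per-machine-type watches on setuid binaries.
demo() {
    work=$(mktemp -d)
    mkdir "$work/rules.d"
    printf 'USE_AUGENRULES="no"\n' > "$work/auditd.sysconfig"
    printf '# hand-written legacy rules\n-w /etc/passwd -p wa -k identity\n' \
        > "$work/audit.rules"
    printf -- '-D\n-b 8192\n' > "$work/rules.d/10-base.rules"
    printf -- '-w /etc/passwd -p wa -k identity\n' > "$work/rules.d/20-identity.rules"
    printf -- '-w /usr/bin/sudo -p x -k setuid\n-w /usr/bin/passwd -p x -k setuid\n' \
        > "$work/rules.d/30-setuid.rules"

    enable_augenrules "$work/auditd.sysconfig"
    compile_rules "$work/rules.d" "$work/audit.rules"
    echo "$work"
}

# Stand-alone run: show the compiled file and where the old one went.
workdir=$(demo)
cat "$workdir/audit.rules"
echo "previous rules saved in $workdir/audit.rules.bak"
```

The numeric prefixes on the fragment names are what give the compiled file a predictable order, which matters because `-D` must come before any rule that should survive and `-b` before anything that can generate a burst of events; the .bak copy is the cheap way to keep a hand-written audit.rules from disappearing on the first compile.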
[PATCH 1/2] audit: use given values in tty_audit enable api
by Richard Guy Briggs
In send/GET, we don't want the kernel to lie about what value is set.
In recv/SET, the values are already filtered and don't need cleansing.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/audit.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index d596e53..64354eb 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -872,7 +872,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
struct task_struct *tsk = current;
spin_lock_irq(&tsk->sighand->siglock);
- s.enabled = tsk->signal->audit_tty != 0;
+ s.enabled = tsk->signal->audit_tty;
spin_unlock_irq(&tsk->sighand->siglock);
audit_send_reply(NETLINK_CB(skb).portid, seq,
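Review bot: dropping the `!= 0` on the GET side means `s.enabled` now carries the raw contents of `tsk->signal->audit_tty` back to userspace instead of a 0/1 flag; the commit message should say which values that field can hold beyond 0 and 1 so consumers of the AUDIT_TTY_GET reply know the field is no longer a plain boolean.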
@@ -890,7 +890,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
return -EINVAL;
spin_lock_irq(&tsk->sighand->siglock);
- tsk->signal->audit_tty = s->enabled != 0;
+ tsk->signal->audit_tty = s->enabled;
spin_unlock_irq(&tsk->sighand->siglock);
break;
}
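Review bot: removing the `!= 0` normalisation on SET stores whatever userspace supplied in `s->enabled` directly into `tsk->signal->audit_tty`; the commit message says the values are "already filtered", but the only validation visible in this hunk is the `return -EINVAL;` context line above the lock. Name the check that filters the value, or keep an explicit range check next to the assignment, so a later change to that validation cannot let arbitrary values reach `audit_tty`.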
--
1.7.1
[PATCH] pam_tty_audit: add an option to control logging of passwords: log_passwd
by Richard Guy Briggs
Most commands are entered one line at a time and processed as complete lines
in non-canonical mode. Commands that interactively require a password, enter
canonical mode with echo set to off to do this. This feature (icanon and
!echo) can be used to avoid logging passwords by audit while still logging the
rest of the command.
Adding a member to the struct audit_tty_status passed in by pam_tty_audit
allows control of logging passwords per task.
This can be used with older kernels since it checks for the needed structure
members at compile time.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
configure.in | 15 +++++++++++++++
modules/pam_tty_audit/Makefile.am | 3 +++
modules/pam_tty_audit/pam_tty_audit.8.xml | 15 +++++++++++++++
modules/pam_tty_audit/pam_tty_audit.c | 23 ++++++++++++++++++++++-
4 files changed, 55 insertions(+), 1 deletions(-)
diff --git a/configure.in b/configure.in
index 515b301..02963a8 100644
--- a/configure.in
+++ b/configure.in
@@ -386,6 +386,19 @@ if test x"$WITH_LIBAUDIT" != xno ; then
fi
if test ! -z "$HAVE_AUDIT_TTY_STATUS" ; then
AC_DEFINE([HAVE_AUDIT_TTY_STATUS], 1, [Define to 1 if struct audit_tty_status exists.])
+
+ AC_CHECK_MEMBER(
+ [struct audit_tty_status.log_passwd],
+ [
+ HAVE_AUDIT_TTY_STATUS_LOG_PASSWD=yes
+ AC_DEFINE([HAVE_AUDIT_TTY_STATUS_LOG_PASSWD], 1, [Define to 1 if struct audit_tty_status.log_passwd exists.])
+ ],
+ [
+ HAVE_AUDIT_TTY_STATUS_LOG_PASSWD=""
+ AC_MSG_WARN([The struct audit_tty_status.log_passwd member is needed for the log_passwd option. The log_passwd option is disabled.])
+ ],
+ [[#include <libaudit.h>]]
+ )
fi
else
LIBAUDIT=""
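Review bot: the AC_CHECK_MEMBER probe is given only `#include <libaudit.h>` as its includes; if the earlier struct audit_tty_status detection needed extra CPPFLAGS to find that header, the same flags must be in effect here or the member check fails and the option is silently disabled on exactly the systems that have it. Two smaller points in the same hunk: the failure branch assigns the empty string where WITH_LIBAUDIT uses a yes/no convention (assigning `no` keeps the `test "x$..." = xyes` idiom readable), and AC_MSG_WARN fires on every configure run against older libaudit for what is an expected absent optional feature, so AC_MSG_NOTICE may be the better severity.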
@@ -393,6 +406,8 @@ fi
AC_SUBST(LIBAUDIT)
AM_CONDITIONAL([HAVE_AUDIT_TTY_STATUS],
[test "x$HAVE_AUDIT_TTY_STATUS" = xyes])
+AM_CONDITIONAL([HAVE_AUDIT_TTY_STATUS_LOG_PASSWD],
+ [test "x$HAVE_AUDIT_TTY_STATUS_LOG_PASSWD" = xyes])
AC_CHECK_HEADERS(xcrypt.h crypt.h)
AS_IF([test "x$ac_cv_header_xcrypt_h" = "xyes"],
diff --git a/modules/pam_tty_audit/Makefile.am b/modules/pam_tty_audit/Makefile.am
index 6378483..ee897e7 100644
--- a/modules/pam_tty_audit/Makefile.am
+++ b/modules/pam_tty_audit/Makefile.am
@@ -16,6 +16,9 @@ XMLS = README.xml pam_tty_audit.8.xml
securelibdir = $(SECUREDIR)
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
+if HAVE_AUDIT_TTY_STATUS_LOG_PASSWD
+ AM_CFLAGS += -DHAVE_AUDIT_TTY_STATUS_LOG_PASSWD
+endif
AM_LDFLAGS = -no-undefined -avoid-version -module
if HAVE_VERSIONING
AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
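Review bot: configure.in already records HAVE_AUDIT_TTY_STATUS_LOG_PASSWD in config.h through AC_DEFINE, so appending `-DHAVE_AUDIT_TTY_STATUS_LOG_PASSWD` to AM_CFLAGS defines the same macro a second time. If pam_tty_audit.c includes config.h, this conditional and the CFLAGS addition are redundant and can go; if it does not, including config.h is the fix rather than carrying the macro through two mechanisms.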
diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml
index 447b845..552353c 100644
--- a/modules/pam_tty_audit/pam_tty_audit.8.xml
+++ b/modules/pam_tty_audit/pam_tty_audit.8.xml
@@ -77,6 +77,19 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>log_passwd</option>
+ </term>
+ <listitem>
+ <para>
+ Log keystrokes when ECHO mode is off but ICANON mode is active.
+ This is the mode in which the tty is placed during password entry.
+ By default, passwords are not logged. This option may not be
+ available on older kernels (3.9?).
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
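Review bot: the man page text "This option may not be available on older kernels (3.9?)" ships a question mark to users; state the condition precisely, which from this patch is that the option is unavailable when the libaudit headers used at build time lack the log_passwd member of struct audit_tty_status, and give a firm kernel version once it is known. "Log keystrokes when ECHO mode is off but ICANON mode is active" would also read more precisely as "when ICANON is set and ECHO is cleared", matching the flag names in termios(3).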
@@ -161,6 +174,8 @@ session required pam_tty_audit.so disable=* enable=root
<para>
pam_tty_audit was written by Miloslav Trmač
<mitr(a)redhat.com>.
+ The log_passwd option was added by Richard Guy Briggs
+ <rgb(a)redhat.com>.
</para>
</refsect1>
diff --git a/modules/pam_tty_audit/pam_tty_audit.c b/modules/pam_tty_audit/pam_tty_audit.c
index 080f495..b8f3821 100644
--- a/modules/pam_tty_audit/pam_tty_audit.c
+++ b/modules/pam_tty_audit/pam_tty_audit.c
@@ -201,6 +201,9 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
struct audit_tty_status *old_status, new_status;
const char *user;
int i, fd, open_only;
+#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD
+ int log_passwd;
+#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */
(void)flags;
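Review bot: the `#ifdef`-wrapped declaration could initialise `log_passwd = 0` at the point of declaration, which would remove the second `#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD` block later in the function that exists only to set it to zero.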
@@ -212,6 +215,9 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
command = CMD_NONE;
open_only = 0;
+#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD
+ log_passwd = 0;
+#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */
for (i = 0; i < argc; i++)
{
if (strncmp (argv[i], "enable=", 7) == 0
@@ -237,6 +243,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
}
else if (strcmp (argv[i], "open_only") == 0)
open_only = 1;
+ else if (strcmp (argv[i], "log_passwd") == 0)
+#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD
+ log_passwd = 1;
+#else /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */
+ pam_syslog (pamh, LOG_WARNING,
+ "pam_tty_audit: The log_passwd option was not available at compile time.");
+#warning "pam_tty_audit: The log_passwd option is not available. Please upgrade your kernel."
+#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */
else
{
pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]);
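Review bot: the `#warning` in the `#else` branch fires on every build against headers without the member, and its text "Please upgrade your kernel" points at the wrong component: the check is a compile-time test of libaudit's struct audit_tty_status, not of the running kernel, so a newer kernel with old headers still produces it. Drop the `#warning` (configure already warns) or make it say the libaudit headers lack log_passwd. The runtime `pam_syslog` is the right place for the message, and since the administrator explicitly asked for log_passwd in the PAM configuration and is not getting it, LOG_ERR matches the severity used for an unknown option just below.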
@@ -262,7 +276,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
}
new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
- if (old_status->enabled == new_status.enabled)
+#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD
+ new_status.log_passwd = log_passwd;
+#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */
+ if (old_status->enabled == new_status.enabled
+#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD
+ && old_status->log_passwd == new_status.log_passwd
+#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */
+ )
{
open_only = 1; /* to clean up old_status */
goto ok_fd;
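Review bot: `new_status.log_passwd = log_passwd;` is copied regardless of whether `command` is CMD_ENABLE or CMD_DISABLE, and the early-out comparison now includes it, so a `disable=... log_passwd` entry for a session whose auditing is already off will differ from `old_status` whenever the kernel reports log_passwd as 0 and fall through to the set path instead of taking the `goto ok_fd` shortcut. Clear `log_passwd` when `new_status.enabled` is 0, or document in the man page that log_passwd is only meaningful together with enable=.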
--
1.7.1
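The icanon-and-no-echo rule the commit message relies on, as an added example that is not part of the pam_tty_audit patch or of the kernel: a small C model of which keystrokes survive the filter with and without log_passwd. The key sequence, the helper names and the fixed-size buffers are this example's own constructions, and the kernel's real audit_tty buffering is not reproduced. It also shows the limit of the heuristic: a secret typed to a program running in raw mode (ICANON cleared as well as ECHO) is not recognised as password entry and is logged either way.

```c
/* Added example, not code from the pam_tty_audit patch or the kernel.
 * It models the rule the patch's commit message relies on: keystrokes
 * typed while the tty has ICANON set and ECHO cleared are treated as
 * password entry and left out of the audit record unless log_passwd
 * is set. The key sequence below is constructed for the demonstration;
 * the kernel's real audit_tty buffering is not reproduced. */
#include <stdio.h>
#include <string.h>
#include <termios.h>

/* The termios test the heuristic is built from. */
static int in_password_mode(const struct termios *t)
{
    return (t->c_lflag & ICANON) && !(t->c_lflag & ECHO);
}

/* What passwd-style programs do before reading a secret: clear ECHO
 * but keep ICANON, so the line is still delivered as a whole. */
static void enter_password_mode(struct termios *t)
{
    t->c_lflag |= ICANON;
    t->c_lflag &= ~(tcflag_t)ECHO;
}

/* A full-screen or raw-mode reader: ICANON and ECHO both cleared.
 * The heuristic cannot recognise secrets typed in this mode. */
static void enter_raw_mode(struct termios *t)
{
    t->c_lflag &= ~(tcflag_t)(ICANON | ECHO);
}

static void restore_line_mode(struct termios *t)
{
    t->c_lflag |= ICANON | ECHO;
}

/* One keystroke together with the tty mode in force when it arrived. */
struct key_event {
    struct termios mode;
    char ch;
};

/* Copy into 'out' the keystrokes an auditor would see. With
 * log_passwd == 0 password-mode keystrokes are dropped; with
 * log_passwd != 0 everything is kept. Returns the number of bytes kept. */
size_t audit_filter(const struct key_event *ev, size_t n, int log_passwd,
                    char *out, size_t outsz)
{
    size_t kept = 0;
    for (size_t i = 0; i < n && kept + 1 < outsz; i++) {
        if (!log_passwd && in_password_mode(&ev[i].mode))
            continue;
        out[kept++] = ev[i].ch;
    }
    out[kept] = '\0';
    return kept;
}

/* Constructed session: "su" typed at a shell prompt, the password typed
 * with echo off, "id" back at the prompt, then one key answered to a
 * raw-mode program. Returns the number of events written. */
size_t build_session(struct key_event *ev, size_t max)
{
    static const char *const parts[4] = { "su\n", "hunter2\n", "id\n", "y" };
    struct termios t;
    size_t n = 0;

    memset(&t, 0, sizeof t);
    restore_line_mode(&t);              /* ordinary interactive shell */
    for (int p = 0; p < 4; p++) {
        if (p == 1) enter_password_mode(&t);
        if (p == 2) restore_line_mode(&t);
        if (p == 3) enter_raw_mode(&t);
        for (const char *c = parts[p]; *c && n < max; c++) {
            ev[n].mode = t;
            ev[n].ch = *c;
            n++;
        }
    }
    return n;
}

int main(void)
{
    struct key_event ev[64];
    char seen[64];
    size_t n = build_session(ev, 64);

    audit_filter(ev, n, 0, seen, sizeof seen);
    printf("default:    %s\n", seen);   /* su, id and the raw 'y'; no password */
    audit_filter(ev, n, 1, seen, sizeof seen);
    printf("log_passwd: %s\n", seen);   /* everything, password included */
    return 0;
}
```

The raw-mode keystroke is the case to keep in mind when reading the man page text: the suppression is keyed on the tty mode, not on what the program does with the input, so anything that reads secrets outside canonical mode (or reads them with echo still on) ends up in the audit log regardless of log_passwd.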