audit 2.3.2 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Put RefuseManualStop in the right systemd section (#969345)
- Add legacy restart scripts for systemd support
- Add more syscall argument interpretations
- Add 'unset' keyword for uid & gid values in auditctl
- In ausearch, parse obj in IPC records
- In ausearch, parse subj in DAEMON_ROTATE records
- Fix interpretation of MQ_OPEN and MQ_NOTIFY events
- In auditd, restart dispatcher on SIGHUP if it had previously exited
- In audispd, exit when no active plugins are detected on reconfigure
- In audispd, clear signal mask set by libev so that SIGHUP works again
- In audispd, track binary plugins and restart if binary was updated
- In audispd, make sure we send signals to the correct process
- In auditd, clear signal mask when spawning any child process
- In audispd, make builtin plugins respond to SIGHUP
- In auparse, interpret mode flags of open syscall if O_CREAT is passed
- In audisp-remote, don't make address lookup always a permanent failure
- In audisp-remote, remove EOE events more efficiently
- In auditd, log the reason when email account is not valid
- In audisp-remote, change default remote_ending action to reconnect
- Add support for Aarch64 processors
This release's main focus was some maintenance of the audispd program. It was
found to not be working as intended due to some changes to signal masks in
auditd a couple years ago.
Also in auditctl, you can now use 'unset' to mean a user id of 4294967295 or
-1. This should look nicer as:
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -F auid>=500 -F
auid!=4294967295 -k access
can now be:
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -F auid>=500 -F
auid!=unset -k access
Some work was done in audisp-remote so that getaddrinfo failures are not
permanent failures. Sometimes DNS lookup fails for various reasons. This makes
it more forgiving. Also, the way that EOE (End of Event) records are strippped
out was improved so that it should be more efficient time-wise.
It was found that ausearch couldn't match a couple fields IPC and DAEMON_ROTATE
events. These were fixed. And lastly, initial support was created for 64 bit
ARM processors.
Please let me know if you run across any problems with this release.
-Steve
11 years, 4 months
How to make audit match only one rule?
by zhu xiuming
HI
I have two rules in my audit rules
-a always,exit -F arch=b32 -S execve -k EXEC_LOG
-w /etc/passwd -p wra -k identity
When I enter
cat /etc/passwd on the console
Both rules are matched and there is redundant information in the log. How
to make sure there is only one rule matched.
Thanks a lot.
11 years, 4 months
why auid always unset?
by zhu xiuming
I read my audit logs.I always see lots of auid values are 4294967295. Even
when I delete a file, the value is still 4294967295?
I added pam_loginuid to gdm, login, kdm, sshd, vsftpd. Howver, it is still
the same value?
I wonder what is wrong?
11 years, 5 months
[PATCH] kaudit: prevent an older auditd shutdown from orphaning a newer auditd startup
by Richard Guy Briggs
There have been reports of auditd restarts resulting in kaudit not being able
to find a newly registered auditd. It results in reports such as:
kernel: [ 2077.233573] audit: *NO* daemon at audit_pid=1614
kernel: [ 2077.234712] audit: audit_lost=97 audit_rate_limit=0 audit_backlog_limit=320
kernel: [ 2077.234718] audit: auditd disappeared
(previously mis-spelled "dissapeared")
One possible cause is a race between the shutdown of an older auditd and a
newer one. If the newer one sets the daemon pid to itself in kauditd before
the older one has cleared the daemon pid, the newer daemon pid will be erased.
This could be caused by an automated system, or by manual intervention, but in
either case, there is no use in having the older daemon clear the daemon pid
reference since its old pid is no longer being referenced. This patch will
prevent that specific case, returning an error of EACCES.
The case for preventing a newer auditd from registering itself if there is an
existing auditd is a more difficult case that is beyond the scope of this
patch.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/audit.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 91e53d0..7cb7486 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -686,6 +686,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
if (status_get->mask & AUDIT_STATUS_PID) {
int new_pid = status_get->pid;
+ if ((!new_pid) && (task_tgid_vnr(current) != audit_pid))
+ return -EACCES;
if (audit_enabled != AUDIT_OFF)
audit_log_config_change("audit_pid", new_pid, audit_pid, 1);
audit_pid = new_pid;
--
1.7.1
11 years, 5 months
[PATCH] audit: restore order of tty and ses fields in log output
by Richard Guy Briggs
When being refactored from audit_log_start() to audit_log_task_info(), in
commit e23eb920 the tty and ses fields in the log output got transposed.
Restore to original order to avoid breaking search tools.
Cc: stable(a)vger.kernel.org # v3.6
Cc: Eric Paris <eparis(a)redhat.com>
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/audit.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 91e53d0..63b2dd5 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1590,7 +1590,7 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
audit_log_format(ab,
" ppid=%ld pid=%d auid=%u uid=%u gid=%u"
" euid=%u suid=%u fsuid=%u"
- " egid=%u sgid=%u fsgid=%u ses=%u tty=%s",
+ " egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
sys_getppid(),
tsk->pid,
from_kuid(&init_user_ns, audit_get_loginuid(tsk)),
@@ -1602,7 +1602,7 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
from_kgid(&init_user_ns, cred->egid),
from_kgid(&init_user_ns, cred->sgid),
from_kgid(&init_user_ns, cred->fsgid),
- audit_get_sessionid(tsk), tty);
+ tty, audit_get_sessionid(tsk));
get_task_comm(name, tsk);
audit_log_format(ab, " comm=");
--
1.7.1
11 years, 5 months
chmod32, lchmod32, etc?
by leam hall
Morning all! My first post to the list.
I'm getting errors on a RHEL 5 box when I add audit rules for chown32 and
lchown32.
Info on the box:
Linux myhost 2.6.18-348.6.1.el5 #1 SMP Fri Apr 26 09:21:26 EDT 2013 x86_64
x86_64 x86_64 GNU/Linux
Error:
service auditd restart
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Syscall name unknown: chown32
There was an error in line 215 of /etc/audit/audit.rules
Line 215:
-a exit,always -F arch=b64 -S chown32
What else can I look at to trouble-shoot?
Thanks!
Leam
--
Mind on a Mission <http://leamhall.blogspot.com/>
11 years, 5 months
[PATCH] audit: update AUDIT_INODE filter rule to comparator function
by Richard Guy Briggs
It appears this one comparison function got missed in f368c07d (and 9c937dcc).
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/auditsc.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 3c8a601..cb23f7d 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -566,7 +566,7 @@ static int audit_filter_rules(struct task_struct *tsk,
break;
case AUDIT_INODE:
if (name)
- result = (name->ino == f->val);
+ result = audit_comparator(name->ino, f->op, f->val);
else if (ctx) {
list_for_each_entry(n, &ctx->names_list, list) {
if (audit_comparator(n->ino, f->op, f->val)) {
--
1.7.1
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer
Kernel Security
AMER ENG Base Operating Systems
Remote, Ottawa, Canada
Voice: +1.647.777.2635
Internal: (81) 32635
Alt: +1.613.693.0684x3545
11 years, 5 months
[Part1 PATCH 00/22] Add namespace support for audit
by Gao feng
This patchset is first part of namespace support for audit.
in this patchset, the mainly resources of audit system have
been isolated. the audit filter, rules havn't been isolated
now. It will be implemented in Part2. We finished the isolation
of user audit message in this patchset.
I choose to assign audit to the user namespace.
Right now,there are six kinds of namespaces, such as
net, mount, ipc, pid, uts and user. the first five
namespaces have special usage. the audit isn't suitable to
belong to these five namespaces, And since the flag of system
call clone is in short supply, we can't provide a new flag such
as CLONE_NEWAUDIT to enable audit namespace separately. so the
user namespace may be the best choice.
[Patch 4/21] add a compare function pointer for netlink table,
so audit subsystem can use it's self-defined compare function
to make sure audit netlink sockets can communicate with each
other when they in the same user namespace. this patch has been
merged into David's net-next tree.
There is one point that some people may dislike,in [PATCH 3/21],
the kernel side audit netlink socket is created only when we create
the first netns for the userns, and this userns will hold the netns
until we destroy this userns. It also means if we only unshare the
user namespace, the audit is unavailable since we don't have audit
netlink socket. if we should unshare user and net namespace both.
change from RFC:
1, Move the cleanup patches to the head of this patchset.
2, Fix a scheduling while atomic BUG. This bug is caused by
kthread_stop in audit_free_user_ns.
3, Only allow init user namespace to change backlog_limit.
4, Audit subsystem is available only when kernel side audit
netlink socket has been created.
5, Only isolate the basic resources of audit, and only make
user audit message namespace aware.
This patchset is based on linus' linux tree.
You can pull this patchset from:
git://github.com/gao-feng/auditns.git
The following changes since commit 8177a9d79c0e942dcac3312f15585d0344d505a5
"lseek(fd, n, SEEK_END) does *not* go to eof - n"
are available in the git repository at:
git://github.com/gao-feng/auditns.git
for you to fetch changes up to 85c36b981ac692ec18e362ba484629a457d50cb2
"Audit: Allow GET,SET,USER MSG operations in uninit user namespace"
Gao feng (22):
Audit: change type of audit_ever_enabled to bool
Audit: remove duplicate comments
Audit: make audit kernel side netlink sock per userns
netlink: Add compare function for netlink_table
Audit: implement audit self-defined compare function
Audit: make audit_skb_queue per user namespace
Audit: make audit_skb_hold_queue per user namespace
Audit: make kauditd_task per user namespace
Audit: make audit_nlk_portid per user namesapce
Audit: make audit_enabled per user namespace
Audit: make audit_ever_enabled per user namespace
Audit: make audit_initialized per user namespace
Audit: only allow init user namespace to change rate limit
Audit: only allow init user namespace to change audit_failure
Audit: only allow init user namespace to change backlog_limit
Audit: make kauditd_wait per user namespace
Audit: make audit_backlog_wait per user namespace
Audit: introduce new audit logging interface for user namespace
Audit: pass proper user namespace to audit_log_common_recv_msg
Audit: Log audit config change in uninit user namespace
Audit: send reply message to the auditd in proper user namespace
Audit: Allow GET,SET,USER MSG operations in uninit user namespace
include/linux/audit.h | 39 +++-
include/linux/netlink.h | 1 +
include/linux/user_namespace.h | 33 ++-
kernel/audit.c | 452 +++++++++++++++++++++++++----------------
kernel/audit.h | 7 +-
kernel/auditsc.c | 11 +-
kernel/user_namespace.c | 3 +
net/netlink/af_netlink.c | 32 ++-
net/netlink/af_netlink.h | 1 +
9 files changed, 387 insertions(+), 192 deletions(-)
--
1.8.1.4
11 years, 5 months
