kauditd is writing too many lines in syslog
by Aaron Lewis
Hi,
I'm not sure if this is the default behavior,
I'm using audit 2.3.2, and I've configured auditd not to log anything
(NOLOG option), and I set the queue buffer to 10240 messages.
When the buffer is full or auditd is suddenly killed or for some other
reason, it seems to write a lot of things to dmesg or
/var/log/messages
So, did kauditd wrote all these? I already killed auditd process but I
can still see logs piling up.
Can I ask kauditd not print anything if user space program cannot
handle that much message?
--
Best Regards,
Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/
Finger Print: 9F67 391B B770 8FF6 99DC D92D 87F6 2602 1371 4D33
12 years
[PATCH] Prevent per,success and exit fields from disappearing in syscall audit log
by Paul Davies C
This patch prevents the per, success and the exit fields from disappearing
from the audit system call log.
Signed-off-by: Paul Davies C <pauldaviesc(a)gmail.com>
---
kernel/auditsc.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9845cb3..3871466 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1300,10 +1300,14 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
context->arch, context->major);
if (context->personality != PER_LINUX)
audit_log_format(ab, " per=%lx", context->personality);
+ else
+ audit_log_format(ab, " per=(null)");
if (context->return_valid)
audit_log_format(ab, " success=%s exit=%ld",
(context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
context->return_code);
+ else
+ audit_log_format(ab, " success=(null) exit=(null)");
audit_log_format(ab,
" a0=%lx a1=%lx a2=%lx a3=%lx items=%d",
--
1.7.9.5
12 years
[PATCH] audit: remove pr_info for every network namespace
by Eric Paris
A message about creating the audit socket might be fine at startup, but
a pr_info for every single network namespace created on a system isn't
useful.
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
kernel/audit.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 2df247d..5dd3dfa 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1068,8 +1068,6 @@ static int __net_init audit_net_init(struct net *net)
struct audit_net *aunet = net_generic(net, audit_net_id);
- pr_info("initializing netlink socket in namespace\n");
-
aunet->nlsk = netlink_kernel_create(net, NETLINK_AUDIT, &cfg);
if (aunet->nlsk == NULL) {
audit_panic("cannot initialize netlink socket in namespace");
--
1.8.4.2
12 years, 1 month
[PATCH] audit: Modify a set of system calls in audit class definitions
by AKASHI Takahiro
Each asm-generic/audit_xx.h defines a set of system calls for respective
audit permssion class (read, write, change attribute or exec).
This patch changes two entries:
1) fchown in audit_change_attr.h
Make fchown included by its own because in asm-generic/unistd.h, for example,
fchown always exists while chown is optional. This change is necessary at
least for arm64.
2) truncate64 in audit_write.h
Add missing truncate64/ftruncate64 as well as truncate/ftruncate
Signed-off-by: AKASHI Takahiro <takahiro.akashi(a)linaro.org>
---
include/asm-generic/audit_change_attr.h | 4 +++-
include/asm-generic/audit_write.h | 6 ++++++
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/include/asm-generic/audit_change_attr.h b/include/asm-generic/audit_change_attr.h
index 89b73e5..a186553 100644
--- a/include/asm-generic/audit_change_attr.h
+++ b/include/asm-generic/audit_change_attr.h
@@ -4,9 +4,11 @@ __NR_chmod,
__NR_fchmod,
#ifdef __NR_chown
__NR_chown,
-__NR_fchown,
__NR_lchown,
#endif
+#ifdef __NR_fchown
+__NR_fchown,
+#endif
__NR_setxattr,
__NR_lsetxattr,
__NR_fsetxattr,
diff --git a/include/asm-generic/audit_write.h b/include/asm-generic/audit_write.h
index e7020c5..274575d 100644
--- a/include/asm-generic/audit_write.h
+++ b/include/asm-generic/audit_write.h
@@ -10,6 +10,12 @@ __NR_truncate,
#ifdef __NR_truncate64
__NR_truncate64,
#endif
+#ifdef __NR_ftruncate
+__NR_ftruncate,
+#endif
+#ifdef __NR_ftruncate64
+__NR_ftruncate64,
+#endif
#ifdef __NR_bind
__NR_bind, /* bind can affect fs object only in one way... */
#endif
--
1.7.9.5
12 years, 1 month
[PATCH audit-next 1/2] audit: revert commit listen in all network namespaces
by Gao feng
This patch reverts the commit 1a938bec0090dc49abdb471e978e0d8155186845
"listen in all network namespaces",this commit brings the dependence
of net namespace for audit. it's a pain when we implement audit namespace.
we have to do lots of works to make sure audit socket is valid.
and unshare namespace will make things more worse.
In the next patch, I will add a compare function for audit
netlink socket, and this will make audit socket global. all
user space audit netlink will communicate with this global
socket, and kernel will send message to user space through
this socket. this will make things easy and we needn't to
consider the complicate cases.
Signed-off-by: Gao feng <gaofeng(a)cn.fujitsu.com>
---
kernel/audit.c | 61 ++++++++++------------------------------------------------
kernel/audit.h | 4 ----
2 files changed, 10 insertions(+), 55 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index ff1d1d7..b62153a 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -63,7 +63,6 @@
#include <linux/freezer.h>
#include <linux/tty.h>
#include <linux/pid_namespace.h>
-#include <net/netns/generic.h>
#include "audit.h"
@@ -124,7 +123,6 @@ static atomic_t audit_lost = ATOMIC_INIT(0);
/* The netlink socket. */
static struct sock *audit_sock;
-int audit_net_id;
/* Hash for inode-based rules */
struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];
@@ -415,7 +413,6 @@ static void kauditd_send_skb(struct sk_buff *skb)
audit_pid);
audit_log_lost("auditd disappeared\n");
audit_pid = 0;
- audit_sock = NULL;
}
/* we might get lucky and get this in the next auditd */
audit_hold_skb(skb);
@@ -501,15 +498,13 @@ int audit_send_list(void *_dest)
{
struct audit_netlink_list *dest = _dest;
struct sk_buff *skb;
- struct net *net = get_net_ns_by_pid(dest->pid);
- struct audit_net *aunet = net_generic(net, audit_net_id);
/* wait for parent to finish and send an ACK */
mutex_lock(&audit_cmd_mutex);
mutex_unlock(&audit_cmd_mutex);
while ((skb = __skb_dequeue(&dest->q)) != NULL)
- netlink_unicast(aunet->nlsk, skb, dest->portid, 0);
+ netlink_unicast(audit_sock, skb, dest->portid, 0);
kfree(dest);
@@ -544,15 +539,13 @@ out_kfree_skb:
static int audit_send_reply_thread(void *arg)
{
struct audit_reply *reply = (struct audit_reply *)arg;
- struct net *net = get_net_ns_by_pid(reply->pid);
- struct audit_net *aunet = net_generic(net, audit_net_id);
mutex_lock(&audit_cmd_mutex);
mutex_unlock(&audit_cmd_mutex);
/* Ignore failure. It'll only happen if the sender goes away,
because our timeout is set to infinite. */
- netlink_unicast(aunet->nlsk , reply->skb, reply->portid, 0);
+ netlink_unicast(audit_sock, reply->skb, reply->portid, 0);
kfree(reply);
return 0;
}
@@ -822,7 +815,6 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
audit_log_config_change("audit_pid", new_pid, audit_pid, 1);
audit_pid = new_pid;
audit_nlk_portid = NETLINK_CB(skb).portid;
- audit_sock = skb->sk;
}
if (s.mask & AUDIT_STATUS_RATE_LIMIT) {
err = audit_set_rate_limit(s.rate_limit);
@@ -1072,57 +1064,24 @@ static void audit_receive(struct sk_buff *skb)
mutex_unlock(&audit_cmd_mutex);
}
-static int __net_init audit_net_init(struct net *net)
-{
- struct netlink_kernel_cfg cfg = {
- .input = audit_receive,
- };
-
- struct audit_net *aunet = net_generic(net, audit_net_id);
-
- pr_info("audit: initializing netlink socket in namespace\n");
-
- aunet->nlsk = netlink_kernel_create(net, NETLINK_AUDIT, &cfg);
- if (aunet->nlsk == NULL) {
- audit_panic("cannot initialize netlink socket in namespace");
- return -ENOMEM;
- }
- aunet->nlsk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
- return 0;
-}
-
-static void __net_exit audit_net_exit(struct net *net)
-{
- struct audit_net *aunet = net_generic(net, audit_net_id);
- struct sock *sock = aunet->nlsk;
- if (sock == audit_sock) {
- audit_pid = 0;
- audit_sock = NULL;
- }
-
- rcu_assign_pointer(aunet->nlsk, NULL);
- synchronize_net();
- netlink_kernel_release(sock);
-}
-
-static struct pernet_operations audit_net_ops __net_initdata = {
- .init = audit_net_init,
- .exit = audit_net_exit,
- .id = &audit_net_id,
- .size = sizeof(struct audit_net),
-};
-
/* Initialize audit support at boot time. */
static int __init audit_init(void)
{
int i;
+ struct netlink_kernel_cfg cfg = {
+ .input = audit_receive,
+ };
if (audit_initialized == AUDIT_DISABLED)
return 0;
pr_info("audit: initializing netlink subsys (%s)\n",
audit_default ? "enabled" : "disabled");
- register_pernet_subsys(&audit_net_ops);
+ audit_sock = netlink_kernel_create(&init_net, NETLINK_AUDIT, &cfg);
+ if (!audit_sock)
+ audit_panic("cannot initialize netlink socket");
+ else
+ audit_sock->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
skb_queue_head_init(&audit_skb_queue);
skb_queue_head_init(&audit_skb_hold_queue);
diff --git a/kernel/audit.h b/kernel/audit.h
index 0719b45..16380bd 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -253,10 +253,6 @@ struct audit_netlink_list {
int audit_send_list(void *);
-struct audit_net {
- struct sock *nlsk;
-};
-
extern int selinux_audit_rule_update(void);
extern struct mutex audit_filter_mutex;
--
1.8.4.2
12 years, 1 month
[SOLVED] Re: Clear kernel audit buffer?
by Aaron Lewis
Thanks Steve & Richard, I get it.
On Tue, Jan 14, 2014 at 10:47 PM, Richard Guy Briggs <rgb(a)redhat.com> wrote:
> On 14/01/14, Steve Grubb wrote:
>> On Tuesday, January 14, 2014 01:09:52 PM Aaron Lewis wrote:
>> > Yes, I did run auditctl -D to clear all rules. And during testing I
>> > have enlarged the buffer queue to 10240 messages.
>> >
>> > Did you mean that once -D is issued, the buffer will be cleared by
>> > auditd, but not by linux kernel?
>>
>> There is no way to directly clear the in kernel buffer. The audit system is
>> supposed to keep events for disposition. If there was a simple command to dump
>> events, that would be a simple way to circumvent detection. So, the best way
>> to drain the queues is to give auditd more priority so it runs more often and
>> longer before its time slice is up. You don't need to log to disk. But
>> something has to read the events to get them out.
>
> What Steve said.
>
> The -D option has nothing directly to do with the queue. It simply
> shuts off most of the the taps filling your sink. You still need to
> drain the sink after it has filled/overflowed.
>
>> -Steve
>
> - RGB
>
> --
> Richard Guy Briggs <rbriggs(a)redhat.com>
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
--
Best Regards,
Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/
Finger Print: 9F67 391B B770 8FF6 99DC D92D 87F6 2602 1371 4D33
12 years, 1 month
Re: [PATCH v3 3/3] audit: Audit proc cmdline value
by William Roberts
On Thu, Jan 16, 2014 at 8:40 AM, William Roberts
<bill.c.roberts(a)gmail.com> wrote:
> On Thu, Jan 16, 2014 at 7:11 AM, Steve Grubb <sgrubb(a)redhat.com> wrote:
>> On Thursday, January 16, 2014 07:03:34 AM William Roberts wrote:
>>> On Thu, Jan 16, 2014 at 6:02 AM, Steve Grubb <sgrubb(a)redhat.com> wrote:
>>> > On Wednesday, January 15, 2014 09:08:39 PM William Roberts wrote:
>>> >> >> > Try this,
>>> >> >> >
>>> >> >> > cp /bin/ls 'test test test'
>>> >> >> > auditctll -a always,exit -F arch=b64 -S stat -k test
>>> >> >> > ./test\ test\ test './test\ test\ test'
>>> >> >> > auditctl -D
>>> >> >> > ausearch --start recent --key test
>>> >> >> >
>>> >> >> >> On the event of weird chars, it gets hex escaped.
>>> >> >> >
>>> >> >> > and its all in 1 lump with no escaping to figure out what is what.
>>> >> >>
>>> >> >> Un-escape it. ausearch does this with paths. Then if you need to parse
>>> >> >> it, do it.
>>> >> >
>>> >> > How can you? When you unescape cmdline for the example I gave, you will
>>> >> > have "./test test test ./test test test". Which program ran and how
>>> >> > many
>>> >> > arguments were passed? If we are trying to improve on what comm=
>>> >> > provides
>>> >> > by having the full information, I have to be able to find out exactly
>>> >> > what the program name was so it can be used for searching. If that
>>> >> > can't
>>> >> > be done, then we don't need this addition in its current form.
>>> >>
>>> >> In your example, you will have an execve record, with it parsed, will you
>>> >> not?
>>> >
>>> > Only if you change your patch.
>>>
>>> My patch has nothing to do with the emitting of an execve record. You
>>> will get an
>>> execve record with the arguments parsed out. Its not even really
>>> "parsing" as each
>>> element is in a NULL terminated char * array.
>>
>> That is what I am telling you is wrong. We can't have a string that can't be
>> parsed later. If you reformat the output as an execve record, then we have
>> something that is trustworthy.
>
Formatting of the string does not change the trust worthiness of its value. If
I told you your name was JoEy, I could re-type it like this Joey and
its still not
true. I think the part of this your confusing is that this is really
proctitle. On desktops
the execution environment simply takes all the cmdline args and dumps
it there. But,
this is not always the case. The reason your arguments and command are
well formatted
on exec is becuase of the interface to the kernel. Its in a char *
array. Their is NO parsing
that is done on the kernels behalf. Accessing each value is just a
matter of indexing the array.
Parsing "cmdline", which again is arbitrary and controlled via
setproctitle() is not needed,
because its arbitrary. However, the fact that its arbitrary does not
affect its usefulness. Many
values used in the audit records, like comm (prctl()), can be
manipulated by executing programs. But it
may help a user to deduce what is going on.
>>
>>
>>> >> cmdline does not necessarily represent the arguments or process name.
>>> >> Sometimes it does, sometimes it doesn't. Just treat the thing as one
>>> >> string, perhaps do some form of substring matching in a tool.
>>> >
>>> > You are missing the point. The point is that you are trying to place trust
>>> > in something that can be gamed. The audit system is designed such that it
>>> > cannot be fooled very easily. Each piece of the subject and object are
>>> > separated so that programs can be written to analyze events. What I am
>>> > trying to say is now you are making something that concatenates fields
>>> > with no way to regroup them later to reconstruct what really happened,
>>> >
>>> >> To make this clear, I am not trying to improve on what comm provides.
>>> >> comm provides
>>> >> 16 chars for per thread name. The key is, its per thread, and can be
>>> >> anything. The
>>> >> "cmdline" value, is an arbitrary spot that is a global entity for the
>>> >> process. So in my change, all things coming into these events will have a
>>> >> similar cmdline audit. Which may help in narrowing down on whats going on
>>> >> in the system
>>> >
>>> > It needs to be more trustworthy than this.
>>>
>>> Its as trustworthy as comm, its as trustworthy as path, etc. The audit
>>> subsystem already prints many
>>> untrusted values to aid in narrowing down the process, or to observe a
>>> running processes behavior; this
>>> is no different.
>>
>> Sure it is. comm is 1 entity on the value side of the name value pair. If it
>> is detected as being special, its encoded so that it can be correctly
>> dissected later. What you are creating cannot be correctly dissected. Please
>> try the example I gave you and think about it a bit.
>
Your example BTW, can be parsed. I have an FSM on my
whiteboard that will do it. But you don't need to parse it. Again,
as I stated above it might not be set to your example. If you have
a process that does this:
prctl(PR_SET_NAME, "./test \test \test");
You will see that comm now has white space and other chars.
I think to help avoid this confusion, I will change the keyword from
cmdline= to proctitle=
re-adding mailing list, accidentally dropped.
12 years, 1 month
[PATCH v3 1/3] mm: Create utility function for accessing a tasks commandline value
by William Roberts
introduce get_cmdline() for retreiving the value of a processes
proc/self/cmdline value.
Acked-by: David Rientjes <rientjes(a)google.com>
Acked-by: Stephen Smalley <sds(a)tycho.nsa.gov>
Signed-off-by: William Roberts <wroberts(a)tresys.com>
---
include/linux/mm.h | 1 +
mm/util.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 49 insertions(+)
diff --git a/include/linux/mm.h b/include/linux/mm.h
index 3552717..01e7970 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -1134,6 +1134,7 @@ void account_page_writeback(struct page *page);
int set_page_dirty(struct page *page);
int set_page_dirty_lock(struct page *page);
int clear_page_dirty_for_io(struct page *page);
+int get_cmdline(struct task_struct *task, char *buffer, int buflen);
/* Is the vma a continuation of the stack vma above it? */
static inline int vma_growsdown(struct vm_area_struct *vma, unsigned long addr)
diff --git a/mm/util.c b/mm/util.c
index 808f375..43b4419 100644
--- a/mm/util.c
+++ b/mm/util.c
@@ -413,6 +413,54 @@ unsigned long vm_commit_limit(void)
* sysctl_overcommit_ratio / 100) + total_swap_pages;
}
+/**
+ * get_cmdline() - copy the cmdline value to a buffer.
+ * @task: the task whose cmdline value to copy.
+ * @buffer: the buffer to copy to.
+ * @buflen: the length of the buffer. Larger cmdline values are truncated
+ * to this length.
+ * Returns the size of the cmdline field copied. Note that the copy does
+ * not guarantee an ending NULL byte.
+ */
+int get_cmdline(struct task_struct *task, char *buffer, int buflen)
+{
+ int res = 0;
+ unsigned int len;
+ struct mm_struct *mm = get_task_mm(task);
+ if (!mm)
+ goto out;
+ if (!mm->arg_end)
+ goto out_mm; /* Shh! No looking before we're done */
+
+ len = mm->arg_end - mm->arg_start;
+
+ if (len > buflen)
+ len = buflen;
+
+ res = access_process_vm(task, mm->arg_start, buffer, len, 0);
+
+ /*
+ * If the nul at the end of args has been overwritten, then
+ * assume application is using setproctitle(3).
+ */
+ if (res > 0 && buffer[res-1] != '\0' && len < buflen) {
+ len = strnlen(buffer, res);
+ if (len < res) {
+ res = len;
+ } else {
+ len = mm->env_end - mm->env_start;
+ if (len > buflen - res)
+ len = buflen - res;
+ res += access_process_vm(task, mm->env_start,
+ buffer+res, len, 0);
+ res = strnlen(buffer, res);
+ }
+ }
+out_mm:
+ mmput(mm);
+out:
+ return res;
+}
/* Tracepoints definitions. */
EXPORT_TRACEPOINT_SYMBOL(kmalloc);
--
1.7.9.5
12 years, 1 month
audit 2.3.3 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Documentation updates
- Add AUDIT_USER_MAC_CONFIG_CHANGE event for MAC policy changes
- Update interpreting scheduler policy names
- Update automake files to automake-1.13.4
- Remove CAP_COMPROMISE_KERNEL interpretation
- Parse name field in AVC's (#1049916)
- Add missing typedef for auparse_type_t enumeration (#1053424)
- Fix parsing encoded filenames in records
- Parse SECCOMP events
Please let me know if you run across any problems with this release.
-Steve
12 years, 1 month
[PATCH] audit: allow unlimited backlog queue
by Richard Guy Briggs
Since audit can already be disabled by "audit=0" on the kernel boot line, or by
the command "auditctl -e 0", it would be more useful to have the
audit_backlog_limit set to zero mean effectively unlimited (limited only by
system resources).
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
Steve,
These are userspace source code documentation changes in what's going in
upstream. See:
audit: allow unlimited backlog queue
git://toccata2.tricolour.ca/linux-2.6-rgb.git
https://lkml.org/lkml/2013/10/22/356
https://www.redhat.com/archives/linux-audit/2013-October/msg00029.html
trunk/docs/auditctl.8 | 2 +-
trunk/src/auditctl.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/trunk/docs/auditctl.8 b/trunk/docs/auditctl.8
index 0ee1a83..dbb911d 100644
--- a/trunk/docs/auditctl.8
+++ b/trunk/docs/auditctl.8
@@ -8,7 +8,7 @@ The \fBauditctl\fP program is used to control the behavior, get status, and add
.SH OPTIONS
.TP
.BI \-b\ backlog
-Set max number of outstanding audit buffers allowed (Kernel Default=64) If all buffers are full, the failure flag is consulted by the kernel for action.
+Set max number of outstanding audit buffers allowed (Kernel Default=64) If all buffers are full, the failure flag is consulted by the kernel for action. Setting this to "0" (which is dangerous) implies an unlimited queue, limited only by system resources.
.TP
\fB\-e\fP [\fB0\fP..\fB2\fP]
Set enabled flag. When \fB0\fP is passed, this can be used to temporarily disable auditing. When \fB1\fP is passed as an argument, it will enable auditing. To lock the audit configuration so that it can't be changed, pass a \fB2\fP as the argument. Locking the configuration is intended to be the last command in audit.rules for anyone wishing this feature to be active. Any attempt to change the configuration in this mode will be audited and denied. The configuration can only be changed by rebooting the machine.
diff --git a/trunk/src/auditctl.c b/trunk/src/auditctl.c
index 325b0a7..5b544a1 100644
--- a/trunk/src/auditctl.c
+++ b/trunk/src/auditctl.c
@@ -107,7 +107,7 @@ static void usage(void)
" -a <l,a> Append rule to end of <l>ist with <a>ction\n"
" -A <l,a> Add rule at beginning of <l>ist with <a>ction\n"
" -b <backlog> Set max number of outstanding audit buffers\n"
- " allowed Default=64\n"
+ " allowed. Default=64 Unlimited=0(dangerous)\n"
" -c Continue through errors in rules\n"
" -C f=f Compare collected fields if available:\n"
" Field name, operator(=,!=), field name\n"
--
1.7.1
12 years, 1 month
