Realtime parsing with Auparse
by Wouter van Verre
Hi all,
I am looking to do some real time parsing with audit. After some testing I figured it would be easier to do the parsing in a plugin on the local machine and then send the parsed data to a remote machine for storage.
After reading the audit-parse.txt document I am not quite sure how to proceed. Given that the plugin will receive data on stdin, how would I go about setting the auparse library up (for example, what ausource_t should I specify to initialise the auparse_state_t object) to enable real time parsing?
Many thanks,
Wouter
10 years, 1 month
Remote logging with auditd
by Wouter van Verre
Hi all,
I am trying to set up logging using the audit framework, but I have some questions about how the system works and how the components fit together.
My use case is as follows:
* I would like to have one or more servers on my network capturing data, including TTY sessions.
* I would then like to have these servers (the 'client servers') submit the data to another server on the network (the 'central server').
* This central server would then write the incoming data to disk, and do some processing on the data as well.
My current idea on how to implement this is to:
* Run auditd + audisp + audisp-remote on every client server.
* Use pam_tty_audit.so on every client server for the TTY logging.
* Run auditd on the central server to receive the data and write it to disk.
* Either implement my processing tool such that it can be used instead of the dispatcher, or implement it as a plugin for audisp?
I'd love some feedback on whether this set up makes sense. In particular on whether receiving the data with auditd on the central server is the best way to go? And on which option is recommended for implementing the processing tool? I would think that a custom plugin for audisp would be best? If so, is there any documentation on how to go about implementing a plugin for audisp that I could read?
I have already experimented with this set up a bit, and have come to the conclusion that I am not sure how things work...
I have implemented a single client running auditd + audisp + audisp-remote with logging of TTY sessions (using pam_tty_audit.so), and a central server running auditd (with auditd configured to listen to port 60).
This seems to work to an extent:
* On the client server all the data is logged to /var/log/audit/audit.log and I can see it there.
* On the client server I can run "aureport --tty" and I will see the TTY session data represented more easily.
* When I am on the central server I can run "aureport --tty" and see the TTY session data for sessions on the client server.
My conclusion based on this is that the central server must be receiving and storing data properly?
* However, when I look at /var/log/audit/audit.log on the central server I can only see audit data for that server. So my question is, where does the audit data from the client server get stored?
* When I connect a very simple program to the auditd daemon (instead of the default dispatcher) it doesn't seem to receive any input at the moment, even though "aureport --tty" is showing that the daemon has been receiving data in the mean time...
Any help or pointers would be highly appreciated :)
Many thanks in advance,
Wouter
10 years, 1 month
[PATCH] audit: convert status version to a feature bitmap
by Richard Guy Briggs
The version field defined in the audit status structure was found to have
limitations in terms of its expressibility of features supported. This is
distinct from the get/set features call to be able to command those features
that are present.
Converting this field from a version number to a feature bitmap will allow
distributions to selectively backport and support certain features and will
allow upstream to be able to deprecate features in the future. It will allow
userspace clients to first query the kernel for which features are actually
present and supported. Currently, EINVAL is returned rather than EOPNOTSUP,
which isn't helpful in determining if there was an error in the command, or if
it simply isn't supported yet. Past features are not represented by this
bitmap, but their use may be converted to EOPNOTSUP if needed in the future.
Since "version" is too generic to convert with a #define, use a union in the
struct status, introducing the member "feature_bitmap" unionized with
"version".
Convert existing AUDIT_VERSION_* macros over to AUDIT_FEATURE_BITMAP*
counterparts, leaving the former for backwards compatibility.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
include/uapi/linux/audit.h | 17 +++++++++++++----
kernel/audit.c | 2 +-
2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 4d100c8..74aa584 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -322,9 +322,15 @@ enum {
#define AUDIT_STATUS_BACKLOG_LIMIT 0x0010
#define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
-#define AUDIT_VERSION_BACKLOG_LIMIT 1
-#define AUDIT_VERSION_BACKLOG_WAIT_TIME 2
-#define AUDIT_VERSION_LATEST AUDIT_VERSION_BACKLOG_WAIT_TIME
+#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
+#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
+#define AUDIT_FEATURE_BITMAP ( AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
+ AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME )
+
+/* deprecated: AUDIT_VERSION_* */
+#define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP
+#define AUDIT_VERSION_BACKLOG_LIMIT AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT
+#define AUDIT_VERSION_BACKLOG_WAIT_TIME AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME
/* Failure-to-log actions */
#define AUDIT_FAIL_SILENT 0
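Review bot: in the deprecated block, AUDIT_VERSION_LATEST changes value from 2 to 3 without any comment saying so, and a kernel built before this change reports 2, which read as a bitmap has AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME set and AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT clear. Please add a comment beside the deprecated defines stating how userspace should interpret a bare 2, and consider a more distinct name for the combined mask (a suffix such as _ALL, as a suggestion), since AUDIT_FEATURE_BITMAP is also the prefix of every individual bit. The spaces just inside the parentheses of the combined define are also unusual style.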
@@ -403,7 +409,10 @@ struct audit_status {
__u32 backlog_limit; /* waiting messages limit */
__u32 lost; /* messages lost */
__u32 backlog; /* messages waiting in queue */
- __u32 version; /* audit api version number */
+ union {
+ __u32 version; /* deprecated: audit api version num */
+ __u32 feature_bitmap; /* bitmap of kernel audit features */
+ };
__u32 backlog_wait_time;/* message queue wait timeout */
};
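Review bot: the anonymous union added to struct audit_status sits in a uapi header, so userspace that compiles in a strict pre-C11 mode may warn about it or reject it. Please either note that requirement in the commit message or confirm that it is acceptable for this header. Both members are __u32, so the structure layout and sizeof(s) are unchanged; stating that explicitly would save reviewers from checking it.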
diff --git a/kernel/audit.c b/kernel/audit.c
index 8ee4508..c9d0e30 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -842,7 +842,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
s.backlog_limit = audit_backlog_limit;
s.lost = atomic_read(&audit_lost);
s.backlog = skb_queue_len(&audit_skb_queue);
- s.version = AUDIT_VERSION_LATEST;
+ s.feature_bitmap = AUDIT_FEATURE_BITMAP;
s.backlog_wait_time = audit_backlog_wait_time;
audit_send_reply(skb, seq, AUDIT_GET, 0, 0, &s, sizeof(s));
break;
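Review bot: nothing at the `s.feature_bitmap = AUDIT_FEATURE_BITMAP;` assignment records that the AUDIT_GET reply now carries 3 in the word that used to carry 2. A caller that compares the old field for equality with AUDIT_VERSION_BACKLOG_WAIT_TIME, rather than testing a bit or using >=, would stop matching. A one-line comment here, or a sentence in the commit message naming the changed value, would make the userspace impact visible.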
--
1.7.1
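The feature query that the commit message describes, seen from a userspace client, as an added example that is not part of the patch or of any audit project code. `status_tail`, `normalise_features` and `settable_status_mask` are hypothetical names, and treating a reported 2 as the pre-patch version number is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Values copied from the patch above. */
#define AUDIT_STATUS_BACKLOG_LIMIT             0x0010u
#define AUDIT_STATUS_BACKLOG_WAIT_TIME         0x0020u
#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT     0x00000001u
#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002u

/* Tail of struct audit_status as the patch lays it out (earlier members omitted). */
struct status_tail {
    union {
        uint32_t version;        /* deprecated name */
        uint32_t feature_bitmap; /* same 32 bits, new meaning */
    };
    uint32_t backlog_wait_time;
};

/* Hypothetical helper: turn the reported word into a feature mask.
 * Assumption: a kernel without the patch reports the ordinal 1 or 2, and
 * ordinal 2 implies both features, so a bare 2 is widened to 0x3. */
static uint32_t normalise_features(uint32_t reported)
{
    if (reported == 2u)
        return AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT |
               AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME;
    return reported;
}

/* Hypothetical helper: AUDIT_STATUS_* mask bits a client may safely set.
 * Feature bits this client does not know about are ignored. */
static uint32_t settable_status_mask(uint32_t reported)
{
    uint32_t f = normalise_features(reported), mask = 0;
    if (f & AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT) mask |= AUDIT_STATUS_BACKLOG_LIMIT;
    if (f & AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME) mask |= AUDIT_STATUS_BACKLOG_WAIT_TIME;
    return mask;
}

int main(void)
{
    /* Constructed replies: no features, pre-patch v1, pre-patch v2, patched kernel. */
    const uint32_t samples[] = { 0u, 1u, 2u, 3u };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct status_tail s;
        s.backlog_wait_time = 0;
        s.feature_bitmap = samples[i];   /* aliases s.version */
        printf("reported=%u settable mask=0x%04x\n",
               (unsigned)s.version, (unsigned)settable_status_mask(s.feature_bitmap));
    }
    return 0;
}
```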
10 years, 1 month
How to make audit available
by Gisela Cheng
Hello,
I am running 'Linux zp93k1 3.10.0-123.e17.6.s390x .... When I check
audit status:
So audit function is missing from the kernel. How do I make it
available?
Thanks.
Gisela Cheng
giselac(a)us.ibm.com
10 years, 1 month
stig.rules example in audit-2.3.7
by Andrew Ruch
Hello,
I was looking through the stig.rules file that is provided with RHEL
6.6 and I noticed some differences that I couldn't find in the actual
STIG. After looking at some of the items, I thought maybe they only
apply to RHEL 7. Could someone provide some clarification on the
following:
- removed ftruncate
- added open_by_handle_at
- added finit_module
- added sections regarding containers
Thanks,
Andrew Ruch
10 years, 1 month
audispd audit-remote plugin and uid, gid, euid, suid, fsuid, egid, sgid, fsgid
by Wojtczak Arkadiusz
Hello,
Let's assume that *id = uid or gid or euid or suid or fsuid or egid or sgid or fsgid.
Audispd audit-remote (au-remote.conf) plugin sends native (numeric) uid, gid, euid, suid, fsuid, egid, sgid, fsgid.
I want to correlate logs from many Linux boxes so I need to have *ids resolved to user/group names, similar to ausearch with option "-interpret". Is there any way to enrich events with user/group names in au-remote or even earlier - in auditd or audit?
I've considered forking audit-remote to use auparse (injecting additional code somewhere near line 412 of audisp-remote.c) or doing something like "tail ... --follow audit.log | ausearch ... -i". Am I correct that to be 100% sure that user or group corresponds to appropriate *id the mapping process has to be done in the kernel? Otherwise there is low probability that during the time gap between actual event and "ausearch -i" someone could change *id or user/group name.
Any help would be appreciated.
Best regards,
Arkadiusz Wojtczak
Mainframe Security Expert
PKO Bank Polski
Departament Bezpieczeństwa
Biuro Bezpieczeństwa Informatycznego
02-515 Warszawa, ul. Puławska 15
t: 22 521 68 80
k: 666 824 168
Do not print this message or other documents unless necessary.
Powszechna Kasa Oszczędności Bank Polski S.A. registered in the District Court for the Capital City of Warsaw, 13th Commercial Division of the National Court Register under KRS number 0000026438, Tax Identification Number (NIP): 525-000-77-38, REGON: 016298263, share capital 1,250,000,000 PLN.
This message may contain a confidential and privileged our Company and Client communication. If you are not the intended recipient, you are hereby notified that you have received this message in error - any review, distribution or copying of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately and delete the original.
10 years, 1 month
Audit/Auditd/Audispd documentation
by Wojtczak Arkadiusz
Hi,
I've been searching for Audit documentation and stumbled upon the following conversation:
http://www.redhat.com/archives/linux-audit/2006-September/msg00081.html
Has anything changed since 2006?
I need to write a set of rules to correlate audit events from many systems. The following information would be very useful:
1) Event formats - What fields will be generated for particular event type? Which fields are common to all event types? What type of data will be in those fields (binary/encoded/ASCII/UNICODE)? What do those fields describe?
2) For all event types - a description of when (in what circumstances) events of this type are generated
3) How do DAC event types relate to AVC (which fields are common, which are not)?
Best regards,
Arkadiusz Wojtczak
Expert
PKO Bank Polski
Departament Bezpieczeństwa
Biuro Bezpieczeństwa Informatycznego
02-515 Warszawa, ul. Puławska 15
t: 22 521 68 80
k: 666 824 168
10 years, 1 month
[GIT PULL] Audit fixes for 3.18
by Paul Moore
Hi Linus,
After he sent the initial audit pull request for 3.18, Eric asked me to take
over the management of the audit tree, hence this pull request to fix a couple
of problems with audit. As you can see below, the changes are minimal: adding
some whitespace to a string so userspace parses it correctly, and fixing a
problem with audit's usage of fsnotify that was causing audit watch rules to
be lost. Neither of these patches was very controversial on the mailing
lists and they fix real problems; getting them into 3.18 would be a good
thing.
As of about ten minutes ago, the audit tree applied cleanly on top of your
tree.
Thanks,
-Paul
---
The following changes since commit 2991dd2b0117e864f394c826af6df144206ce0db:
audit: rename audit_log_remove_rule to disambiguate for trees (2014-10-10
15:30:25 -0400)
are available in the git repository at:
git://git.infradead.org/users/pcmoore/audit stable-3.18
for you to fetch changes up to 799b601451b21ebe7af0e6e8f6e2ccd4683c5064:
audit: keep inode pinned (2014-11-11 14:20:22 -0500)
----------------------------------------------------------------
Miklos Szeredi (1):
audit: keep inode pinned
Richard Guy Briggs (1):
audit: AUDIT_FEATURE_CHANGE message format missing delimiting space
kernel/audit.c | 2 +-
kernel/audit_tree.c | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
--
paul moore
security and virtualization @ redhat
10 years, 1 month
Re: [PATCH] audit_tree: keep inode pinned
by Richard Guy Briggs
On 14/11/04, Miklos Szeredi wrote:
> From: Miklos Szeredi <mszeredi(a)suse.cz>
Hi Miklos,
> Audit rules disappear when an inode they watch is evicted from the cache.
> This is likely not what we want.
>
> The guilty commit is "fsnotify: allow marks to not pin inodes in core",
> which didn't take into account that audit_tree adds watches with a zero
> mask.
>
> Adding any mask should fix this.
Nice find! Do you have a quick reproducer to detect this?
> Fixes: 90b1e7a57880 ("fsnotify: allow marks to not pin inodes in core")
> Signed-off-by: Miklos Szeredi <mszeredi(a)suse.cz>
> Cc: stable(a)vger.kernel.org # 2.6.36+
> ---
> kernel/audit_tree.c | 1 +
> 1 file changed, 1 insertion(+)
>
> --- a/kernel/audit_tree.c
> +++ b/kernel/audit_tree.c
> @@ -154,6 +154,7 @@ static struct audit_chunk *alloc_chunk(i
> chunk->owners[i].index = i;
> }
> fsnotify_init_mark(&chunk->mark, audit_tree_destroy_watch);
> + chunk->mark.mask = FS_IN_IGNORED;
> return chunk;
> }
>
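Review bot: the added `chunk->mark.mask = FS_IN_IGNORED;` line in alloc_chunk carries no comment, and FS_IN_IGNORED reads as an arbitrary choice given that the description says any mask would do. A short comment stating that a non-zero mask is needed so the mark keeps the inode pinned, and why this particular bit was picked, would stop a later cleanup from removing the line and reintroducing the loss of audit rules.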
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
10 years, 1 month
Re: [PATCH] audit_tree: keep inode pinned
by Paul Moore
On Tue, Nov 4, 2014 at 5:27 AM, Miklos Szeredi <miklos(a)szeredi.hu> wrote:
> From: Miklos Szeredi <mszeredi(a)suse.cz>
>
> Audit rules disappear when an inode they watch is evicted from the cache.
> This is likely not what we want.
>
> The guilty commit is "fsnotify: allow marks to not pin inodes in core",
> which didn't take into account that audit_tree adds watches with a zero
> mask.
>
> Adding any mask should fix this.
>
> Fixes: 90b1e7a57880 ("fsnotify: allow marks to not pin inodes in core")
> Signed-off-by: Miklos Szeredi <mszeredi(a)suse.cz>
> Cc: stable(a)vger.kernel.org # 2.6.36+
> ---
> kernel/audit_tree.c | 1 +
> 1 file changed, 1 insertion(+)
Thanks for your help on this, I've merged this into the audit
stable-3.18 branch; I plan on pushing this to Linus later this week.
* git://git.infradead.org/users/pcmoore/audit stable-3.18
> --- a/kernel/audit_tree.c
> +++ b/kernel/audit_tree.c
> @@ -154,6 +154,7 @@ static struct audit_chunk *alloc_chunk(i
> chunk->owners[i].index = i;
> }
> fsnotify_init_mark(&chunk->mark, audit_tree_destroy_watch);
> + chunk->mark.mask = FS_IN_IGNORED;
> return chunk;
> }
--
paul moore
www.paul-moore.com
10 years, 1 month