June 2014 - Linux-audit - Linux-Audit List Archives

[PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log

by Tony Jones

This patch came from our L3 department. AppArmor LSM is logging using the common_lsm_audit() call but the audit userspace parsing code expects to see an SELinux tclass field. This patch doesn't address the lack of support for AppArmor in "aureport --avc". Talking to Seth Arnold, Canonical apparently has patches for this; if this is true perhaps they can post for inclusion. Based-on-work-by: William Preston <wpreston(a)suse.com> Signed-off-by: Tony Jones <tonyj(a)suse.de> --- a/src/ausearch-parse.c 2014-05-21 14:45:22.000000000 +0200 +++ b/src/ausearch-parse.c 2014-05-21 14:53:55.000000000 +0200 @@ -1735,17 +1735,15 @@ static int parse_avc(const lnode *n, sea // Now get the class...its at the end, so we do things different str = strstr(term, "tclass="); - if (str == NULL) { - rc = 9; - goto err; + if (str) { + str += 7; + term = strchr(str, ' '); + if (term) + *term = 0; + an.avc_class = strdup(str); + if (term) + *term = ' '; } - str += 7; - term = strchr(str, ' '); - if (term) - *term = 0; - an.avc_class = strdup(str); - if (term) - *term = ' '; if (audit_avc_init(s) == 0) { alist_append(s->avc, &an);

10 years, 6 months

4
15
0 / 0

Fwd: 3.15: kernel BUG at kernel/auditsc.c:1525!

by Andy Lutomirski

Steve Grubb pointed out that I forgot to cc: linux-audit. --Andy ---------- Forwarded message ---------- From: Andy Lutomirski <luto(a)amacapital.net> Date: Mon, Jun 16, 2014 at 2:35 PM Subject: Re: 3.15: kernel BUG at kernel/auditsc.c:1525! To: Richard Weinberger <richard(a)nod.at>, "H. Peter Anvin" <hpa(a)zytor.com>, X86 ML <x86(a)kernel.org> Cc: Toralf Förster <toralf.foerster(a)gmx.de>, Eric Paris <eparis(a)redhat.com>, Linux Kernel <linux-kernel(a)vger.kernel.org> [cc: hpa, x86 list] On Mon, Jun 16, 2014 at 1:43 PM, Richard Weinberger <richard(a)nod.at> wrote: > Am 16.06.2014 22:41, schrieb Toralf Förster: >> Well, might be the mail:subject should be adapted, b/c the issue can be triggered in a 3.13.11 kernel too. >> Unfortunately it does not appear within an UML guest, therefore an automated bisecting isn't possible I fear. > > You could try KVM. :) Before you do that, just to clarify: What bitness is your kernel? That is, are you on 32-bit or 64-bit kernel? What bitness is your test case? 'file a.out' will say. What does /proc/cpuinfo say in flags? Can you try the attached patch? It's only compile-tested. To hpa, etc: It appears that entry_32.S is missing any call to the audit exit hook on the badsys path. If I'm diagnosing this bug report correctly, this causes OOPSes. The the world at large: it's increasingly apparent that no one (except maybe the blackhats) has ever scrutinized the syscall auditing code. This is two old severe bugs in the code that have probably been there for a long time. --Andy -- Andy Lutomirski AMA Capital Management, LLC

10 years, 6 months

1
0
0 / 0

Re: [oss-security] CVE request: Another Linux syscall auditing bug

by Steve Grubb

Hi, Reminder again...please report bugs to linux-audit mail list. On Thursday, June 19, 2014 06:26:38 PM Andy Lutomirski wrote: > On a 32-bit x86 kernel with syscall auditing enabled, syscall(1000) > will cause an OOPS. This problem goes at least as far back as Linux > 3.11 and appears to be present in Linux 3.15 as well. I suspect that > this bug is very old. > > In order to see this bug, you'll need syscall auditing on (auditctl -e > 1 will do that) and you'll need 'sep' in flags in /proc/cpuinfo. That > means that qemu -cpu qemu64 will not be exposed to this bug, but qemu > -cpu host will on any recent CPU. > > Mitigations include: > - Running under ptrace or strace. > - Using any seccomp filter at all (phew!) > - Turning off SEP (which is a big slowdown on all syscalls) > - auditctl -a task,never > > I'd be rather surprised if this can be used for anything other than > DoS, although the same underlying bug could potentially have more > serious consequences. > > This bug was found (inadvertently, I presume) by Toralf Förster. The > patch here: > > http://lkml.kernel.org/g/CALCETrW7U4AHG-a9oPbOt31z3wgzhjSu8b+yGpdM4+vNinKgsA > @mail.gmail.com > > is reported to fix the bug, but it should not be considered to be > well-tested. > > --Andy

10 years, 6 months

1
0
0 / 0

[PATCH] audit: fix dangling keywords in integrity ima message output

by Richard Guy Briggs

Replace spaces in op keyword labels in log output since userspace audit tools can't parse orphaned keywords. Reported-by: Steve Grubb <sgrubb(a)redhat.com> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com> --- security/integrity/ima/ima_appraise.c | 2 +- security/integrity/ima/ima_policy.c | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 734e946..61c95af 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -214,7 +214,7 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint, hash_start = 1; case IMA_XATTR_DIGEST: if (iint->flags & IMA_DIGSIG_REQUIRED) { - cause = "IMA signature required"; + cause = "IMA-signature-required"; status = INTEGRITY_FAIL; break; } diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index a9c3d3c..dbdc528 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -330,7 +330,7 @@ void __init ima_init_policy(void) void ima_update_policy(void) { const char *op = "policy_update"; - const char *cause = "already exists"; + const char *cause = "already-exists"; int result = 1; int audit_info = 0; @@ -654,7 +654,7 @@ ssize_t ima_parse_add_rule(char *rule) /* Prevent installed policy from changing */ if (ima_rules != &ima_default_rules) { integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, - NULL, op, "already exists", + NULL, op, "already-exists", -EACCES, audit_info); return -EACCES; } @@ -680,7 +680,7 @@ ssize_t ima_parse_add_rule(char *rule) if (result) { kfree(entry); integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, - NULL, op, "invalid policy", result, + NULL, op, "invalid-policy", result, audit_info); return result; } -- 1.7.1

10 years, 6 months

2
2
0 / 0

auditing access to directories with restricted access

by jon.bird＠generaldynamics.uk.com

Hi, I am trying to set up some audit rules to monitor failed accesses to a given folder - here is the basics: -a exit,always -S open -k fk_open -F dir=/recorder/ -F success=0 Here are the permissions on the folder: drwxrwx--- 3 red red 4096 Jun 4 10:39 recorder and the contents: drwxrwx--- 3 red red 4096 Jun 4 12:05 . drwxr-xr-x 21 root root 1024 Jun 4 10:38 .. drwx------ 2 root root 16384 Apr 24 15:49 lost+found -rw-rw---- 1 root root 6 Jun 4 12:05 test.txt If I run as user "red" ie. Who does have permission to write to this folder but then try and replace the "text.txt" file (which is owned by root) I get: reduser@unit:~ echo test >test.txt -sh: can't create test.txt: Permission denied Along with a corresponding entry in the audit log which is what I'm expected. However if I run as another use which does not have permission to access this folder and try the same thing: blackuser@unit:~ echo test >/recorder/test.txt -sh: can't create /recorder/test.txt: Permission denied But I don't get anything captured in the audit log. I've tried a few incarnations of the rule, including setting up similar arrangements and having the daemon monitor the parent folder (thinking the access will show up there) but I can't get this scenario to be detected by the audit daemon. If I remove the file system filter (ie. So I see all failed accesses) then it does get logged but this generates way too much traffic to be of much use. I've also done an strace call around the command and verified that (in this latter scenario) is it definitely the open call which is generating the permission denied error and it is. This is using audit-2.3.6 on a 3.2.55 kernel. Any help appreciated, Jon. -- Jon Bird, CEng MBCS Software Engineer Electronic Systems General Dynamics United Kingdom Ltd. Castleham Road, St Leonards on Sea, East Sussex, TN38 9NJ Telephone: +441424798278 Email: jon.bird(a)generaldynamics.uk.com Website: www.generaldynamics.uk.com This email and any files attached are intended for the addressee and may contain information of a confidential nature. If you are not the intended recipient, be aware that this email was sent to you in error and you should not disclose, distribute, print, copy or make other use of this email or its attachments. Such actions, in fact, may be unlawful. In compliance with the various Regulations and Acts, General Dynamics United Kingdom Limited reserves the right to monitor (and examine for viruses) all emails and email attachments, both inbound and outbound. Email communications and their attachments may not be secure or error- or virus-free and the company does not accept liability or responsibility for such matters or the consequences thereof. General Dynamics United Kingdom Limited, Registered Office: 21 Holborn Viaduct, London EC1A 2DY. Registered in England and Wales No: 1911653.

10 years, 6 months

3
3
0 / 0

[PATCH] audit: use union for audit_field values since they are mutually exclusive

by Richard Guy Briggs

Since only one of val, uid and gid are used at any given time, combine them to reduce the size of the struct audit_field. Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com> --- include/linux/audit.h | 8 +++++--- kernel/auditfilter.c | 2 -- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 1ae0089..06141b3 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -66,9 +66,11 @@ struct audit_krule { struct audit_field { u32 type; - u32 val; - kuid_t uid; - kgid_t gid; + union { + u32 val; + kuid_t uid; + kgid_t gid; + }; u32 op; char *lsm_str; void *lsm_rule; diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index b65a138..ea8d389 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -422,8 +422,6 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, f->type = data->fields[i]; f->val = data->values[i]; - f->uid = INVALID_UID; - f->gid = INVALID_GID; f->lsm_str = NULL; f->lsm_rule = NULL; -- 1.7.1

10 years, 6 months

1
1
0 / 0

aulast only displaying reboot pseudo-users

by Laurent Bigonville

Hello, On my machine with audit 2.3.6 the following call to aulast is only displaying the "reboot" pseudo-users and not the actual logins: ausearch --start this-month --raw | aulast --stdin Passing the "--bad" option to aulast, seems to correctly return the failed login attempt. Also, adding the login name to the aulast command doesn't seems to work at all even with the --bad option. OTOH, the aulastlog command seems to work as expected. An idea? Cheers, Laurent Bigonville

10 years, 6 months

4
17
0 / 0

[PATCH] audit: use atomic_t to simplify audit_serial()

by Richard Guy Briggs

Since there is already a primitive to do this operation in the atomic_t, use it to simplify audit_serial(). Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com> --- kernel/audit.c | 14 ++------------ 1 files changed, 2 insertions(+), 12 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 218899b..d41266c 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1257,19 +1257,9 @@ err: */ unsigned int audit_serial(void) { - static DEFINE_SPINLOCK(serial_lock); - static unsigned int serial = 0; + static atomic_t serial = ATOMIC_INIT(0); - unsigned long flags; - unsigned int ret; - - spin_lock_irqsave(&serial_lock, flags); - do { - ret = ++serial; - } while (unlikely(!ret)); - spin_unlock_irqrestore(&serial_lock, flags); - - return ret; + return atomic_add_return(1, &serial); } static inline void audit_get_stamp(struct audit_context *ctx, -- 1.7.1

10 years, 6 months

1
0
0 / 0

[PATCH] audit: reduce scope of audit_log_fcaps

by Richard Guy Briggs

audit_log_fcaps() isn't used outside kernel/audit.c. Reduce its scope. Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com> --- kernel/audit.c | 2 +- kernel/audit.h | 1 - 2 files changed, 1 insertions(+), 2 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index bdd0172..3225a5d 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1637,7 +1637,7 @@ void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap) } } -void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name) +static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name) { kernel_cap_t *perm = &name->fcap.permitted; kernel_cap_t *inh = &name->fcap.inheritable; diff --git a/kernel/audit.h b/kernel/audit.h index 7bb6573..3cdffad 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -222,7 +222,6 @@ extern void audit_copy_inode(struct audit_names *name, const struct inode *inode); extern void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap); -extern void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name); extern void audit_log_name(struct audit_context *context, struct audit_names *n, struct path *path, int record_num, int *call_panic); -- 1.7.1

10 years, 6 months

1
0
0 / 0

[PATCH] audit: reduce scope of audit_net_id

by Richard Guy Briggs

audit_net_id isn't used outside kernel/audit.c. Reduce its scope. Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com> --- kernel/audit.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 59c0bbe..bdd0172 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -126,7 +126,7 @@ static atomic_t audit_lost = ATOMIC_INIT(0); /* The netlink socket. */ static struct sock *audit_sock; -int audit_net_id; +static int audit_net_id; /* Hash for inode-based rules */ struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS]; -- 1.7.1

10 years, 6 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit June 2014