RHEL 6 audit.rules question
by Dan White
Does the system allow for the import/include of groups of rules in other files, like logrotate and /etc/logrotate.d/* ?
“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.” (Bill Watterson: Calvin & Hobbes)
10 years, 4 months
[PATCH audit] reconfigure: Apply log_group change
by Lubomir Rintel
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1118313
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1118262
---
src/auditd-event.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/auditd-event.c b/src/auditd-event.c
index 4fa266e..66dff34 100644
--- a/src/auditd-event.c
+++ b/src/auditd-event.c
@@ -1130,6 +1130,12 @@ static void reconfigure(struct auditd_consumer_data *data)
// log format
oconf->log_format = nconf->log_format;
+ // log group
+ if (oconf->log_group != nconf->log_group) {
+ oconf->log_group = nconf->log_group;
+ need_reopen = 1;
+ }
+
// action_mail_acct
if (strcmp(oconf->action_mail_acct, nconf->action_mail_acct)) {
free((void *)oconf->action_mail_acct);
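Review bot: the new block copies nconf->log_group and raises need_reopen, but nothing in this hunk shows that the reopen path applies the new group to the log file (for example via fchown on the reopened descriptor); please confirm that the code behind need_reopen honours oconf->log_group, otherwise the running log keeps its old group until the next rotation and the two linked bugzillas are only half addressed.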
--
1.8.3.1
10 years, 5 months
file watch: separating file reads and writes
by Jon Smith
I'm running CentOS-6.5-i386-minimal.
I recently used auditd to set up a watch on a specific file (-w /path/to/my/file -p warx), but found it difficult to distinguish system calls that were modifying the file vs. reading from the file when using ausearch/aureport.
In response to that, I separated out the watches by keys:
-w /path/to/my/file -p wa -k thisisawrite
-w /path/to/my/file -p r -k thisisaread
And then ran both aureport -k and aureport -f to join the keys to the system calls by event number.
Am I wholly approaching this the wrong way, or is there an easier way to distinguish between a syscall that reads from a file vs. writes to a file?
Assuming this is the correct approach, would there then be a benefit to adding the key to the aureport -f output? I find it awkward to have to combine the two commands to get the necessary information.
Regards,
Jon Smith
10 years, 5 months
[PATCH] [STABLE] audit: remove superfluous new- prefix in AUDIT_LOGIN messages
by Richard Guy Briggs
The new- prefix on ses and auid are unnecessary and break ausearch.
Upstream-commit: aa589a1
Cc: stable(a)vger.kernel.org # v3.14-rc1 to v3.14
Reported-by: Steve Grubb <sgrubb(a)redhat.com>
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/auditsc.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 37e6216..619b58d 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1991,7 +1991,7 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
if (!ab)
return;
audit_log_format(ab, "pid=%d uid=%u"
- " old-auid=%u new-auid=%u old-ses=%u new-ses=%u"
+ " old-auid=%u auid=%u old-ses=%u ses=%u"
" res=%d",
current->pid, uid,
oldloginuid, loginuid, oldsessionid, sessionid,
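Review bot: the argument list (oldloginuid, loginuid, oldsessionid, sessionid) still lines up with the four %u conversions after the rename, so the format change is safe; since the changelog says the new- prefix breaks ausearch, it would help backporters of the v3.14-rc1 to v3.14 range if the message named the field names ausearch expects (auid= and ses=) so they can check the fix against their own log parsers.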
--
1.7.1
10 years, 5 months
[PATCH 0/3] [RFC] X32: fix syscall_get_nr while not breaking seccomp BPF
by Richard Guy Briggs
This set reverts commit 8b4b9f2 which broke audit and potentially other users
of syscall_get_nr() which depend on that call as named without being overloaded
by architecture bits. It will satisfy other regular users of syscall_get_nr()
and syscall_get_arch() without changing the seccomp interface to BPF.
A new ARCH definition, AUDIT_ARCH_X86_X32, was added for syscall_get_arch().
Cc: Paul Moore <pmoore(a)redhat.com>
Cc: Eric Paris <eparis(a)redhat.com>
Cc: Al Viro <aviro(a)redhat.com>
Cc: Will Drewry <wad(a)chromium.org>
Cc: H. Peter Anvin <hpa(a)zytor.com>
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
Link: http://lkml.kernel.org/r/cover.1405023592.git.rgb@redhat.com
Richard Guy Briggs (3):
audit: add AUDIT_ARCH_X86_X32 arch definition
seccomp: give BPF x32 bit when restoring x32 filter
Revert "x86: remove the x32 syscall bitmask from syscall_get_nr()"
arch/x86/include/asm/syscall.h | 8 ++++++--
include/uapi/linux/audit.h | 1 +
kernel/seccomp.c | 6 ++++++
3 files changed, 13 insertions(+), 2 deletions(-)
10 years, 5 months
[PATCH v2 0/2] Fix auditsc DoS and mark it BROKEN
by Andy Lutomirski
CONFIG_AUDITSYSCALL is awful. Patch 2 enumerates some reasons.
Patch 1 fixes a nasty DoS and possible information leak. It should
be applied and backported.
Patch 2 is optional. I leave it to other peoples' judgment.
Andy Lutomirski (2):
auditsc: audit_krule mask accesses need bounds checking
audit: Move CONFIG_AUDITSYSCALL into staging and update help text
Andy Lutomirski (2):
auditsc: audit_krule mask accesses need bounds checking
audit: Mark CONFIG_AUDITSYSCALL BROKEN and update help text
init/Kconfig | 13 ++++++++-----
kernel/auditsc.c | 27 ++++++++++++++++++---------
2 files changed, 26 insertions(+), 14 deletions(-)
--
1.9.3
10 years, 5 months
[PATCH 00/12] [V3] audit by executable name
by Richard Guy Briggs
This is a part of Peter Moody's, Eric Paris' and my work to implement
audit by executable name.
The fixup! patches are intended to be autosquashed down by git in the final set
of patches to be submitted, but they have been included here to show progress.
Some are quite obvious.
Please see the accompanying userspace patch:
https://www.redhat.com/archives/linux-audit/2014-May/msg00019.html
The userspace interface is not expected to change appreciably unless something
important has been overlooked. Setting and deleting rules works as expected.
If the path does not exist at rule creation time, it will be re-evaluated every
time there is a change to the parent directory at which point the change in
device and inode will be noted.
Here's a test run:
# /usr/local/sbin/auditctl -a always,exit -F dir=/tmp -F exe=/bin/touch -F key=touch_tmp
# /usr/local/sbin/ausearch --start recent -k touch_tmp
time->Mon Jun 30 14:15:06 2014
type=CONFIG_CHANGE msg=audit(1404152106.683:149): auid=0 ses=1 subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 op="add rule" key="touch_tmp" list=4 res=1
# /usr/local/sbin/auditctl -l
-a always,exit -S all -F dir=/tmp -F exe=/bin/touch -F key=touch_tmp
# touch /tmp/test
# /usr/local/sbin/ausearch --start recent -k touch_tmp
time->Wed Jul 2 12:18:47 2014
type=UNKNOWN[1327] msg=audit(1404317927.319:132): proctitle=746F756368002F746D702F74657374
type=PATH msg=audit(1404317927.319:132): item=1 name="/tmp/test" inode=25997 dev=00:20 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE
type=PATH msg=audit(1404317927.319:132): item=0 name="/tmp/" inode=11144 dev=00:20 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT
type=CWD msg=audit(1404317927.319:132): cwd="/root"
type=SYSCALL msg=audit(1404317927.319:132): arch=c000003e syscall=2 success=yes exit=3 a0=7ffffa403dd5 a1=941 a2=1b6 a3=34b65b2c6c items=2 ppid=4321 pid=6436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="touch_tmp"
Revision history:
v3: rationalize and rename some function names and clean up get/put and free code.
v2: misguided attempt to add in audit_exe similar to watches
https://www.redhat.com/archives/linux-audit/2014-June/msg00066.html
v1.5: eparis' switch to fsnotify
https://www.redhat.com/archives/linux-audit/2014-May/msg00046.html
https://www.redhat.com/archives/linux-audit/2014-May/msg00066.html
v1: change to path interface instead of inode
https://www.redhat.com/archives/linux-audit/2014-May/msg00017.html
v0: Peter Moody's original patches
Next step:
Get full-path notify working.
Eric Paris (3):
audit: implement audit by executable
audit: clean simple fsnotify implementation
audit: convert audit_exe to audit_fsnotify
Richard Guy Briggs (9):
fixup! audit: clean simple fsnotify implementation
fixup! audit: convert audit_exe to audit_fsnotify
fixup! audit: clean simple fsnotify implementation
audit: avoid double copying the audit_exe path string
fixup! audit: convert audit_exe to audit_fsnotify
fixup! audit: clean simple fsnotify implementation
fixup! audit: implement audit by executable
fixup! audit: clean simple fsnotify implementation
fixup! audit: clean simple fsnotify implementation
include/linux/audit.h | 1 +
include/uapi/linux/audit.h | 2 +
kernel/Makefile | 2 +-
kernel/audit.h | 39 +++++++
kernel/audit_exe.c | 46 +++++++++
kernel/audit_fsnotify.c | 237 ++++++++++++++++++++++++++++++++++++++++++++
kernel/auditfilter.c | 51 +++++++++-
kernel/auditsc.c | 16 +++
8 files changed, 391 insertions(+), 3 deletions(-)
create mode 100644 kernel/audit_exe.c
create mode 100644 kernel/audit_fsnotify.c
10 years, 5 months
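As an added example (not code from any post on this page), tying together Jon Smith's question about joining keys to system calls by event number and the ausearch output of the audit-by-executable test run above: a small Python parser that groups raw audit records by event serial, joins the SYSCALL record's key and exe to its PATH items, and, for open(2) on x86_64 (syscall 2, arch c000003e), decodes read vs write from the a1 flags word. The sample records are the five lines of event 132 quoted above; the field names are those visible in that output, and the O_ACCMODE decoding is the standard Linux definition, not something the page states.

```python
import re
from collections import defaultdict

# Sample input: the five records of event 132 from the "audit by executable
# name" test run quoted on this page, pasted verbatim (one record per line).
SAMPLE_LOG = """\
type=UNKNOWN[1327] msg=audit(1404317927.319:132): proctitle=746F756368002F746D702F74657374
type=PATH msg=audit(1404317927.319:132): item=1 name="/tmp/test" inode=25997 dev=00:20 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE
type=PATH msg=audit(1404317927.319:132): item=0 name="/tmp/" inode=11144 dev=00:20 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT
type=CWD msg=audit(1404317927.319:132): cwd="/root"
type=SYSCALL msg=audit(1404317927.319:132): arch=c000003e syscall=2 success=yes exit=3 a0=7ffffa403dd5 a1=941 a2=1b6 a3=34b65b2c6c items=2 ppid=4321 pid=6436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="touch_tmp"
"""

# type=<TYPE> msg=audit(<seconds>.<msec>:<serial>): <space-separated key=value body>
RECORD_RE = re.compile(r"^type=(\S+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

# Low two bits of the open(2) flags word (O_ACCMODE); standard Linux values.
ACCMODE = {0: "read", 1: "write", 2: "read-write"}

def parse_record(line):
    """Split one record into (type, serial, {field: value}); None if not a record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(4))}
    return m.group(1), int(m.group(3)), fields

def group_events(text):
    """Group records by event serial, the number ausearch/aureport join on."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            typ, serial, fields = rec
            events[serial].append((typ, fields))
    return dict(events)

def summarize(records):
    """Join the SYSCALL record's key/exe/syscall with the event's PATH items,
    and decode read vs write for open(2) on x86_64 (syscall 2, flags in a1)."""
    s = {"key": None, "exe": None, "syscall": None, "access": None, "paths": []}
    paths = []
    for typ, f in records:
        if typ == "SYSCALL":
            s["key"], s["exe"], s["syscall"] = f.get("key"), f.get("exe"), int(f["syscall"])
            if f.get("arch") == "c000003e" and s["syscall"] == 2:
                s["access"] = ACCMODE.get(int(f["a1"], 16) & 3)
        elif typ == "PATH":
            paths.append((int(f["item"]), f["name"], f["nametype"]))
    s["paths"] = [(n, t) for _, n, t in sorted(paths)]  # item order: parent first
    return s
```

Feeding the output of `ausearch --raw` (one record per line) to group_events gives one summary per event, so a single watch keyed once can still be split into reads and writes after the fact instead of needing two rules with separate keys.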