Audit format utility
by Steve Grubb
Hello,
I have been doing some thinking about allowing user defined formats to be
declared as a parameter to ausearch. Before I commit to that, I thought it
might be interesting to create a "mockup". I have placed a utility here:
http://people.redhat.com/sgrubb/files/auformat.tar.gz
Just untar it and run make.
$ ./auformat
Usage: auformat <format-string> [path-to-log] --fill
What this means is that you can give it a path to a file. If you don't do that,
it will read from stdin. Then it will output the fields that you specify. To
specify fields start with a % and then put the name as seen in logs. A couple examples:
%auid %pid %path %exe
This will dump the raw value. But suppose you wanted the interpreted values?
Tell it to interpret by giving uppercase:
%AUID %SYSCALL %RES %PATH
Not all events have all fields. By default it will emit a message to stderr
about this. But, you can give it --fill which will print "(none)" in that case.
So, a use might be:
# ausearch --start today -m login --raw | ~sgrubb/test/auformat/auformat "%time %AUID %ses %RES\n"
The app also has 4 virtual field names: date, time, milli, serial. These
relate to the event timestamp which you couldn't specify any other way.
In any event, I am putting this out to see what people think.
-Steve
10 years, 1 month
[PATCH V4 0/4] audit by executable name
by Richard Guy Briggs
This is a part of Peter Moody, my and Eric Paris' work to implement
audit by executable name.
Please see the accompanying userspace patch:
https://www.redhat.com/archives/linux-audit/2014-May/msg00019.html
The userspace interface is not expected to change appreciably unless something
important has been overlooked. Setting and deleting rules works as expected.
If the path does not exist at rule creation time, it will be re-evaluated every
time there is a change to the parent directory at which point the change in
device and inode will be noted.
Here's a test run:
# /usr/local/sbin/auditctl -a always,exit -F dir=/tmp -F exe=/bin/touch -F key=touch_tmp
# /usr/local/sbin/ausearch --start recent -k touch_tmp
time->Mon Jun 30 14:15:06 2014
type=CONFIG_CHANGE msg=audit(1404152106.683:149): auid=0 ses=1 subj=unconfined_u :unconfined_r:auditctl_t:s0-s0:c0.c1023 op="add rule" key="touch_tmp" list=4 res =1
# /usr/local/sbin/auditctl -l
-a always,exit -S all -F dir=/tmp -F exe=/bin/touch -F key=touch_tmp
# touch /tmp/test
# /usr/local/sbin/ausearch --start recent -k touch_tmp
time->Wed Jul 2 12:18:47 2014
type=UNKNOWN[1327] msg=audit(1404317927.319:132): proctitle=746F756368002F746D702F74657374
type=PATH msg=audit(1404317927.319:132): item=1 name="/tmp/test" inode=25997 dev=00:20 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE
type=PATH msg=audit(1404317927.319:132): item=0 name="/tmp/" inode=11144 dev=00:20 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT
type=CWD msg=audit(1404317927.319:132): cwd="/root"
type=SYSCALL msg=audit(1404317927.319:132): arch=c000003e syscall=2 success=yes exit=3 a0=7ffffa403dd5 a1=941 a2=1b6 a3=34b65b2c6c items=2 ppid=4321 pid=6436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="touch_tmp"
Revision history:
v4: Re-order and squash down fixups
Fix audit_dup_exe() to copy pathname string before calling audit_alloc_mark().
v3: Rationalize and rename some function names and clean up get/put and free code.
Rename several "watch" references to "mark".
Rename audit_remove_rule() to audit_remove_mark_rule().
Let audit_free_rule() take care of calling audit_remove_mark().
Put audit_alloc_mark() arguments in same order as watch, tree and inode.
Move the access to the entry for audit_match_signal() to the beginning
of the function in case the entry found is the same one passed in.
This will enable it to be used by audit_remove_mark_rule().
https://www.redhat.com/archives/linux-audit/2014-July/msg00000.html
v2: Misguided attempt to add in audit_exe similar to watches
https://www.redhat.com/archives/linux-audit/2014-June/msg00066.html
v1.5: eparis' switch to fsnotify
https://www.redhat.com/archives/linux-audit/2014-May/msg00046.html
https://www.redhat.com/archives/linux-audit/2014-May/msg00066.html
v1: Change to path interface instead of inode
https://www.redhat.com/archives/linux-audit/2014-May/msg00017.html
v0: Peter Moodie's original patches
https://www.redhat.com/archives/linux-audit/2012-August/msg00033.html
Next step:
Get full-path notify working.
Eric Paris (3):
audit: implement audit by executable
audit: clean simple fsnotify implementation
audit: convert audit_exe to audit_fsnotify
Richard Guy Briggs (1):
audit: avoid double copying the audit_exe path string
include/linux/audit.h | 1 +
include/uapi/linux/audit.h | 2 +
kernel/Makefile | 2 +-
kernel/audit.h | 39 +++++++
kernel/audit_exe.c | 49 +++++++++
kernel/audit_fsnotify.c | 237 ++++++++++++++++++++++++++++++++++++++++++++
kernel/auditfilter.c | 51 +++++++++-
kernel/auditsc.c | 16 +++
8 files changed, 394 insertions(+), 3 deletions(-)
create mode 100644 kernel/audit_exe.c
create mode 100644 kernel/audit_fsnotify.c
10 years, 1 month
[PATCH] selinux: hooks: cleanup orphan keywords in audit log text
by Richard Guy Briggs
Convert audit_log() call to WARN_ONCE().
Rename "type=" to nlmsg_type=" to avoid confusion with the audit record
type.
Added "protocol=" to help track down which protocol (NETLINK_AUDIT?) was used
within the netlink protocol family.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
security/selinux/hooks.c | 7 +++----
1 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 83d06db..28ec61c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4681,10 +4681,9 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
if (err) {
if (err == -EINVAL) {
- audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
- "SELinux: unrecognized netlink message"
- " type=%hu for sclass=%hu\n",
- nlh->nlmsg_type, sksec->sclass);
+ WARN_ONCE(1, "selinux_nlmsg_perm: unrecognized netlink message:"
+ " protocol=%hu nlmsg_type=%hu sclass=%hu\n",
+ sk->sk_protocol, nlh->nlmsg_type, sksec->sclass);
if (!selinux_enforcing || security_get_allow_unknown())
err = 0;
}
--
1.7.1
10 years, 1 month
[PATCH] selinux: services: cleanup orphan keywords in audit log text
by Richard Guy Briggs
Restructure to keyword=value pairs without spaces. Drop superfluous words in
text. Make invalid_context a keyword. Change result= keyword to seresult=.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
security/selinux/ss/services.c | 14 ++++++++------
1 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 4bca494..e822910 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -728,7 +728,7 @@ static int security_validtrans_handle_fail(struct context *ocontext,
if (context_struct_to_string(tcontext, &t, &tlen))
goto out;
audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
- "security_validate_transition: denied for"
+ "op=security_validate_transition seresult=denied"
" oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
o, n, t, sym_name(&policydb, SYM_CLASSES, tclass-1));
out:
@@ -877,7 +877,7 @@ int security_bounded_transition(u32 old_sid, u32 new_sid)
audit_log(current->audit_context,
GFP_ATOMIC, AUDIT_SELINUX_ERR,
"op=security_bounded_transition "
- "result=denied "
+ "seresult=denied "
"oldcontext=%s newcontext=%s",
old_name, new_name);
}
@@ -1351,8 +1351,8 @@ static int compute_sid_handle_invalid_context(
if (context_struct_to_string(newcontext, &n, &nlen))
goto out;
audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
- "security_compute_sid: invalid context %s"
- " for scontext=%s"
+ "op=security_compute_sid invalid_context=%s"
+ " scontext=%s"
" tcontext=%s"
" tclass=%s",
n, s, t, sym_name(&policydb, SYM_CLASSES, tclass-1));
@@ -2584,8 +2584,10 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
rc = convert_context_handle_invalid_context(&newcon);
if (rc) {
if (!context_struct_to_string(&newcon, &s, &len)) {
- audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
- "security_sid_mls_copy: invalid context %s", s);
+ audit_log(current->audit_context,
+ GFP_ATOMIC, AUDIT_SELINUX_ERR,
+ "op=security_sid_mls_copy "
+ "invalid_context=%s", s);
kfree(s);
}
goto out_unlock;
--
1.7.1
10 years, 1 month
disable zos-remote from configuration
by Philip Dizon
Hi,
I'm currently getting this error trying to cross compile audit
zos-remote-plugin.c:39:18: fatal error: lber.h: No such file or directory
Short of building ldap, is it possible to just disable zos-remote plugin
from the configuration?
Thanks
Philip
10 years, 1 month
Changing Syslog facility
by Marcus Inskip
Hi,
I’m trying to change the logging facility of audispd to local2 to send logs off to a remote server via Rsyslog without logging twice is this possible?
Many thanks in advance,
Marcus
10 years, 1 month
[PATCH] audit: remove open_arg() function that is never used
by Richard Guy Briggs
open_arg() was added in commit 55669bfa "audit: AUDIT_PERM support"
and never used. Remove it.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/auditsc.c | 8 --------
1 files changed, 0 insertions(+), 8 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4e17443..63a74a7 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -126,14 +126,6 @@ struct audit_tree_refs {
struct audit_chunk *c[31];
};
-static inline int open_arg(int flags, int mask)
-{
- int n = ACC_MODE(flags);
- if (flags & (O_TRUNC | O_CREAT))
- n |= AUDIT_PERM_WRITE;
- return n & mask;
-}
-
static int audit_match_perm(struct audit_context *ctx, int mask)
{
unsigned n;
--
1.7.1
10 years, 1 month
[PATCH] audit: restore AUDIT_LOGINUID unset ABI
by Richard Guy Briggs
A regression was caused by commit 780a7654cee8:
audit: Make testing for a valid loginuid explicit.
(which in turn attempted to fix a regression caused by e1760bd)
When audit_krule_to_data() fills in the rules to get a listing, there was a
missing clause to convert back from AUDIT_LOGINUID_SET to AUDIT_LOGINUID.
This broke userspace by not returning the same information that was sent and
expected.
The rule:
auditctl -a exit,never -F auid=-1
gives:
auditctl -l
LIST_RULES: exit,never f24=0 syscall=all
when it should give:
LIST_RULES: exit,never auid=-1 (0xffffffff) syscall=all
Cc: stable(a)vger.kernel.org # v3.10-rc1+
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/auditfilter.c | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 40ed981..d0715a7 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -630,6 +630,13 @@ static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule)
data->buflen += data->values[i] =
audit_pack_string(&bufp, krule->filterkey);
break;
+ case AUDIT_LOGINUID_SET:
+ if (!f->val) {
+ data->fields[i] = AUDIT_LOGINUID;
+ data->values[i] = AUDIT_UID_UNSET;
+ break;
+ }
+ /* fallthrough if set */
default:
data->values[i] = f->val;
}
--
1.7.1
10 years, 1 month
[PATCH v2] arm: prevent BUG_ON in audit_syscall_entry()
by AKASHI Takahiro
BUG_ON() in audit_syscall_entry() will be hit if user issues syscall(-1)
while syscall auditing is enabled (that is, by starting auditd).
------------[ cut here ]------------
kernel BUG at /home/akashi/arm/armv7/linux/kernel/auditsc.c:1534!
Internal error: Oops - BUG: 0 [#1] SMP ARM
Modules linked in:
CPU: 0 PID: 61 Comm: syscall_arm Not tainted 3.17.0-rc4 #60
task: ea0c4380 ti: ea48e000 task.ti: ea48e000
PC is at __audit_syscall_entry+0xe4/0x110
LR is at 0xea0c4380
pc : [<c02b2ae8>] lr : [<ea0c4380>] psr: 20000013
sp : ea48ff68 ip : 00000001 fp : 0000869c
r10: 00000200 r9 : ea48e000 r8 : c020f4e4
r7 : 000000c5 r6 : ea48e000 r5 : ea48ffb0 r4 : ea490800
r3 : bef1e718 r2 : 00000001 r1 : 000000c5 r0 : 40000028
Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
Control: 10c5387d Table: 8a4ac059 DAC: 00000015
Process syscall_arm (pid: 61, stack limit = 0xea48e250)
Stack: (0xea48ff68 to 0xea490000)
ff60: 540e7a69 3ab5e840 00000200 000000c5 ea48ffb0 ea48e000
ff80: 000000c5 c02114bc bef1e718 00000001 b6efdb58 ffffffff 08400000 000000c5
ffa0: c020f4e4 c020f49c b6efdb58 ffffffff 00000001 bef1e718 bef1e718 00000001
ffc0: b6efdb58 ffffffff 08400000 000000c5 00000000 b6f22850 00000008 0000869c
ffe0: 000000c5 bef1e704 b6ea315f b6e318e6 20000030 00000001 00000000 00000000
[<c02b2ae8>] (__audit_syscall_entry) from [<c02114bc>] (syscall_trace_enter+0xf0/0x120)
[<c02114bc>] (syscall_trace_enter) from [<c020f49c>] (__sys_trace+0xc/0x38)
Code: e584500c e5842004 e28dd00c e8bd80f0 (e7f001f2)
---[ end trace 0c4441660aba5692 ]---
In fact, syscall(-1) just fails (not signaled despite the expectation,
this is another minor bug), but the succeeding syscall hits BUG_ON.
When auditing syscall(-1), audit_syscall_entry() is called anyway, but
audit_syscall_exit() is not called and then 'in_syscall' flag in thread's
audit context is kept on. In this way, audit_syscall_entry() against
the succeeding syscall will see BUG_ON(in_syscall).
This patch fixes this bug by
1) preventing syscall tracing, ftrace tracepoint and audit, from being
executed in case of invalid or pseudo system calls,
2) handling user-issued syscall(-1) with arm_syscall().
Signed-off-by: AKASHI Takahiro <takahiro.akashi(a)linaro.org>
---
arch/arm/include/asm/traps.h | 1 +
arch/arm/kernel/entry-common.S | 4 ++--
arch/arm/kernel/ptrace.c | 47 +++++++++++++++++++++++++---------------
3 files changed, 32 insertions(+), 20 deletions(-)
diff --git a/arch/arm/include/asm/traps.h b/arch/arm/include/asm/traps.h
index f555bb3..de01145 100644
--- a/arch/arm/include/asm/traps.h
+++ b/arch/arm/include/asm/traps.h
@@ -49,6 +49,7 @@ static inline int in_exception_text(unsigned long ptr)
extern void __init early_trap_init(void *);
extern void dump_backtrace_entry(unsigned long where, unsigned long from, unsigned long frame);
extern void ptrace_break(struct task_struct *tsk, struct pt_regs *regs);
+extern int arm_syscall(int no, struct pt_regs *regs);
extern void *vectors_page;
diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S
index e52fe5a..28d3931 100644
--- a/arch/arm/kernel/entry-common.S
+++ b/arch/arm/kernel/entry-common.S
@@ -426,7 +426,6 @@ ENTRY(vector_swi)
local_restart:
ldr r10, [tsk, #TI_FLAGS] @ check for syscall tracing
stmdb sp!, {r4, r5} @ push fifth and sixth args
-
tst r10, #_TIF_SYSCALL_WORK @ are we tracing syscalls?
bne __sys_trace
@@ -476,10 +475,11 @@ __sys_trace:
cmp scno, #-1 @ skip the syscall?
bne 2b
add sp, sp, #S_OFF @ restore stack
- b ret_slow_syscall
+ b __sys_trace_return_skipped
__sys_trace_return:
str r0, [sp, #S_R0 + S_OFF]! @ save returned r0
+__sys_trace_return_skipped:
mov r0, sp
bl syscall_trace_exit
b ret_slow_syscall
diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
index 0c27ed6..68b42cd 100644
--- a/arch/arm/kernel/ptrace.c
+++ b/arch/arm/kernel/ptrace.c
@@ -930,7 +930,9 @@ static void tracehook_report_syscall(struct pt_regs *regs,
asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno)
{
- current_thread_info()->syscall = scno;
+ int orig_scno;
+
+ current_thread_info()->syscall = orig_scno = scno;
/* Do the secure computing check first; failures should be fast. */
if (secure_computing(scno) == -1)
@@ -941,31 +943,40 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno)
scno = current_thread_info()->syscall;
- if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
- trace_sys_enter(regs, scno);
+ if (scno >= 0 && scno < NR_syscalls) {
+ if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
+ trace_sys_enter(regs, scno);
+
+ audit_syscall_entry(AUDIT_ARCH_ARM, scno,
+ regs->ARM_r0, regs->ARM_r1,
+ regs->ARM_r2, regs->ARM_r3);
+ }
- audit_syscall_entry(AUDIT_ARCH_ARM, scno, regs->ARM_r0, regs->ARM_r1,
- regs->ARM_r2, regs->ARM_r3);
+ /* user-issued syscall of -1 */
+ if (scno == -1 && orig_scno == -1)
+ arm_syscall(scno, regs);
return scno;
}
asmlinkage void syscall_trace_exit(struct pt_regs *regs)
{
- /*
- * Audit the syscall before anything else, as a debugger may
- * come in and change the current registers.
- */
- audit_syscall_exit(regs);
+ if (current_thread_info()->syscall < NR_syscalls) {
+ /*
+ * Audit the syscall before anything else, as a debugger may
+ * come in and change the current registers.
+ */
+ audit_syscall_exit(regs);
- /*
- * Note that we haven't updated the ->syscall field for the
- * current thread. This isn't a problem because it will have
- * been set on syscall entry and there hasn't been an opportunity
- * for a PTRACE_SET_SYSCALL since then.
- */
- if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
- trace_sys_exit(regs, regs_return_value(regs));
+ /*
+ * Note that we haven't updated the ->syscall field for the
+ * current thread. This isn't a problem because it will have
+ * been set on syscall entry and there hasn't been
+ * an opportunity for a PTRACE_SET_SYSCALL since then.
+ */
+ if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
+ trace_sys_exit(regs, regs_return_value(regs));
+ }
if (test_thread_flag(TIF_SYSCALL_TRACE))
tracehook_report_syscall(regs, PTRACE_SYSCALL_EXIT);
--
1.7.9.5
10 years, 1 month
User Account Lifecycle Auditing Specification
by Steve Grubb
Hello,
Recently I run across a problem where the events being sent by a program that
enrolls users and groups was found to be not sending the right events. Some of
the events were correct, some were wrong. In wanting to correct this problem
(and write verification suites later) I thought it might be nice to have some
specifications written up so that there is a common understanding that may be
referred to. This will allow correction of misbehaving programs and people to
better understand what this handful of events mean in a larger context.
The document was added to the audit project page. A direct link can be found
here:
http://people.redhat.com/sgrubb/audit/user-account-lifecycle.txt
I would appreciate feedback and/or comments. I will also try to write up a
couple other areas that need some clarification in the near future.
-Steve
10 years, 1 month