Granting CAP_AUDIT_WRITE to X/dbus/...
by Laurent Bigonville
Hello,
I was wondering now that the xserver can run as non-root shouldn't the
CAP_WRITE_AUDIT file capability be set on the Xorg executable? Same
question for AVC denials logging with dbus session bus[0]?
And in general, does anybody have an opinion about giving this
capability to $random executable?
Cheers,
Laurent Bigonville
[0] See: https://bugs.freedesktop.org/show_bug.cgi?id=83856
10 years, 3 months
Logging not resumed after low disk space
by Laurent Bigonville
Hello,
Yesterday, I apparently ran out of disk space. Today I was wondering why
there were no new audit trails in the logs.
systemctl status auditd showed me:
Audit daemon is low on disk space for logging
Audit daemon is suspending logging due to low disk space.
Shouldn't the daemon resume the logging when free disk space is
available again?
I had to restart the daemon completely as reloading it was not enough.
Cheers,
Laurent Bigonville
10 years, 3 months
rhel6/7 question
by LC Bruzenak
Are there any issues with a RHEL7 auditd collecting events from RHEL6
submitters?
How about any interpretation issues, on the RHEL7 side, of these events?
Thanks in advance,
LCB
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
10 years, 3 months
path watcher
by John Haxby
Hello,
We have an internal group auditing updates to files but who would like
to be able to monitor the actual modification rather than the possible
intent to modify.
The example they gave is that some program opens a file
O_WRONLY|O_APPEND but in most cases it does not subsequently write to
the file. For them, the usual auditctl -p path -w wa causes lots of
false positives.
Historically, I know, that -w wa is triggered by the open(2) flags
rather than actual modifications because "[t]he read & write syscalls
are omitted from this set since they would overwhelm the logs." Reading
this again now, it looks a little specious as it seems quite easy to
overwhelm the logs anyway.
Is there any reason why a file watcher should not use the fsnotify
FS_ACCESS/MODIFY/ATTRIB masks before I go haring off to try to implement
that?
jch
10 years, 3 months
[PATCH net-next] netfilter: create audit records for ebtables replaces
by Nicolas Dichtel
This is already done for x_tables (family AF_INET and AF_INET6), let's do it
for AF_BRIDGE also.
Signed-off-by: Nicolas Dichtel <nicolas.dichtel(a)6wind.com>
---
net/bridge/netfilter/ebtables.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 6d69631b9f4d..4ba0c5c78778 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -26,6 +26,7 @@
#include <asm/uaccess.h>
#include <linux/smp.h>
#include <linux/cpumask.h>
+#include <linux/audit.h>
#include <net/sock.h>
/* needed for logical [in,out]-dev filtering */
#include "../br_private.h"
@@ -1126,6 +1127,20 @@ static int do_replace(struct net *net, const void __user *user,
}
ret = do_replace_finish(net, &tmp, newinfo);
+#ifdef CONFIG_AUDIT
+ if (audit_enabled) {
+ struct audit_buffer *ab;
+
+ ab = audit_log_start(current->audit_context, GFP_KERNEL,
+ AUDIT_NETFILTER_CFG);
+ if (ab) {
+ audit_log_format(ab, "table=%s family=%u entries=%u",
+ tmp.name, AF_BRIDGE,
+ tmp.nentries);
+ audit_log_end(ab);
+ }
+ }
+#endif
if (ret == 0)
return ret;
free_entries:
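Review bot: the audit record is emitted regardless of the value of ret returned by do_replace_finish(), so a failed replace is logged exactly like a successful one; either gate the block on ret == 0 or add a res= field so the outcome is visible to the consumer. Also, tmp.name is formatted with %s although it was copied from userspace: make sure it is NUL-terminated before this point (not visible in this hunk) or log it with audit_log_untrustedstring() as a user-controlled string.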
--
1.9.0
10 years, 3 months
[PATCH] arm: prevent BUG_ON in audit_syscall_entry()
by AKASHI Takahiro
BUG_ON() in audit_syscall_entry() will be hit if user issues syscall(-1)
while syscall auditing is enabled (that is, by starting auditd).
In fact, syscall(-1) just fails (not signaled despite the expectation,
this is another minor bug), but the succeeding syscall hits BUG_ON.
When auditing syscall(-1), audit_syscall_entry() is called anyway, but
audit_syscall_exit() is not called and then 'in_syscall' flag in thread's
audit context is kept on. In this way, audit_syscall_entry() against
the succeeding syscall will see BUG_ON(in_syscall).
This patch fixes this bug by
1) enforcing syscall exit tracing, including audit_syscall_exit(), to be
executed in all cases,
2) handling user-issued syscall(-1) with arm_syscall().
Signed-off-by: AKASHI Takahiro <takahiro.akashi(a)linaro.org>
---
arch/arm/kernel/entry-common.S | 4 ++--
arch/arm/kernel/ptrace.c | 10 +++++++++-
2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S
index e52fe5a..28d3931 100644
--- a/arch/arm/kernel/entry-common.S
+++ b/arch/arm/kernel/entry-common.S
@@ -426,7 +426,6 @@ ENTRY(vector_swi)
local_restart:
ldr r10, [tsk, #TI_FLAGS] @ check for syscall tracing
stmdb sp!, {r4, r5} @ push fifth and sixth args
-
tst r10, #_TIF_SYSCALL_WORK @ are we tracing syscalls?
bne __sys_trace
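Review bot: this hunk only deletes a blank line in local_restart, which is unrelated to the BUG_ON fix; drop it from this patch (or send it separately) so the change stays minimal and easy to backport.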
@@ -476,10 +475,11 @@ __sys_trace:
cmp scno, #-1 @ skip the syscall?
bne 2b
add sp, sp, #S_OFF @ restore stack
- b ret_slow_syscall
+ b __sys_trace_return_skipped
__sys_trace_return:
str r0, [sp, #S_R0 + S_OFF]! @ save returned r0
+__sys_trace_return_skipped:
mov r0, sp
bl syscall_trace_exit
b ret_slow_syscall
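Review bot: the new __sys_trace_return_skipped label deserves a comment explaining that r0 is deliberately not stored into the saved regs because no syscall ran, and that it is entered with sp already adjusted by the "add sp, sp, #S_OFF" above (the "str r0, [sp, #S_R0 + S_OFF]!" on the normal path does the same adjustment via writeback), so both paths reach "mov r0, sp" with sp pointing at the pt_regs. Without that note the asymmetry looks like an oversight.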
diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
index 0c27ed6..f3339c8 100644
--- a/arch/arm/kernel/ptrace.c
+++ b/arch/arm/kernel/ptrace.c
@@ -928,9 +928,13 @@ static void tracehook_report_syscall(struct pt_regs *regs,
regs->ARM_ip = ip;
}
+extern int arm_syscall(int, struct pt_regs *);
+
asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno)
{
- current_thread_info()->syscall = scno;
+ int orig_scno;
+
+ current_thread_info()->syscall = orig_scno = scno;
/* Do the secure computing check first; failures should be fast. */
if (secure_computing(scno) == -1)
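Review bot: the "extern int arm_syscall(int, struct pt_regs *);" prototype added directly in ptrace.c should live in a shared header included by both the definition and this caller, so the compiler can check that the two agree; a file-local extern will silently drift if the signature changes.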
@@ -947,6 +951,10 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno)
audit_syscall_entry(AUDIT_ARCH_ARM, scno, regs->ARM_r0, regs->ARM_r1,
regs->ARM_r2, regs->ARM_r3);
+ /* user-issued syscall of -1 */
+ if (scno == -1 && orig_scno == -1)
+ arm_syscall(scno, regs);
+
return scno;
}
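Review bot: the comment "user-issued syscall of -1" should say why the condition also requires orig_scno == -1, i.e. that a tracer rewriting scno to -1 to skip the syscall must not be routed through arm_syscall(); as written the reader has to reconstruct that intent. The return value of arm_syscall() is also discarded: if it is meant to become the syscall result, store it in regs->ARM_r0, otherwise state in the comment that only its side effect is wanted.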
--
1.7.9.5
10 years, 3 months
How to exclude a directory?
by leam hall
I'm looking for a way to not audit events in a directory tree. Is
there such an option?
Thanks!
Leam
--
Mind on a Mission
10 years, 3 months
[PATCH V4 0/8] namespaces: log namespaces per task
by Richard Guy Briggs
The purpose is to track namespace instances in use by logged processes from the
perspective of init_*_ns by assigning each a per-kernel, per-boot serial
number.
1/8 defines a function to generate them and assigns them.
Use a serial number per namespace (unique across one boot of one kernel)
instead of the inode number (which is claimed to have had the right to change
reserved and is not necessarily unique if there is more than one proc fs). It
could be argued that the inode numbers have now become a de facto interface and
can't change now, but I'm proposing this approach to see if this helps address
some of the objections to the earlier patchset.
2/8 adds access functions to get to the serial numbers in a similar way to
inode access for namespace proc operations.
3/8 implements, as suggested by Serge Hallyn, making these serial numbers
available in /proc/self/ns/{ipc,mnt,net,pid,user,uts}_snum. I chose "snum"
instead of "seq" for consistency with inum and there are a number of other uses
of "seq" in the namespace code.
4/8 Document proc's ns entries structure in Documentation/filesystems/proc.txt
5/8 exposes proc's ns entries structure which lists a number of useful
operations per namespace type for other subsystems to use.
6/8 provides an example of usage for audit_log_task_info() which is used by
syscall audits, among others. audit_log_task() and audit_common_recv_message()
would be other potential use cases.
Proposed output format:
This differs slightly from Aristeu's patch because of the label conflict with
"pid=" due to including it in existing records rather than it being a separate
record. It has now returned to being a separate record. The serial numbers
are printed in hex.
type=NS_INFO msg=audit(1408577535.306:82): netns=8 utsns=2 ipcns=1 pidns=4 userns=3 mntns=5
7/8 tracks the creation and deletion of namespaces, listing the type of
namespace instance, related namespace id if there is one and the newly minted
serial number.
Proposed output format for initial namespace creation:
type=AUDIT_NS_INIT_UTS msg=audit(1408577534.868:5): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_utsns=0 utsns=2 res=1
type=AUDIT_NS_INIT_USER msg=audit(1408577534.868:6): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_userns=0 userns=3 res=1
type=AUDIT_NS_INIT_PID msg=audit(1408577534.868:7): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_pidns=0 pidns=4 res=1
type=AUDIT_NS_INIT_MNT msg=audit(1408577534.868:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_mntns=0 mntns=5 res=1
type=AUDIT_NS_INIT_IPC msg=audit(1408577534.868:9): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_ipcns=0 ipcns=1 res=1
type=AUDIT_NS_INIT_NET msg=audit(1408577533.500:10): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_netns=0 netns=7 res=1
And a CLONE action would result in:
type=type=AUDIT_NS_INIT_NET msg=audit(1408577535.306:81): pid=481 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 old_netns=7 netns=8 res=1
type=type=AUDIT_NS_INIT_MNT msg=audit(1408577535.307:83): pid=481 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 old_mntns=5 mntns=9 res=1
While deleting a namespace would result in:
type=type=AUDIT_NS_DEL_MNT msg=audit(1408577552.221:85): pid=481 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 mntns=9 res=1
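A parser for the record formats proposed above (NS_INFO, NS_INIT_* and NS_DEL_*), which rebuilds each namespace's lineage back to the boot's initial namespace and flags serial numbers that appear in an NS_INFO record without any creation record. This is an added example, not code from the patchset; the sample log is constructed from the formats in this cover letter (with the duplicated `type=` prefix in the CLONE/DEL examples dropped), serial numbers are read as hex as the text says, and the `known` flag and the handling of the `res=` field are assumptions of this example, not something the patchset defines.

```python
"""Parse the proposed NS_INFO / NS_INIT_* / NS_DEL_* audit records and rebuild
namespace lineage from them.  Added example; not code from the patchset."""
import re
from collections import namedtuple

# Header shared by every audit record: type=X msg=audit(SECS.MSEC:SERIAL): key=value ...
HEADER_RE = re.compile(r"^type=(\S+)\s+msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
# Record types from the cover letter, with or without the AUDIT_ prefix.
NS_EVENT_RE = re.compile(r"^(?:AUDIT_)?NS_(INIT|DEL)_([A-Z]+)$")
NS_TYPES = ("uts", "user", "pid", "mnt", "ipc", "net")

Record = namedtuple("Record", "type time serial fields")

# Constructed sample log in the proposed format (not captured from a real kernel).
SAMPLE_LOG = """\
type=AUDIT_NS_INIT_UTS msg=audit(1408577534.868:5): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_utsns=0 utsns=2 res=1
type=AUDIT_NS_INIT_USER msg=audit(1408577534.868:6): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_userns=0 userns=3 res=1
type=AUDIT_NS_INIT_PID msg=audit(1408577534.868:7): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_pidns=0 pidns=4 res=1
type=AUDIT_NS_INIT_MNT msg=audit(1408577534.868:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_mntns=0 mntns=5 res=1
type=AUDIT_NS_INIT_IPC msg=audit(1408577534.868:9): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_ipcns=0 ipcns=1 res=1
type=AUDIT_NS_INIT_NET msg=audit(1408577533.500:10): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_netns=0 netns=7 res=1
type=AUDIT_NS_INIT_NET msg=audit(1408577535.306:81): pid=481 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 old_netns=7 netns=8 res=1
type=NS_INFO msg=audit(1408577535.306:82): netns=8 utsns=2 ipcns=1 pidns=4 userns=3 mntns=5
type=AUDIT_NS_INIT_MNT msg=audit(1408577535.307:83): pid=481 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 old_mntns=5 mntns=9 res=1
type=AUDIT_NS_DEL_MNT msg=audit(1408577552.221:85): pid=481 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 mntns=9 res=1
"""


def parse_record(line):
    """Split one audit line into its type, timestamp, audit serial and key=value fields."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError("not an audit record: %r" % line)
    rtype, secs, msecs, serial, body = m.groups()
    return Record(rtype, float("%s.%s" % (secs, msecs)), int(serial), dict(KV_RE.findall(body)))


def ns_serial(value):
    # Namespace serial numbers are printed in hex in the proposed format.
    return int(value, 16)


def build_namespace_index(records):
    """Map (nstype, serial) -> {'parent': serial or 0, 'pid': creator, 'deleted': bool}.
    Only successful (res=1) INIT/DEL events are taken into account (assumption)."""
    index = {}
    for rec in records:
        m = NS_EVENT_RE.match(rec.type)
        if m is None or rec.fields.get("res") != "1":
            continue
        action, nstype = m.group(1), m.group(2).lower()
        key = nstype + "ns"
        serial = ns_serial(rec.fields[key])
        if action == "INIT":
            index[(nstype, serial)] = {
                "parent": ns_serial(rec.fields.get("old_" + key, "0")),
                "pid": int(rec.fields.get("pid", "0")),
                "deleted": False,
            }
        else:  # DEL of a namespace we may or may not have seen created
            index.setdefault((nstype, serial), {"parent": None, "pid": None, "deleted": False})
            index[(nstype, serial)]["deleted"] = True
    return index


def lineage(index, nstype, serial):
    """Serial numbers from the given namespace back towards the initial one.
    Stops at parent 0 (initial namespace) or at a serial with no creation record."""
    chain, seen = [], set()
    while serial not in (0, None) and serial not in seen:
        chain.append(serial)
        seen.add(serial)
        entry = index.get((nstype, serial))
        serial = entry["parent"] if entry else None
    return chain


def explain_ns_info(index, rec):
    """For an NS_INFO record, give each namespace's lineage and whether its creation was logged."""
    out = {}
    for nstype in NS_TYPES:
        key = nstype + "ns"
        if key not in rec.fields:
            continue
        serial = ns_serial(rec.fields[key])
        out[nstype] = {"lineage": lineage(index, nstype, serial), "known": (nstype, serial) in index}
    return out


def analyze(log_text):
    """Parse a whole log and explain every NS_INFO record in it."""
    records = [parse_record(l) for l in log_text.splitlines() if l.strip()]
    index = build_namespace_index(records)
    return index, [(r.serial, explain_ns_info(index, r)) for r in records if r.type == "NS_INFO"]


if __name__ == "__main__":
    index, infos = analyze(SAMPLE_LOG)
    for (nstype, serial), entry in sorted(index.items()):
        print("%-4s ns %x: parent %s, created by pid %s%s" % (
            nstype, serial, entry["parent"], entry["pid"], " (deleted)" if entry["deleted"] else ""))
    for audit_serial, explained in infos:
        print("NS_INFO %d:" % audit_serial)
        for nstype, info in explained.items():
            chain = " <- ".join("%x" % s for s in info["lineage"])
            print("  %s: %s%s" % (nstype, chain, "" if info["known"] else "  (no creation record)"))
```

The lineage walk is what a consumer of these records would need to answer "which container did this syscall come from": an NS_INFO serial with no INIT record (for example because auditd started after the namespace was created, the issue 8/8 addresses for the initial namespaces) is reported as unknown rather than silently treated as a root namespace.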
8/8 change audit startup from __initcall to subsys_initcall to get it started
earlier to be able to receive initial namespace log messages.
v3 -> v4:
Separate out the NS_INFO message from the SYSCALL message.
Moved audit_log_namespace_info() out of audit_log_task_info().
Use a separate message type per namespace type for each of INIT/DEL.
Make ns= easier to search across NS_INFO and NS_INIT/DEL_XXX msg types.
Add /proc/<pid>/ns/ documentation.
Fix dynamic initial ns logging.
v2 -> v3:
Use atomic64_t in ns_serial to simplify it.
Avoid function duplication in proc, keying on dentry.
Squash down audit patch to avoid rcu sleep issues.
Add tracking for creation and deletion of namespace instances.
v1 -> v2:
Avoid rollover by switching from an int to a long long.
Change rollover behaviour from simply avoiding zero to raising a BUG.
Expose serial numbers in /proc/<pid>/ns/*_snum.
Expose ns_entries and use it in audit.
Notes:
As for CAP_AUDIT_READ, a patchset has been accepted upstream to check
capabilities of userspace processes that try to join netlink broadcast groups.
This set does not try to solve the non-init namespace audit messages and
auditd problem yet. That will come later, likely with additional auditd
instances running in another namespace with a limited ability to influence the
master auditd. I echo Eric B's idea that messages destined for different
namespaces would have to be tailored for that namespace with references that
make sense (such as the right pid number reported to that pid namespace, and
not leaking info about parents or peers).
Questions:
Is there a way to link serial numbers of namespaces involved in migration of a
container to another kernel? It sounds like what is needed is a part of a
management application that is able to pull the audit records from constituent
hosts to build an audit trail of a container.
What additional events should list this information?
Does this present any problematic information leaks? Only CAP_AUDIT_CONTROL
(and now CAP_AUDIT_READ) in init_user_ns can get to this information in
the init namespace at the moment from audit. *However*, the addition of the
proc/<pid>/ns/*_snum does make it available to other processes now.
Richard Guy Briggs (8):
namespaces: assign each namespace instance a serial number
namespaces: expose namespace instance serial number in proc_ns_operations
namespaces: expose ns instance serial numbers in proc
Documentation: add a section for /proc/<pid>/ns/
namespaces: expose ns_entries
audit: log namespace serial numbers
audit: log creation and deletion of namespace instances
audit: initialize at subsystem time rather than device time
Documentation/filesystems/proc.txt | 16 +++++++
fs/mount.h | 1 +
fs/namespace.c | 20 +++++++++
fs/proc/namespaces.c | 35 ++++++++++++----
include/linux/audit.h | 15 +++++++
include/linux/ipc_namespace.h | 1 +
include/linux/nsproxy.h | 8 ++++
include/linux/pid_namespace.h | 1 +
include/linux/proc_ns.h | 2 +
include/linux/user_namespace.h | 1 +
include/linux/utsname.h | 1 +
include/net/net_namespace.h | 1 +
include/uapi/linux/audit.h | 13 ++++++
init/version.c | 1 +
ipc/msgutil.c | 1 +
ipc/namespace.c | 20 +++++++++
kernel/audit.c | 78 +++++++++++++++++++++++++++++++++++-
kernel/auditsc.c | 2 +
kernel/nsproxy.c | 17 ++++++++
kernel/pid.c | 1 +
kernel/pid_namespace.c | 19 +++++++++
kernel/user.c | 1 +
kernel/user_namespace.c | 20 +++++++++
kernel/utsname.c | 21 ++++++++++
net/core/net_namespace.c | 27 ++++++++++++-
security/integrity/ima/ima_api.c | 2 +
26 files changed, 314 insertions(+), 11 deletions(-)
10 years, 4 months