Re: [PATCH] Fix to:WARNING: please, no space before tabs modified: kernel/auditfilter.c
by Paul Moore
On Sunday, October 25, 2015 09:00:49 PM Scott Matheina wrote:
> Signed-off-by: Scott Matheina <scott(a)matheina.com>
> ---
> kernel/auditfilter.c | 14 +++++++-------
> 1 file changed, 7 insertions(+), 7 deletions(-)
[NOTE: Adding the linux-audit list to the CC line]
Applied, but I modified the patch subject line to "audit: fix comment block
whitespace" as the original was a bit verbose. You can check the mailing list
archive, or the git log, to see what people typically use for patch subject
lines.
> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index 7714d93..b8ff9e1 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -39,13 +39,13 @@
> * Locking model:
> *
> * audit_filter_mutex:
> - * Synchronizes writes and blocking reads of audit's filterlist
> - * data. Rcu is used to traverse the filterlist and access
> - * contents of structs audit_entry, audit_watch and opaque
> - * LSM rules during filtering. If modified, these structures
> - * must be copied and replace their counterparts in the filterlist.
> - * An audit_parent struct is not accessed during filtering, so may
> - * be written directly provided audit_filter_mutex is held.
> + * Synchronizes writes and blocking reads of audit's filterlist
> + * data. Rcu is used to traverse the filterlist and access
> + * contents of structs audit_entry, audit_watch and opaque
> + * LSM rules during filtering. If modified, these structures
> + * must be copied and replace their counterparts in the filterlist.
> + * An audit_parent struct is not accessed during filtering, so may
> + * be written directly provided audit_filter_mutex is held.
> */
>
> /* Audit filter lists, defined in <linux/audit.h> */
--
paul moore
www.paul-moore.com
9 years
Should audit_seccomp check audit_enabled?
by Andy Lutomirski
I would argue that, if auditing is off, audit_seccomp shouldn't do
anything. After all, unlike e.g. selinux, seccomp is not a systemwide
policy, and seccomp signals might be ordinary behavior that's internal
to the seccomp-using application. IOW, for people with audit compiled
in and subscribed by journald but switched off, I think that the
records shouldn't be emitted.
If you agree, I can send the two-line patch.
--Andy
--
Andy Lutomirski
AMA Capital Management, LLC
9 years
[ARCHIVE DEBUG 00/13] audit_debug: diagnostics for audit internal workings
by Richard Guy Briggs
A number of diagnostic patches including a /proc/audit* interface to get
a better view of what is happenning with what frequency in the audit
queue code.
Richard Guy Briggs (13):
audit_debug: set reserve to same size as backlog
audit_debug: squawk when digging into reserve
audit_debug: proc instrumentation
audit_debug: add /proc counters for overflows, waiters, recovers,
reserves
audit_debug: proc debug output easier to paste
audit_debug: don't let systemd change config
audit_debug: instrument audit_cmd_mutex contention
audit_debug: seperate out audit_titles in proc display
netlink_debug: instrument timing of calls by init/systemd or
audit_pid
audit_debug: bark on impossible reserve process conditions in while
loop
audit_debug: instrument audit_receive timing
audit_debug: list processes and frequencies waiting for auditd
audit_debug: print inode nr for each path when listing exe rules
include/linux/skbuff.h | 16 ++++
kernel/audit.c | 219 ++++++++++++++++++++++++++++++++++++++++++++--
kernel/audit.h | 2 +
kernel/audit_fsnotify.c | 5 +
kernel/auditfilter.c | 1 +
net/netlink/af_netlink.c | 16 ++++
6 files changed, 250 insertions(+), 9 deletions(-)
9 years
how costly is flush = sync vs incremental?
by Bond Masuda
i'm trying to figure out how costly it is to set flush=sync vs
incremental in auditd.conf. In theory, it would seem like it is more
expensive, but by how much? At what level of paranoia about not losing
audit logs does it make sense to use flush=sync or is it not much more
costly and one might as well use that setting?
Thoughts?
9 years
[PATHC] Use more rpm macros in audit.spec
by Łukasz Stelmach
Hi,
We are preparing spec for audit in Tizen. Please find attached a small
patch that changes a few hardcoded paths to rpm macros. I havn't changed
"/sbin" to %{_sbindir} nor "/%{_lib}", however, I'd like to ask do you
still want to keep files in "/sbin" and "/lib"?
Kind regards,
--
Łukasz Stelmach
Samsung R&D Institute Poland
Samsung Electronics
9 years
where can I find documentation on audit log formats?
by Bond Masuda
I'm writing a tool to put audit logs into a database. I can guess at the
format based on samples of logs I'm seeing, but I would feel better if I
could find documentation that shows all the different types of audit log
messages and what is in those messages.
Thanks
Bond
9 years
Audit record created by echo "ThisIsATest" >>/tmp/test/file11
by Boyd Memmott
Hi
I have an audit question concerning echo "ThisIsATest" >>/tmp/test/file11
I have a rule: -w /tmp/test -p war -S all -k thekey
It produces the following audit record.
type=SYSCALL msg=audit(1444398577.247:1581): arch=c000003e syscall=2 success=yes exit=3 a0=1f5bca0 a1=441 a2=1b6 a3=20 items=2 ppid=17766 pid=17808 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="bash" exe="/bin/bash" key="thekey"
type=CWD msg=audit(1444398577.247:1581): cwd="/tmp/test"
type=PATH msg=audit(1444398577.247:1581): item=0 name="/tmp/test" inode=1436 dev=00:2e mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1444398577.247:1581): item=1 name="file11" inode=6797 dev=00:2e mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
I understand bash is the executable, because ">" is writing to the file via a file handle.
Is there another switch or rule that would improve the audit record to capture echo as being the initiator of the command??
Thank you
Boyd
9 years
monitoring deletion of directories?
by Bond Masuda
with linux audit, how do I monitor the deletion of directories? I am
already monitoring the unlink syscall, but it only seems to monitor
deleted files.
thanks
Bond
9 years
[RFC PATCH v2 0/5] kdbus LSM/SELinux hooks
by Paul Moore
I got a little distracted with some other tasks so it has taken me a
bit longer than I had hoped to get v2 of this patchset out, but
better late than never they say ...
This revision incorporates all of Stephen's comments and adds support
for auditing kdbus service names; see each patch's changelog for more
details. Please take a look and comment, I'm especially interested
to hear what people have to say about the kdbusfs labeling, right now
it is very barebones, and I'm not sure if we want to support more
options (transitions, etc.).
Also, Smack folks, it would be great if I heard something from you
guys about the viability of these hooks for Smack.
---
Paul Moore (5):
kdbus: add creator credentials to the endpoints
lsm: introduce hooks for kdbus
lsm: add support for auditing kdbus service names
selinux: introduce kdbus names into the policy
selinux: introduce kdbus access controls
include/linux/lsm_audit.h | 2
include/linux/security.h | 126 +++++++++++++++++++++++++++++
ipc/kdbus/bus.c | 13 +--
ipc/kdbus/connection.c | 73 +++++++++++------
ipc/kdbus/endpoint.c | 14 +--
ipc/kdbus/endpoint.h | 3 -
ipc/kdbus/fs.c | 10 ++
ipc/kdbus/message.c | 19 +++-
ipc/kdbus/metadata.c | 6 -
ipc/kdbus/node.c | 11 +--
ipc/kdbus/node.h | 5 +
security/lsm_audit.c | 4 +
security/security.c | 50 ++++++++++++
security/selinux/hooks.c | 152 +++++++++++++++++++++++++++++++++++
security/selinux/include/classmap.h | 4 +
security/selinux/include/security.h | 5 +
security/selinux/ss/policydb.c | 88 +++++++++++++++++---
security/selinux/ss/policydb.h | 3 -
security/selinux/ss/services.c | 38 +++++++++
19 files changed, 540 insertions(+), 86 deletions(-)
9 years