[RFC PATCH 0/7] audit: clean up audit queue handling
by Richard Guy Briggs
This set of patches cleans up a number of corner cases in the management
of the audit queue.
Richard Guy Briggs (7):
audit: don't needlessly reset valid wait time
audit: include auditd's threads in audit_log_start() wait exception
audit: allow systemd to use queue reserves
audit: wake up threads if queue switched from limited to unlimited
audit: allow audit_cmd_mutex holders to use reserves
audit: wake up audit_backlog_wait queue when auditd goes away.
audit: wake up kauditd_thread after auditd registers
kernel/audit.c | 20 +++++++++++++++-----
1 files changed, 15 insertions(+), 5 deletions(-)
8 years, 4 months
[PATCH 00/15] Rework tty audit
by Peter Hurley
Hi Greg,
This patch series overhauls tty audit support. The goal was to simplify
and speed up tty auditing, which was a significant performance hit even
when disabled.
The main features of this series are:
* Remove reference counting; the purpose of reference counting the per-
process tty_audit_buf was to prevent premature deletion if the
buffer was in-use when tty auditing was exited for the process.
However, since the process is single-threaded at tty_audit_exit(),
the buffer cannot be in-use by another thread. Patch 11/15.
* Remove functionally dead code, such as tty_put_user(). Patch 2/15.
* Atomically modify tty audit enable/disable flags to support lockless
read. Patch 9/15.
Cc: Ingo Molnar <mingo(a)redhat.com>
Cc: Peter Zijlstra <peterz(a)infradead.org>
for patch 9/15 which removes an audit field from the signal_struct.
Cc: Oleg Nesterov <oleg(a)redhat.com>
to confirm my understanding of the single-threadedness of
if (group_dead) tty_audit_exit(), called from do_exit(). Patch 11/15
Requires: "tty: audit: Fix audit source"
Regards,
Peter Hurley (15):
tty: audit: Early-out pty master reads earlier
tty: audit: Never audit packet mode
tty: audit: Remove icanon mode from call chain
tty: audit: Defer audit buffer association
tty: audit: Take siglock directly
tty: audit: Ignore current association for audit push
tty: audit: Combine push functions
tty: audit: Track tty association with dev_t
tty: audit: Handle tty audit enable atomically
tty: audit: Remove false memory optimization
tty: audit: Remove tty_audit_buf reference counting
tty: audit: Simplify first-use allocation
tty: audit: Check audit enable first
tty: audit: Always push audit buffer before TIOCSTI
tty: audit: Poison tty_audit_buf while process exits
drivers/tty/n_tty.c | 25 ++----
drivers/tty/tty_audit.c | 231 ++++++++++++++----------------------------------
include/linux/audit.h | 4 +
include/linux/sched.h | 1 -
include/linux/tty.h | 12 +--
kernel/audit.c | 27 +++---
6 files changed, 97 insertions(+), 203 deletions(-)
--
2.6.3
8 years, 9 months
Audit Framework and namespaces
by Gulland, Scott A
Does the audit framework work with linux namespaces?
Scott Gulland
HP Networking, CEB R&D
916.785.1497
Hewlett-Packard Company
8000 Foothills Blvd; MS - 5505
Roseville, CA 95747
USA
8 years, 10 months
[RFC PATCH] audit: force seccomp event logging to honor the audit_enabled flag
by Paul Moore
Previously we were emitting seccomp audit records regardless of the
audit_enabled setting, a departure from the rest of audit. This
patch makes seccomp auditing consistent with the rest of the audit
record generation code in that when audit_enabled=0 nothing is logged
by the audit subsystem.
The bulk of this patch is moving the CONFIG_AUDIT block ahead of the
CONFIG_AUDITSYSCALL block in include/linux/audit.h; the only real
code change was in the audit_seccomp() definition.
Reported-by: Tony Jones <tonyj(a)suse.de>
Signed-off-by: Paul Moore <pmoore(a)redhat.com>
---
include/linux/audit.h | 204 +++++++++++++++++++++++++------------------------
1 file changed, 104 insertions(+), 100 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 20eba1e..476bc12 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -113,6 +113,107 @@ struct filename;
extern void audit_log_session_info(struct audit_buffer *ab);
+#ifdef CONFIG_AUDIT
+/* These are defined in audit.c */
+ /* Public API */
+extern __printf(4, 5)
+void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
+ const char *fmt, ...);
+
+extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
+extern __printf(2, 3)
+void audit_log_format(struct audit_buffer *ab, const char *fmt, ...);
+extern void audit_log_end(struct audit_buffer *ab);
+extern bool audit_string_contains_control(const char *string,
+ size_t len);
+extern void audit_log_n_hex(struct audit_buffer *ab,
+ const unsigned char *buf,
+ size_t len);
+extern void audit_log_n_string(struct audit_buffer *ab,
+ const char *buf,
+ size_t n);
+extern void audit_log_n_untrustedstring(struct audit_buffer *ab,
+ const char *string,
+ size_t n);
+extern void audit_log_untrustedstring(struct audit_buffer *ab,
+ const char *string);
+extern void audit_log_d_path(struct audit_buffer *ab,
+ const char *prefix,
+ const struct path *path);
+extern void audit_log_key(struct audit_buffer *ab,
+ char *key);
+extern void audit_log_link_denied(const char *operation,
+ struct path *link);
+extern void audit_log_lost(const char *message);
+#ifdef CONFIG_SECURITY
+extern void audit_log_secctx(struct audit_buffer *ab, u32 secid);
+#else
+static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
+{ }
+#endif
+
+extern int audit_log_task_context(struct audit_buffer *ab);
+extern void audit_log_task_info(struct audit_buffer *ab,
+ struct task_struct *tsk);
+
+extern int audit_update_lsm_rules(void);
+
+ /* Private API (for audit.c only) */
+extern int audit_filter_user(int type);
+extern int audit_filter_type(int type);
+extern int audit_rule_change(int type, __u32 portid, int seq,
+ void *data, size_t datasz);
+extern int audit_list_rules_send(struct sk_buff *request_skb, int seq);
+
+extern u32 audit_enabled;
+#else /* CONFIG_AUDIT */
+static inline __printf(4, 5)
+void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
+ const char *fmt, ...)
+{ }
+static inline struct audit_buffer *audit_log_start(struct audit_context *ctx,
+ gfp_t gfp_mask, int type)
+{
+ return NULL;
+}
+static inline __printf(2, 3)
+void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
+{ }
+static inline void audit_log_end(struct audit_buffer *ab)
+{ }
+static inline void audit_log_n_hex(struct audit_buffer *ab,
+ const unsigned char *buf, size_t len)
+{ }
+static inline void audit_log_n_string(struct audit_buffer *ab,
+ const char *buf, size_t n)
+{ }
+static inline void audit_log_n_untrustedstring(struct audit_buffer *ab,
+ const char *string, size_t n)
+{ }
+static inline void audit_log_untrustedstring(struct audit_buffer *ab,
+ const char *string)
+{ }
+static inline void audit_log_d_path(struct audit_buffer *ab,
+ const char *prefix,
+ const struct path *path)
+{ }
+static inline void audit_log_key(struct audit_buffer *ab, char *key)
+{ }
+static inline void audit_log_link_denied(const char *string,
+ const struct path *link)
+{ }
+static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
+{ }
+static inline int audit_log_task_context(struct audit_buffer *ab)
+{
+ return 0;
+}
+static inline void audit_log_task_info(struct audit_buffer *ab,
+ struct task_struct *tsk)
+{ }
+#define audit_enabled 0
+#endif /* CONFIG_AUDIT */
+
#ifdef CONFIG_AUDIT_COMPAT_GENERIC
#define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT))
#else
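Review bot: since this block is being relocated wholesale, the two halves of it could be made to mirror each other at the same time: the declaration reads `audit_log_link_denied(const char *operation, struct path *link)` while the !CONFIG_AUDIT stub reads `audit_log_link_denied(const char *string, const struct path *link)`, and `audit_string_contains_control()`, `audit_log_lost()` and `audit_update_lsm_rules()` have no stub in the #else branch at all. None of this is introduced by the move, so the alternative is to leave the text untouched and state in the commit message that the block is moved verbatim, which lets a reviewer check it against the removal hunk below instead of reading a hundred lines twice.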
@@ -212,6 +313,9 @@ void audit_core_dumps(long signr);
static inline void audit_seccomp(unsigned long syscall, long signr, int code)
{
+ if (!audit_enabled)
+ return;
+
/* Force a record to be reported if a signal was delivered. */
if (signr || unlikely(!audit_dummy_context()))
__audit_seccomp(syscall, signr, code);
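Review bot: the comment directly under the new early return, "Force a record to be reported if a signal was delivered", no longer holds unconditionally: with audit_enabled=0 a seccomp kill now produces no record at all, which is the consistency the patch is after but is exactly what a reader of that comment will not expect. Reword it along the lines of "Force a record if a signal was delivered, unless audit is disabled", and mention in the commit message that the signal case is the one whose visible behaviour changes for sandboxes that relied on those records.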
@@ -446,106 +550,6 @@ static inline bool audit_loginuid_set(struct task_struct *tsk)
return uid_valid(audit_get_loginuid(tsk));
}
-#ifdef CONFIG_AUDIT
-/* These are defined in audit.c */
- /* Public API */
-extern __printf(4, 5)
-void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
- const char *fmt, ...);
-
-extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
-extern __printf(2, 3)
-void audit_log_format(struct audit_buffer *ab, const char *fmt, ...);
-extern void audit_log_end(struct audit_buffer *ab);
-extern bool audit_string_contains_control(const char *string,
- size_t len);
-extern void audit_log_n_hex(struct audit_buffer *ab,
- const unsigned char *buf,
- size_t len);
-extern void audit_log_n_string(struct audit_buffer *ab,
- const char *buf,
- size_t n);
-extern void audit_log_n_untrustedstring(struct audit_buffer *ab,
- const char *string,
- size_t n);
-extern void audit_log_untrustedstring(struct audit_buffer *ab,
- const char *string);
-extern void audit_log_d_path(struct audit_buffer *ab,
- const char *prefix,
- const struct path *path);
-extern void audit_log_key(struct audit_buffer *ab,
- char *key);
-extern void audit_log_link_denied(const char *operation,
- struct path *link);
-extern void audit_log_lost(const char *message);
-#ifdef CONFIG_SECURITY
-extern void audit_log_secctx(struct audit_buffer *ab, u32 secid);
-#else
-static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
-{ }
-#endif
-
-extern int audit_log_task_context(struct audit_buffer *ab);
-extern void audit_log_task_info(struct audit_buffer *ab,
- struct task_struct *tsk);
-
-extern int audit_update_lsm_rules(void);
-
- /* Private API (for audit.c only) */
-extern int audit_filter_user(int type);
-extern int audit_filter_type(int type);
-extern int audit_rule_change(int type, __u32 portid, int seq,
- void *data, size_t datasz);
-extern int audit_list_rules_send(struct sk_buff *request_skb, int seq);
-
-extern u32 audit_enabled;
-#else /* CONFIG_AUDIT */
-static inline __printf(4, 5)
-void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
- const char *fmt, ...)
-{ }
-static inline struct audit_buffer *audit_log_start(struct audit_context *ctx,
- gfp_t gfp_mask, int type)
-{
- return NULL;
-}
-static inline __printf(2, 3)
-void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
-{ }
-static inline void audit_log_end(struct audit_buffer *ab)
-{ }
-static inline void audit_log_n_hex(struct audit_buffer *ab,
- const unsigned char *buf, size_t len)
-{ }
-static inline void audit_log_n_string(struct audit_buffer *ab,
- const char *buf, size_t n)
-{ }
-static inline void audit_log_n_untrustedstring(struct audit_buffer *ab,
- const char *string, size_t n)
-{ }
-static inline void audit_log_untrustedstring(struct audit_buffer *ab,
- const char *string)
-{ }
-static inline void audit_log_d_path(struct audit_buffer *ab,
- const char *prefix,
- const struct path *path)
-{ }
-static inline void audit_log_key(struct audit_buffer *ab, char *key)
-{ }
-static inline void audit_log_link_denied(const char *string,
- const struct path *link)
-{ }
-static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
-{ }
-static inline int audit_log_task_context(struct audit_buffer *ab)
-{
- return 0;
-}
-static inline void audit_log_task_info(struct audit_buffer *ab,
- struct task_struct *tsk)
-{ }
-#define audit_enabled 0
-#endif /* CONFIG_AUDIT */
static inline void audit_log_string(struct audit_buffer *ab, const char *buf)
{
audit_log_n_string(ab, buf, strlen(buf));
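Review bot: this removal exists only because the audit_seccomp() inline in the hunk above now references audit_enabled before the line that declares it; a far smaller patch would hoist just `extern u32 audit_enabled;` together with its `#define audit_enabled 0` counterpart ahead of the CONFIG_AUDITSYSCALL block and leave the remaining hundred lines where they are. If the full move is preferred, the removed text should be checked byte for byte against the inserted block in the first hunk, since a diff of this size hides an accidental edit easily.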
8 years, 11 months
Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT?
by Paul Moore
Does anyone out there build kernels with CONFIG_AUDIT=y and
CONFIG_AUDITSYSCALL=n? I'm thinking of simply removing the
CONFIG_AUDITSYSCALL knob and moving all that code under CONFIG_AUDIT;
does anyone have any objections?
--
paul moore
www.paul-moore.com
8 years, 11 months
ANN: Experimental Fedora Rawhide kernels (selinux-next and audit-next)
by Paul Moore
For the past few weeks I've been building experimental Fedora Rawhide kernels
with all of the SELinux and audit kernel patches targeted for linux-next
included. It has worked out reasonably well, and with the exception of getting
a working Linux 4.4-rc1 build this week, it has proven to be relatively easy
to manage. If you would like to help with testing and don't mind the
instability that comes with development kernels, the Fedora COPR repository
link is below.
I've been doing at least one build each week, sometimes more, and I expect to
continue with that frequency. I also perform a quick sanity check on each
successful build, including running the SELinux and audit testsuites; however,
there may be times when the kernel is simply broken, so exercise caution and
please don't run these kernels on anything critical.
* https://copr.fedoraproject.org/coprs/pcmoore/kernel-secnext
--
paul moore
www.paul-moore.com
8 years, 11 months
seccomp and audit_enabled
by Tony Jones
Hi.
What is the expected handling of AUDIT_SECCOMP if audit_enabled == 0? Opera browser makes use of a sandbox, and if audit_enabled == 0 (and no auditd is running) there are a lot of messages dumped to the klog. The fix to __audit_seccomp() is trivial, similar to c2412d91c, and I can send a patch; I'm just not sure if seccomp is somehow special?
Thanks
Tony
8 years, 11 months
filtering system calls with auid -1
by ocakan
Hi!
My aim is to audit only commands executed by root (interactively) and AVC
denied messages (SELinux).
Some details about my audit-test-system and current audit configuration.
### MY CONFIGURATION:
uname -a:
Linux centos6 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13 22:55:16 UTC 2015
x86_64 x86_64 x86_64 GNU/Linux
### cat /proc/cmdline:
ro root=UUID=63f8768a-2eee-4472-8ebc-43372292a93b rd_NO_LUKS
LANG=en_US.UTF-8 KEYBOARDTYPE=pc KEYTABLE=de-latin1-nodeadkeys rd_NO_MD
SYSFONT=latarcyrheb-sun16 rd_NO_LVM rd_NO_DM rhgb audit=1
### rpm -q audit:
audit-2.3.7-5.el6.x86_64
### auditctl -l:
-a never,exit -S all -F auid!=-1
-a never,exit -S all -F auid!=0 -F auid<500
-a always,exit -F arch=x86_64 -S execve -F euid=0 -F key=root-commands
-a always,exit -F arch=i386 -S execve -F euid=0 -F key=root-commands
-a always,exclude -F msgtype=CWD
### auditctl -s:
AUDIT_STATUS: enabled=1 flag=1 pid=4232 rate_limit=0 backlog_limit=8192
lost=0 backlog=0
### /etc/init.d/auditd status:
auditd (pid 4232) is running...
### grep -Hrn loginuid /etc/pam.d/:
/etc/pam.d/login:9:session required pam_loginuid.so
/etc/pam.d/sshd:9:session required pam_loginuid.so
/etc/pam.d/remote:9:session required pam_loginuid.so
/etc/pam.d/ssh-keycat:4:session required pam_loginuid.so
-----
MY QUESTION:
With the above listed configuration I still get audit.log entries with
auid=-1 including cron and anacron entries.
EXAMPLE AUDIT.LOG SNIPPET:
type=USER_ACCT msg=audit(1447748821.214:1369): user pid=5863 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
type=CRED_ACQ msg=audit(1447748821.214:1370): user pid=5863 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
type=USER_START msg=audit(1447748821.215:1371): user pid=5863 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
type=SYSCALL msg=audit(1447748821.215:1372): arch=c000003e syscall=59
success=yes exit=0 a0=7f24d92992d6 a1=7ffdc67f7a90 a2=7f24d9299340 a3=8
items=2 ppid=5863 pid=5865 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh"
exe="/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key="root-commands"
type=EXECVE msg=audit(1447748821.215:1372): argc=3 a0="/bin/sh" a1="-c"
a2=636174202F6574632F736861646F7720263E2F6465762F6E756C6C
type=PATH msg=audit(1447748821.215:1372): item=0 name="/bin/sh"
inode=1045010 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
type=PATH msg=audit(1447748821.215:1372): item=1 name=(null) inode=1044483
dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
type=SYSCALL msg=audit(1447748821.216:1373): arch=c000003e syscall=59
success=yes exit=0 a0=e388c0 a1=e38e20 a2=e37b00 a3=7ffc3c6a4a20 items=2
ppid=5865 pid=5866 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cat" exe="/bin/cat"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key="root-commands"
type=EXECVE msg=audit(1447748821.216:1373): argc=2 a0="cat" a1="/etc/shadow"
type=PATH msg=audit(1447748821.216:1373): item=0 name="/bin/cat"
inode=1044629 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:bin_t:s0 nametype=NORMAL
type=PATH msg=audit(1447748821.216:1373): item=1 name=(null) inode=1044483
dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
type=CRED_DISP msg=audit(1447748821.217:1374): user pid=5863 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
type=USER_END msg=audit(1447748821.217:1375): user pid=5863 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
What am I missing or doing wrong? I also tried working with pam_tty_audit
and aureport --tty but that is too detailed as every keypress gets logged.
Cheers,
Orhan
8 years, 11 months
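Added example, not part of Orhan's post and not code from the audit package: a small Python model of how the kernel walks the exit filter list, run over the exact `auditctl -l` output posted above, plus a decoder for the hex-encoded EXECVE argument in the log snippet. It assumes first-match semantics for exit rules (rules are tried in list order, every -F term of a rule must hold, and the first rule that matches decides the action), that `-F key=...` tags a rule rather than filtering on it, and that auid=-1 is stored as the unsigned value 4294967295; the two event dictionaries are constructed from the fields visible in the posted SYSCALL record and from what an interactive root login carries after pam_loginuid, not captured live. The "alternative" first rule is an assumption offered for comparison, not advice taken from the thread. Run against the posted rules, the model shows the interactive-root event being stopped by the first never rule while the crond child reaches the always rule, which is what the posted log shows.

```python
"""Model of the kernel's exit-filter walk applied to the posted auditctl
rules, plus an EXECVE argument decoder. Added example; assumptions are
marked in the comments and are not taken from the mailing-list thread."""
import operator
import re

AUDIT_UNSET = 0xFFFFFFFF  # auid=-1 ("unset") as the kernel stores it

_OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
        "<=": operator.le, ">": operator.gt, ">=": operator.ge}
_TERM = re.compile(r"^(\w+)(!=|<=|>=|=|<|>)(\S+)$")


def parse_rule(line):
    """Turn one 'auditctl -l' line into (action, list, syscalls, terms).

    Only the syntax used in the thread is handled (-a, -S, -F). Numeric
    values are reduced modulo 2**32 so that auid!=-1 and auid!=4294967295
    compare identically, matching how auditctl printed the posted rule."""
    tok = line.split()
    action, lst = tok[tok.index("-a") + 1].split(",")
    syscalls, terms = [], []
    for flag, arg in zip(tok, tok[1:]):
        if flag == "-S":
            syscalls += arg.split(",")
        elif flag == "-F":
            name, op, val = _TERM.match(arg).groups()
            if re.fullmatch(r"-?\d+", val):
                val = int(val) & 0xFFFFFFFF
            terms.append((name, op, val))
    return action, lst, syscalls, terms


def _holds(event, name, op, val):
    # Assumption: -F key=... labels matching records; it is not a filter term.
    if name == "key":
        return True
    return name in event and _OPS[op](event[name], val)


def first_match(rules, event):
    """Action of the first exit-list rule matching EVENT, or None.

    Assumed kernel behaviour: rules are walked in list order, all terms of
    a rule must hold, and the first match decides (always or never)."""
    for action, lst, syscalls, terms in rules:
        if lst != "exit":
            continue  # exclude/user/task lists are not consulted at syscall exit
        if syscalls and "all" not in syscalls and event["syscall"] not in syscalls:
            continue
        if all(_holds(event, *t) for t in terms):
            return action
    return None


def decode_execve_arg(raw):
    """EXECVE aN= values are quoted when plain printable ASCII and emitted as
    an unquoted hex string when they contain a space, quote, control or
    non-ASCII byte; return the argument as text either way."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return bytes.fromhex(raw).decode("utf-8", "replace")


# The rule set exactly as 'auditctl -l' printed it in the post.
RULES_FROM_POST = [parse_rule(l) for l in """\
-a never,exit -S all -F auid!=-1
-a never,exit -S all -F auid!=0 -F auid<500
-a always,exit -F arch=x86_64 -S execve -F euid=0 -F key=root-commands
-a always,exit -F arch=i386 -S execve -F euid=0 -F key=root-commands
-a always,exclude -F msgtype=CWD""".splitlines()]

# Assumed alternative for comparison only: the first never rule drops records
# whose loginuid was never set, instead of those whose loginuid is set.
RULES_ALTERNATIVE = ([parse_rule("-a never,exit -S all -F auid=4294967295")]
                     + RULES_FROM_POST[1:])

# Constructed events: the crond child from the posted SYSCALL record, and an
# interactive root login (auid=0 after pam_loginuid). Not captured live.
CRON_JOB = {"arch": "x86_64", "syscall": "execve", "auid": AUDIT_UNSET, "euid": 0}
INTERACTIVE_ROOT = {"arch": "x86_64", "syscall": "execve", "auid": 0, "euid": 0}


def evaluate(rules):
    """Which action each sample event receives under RULES."""
    return {"cron_job": first_match(rules, CRON_JOB),
            "interactive_root": first_match(rules, INTERACTIVE_ROOT)}


if __name__ == "__main__":
    for label, rules in (("posted", RULES_FROM_POST), ("alternative", RULES_ALTERNATIVE)):
        print(label, evaluate(rules))
    # a2 from the posted EXECVE record: hex because the argument contains spaces
    print(decode_execve_arg("636174202F6574632F736861646F7720263E2F6465762F6E756C6C"))
```

The decoder is worth keeping around on its own: any EXECVE argument with a space in it, which covers most `sh -c` payloads, is printed as hex, so a grep for a command string on the raw log will miss exactly the records that matter.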
[PATCH] kernel-audit: Delete unnecessary checks before two function calls
by SF Markus Elfring
From: Markus Elfring <elfring(a)users.sourceforge.net>
Date: Sun, 15 Nov 2015 12:38:33 +0100
The functions consume_skb() and kfree_skb() test whether their argument
is NULL and then return immediately.
Thus the tests around their calls are not needed.
This issue was detected by using the Coccinelle software.
Signed-off-by: Markus Elfring <elfring(a)users.sourceforge.net>
---
kernel/audit.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 5ffcbd3..1e8e228 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -509,8 +509,7 @@ static void flush_hold_queue(void)
* if auditd just disappeared but we
* dequeued an skb we need to drop ref
*/
- if (skb)
- consume_skb(skb);
+ consume_skb(skb);
}
static int kauditd_thread(void *dummy)
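Review bot: the comment immediately above the changed line ("if auditd just disappeared but we dequeued an skb we need to drop ref") describes a conditional that the code no longer spells out, so the explicit `if (skb)` was doing documentation work as well as the redundant NULL test the commit message targets. Either keep the check here or reword the comment so it does not promise a test that is no longer there; as posted, a reader has to know that consume_skb() tolerates NULL to see why the comment still applies.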
@@ -1232,9 +1231,7 @@ static void audit_buffer_free(struct audit_buffer *ab)
if (!ab)
return;
- if (ab->skb)
- kfree_skb(ab->skb);
-
+ kfree_skb(ab->skb);
spin_lock_irqsave(&audit_freelist_lock, flags);
if (audit_freelist_count > AUDIT_MAXFREE)
kfree(ab);
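Review bot: the blank line between the skb free and `spin_lock_irqsave(&audit_freelist_lock, flags);` is dropped together with the check, which runs two unrelated steps (releasing the skb, then recycling the audit_buffer under the freelist lock) into one visual block. Keep the blank line: the commit message only claims to remove redundant NULL tests, and the whitespace change is the sort of thing that makes a trivial cleanup harder to accept at a glance.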
--
2.6.2
8 years, 11 months