November 2015 - Linux-audit - Linux-Audit List Archives

How do I get complete list of audit event types

by Satish Chandra Kilaru

Hi I want to understand the logs in /var/log/audit/audit.log. Where can I get complete list of audit event types and what they mean? --Satish Please Donate to www.wikipedia.org

7 years

4
5
0 / 0

[RFC PATCH 0/7] audit: clean up audit queue handling

by Richard Guy Briggs

This set of patches cleans up a number of corner cases in the management of the audit queue. Richard Guy Briggs (7): audit: don't needlessly reset valid wait time audit: include auditd's threads in audit_log_start() wait exception audit: allow systemd to use queue reserves audit: wake up threads if queue switched from limited to unlimited audit: allow audit_cmd_mutex holders to use reserves audit: wake up audit_backlog_wait queue when auditd goes away. audit: wake up kauditd_thread after auditd registers kernel/audit.c | 20 +++++++++++++++----- 1 files changed, 15 insertions(+), 5 deletions(-)

8 years, 6 months

4
22
0 / 0

[PATCH 00/15] Rework tty audit

by Peter Hurley

Hi Greg, This patch series overhauls tty audit support. The goal was to simplify and speed up tty auditing, which was a significant performance hit even when disabled. The main features of this series are: * Remove reference counting; the purpose of reference counting the per- process tty_audit_buf was to prevent premature deletion if the buffer was in-use when tty auditing was exited for the process. However, since the process is single-threaded at tty_audit_exit(), the buffer cannot be in-use by another thread. Patch 11/15. * Remove functionally dead code, such as tty_put_user(). Patch 2/15. * Atomically modify tty audit enable/disable flags to support lockless read. Patch 9/15. Cc: Ingo Molnar <mingo(a)redhat.com> Cc: Peter Zijlstra <peterz(a)infradead.org> for patch 9/15 which removes an audit field from the signal_struct. Cc: Oleg Nesterov <oleg(a)redhat.com> to confirm my understanding of the single-threadedness of if (group_dead) tty_audit_exit(), called from do_exit(). Patch 11/15 Requires: "tty: audit: Fix audit source" Regards, Peter Hurley (15): tty: audit: Early-out pty master reads earlier tty: audit: Never audit packet mode tty: audit: Remove icanon mode from call chain tty: audit: Defer audit buffer association tty: audit: Take siglock directly tty: audit: Ignore current association for audit push tty: audit: Combine push functions tty: audit: Track tty association with dev_t tty: audit: Handle tty audit enable atomically tty: audit: Remove false memory optimization tty: audit: Remove tty_audit_buf reference counting tty: audit: Simplify first-use allocation tty: audit: Check audit enable first tty: audit: Always push audit buffer before TIOCSTI tty: audit: Poison tty_audit_buf while process exits drivers/tty/n_tty.c | 25 ++---- drivers/tty/tty_audit.c | 231 ++++++++++++++---------------------------------- include/linux/audit.h | 4 + include/linux/sched.h | 1 - include/linux/tty.h | 12 +-- kernel/audit.c | 27 +++--- 6 files changed, 97 insertions(+), 203 deletions(-) -- 2.6.3

8 years, 11 months

4
41
0 / 0

Audit Framework and namespaces

by Gulland, Scott A

Does the audit framework work with linux namespaces? Scott Gulland HP Networking, CEB R&D 916.785.1497 Hewlett-Packard Company 8000 Foothills Blvd; MS - 5505 Roseville, CA 95747 USA [hp]<http://www.hp.com/>

9 years

4
5
0 / 0

[RFC PATCH] audit: force seccomp event logging to honor the audit_enabled flag

by Paul Moore

Previously we were emitting seccomp audit records regardless of the audit_enabled setting, a deparature from the rest of audit. This patch makes seccomp auditing consistent with the rest of the audit record generation code in that when audit_enabled=0 nothing is logged by the audit subsystem. The bulk of this patch is moving the CONFIG_AUDIT block ahead of the CONFIG_AUDITSYSCALL block in include/linux/audit.h; the only real code change was in the audit_seccomp() definition. Reported-by: Tony Jones <tonyj(a)suse.de> Signed-off-by: Paul Moore <pmoore(a)redhat.com> --- include/linux/audit.h | 204 +++++++++++++++++++++++++------------------------ 1 file changed, 104 insertions(+), 100 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 20eba1e..476bc12 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -113,6 +113,107 @@ struct filename; extern void audit_log_session_info(struct audit_buffer *ab); +#ifdef CONFIG_AUDIT +/* These are defined in audit.c */ + /* Public API */ +extern __printf(4, 5) +void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, + const char *fmt, ...); + +extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type); +extern __printf(2, 3) +void audit_log_format(struct audit_buffer *ab, const char *fmt, ...); +extern void audit_log_end(struct audit_buffer *ab); +extern bool audit_string_contains_control(const char *string, + size_t len); +extern void audit_log_n_hex(struct audit_buffer *ab, + const unsigned char *buf, + size_t len); +extern void audit_log_n_string(struct audit_buffer *ab, + const char *buf, + size_t n); +extern void audit_log_n_untrustedstring(struct audit_buffer *ab, + const char *string, + size_t n); +extern void audit_log_untrustedstring(struct audit_buffer *ab, + const char *string); +extern void audit_log_d_path(struct audit_buffer *ab, + const char *prefix, + const struct path *path); +extern void audit_log_key(struct audit_buffer *ab, + char *key); +extern void audit_log_link_denied(const char *operation, + struct path *link); +extern void audit_log_lost(const char *message); +#ifdef CONFIG_SECURITY +extern void audit_log_secctx(struct audit_buffer *ab, u32 secid); +#else +static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) +{ } +#endif + +extern int audit_log_task_context(struct audit_buffer *ab); +extern void audit_log_task_info(struct audit_buffer *ab, + struct task_struct *tsk); + +extern int audit_update_lsm_rules(void); + + /* Private API (for audit.c only) */ +extern int audit_filter_user(int type); +extern int audit_filter_type(int type); +extern int audit_rule_change(int type, __u32 portid, int seq, + void *data, size_t datasz); +extern int audit_list_rules_send(struct sk_buff *request_skb, int seq); + +extern u32 audit_enabled; +#else /* CONFIG_AUDIT */ +static inline __printf(4, 5) +void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, + const char *fmt, ...) +{ } +static inline struct audit_buffer *audit_log_start(struct audit_context *ctx, + gfp_t gfp_mask, int type) +{ + return NULL; +} +static inline __printf(2, 3) +void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) +{ } +static inline void audit_log_end(struct audit_buffer *ab) +{ } +static inline void audit_log_n_hex(struct audit_buffer *ab, + const unsigned char *buf, size_t len) +{ } +static inline void audit_log_n_string(struct audit_buffer *ab, + const char *buf, size_t n) +{ } +static inline void audit_log_n_untrustedstring(struct audit_buffer *ab, + const char *string, size_t n) +{ } +static inline void audit_log_untrustedstring(struct audit_buffer *ab, + const char *string) +{ } +static inline void audit_log_d_path(struct audit_buffer *ab, + const char *prefix, + const struct path *path) +{ } +static inline void audit_log_key(struct audit_buffer *ab, char *key) +{ } +static inline void audit_log_link_denied(const char *string, + const struct path *link) +{ } +static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) +{ } +static inline int audit_log_task_context(struct audit_buffer *ab) +{ + return 0; +} +static inline void audit_log_task_info(struct audit_buffer *ab, + struct task_struct *tsk) +{ } +#define audit_enabled 0 +#endif /* CONFIG_AUDIT */ + #ifdef CONFIG_AUDIT_COMPAT_GENERIC #define audit_is_compat(arch) (!((arch) & __AUDIT_ARCH_64BIT)) #else @@ -212,6 +313,9 @@ void audit_core_dumps(long signr); static inline void audit_seccomp(unsigned long syscall, long signr, int code) { + if (!audit_enabled) + return; + /* Force a record to be reported if a signal was delivered. */ if (signr || unlikely(!audit_dummy_context())) __audit_seccomp(syscall, signr, code); @@ -446,106 +550,6 @@ static inline bool audit_loginuid_set(struct task_struct *tsk) return uid_valid(audit_get_loginuid(tsk)); } -#ifdef CONFIG_AUDIT -/* These are defined in audit.c */ - /* Public API */ -extern __printf(4, 5) -void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, - const char *fmt, ...); - -extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type); -extern __printf(2, 3) -void audit_log_format(struct audit_buffer *ab, const char *fmt, ...); -extern void audit_log_end(struct audit_buffer *ab); -extern bool audit_string_contains_control(const char *string, - size_t len); -extern void audit_log_n_hex(struct audit_buffer *ab, - const unsigned char *buf, - size_t len); -extern void audit_log_n_string(struct audit_buffer *ab, - const char *buf, - size_t n); -extern void audit_log_n_untrustedstring(struct audit_buffer *ab, - const char *string, - size_t n); -extern void audit_log_untrustedstring(struct audit_buffer *ab, - const char *string); -extern void audit_log_d_path(struct audit_buffer *ab, - const char *prefix, - const struct path *path); -extern void audit_log_key(struct audit_buffer *ab, - char *key); -extern void audit_log_link_denied(const char *operation, - struct path *link); -extern void audit_log_lost(const char *message); -#ifdef CONFIG_SECURITY -extern void audit_log_secctx(struct audit_buffer *ab, u32 secid); -#else -static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) -{ } -#endif - -extern int audit_log_task_context(struct audit_buffer *ab); -extern void audit_log_task_info(struct audit_buffer *ab, - struct task_struct *tsk); - -extern int audit_update_lsm_rules(void); - - /* Private API (for audit.c only) */ -extern int audit_filter_user(int type); -extern int audit_filter_type(int type); -extern int audit_rule_change(int type, __u32 portid, int seq, - void *data, size_t datasz); -extern int audit_list_rules_send(struct sk_buff *request_skb, int seq); - -extern u32 audit_enabled; -#else /* CONFIG_AUDIT */ -static inline __printf(4, 5) -void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, - const char *fmt, ...) -{ } -static inline struct audit_buffer *audit_log_start(struct audit_context *ctx, - gfp_t gfp_mask, int type) -{ - return NULL; -} -static inline __printf(2, 3) -void audit_log_format(struct audit_buffer *ab, const char *fmt, ...) -{ } -static inline void audit_log_end(struct audit_buffer *ab) -{ } -static inline void audit_log_n_hex(struct audit_buffer *ab, - const unsigned char *buf, size_t len) -{ } -static inline void audit_log_n_string(struct audit_buffer *ab, - const char *buf, size_t n) -{ } -static inline void audit_log_n_untrustedstring(struct audit_buffer *ab, - const char *string, size_t n) -{ } -static inline void audit_log_untrustedstring(struct audit_buffer *ab, - const char *string) -{ } -static inline void audit_log_d_path(struct audit_buffer *ab, - const char *prefix, - const struct path *path) -{ } -static inline void audit_log_key(struct audit_buffer *ab, char *key) -{ } -static inline void audit_log_link_denied(const char *string, - const struct path *link) -{ } -static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) -{ } -static inline int audit_log_task_context(struct audit_buffer *ab) -{ - return 0; -} -static inline void audit_log_task_info(struct audit_buffer *ab, - struct task_struct *tsk) -{ } -#define audit_enabled 0 -#endif /* CONFIG_AUDIT */ static inline void audit_log_string(struct audit_buffer *ab, const char *buf) { audit_log_n_string(ab, buf, strlen(buf));

9 years

3
3
0 / 0

Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT?

by Paul Moore

Does anyone out there build kernels with CONFIG_AUDIT=y and CONFIG_AUDITSYSCALL=n? I'm thinking of simply removing the CONFIG_AUDITSYSCALL knob and moving all that code under CONFIG_AUDIT, does anyone have any objections? -- paul moore www.paul-moore.com

9 years

2
4
0 / 0

ANN: Experimental Fedora Rawhide kernels (selinux-next and audit-next)

by Paul Moore

For the past few weeks I've been building experimental Fedora Rawhide kernels with all of the SELinux and audit kernel patches targeted for linux-next included. It has worked out reasonably well, and with the exception of getting a working Linux 4.4-rc1 build this week, it has proven to be relatively easy to manage. If you would like to help with testing and don't mind the instability that comes with development kernels, the Fedora COPR repository link is below. I've been doing at least one build each week, sometimes more, and I expect to continue with that frequency. I also perform a quick sanity check on each successful build, including running the SELinux and audit testsuites; however, there may be times when the kernel is simply broken, so exercise caution and please don't run these kernels on anything critical. * https://copr.fedoraproject.org/coprs/pcmoore/kernel-secnext -- paul moore www.paul-moore.com

9 years, 1 month

1
0
0 / 0

seccomp and audit_enabled

by Tony Jones

Hi. What is the expected handling of AUDIT_SECCOMP if audit_enabled == 0? Opera browser makes use of a sandbox and if audit_enabled == 0 (and no auditd is running) there is a lot of messages dumped to the klog. The fix to __audit_seccomp() is trivial, similar to c2412d91c and I can send a patch, I'm just not sure if seccomp is somehow special? Thanks Tony

9 years, 1 month

4
13
0 / 0

filtering system calls with auid -1

by ocakan

Hi! My aim is to audit only commands executed by root (interactively) and avc denied messages (selinux) Some details about my audit-test-system and current audit configuration. ### MY CONFIGURATION: uname -a: Linux centos6 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13 22:55:16 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux ### cat /proc/cmdline: ro root=UUID=63f8768a-2eee-4472-8ebc-43372292a93b rd_NO_LUKS LANG=en_US.UTF-8 KEYBOARDTYPE=pc KEYTABLE=de-latin1-nodeadkeys rd_NO_MD SYSFONT=latarcyrheb-sun16 rd_NO_LVM rd_NO_DM rhgb audit=1 ### rpm -q audit: audit-2.3.7-5.el6.x86_64 ### auditctl -l: -a never,exit -S all -F auid!=-1 -a never,exit -S all -F auid!=0 -F auid<500 -a always,exit -F arch=x86_64 -S execve -F euid=0 -F key=root-commands -a always,exit -F arch=i386 -S execve -F euid=0 -F key=root-commands -a always,exclude -F msgtype=CWD ### auditctl -s: AUDIT_STATUS: enabled=1 flag=1 pid=4232 rate_limit=0 backlog_limit=8192 lost=0 backlog=0 ### /etc/init.d/auditd status: auditd (pid 4232) is running... ### grep -Hrn loginuid /etc/pam.d/: /etc/pam.d/login:9:session required pam_loginuid.so /etc/pam.d/sshd:9:session required pam_loginuid.so /etc/pam.d/remote:9:session required pam_loginuid.so /etc/pam.d/ssh-keycat:4:session required pam_loginuid.so ----- MY QUESTION: With the above listed configuration I still get audit.log entries with auid=-1 including cron and anacron entries. EXAMPLE AUDIT.LOG SNIPPET: type=USER_ACCT msg=audit(1447748821.214:1369): user pid=5863 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' type=CRED_ACQ msg=audit(1447748821.214:1370): user pid=5863 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' type=USER_START msg=audit(1447748821.215:1371): user pid=5863 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' type=SYSCALL msg=audit(1447748821.215:1372): arch=c000003e syscall=59 success=yes exit=0 a0=7f24d92992d6 a1=7ffdc67f7a90 a2=7f24d9299340 a3=8 items=2 ppid=5863 pid=5865 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="root-commands" type=EXECVE msg=audit(1447748821.215:1372): argc=3 a0="/bin/sh" a1="-c" a2=636174202F6574632F736861646F7720263E2F6465762F6E756C6C type=PATH msg=audit(1447748821.215:1372): item=0 name="/bin/sh" inode=1045010 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL type=PATH msg=audit(1447748821.215:1372): item=1 name=(null) inode=1044483 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL type=SYSCALL msg=audit(1447748821.216:1373): arch=c000003e syscall=59 success=yes exit=0 a0=e388c0 a1=e38e20 a2=e37b00 a3=7ffc3c6a4a20 items=2 ppid=5865 pid=5866 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="root-commands" type=EXECVE msg=audit(1447748821.216:1373): argc=2 a0="cat" a1="/etc/shadow" type=PATH msg=audit(1447748821.216:1373): item=0 name="/bin/cat" inode=1044629 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL type=PATH msg=audit(1447748821.216:1373): item=1 name=(null) inode=1044483 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL type=CRED_DISP msg=audit(1447748821.217:1374): user pid=5863 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' type=USER_END msg=audit(1447748821.217:1375): user pid=5863 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' What am I missing or doing wrong? I also tried working with pam_tty_audit and aureport --tty but that is too detailed as every keypress gets logged. Cheers, Orhan

9 years, 1 month

2
4
0 / 0

[PATCH] kernel-audit: Delete unnecessary checks before two function calls

by SF Markus Elfring

From: Markus Elfring <elfring(a)users.sourceforge.net> Date: Sun, 15 Nov 2015 12:38:33 +0100 The functions consume_skb() and kfree_skb() test whether their argument is NULL and then return immediately. Thus the tests around their calls are not needed. This issue was detected by using the Coccinelle software. Signed-off-by: Markus Elfring <elfring(a)users.sourceforge.net> --- kernel/audit.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 5ffcbd3..1e8e228 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -509,8 +509,7 @@ static void flush_hold_queue(void) * if auditd just disappeared but we * dequeued an skb we need to drop ref */ - if (skb) - consume_skb(skb); + consume_skb(skb); } static int kauditd_thread(void *dummy) @@ -1232,9 +1231,7 @@ static void audit_buffer_free(struct audit_buffer *ab) if (!ab) return; - if (ab->skb) - kfree_skb(ab->skb); - + kfree_skb(ab->skb); spin_lock_irqsave(&audit_freelist_lock, flags); if (audit_freelist_count > AUDIT_MAXFREE) kfree(ab); -- 2.6.2

9 years, 1 month

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit November 2015