Re: [PATCH 1/2] security: lsm_audit: add ioctl specific auditing
by Paul Moore
On Thursday, April 09, 2015 02:49:31 PM Jeff Vander Stoep wrote:
> Add information about ioctl calls to the LSM audit data. Log the
> file path and command number.
>
> Signed-off-by: Jeff Vander Stoep <jeffv(a)google.com>
> ---
> include/linux/lsm_audit.h | 7 +++++++
> security/lsm_audit.c | 15 +++++++++++++++
> 2 files changed, 22 insertions(+)
No real comment other than we should include the linux-audit list on this
patch (added to the To/CC line).
>From an audit perspective the only new field would be the ioctl number which
is represented by the "ioctlcmd" name. Does anyone in the audit space have
any strong feelings on this one way or another?
> diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
> index 1cc89e9..ffb9c9d 100644
> --- a/include/linux/lsm_audit.h
> +++ b/include/linux/lsm_audit.h
> @@ -40,6 +40,11 @@ struct lsm_network_audit {
> } fam;
> };
>
> +struct lsm_ioctlop_audit {
> + struct path path;
> + u16 cmd;
> +};
> +
> /* Auxiliary data to use in generating the audit record. */
> struct common_audit_data {
> char type;
> @@ -53,6 +58,7 @@ struct common_audit_data {
> #define LSM_AUDIT_DATA_KMOD 8
> #define LSM_AUDIT_DATA_INODE 9
> #define LSM_AUDIT_DATA_DENTRY 10
> +#define LSM_AUDIT_DATA_IOCTL_OP 11
> union {
> struct path path;
> struct dentry *dentry;
> @@ -68,6 +74,7 @@ struct common_audit_data {
> } key_struct;
> #endif
> char *kmod_name;
> + struct lsm_ioctlop_audit *op;
> } u;
> /* this union contains LSM specific data */
> union {
> diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> index 69fdf3b..7147c17 100644
> --- a/security/lsm_audit.c
> +++ b/security/lsm_audit.c
> @@ -245,6 +245,21 @@ static void dump_common_audit_data(struct audit_buffer
> *ab, }
> break;
> }
> + case LSM_AUDIT_DATA_IOCTL_OP: {
> + struct inode *inode;
> +
> + audit_log_d_path(ab, " path=", &a->u.op->path);
> +
> + inode = a->u.op->path.dentry->d_inode;
> + if (inode) {
> + audit_log_format(ab, " dev=");
> + audit_log_untrustedstring(ab, inode->i_sb->s_id);
> + audit_log_format(ab, " ino=%lu", inode->i_ino);
> + }
> +
> + audit_log_format(ab, " ioctlcmd=%hx", a->u.op->cmd);
> + break;
> + }
> case LSM_AUDIT_DATA_DENTRY: {
> struct inode *inode;
--
paul moore
www.paul-moore.com
9 years, 5 months
[PATCH V6 00/10] namespaces: log namespaces per task
by Richard Guy Briggs
The purpose is to track namespace instances in use by logged processes from the
perspective of init_*_ns by logging the namespace IDs (device ID and namespace
inode - offset).
1/10 exposes proc's ns entries structure which lists a number of useful
operations per namespace type for other subsystems to use.
2/10 proc_ns: define PROC_*_INIT_INO in terms of PROC_DYNAMIC_FIRST
3/10 provides an example of usage for audit_log_task_info() which is used by
syscall audits, among others. audit_log_task() and audit_common_recv_message()
would be other potential use cases.
Proposed output format:
This differs slightly from Aristeu's patch because of the label conflict with
"pid=" due to including it in existing records rather than it being a seperate
record. It has now returned to being a seperate record. The proc device
major/minor are listed in hexadecimal and namespace IDs are the proc inode
minus the base offset.
type=NS_INFO msg=audit(1408577535.306:82): dev=00:03 netns=3 utsns=-3 ipcns=-4 pidns=-1 userns=-2 mntns=0
4/10 change audit startup from __initcall to subsys_initcall to get it started
earlier to be able to receive initial namespace log messages.
5/10 tracks the creation and deletion of namespaces, listing the type of
namespace instance, proc device ID, related namespace id if there is one and
the newly minted namespace ID.
Proposed output format for initial namespace creation:
type=AUDIT_NS_INIT_UTS msg=audit(1408577534.868:5): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel dev=00:03 old_utsns=(none) utsns=-3 res=1
type=AUDIT_NS_INIT_USER msg=audit(1408577534.868:6): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel dev=00:03 old_userns=(none) userns=-2 res=1
type=AUDIT_NS_INIT_PID msg=audit(1408577534.868:7): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel dev=00:03 old_pidns=(none) pidns=-1 res=1
type=AUDIT_NS_INIT_MNT msg=audit(1408577534.868:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel dev=00:03 old_mntns=(none) mntns=0 res=1
type=AUDIT_NS_INIT_IPC msg=audit(1408577534.868:9): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel dev=00:03 old_ipcns=(none) ipcns=-4 res=1
type=AUDIT_NS_INIT_NET msg=audit(1408577533.500:10): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel dev=00:03 old_netns=(none) netns=2 res=1
And a CLONE action would result in:
type=type=AUDIT_NS_INIT_NET msg=audit(1408577535.306:81): pid=481 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 dev=00:03 old_netns=2 netns=3 res=1
While deleting a namespace would result in:
type=type=AUDIT_NS_DEL_MNT msg=audit(1408577552.221:85): pid=481 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 dev=00:03 mntns=4 res=1
6/10 accepts a PID from userspace and requests logging an AUDIT_NS_INFO record
type (CAP_AUDIT_CONTROL required).
7/10 is a macro for CLONE_NEW_* flags.
8/10 adds auditing on creation of namespace(s) in fork.
9/10 adds auditing a change of namespace on setns.
10/10 attaches a AUDIT_NS_INFO record to AUDIT_VIRT_CONTROL records
(CAP_AUDIT_WRITE required).
v5 -> v6:
Switch to using namespace ID based on namespace proc inode minus base offset
Added proc device ID to qualify proc inode reference
Eliminate exposed /proc interface
v4 -> v5:
Clean up prototypes for dependencies on CONFIG_NAMESPACES.
Add AUDIT_NS_INFO record type to AUDIT_VIRT_CONTROL record.
Log AUDIT_NS_INFO with PID.
Move /proc/<pid>/ns_* patches to end of patchset to deprecate them.
Log on changing ns (setns).
Log on creating new namespaces when forking.
Added a macro for CLONE_NEW*.
v3 -> v4:
Seperate out the NS_INFO message from the SYSCALL message.
Moved audit_log_namespace_info() out of audit_log_task_info().
Use a seperate message type per namespace type for each of INIT/DEL.
Make ns= easier to search across NS_INFO and NS_INIT/DEL_XXX msg types.
Add /proc/<pid>/ns/ documentation.
Fix dynamic initial ns logging.
v2 -> v3:
Use atomic64_t in ns_serial to simplify it.
Avoid funciton duplication in proc, keying on dentry.
Squash down audit patch to avoid rcu sleep issues.
Add tracking for creation and deletion of namespace instances.
v1 -> v2:
Avoid rollover by switching from an int to a long long.
Change rollover behaviour from simply avoiding zero to raising a BUG.
Expose serial numbers in /proc/<pid>/ns/*_snum.
Expose ns_entries and use it in audit.
Notes:
As for CAP_AUDIT_READ, a patchset has been accepted upstream to check
capabilities of userspace processes that try to join netlink broadcast groups.
This set does not try to solve the non-init namespace audit messages and
auditd problem yet. That will come later, likely with additional auditd
instances running in another namespace with a limited ability to influence the
master auditd. I echo Eric B's idea that messages destined for different
namespaces would have to be tailored for that namespace with references that
make sense (such as the right pid number reported to that pid namespace, and
not leaking info about parents or peers).
Questions:
Is there a way to link serial numbers of namespaces involved in migration of a
container to another kernel? It sounds like what is needed is a part of a
mangement application that is able to pull the audit records from constituent
hosts to build an audit trail of a container.
What additional events should list this information?
Does this present any problematic information leaks? Only CAP_AUDIT_CONTROL
(and now CAP_AUDIT_READ) in init_user_ns can get to this information in
the init namespace at the moment from audit.
Richard Guy Briggs (10):
namespaces: expose ns_entries
proc_ns: define PROC_*_INIT_INO in terms of PROC_DYNAMIC_FIRST
audit: log namespace ID numbers
audit: initialize at subsystem time rather than device time
audit: log creation and deletion of namespace instances
audit: dump namespace IDs for pid on receipt of AUDIT_NS_INFO
sched: add a macro to ref all CLONE_NEW* flags
fork: audit on creation of new namespace(s)
audit: log on switching namespace (setns)
audit: emit AUDIT_NS_INFO record with AUDIT_VIRT_CONTROL record
fs/namespace.c | 13 +++
fs/proc/generic.c | 3 +-
fs/proc/namespaces.c | 2 +-
include/linux/audit.h | 20 +++++
include/linux/proc_ns.h | 10 ++-
include/uapi/linux/audit.h | 21 +++++
include/uapi/linux/sched.h | 6 ++
ipc/namespace.c | 12 +++
kernel/audit.c | 169 +++++++++++++++++++++++++++++++++++++-
kernel/auditsc.c | 2 +
kernel/fork.c | 3 +
kernel/nsproxy.c | 4 +
kernel/pid_namespace.c | 13 +++
kernel/user_namespace.c | 13 +++
kernel/utsname.c | 12 +++
net/core/net_namespace.c | 12 +++
security/integrity/ima/ima_api.c | 2 +
17 files changed, 309 insertions(+), 8 deletions(-)
9 years, 5 months
Significant performance hit auditing system account actions?
by leam hall
Some security requirements include auditing events by users and root. So
the line might include something like:
-F auid=0 -F auid>=500 -F auid!=4294967295
My question is, if you don't include that phrase will the audit system
still get everything and not incur a serious performance hit. Effectively
it will audit everything for users 1-499, the usual system accounts.
Leam
--
Mind on a Mission <http://leamhall.blogspot.com/>
9 years, 5 months
[PATCH V7 00/10] namespaces: log namespaces per task
by Richard Guy Briggs
The purpose is to track namespace instances in use by logged processes from the
perspective of init_*_ns by logging the namespace IDs (namespace device ID and
namespace inode).
1/10 exposes proc's ns entries structure which lists a number of useful
operations per namespace type for other subsystems to use.
2/10 creates and switches to a dedicated inode pool for the namespace
filesystem.
3/10 add the nsfs device ID to ns_common for each namespace instance for quick
access.
4/10 provides an example of usage for audit_log_task_info() which is used by
syscall audits, among others.
Proposed output format:
This differs slightly from Aristeu's patch because of the label conflict with
"pid=" due to including it in existing records rather than it being a seperate
record. "pid=" here is the target pid for a potentially unactivated task for
which the nsproxy has been created. It has now returned to being a seperate
record. The nsfs device major/minor are listed in hexadecimal and namespace
IDs are the ns inode.
type=NS_INFO msg=audit(1408577535.306:82): pid=310 dev=00:03 netns=7 utsns=3 ipcns=4 pidns=1 userns=2 mntns=5
5/10 change audit startup from __initcall to subsys_initcall to get it started
earlier to be able to receive initial namespace log messages.
6/10 tracks the creation and deletion of namespaces, listing the type of
namespace instance, nsfs device ID, related namespace id if there is one and
the newly minted namespace ID.
Proposed output format for initial namespace creation:
type=AUDIT_NS_INIT_UTS msg=audit(1431115986.147:5): dev=00:03 old_utsns=(none) utsns=2 res=1
type=AUDIT_NS_INIT_USER msg=audit(1431115986.148:6): dev=00:03 old_userns=(none) userns=3 res=1
type=AUDIT_NS_INIT_PID msg=audit(1431115986.149:7): dev=00:03 old_pidns=(none) pidns=4 res=1
type=AUDIT_NS_INIT_MNT msg=audit(1431115986.150:8): dev=00:00 old_mntns=(none) mntns=5 res=1
type=AUDIT_NS_INIT_IPC msg=audit(1431115986.151:9): dev=00:03 old_ipcns=(none) ipcns=1 res=1
type=AUDIT_NS_INIT_NET msg=audit(1431115985.500:10): dev=00:03 old_netns=(none) netns=7 res=1
And a CLONE action would result in:
type=AUDIT_NS_INIT_NET msg=audit(1408577535.306:81): dev=00:03 old_netns=7 netns=8 res=1
While deleting a namespace would result in:
type=AUDIT_NS_DEL_MNT msg=audit(1431116003.205:534): dev=00:03 mntns=8 res=1
7/10 accepts a PID from userspace and requests logging an AUDIT_NS_INFO record
type (CAP_AUDIT_CONTROL required).
8/10 adds auditing on creation of namespace(s) in fork for unshare(2) and
clone(2), adding the CLONE_NEW_*ALL macro.
9/10 adds auditing a change of namespace on setns(2).
type=AUDIT_NS_SET_NET msg=audit(1408577535.306:81): dev=00:03 old_netns=7 netns=8 res=1
10/10 attaches a AUDIT_NS_INFO record to AUDIT_VIRT_CONTROL records
(CAP_AUDIT_WRITE required).
v6 -> v7:
Added sys_unshare to the sys_clone patch.
Combined the CLONE_NEW_*_ALL macro and audit clone and unshare patches.
Rebased on Al Viro's NSFS from v3.19-rc1 adding nsfs device ID to ns_common.
Create and switch to an nsfs inode db.
Switch AUDIT_NS_{INIT,DEL,SET}_* to auxiliary records.
Fix NULL dereference bug in AUDIT_NS_INFO call from AUDIT_VIRT_CONTROL type.
Remove call for audit_log_common_recv_msg.
Only emit info, init, del, set messages on audit_enabled.
v5 -> v6:
Switch to using namespace ID based on namespace proc inode minus base offset
Added proc device ID to qualify proc inode reference
Eliminate exposed /proc interface
v4 -> v5:
Clean up prototypes for dependencies on CONFIG_NAMESPACES.
Add AUDIT_NS_INFO record type to AUDIT_VIRT_CONTROL record.
Log AUDIT_NS_INFO with PID.
Move /proc/<pid>/ns_* patches to end of patchset to deprecate them.
Log on changing ns (setns).
Log on creating new namespaces when forking.
Added a macro for CLONE_NEW*.
v3 -> v4:
Seperate out the NS_INFO message from the SYSCALL message.
Moved audit_log_namespace_info() out of audit_log_task_info().
Use a seperate message type per namespace type for each of INIT/DEL.
Make ns= easier to search across NS_INFO and NS_INIT/DEL_XXX msg types.
Add /proc/<pid>/ns/ documentation.
Fix dynamic initial ns logging.
v2 -> v3:
Use atomic64_t in ns_serial to simplify it.
Avoid funciton duplication in proc, keying on dentry.
Squash down audit patch to avoid rcu sleep issues.
Add tracking for creation and deletion of namespace instances.
v1 -> v2:
Avoid rollover by switching from an int to a long long.
Change rollover behaviour from simply avoiding zero to raising a BUG.
Expose serial numbers in /proc/<pid>/ns/*_snum.
Expose ns_entries and use it in audit.
Notes:
As for CAP_AUDIT_READ, a patchset has been accepted upstream to check
capabilities of userspace processes that try to join netlink broadcast groups.
This set does not try to solve the non-init namespace audit messages and
auditd problem yet. That will come later, likely with additional auditd
instances running in another namespace with a limited ability to influence the
master auditd. I echo Eric B's idea that messages destined for different
namespaces would have to be tailored for that namespace with references that
make sense (such as the right pid number reported to that pid namespace, and
not leaking info about parents or peers).
Questions:
Is there a way to link serial numbers of namespaces involved in migration of a
container to another kernel? It sounds like what is needed is a part of a
mangement application that is able to pull the audit records from constituent
hosts to build an audit trail of a container.
Do any additional events need this information?
Does this present any problematic information leaks? Only CAP_AUDIT_CONTROL
(and now CAP_AUDIT_READ) in init_user_ns can get to this information in
the init namespace at the moment from audit.
Richard Guy Briggs (10):
namespaces: expose ns_entries
nsfs: switch to dedicated inode pool
nsfs: add nsfs device ID to ns_common
audit: log namespace ID numbers
audit: initialize at subsystem time rather than device time
audit: log creation and deletion of namespace instances
audit: dump namespace IDs for pid on receipt of AUDIT_NS_INFO
fork: audit on creation of new namespace(s) with clone and unshare
audit: log on switching namespace (setns)
audit: emit AUDIT_NS_INFO record with AUDIT_VIRT_CONTROL record
fs/namespace.c | 15 +++
fs/nsfs.c | 65 ++++++++++++++
fs/proc/internal.h | 2 +
fs/proc/namespaces.c | 2 +-
include/linux/audit.h | 27 ++++++
include/linux/ns_common.h | 1 +
include/linux/proc_ns.h | 22 ++---
include/uapi/linux/audit.h | 21 +++++
include/uapi/linux/sched.h | 6 ++
init/version.c | 2 +-
ipc/msgutil.c | 2 +-
ipc/namespace.c | 13 +++
kernel/audit.c | 180 +++++++++++++++++++++++++++++++++++++-
kernel/auditsc.c | 2 +
kernel/fork.c | 13 ++-
kernel/nsproxy.c | 2 +
kernel/pid.c | 2 +-
kernel/pid_namespace.c | 13 +++
kernel/user.c | 2 +-
kernel/user_namespace.c | 13 +++
kernel/utsname.c | 12 +++
net/core/net_namespace.c | 13 +++
security/integrity/ima/ima_api.c | 2 +
23 files changed, 410 insertions(+), 22 deletions(-)
9 years, 5 months
Latest audit file for DISA STIGS
by James.A.Williams.ctr@nga.mil
Classification: UNCLASSIFIED
======================================================
Hi All,
Does anyone have a good audit file that conforms to the DISA STIG (RHEL 6)?
Please email the file or copy into email.
Thanks,
Jim
======================================================
Classification: UNCLASSIFIED
9 years, 5 months
auid field when switching user
by Guillaume L.
Bonjour,
I'm trying to use auditd to log all actions made by the users on the
system. This part works fine.
The documentation mention the "auid" field to identify the user from the
first connection "even" when the user's identity changes (like with a su):
auid=500
The auid field records the Audit user ID, that is the loginuid. This ID is
assigned to a user upon login and is inherited by every process even when
the user's identity changes (for example, by switching user accounts with
the su - john command).
But this is not working. If I log with the user "test" (uid 1000) when I
switch to the user root, the value of auid is 0 (the uid of root).
Did I missing something ?
Thank you in advance.
Regards,
--
Guillaume
9 years, 5 months