May 2015 - Linux-audit - Linux-Audit List Archives

Re: [PATCH 1/2] security: lsm_audit: add ioctl specific auditing

by Paul Moore

On Thursday, April 09, 2015 02:49:31 PM Jeff Vander Stoep wrote: > Add information about ioctl calls to the LSM audit data. Log the > file path and command number. > > Signed-off-by: Jeff Vander Stoep <jeffv(a)google.com> > --- > include/linux/lsm_audit.h | 7 +++++++ > security/lsm_audit.c | 15 +++++++++++++++ > 2 files changed, 22 insertions(+) No real comment other than we should include the linux-audit list on this patch (added to the To/CC line). >From an audit perspective the only new field would be the ioctl number which is represented by the "ioctlcmd" name. Does anyone in the audit space have any strong feelings on this one way or another? > diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h > index 1cc89e9..ffb9c9d 100644 > --- a/include/linux/lsm_audit.h > +++ b/include/linux/lsm_audit.h > @@ -40,6 +40,11 @@ struct lsm_network_audit { > } fam; > }; > > +struct lsm_ioctlop_audit { > + struct path path; > + u16 cmd; > +}; > + > /* Auxiliary data to use in generating the audit record. */ > struct common_audit_data { > char type; > @@ -53,6 +58,7 @@ struct common_audit_data { > #define LSM_AUDIT_DATA_KMOD 8 > #define LSM_AUDIT_DATA_INODE 9 > #define LSM_AUDIT_DATA_DENTRY 10 > +#define LSM_AUDIT_DATA_IOCTL_OP 11 > union { > struct path path; > struct dentry *dentry; > @@ -68,6 +74,7 @@ struct common_audit_data { > } key_struct; > #endif > char *kmod_name; > + struct lsm_ioctlop_audit *op; > } u; > /* this union contains LSM specific data */ > union { > diff --git a/security/lsm_audit.c b/security/lsm_audit.c > index 69fdf3b..7147c17 100644 > --- a/security/lsm_audit.c > +++ b/security/lsm_audit.c > @@ -245,6 +245,21 @@ static void dump_common_audit_data(struct audit_buffer > *ab, } > break; > } > + case LSM_AUDIT_DATA_IOCTL_OP: { > + struct inode *inode; > + > + audit_log_d_path(ab, " path=", &a->u.op->path); > + > + inode = a->u.op->path.dentry->d_inode; > + if (inode) { > + audit_log_format(ab, " dev="); > + audit_log_untrustedstring(ab, inode->i_sb->s_id); > + audit_log_format(ab, " ino=%lu", inode->i_ino); > + } > + > + audit_log_format(ab, " ioctlcmd=%hx", a->u.op->cmd); > + break; > + } > case LSM_AUDIT_DATA_DENTRY: { > struct inode *inode; -- paul moore www.paul-moore.com

10 years, 10 months

3
3
0 / 0

[PATCH V6 00/10] namespaces: log namespaces per task

by Richard Guy Briggs

The purpose is to track namespace instances in use by logged processes from the perspective of init_*_ns by logging the namespace IDs (device ID and namespace inode - offset). 1/10 exposes proc's ns entries structure which lists a number of useful operations per namespace type for other subsystems to use. 2/10 proc_ns: define PROC_*_INIT_INO in terms of PROC_DYNAMIC_FIRST 3/10 provides an example of usage for audit_log_task_info() which is used by syscall audits, among others. audit_log_task() and audit_common_recv_message() would be other potential use cases. Proposed output format: This differs slightly from Aristeu's patch because of the label conflict with "pid=" due to including it in existing records rather than it being a seperate record. It has now returned to being a seperate record. The proc device major/minor are listed in hexadecimal and namespace IDs are the proc inode minus the base offset. type=NS_INFO msg=audit(1408577535.306:82): dev=00:03 netns=3 utsns=-3 ipcns=-4 pidns=-1 userns=-2 mntns=0 4/10 change audit startup from __initcall to subsys_initcall to get it started earlier to be able to receive initial namespace log messages. 5/10 tracks the creation and deletion of namespaces, listing the type of namespace instance, proc device ID, related namespace id if there is one and the newly minted namespace ID. Proposed output format for initial namespace creation: type=AUDIT_NS_INIT_UTS msg=audit(1408577534.868:5): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel dev=00:03 old_utsns=(none) utsns=-3 res=1 type=AUDIT_NS_INIT_USER msg=audit(1408577534.868:6): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel dev=00:03 old_userns=(none) userns=-2 res=1 type=AUDIT_NS_INIT_PID msg=audit(1408577534.868:7): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel dev=00:03 old_pidns=(none) pidns=-1 res=1 type=AUDIT_NS_INIT_MNT msg=audit(1408577534.868:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel dev=00:03 old_mntns=(none) mntns=0 res=1 type=AUDIT_NS_INIT_IPC msg=audit(1408577534.868:9): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel dev=00:03 old_ipcns=(none) ipcns=-4 res=1 type=AUDIT_NS_INIT_NET msg=audit(1408577533.500:10): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel dev=00:03 old_netns=(none) netns=2 res=1 And a CLONE action would result in: type=type=AUDIT_NS_INIT_NET msg=audit(1408577535.306:81): pid=481 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 dev=00:03 old_netns=2 netns=3 res=1 While deleting a namespace would result in: type=type=AUDIT_NS_DEL_MNT msg=audit(1408577552.221:85): pid=481 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 dev=00:03 mntns=4 res=1 6/10 accepts a PID from userspace and requests logging an AUDIT_NS_INFO record type (CAP_AUDIT_CONTROL required). 7/10 is a macro for CLONE_NEW_* flags. 8/10 adds auditing on creation of namespace(s) in fork. 9/10 adds auditing a change of namespace on setns. 10/10 attaches a AUDIT_NS_INFO record to AUDIT_VIRT_CONTROL records (CAP_AUDIT_WRITE required). v5 -> v6: Switch to using namespace ID based on namespace proc inode minus base offset Added proc device ID to qualify proc inode reference Eliminate exposed /proc interface v4 -> v5: Clean up prototypes for dependencies on CONFIG_NAMESPACES. Add AUDIT_NS_INFO record type to AUDIT_VIRT_CONTROL record. Log AUDIT_NS_INFO with PID. Move /proc/<pid>/ns_* patches to end of patchset to deprecate them. Log on changing ns (setns). Log on creating new namespaces when forking. Added a macro for CLONE_NEW*. v3 -> v4: Seperate out the NS_INFO message from the SYSCALL message. Moved audit_log_namespace_info() out of audit_log_task_info(). Use a seperate message type per namespace type for each of INIT/DEL. Make ns= easier to search across NS_INFO and NS_INIT/DEL_XXX msg types. Add /proc/<pid>/ns/ documentation. Fix dynamic initial ns logging. v2 -> v3: Use atomic64_t in ns_serial to simplify it. Avoid funciton duplication in proc, keying on dentry. Squash down audit patch to avoid rcu sleep issues. Add tracking for creation and deletion of namespace instances. v1 -> v2: Avoid rollover by switching from an int to a long long. Change rollover behaviour from simply avoiding zero to raising a BUG. Expose serial numbers in /proc/<pid>/ns/*_snum. Expose ns_entries and use it in audit. Notes: As for CAP_AUDIT_READ, a patchset has been accepted upstream to check capabilities of userspace processes that try to join netlink broadcast groups. This set does not try to solve the non-init namespace audit messages and auditd problem yet. That will come later, likely with additional auditd instances running in another namespace with a limited ability to influence the master auditd. I echo Eric B's idea that messages destined for different namespaces would have to be tailored for that namespace with references that make sense (such as the right pid number reported to that pid namespace, and not leaking info about parents or peers). Questions: Is there a way to link serial numbers of namespaces involved in migration of a container to another kernel? It sounds like what is needed is a part of a mangement application that is able to pull the audit records from constituent hosts to build an audit trail of a container. What additional events should list this information? Does this present any problematic information leaks? Only CAP_AUDIT_CONTROL (and now CAP_AUDIT_READ) in init_user_ns can get to this information in the init namespace at the moment from audit. Richard Guy Briggs (10): namespaces: expose ns_entries proc_ns: define PROC_*_INIT_INO in terms of PROC_DYNAMIC_FIRST audit: log namespace ID numbers audit: initialize at subsystem time rather than device time audit: log creation and deletion of namespace instances audit: dump namespace IDs for pid on receipt of AUDIT_NS_INFO sched: add a macro to ref all CLONE_NEW* flags fork: audit on creation of new namespace(s) audit: log on switching namespace (setns) audit: emit AUDIT_NS_INFO record with AUDIT_VIRT_CONTROL record fs/namespace.c | 13 +++ fs/proc/generic.c | 3 +- fs/proc/namespaces.c | 2 +- include/linux/audit.h | 20 +++++ include/linux/proc_ns.h | 10 ++- include/uapi/linux/audit.h | 21 +++++ include/uapi/linux/sched.h | 6 ++ ipc/namespace.c | 12 +++ kernel/audit.c | 169 +++++++++++++++++++++++++++++++++++++- kernel/auditsc.c | 2 + kernel/fork.c | 3 + kernel/nsproxy.c | 4 + kernel/pid_namespace.c | 13 +++ kernel/user_namespace.c | 13 +++ kernel/utsname.c | 12 +++ net/core/net_namespace.c | 12 +++ security/integrity/ima/ima_api.c | 2 + 17 files changed, 309 insertions(+), 8 deletions(-)

10 years, 10 months

11
56
0 / 0

Significant performance hit auditing system account actions?

by leam hall

Some security requirements include auditing events by users and root. So the line might include something like: -F auid=0 -F auid>=500 -F auid!=4294967295 My question is, if you don't include that phrase will the audit system still get everything and not incur a serious performance hit. Effectively it will audit everything for users 1-499, the usual system accounts. Leam -- Mind on a Mission <http://leamhall.blogspot.com/>

10 years, 10 months

2
1
0 / 0

[PATCH V7 00/10] namespaces: log namespaces per task

by Richard Guy Briggs

The purpose is to track namespace instances in use by logged processes from the perspective of init_*_ns by logging the namespace IDs (namespace device ID and namespace inode). 1/10 exposes proc's ns entries structure which lists a number of useful operations per namespace type for other subsystems to use. 2/10 creates and switches to a dedicated inode pool for the namespace filesystem. 3/10 add the nsfs device ID to ns_common for each namespace instance for quick access. 4/10 provides an example of usage for audit_log_task_info() which is used by syscall audits, among others. Proposed output format: This differs slightly from Aristeu's patch because of the label conflict with "pid=" due to including it in existing records rather than it being a seperate record. "pid=" here is the target pid for a potentially unactivated task for which the nsproxy has been created. It has now returned to being a seperate record. The nsfs device major/minor are listed in hexadecimal and namespace IDs are the ns inode. type=NS_INFO msg=audit(1408577535.306:82): pid=310 dev=00:03 netns=7 utsns=3 ipcns=4 pidns=1 userns=2 mntns=5 5/10 change audit startup from __initcall to subsys_initcall to get it started earlier to be able to receive initial namespace log messages. 6/10 tracks the creation and deletion of namespaces, listing the type of namespace instance, nsfs device ID, related namespace id if there is one and the newly minted namespace ID. Proposed output format for initial namespace creation: type=AUDIT_NS_INIT_UTS msg=audit(1431115986.147:5): dev=00:03 old_utsns=(none) utsns=2 res=1 type=AUDIT_NS_INIT_USER msg=audit(1431115986.148:6): dev=00:03 old_userns=(none) userns=3 res=1 type=AUDIT_NS_INIT_PID msg=audit(1431115986.149:7): dev=00:03 old_pidns=(none) pidns=4 res=1 type=AUDIT_NS_INIT_MNT msg=audit(1431115986.150:8): dev=00:00 old_mntns=(none) mntns=5 res=1 type=AUDIT_NS_INIT_IPC msg=audit(1431115986.151:9): dev=00:03 old_ipcns=(none) ipcns=1 res=1 type=AUDIT_NS_INIT_NET msg=audit(1431115985.500:10): dev=00:03 old_netns=(none) netns=7 res=1 And a CLONE action would result in: type=AUDIT_NS_INIT_NET msg=audit(1408577535.306:81): dev=00:03 old_netns=7 netns=8 res=1 While deleting a namespace would result in: type=AUDIT_NS_DEL_MNT msg=audit(1431116003.205:534): dev=00:03 mntns=8 res=1 7/10 accepts a PID from userspace and requests logging an AUDIT_NS_INFO record type (CAP_AUDIT_CONTROL required). 8/10 adds auditing on creation of namespace(s) in fork for unshare(2) and clone(2), adding the CLONE_NEW_*ALL macro. 9/10 adds auditing a change of namespace on setns(2). type=AUDIT_NS_SET_NET msg=audit(1408577535.306:81): dev=00:03 old_netns=7 netns=8 res=1 10/10 attaches a AUDIT_NS_INFO record to AUDIT_VIRT_CONTROL records (CAP_AUDIT_WRITE required). v6 -> v7: Added sys_unshare to the sys_clone patch. Combined the CLONE_NEW_*_ALL macro and audit clone and unshare patches. Rebased on Al Viro's NSFS from v3.19-rc1 adding nsfs device ID to ns_common. Create and switch to an nsfs inode db. Switch AUDIT_NS_{INIT,DEL,SET}_* to auxiliary records. Fix NULL dereference bug in AUDIT_NS_INFO call from AUDIT_VIRT_CONTROL type. Remove call for audit_log_common_recv_msg. Only emit info, init, del, set messages on audit_enabled. v5 -> v6: Switch to using namespace ID based on namespace proc inode minus base offset Added proc device ID to qualify proc inode reference Eliminate exposed /proc interface v4 -> v5: Clean up prototypes for dependencies on CONFIG_NAMESPACES. Add AUDIT_NS_INFO record type to AUDIT_VIRT_CONTROL record. Log AUDIT_NS_INFO with PID. Move /proc/<pid>/ns_* patches to end of patchset to deprecate them. Log on changing ns (setns). Log on creating new namespaces when forking. Added a macro for CLONE_NEW*. v3 -> v4: Seperate out the NS_INFO message from the SYSCALL message. Moved audit_log_namespace_info() out of audit_log_task_info(). Use a seperate message type per namespace type for each of INIT/DEL. Make ns= easier to search across NS_INFO and NS_INIT/DEL_XXX msg types. Add /proc/<pid>/ns/ documentation. Fix dynamic initial ns logging. v2 -> v3: Use atomic64_t in ns_serial to simplify it. Avoid funciton duplication in proc, keying on dentry. Squash down audit patch to avoid rcu sleep issues. Add tracking for creation and deletion of namespace instances. v1 -> v2: Avoid rollover by switching from an int to a long long. Change rollover behaviour from simply avoiding zero to raising a BUG. Expose serial numbers in /proc/<pid>/ns/*_snum. Expose ns_entries and use it in audit. Notes: As for CAP_AUDIT_READ, a patchset has been accepted upstream to check capabilities of userspace processes that try to join netlink broadcast groups. This set does not try to solve the non-init namespace audit messages and auditd problem yet. That will come later, likely with additional auditd instances running in another namespace with a limited ability to influence the master auditd. I echo Eric B's idea that messages destined for different namespaces would have to be tailored for that namespace with references that make sense (such as the right pid number reported to that pid namespace, and not leaking info about parents or peers). Questions: Is there a way to link serial numbers of namespaces involved in migration of a container to another kernel? It sounds like what is needed is a part of a mangement application that is able to pull the audit records from constituent hosts to build an audit trail of a container. Do any additional events need this information? Does this present any problematic information leaks? Only CAP_AUDIT_CONTROL (and now CAP_AUDIT_READ) in init_user_ns can get to this information in the init namespace at the moment from audit. Richard Guy Briggs (10): namespaces: expose ns_entries nsfs: switch to dedicated inode pool nsfs: add nsfs device ID to ns_common audit: log namespace ID numbers audit: initialize at subsystem time rather than device time audit: log creation and deletion of namespace instances audit: dump namespace IDs for pid on receipt of AUDIT_NS_INFO fork: audit on creation of new namespace(s) with clone and unshare audit: log on switching namespace (setns) audit: emit AUDIT_NS_INFO record with AUDIT_VIRT_CONTROL record fs/namespace.c | 15 +++ fs/nsfs.c | 65 ++++++++++++++ fs/proc/internal.h | 2 + fs/proc/namespaces.c | 2 +- include/linux/audit.h | 27 ++++++ include/linux/ns_common.h | 1 + include/linux/proc_ns.h | 22 ++--- include/uapi/linux/audit.h | 21 +++++ include/uapi/linux/sched.h | 6 ++ init/version.c | 2 +- ipc/msgutil.c | 2 +- ipc/namespace.c | 13 +++ kernel/audit.c | 180 +++++++++++++++++++++++++++++++++++++- kernel/auditsc.c | 2 + kernel/fork.c | 13 ++- kernel/nsproxy.c | 2 + kernel/pid.c | 2 +- kernel/pid_namespace.c | 13 +++ kernel/user.c | 2 +- kernel/user_namespace.c | 13 +++ kernel/utsname.c | 12 +++ net/core/net_namespace.c | 13 +++ security/integrity/ima/ima_api.c | 2 + 23 files changed, 410 insertions(+), 22 deletions(-)

10 years, 10 months

1
10
0 / 0

Latest audit file for DISA STIGS

by James.A.Williams.ctr＠nga.mil

Classification: UNCLASSIFIED ====================================================== Hi All, Does anyone have a good audit file that conforms to the DISA STIG (RHEL 6)? Please email the file or copy into email. Thanks, Jim ====================================================== Classification: UNCLASSIFIED

10 years, 10 months

3
2
0 / 0

Seeking auditd help

by Bill Jackson III

Any pointers for troubleshooting auditd missing events for file reads, edits, etc. ( -w _path_ -p raw) on OEL5/RHEL 5/CentOS 5? http://security.stackexchange.com/q/89009/56827

10 years, 10 months

4
3
0 / 0

auid field when switching user

by Guillaume L.

Bonjour, I'm trying to use auditd to log all actions made by the users on the system. This part works fine. The documentation mention the "auid" field to identify the user from the first connection "even" when the user's identity changes (like with a su): auid=500 The auid field records the Audit user ID, that is the loginuid. This ID is assigned to a user upon login and is inherited by every process even when the user's identity changes (for example, by switching user accounts with the su - john command). But this is not working. If I log with the user "test" (uid 1000) when I switch to the user root, the value of auid is 0 (the uid of root). Did I missing something ? Thank you in advance. Regards, -- Guillaume

10 years, 10 months

3
3
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit May 2015