August 2015 - Linux-audit - Linux-Audit List Archives

[PATCH] audit: fix uninitialized variable in audit_add_rule()

by Paul Moore

As reported by the 0-Day testing service: kernel/auditfilter.c: In function 'audit_rule_change': >> kernel/auditfilter.c:864:6: warning: 'err' may be used uninit... int err; Cc: Richard Guy Briggs <rgb(a)redhat.com> Signed-off-by: Paul Moore <pmoore(a)redhat.com> --- kernel/auditfilter.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 4cb9b44..83f6d29 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -861,7 +861,7 @@ static inline int audit_add_rule(struct audit_entry *entry) struct audit_watch *watch = entry->rule.watch; struct audit_tree *tree = entry->rule.tree; struct list_head *list; - int err; + int err = 0; #ifdef CONFIG_AUDITSYSCALL int dont_count = 0;

9 years, 5 months

1
0
0 / 0

[PATCH V4 (was V6)] generalize audit_del_rule

by Richard Guy Briggs

This patch was split out from the audit by executable path patch set due to the potential to use it elsewhere. In particular, some questions came up while assessing the potential for code reuse: Why does audit_remove_parent_watches() not call audit_del_rule() for each entry found? Is audit_signals not properly decremented? Is audit_n_rules not properly decremented? Why does kill_rules() not call audit_del_rule() for each entry found? Is audit_signals not properly decremented? Is audit_n_rules not properly decremented? Richard Guy Briggs (1): audit: save signal match info in case entry passed in is the one deleted kernel/auditfilter.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-)

9 years, 5 months

2
3
0 / 0

[PATCH V8 0/3] audit by executable name

by Richard Guy Briggs

Please see the accompanying userspace patchset: https://www.redhat.com/archives/linux-audit/2015-July/thread.html [[PATCH V2] 0/2] Log on the future execution of a path The userspace interface is not expected to change appreciably unless something important has been overlooked. Setting and deleting rules works as expected. If the path does not exist at rule creation time, it will be re-evaluated every time there is a change to the parent directory at which point the change in device and inode will be noted. Here's a sample run: Test for addition, trigger and deletion of tree executable rule: # auditctl -a always,exit -S all -F dir=/tmp -F exe=/usr/bin/touch -F key=exetest_tree ---- time->Sat Jul 11 10:41:50 2015 type=CONFIG_CHANGE msg=audit(1436629310.720:44711): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="add_rule" key="exetest_tree" list=4 res=1 ---- # /usr/bin/touch /tmp/test ---- time->Sat Jul 11 10:41:50 2015 type=PROCTITLE msg=audit(1436629310.757:44712): proctitle=2F7573722F62696E2F746F756368002F746D702F74657374 type=PATH msg=audit(1436629310.757:44712): item=1 name="/tmp/test" inode=166932 dev=00:24 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE type=PATH msg=audit(1436629310.757:44712): item=0 name="/tmp/" inode=11525 dev=00:24 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT type=CWD msg=audit(1436629310.757:44712): cwd="/root" type=SYSCALL msg=audit(1436629310.757:44712): arch=c000003e syscall=2 success=yes exit=3 a0=7ffdee2f9e27 a1=941 a2=1b6 a3=691 items=2 ppid=17655 pid=17762 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="exetest_tree" ---- # auditctl -d always,exit -S all -F dir=/tmp -F exe=/usr/bin/touch -F key=exetest_tree ---- time->Sat Jul 11 10:41:50 2015 type=CONFIG_CHANGE msg=audit(1436629310.839:44713): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="remove_rule" key="exetest_tree" list=4 res=1 ---- Revision history: v8: Re-spin due to mods to: "audit: save signal match info in case entry passed in is the one deleted" v7: Add Audit Feature Bitmap macro AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH to AUDIT_FEATURE_BITMAP_ALL. Split out new patch to use macros for unset inode and device values. Remove BUG() usage in stubs. Rename audit_mark_free() to audit_fsnotify_mark_free(). Remove unused audit_get_mark() and audit_put_mark() functions. Rework ino and dev comparisons and assignments, using macros and existing funcs and eliminating temp variables. Move audit_update_mark() above its first usage. Move contents of kernel/audit_exe.c to kernel/audit_watch.c. Merge patch 3 with 1, merge patch 4 with 1 and 3 and rewrite the patch descriptions. Split out patch to audit by executable children. v6: Explicitly declare prototypes as external. Rename audit_dup_exe() to audit_dupe_exe() consistent with rule, watch, lsm_field. Rebased on v4.1. Rename audit_remove_mark_rule() called from audit_mark_handle_event() to audit_autoremove_mark_rule() to avoid confusion with audit_remove_{watch,tree}_rule() usage. Add audit_remove_mark_rule() to provide similar interface as audit_remove_{watch,tree}_rule(). Simplify stubs to defines. Rename audit_free_fsnotify_mark() to audit_fsnotify_free_mark() in keeping with the naming convention of inotify_free_mark(), dnotify_free_mark(), fanotify_free_mark(), audit_watch_free_mark(). Return -ENOMEM rather than null in case of memory allocation failure for audit_mark in audit_alloc_mark(). Rename audit_free_mark() to audit_mark_free() to avoid association with {i,d,fa}notify_free_mark() and audit_watch_free_mark(). Clean up exe with similar interface as watch and tree. Clean up audit exe mark just before audit_free_rule() rather than in it to avoid mutex in software interrupt context. Fixed bug in audit_dupe_exe() that returned error rather than valid pointer. v5: Revert patch "Let audit_free_rule() take care of calling audit_remove_mark()." since it caused a group mark deadlock. https://www.redhat.com/archives/linux-audit/2014-October/msg00024.html v4: Re-order and squash down fixups Fix audit_dup_exe() to copy pathname string before calling audit_alloc_mark(). https://www.redhat.com/archives/linux-audit/2014-August/msg00065.html v3: Rationalize and rename some function names and clean up get/put and free code. Rename several "watch" references to "mark". Rename audit_remove_rule() to audit_remove_mark_rule(). Let audit_free_rule() take care of calling audit_remove_mark(). Put audit_alloc_mark() arguments in same order as watch, tree and inode. Move the access to the entry for audit_match_signal() to the beginning of the function in case the entry found is the same one passed in. This will enable it to be used by audit_remove_mark_rule(). https://www.redhat.com/archives/linux-audit/2014-July/msg00000.html v2: Misguided attempt to add in audit_exe similar to watches https://www.redhat.com/archives/linux-audit/2014-June/msg00066.html v1.5: eparis' switch to fsnotify https://www.redhat.com/archives/linux-audit/2014-May/msg00046.html https://www.redhat.com/archives/linux-audit/2014-May/msg00066.html v1: Change to path interface instead of inode https://www.redhat.com/archives/linux-audit/2014-May/msg00017.html v0: Peter Moodie's original patches https://www.redhat.com/archives/linux-audit/2012-August/msg00033.html Future step: Get full-path notify working. Richard Guy Briggs (3): audit: clean simple fsnotify implementation audit: implement audit by executable audit: add audit by children of executable path include/linux/audit.h | 1 + include/uapi/linux/audit.h | 6 +- kernel/Makefile | 2 +- kernel/audit.h | 18 ++++ kernel/audit_fsnotify.c | 215 ++++++++++++++++++++++++++++++++++++++++++++ kernel/audit_tree.c | 2 + kernel/audit_watch.c | 31 +++++++ kernel/auditfilter.c | 57 +++++++++++- kernel/auditsc.c | 14 +++ 9 files changed, 342 insertions(+), 4 deletions(-) create mode 100644 kernel/audit_fsnotify.c

9 years, 5 months

1
3
0 / 0

[PATCH V4 (was V6) 0/2] audit: rebalance and remove extra layers of watch references

by Richard Guy Briggs

While working on the audit by executable path feature, it was discovered that watches and parent references were slightly imbalanced and deeper than necessary. Only bump up references when they are actually used and decrease when removed. v4: Eliminate unnecessary gotos and call return directly. Expand patch description with answer to mailing list query. Richard Guy Briggs (2): audit: eliminate unnecessary extra layer of watch references audit: eliminate unnecessary extra layer of watch parent references kernel/audit_watch.c | 11 ++++------- kernel/auditfilter.c | 16 +++------------- 2 files changed, 7 insertions(+), 20 deletions(-)

9 years, 5 months

2
4
0 / 0

Watching over non-existent folder to maintain a generic audit.rules file

by Florian Crouzat

Hello, I'm a bit new with auditd so excuse me if this question has been already answered but I failed to find answers. I'm in the process of replacing a FIM tool by auditd which is by far more powerful but I wanted to describe all possibles files and folders (or system calls) that I need to watch over in a generic audit.rules files that I would deploy on thousands of hosts. Unfortunately, I do not only watch over system-related files and folders but also applicative ones (eg custom path where some private keys are stored, etc) .. My problem is that these folders do not exists on all hosts thus making it impossible to write a generic audit.rules files. As I said, I have thousands of hosts and I can't imagine deploying different files on every hosts depending on the profile of the host. I know puppet could help me for this kind of stuff but I don't have it yet and even though, it would be difficult to configure. How do you guys usually workaround this issue ? I'm pretty sure I'm not the first one wanting to deploy a generic hardening across many hosts (but maybe I'm the only one using auditd to watch over something else than pure system-related stuff? Thanks, Florian

9 years, 5 months

3
6
0 / 0

auid=0

by rshaw1＠umbc.edu

Comparing the "official" STIG content with the scap-security-guide content, the former seems to have added corresponding rules for "-F auid=0" that aren't present in scap-security guide. i.e. where scap-security-guide will just have one rule: -a always,exit -F arch=ARCH -S <a bunch of stuff> -F auid>=500 -F auid!=4294967295 -k delete the official content will have the above plus: -a always,exit -F arch=ARCH -S <a bunch of stuff> -F auid=0 -k delete Is the addition necessary? It doesn't seem to be, as the rules caught root usage of, for example, chmod just fine without it (I had used su; not sure if there's a difference between that and other ways of being root.) I would like to make sure I'm right before asking one group or the other to delete or add it, respectively. --Ray

9 years, 5 months

2
3
0 / 0

[PATCH V6 0/4] audit by executable name

by Richard Guy Briggs

Please see the accompanying userspace patchset: https://www.redhat.com/archives/linux-audit/2015-July/thread.html [[PATCH V2] 0/2] Log on the future execution of a path The userspace interface is not expected to change appreciably unless something important has been overlooked. Setting and deleting rules works as expected. If the path does not exist at rule creation time, it will be re-evaluated every time there is a change to the parent directory at which point the change in device and inode will be noted. Here's a sample run: Test for addition, trigger and deletion of tree executable rule: # auditctl -a always,exit -S all -F dir=/tmp -F exe=/usr/bin/touch -F key=exetest_tree ---- time->Sat Jul 11 10:41:50 2015 type=CONFIG_CHANGE msg=audit(1436629310.720:44711): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="add_rule" key="exetest_tree" list=4 res=1 ---- # /usr/bin/touch /tmp/test ---- time->Sat Jul 11 10:41:50 2015 type=PROCTITLE msg=audit(1436629310.757:44712): proctitle=2F7573722F62696E2F746F756368002F746D702F74657374 type=PATH msg=audit(1436629310.757:44712): item=1 name="/tmp/test" inode=166932 dev=00:24 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE type=PATH msg=audit(1436629310.757:44712): item=0 name="/tmp/" inode=11525 dev=00:24 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT type=CWD msg=audit(1436629310.757:44712): cwd="/root" type=SYSCALL msg=audit(1436629310.757:44712): arch=c000003e syscall=2 success=yes exit=3 a0=7ffdee2f9e27 a1=941 a2=1b6 a3=691 items=2 ppid=17655 pid=17762 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="exetest_tree" ---- # auditctl -d always,exit -S all -F dir=/tmp -F exe=/usr/bin/touch -F key=exetest_tree ---- time->Sat Jul 11 10:41:50 2015 type=CONFIG_CHANGE msg=audit(1436629310.839:44713): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="remove_rule" key="exetest_tree" list=4 res=1 ---- Revision history: v6: Explicitly declare prototypes as external. Rename audit_dup_exe() to audit_dupe_exe() consistent with rule, watch, lsm_field. Rebased on v4.1. Rename audit_remove_mark_rule() called from audit_mark_handle_event() to audit_autoremove_mark_rule() to avoid confusion with audit_remove_{watch,tree}_rule() usage. Add audit_remove_mark_rule() to provide similar interface as audit_remove_{watch,tree}_rule(). Simplify stubs to defines. Rename audit_free_fsnotify_mark() to audit_fsnotify_free_mark() in keeping with the naming convention of inotify_free_mark(), dnotify_free_mark(), fanotify_free_mark(), audit_watch_free_mark(). Return -ENOMEM rather than null in case of memory allocation failure for audit_mark in audit_alloc_mark(). Rename audit_free_mark() to audit_mark_free() to avoid association with {i,d,fa}notify_free_mark() and audit_watch_free_mark(). Clean up exe with similar interface as watch and tree. Clean up audit exe mark just before audit_free_rule() rather than in it to avoid mutex in software interrupt context. Fixed bug in audit_dupe_exe() that returned error rather than valid pointer. v5: Revert patch "Let audit_free_rule() take care of calling audit_remove_mark()." since it caused a group mark deadlock. https://www.redhat.com/archives/linux-audit/2014-October/msg00024.html v4: Re-order and squash down fixups Fix audit_dup_exe() to copy pathname string before calling audit_alloc_mark(). https://www.redhat.com/archives/linux-audit/2014-August/msg00065.html v3: Rationalize and rename some function names and clean up get/put and free code. Rename several "watch" references to "mark". Rename audit_remove_rule() to audit_remove_mark_rule(). Let audit_free_rule() take care of calling audit_remove_mark(). Put audit_alloc_mark() arguments in same order as watch, tree and inode. Move the access to the entry for audit_match_signal() to the beginning of the function in case the entry found is the same one passed in. This will enable it to be used by audit_remove_mark_rule(). https://www.redhat.com/archives/linux-audit/2014-July/msg00000.html v2: Misguided attempt to add in audit_exe similar to watches https://www.redhat.com/archives/linux-audit/2014-June/msg00066.html v1.5: eparis' switch to fsnotify https://www.redhat.com/archives/linux-audit/2014-May/msg00046.html https://www.redhat.com/archives/linux-audit/2014-May/msg00066.html v1: Change to path interface instead of inode https://www.redhat.com/archives/linux-audit/2014-May/msg00017.html v0: Peter Moodie's original patches https://www.redhat.com/archives/linux-audit/2012-August/msg00033.html Future step: Get full-path notify working. Eric Paris (1): audit: implement audit by executable Richard Guy Briggs (3): audit: clean simple fsnotify implementation audit: convert audit_exe to audit_fsnotify audit: avoid double copying the audit_exe path string include/linux/audit.h | 1 + include/uapi/linux/audit.h | 2 + kernel/Makefile | 2 +- kernel/audit.h | 33 ++++++ kernel/audit_exe.c | 50 +++++++++ kernel/audit_fsnotify.c | 246 ++++++++++++++++++++++++++++++++++++++++++++ kernel/audit_tree.c | 2 + kernel/audit_watch.c | 4 + kernel/auditfilter.c | 63 +++++++++++- kernel/auditsc.c | 16 +++ 10 files changed, 415 insertions(+), 4 deletions(-) create mode 100644 kernel/audit_exe.c create mode 100644 kernel/audit_fsnotify.c

9 years, 5 months

4
25
0 / 0

[PATCH V7 0/3] audit by executable name

by Richard Guy Briggs

Please see the accompanying userspace patchset: https://www.redhat.com/archives/linux-audit/2015-July/thread.html [[PATCH V2] 0/2] Log on the future execution of a path The userspace interface is not expected to change appreciably unless something important has been overlooked. Setting and deleting rules works as expected. If the path does not exist at rule creation time, it will be re-evaluated every time there is a change to the parent directory at which point the change in device and inode will be noted. Here's a sample run: Test for addition, trigger and deletion of tree executable rule: # auditctl -a always,exit -S all -F dir=/tmp -F exe=/usr/bin/touch -F key=exetest_tree ---- time->Sat Jul 11 10:41:50 2015 type=CONFIG_CHANGE msg=audit(1436629310.720:44711): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="add_rule" key="exetest_tree" list=4 res=1 ---- # /usr/bin/touch /tmp/test ---- time->Sat Jul 11 10:41:50 2015 type=PROCTITLE msg=audit(1436629310.757:44712): proctitle=2F7573722F62696E2F746F756368002F746D702F74657374 type=PATH msg=audit(1436629310.757:44712): item=1 name="/tmp/test" inode=166932 dev=00:24 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE type=PATH msg=audit(1436629310.757:44712): item=0 name="/tmp/" inode=11525 dev=00:24 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT type=CWD msg=audit(1436629310.757:44712): cwd="/root" type=SYSCALL msg=audit(1436629310.757:44712): arch=c000003e syscall=2 success=yes exit=3 a0=7ffdee2f9e27 a1=941 a2=1b6 a3=691 items=2 ppid=17655 pid=17762 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="exetest_tree" ---- # auditctl -d always,exit -S all -F dir=/tmp -F exe=/usr/bin/touch -F key=exetest_tree ---- time->Sat Jul 11 10:41:50 2015 type=CONFIG_CHANGE msg=audit(1436629310.839:44713): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="remove_rule" key="exetest_tree" list=4 res=1 ---- Revision history: v7: Add Audit Feature Bitmap macro AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH to AUDIT_FEATURE_BITMAP_ALL. Split out new patch to use macros for unset inode and device values. Remove BUG() usage in stubs. Rename audit_mark_free() to audit_fsnotify_mark_free(). Remove unused audit_get_mark() and audit_put_mark() functions. Rework ino and dev comparisons and assignments, using macros and existing funcs and eliminating temp variables. Move audit_update_mark() above its first usage. Move contents of kernel/audit_exe.c to kernel/audit_watch.c. Merge patch 3 with 1, merge patch 4 with 1 and 3 and rewrite the patch descriptions. Split out patch to audit by executable children. v6: Explicitly declare prototypes as external. Rename audit_dup_exe() to audit_dupe_exe() consistent with rule, watch, lsm_field. Rebased on v4.1. Rename audit_remove_mark_rule() called from audit_mark_handle_event() to audit_autoremove_mark_rule() to avoid confusion with audit_remove_{watch,tree}_rule() usage. Add audit_remove_mark_rule() to provide similar interface as audit_remove_{watch,tree}_rule(). Simplify stubs to defines. Rename audit_free_fsnotify_mark() to audit_fsnotify_free_mark() in keeping with the naming convention of inotify_free_mark(), dnotify_free_mark(), fanotify_free_mark(), audit_watch_free_mark(). Return -ENOMEM rather than null in case of memory allocation failure for audit_mark in audit_alloc_mark(). Rename audit_free_mark() to audit_mark_free() to avoid association with {i,d,fa}notify_free_mark() and audit_watch_free_mark(). Clean up exe with similar interface as watch and tree. Clean up audit exe mark just before audit_free_rule() rather than in it to avoid mutex in software interrupt context. Fixed bug in audit_dupe_exe() that returned error rather than valid pointer. v5: Revert patch "Let audit_free_rule() take care of calling audit_remove_mark()." since it caused a group mark deadlock. https://www.redhat.com/archives/linux-audit/2014-October/msg00024.html v4: Re-order and squash down fixups Fix audit_dup_exe() to copy pathname string before calling audit_alloc_mark(). https://www.redhat.com/archives/linux-audit/2014-August/msg00065.html v3: Rationalize and rename some function names and clean up get/put and free code. Rename several "watch" references to "mark". Rename audit_remove_rule() to audit_remove_mark_rule(). Let audit_free_rule() take care of calling audit_remove_mark(). Put audit_alloc_mark() arguments in same order as watch, tree and inode. Move the access to the entry for audit_match_signal() to the beginning of the function in case the entry found is the same one passed in. This will enable it to be used by audit_remove_mark_rule(). https://www.redhat.com/archives/linux-audit/2014-July/msg00000.html v2: Misguided attempt to add in audit_exe similar to watches https://www.redhat.com/archives/linux-audit/2014-June/msg00066.html v1.5: eparis' switch to fsnotify https://www.redhat.com/archives/linux-audit/2014-May/msg00046.html https://www.redhat.com/archives/linux-audit/2014-May/msg00066.html v1: Change to path interface instead of inode https://www.redhat.com/archives/linux-audit/2014-May/msg00017.html v0: Peter Moodie's original patches https://www.redhat.com/archives/linux-audit/2012-August/msg00033.html Future step: Get full-path notify working. Richard Guy Briggs (3): audit: clean simple fsnotify implementation audit: implement audit by executable audit: add audit by children of executable path include/linux/audit.h | 1 + include/uapi/linux/audit.h | 6 +- kernel/Makefile | 2 +- kernel/audit.h | 18 ++++ kernel/audit_fsnotify.c | 215 ++++++++++++++++++++++++++++++++++++++++++++ kernel/audit_tree.c | 2 + kernel/audit_watch.c | 31 +++++++ kernel/auditfilter.c | 60 ++++++++++++- kernel/auditsc.c | 14 +++ 9 files changed, 345 insertions(+), 4 deletions(-) create mode 100644 kernel/audit_fsnotify.c

9 years, 5 months

1
3
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit August 2015