[PATCH] audit: always enable syscall auditing when supported and audit is enabled
by Paul Moore
To the best of our knowledge, everyone who enables audit at compile
time also enables syscall auditing; this patch simplifies the Kconfig
menus by removing the option to disable syscall auditing when audit
is selected and the target arch supports it.
Signed-off-by: Paul Moore <pmoore(a)redhat.com>
---
init/Kconfig | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/init/Kconfig b/init/Kconfig
index c24b6f7..d4663b1 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -299,20 +299,15 @@ config AUDIT
help
Enable auditing infrastructure that can be used with another
kernel subsystem, such as SELinux (which requires this for
- logging of avc messages output). Does not do system-call
- auditing without CONFIG_AUDITSYSCALL.
+ logging of avc messages output). System call auditing is included
+ on architectures which support it.
config HAVE_ARCH_AUDITSYSCALL
bool
config AUDITSYSCALL
- bool "Enable system-call auditing support"
+ def_bool y
depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
- default y if SECURITY_SELINUX
- help
- Enable low-overhead system-call auditing infrastructure that
- can be used independently or with another kernel subsystem,
- such as SELinux.
config AUDIT_WATCH
def_bool y
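Review bot: with the prompt gone, `def_bool y` under `depends on AUDIT && HAVE_ARCH_AUDITSYSCALL` leaves no way to keep syscall auditing off short of disabling CONFIG_AUDIT entirely, so an existing .config with CONFIG_AUDITSYSCALL unset will silently gain it on the next oldconfig; that behaviour change is worth a sentence in the commit message. The same hunk also drops the whole `help` block for `config AUDITSYSCALL`, leaving the symbol undocumented; keeping the one-liner "Enable low-overhead system-call auditing infrastructure" under the `def_bool y` would cost nothing and still explain what the forced option does.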
5 years, 9 months
[RFC PATCH 0/7] audit: clean up audit queue handling
by Richard Guy Briggs
This set of patches cleans up a number of corner cases in the management
of the audit queue.
Richard Guy Briggs (7):
audit: don't needlessly reset valid wait time
audit: include auditd's threads in audit_log_start() wait exception
audit: allow systemd to use queue reserves
audit: wake up threads if queue switched from limited to unlimited
audit: allow audit_cmd_mutex holders to use reserves
audit: wake up audit_backlog_wait queue when auditd goes away.
audit: wake up kauditd_thread after auditd registers
kernel/audit.c | 20 +++++++++++++++-----
1 files changed, 15 insertions(+), 5 deletions(-)
8 years, 4 months
audit rules placement
by Lev Stipakov
Hello,
I have an rpm/deb package which includes an audisp plugin. In order for the plugin
to work, I need to permanently add audit rules. It seems that for
Centos/RHEL 7 I need to put those into /etc/audit/rules.d/audit.rules
and for Centos/RHEL6 (and probably Debian / Ubuntu?) it is
/etc/audit/audit.rules.
I noticed however that at least on Centos 7 I could put my rules into
/etc/audit/rules.d/plugin.rules and they will be picked on auditd
restart and added to /etc/audit/audit.rules. This does not work on
Debian 8 - even though it has a rules.d directory, only rules from
/rules.d/audit.rules are used.
Is there some kind of "official" guidance to where I should put my rules
on Centos/RHEL/Debian/Ubuntu ?
-Lev
8 years, 9 months
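An added example, not from the thread or the audit project, of how a package's post-install step could pick the rules location Lev asks about. It assumes that a system whose auditd service definition invokes augenrules merges /etc/audit/rules.d/*.rules on restart (the CentOS 7 behaviour he observed) and that other systems only read /etc/audit/audit.rules; the list of service files it inspects, the `plugin.rules` file name and the function names are this example's own choices, and the `root` parameter exists only so the logic can be exercised against a scratch directory.

```python
"""Decide where a package's audit rules belong by checking how auditd loads rules.

Added example; the file list and the augenrules heuristic are assumptions of this
example, not documented audit behaviour.
"""
import os

# Service definitions that invoke `augenrules --load` on augenrules-based systems
# (CentOS/RHEL 7 in the thread) and reference /etc/audit/audit.rules otherwise.
SERVICE_FILES = (
    "usr/lib/systemd/system/auditd.service",
    "lib/systemd/system/auditd.service",
    "etc/init.d/auditd",
)


def uses_augenrules(root="/"):
    """True if an auditd service/init definition under root mentions augenrules."""
    for rel in SERVICE_FILES:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            with open(path, errors="replace") as f:
                if "augenrules" in f.read():
                    return True
    return False


def rules_destination(root="/", plugin="plugin"):
    """Return (path, mode).

    mode "fragment": a dedicated /etc/audit/rules.d/<plugin>.rules that augenrules
    merges on restart.  mode "append": the monolithic /etc/audit/audit.rules, which
    must be appended to, never replaced, because it carries the distro's own rules."""
    rules_d = os.path.join(root, "etc/audit/rules.d")
    if uses_augenrules(root) and os.path.isdir(rules_d):
        return os.path.join(rules_d, plugin + ".rules"), "fragment"
    return os.path.join(root, "etc/audit/audit.rules"), "append"


def install_rules(rules, root="/", plugin="plugin"):
    """Write the rules and return the file touched.

    Appending is idempotent (rules already present are skipped) so that package
    upgrades do not accumulate duplicate rule lines."""
    path, mode = rules_destination(root, plugin)
    if mode == "fragment":
        with open(path, "w") as f:
            f.write("\n".join(rules) + "\n")
        return path
    existing = set()
    if os.path.exists(path):
        with open(path) as f:
            existing = {line.strip() for line in f}
    missing = [r for r in rules if r not in existing]
    if missing:
        with open(path, "a") as f:
            f.write("\n".join(missing) + "\n")
    return path
```

Either way the rules only take effect after `service auditd restart` (or `augenrules --load` on systems that use it), so the package's post-install step still has to trigger that.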
Auditing network traffic
by Lev Stipakov
Hello,
I work on an audisp plugin which audits network traffic - what process
has sent/received data to/from what remote address. So far I see 2 ways
of accomplishing that:
Hook syscalls. First, hook socket call with af_inet/inet6 to get pid and
fd, then read/write/sendto/recvfrom filtered by pid and fd. I see a few
issues with this approach:
1) Fd can be closed or duped, so I should probably hook close/dup2 calls
too. Not sure, though, if socket could be closed by kernel without any
syscall. As a workaround, one can just hook read/write and check if fd is
socket (S_ISSOCK) and also somehow filter out af_unix.
2) Getting saddr/daddr. Seems that dest addr could be obtained from
connect call. However I am not sure what is the right way to get that -
I got two records, first SYSCALL and then SOCKADDR. First one has an
argument which points to memory location where sockaddr structure lays,
and second one has "saddr" field. Latter looks good, but does SOCKADDR
event type always follows SYSCALL for connect call? Same for sendto call.
Another way of getting network stats is the AUDIT target for netfilter.
Looks good, no need to worry about fds/addrs. However there is no pid.
What would be the "best" way to get pid for those records? Anything else
besides looking into /proc/net/tcp?
-Lev
8 years, 9 months
[GIT PULL] Audit patches for 4.5
by Paul Moore
Hi Linus,
Seven audit patches for 4.5, all very minor despite the diffstat. The
diffstat churn for linux/audit.h can be attributed to needing to reshuffle the
linux/audit.h header to fix the seccomp auditing issue (see the commit
description for details). Besides the seccomp/audit fix, most of the fixes
are around trying to improve the connection with the audit daemon and a
Kconfig simplification. Nothing crazy, and everything passes our little
audit-testsuite, please pull for 4.5.
Thanks,
-Paul
---
The following changes since commit afd2ff9b7e1b367172f18ba7f693dfb62bdcb2dc:
Linux 4.4 (2016-01-10 15:01:32 -0800)
are available in the git repository at:
git://git.infradead.org/users/pcmoore/audit upstream
for you to fetch changes up to cb74ed278f8054fddf79ed930495b9e214f7c7b2:
audit: always enable syscall auditing when supported and audit is enabled
(2016-01-13 09:18:55 -0500)
----------------------------------------------------------------
Markus Elfring (1):
audit: Delete unnecessary checks before two function calls
Paul Moore (3):
audit: remove audit_backlog_wait_overflow
audit: force seccomp event logging to honor the audit_enabled flag
audit: always enable syscall auditing when supported and audit is enabled
Richard Guy Briggs (3):
audit: don't needlessly reset valid wait time
audit: include auditd's threads in audit_log_start() wait exception
audit: wake up threads if queue switched from limited to unlimited
include/linux/audit.h | 204 +++++++++++++++++++++++-----------------------
init/Kconfig | 11 +--
kernel/audit.c | 17 ++---
3 files changed, 114 insertions(+), 118 deletions(-)
--
paul moore
security @ redhat
8 years, 9 months
Use case not covered by the audit library?
by Gulland, Scott A
Hi,
I have a fairly common use case that I'm not sure is covered by the audit library and I need some advice on how best to handle it. I have a daemon running as root that services REST API calls (or a web UI from a browser). An external application first establishes a session by authenticating a user, which returns a token/session ID to the caller. All future REST API calls supply the token/session ID, which allows them authenticated access to the requested resource. The token/session ID indicates what user the request is associated with. Obviously, there can be many users simultaneously issuing requests.
What I need to do is specify the user on each audit log call. For example, I need to have a way to specify which user is issuing the request when I call audit_log_user_message(). Is this possible? This is a very common use case and really needs to be handled.
Scott Gulland
916.785.1497
HPE Networking, CEB R&D
8000 Foothills Blvd; MS - 5505
Roseville, CA 95747
USA
8 years, 9 months
audit 2.5 released
by Steve Grubb
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Make augenrules the default method to load audit rules
- Put rules in its own directory and break out rules into groups
- Have auditd do a fsync before closing log
- Make default flush setting larger
- In auparse, terminate the generated strings (Burn Alting)
- In auditd, add incremental_async flushing mode
- Clean up dangling fields in DAEMON events
- Add audit by process name support to auditctl (Richard Briggs)
- Relax permissions on systemd files
- Fix auparse to handle interlaced events (Burn Alting)
- Allow more syslog facilities in audispd-syslog (Aleksander Adamowski)
This release of the audit system represents a break with the past in a couple
ways. The default way to load rules is now via the augenrules program. And
this release of the audit package includes entirely new rules for use. The
nispom and stig rules still exist, but they have been renamed and moved. To
see the new rules, look in the rules documentation directory. There is a
README file that explains the new system.
The audit daemon has undergone some major performance improvements. The audit
daemon moved from a multi-threaded data flow to a single-threaded data flow with
asynchronous flushing. This new mode, INCREMENTAL_ASYNC, is now the default
flush setting. Using it makes the audit daemon log over 90 times faster. (At
least that's what I measured using the XFS file system. YMMV.) The audit daemon's
internal events were also reviewed and modernized with op= fields. Also,
because the audit daemon is now single-threaded for the main data flow, there
is no need to make a multi-thread-safe copy of libaudit. This means the audit
daemon binary is significantly smaller.
This release adds audit by executable name support if your kernel also
supports it. The audit by executable names support will allow you to write
rules that target an exact application so that you can see if it is doing
something odd. An example rule would look like this:
-a always,exit -F arch=x86_64 -S connect,sendto -F exe=/bin/sh -F key=bash-network
I think you will need the 4.4 kernel or later to use this feature.
Also in this release, there is a re-working of the auparse library by Burn
Alting to handle interlaced audit events. The kernel makes no effort to
serialize events going to user space. If for some reason two events got
interlaced where records for each one alternated with the other, the auparse
library previously considered one event ending and another starting for each
interlaced record - thus breaking up the event. This release should make all
tools linking against auparse much more reliable.
There were also a number of other minor cleanups and enhancements.
Please let me know if you run across any problems with this release.
-Steve
8 years, 9 months
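An added example, not code from the audit project or from either poster, that ties two points in this thread together: Lev's question above about pairing a connect()/sendto() SYSCALL record with its SOCKADDR record and decoding the hex saddr field, and Steve's note that records of different events can arrive interlaced. The records of one event share the serial inside msg=audit(ts:serial), so the parser groups by serial rather than by adjacency, which handles both interleaving and a SOCKADDR record that lands before or after its SYSCALL. The log lines are constructed for the example (the saddr values were built by hand from the sockaddr layouts), the syscall numbers assume x86_64 (arch=c000003e), sa_family is read in little-endian host order, and the address-family constants are the Linux values.

```python
"""Correlate interlaced audit SYSCALL/SOCKADDR records by serial and decode saddr.

Added example; the sample log is constructed, not captured from a real system.
Assumes x86_64 (arch=c000003e, little-endian sa_family) and Linux AF_* numbers.
"""
import ipaddress
import re
import struct
from collections import defaultdict

AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10            # Linux values
X86_64_SYSCALLS = {42: "connect", 44: "sendto"}  # the two syscalls the exe= rule above targets

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: three events whose records arrive interlaced.
# 1001 = connect() to 192.0.2.10:443, 1002 = sendto() to [2001:db8::1]:53,
# 1003 = connect() to an AF_UNIX socket (local IPC, filtered out below).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1452700000.123:1001): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd2a3c0e10 a2=10 a3=0 items=0 ppid=1 pid=4242 auid=1000 uid=1000 gid=1000 exe="/bin/sh" key="bash-network"
type=SYSCALL msg=audit(1452700000.125:1002): arch=c000003e syscall=44 success=yes exit=12 a0=5 a1=0 a2=c a3=0 items=0 ppid=1 pid=4243 auid=1000 uid=1000 gid=1000 exe="/usr/bin/python3" key="bash-network"
type=SOCKADDR msg=audit(1452700000.123:1001): saddr=020001BBC000020A0000000000000000
type=SYSCALL msg=audit(1452700000.130:1003): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7ffd2a3c0f00 a2=6e a3=0 items=0 ppid=1 pid=4242 auid=1000 uid=1000 gid=1000 exe="/bin/sh" key="bash-network"
type=SOCKADDR msg=audit(1452700000.125:1002): saddr=0A0000350000000020010DB800000000000000000000000100000000
type=SOCKADDR msg=audit(1452700000.130:1003): saddr=01002F746D702F782E736F636B00
"""


def parse_records(text):
    """Yield (serial, record type, {field: value}) per line; quoted values are unquoted."""
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
        yield int(m.group("serial")), m.group("type"), fields


def decode_saddr(hexstr):
    """Decode the raw sockaddr the kernel copied from userspace (hex-encoded in saddr=)."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack_from("<H", raw, 0)[0]          # sa_family is in host byte order
    if family == AF_INET and len(raw) >= 8:               # sockaddr_in: port, 4-byte addr
        return {"family": "inet", "port": struct.unpack_from("!H", raw, 2)[0],
                "addr": str(ipaddress.IPv4Address(raw[4:8]))}
    if family == AF_INET6 and len(raw) >= 24:             # sockaddr_in6: port, flowinfo, 16-byte addr
        return {"family": "inet6", "port": struct.unpack_from("!H", raw, 2)[0],
                "addr": str(ipaddress.IPv6Address(raw[8:24]))}
    if family == AF_UNIX:                                 # sockaddr_un: NUL-terminated path
        return {"family": "unix", "path": raw[2:].split(b"\0", 1)[0].decode("utf-8", "replace")}
    return {"family": str(family)}


def correlate(text):
    """Return one dict per network event: serial, pid, exe, syscall name, decoded peer.

    Grouping is by serial, never by line adjacency, so interlaced events and a
    SOCKADDR record that precedes its SYSCALL record are both handled."""
    by_serial = defaultdict(dict)
    for serial, rtype, fields in parse_records(text):
        by_serial[serial][rtype] = fields
    events = []
    for serial in sorted(by_serial):
        sc = by_serial[serial].get("SYSCALL")
        sa = by_serial[serial].get("SOCKADDR")
        if sc is None or sa is None:
            continue        # no SOCKADDR record: the syscall did not pass a sockaddr
        peer = decode_saddr(sa["saddr"])
        if peer["family"] == "unix":
            continue        # AF_UNIX is local IPC, not network traffic
        number = int(sc["syscall"])
        name = X86_64_SYSCALLS.get(number, str(number)) if sc.get("arch") == "c000003e" else str(number)
        events.append({"serial": serial, "pid": int(sc["pid"]), "exe": sc["exe"],
                       "syscall": name, "peer": peer})
    return events


if __name__ == "__main__":
    for ev in correlate(SAMPLE_LOG):
        print(ev)
```

Because the pairing key is the serial, a plugin built this way does not depend on SOCKADDR following SYSCALL in the stream; it only needs to buffer records until an event's EOE (or a timeout) before emitting. Note that exe= is emitted quoted only when the path is plain printable text; paths with unusual characters are hex-encoded by the kernel and would need the same bytes.fromhex() treatment as saddr.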
Patch to add support for more syslog facilities
by Aleksander Adamowski
The set of syslog facilities that can be configured for the builtin syslog
plugin is pretty limited (LOG_LOCAL0 - LOG_LOCAL9).
This patch adds a bunch of other facilities that might make sense for some
people (like us). Facilities that wouldn't make any sense (like LOG_NEWS or
LOG_LPR) are still left out.
Best Regards,
--
Olo
8 years, 9 months
[PATCH 00/15] Rework tty audit
by Peter Hurley
Hi Greg,
This patch series overhauls tty audit support. The goal was to simplify
and speed up tty auditing, which was a significant performance hit even
when disabled.
The main features of this series are:
* Remove reference counting; the purpose of reference counting the per-
process tty_audit_buf was to prevent premature deletion if the
buffer was in-use when tty auditing was exited for the process.
However, since the process is single-threaded at tty_audit_exit(),
the buffer cannot be in-use by another thread. Patch 11/15.
* Remove functionally dead code, such as tty_put_user(). Patch 2/15.
* Atomically modify tty audit enable/disable flags to support lockless
read. Patch 9/15.
Cc: Ingo Molnar <mingo(a)redhat.com>
Cc: Peter Zijlstra <peterz(a)infradead.org>
for patch 9/15 which removes an audit field from the signal_struct.
Cc: Oleg Nesterov <oleg(a)redhat.com>
to confirm my understanding of the single-threadedness of
if (group_dead) tty_audit_exit(), called from do_exit(). Patch 11/15
Requires: "tty: audit: Fix audit source"
Regards,
Peter Hurley (15):
tty: audit: Early-out pty master reads earlier
tty: audit: Never audit packet mode
tty: audit: Remove icanon mode from call chain
tty: audit: Defer audit buffer association
tty: audit: Take siglock directly
tty: audit: Ignore current association for audit push
tty: audit: Combine push functions
tty: audit: Track tty association with dev_t
tty: audit: Handle tty audit enable atomically
tty: audit: Remove false memory optimization
tty: audit: Remove tty_audit_buf reference counting
tty: audit: Simplify first-use allocation
tty: audit: Check audit enable first
tty: audit: Always push audit buffer before TIOCSTI
tty: audit: Poison tty_audit_buf while process exits
drivers/tty/n_tty.c | 25 ++----
drivers/tty/tty_audit.c | 231 ++++++++++++++----------------------------------
include/linux/audit.h | 4 +
include/linux/sched.h | 1 -
include/linux/tty.h | 12 +--
kernel/audit.c | 27 +++---
6 files changed, 97 insertions(+), 203 deletions(-)
--
2.6.3
8 years, 9 months