Problem running auditd on Raspberry Pi (fedora-server-24)
by C.y
Hi all,
I have fedora-server-24 installed on my raspberry-pi-3, following the guide
https://fedoraproject.org/wiki/Raspberry_Pi.
Once I got my Raspberry Pi booted up, there were errors mentioning that "audit
support not in kernel", which I believed were then resolved after I rebuilt
my kernel.
However, I got stuck when I tried to add rule using `auditctl` command as
below:
`# auditctl -w /etc/passwd -p wa -k passwd_changes`
Error sending add rule data request (Invalid argument)
I tried to search for a solution, but it led me to a bug that had already
been solved years ago. Can anyone tell me if I am on the right track to
getting auditd working on the Raspberry Pi? Is the problem I've faced
already a known issue?
Below is my system information and some logs/details from when I tried to
diagnose the problem. Thanks a lot for your help in advance!
`# uname -a`
Linux raspi3.lab 4.4.23-v7+ #2 SMP Sat Oct 1 15:24:41 CST 2016 armv7l
armv7l armv7l GNU/Linux
`# modprobe configs ; gunzip -dc /proc/config.gz | grep AUDIT`
CONFIG_AUDIT=y
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_AUDIT_GENERIC=y
# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set
`# systemctl status auditd.service`
● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor
preset: enabled)
Active: active (running) since Fri 2016-02-12 00:28:07 CST; 7 months 19
days ago
Process: 1553 ExecReload=/bin/kill -HUP $MAINPID (code=exited,
status=0/SUCCESS)
Process: 279 ExecStartPost=/sbin/augenrules --load (code=exited,
status=1/FAILURE)
Main PID: 278 (auditd)
CGroup: /system.slice/auditd.service
└─278 /sbin/auditd -n
Oct 01 16:36:53 raspi3.lab auditd[278]: audit(1475311013.356:8458)
op=reconfigure state=changed auid=4294967295 pid=-1 subj=? res=success
Oct 01 16:36:53 raspi3.lab systemd[1]: Reloaded Security Auditing Service.
Oct 01 16:37:28 raspi3.lab systemd[1]: Reloading Security Auditing Service.
Oct 01 16:37:28 raspi3.lab auditd[278]: config change requested by pid=-1
auid=4294967295 subj=?
Oct 01 16:37:28 raspi3.lab auditd[278]: audit(1475311048.046:257)
op=reconfigure state=changed auid=4294967295 pid=-1 subj=? res=success
Oct 01 16:37:28 raspi3.lab systemd[1]: Reloaded Security Auditing Service.
Oct 01 16:38:18 raspi3.lab systemd[1]: Reloading Security Auditing Service.
Oct 01 16:38:18 raspi3.lab auditd[278]: config change requested by pid=-1
auid=4294967295 subj=?
Oct 01 16:38:18 raspi3.lab auditd[278]: audit(1475311098.716:2108)
op=reconfigure state=changed auid=4294967295 pid=-1 subj=? res=success
Oct 01 16:38:18 raspi3.lab systemd[1]: Reloaded Security Auditing Service.
Meanwhile my `/var/log/audit/audit.log` was full of "SERVICE_START"
& "SERVICE_STOP" lines:
type=SERVICE_START msg=audit(1475313700.696:276): pid=1 uid=0
auid=4294967295 ses=4294967295 msg='unit=NetworkManager-dispatcher
comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
type=SERVICE_STOP msg=audit(1475313710.836:277): pid=1 uid=0
auid=4294967295 ses=4294967295 msg='unit=NetworkManager-dispatcher
comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
Sincerely,
CHING YI.
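As an added check (not part of the thread, and not auditd's or the kernel's own code): a small Python script that parses `/proc/config.gz` the way the question's `grep AUDIT` did and reports which kinds of auditctl rules the running kernel can accept. The mapping of rule kinds to kernel options is hand-written from the kernel's Kconfig and audit filter behaviour: watch rules (`-w`) and syscall rules are stored on the syscall filter lists, which exist only with CONFIG_AUDITSYSCALL, and a kernel built without it rejects them with EINVAL, the errno behind "Invalid argument". The function names are mine; the sample config is constructed to mirror the grep output quoted above.

```python
import gzip
import re

# Hand-written mapping (an assumption of this example, taken from the kernel's
# Kconfig and auditfilter behaviour): watches (-w) and syscall rules (-a
# exit/entry/task) live on the syscall filter lists, which are compiled in only
# with CONFIG_AUDITSYSCALL; without it the kernel answers EINVAL. User-message
# and exclude rules need only CONFIG_AUDIT.
RULE_REQUIREMENTS = {
    "watch (-w path)": ("CONFIG_AUDIT", "CONFIG_AUDITSYSCALL"),
    "syscall (-a exit/entry/task)": ("CONFIG_AUDIT", "CONFIG_AUDITSYSCALL"),
    "user message (-a user)": ("CONFIG_AUDIT",),
    "record type filter (-a exclude)": ("CONFIG_AUDIT",),
}

def parse_kconfig(text):
    """Map CONFIG_* names to values; '# X is not set' becomes 'n'. Options whose
    dependencies are unmet are absent from the file, so absent is treated as 'n'."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(.*)$|^# (CONFIG_\w+) is not set$", line.strip())
        if m and m.group(1):
            opts[m.group(1)] = m.group(2).strip('"')
        elif m:
            opts[m.group(3)] = "n"
    return opts

def rule_support(opts):
    """Return {rule kind: (supported, [missing options])} for a parsed config."""
    report = {}
    for kind, needed in RULE_REQUIREMENTS.items():
        missing = [o for o in needed if opts.get(o, "n") != "y"]
        report[kind] = (not missing, missing)
    return report

def running_kernel_config(path="/proc/config.gz"):
    """Parse the running kernel's config (run `modprobe configs` first, as in the
    thread, if the file is missing)."""
    with gzip.open(path, "rt") as fh:
        return parse_kconfig(fh.read())

# Constructed sample mirroring the grep output quoted in the question.
SAMPLE = """CONFIG_AUDIT=y
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_AUDIT_GENERIC=y
# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set
"""

if __name__ == "__main__":
    for kind, (ok, missing) in rule_support(running_kernel_config()).items():
        print(kind, "OK" if ok else "unsupported, missing " + ", ".join(missing))
```

Run on the sample config above, the script reports watch and syscall rules as unsupported because no CONFIG_AUDITSYSCALL line is present, while user-message and exclude rules are accepted.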
[PATCH] audit: Use timespec64 to represent audit timestamps
by Deepa Dinamani
struct timespec is not y2038 safe.
Audit timestamps are recorded in string format into
an audit buffer for a given context.
These mark the entry timestamps for the syscalls.
Use y2038 safe struct timespec64 to represent the times.
The log strings can handle this transition as strings can
hold up to 1024 characters.
Signed-off-by: Deepa Dinamani <deepa.kernel(a)gmail.com>
Reviewed-by: Arnd Bergmann <arnd(a)arndb.de>
Acked-by: Paul Moore <paul(a)paul-moore.com>
Acked-by: Richard Guy Briggs <rgb(a)redhat.com>
Cc: Eric Paris <eparis(a)redhat.com>
Cc: Paul Moore <paul(a)paul-moore.com>
Cc: Richard Guy Briggs <rgb(a)redhat.com>
Cc: linux-audit(a)redhat.com
---
include/linux/audit.h | 4 ++--
kernel/audit.c | 10 +++++-----
kernel/audit.h | 2 +-
kernel/auditsc.c | 6 +++---
4 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 9d4443f..e51782b 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -332,7 +332,7 @@ static inline void audit_ptrace(struct task_struct *t)
/* Private API (for audit.c only) */
extern unsigned int audit_serial(void);
extern int auditsc_get_stamp(struct audit_context *ctx,
- struct timespec *t, unsigned int *serial);
+ struct timespec64 *t, unsigned int *serial);
extern int audit_set_loginuid(kuid_t loginuid);
static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
@@ -490,7 +490,7 @@ static inline void __audit_seccomp(unsigned long syscall, long signr, int code)
static inline void audit_seccomp(unsigned long syscall, long signr, int code)
{ }
static inline int auditsc_get_stamp(struct audit_context *ctx,
- struct timespec *t, unsigned int *serial)
+ struct timespec64 *t, unsigned int *serial)
{
return 0;
}
diff --git a/kernel/audit.c b/kernel/audit.c
index a8a91bd..b03b6c7 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1325,10 +1325,10 @@ unsigned int audit_serial(void)
}
static inline void audit_get_stamp(struct audit_context *ctx,
- struct timespec *t, unsigned int *serial)
+ struct timespec64 *t, unsigned int *serial)
{
if (!ctx || !auditsc_get_stamp(ctx, t, serial)) {
- *t = CURRENT_TIME;
+ ktime_get_real_ts64(t);
*serial = audit_serial();
}
}
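Review bot: replacing `*t = CURRENT_TIME;` with `ktime_get_real_ts64(t);` changes more than the width of the timestamp: CURRENT_TIME is the coarse, tick-granularity wall clock, while ktime_get_real_ts64() reads the fine-grained clocksource, so audit_log_start() timestamps gain sub-tick precision at a somewhat higher per-record cost. That is probably desirable, but the commit message presents this as a pure type change; either document the precision change there or, if a like-for-like replacement was intended, use the coarse 64-bit accessor current_kernel_time64() here and in the matching auditsc.c hunk.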
@@ -1370,7 +1370,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
int type)
{
struct audit_buffer *ab = NULL;
- struct timespec t;
+ struct timespec64 t;
unsigned int uninitialized_var(serial);
int reserve = 5; /* Allow atomic callers to go up to five
entries over the normal backlog limit */
@@ -1422,8 +1422,8 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
audit_get_stamp(ab->ctx, &t, &serial);
- audit_log_format(ab, "audit(%lu.%03lu:%u): ",
- t.tv_sec, t.tv_nsec/1000000, serial);
+ audit_log_format(ab, "audit(%llu.%03lu:%u): ",
+ (unsigned long long)t.tv_sec, t.tv_nsec/1000000, serial);
return ab;
}
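Review bot: the nanosecond argument keeps `%03lu` although `t.tv_nsec` is a `long` in both struct timespec and struct timespec64; the value is never negative so the output is correct, but `%03ld` would match the type exactly and avoid a signedness warning on builds that check formats. The `%llu` with the explicit `(unsigned long long)t.tv_sec` cast is the right choice, because tv_sec's underlying type differs between 32-bit and 64-bit builds, and the rendered `audit(sec.msec:serial)` text is unchanged for current dates, so ausearch and other parsers need no update.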
diff --git a/kernel/audit.h b/kernel/audit.h
index 431444c..55d1ca2 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -112,7 +112,7 @@ struct audit_context {
enum audit_state state, current_state;
unsigned int serial; /* serial number for record */
int major; /* syscall number */
- struct timespec ctime; /* time of syscall entry */
+ struct timespec64 ctime; /* time of syscall entry */
unsigned long argv[4]; /* syscall arguments */
long return_code;/* syscall return code */
u64 prio;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 5abf1dc..8dc7fe9 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1522,7 +1522,7 @@ void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
return;
context->serial = 0;
- context->ctime = CURRENT_TIME;
+ ktime_get_real_ts64(&context->ctime);
context->in_syscall = 1;
context->current_state = state;
context->ppid = 0;
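Review bot: `ktime_get_real_ts64(&context->ctime);` now runs on every audited syscall entry, which is the hot path for anyone with syscall rules loaded, and it is costlier than the CURRENT_TIME read it replaces; a sentence in the commit message about the expected overhead, or a quick measurement on a syscall-heavy workload with a few -a exit rules active, would make the trade-off explicit. Whichever clock is chosen, it must be the same one used in audit_get_stamp() in kernel/audit.c, which this patch does keep consistent.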
@@ -1931,13 +1931,13 @@ EXPORT_SYMBOL_GPL(__audit_inode_child);
/**
* auditsc_get_stamp - get local copies of audit_context values
* @ctx: audit_context for the task
- * @t: timespec to store time recorded in the audit_context
+ * @t: timespec64 to store time recorded in the audit_context
* @serial: serial value that is recorded in the audit_context
*
* Also sets the context as auditable.
*/
int auditsc_get_stamp(struct audit_context *ctx,
- struct timespec *t, unsigned int *serial)
+ struct timespec64 *t, unsigned int *serial)
{
if (!ctx->in_syscall)
return 0;
--
2.7.4