[PATCH 1/1] audit: Make AUDIT_KERNEL event conform to the specification
by Steve Grubb
The AUDIT_KERNEL event is not following name=value format. This causes
some information to get lost. The event has been reformatted to follow
the convention. Additionally, the audit_enabled value was added for
troubleshooting purposes. The following is an example of the new event:
type=KERNEL audit(1480621249.833:1): state=initialized audit_enabled=0 res=1
Signed-off-by: sgrubb <sgrubb(a)redhat.com>
---
kernel/audit.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 910a7c1..91860d4 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1252,7 +1252,9 @@ static int __init audit_init(void)
audit_enabled = audit_default;
audit_ever_enabled |= !!audit_default;
- audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized");
+ audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL,
+ "state=initialized audit_enabled=%u res=1",
+ audit_enabled);
for (i = 0; i < AUDIT_INODE_BUCKETS; i++)
INIT_LIST_HEAD(&audit_inode_hash[i]);
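Review bot: `res=1` is a literal in the new format string, so the KERNEL record reports success unconditionally; a result field that can never be 0 gives an investigator nothing and implies a failure path that does not exist in this hunk. Either drop the field or derive it from a real outcome of audit_init(). Also, the hunk does not show the declaration of `audit_enabled`; confirm that `%u` matches its declared type so the new call does not trade a lost field for a format warning.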
--
2.7.4
[PATCH 2/2] audit: log binding and unbinding to netlink multicast
by Steve Grubb
Log information about programs connecting to and disconnecting from the audit
netlink multicast socket. This is needed so that during investigations a
security officer can tell who or what had access to the audit trail. This
helps to meet the FAU_SAR.2 requirement for Common Criteria.
Signed-off-by: sgrubb <sgrubb(a)redhat.com>
---
include/uapi/linux/audit.h | 1 +
kernel/audit.c | 31 +++++++++++++++++++++++++++----
2 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 82e8aa5..e6dd046 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -111,6 +111,7 @@
#define AUDIT_PROCTITLE 1327 /* Proctitle emit event */
#define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes */
#define AUDIT_REPLACE 1329 /* Replace auditd if this packet unanswerd */
+#define AUDIT_EVENT_LISTENER 1330 /* Task joined multicast read socket */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
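Review bot: the comment on the new `AUDIT_EVENT_LISTENER` definition only mentions a task joining the multicast read socket, but the kernel/audit.c hunk of this patch emits the same record type with op=disconnect when the task leaves it; reword it to cover both cases, e.g. `/* Task joined or left multicast read socket */`, since userspace tooling documents record types from this header. Unrelated to this change, the adjacent AUDIT_REPLACE comment misspells "unanswered"; worth fixing while in the file.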
diff --git a/kernel/audit.c b/kernel/audit.c
index 22f8c3d..910a7c1 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1161,22 +1161,45 @@ void audit_log_task_simple(struct audit_buffer *ab,
struct task_struct *tsk)
}
EXPORT_SYMBOL(audit_log_task_simple);
+/* Log information about who is connecting to the audit multicast socket */
+static void audit_log_multicast_bind(int group, const char *op, int err)
+{
+ struct audit_buffer *ab;
+
+ ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_EVENT_LISTENER);
+ if (!ab)
+ return;
+
+ audit_log_task_simple(ab, current);
+ audit_log_format(ab, " nlnk-grp=%d op=%s res=%d", group, op, !err);
+ audit_log_end(ab);
+}
+
/* Run custom bind function on netlink socket group connect or bind requests.
*/
-static int audit_bind(struct net *net, int group)
+static int audit_multicast_bind(struct net *net, int group)
{
+ int err = 0;
+
if (!capable(CAP_AUDIT_READ))
- return -EPERM;
+ err = -EPERM;
+ audit_log_multicast_bind(group, "connect", err);
- return 0;
+ return err;
+}
+
+static void audit_multicast_unbind(struct net *net, int group)
+{
+ audit_log_multicast_bind(group, "disconnect", 0);
}
static int __net_init audit_net_init(struct net *net)
{
struct netlink_kernel_cfg cfg = {
.input = audit_receive,
- .bind = audit_bind,
+ .bind = audit_multicast_bind,
.flags = NL_CFG_F_NONROOT_RECV,
.groups = AUDIT_NLGRP_MAX,
+ .unbind = audit_multicast_unbind,
};
struct audit_net *aunet = net_generic(net, audit_net_id);
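Review bot: `audit_log_multicast_bind()` is also called from the new `audit_multicast_unbind()` with op="disconnect", so its name describes only half of what it does; a neutral name such as `audit_log_multicast_op()` would read correctly at both call sites. Two smaller points in the same hunk: the `.unbind = audit_multicast_unbind` initializer is added after `.groups` while `.bind` sits above `.flags`, so keep the two callbacks adjacent in the cfg struct; and the comment above `audit_multicast_bind()` still talks only about bind requests, although the function now records denied attempts as well (`res=0` via `!err` when CAP_AUDIT_READ is missing), which deserves a mention since that denial record is the one a security officer will actually be looking for.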
--
2.7.4
Auditd causes high CPU and high load
by Minh Tien Nguyen
Dear Audit team,
My name is Nguyen Minh Tien. I am from Singapore. I am working as a
developer for Garena LTD. Last week, I met a problem with Audit on our
production servers. The Auditd process caused some peak times on our
servers. At those times, system CPU usage was very high, around 100%, and the
load average was over 30. We have tried to find the root cause and have failed.
Could you help us with that case?
The servers that have the performance issue use Red Hat 6.8 and their
kernel is 2.6.32.
--
Best regards
_________________________
Nguyen Minh Tien - SA Team
email: nguyenmt(a)garena.com