[PATCH] audit: always enable syscall auditing when supported and audit is enabled
by Paul Moore
To the best of our knowledge, everyone who enables audit at compile
time also enables syscall auditing; this patch simplifies the Kconfig
menus by removing the option to disable syscall auditing when audit
is selected and the target arch supports it.
Signed-off-by: Paul Moore <pmoore(a)redhat.com>
---
init/Kconfig | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/init/Kconfig b/init/Kconfig
index c24b6f7..d4663b1 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -299,20 +299,15 @@ config AUDIT
help
Enable auditing infrastructure that can be used with another
kernel subsystem, such as SELinux (which requires this for
- logging of avc messages output). Does not do system-call
- auditing without CONFIG_AUDITSYSCALL.
+ logging of avc messages output). System call auditing is included
+ on architectures which support it.
config HAVE_ARCH_AUDITSYSCALL
bool
config AUDITSYSCALL
- bool "Enable system-call auditing support"
+ def_bool y
depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
- default y if SECURITY_SELINUX
- help
- Enable low-overhead system-call auditing infrastructure that
- can be used independently or with another kernel subsystem,
- such as SELinux.
config AUDIT_WATCH
def_bool y
5 years, 9 months
[PATCH] security: lsm_audit: print pid and tid
by Jeff Vander Stoep
dump_common_audit_data() currently contains a field for pid, but the
value printed is actually the thread ID, tid. Update this value to
return the task group ID. Add a new field for tid. With this change
the values printed by audit now match the values returned by the
getpid() and gettid() syscalls.
Signed-off-by: Jeff Vander Stoep <jeffv(a)google.com>
---
security/lsm_audit.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index cccbf30..57f26c1 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -220,7 +220,8 @@ static void dump_common_audit_data(struct audit_buffer *ab,
*/
BUILD_BUG_ON(sizeof(a->u) > sizeof(void *)*2);
- audit_log_format(ab, " pid=%d comm=", task_pid_nr(current));
+ audit_log_format(ab, " pid=%d tid=%d comm=", task_tgid_vnr(tsk),
+ task_pid_vnr(tsk));
audit_log_untrustedstring(ab, memcpy(comm, current->comm, sizeof(comm)));
switch (a->type) {
@@ -294,10 +295,12 @@ static void dump_common_audit_data(struct audit_buffer *ab,
case LSM_AUDIT_DATA_TASK: {
struct task_struct *tsk = a->u.tsk;
if (tsk) {
- pid_t pid = task_pid_nr(tsk);
+ pid_t pid = task_tgid_vnr(tsk);
if (pid) {
char comm[sizeof(tsk->comm)];
audit_log_format(ab, " opid=%d ocomm=", pid);
+ audit_log_format(ab, " opid=%d otid=%d ocomm=",
+ pid, task_pid_vnr(tsk));
audit_log_untrustedstring(ab,
memcpy(comm, tsk->comm, sizeof(comm)));
}
--
2.8.0.rc3.226.g39d4020
8 years, 2 months
Re: [PATCH] prctl: remove one-shot limitation for changing exe link
by Eric W. Biederman
Mateusz Guzik <mguzik(a)redhat.com> writes:
> On Sat, Jul 30, 2016 at 12:31:40PM -0500, Eric W. Biederman wrote:
>> So what I am requesting is very simple. That the checks in
>> prctl_set_mm_exe_file be tightened up to more closely approach what
>> execve requires. Thus preserving the value of the /proc/[pid]/exe for
>> the applications that want to use the exe link.
>>
>> Once the checks in prctl_set_mm_exe_file are tightened up please feel
>> free to remove the one shot test.
>>
>
> This is more fishy.
>
> First of all exe_file is used by the audit subsystem. So someone has to
> ask audit people what is the significance (if any) of the field.
>
> All exe_file users but one use get_mm_exe_file and handle NULL
> gracefully.
>
> Even with the current limit of changing the field once, the user can
> cause a transient failure of get_mm_exe_file which can fail to increment
> the refcount before it drops to 0.
>
> This transient failure can be used to get a NULL value stored in
> ->exe_file during fork (in dup_mmap):
> RCU_INIT_POINTER(mm->exe_file, get_mm_exe_file(oldmm));
>
> The one place which is not using get_mm_exe_file to get to the pointer
> is audit_exe_compare:
> rcu_read_lock();
> exe_file = rcu_dereference(tsk->mm->exe_file);
> ino = exe_file->f_inode->i_ino;
> dev = exe_file->f_inode->i_sb->s_dev;
> rcu_read_unlock();
>
> This is buggy on 2 accounts:
> 1. exe_file can be NULL
> 2. rcu does not protect f_inode
>
> The issue is made worse with allowing arbitrary number changes.
>
> Modifying get_mm_exe_file to retry is trivial and in effect never return
> NULL is trivial. With arbitrary number of changes allowed this may
> require some cond_resched() or something.
>
> For comments I cc'ed Richard Guy Briggs, who is both an audit person and
> the author of audit_exe_compare.
That is fair. Keeping the existing users working is what needs to
happen.
At the same time we have an arbitrary number of possible changes with
exec, but I guess that works differently because the mm is changed as
well.
So yes let's bug fix this piece of code and then we can see about
relaxing constraints.
Eric
8 years, 2 months
[PATCH] semanage: add auditing of changes in records
by Miroslav Vadkerti
Common Criteria requirement FMT_MSA.1 needs any configuration change
that affect enforcement of policy to be audited. This patch adds
auditing of changes in security context mappings for network ports,
interfaces, nodes and file contexts.
A new function log_change is introduced that audits additions,
modification and removal of the mappings via the USER_MAC_CONFIG_CHANGE
audit event.
The format of the audit events was discussed with the audit userspace
maintainer.
This patch resolves: https://bugzilla.redhat.com/show_bug.cgi?id=829175
Signed-off-by: Miroslav Vadkerti <mvadkert(a)redhat.com>
---
policycoreutils/semanage/seobject.py | 75 ++++++++++++++++++++++++++++++++++++
1 file changed, 75 insertions(+)
diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
index 3b0b108..7d6caa3 100644
--- a/policycoreutils/semanage/seobject.py
+++ b/policycoreutils/semanage/seobject.py
@@ -82,6 +82,21 @@ file_type_str_to_option = {"all files": "a",
"socket file": "s",
"symbolic link": "l",
"named pipe": "p"}
+
+proto_to_audit = {"tcp": 17,
+ "udp": 6,
+ "ipv4": 4,
+ "ipv6": 41}
+
+ftype_to_audit = {"": "any",
+ "b": "block",
+ "c": "char",
+ "d": "dir",
+ "f": "file",
+ "l": "symlink",
+ "p": "pipe",
+ "s": "socket"}
+
try:
import audit
@@ -90,6 +105,7 @@ try:
def __init__(self):
self.audit_fd = audit.audit_open()
self.log_list = []
+ self.log_change_list = []
def log(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
@@ -109,10 +125,17 @@ try:
def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
self.log_list.append([self.audit_fd, audit.AUDIT_ROLE_REMOVE, sys.argv[0], str(msg), name, 0, sename, serole, serange, oldsename, oldserole, oldserange, "", "", ""])
+ def log_change(self, msg):
+ self.log_change_list.append([self.audit_fd, audit.AUDIT_USER_MAC_CONFIG_CHANGE, str(msg), "semanage", "", "", ""])
+
def commit(self, success):
for l in self.log_list:
audit.audit_log_semanage_message(*(l + [success]))
+ for l in self.log_change_list:
+ audit.audit_log_user_comm_message(*(l + [success]))
+
self.log_list = []
+ self.log_change_list = []
except:
class logger:
@@ -138,6 +161,9 @@ except:
def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
self.log(msg, name, sename, serole, serange, oldsename, oldserole, oldserange)
+ def log_change(self, msg):
+ self.log_list.append(" %s" % msg)
+
def commit(self, success):
if success == 1:
message = "Successful: "
@@ -155,6 +181,9 @@ class nulllogger:
def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
pass
+ def log_change(self, msg):
+ pass
+
def commit(self, success):
pass
@@ -1109,6 +1138,8 @@ class portRecords(semanageRecords):
semanage_port_key_free(k)
semanage_port_free(p)
+ self.mylog.log_change("resrc=port op=add lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u", "object_r", type, serange))
+
def add(self, port, proto, serange, type):
self.begin()
self.__add(port, proto, serange, type)
@@ -1150,6 +1181,8 @@ class portRecords(semanageRecords):
semanage_port_key_free(k)
semanage_port_free(p)
+ self.mylog.log_change("resrc=port op=modify lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u", "object_r", setype, serange))
+
def modify(self, port, proto, serange, setype):
self.begin()
self.__modify(port, proto, serange, setype)
@@ -1168,6 +1201,7 @@ class portRecords(semanageRecords):
low = semanage_port_get_low(port)
high = semanage_port_get_high(port)
port_str = "%s-%s" % (low, high)
+
(k, proto_d, low, high) = self.__genkey(port_str, proto_str)
if rc < 0:
raise ValueError(_("Could not create a key for %s") % port_str)
@@ -1177,6 +1211,11 @@ class portRecords(semanageRecords):
raise ValueError(_("Could not delete the port %s") % port_str)
semanage_port_key_free(k)
+ if low == high:
+ port_str = low
+
+ self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port_str, proto_to_audit[proto_str]))
+
self.commit()
def __delete(self, port, proto):
@@ -1199,6 +1238,8 @@ class portRecords(semanageRecords):
semanage_port_key_free(k)
+ self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port, proto_to_audit[proto]))
+
def delete(self, port, proto):
self.begin()
self.__delete(port, proto)
@@ -1380,6 +1421,8 @@ class nodeRecords(semanageRecords):
semanage_node_key_free(k)
semanage_node_free(node)
+ self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, proto_to_audit[self.protocol[proto]], "system_u", "object_r", ctype, serange))
+
def add(self, addr, mask, proto, serange, ctype):
self.begin()
self.__add(addr, mask, proto, serange, ctype)
@@ -1421,6 +1464,8 @@ class nodeRecords(semanageRecords):
semanage_node_key_free(k)
semanage_node_free(node)
+ self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, proto_to_audit[self.protocol[proto]], "system_u", "object_r", setype, serange))
+
def modify(self, addr, mask, proto, serange, setype):
self.begin()
self.__modify(addr, mask, proto, serange, setype)
@@ -1452,6 +1497,8 @@ class nodeRecords(semanageRecords):
semanage_node_key_free(k)
+ self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, proto_to_audit[self.protocol[proto]]))
+
def delete(self, addr, mask, proto):
self.begin()
self.__delete(addr, mask, proto)
@@ -1581,6 +1628,8 @@ class interfaceRecords(semanageRecords):
semanage_iface_key_free(k)
semanage_iface_free(iface)
+ self.mylog.log_change("resrc=interface op=add netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", ctype, serange))
+
def add(self, interface, serange, ctype):
self.begin()
self.__add(interface, serange, ctype)
@@ -1618,6 +1667,8 @@ class interfaceRecords(semanageRecords):
semanage_iface_key_free(k)
semanage_iface_free(iface)
+ self.mylog.log_change("resrc=interface op=modify netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", setype, serange))
+
def modify(self, interface, serange, setype):
self.begin()
self.__modify(interface, serange, setype)
@@ -1646,6 +1697,8 @@ class interfaceRecords(semanageRecords):
semanage_iface_key_free(k)
+ self.mylog.log_change("resrc=interface op=delete netif=%s" % interface)
+
def delete(self, interface):
self.begin()
self.__delete(interface)
@@ -1775,6 +1828,8 @@ class fcontextRecords(semanageRecords):
if i.startswith(target + "/"):
raise ValueError(_("File spec %s conflicts with equivalency rule '%s %s'") % (target, i, fdict[i]))
+ self.mylog.log_change("resrc=fcontext op=add-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
+
self.equiv[target] = substitute
self.equal_ind = True
self.commit()
@@ -1785,6 +1840,9 @@ class fcontextRecords(semanageRecords):
raise ValueError(_("Equivalence class for %s does not exists") % target)
self.equiv[target] = substitute
self.equal_ind = True
+
+ self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
+
self.commit()
def createcon(self, target, seuser="system_u"):
@@ -1879,6 +1937,11 @@ class fcontextRecords(semanageRecords):
semanage_fcontext_key_free(k)
semanage_fcontext_free(fcontext)
+ if not seuser:
+ seuser = "system_u"
+
+ self.mylog.log_change("resrc=fcontext op=add %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange))
+
def add(self, target, type, ftype="", serange="", seuser="system_u"):
self.begin()
self.__add(target, type, ftype, serange, seuser)
@@ -1939,6 +2002,11 @@ class fcontextRecords(semanageRecords):
semanage_fcontext_key_free(k)
semanage_fcontext_free(fcontext)
+ if not seuser:
+ seuser = "system_u"
+
+ self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange))
+
def modify(self, target, setype, ftype, serange, seuser):
self.begin()
self.__modify(target, setype, ftype, serange, seuser)
@@ -1964,6 +2032,8 @@ class fcontextRecords(semanageRecords):
raise ValueError(_("Could not delete the file context %s") % target)
semanage_fcontext_key_free(k)
+ self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype_str]))
+
self.equiv = {}
self.equal_ind = True
self.commit()
@@ -1972,6 +2042,9 @@ class fcontextRecords(semanageRecords):
if target in self.equiv.keys():
self.equiv.pop(target)
self.equal_ind = True
+
+ self.mylog.log_change("resrc=fcontext op=delete-equal %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
+
return
(rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
@@ -1996,6 +2069,8 @@ class fcontextRecords(semanageRecords):
semanage_fcontext_key_free(k)
+ self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
+
def delete(self, target, ftype):
self.begin()
self.__delete(target, ftype)
--
1.8.3.1
8 years, 2 months
[PATCH 1/2] semanage: add auditing of changes in records
by Miroslav Vadkerti
Common Criteria requirement FMT_MSA.1 needs any configuration change
that affect enforcement of policy to be audited. This patch adds
auditing of changes in security context mappings for network ports,
interfaces, nodes and file contexts.
A new function log_change is introduced that audits additions,
modification and removal of the mappings via the USER_MAC_CONFIG_CHANGE
audit event.
The format of the audit events was discussed with the audit userspace
maintainer.
This patch resolves: https://bugzilla.redhat.com/show_bug.cgi?id=829175
Signed-off-by: Miroslav Vadkerti <mvadkert(a)redhat.com>
---
policycoreutils/semanage/seobject.py | 75 ++++++++++++++++++++++++++++++++++++
1 file changed, 75 insertions(+)
diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
index 3b0b108..799ce24 100644
--- a/policycoreutils/semanage/seobject.py
+++ b/policycoreutils/semanage/seobject.py
@@ -82,6 +82,21 @@ file_type_str_to_option = {"all files": "a",
"socket file": "s",
"symbolic link": "l",
"named pipe": "p"}
+
+proto_to_audit = {"tcp": 17,
+ "udp": 6,
+ "ipv4": 4,
+ "ipv6": 41}
+
+ftype_to_audit = {"": "any",
+ "b": "block",
+ "c": "char",
+ "d": "dir",
+ "f": "file",
+ "l": "symlink",
+ "p": "pipe",
+ "s": "socket"}
+
try:
import audit
@@ -90,6 +105,7 @@ try:
def __init__(self):
self.audit_fd = audit.audit_open()
self.log_list = []
+ self.log_change_list = []
def log(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
@@ -109,10 +125,17 @@ try:
def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
self.log_list.append([self.audit_fd, audit.AUDIT_ROLE_REMOVE, sys.argv[0], str(msg), name, 0, sename, serole, serange, oldsename, oldserole, oldserange, "", "", ""])
+ def log_change(self, msg, hostname="", addr="", tty=""):
+ self.log_change_list.append([self.audit_fd, audit.AUDIT_USER_MAC_CONFIG_CHANGE, str(msg), "semanage", hostname, addr, tty])
+
def commit(self, success):
for l in self.log_list:
audit.audit_log_semanage_message(*(l + [success]))
+ for l in self.log_change_list:
+ audit.audit_log_user_comm_message(*(l + [success]))
+
self.log_list = []
+ self.log_change_list = []
except:
class logger:
@@ -138,6 +161,9 @@ except:
def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
self.log(msg, name, sename, serole, serange, oldsename, oldserole, oldserange)
+ def log_change(self, msg, hostname="", addr="", tty=""):
+ self.log_list.append(" %s" % msg)
+
def commit(self, success):
if success == 1:
message = "Successful: "
@@ -155,6 +181,9 @@ class nulllogger:
def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
pass
+ def log_change(self, msg, hostname="", addr="", tty=""):
+ pass
+
def commit(self, success):
pass
@@ -1109,6 +1138,8 @@ class portRecords(semanageRecords):
semanage_port_key_free(k)
semanage_port_free(p)
+ self.mylog.log_change("resrc=port op=add lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u", "object_r", type, serange))
+
def add(self, port, proto, serange, type):
self.begin()
self.__add(port, proto, serange, type)
@@ -1150,6 +1181,8 @@ class portRecords(semanageRecords):
semanage_port_key_free(k)
semanage_port_free(p)
+ self.mylog.log_change("resrc=port op=modify lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u", "object_r", setype, serange))
+
def modify(self, port, proto, serange, setype):
self.begin()
self.__modify(port, proto, serange, setype)
@@ -1168,6 +1201,7 @@ class portRecords(semanageRecords):
low = semanage_port_get_low(port)
high = semanage_port_get_high(port)
port_str = "%s-%s" % (low, high)
+
(k, proto_d, low, high) = self.__genkey(port_str, proto_str)
if rc < 0:
raise ValueError(_("Could not create a key for %s") % port_str)
@@ -1177,6 +1211,11 @@ class portRecords(semanageRecords):
raise ValueError(_("Could not delete the port %s") % port_str)
semanage_port_key_free(k)
+ if low == high:
+ port_str = low
+
+ self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port_str, proto_to_audit[proto_str]))
+
self.commit()
def __delete(self, port, proto):
@@ -1199,6 +1238,8 @@ class portRecords(semanageRecords):
semanage_port_key_free(k)
+ self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port, proto_to_audit[proto]))
+
def delete(self, port, proto):
self.begin()
self.__delete(port, proto)
@@ -1380,6 +1421,8 @@ class nodeRecords(semanageRecords):
semanage_node_key_free(k)
semanage_node_free(node)
+ self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, proto_to_audit[self.protocol[proto]], "system_u", "object_r", ctype, serange))
+
def add(self, addr, mask, proto, serange, ctype):
self.begin()
self.__add(addr, mask, proto, serange, ctype)
@@ -1421,6 +1464,8 @@ class nodeRecords(semanageRecords):
semanage_node_key_free(k)
semanage_node_free(node)
+ self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, proto_to_audit[self.protocol[proto]], "system_u", "object_r", setype, serange))
+
def modify(self, addr, mask, proto, serange, setype):
self.begin()
self.__modify(addr, mask, proto, serange, setype)
@@ -1452,6 +1497,8 @@ class nodeRecords(semanageRecords):
semanage_node_key_free(k)
+ self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, proto_to_audit[self.protocol[proto]]))
+
def delete(self, addr, mask, proto):
self.begin()
self.__delete(addr, mask, proto)
@@ -1581,6 +1628,8 @@ class interfaceRecords(semanageRecords):
semanage_iface_key_free(k)
semanage_iface_free(iface)
+ self.mylog.log_change("resrc=interface op=add netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", ctype, serange))
+
def add(self, interface, serange, ctype):
self.begin()
self.__add(interface, serange, ctype)
@@ -1618,6 +1667,8 @@ class interfaceRecords(semanageRecords):
semanage_iface_key_free(k)
semanage_iface_free(iface)
+ self.mylog.log_change("resrc=interface op=modify netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", setype, serange))
+
def modify(self, interface, serange, setype):
self.begin()
self.__modify(interface, serange, setype)
@@ -1646,6 +1697,8 @@ class interfaceRecords(semanageRecords):
semanage_iface_key_free(k)
+ self.mylog.log_change("resrc=interface op=delete netif=%s" % interface)
+
def delete(self, interface):
self.begin()
self.__delete(interface)
@@ -1775,6 +1828,8 @@ class fcontextRecords(semanageRecords):
if i.startswith(target + "/"):
raise ValueError(_("File spec %s conflicts with equivalency rule '%s %s'") % (target, i, fdict[i]))
+ self.mylog.log_change("resrc=fcontext op=add-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
+
self.equiv[target] = substitute
self.equal_ind = True
self.commit()
@@ -1785,6 +1840,9 @@ class fcontextRecords(semanageRecords):
raise ValueError(_("Equivalence class for %s does not exists") % target)
self.equiv[target] = substitute
self.equal_ind = True
+
+ self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
+
self.commit()
def createcon(self, target, seuser="system_u"):
@@ -1879,6 +1937,11 @@ class fcontextRecords(semanageRecords):
semanage_fcontext_key_free(k)
semanage_fcontext_free(fcontext)
+ if not seuser:
+ seuser = "system_u"
+
+ self.mylog.log_change("resrc=fcontext op=add %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange))
+
def add(self, target, type, ftype="", serange="", seuser="system_u"):
self.begin()
self.__add(target, type, ftype, serange, seuser)
@@ -1939,6 +2002,11 @@ class fcontextRecords(semanageRecords):
semanage_fcontext_key_free(k)
semanage_fcontext_free(fcontext)
+ if not seuser:
+ seuser = "system_u"
+
+ self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange))
+
def modify(self, target, setype, ftype, serange, seuser):
self.begin()
self.__modify(target, setype, ftype, serange, seuser)
@@ -1964,6 +2032,8 @@ class fcontextRecords(semanageRecords):
raise ValueError(_("Could not delete the file context %s") % target)
semanage_fcontext_key_free(k)
+ self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype_str]))
+
self.equiv = {}
self.equal_ind = True
self.commit()
@@ -1972,6 +2042,9 @@ class fcontextRecords(semanageRecords):
if target in self.equiv.keys():
self.equiv.pop(target)
self.equal_ind = True
+
+ self.mylog.log_change("resrc=fcontext op=delete-equal %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
+
return
(rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
@@ -1996,6 +2069,8 @@ class fcontextRecords(semanageRecords):
semanage_fcontext_key_free(k)
+ self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
+
def delete(self, target, ftype):
self.begin()
self.__delete(target, ftype)
--
1.8.3.1
8 years, 2 months
How can I install the latest version of Linux Audit on CentOS 6.8?
by Mateusz Piotrowski
Hello,
I’m trying to update the 2013 version of auditd on a just installed CentOS 6.8-i386.
So far I’ve downloaded audit-userspace from GitHub[1] and I’ve faced a couple of problems:
1. README says that I should consult the README-install file. I cannot see this file. Where is it?
2. I consulted the INSTALL.tmp and since I’ve not got any ./configure file inside my clone I deducted I’ve got to run ./autogen.sh. I was missing some dependencies so I ran `yum install autoconf automake libtool`.
Then I ran `./configure --sbindir=/sbin --with-python=yes --with-libwrap --enable-gssapi-krb5=yes --with-libcap-ng=yes` but the command failed at this is a part of the log I got (the full log file is available here[2]):
configure: WARNING: unrecognized options: --with-libcap-ng
...
Checking for programs
...
./configure: line 13130: AX_PROG_CC_FOR_BUILD: command not found
...
Checking for header files
...
checking for python... /usr/bin/python
checking for python version... 2.6
checking for python platform... linux2
checking for python script directory... ${prefix}/lib/python2.6/site-packages
checking for python extension module directory... ${exec_prefix}/lib/python2.6/site-packages
configure: error: Python explicitly requested and python headers were not found
Have you got any idea what the problem is?
Is there an easier way to get the latest Linux Audit version on my system?
Cheers!
-m
[1]: https://github.com/linux-audit/audit-userspace <https://github.com/linux-audit/audit-userspace>
[2]: http://pastebin.com/jd7ZSmLV <http://pastebin.com/jd7ZSmLV>
[Logs in a raw txt format]: http://pastebin.com/raw/Jd7ZSmLV <http://pastebin.com/raw/Jd7ZSmLV>
8 years, 3 months
[GIT PULL] Audit patches for 4.8
by Paul Moore
Hi Linus,
Six audit patches for 4.8. There are a couple of style and minor whitespace
tweaks for the logs, as well as a minor fixup to catch errors on user filter
rules, however the major improvements are a fix to the s390 syscall argument
masking code (reviewed by the nice s390 folks), some consolidation around the
exclude filtering (less code, always a win), and a double-fetch fix for
recording the execve arguments. Please pull for 4.8.
Thanks,
-Paul
---
The following changes since commit 2dcd0af568b0cf583645c8a317dd12e344b1c72a:
Linux 4.6 (2016-05-15 15:43:13 -0700)
are available in the git repository at:
git://git.infradead.org/users/pcmoore/audit stable-4.8
for you to fetch changes up to 43761473c254b45883a64441dd0bc85a42f3645c:
audit: fix a double fetch in audit_log_single_execve_arg()
(2016-07-20 14:15:46 -0400)
----------------------------------------------------------------
Paul Moore (3):
audit: fix some horrible switch statement style crimes
s390: ensure that syscall arguments are properly masked on s390
audit: fix a double fetch in audit_log_single_execve_arg()
Richard Guy Briggs (2):
audit: fixup: log on errors from filter user rules
audit: add fields to exclude filter by reusing user filter
Steve Grubb (1):
audit: fix whitespace in CWD record
arch/s390/kernel/ptrace.c | 10 +-
include/linux/audit.h | 2 -
kernel/audit.c | 4 +-
kernel/audit.h | 2 +
kernel/auditfilter.c | 147 +++++++-------------
kernel/auditsc.c | 342 +++++++++++++++++++++---------------------
6 files changed, 235 insertions(+), 272 deletions(-)
--
paul moore
security @ redhat
8 years, 3 months
[PATCH] alpha_table.h: Syscall 511 is getrandom, not renameat2
by James Clarke
---
This fixes gen_alpha_tables_h aborting due to renameat2 being duplicated.
lib/alpha_table.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/alpha_table.h b/lib/alpha_table.h
index 08171cc..c43744f 100644
--- a/lib/alpha_table.h
+++ b/lib/alpha_table.h
@@ -451,6 +451,6 @@ _S(507, "finit_module")
_S(508, "sched_setattr")
_S(509, "sched_getattr")
_S(510, "renameat2")
-_S(511, "renameat2")
+_S(511, "getrandom")
_S(512, "memfd_create")
_S(513, "execveat")
--
2.9.1
8 years, 3 months