Event generator
by Burn Alting
Does anyone know of an exhaustive auditd event generator.
I am aware of ausearch-test and audit-validation but I am looking for a
script or the like that will generate an exhaustive as possible set of
events - both success and failure.
Basically, I am looking at a script that, once an 'auditctl ... -S
all ...' has been enabled, will attempt to generate one of every
syscall. Both success/fail.
Something separate could do the USER_, CRYPTO_, DAEMON_, SERVICE_,
CONFIG_, filewatch, etc. events as well.
Thanks in advance.
7 years, 9 months
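Added example, not code from Burn's post or from the audit project: a small Python generator in the spirit of what the post asks for. It exercises a handful of file-system syscalls, each once in a way that must succeed and once in a way that must fail with a known errno, and records the outcome so the list can be compared against what `ausearch -sc <name> -sv yes|no` reports after an `auditctl ... -S all ...` rule is loaded. The wrapper-to-syscall mapping, the paths and the errno expectations are assumptions of this example, not anything stated on the list.

```python
"""Exercise a set of file-system syscalls in both success and failure mode.

Constructed example: run it as the audited user with an `auditctl ... -S all`
rule loaded, then check that each (wrapper, outcome) pair printed below shows
up under `ausearch -sc <name> -sv yes` or `-sv no`.  The names below are libc
entry points; on current glibc several are issued as the *at variants
(openat, mkdirat, unlinkat, fchmodat, symlinkat, renameat2), so confirm the
exact syscall name with strace before building expectations on it
(assumption of this example, not taken from the post).
"""
import errno
import os
import tempfile


def run_case(action):
    """Run one action; return 0 on success or the errno it failed with."""
    try:
        action()
        return 0
    except OSError as exc:
        return exc.errno


def build_cases(workdir):
    """Return an ordered list of (wrapper, mode, expected_errno, action).

    Cases are sequenced so that each one finds the file-system state it
    needs: every failure twin is provoked by a known condition (missing
    parent directory, existing target, non-empty directory).
    """
    present = os.path.join(workdir, "present")
    missing = os.path.join(workdir, "no-such-dir", "child")
    subdir = os.path.join(workdir, "subdir")
    renamed = os.path.join(workdir, "renamed")
    link = os.path.join(workdir, "link")
    with open(present, "w") as fh:
        fh.write("seed\n")

    def open_close(path):
        os.close(os.open(path, os.O_RDONLY))

    return [
        ("open",    "success", 0,               lambda: open_close(present)),
        ("open",    "failure", errno.ENOENT,    lambda: open_close(missing)),
        ("mkdir",   "success", 0,               lambda: os.mkdir(subdir)),
        ("mkdir",   "failure", errno.EEXIST,    lambda: os.mkdir(subdir)),
        ("rmdir",   "failure", errno.ENOTEMPTY, lambda: os.rmdir(workdir)),
        ("rmdir",   "success", 0,               lambda: os.rmdir(subdir)),
        ("chmod",   "success", 0,               lambda: os.chmod(present, 0o600)),
        ("chmod",   "failure", errno.ENOENT,    lambda: os.chmod(missing, 0o600)),
        ("symlink", "success", 0,               lambda: os.symlink(present, link)),
        ("symlink", "failure", errno.EEXIST,    lambda: os.symlink(present, link)),
        ("rename",  "success", 0,               lambda: os.rename(present, renamed)),
        ("rename",  "failure", errno.ENOENT,    lambda: os.rename(present, renamed)),
        ("unlink",  "success", 0,               lambda: os.unlink(link)),
        ("unlink",  "failure", errno.ENOENT,    lambda: os.unlink(link)),
    ]


def generate_events(workdir):
    """Run every case; return {(wrapper, mode): (expected, actual, matched)}."""
    results = {}
    for wrapper, mode, expected, action in build_cases(workdir):
        actual = run_case(action)
        results[(wrapper, mode)] = (expected, actual, actual == expected)
    return results


def run_in_tempdir():
    """Run the generator inside a throwaway directory and return its results."""
    with tempfile.TemporaryDirectory() as workdir:
        return generate_events(workdir)


def summarize(results):
    """Return (sorted wrapper names covered, sorted (wrapper, mode) mismatches)."""
    covered = sorted({wrapper for wrapper, _ in results})
    mismatches = sorted(key for key, (_, _, ok) in results.items() if not ok)
    return covered, mismatches


if __name__ == "__main__":
    results = run_in_tempdir()
    covered, mismatches = summarize(results)
    for (wrapper, mode), (expected, actual, ok) in sorted(results.items()):
        print(f"{wrapper:8s} {mode:8s} expected={expected:3d} got={actual:3d} "
              f"{'ok' if ok else 'MISMATCH'}")
    print("wrappers exercised:", ", ".join(covered))
    print("mismatches:", mismatches or "none")
```

The printed table is the checklist: every row has a known expected outcome, so a missing `ausearch -sc <syscall> -sv no` hit for a row that failed here points at a gap in the rule set rather than at the generator. Extending it to more syscalls is a matter of adding a success/failure pair whose failure condition is deterministic.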
AUDIT_NETFILTER_CFG event format
by Steve Grubb
Hello Richard,
While we're in the NETFILTER area, the CFG event is lacking some fields, too.
It's currently:
table,family,entries
It's missing everything about *who* sent it:
pid,uid,auid,ses,subj,exe,res
I'd suggest:
pid,uid,auid,ses,subj,table,family,entries,exe,res
to make it compatible with the majority of records. Incidentally, I created a
chart that shows how each record type is alike and different from every other
record. You might call it a record grammar tree:
http://people.redhat.com/sgrubb/audit/record-fields.html
I'd like to align as many events as possible to the pid,uid,auid section of the
graph.
-Steve
7 years, 9 months
Re: linux-next: manual merge of the audit tree with Linus' tree
by Richard Guy Briggs
On 2017-01-19 13:51, Stephen Rothwell wrote:
> Hi Paul,
Hi Stephen,
> Today's linux-next merge of the audit tree got a conflict in:
>
> include/uapi/linux/audit.h
>
> between commits:
>
> 7ff89ac608d9 ("audit: add exclude filter extension to feature bitmap")
> dcdaa2f9480c ("Merge branch 'stable-4.10' of git://git.infradead.org/users/pcmoore/audit")
>
> from Linus' tree and commit:
>
> 92c82e8a322b ("audit: add feature audit_lost reset")
>
> from the audit tree.
This merge conflict was expected.
Your fix below looks as expected.
Thanks! Sorry for the trouble.
> I fixed it up (see below) and can carry the fix as necessary. This
> is now fixed as far as linux-next is concerned, but any non trivial
> conflicts should be mentioned to your upstream maintainer when your tree
> is submitted for merging. You may also want to consider cooperating
> with the maintainer of the conflicting tree to minimise any particularly
> complex conflicts.
>
> --
> Cheers,
> Stephen Rothwell
>
> diff --cc include/uapi/linux/audit.h
> index 1c107cb1c83f,3f24110ae63c..000000000000
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@@ -330,13 -331,14 +331,16 @@@ enum
> #define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
> #define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
> #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
> +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
> #define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
> + #define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
> +
> #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
> AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
> AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH | \
> + AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
> - AUDIT_FEATURE_BITMAP_SESSIONID_FILTER)
> + AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
> + AUDIT_FEATURE_BITMAP_LOST_RESET)
>
> /* deprecated: AUDIT_VERSION_* */
> #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
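Review bot: the resolution is consistent on the point a merge like this usually gets wrong: both new feature bits keep distinct values (AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008 from Linus' tree, AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020 from the audit tree) and both are ORed into AUDIT_FEATURE_BITMAP_ALL, so AUDIT_VERSION_LATEST advertises the two features together rather than dropping one side of the conflict.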
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
7 years, 9 months
[PATCH v3] audit: log 32-bit socketcalls
by Richard Guy Briggs
32-bit socketcalls were not being logged by audit on x86_64 systems.
Log them. This is basically a duplicate of the call from
net/socket.c:sys_socketcall(), but it addresses the impedance mismatch
between a 32-bit userspace process and the 64-bit kernel audit.
See: https://github.com/linux-audit/audit-kernel/issues/14
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
v3:
Proper spacing around operators and functions. Local var ordering.
Ditch unlikely, return early.
v2:
Move work to audit_socketcall_compat() and use audit_dummy_context().
---
include/linux/audit.h | 20 ++++++++++++++++++++
net/compat.c | 17 ++++++++++++++---
2 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 9d4443f..2be99b2 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -387,6 +387,20 @@ static inline int audit_socketcall(int nargs, unsigned long *args)
return __audit_socketcall(nargs, args);
return 0;
}
+
+static inline int audit_socketcall_compat(int nargs, u32 *args)
+{
+ unsigned long a[AUDITSC_ARGS];
+ int i;
+
+ if (audit_dummy_context())
+ return 0;
+
+ for (i = 0; i < nargs; i++)
+ a[i] = (unsigned long)args[i];
+ return __audit_socketcall(nargs, a);
+}
+
static inline int audit_sockaddr(int len, void *addr)
{
if (unlikely(!audit_dummy_context()))
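Review bot: the copy loop in audit_socketcall_compat() writes a[0..nargs-1] into a stack array of AUDITSC_ARGS entries before anything in this helper validates nargs; the one caller in net/compat.c bounds len to sizeof(a), but the helper should guard itself with something like `if (nargs > AUDITSC_ARGS) return -EINVAL;` ahead of the loop, so that a future caller cannot overrun the array before __audit_socketcall() gets a chance to reject the count.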
@@ -513,6 +527,12 @@ static inline int audit_socketcall(int nargs, unsigned long *args)
{
return 0;
}
+
+static inline int audit_socketcall_compat(int nargs, u32 *args)
+{
+ return 0;
+}
+
static inline void audit_fd_pair(int fd1, int fd2)
{ }
static inline int audit_sockaddr(int len, void *addr)
diff --git a/net/compat.c b/net/compat.c
index 1cd2ec0..a96fd2f 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -22,6 +22,7 @@
#include <linux/filter.h>
#include <linux/compat.h>
#include <linux/security.h>
+#include <linux/audit.h>
#include <linux/export.h>
#include <net/scm.h>
@@ -781,14 +782,24 @@ COMPAT_SYSCALL_DEFINE5(recvmmsg, int, fd, struct compat_mmsghdr __user *, mmsg,
COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, args)
{
- int ret;
- u32 a[6];
+ u32 a[AUDITSC_ARGS];
+ unsigned int len;
u32 a0, a1;
+ int ret;
if (call < SYS_SOCKET || call > SYS_SENDMMSG)
return -EINVAL;
- if (copy_from_user(a, args, nas[call]))
+ len = nas[call];
+ if (len > sizeof(a))
+ return -EINVAL;
+
+ if (copy_from_user(a, args, len))
return -EFAULT;
+
+ ret = audit_socketcall_compat(len / sizeof(a[0]), a);
+ if (ret)
+ return ret;
+
a0 = a[0];
a1 = a[1];
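Review bot: `len > sizeof(a)` can only fire on an inconsistent nas[] table, since call is already range-checked on the line above and nas[] is a fixed kernel table; returning -EINVAL to userspace there hides a kernel bug, so a WARN_ON_ONCE() or a compile-time check that every nas[] entry fits in AUDITSC_ARGS * sizeof(u32) would be more informative. The placement of the audit call is right: after copy_from_user() succeeds and before a[0]/a[1] are consumed, mirroring the native sys_socketcall() path the commit message refers to.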
--
1.7.1
7 years, 9 months
[PATCH V2] audit: log 32-bit socketcalls
by Richard Guy Briggs
32-bit socketcalls were not being logged by audit on x86_64 systems.
Log them. This is basically a duplicate of the call from
net/socket.c:sys_socketcall(), but it addresses the impedance mismatch
between a 32-bit userspace process and the 64-bit kernel audit.
See: https://github.com/linux-audit/audit-kernel/issues/14
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
v2:
Move work to audit_socketcall_compat() and use audit_dummy_context().
---
include/linux/audit.h | 16 ++++++++++++++++
net/compat.c | 15 +++++++++++++--
2 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 9d4443f..43d8003 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -387,6 +387,18 @@ static inline int audit_socketcall(int nargs, unsigned long *args)
return __audit_socketcall(nargs, args);
return 0;
}
+static inline int audit_socketcall_compat(int nargs, u32 *args)
+{
+ if (unlikely(!audit_dummy_context())) {
+ int i;
+ unsigned long a[AUDITSC_ARGS];
+
+ for (i=0; i<nargs; i++)
+ a[i] = (unsigned long)args[i];
+ return __audit_socketcall(nargs, a);
+ }
+ return 0;
+}
static inline int audit_sockaddr(int len, void *addr)
{
if (unlikely(!audit_dummy_context()))
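Review bot: style: `for (i=0; i<nargs; i++)` needs spaces around `=` and `<`, and the new function is squeezed between the closing brace of audit_socketcall() and the first line of audit_sockaddr() with no blank line on either side. On the logic, the loop fills a[AUDITSC_ARGS] with nargs entries without checking nargs first; a `nargs > AUDITSC_ARGS` guard before the loop would keep the helper safe independently of its caller.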
@@ -513,6 +525,10 @@ static inline int audit_socketcall(int nargs, unsigned long *args)
{
return 0;
}
+static inline int audit_socketcall_compat(int nargs, u32 *args)
+{
+ return 0;
+}
static inline void audit_fd_pair(int fd1, int fd2)
{ }
static inline int audit_sockaddr(int len, void *addr)
diff --git a/net/compat.c b/net/compat.c
index 1cd2ec0..f0404d4 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -22,6 +22,7 @@
#include <linux/filter.h>
#include <linux/compat.h>
#include <linux/security.h>
+#include <linux/audit.h>
#include <linux/export.h>
#include <net/scm.h>
@@ -781,14 +782,24 @@ COMPAT_SYSCALL_DEFINE5(recvmmsg, int, fd, struct compat_mmsghdr __user *, mmsg,
COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, args)
{
+ unsigned int len;
int ret;
- u32 a[6];
+ u32 a[AUDITSC_ARGS];
u32 a0, a1;
if (call < SYS_SOCKET || call > SYS_SENDMMSG)
return -EINVAL;
- if (copy_from_user(a, args, nas[call]))
+ len = nas[call];
+ if (len > sizeof(a))
+ return -EINVAL;
+
+ if (copy_from_user(a, args, len))
return -EFAULT;
+
+ ret = audit_socketcall_compat(len/sizeof(a[0]), a);
+ if (ret)
+ return ret;
+
a0 = a[0];
a1 = a[1];
--
1.7.1
7 years, 9 months
audit 2.7.1 released
by Steve Grubb
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- In auparse_classify, handle simple SYSCALL events
- In auparse_classify, correct identification of execve object
- In auparse, load interpretations when auparse_find_field_next changes record
- In auparse_classify, collect some new object data on some syscalls
- In auparse_classify, make sure session is cleared on each new event
- In ausearch, only add the separator for enriched events (#1406328)
- In auparse_classify, add more syscalls to action map
- In auparse_classify, fix mode conversion so file object classification works
- Do not let libev process SIGCHLD
- In auditd, install temporary SIGCHLD handler until libev starts
- Fix signal handling in audispd so that it responds faster
- In auditd, fix descriptor setup when initializing the dispatcher
- In auparse_classify, only collect syscall subj attributes when asked
- Add auparse_classify_key function to auparse
- In auparse_classify, handle more common interpreters
- Add support in auditctl to reset the lost record counter
The main goal of this update is to clean up the auparse_classify interface to
auparse. It should now be in good shape. I will be explaining what this is for
and how it can be used in the near future.
Aside from this, a bug was fixed in the descriptor handling when starting audispd.
If anyone has their own dispatcher, you might want to carefully test before
moving to this release. Another bug was fixed in how audispd responds to
signals. Shutdown and reconfigure should be much faster now.
The one other feature in this release is the addition of a new auditctl
command, --reset-lost. If you run auditctl -s it reports how many lost records
have occurred. If you'd like to track this on a daily basis, you can now issue
the --reset-lost command and if the kernel supports this, it will reset the
number to 0.
Please let me know if you run across any problems with this release.
-Steve
7 years, 9 months
[RFC] [PATCH] audit: log 32-bit socketcalls
by Richard Guy Briggs
32-bit socketcalls were not being logged by audit on x86_64 systems.
Log them.
See: https://github.com/linux-audit/audit-kernel/issues/14
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
net/compat.c | 18 ++++++++++++++++--
1 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/net/compat.c b/net/compat.c
index 1cd2ec0..86cacab 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -22,6 +22,7 @@
#include <linux/filter.h>
#include <linux/compat.h>
#include <linux/security.h>
+#include <linux/audit.h>
#include <linux/export.h>
#include <net/scm.h>
@@ -781,14 +782,27 @@ COMPAT_SYSCALL_DEFINE5(recvmmsg, int, fd, struct compat_mmsghdr __user *, mmsg,
COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, args)
{
+ unsigned int len, i;
int ret;
- u32 a[6];
+ u32 a[AUDITSC_ARGS];
+ unsigned long aa[AUDITSC_ARGS];
u32 a0, a1;
if (call < SYS_SOCKET || call > SYS_SENDMMSG)
return -EINVAL;
- if (copy_from_user(a, args, nas[call]))
+ len = nas[call];
+ if (len > sizeof(a))
+ return -EINVAL;
+
+ if (copy_from_user(a, args, len))
return -EFAULT;
+
+ for (i=0; i < len/sizeof(a[0]); i++)
+ aa[i] = (unsigned long)a[i];
+ ret = audit_socketcall(len/sizeof(a[0]), aa);
+ if (ret)
+ return ret;
+
a0 = a[0];
a1 = a[1];
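Review bot: the u32-to-unsigned-long widening loop and the second array `aa[AUDITSC_ARGS]` live in the syscall body, so the compat path carries two copies of the argument vector on its stack and the audit glue is open-coded here rather than behind audit_dummy_context() like the rest of the audit hooks; moving the loop into an inline audit helper would keep this function to the copy_from_user() and a single call. Minor: `len/sizeof(a[0])` wants spaces around `/`.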
--
1.7.1
7 years, 9 months
[PATCH] audit: add feature audit_lost reset
by Richard Guy Briggs
Add a method to reset the audit_lost value.
An AUDIT_SET message with the AUDIT_STATUS_LOST flag set by itself
will return a positive value representing the current audit_lost value
and reset the counter to zero. If AUDIT_STATUS_LOST is not the
only flag set, the reset command will be ignored. The value sent with
the command is ignored.
An AUDIT_LOST_RESET message will be queued to the listening audit
daemon. The message will be similar to a CONFIG_CHANGE message with the
fields "lost=0" and "old=" containing the value of audit_lost at reset
ending with a successful result code.
See: https://github.com/linux-audit/audit-kernel/issues/3
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
v3: Switch, from returning a message to the initiating process, to
queueing the message for the audit log.
v2: Switch from AUDIT_GET to AUDIT_SET, adding a +ve return code and
sending a dedicated AUDIT_LOST_RESET message.
---
include/uapi/linux/audit.h | 2 ++
kernel/audit.c | 16 +++++++++++++++-
2 files changed, 17 insertions(+), 1 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 208df7b..6d38bff 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -70,6 +70,7 @@
#define AUDIT_TTY_SET 1017 /* Set TTY auditing status */
#define AUDIT_SET_FEATURE 1018 /* Turn an audit feature on or off */
#define AUDIT_GET_FEATURE 1019 /* Get which features are enabled */
+#define AUDIT_LOST_RESET 1020 /* Reset the audit_lost value */
#define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages mostly uninteresting to kernel */
#define AUDIT_USER_AVC 1107 /* We filter this differently */
@@ -325,6 +326,7 @@ enum {
#define AUDIT_STATUS_RATE_LIMIT 0x0008
#define AUDIT_STATUS_BACKLOG_LIMIT 0x0010
#define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
+#define AUDIT_STATUS_LOST 0x0040
#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
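Review bot: AUDIT_STATUS_LOST adds a mask bit for AUDIT_SET but no matching AUDIT_FEATURE_BITMAP_* flag, so userspace has no way to discover support other than issuing the reset and interpreting the outcome; a feature-bitmap bit next to the status bit would let auditctl test for support before sending the command.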
diff --git a/kernel/audit.c b/kernel/audit.c
index f1ca116..441e8c0 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -122,7 +122,7 @@
3) suppressed due to audit_rate_limit
4) suppressed due to audit_backlog_limit
*/
-static atomic_t audit_lost = ATOMIC_INIT(0);
+static atomic_t audit_lost = ATOMIC_INIT(0);
/* The netlink socket. */
static struct sock *audit_sock;
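Review bot: the removed and added lines of this hunk are textually identical, so it is a whitespace-only change (tabs versus spaces) unrelated to the feature; either drop it from this patch or mention it in the changelog so reviewers do not hunt for a semantic difference.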
@@ -920,6 +920,20 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
if (err < 0)
return err;
}
+ if (s.mask == AUDIT_STATUS_LOST) {
+ struct audit_buffer *ab;
+ u32 lost = atomic_xchg(&audit_lost, 0);
+
+ ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOST_RESET);
+ if (unlikely(!ab))
+ return lost;
+ audit_log_format(ab, "lost=0 old=%u", lost);
+ audit_log_session_info(ab);
+ audit_log_task_context(ab);
+ audit_log_format(ab, " res=1");
+ audit_log_end(ab);
+ return lost;
+ }
break;
}
case AUDIT_GET_FEATURE:
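Review bot: atomic_xchg() zeroes audit_lost before audit_log_start() is attempted, so when the allocation fails the counter has already been reset and the caller still receives `lost` in the return value, but no AUDIT_LOST_RESET record ever reaches the log; the commit message should say the record is best-effort, or the early return deserves a comment to that effect. The exact-match test `s.mask == AUDIT_STATUS_LOST` does implement the "only flag set" rule from the commit message, and the unconditional `res=1` is fine because the only failure path returns before any logging.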
--
1.7.1
7 years, 9 months
Re: [PATCH v4 0/3] perf: add support for analyzing events for containers
by Aravinda Prasad
On Wednesday 04 January 2017 02:34 PM, Krister Johansen wrote:
> On Tue, Jan 03, 2017 at 04:57:54PM +0530, Hari Bathini wrote:
>> On Thursday 29 December 2016 07:11 AM, Krister Johansen wrote:
>>> On Fri, Dec 16, 2016 at 12:06:55AM +0530, Hari Bathini wrote:
>>>> This patch-set overcomes this limitation by using cgroup identifier as
>>>> container unique identifier. A new PERF_RECORD_NAMESPACES event that
>>>> records namespaces related info is introduced, from which the cgroup
>>>> namespace's device & inode numbers are used as cgroup identifier. This
>>>> is based on the assumption that each container is created with its own
>>>> cgroup namespace allowing assessment/analysis of multiple containers
>>>> using cgroup identifier.
>>> Why choose cgroups when the kernel dispenses namespace-unique
>>> identifiers. Cgroup membership can be arbitrary. Moreover, cgroup and
>>
>> Agreed. But doesn't that hold for any other namespace or a combination
>> of namespaces as well?
>
> I guess that's part of my concern. There is no container-unique
> identifier on the system, since the notion of containers is a construct
> of higher-level software.
I wish we had a container-unique identifier. A container-unique
identifier will make things a lot better, not just for
container-aware tracing but for the audit subsystem as well.
https://lwn.net/Articles/699819/#Comments
--
Regards,
Aravinda
7 years, 9 months
auditctl -F exe
by Maupertuis Philippe
Hello list,
On my Fedora 24 with audit-2.6.7-1.fc24.x86_64, the auditctl man page lists:
exe Absolute path to application that while executing this rule will apply to. This can only be used on the exit list.
On my RHEL7.3 with audit-2.6.5-3.el7.x86_64 the option is missing.
Reading the changelog at https://people.redhat.com/sgrubb/audit/ChangeLog, I couldn't find in which version it was introduced.
Is this option available on 4.x kernels only?
Is there any chance that the option finally arrives on RHEL 7?
Best regards
Philippe
7 years, 9 months