[PATCH] audit: always enable syscall auditing when supported and audit is enabled
by Paul Moore
To the best of our knowledge, everyone who enables audit at compile
time also enables syscall auditing; this patch simplifies the Kconfig
menus by removing the option to disable syscall auditing when audit
is selected and the target arch supports it.
Signed-off-by: Paul Moore <pmoore(a)redhat.com>
---
init/Kconfig | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/init/Kconfig b/init/Kconfig
index c24b6f7..d4663b1 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -299,20 +299,15 @@ config AUDIT
help
Enable auditing infrastructure that can be used with another
kernel subsystem, such as SELinux (which requires this for
- logging of avc messages output). Does not do system-call
- auditing without CONFIG_AUDITSYSCALL.
+ logging of avc messages output). System call auditing is included
+ on architectures which support it.
config HAVE_ARCH_AUDITSYSCALL
bool
config AUDITSYSCALL
- bool "Enable system-call auditing support"
+ def_bool y
depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
- default y if SECURITY_SELINUX
- help
- Enable low-overhead system-call auditing infrastructure that
- can be used independently or with another kernel subsystem,
- such as SELinux.
config AUDIT_WATCH
def_bool y
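Review bot: With `def_bool y` AUDITSYSCALL stops being a user-visible prompt, so an existing .config carrying CONFIG_AUDIT=y and CONFIG_AUDITSYSCALL=n silently gains syscall auditing on the next olddefconfig; the commit message asserts that nobody runs such a configuration but should state the behaviour change outright, together with the dropped `default y if SECURITY_SELINUX`, so that users who turned syscall auditing off for overhead reasons can find the reason in the log. The new AUDIT help text reads well; mentioning that the per-arch gate is HAVE_ARCH_AUDITSYSCALL would tell readers why syscall auditing is absent on some targets.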
5 years, 10 months
[PATCH v3 0/4] Improved seccomp logging
by Tyler Hicks
This patch set is the third revision of the following two previously
submitted patch sets:
v1: http://lkml.kernel.org/r/1483375990-14948-1-git-send-email-tyhicks@canoni...
v1: http://lkml.kernel.org/r/1483377999-15019-2-git-send-email-tyhicks@canoni...
v2: http://lkml.kernel.org/r/1486100262-32391-1-git-send-email-tyhicks@canoni...
The patch set aims to address some known deficiencies in seccomp's current
logging capabilities:
1. Inability to log all filter actions.
2. Inability to selectively enable filtering; e.g. devs want noisy logging,
users want relative quiet.
3. Consistent behavior with audit enabled and disabled.
4. Inability to easily develop a filter due to the lack of a
permissive/complain mode.
Changes since v2 to address feedback from Kees:
- Patch 1
+ Log a warning when sysctl registration fails
+ Move comment describing SECCOMP_RET_*_NAME from PATCH 2
+ Document the actions_avail sysctl
- Patch 2
+ Inline seccomp_log()
+ Optimize logging for RET_ALLOW hot path
+ Use "{ }" for name buffer initialization
+ Make a copy of the ctl_table and only modify the copy
+ Rename max_action_to_log sysctl to log_max_action
+ Document the log_max_action sysctl
- Patch 3
+ Put some space between RET_LOG and RET_ALLOW for future actions
+ Separate the RET_ALLOW and RET_LOG cases in __seccomp_filter()
- Patch 4
+ Adjust the selftests for the updated RET_LOG value
Tyler
Tyler Hicks (4):
seccomp: Add sysctl to display available actions
seccomp: Add sysctl to configure actions that should be logged
seccomp: Create an action to log before allowing
seccomp: Add tests for SECCOMP_RET_LOG
Documentation/prctl/seccomp_filter.txt | 43 ++++++
Documentation/sysctl/kernel.txt | 1 +
include/linux/audit.h | 6 +-
include/uapi/linux/seccomp.h | 1 +
kernel/seccomp.c | 185 +++++++++++++++++++++++++-
tools/testing/selftests/seccomp/seccomp_bpf.c | 94 +++++++++++++
6 files changed, 322 insertions(+), 8 deletions(-)
--
2.7.4
7 years, 7 months
[PATCH 00/19] Kernel subsystem refcounter conversions
by Elena Reshetova
Now that the new refcount_t type and API are finally merged
(see include/linux/refcount.h), the following
patches convert various refcounters in the kernel subsystem from atomic_t
to refcount_t. By doing this we prevent intentional or accidental
underflows or overflows that can lead to use-after-free vulnerabilities.
The below patches are fully independent and can be cherry-picked separately.
Since we convert all kernel subsystems in the same fashion, resulting
in about 300 patches, we have to group them for sending at least in some
fashion to be manageable. Please excuse the long cc list.
Elena Reshetova (19):
kernel: convert sighand_struct.count from atomic_t to refcount_t
kernel: convert signal_struct.sigcnt from atomic_t to refcount_t
kernel: convert user_struct.__count from atomic_t to refcount_t
kernel: convert task_struct.usage from atomic_t to refcount_t
kernel: convert task_struct.stack_refcount from atomic_t to refcount_t
kernel: convert perf_event_context.refcount from atomic_t to
refcount_t
kernel: convert ring_buffer.refcount from atomic_t to refcount_t
kernel: convert ring_buffer.aux_refcount from atomic_t to refcount_t
kernel: convert uprobe.ref from atomic_t to refcount_t
kernel: convert nsproxy.count from atomic_t to refcount_t
kernel: convert cgroup_namespace.count from atomic_t to refcount_t
kernel: convert css_set.refcount from atomic_t to refcount_t
kernel: convert group_info.usage from atomic_t to refcount_t
kernel: convert cred.usage from atomic_t to refcount_t
kernel: convert audit_tree.count from atomic_t to refcount_t
kernel: convert audit_watch.count from atomic_t to refcount_t
kernel: convert numa_group.refcount from atomic_t to refcount_t
kernel: convert futex_pi_state.refcount from atomic_t to refcount_t
kernel: convert kcov.refcount from atomic_t to refcount_t
fs/exec.c | 4 ++--
include/linux/cgroup-defs.h | 3 ++-
include/linux/cgroup.h | 7 ++++---
include/linux/cred.h | 13 ++++++------
include/linux/init_task.h | 7 ++++---
include/linux/nsproxy.h | 6 +++---
include/linux/perf_event.h | 3 ++-
include/linux/sched.h | 19 +++++++++--------
kernel/audit_tree.c | 8 +++----
kernel/audit_watch.c | 8 +++----
kernel/cgroup/cgroup-internal.h | 10 ++++++---
kernel/cgroup/cgroup-v1.c | 4 ++--
kernel/cgroup/cgroup.c | 10 ++++-----
kernel/cgroup/namespace.c | 2 +-
kernel/cred.c | 46 ++++++++++++++++++++---------------------
kernel/events/core.c | 18 ++++++++--------
kernel/events/internal.h | 5 +++--
kernel/events/ring_buffer.c | 8 +++----
kernel/events/uprobes.c | 8 +++----
kernel/fork.c | 24 ++++++++++-----------
kernel/futex.c | 15 +++++++-------
kernel/groups.c | 2 +-
kernel/kcov.c | 9 ++++----
kernel/nsproxy.c | 6 +++---
kernel/sched/fair.c | 8 +++----
kernel/user.c | 8 +++----
26 files changed, 137 insertions(+), 124 deletions(-)
--
2.7.4
7 years, 8 months
space_left_action=exec only works once?
by Bond Masuda
Hello,
I configured space_left and space_left_action to run a script that
compresses and moves older audit log files from /var/log/audit. It
appears to work 1 time, and then doesn't work anymore until I kill the
auditd daemon and start it again.
Is this expected and/or desired behavior? I didn't see anything in the
man pages about this behavior. I was hoping to have my script run every
time the space_left threshold is hit so as to not run out of logging
disk space. Is there something I can do to accomplish this?
Thanks,
Bond
7 years, 9 months
Full path of the filename not showing up in audit logs for some entries in aureport -f
by Kaptaan
Hello,
I have set some file monitoring audit rules on a directory and the audit log shows some entries like
ausearch -if $LOGDIR -a 448424 -i
NOTE - using logs in /qdap01/tax/logs/audit.log
----
type=PATH msg=audit(02/27/2017 13:50:13.917:448424) : item=1 name=/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG.tax.41.tmp1 inode=6581 dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00 nametype=CREATE
type=PATH msg=audit(02/27/2017 13:50:13.917:448424) : item=0 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770 ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT
type=CWD msg=audit(02/27/2017 13:50:13.917:448424) : cwd=/qdap01/tax/users/akatekar/mbmwk/1488225013.635
type=SYSCALL msg=audit(02/27/2017 13:50:13.917:448424) : arch=i386 syscall=open success=yes exit=5 a0=0x8be40c0 a1=O_WRONLY|O_CREAT|O_TRUNC a2=0777 a3=0x0 items=2 ppid=635 pid=677 auid=rmoroncelli uid=akatekar gid=mfradmin euid=akatekar suid=akatekar fsuid=akatekar egid=mfradmin sgid=mfradmin fsgid=mfradmin tty=(none) ses=219531 comm=EXECPGM exe=/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/EXECPGM key=DFS_DATA
ausearch -if $LOGDIR -a 448424 --raw | aureport -i -f
NOTE - using logs in /qdap01/tax/logs/audit.log
File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 02/27/2017 13:50:13 /qdap01/tax/data/seqfiles/DFS/ open yes /qdap01/tax/ebmnode/bpe12.7.9/public/utilm/EXECPGM rmoroncelli 448424
As you can see, the full path of the file is available in the audit event, yet aureport -f does not show the complete file name. Any idea why this is happening, and what should I do to get the full path as given in item1? It seems that, for some reason, it always gives the filename from item0.
I have another entry where the inode is present but the name is (null).
ausearch -if $LOGDIR -a 448425 -i
NOTE - using logs in /qdap01/tax/logs/audit.log
----
type=PATH msg=audit(02/27/2017 13:50:14.862:448425) : item=1 name=(null) inode=6581 dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00 nametype=NORMAL
type=PATH msg=audit(02/27/2017 13:50:14.862:448425) : item=0 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770 ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT
type=CWD msg=audit(02/27/2017 13:50:14.862:448425) : cwd=/qdap01/tax/users/akatekar/mbmwk/1488225013.635
type=SYSCALL msg=audit(02/27/2017 13:50:14.862:448425) : arch=i386 syscall=open success=yes exit=5 a0=0x914552a a1=O_WRONLY|O_CREAT|O_TRUNC a2=0777 a3=0x0 items=2 ppid=677 pid=803 auid=rmoroncelli uid=akatekar gid=mfradmin euid=akatekar suid=akatekar fsuid=akatekar egid=mfradmin sgid=mfradmin fsgid=mfradmin tty=(none) ses=219531 comm=IEBGENER exe=/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/IEBGENER key=DFS_DATA
ausearch -if $LOGDIR -a 448425 --raw | aureport -i -f
NOTE - using logs in /qdap01/tax/logs/audit.log
File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 02/27/2017 13:50:14 /qdap01/tax/data/seqfiles/DFS/ open yes /qdap01/tax/ebmnode/bpe12.7.9/public/utilm/IEBGENER rmoroncelli 448425
Why is this coming as null for item1?
Another entry has a rename SYSCALL, which comes out as:
ausearch -if $LOGDIR -a 448427 -i
NOTE - using logs in /qdap01/tax/logs/audit.log
----
type=PATH msg=audit(02/27/2017 13:50:14.939:448427) : item=3 name=/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG_08 inode=6703 dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00 nametype=CREATE
type=PATH msg=audit(02/27/2017 13:50:14.939:448427) : item=2 name=/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG_07 inode=6703 dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00 nametype=DELETE
type=PATH msg=audit(02/27/2017 13:50:14.939:448427) : item=1 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770 ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT
type=PATH msg=audit(02/27/2017 13:50:14.939:448427) : item=0 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770 ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT
type=CWD msg=audit(02/27/2017 13:50:14.939:448427) : cwd=/qdap01/tax/users/akatekar/mbmwk/1488225013.635
type=SYSCALL msg=audit(02/27/2017 13:50:14.939:448427) : arch=i386 syscall=rename success=yes exit=0 a0=0xfff3b160 a1=0xfff3ad60 a2=0x7 a3=0xfff3b160 items=4 ppid=840 pid=843 auid=rmoroncelli uid=akatekar gid=mfradmin euid=akatekar suid=akatekar fsuid=akatekar egid=mfradmin sgid=mfradmin fsgid=mfradmin tty=(none) ses=219531 comm=gdgen exe=/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/gdgen key=DFS_DATA
ausearch -if $LOGDIR -a 448427 -r | aureport -i -f
NOTE - using logs in /qdap01/tax/logs/audit.log
File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 02/27/2017 13:50:14 /qdap01/tax/data/seqfiles/DFS/ rename yes /qdap01/tax/ebmnode/bpe12.7.9/public/utilm/gdgen rmoroncelli 448427
How can we get both the filenames (in item3 and item2) in the aureport?
Finally, can we have uid come out in the aureport along with auid? Any option/arguments that might help?
Sorry, if this has already been asked many times, but I did not get my answers with the limited search that I did.
Thanks in advance for the help.
Regards,
Amit Katekar.
Sent with [ProtonMail](https://protonmail.com) Secure Email.
7 years, 9 months
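The three questions in the post above (only item 0 shown by aureport -f, the name=(null) item, both names of a rename, and uid next to auid) can all be answered from the records ausearch already prints. The following is an added example, not part of the post and not the audit-userspace tools' own code: a Python script that reads ausearch -i output, groups records by event serial and reports every PATH item that is not the PARENT directory. The sample input is the post's own ausearch output, trimmed to the PATH and SYSCALL records; the selection rules (skip nametype=PARENT, fall back to inode and device when name=(null)) are this example's choices, not aureport's behaviour.

```python
import re
from collections import defaultdict

# Sample input, reproduced from the ausearch -i output quoted in the post
# above (events 448424, 448425 and 448427) and trimmed to the PATH and
# SYSCALL records with a subset of the SYSCALL fields.
SAMPLE = """\
type=PATH msg=audit(02/27/2017 13:50:13.917:448424) : item=1 name=/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG.tax.41.tmp1 inode=6581 dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00 nametype=CREATE
type=PATH msg=audit(02/27/2017 13:50:13.917:448424) : item=0 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770 ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT
type=SYSCALL msg=audit(02/27/2017 13:50:13.917:448424) : arch=i386 syscall=open success=yes exit=5 items=2 ppid=635 pid=677 auid=rmoroncelli uid=akatekar gid=mfradmin comm=EXECPGM exe=/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/EXECPGM key=DFS_DATA
----
type=PATH msg=audit(02/27/2017 13:50:14.862:448425) : item=1 name=(null) inode=6581 dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00 nametype=NORMAL
type=PATH msg=audit(02/27/2017 13:50:14.862:448425) : item=0 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770 ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT
type=SYSCALL msg=audit(02/27/2017 13:50:14.862:448425) : arch=i386 syscall=open success=yes exit=5 items=2 ppid=677 pid=803 auid=rmoroncelli uid=akatekar gid=mfradmin comm=IEBGENER exe=/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/IEBGENER key=DFS_DATA
----
type=PATH msg=audit(02/27/2017 13:50:14.939:448427) : item=3 name=/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG_08 inode=6703 dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00 nametype=CREATE
type=PATH msg=audit(02/27/2017 13:50:14.939:448427) : item=2 name=/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG_07 inode=6703 dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00 nametype=DELETE
type=PATH msg=audit(02/27/2017 13:50:14.939:448427) : item=1 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770 ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT
type=PATH msg=audit(02/27/2017 13:50:14.939:448427) : item=0 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770 ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT
type=SYSCALL msg=audit(02/27/2017 13:50:14.939:448427) : arch=i386 syscall=rename success=yes exit=0 items=4 ppid=840 pid=843 auid=rmoroncelli uid=akatekar gid=mfradmin comm=gdgen exe=/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/gdgen key=DFS_DATA
"""

# "type=PATH msg=audit(<date> <time>:<serial>) : <key=value ...>"
REC_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<stamp>[^)]+)\) : (?P<body>.*)$")
# key=value pairs; ausearch -i double-quotes interpreted names containing spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Group records by event serial: {serial: {"stamp", "SYSCALL", "PATH": [...]}}."""
    events = defaultdict(lambda: {"stamp": None, "SYSCALL": None, "PATH": []})
    for line in text.splitlines():
        m = REC_RE.match(line)
        if not m:
            continue  # "----" separators and ausearch's NOTE line
        stamp, serial = m.group("stamp").rsplit(":", 1)
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
        ev = events[serial]
        ev["stamp"] = stamp
        if m.group("type") == "SYSCALL":
            ev["SYSCALL"] = fields
        elif m.group("type") == "PATH":
            ev["PATH"].append(fields)
    return events


def file_report(text):
    """One row per PATH item that is not the PARENT directory.

    A rename therefore yields two rows (DELETE old name, CREATE new name), a
    name=(null) item is reported by inode and device instead of being dropped,
    and uid is carried next to auid.
    """
    rows = []
    for serial, ev in sorted(parse_events(text).items(), key=lambda kv: int(kv[0])):
        sc = ev["SYSCALL"]
        if sc is None:
            continue  # no SYSCALL record: the access cannot be attributed
        date, time = ev["stamp"].split(" ", 1)
        for p in sorted(ev["PATH"], key=lambda f: int(f.get("item", "0"))):
            if p.get("nametype") == "PARENT":
                continue
            name = p.get("name", "(null)")
            if name == "(null)":
                name = "(null) inode=%s dev=%s" % (p.get("inode", "?"), p.get("dev", "?"))
            rows.append({
                "serial": serial, "date": date, "time": time.split(".")[0],
                "file": name, "nametype": p.get("nametype", "?"),
                "syscall": sc.get("syscall", "?"), "success": sc.get("success", "?"),
                "exe": sc.get("exe", "?"), "auid": sc.get("auid", "?"), "uid": sc.get("uid", "?"),
            })
    return rows


def format_report(rows):
    """Render rows in the spirit of aureport -f, with nametype and uid added."""
    cols = ("date", "time", "file", "nametype", "syscall", "success", "exe", "auid", "uid", "serial")
    lines = ["# " + " ".join(cols)]
    for i, r in enumerate(rows, 1):
        lines.append("%d. " % i + " ".join(r[c] for c in cols))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(file_report(SAMPLE)))
```

Run against `ausearch -if $LOGDIR -a <serial> -i` output piped to stdin, the same report shows the created file for event 448424, the inode for the unnamed item of 448425, and both the deleted and the created name for the rename in 448427, each with uid next to auid.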
[PATCH 1/3] audit: auditfilter: remove unnecessary semicolon
by Nicholas Mc Guire
The excess ; after the closing parenthesis is just code-noise
and can be removed.
Signed-off-by: Nicholas Mc Guire <der.herr(a)hofr.at>
---
Problem located by coccinelle
./kernel/auditfilter.c:341:2-3: Unneeded semicolon
./kernel/auditfilter.c:415:2-3: Unneeded semicolon
Patch was compiletested with: x86_64_defconfig (implies CONFIG_AUDIT )
Patch is against 4.10.0 (localversion-next is next-20170222)
kernel/auditfilter.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 880519d..239d11c 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -338,7 +338,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
entry->rule.listnr != AUDIT_FILTER_USER)
return -EINVAL;
break;
- };
+ }
switch(f->type) {
default:
@@ -412,7 +412,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
if (entry->rule.listnr != AUDIT_FILTER_EXIT)
return -EINVAL;
break;
- };
+ }
return 0;
}
--
2.1.4
7 years, 9 months
[PATCH V3] audit: normalize NETFILTER_PKT
by Richard Guy Briggs
Eliminate flipping in and out of message fields, dropping fields in the process.
Sample raw message format IPv4 UDP:
type=NETFILTER_PKT msg=audit(1487874761.386:228): mark=0xae8a2732 saddr=127.0.0.1 daddr=127.0.0.1 proto=17^]
Sample raw message format IPv6 ICMP6:
type=NETFILTER_PKT msg=audit(1487874761.381:227): mark=0x223894b7 saddr=::1 daddr=::1 proto=58^]
Issue: https://github.com/linux-audit/audit-kernel/issues/11
Test case: https://github.com/linux-audit/audit-testsuite/issues/43
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
net/netfilter/xt_AUDIT.c | 122 ++++++++++-----------------------------------
1 files changed, 27 insertions(+), 95 deletions(-)
diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
index 4973cbd..945fa29 100644
--- a/net/netfilter/xt_AUDIT.c
+++ b/net/netfilter/xt_AUDIT.c
@@ -31,146 +31,78 @@ MODULE_ALIAS("ip6t_AUDIT");
MODULE_ALIAS("ebt_AUDIT");
MODULE_ALIAS("arpt_AUDIT");
-static void audit_proto(struct audit_buffer *ab, struct sk_buff *skb,
- unsigned int proto, unsigned int offset)
-{
- switch (proto) {
- case IPPROTO_TCP:
- case IPPROTO_UDP:
- case IPPROTO_UDPLITE: {
- const __be16 *pptr;
- __be16 _ports[2];
-
- pptr = skb_header_pointer(skb, offset, sizeof(_ports), _ports);
- if (pptr == NULL) {
- audit_log_format(ab, " truncated=1");
- return;
- }
-
- audit_log_format(ab, " sport=%hu dport=%hu",
- ntohs(pptr[0]), ntohs(pptr[1]));
- }
- break;
-
- case IPPROTO_ICMP:
- case IPPROTO_ICMPV6: {
- const u8 *iptr;
- u8 _ih[2];
-
- iptr = skb_header_pointer(skb, offset, sizeof(_ih), &_ih);
- if (iptr == NULL) {
- audit_log_format(ab, " truncated=1");
- return;
- }
-
- audit_log_format(ab, " icmptype=%hhu icmpcode=%hhu",
- iptr[0], iptr[1]);
-
- }
- break;
- }
-}
-
-static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
+static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
{
struct iphdr _iph;
const struct iphdr *ih;
ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
- if (!ih) {
- audit_log_format(ab, " truncated=1");
- return;
- }
+ if (!ih)
+ return false;
- audit_log_format(ab, " saddr=%pI4 daddr=%pI4 ipid=%hu proto=%hhu",
- &ih->saddr, &ih->daddr, ntohs(ih->id), ih->protocol);
+ audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
+ &ih->saddr, &ih->daddr, ih->protocol);
- if (ntohs(ih->frag_off) & IP_OFFSET) {
- audit_log_format(ab, " frag=1");
- return;
- }
-
- audit_proto(ab, skb, ih->protocol, ih->ihl * 4);
+ return true;
}
-static void audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
+static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
{
struct ipv6hdr _ip6h;
const struct ipv6hdr *ih;
u8 nexthdr;
__be16 frag_off;
- int offset;
ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), &_ip6h);
- if (!ih) {
- audit_log_format(ab, " truncated=1");
- return;
- }
+ if (!ih)
+ return false;
nexthdr = ih->nexthdr;
- offset = ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h),
- &nexthdr, &frag_off);
+ ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h), &nexthdr, &frag_off);
audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
&ih->saddr, &ih->daddr, nexthdr);
- if (offset)
- audit_proto(ab, skb, nexthdr, offset);
+ return true;
}
static unsigned int
audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
- const struct xt_audit_info *info = par->targinfo;
struct audit_buffer *ab;
+ int fam = -1;
if (audit_enabled == 0)
goto errout;
-
ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
if (ab == NULL)
goto errout;
- audit_log_format(ab, "action=%hhu hook=%u len=%u inif=%s outif=%s",
- info->type, par->hooknum, skb->len,
- par->in ? par->in->name : "?",
- par->out ? par->out->name : "?");
-
- if (skb->mark)
- audit_log_format(ab, " mark=%#x", skb->mark);
-
- if (skb->dev && skb->dev->type == ARPHRD_ETHER) {
- audit_log_format(ab, " smac=%pM dmac=%pM macproto=0x%04x",
- eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
- ntohs(eth_hdr(skb)->h_proto));
+ audit_log_format(ab, "mark=%#x", skb->mark ?: -1);
- if (par->family == NFPROTO_BRIDGE) {
+ switch (par->family) {
+ case NFPROTO_BRIDGE: {
switch (eth_hdr(skb)->h_proto) {
case htons(ETH_P_IP):
- audit_ip4(ab, skb);
+ fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
break;
-
case htons(ETH_P_IPV6):
- audit_ip6(ab, skb);
+ fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
break;
}
+ break;
}
+ case NFPROTO_IPV4:
+ fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
+ break;
+
+ case NFPROTO_IPV6:
+ fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
+ break;
}
- switch (par->family) {
- case NFPROTO_IPV4:
- audit_ip4(ab, skb);
- break;
-
- case NFPROTO_IPV6:
- audit_ip6(ab, skb);
- break;
- }
-
-#ifdef CONFIG_NETWORK_SECMARK
- if (skb->secmark)
- audit_log_secctx(ab, skb->secmark);
-#endif
+ if (fam == -1)
+ audit_log_format(ab, " saddr=? daddr=? proto=-1");
audit_log_end(ab);
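Review bot: `skb->mark ?: -1` in the new `audit_log_format(ab, "mark=%#x", ...)` call folds a genuine mark of 0 into the "unset" value, and -1 printed through %#x is 0xffffffff, which is itself a legal mark, so a consumer cannot tell the three cases apart; logging the raw value (0 included), or a non-numeric sentinel in the style of the `saddr=? daddr=?` fallback this hunk adds, keeps the field unambiguous. The commit message should also enumerate the fields this hunk removes (action, hook, len, inif, outif, smac/dmac/macproto, ipid, frag, truncated, sport/dport, icmptype/icmpcode and the CONFIG_NETWORK_SECMARK secmark) and say whether any of them return in a later patch, since log consumers and the linked test case key on them.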
--
1.7.1
7 years, 9 months
[PATCH 4/4] kernel:audit.c fixed a coding style issue
by Joan Jani
This patch fixes the following checkpatch.pl warning
WARNING: Block comments use a trailing */ on a separate line
like
kernel/audit.c:135: WARNING: Block comments use a trailing */ on a separate line
kernel/audit.c:170: WARNING: Block comments use a trailing */ on a separate line
kernel/audit.c:174: WARNING: Block comments use a trailing */ on a separate line
kernel/audit.c:181: WARNING: Block comments use a trailing */ on a
and some more style issues. No changes to code
Signed-off-by: Joan Jani <igiann(a)hotmail.com>
---
kernel/audit.c | 53 ++++++++++++++++++++++++++++++++++-------------------
1 file changed, 34 insertions(+), 19 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index e794544..62d90d9 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -70,7 +70,8 @@
#include "audit.h"
/* No auditing will take place until audit_initialized == AUDIT_INITIALIZED.
- * (Initialization happens after skb_init is called.) */
+ * (Initialization happens after skb_init is called.)
+ */
#define AUDIT_DISABLED -1
#define AUDIT_UNINITIALIZED 0
#define AUDIT_INITIALIZED 1
@@ -100,11 +101,13 @@ static __u32 audit_nlk_portid;
/* If audit_rate_limit is non-zero, limit the rate of sending audit records
* to that number per second. This prevents DoS attacks, but results in
- * audit records being dropped. */
+ * audit records being dropped.
+ */
static u32 audit_rate_limit;
/* Number of outstanding audit_buffers allowed.
- * When set to zero, this means unlimited. */
+ * When set to zero, this means unlimited.
+ */
static u32 audit_backlog_limit = 64;
#define AUDIT_BACKLOG_WAIT_TIME (60 * HZ)
static u32 audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME;
@@ -115,7 +118,7 @@ pid_t audit_sig_pid = -1;
u32 audit_sig_sid = 0;
/* Records can be lost in several ways:
- 0) [suppressed in audit_alloc]
+ * 0) [suppressed in audit_alloc]
1) out of memory in audit_log_start [kmalloc of struct audit_buffer]
2) out of memory in audit_log_move [alloc_skb]
3) suppressed due to audit_rate_limit
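Review bot: Only the `0)` line of the "Records can be lost" comment gains the ` * ` prefix; lines `1)`, `2)` and `3)` of the same block are left as they were, which yields a mixed style that checkpatch will still warn about. Prefix every continuation line of that comment or leave the block unchanged in this patch.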
@@ -132,7 +135,8 @@ struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];
/* The audit_freelist is a list of pre-allocated audit buffers (if more
* than AUDIT_MAXFREE are in use, the audit buffer is freed instead of
- * being placed on the freelist). */
+ * being placed on the freelist).
+ */
static DEFINE_SPINLOCK(audit_freelist_lock);
static int audit_freelist_count;
static LIST_HEAD(audit_freelist);
@@ -167,18 +171,21 @@ DEFINE_MUTEX(audit_cmd_mutex);
/* AUDIT_BUFSIZ is the size of the temporary buffer used for formatting
* audit records. Since printk uses a 1024 byte buffer, this buffer
- * should be at least that large. */
+ * should be at least that large.
+ */
#define AUDIT_BUFSIZ 1024
/* AUDIT_MAXFREE is the number of empty audit_buffers we keep on the
- * audit_freelist. Doing so eliminates many kmalloc/kfree calls. */
+ * audit_freelist. Doing so eliminates many kmalloc/kfree calls.
+ */
#define AUDIT_MAXFREE (2*NR_CPUS)
/* The audit_buffer is used when formatting an audit record. The caller
* locks briefly to get the record off the freelist or to allocate the
* buffer, and locks briefly to send the buffer to the netlink layer or
* to place it on a transmit queue. Multiple audit_buffers can be in
- * use simultaneously. */
+ * use simultaneously.
+ */
struct audit_buffer {
struct list_head list;
struct sk_buff *skb; /* formatted skb ready to send */
@@ -227,7 +234,8 @@ static inline int audit_rate_check(void)
unsigned long elapsed;
int retval = 0;
- if (!audit_rate_limit) return 1;
+ if (!audit_rate_limit)
+ return 1;
spin_lock_irqsave(&lock, flags);
if (++messages < audit_rate_limit) {
@@ -253,7 +261,7 @@ static inline int audit_rate_check(void)
* Emit at least 1 message per second, even if audit_rate_check is
* throttling.
* Always increment the lost messages counter.
-*/
+ */
void audit_log_lost(const char *message)
{
static unsigned long last_msg = 0;
@@ -350,6 +358,7 @@ static int audit_set_backlog_wait_time(u32 timeout)
static int audit_set_enabled(u32 state)
{
int rc;
+
if (state > AUDIT_LOCKED)
return -EINVAL;
@@ -402,7 +411,8 @@ static void kauditd_printk_skb(struct sk_buff *skb)
static void kauditd_hold_skb(struct sk_buff *skb)
{
/* at this point it is uncertain if we will ever send this to auditd so
- * try to send the message via printk before we go any further */
+ * try to send the message via printk before we go any further
+ */
kauditd_printk_skb(skb);
/* can we just silently drop the message? */
@@ -436,7 +446,8 @@ static void kauditd_retry_skb(struct sk_buff *skb)
{
/* NOTE: because records should only live in the retry queue for a
* short period of time, before either being sent or moved to the hold
- * queue, we don't currently enforce a limit on this queue */
+ * queue, we don't currently enforce a limit on this queue
+ */
skb_queue_tail(&audit_retry_queue, skb);
}
@@ -555,7 +566,7 @@ static int kauditd_thread(void *dummy)
struct nlmsghdr *nlh;
#define UNICAST_RETRIES 5
-#define AUDITD_BAD(x,y) \
+#define AUDITD_BAD(x, y) \
((x) == -ECONNREFUSED || (x) == -EPERM || ++(y) >= UNICAST_RETRIES)
/* NOTE: we do invalidate the auditd connection flag on any sending
@@ -729,8 +740,9 @@ static int audit_send_reply_thread(void *arg)
mutex_unlock(&audit_cmd_mutex);
/* Ignore failure. It'll only happen if the sender goes away,
- because our timeout is set to infinite. */
- netlink_unicast(aunet->nlsk , reply->skb, reply->portid, 0);
+ * because our timeout is set to infinite.
+ */
+ netlink_unicast(aunet->nlsk, reply->skb, reply->portid, 0);
put_net(net);
kfree(reply);
return 0;
@@ -1311,6 +1323,7 @@ static void __net_exit audit_net_exit(struct net *net)
{
struct audit_net *aunet = net_generic(net, audit_net_id);
struct sock *sock = aunet->nlsk;
+
mutex_lock(&audit_cmd_mutex);
if (sock == audit_sock)
auditd_reset();
@@ -1378,7 +1391,8 @@ static int __init audit_enable(char *str)
__setup("audit=", audit_enable);
/* Process kernel command-line parameter at boot time.
- * audit_backlog_limit=<n> */
+ * audit_backlog_limit=<n>
+ */
static int __init audit_backlog_limit_set(char *str)
{
u32 audit_backlog_limit_arg;
@@ -1415,7 +1429,7 @@ static void audit_buffer_free(struct audit_buffer *ab)
spin_unlock_irqrestore(&audit_freelist_lock, flags);
}
-static struct audit_buffer * audit_buffer_alloc(struct audit_context *ctx,
+static struct audit_buffer *audit_buffer_alloc(struct audit_context *ctx,
gfp_t gfp_mask, int type)
{
unsigned long flags;
@@ -1921,7 +1935,8 @@ void audit_log_name(struct audit_context *context, struct audit_names *n,
break;
case 0:
/* name was specified as a relative path and the
- * directory component is the cwd */
+ * directory component is the cwd
+ */
audit_log_d_path(ab, " name=", &context->pwd);
break;
default:
@@ -1961,7 +1976,7 @@ void audit_log_name(struct audit_context *context, struct audit_names *n,
/* log the audit_names record type */
audit_log_format(ab, " nametype=");
- switch(n->type) {
+ switch (n->type) {
case AUDIT_TYPE_NORMAL:
audit_log_format(ab, "NORMAL");
break;
--
2.7.4
7 years, 9 months
AUDIT_NETFILTER_PKT message format
by Richard Guy Briggs
Hi,
I'm just starting to look at the normalization of AUDIT_NETFILTER_PKT
event messages and it is not quite as straightforward as I had expected.
It is being tracked here:
https://github.com/linux-audit/audit-kernel/issues/11
and refers to a previous posting from Mr. Dash Four from four years ago
to which there was no reply.
The example given in the tracker above for "frag=" is fairly
straightforward, but digging more, there are a number of others that are
not quite so obvious.
How many different combinations of fields are acceptable? Can we create
new message types for each one, or is there a preferred way to indicate
which sub-type it is other than implicit from the arguments given?
Others that are straightforward:
- The first "truncated=" gets pulled in with "0".
- "mark=" gets pulled in with "0".
Ones that are not so straightforward:
- "secmark" depends on a kernel config setting, so should it always be
present but "(none)" if that kernel feature is compiled out?
- ARPHRD_ETHER pulls in 3 fields, I would pull them all in and set them
to "(none)" to indicate that type isn't present.
- audit_ip4() and audit_ip6() share "saddr=", "daddr=", "proto=", but ip4
adds "ipid=", which would be set to "(none)" for ip6.
- audit_proto() pulls in "truncated=" again, then either "sport=" and
"dport=" OR "icmptype=" and "icmpcode=".
If all fields are pulled in, we end up adding 10 fields beyond a
standard well-formed packet, and 15 beyond a truncated packet.
Note: In the cases of "mark" and "secmark" both are unions. In the case of
"mark", I don't see a problem since it isn't conditionally compiled out
and won't be mis-interpreted. In the case of "secmark=", it could be
mis-interpreted as offload_fwd_mark if that field is even compiled in,
but that would be addressed in the compiler directive...
One last question: Does anyone have a test suite that can generate any
or all of these types of packets?
Thanks!
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
7 years, 9 months