audit 2.7.3 released
by Steve Grubb
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Add one more comma to ausearch csv output
- Add support for KERN_MODULE event
- Add selectable escaping for ausearch/report output
- In auparse normalizer, always report session for syscalls
- Modify systemd service file to make auditd a forking type of service
- Adjust a couple of words to prevent collisions in normalizer
- Change object_type to object_kind in the normalizer
- Add rudimentary data for AVC without a syscall record
- Document auparse_normalize function
This release adds initial support for the KERN_MODULE event. It fixes a systemd
race condition when booting up the system that loads a policy that makes the
audit rules immutable.
Ausearch and aureport gained a new command line switch to allow you to control
what kind of escaping they use for the output. The options are raw, tty, shell,
and shell_quote. The default is tty if nothing is passed.
All the rest of the work was on the auparse_normalizer. There was one ABI
change where things were renamed from obj_type to obj_kind to better match
other things. There was too much confusion around the word type since it is a field name.
This is the last release off of the fedorahosted svn server. All future commits
will be done on github and it will no longer be a mirror.
Please let me know if you run across any problems with this release.
-Steve
[PATCH V2] audit: normalize NETFILTER_PKT
by Richard Guy Briggs
Simplify and eliminate flipping in and out of message fields, relying on nfmark
the way we do for audit_key.
https://github.com/linux-audit/audit-kernel/issues/11
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
net/netfilter/xt_AUDIT.c | 128 +++++++++++++++-------------------------------
1 files changed, 41 insertions(+), 87 deletions(-)
diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
index 4973cbd..05f7f25 100644
--- a/net/netfilter/xt_AUDIT.c
+++ b/net/netfilter/xt_AUDIT.c
@@ -31,146 +31,100 @@ MODULE_ALIAS("ip6t_AUDIT");
MODULE_ALIAS("ebt_AUDIT");
MODULE_ALIAS("arpt_AUDIT");
-static void audit_proto(struct audit_buffer *ab, struct sk_buff *skb,
- unsigned int proto, unsigned int offset)
-{
- switch (proto) {
- case IPPROTO_TCP:
- case IPPROTO_UDP:
- case IPPROTO_UDPLITE: {
- const __be16 *pptr;
- __be16 _ports[2];
-
- pptr = skb_header_pointer(skb, offset, sizeof(_ports), _ports);
- if (pptr == NULL) {
- audit_log_format(ab, " truncated=1");
- return;
- }
-
- audit_log_format(ab, " sport=%hu dport=%hu",
- ntohs(pptr[0]), ntohs(pptr[1]));
- }
- break;
-
- case IPPROTO_ICMP:
- case IPPROTO_ICMPV6: {
- const u8 *iptr;
- u8 _ih[2];
-
- iptr = skb_header_pointer(skb, offset, sizeof(_ih), &_ih);
- if (iptr == NULL) {
- audit_log_format(ab, " truncated=1");
- return;
- }
-
- audit_log_format(ab, " icmptype=%hhu icmpcode=%hhu",
- iptr[0], iptr[1]);
-
- }
- break;
- }
-}
+struct nfpkt_par {
+ int ipv;
+ const void *saddr;
+ const void *daddr;
+ u8 proto;
+};
-static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
+static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb, struct nfpkt_par *apar)
{
struct iphdr _iph;
const struct iphdr *ih;
+ apar->ipv = 4;
ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
- if (!ih) {
- audit_log_format(ab, " truncated=1");
+ if (!ih)
return;
- }
-
- audit_log_format(ab, " saddr=%pI4 daddr=%pI4 ipid=%hu proto=%hhu",
- &ih->saddr, &ih->daddr, ntohs(ih->id), ih->protocol);
-
- if (ntohs(ih->frag_off) & IP_OFFSET) {
- audit_log_format(ab, " frag=1");
- return;
- }
- audit_proto(ab, skb, ih->protocol, ih->ihl * 4);
+ apar->saddr = &ih->saddr;
+ apar->daddr = &ih->daddr;
+ apar->proto = ih->protocol;
}
-static void audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
+static void audit_ip6(struct audit_buffer *ab, struct sk_buff *skb, struct nfpkt_par *apar)
{
struct ipv6hdr _ip6h;
const struct ipv6hdr *ih;
u8 nexthdr;
__be16 frag_off;
- int offset;
+ apar->ipv = 6;
ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), &_ip6h);
- if (!ih) {
- audit_log_format(ab, " truncated=1");
+ if (!ih)
return;
- }
nexthdr = ih->nexthdr;
- offset = ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h),
- &nexthdr, &frag_off);
+ ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h), &nexthdr, &frag_off);
- audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
- &ih->saddr, &ih->daddr, nexthdr);
-
- if (offset)
- audit_proto(ab, skb, nexthdr, offset);
+ apar->saddr = &ih->saddr;
+ apar->daddr = &ih->daddr;
+ apar->proto = nexthdr;
}
static unsigned int
audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
- const struct xt_audit_info *info = par->targinfo;
struct audit_buffer *ab;
+ struct nfpkt_par apar = {
+ -1, NULL, NULL, -1,
+ };
if (audit_enabled == 0)
goto errout;
-
ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
if (ab == NULL)
goto errout;
- audit_log_format(ab, "action=%hhu hook=%u len=%u inif=%s outif=%s",
- info->type, par->hooknum, skb->len,
- par->in ? par->in->name : "?",
- par->out ? par->out->name : "?");
-
- if (skb->mark)
- audit_log_format(ab, " mark=%#x", skb->mark);
+ audit_log_format(ab, " mark=%#x", skb->mark ?: -1);
if (skb->dev && skb->dev->type == ARPHRD_ETHER) {
- audit_log_format(ab, " smac=%pM dmac=%pM macproto=0x%04x",
- eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
- ntohs(eth_hdr(skb)->h_proto));
-
if (par->family == NFPROTO_BRIDGE) {
switch (eth_hdr(skb)->h_proto) {
case htons(ETH_P_IP):
- audit_ip4(ab, skb);
+ audit_ip4(ab, skb, &apar);
break;
case htons(ETH_P_IPV6):
- audit_ip6(ab, skb);
+ audit_ip6(ab, skb, &apar);
break;
}
}
}
-
+ if (apar.ipv == -1)
switch (par->family) {
case NFPROTO_IPV4:
- audit_ip4(ab, skb);
+ audit_ip4(ab, skb, &apar);
break;
case NFPROTO_IPV6:
- audit_ip6(ab, skb);
+ audit_ip6(ab, skb, &apar);
break;
}
-#ifdef CONFIG_NETWORK_SECMARK
- if (skb->secmark)
- audit_log_secctx(ab, skb->secmark);
-#endif
+ switch (apar.ipv) {
+ case 4:
+ audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
+ apar.saddr, apar.daddr, apar.proto);
+ break;
+ case 6:
+ audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
+ apar.saddr, apar.daddr, apar.proto);
+ break;
+ default:
+ audit_log_format(ab, " saddr=? daddr=? proto=-1");
+ }
audit_log_end(ab);
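Review bot: audit_ip4 and audit_ip6 set `apar->ipv` before the skb_header_pointer() check, so a packet whose header cannot be pulled returns with ipv already 4 or 6 while saddr/daddr are still NULL and proto still holds the u8 initialiser (-1 stored as 255, which collides with IPPROTO_RAW), and the `case 4`/`case 6` branches in audit_tg then format NULL pointers and a fabricated protocol where the old code emitted `truncated=1`; moving `apar->ipv = 4;` (and the ipv6 counterpart) below `if (!ih) return;` keeps such packets in the default branch. The `skb->mark ?: -1` on the new mark= line makes an unmarked packet print as mark=0xffffffff, which is indistinguishable from a packet actually marked 0xffffffff; the old code omitted the field when the mark was 0, so either logging `mark=%#x` unconditionally or documenting the sentinel in the description would remove the ambiguity for consumers keying on nfmark as the description intends. Once the truncated=1 messages are gone the `ab` parameter of audit_ip4/audit_ip6 is unused, and a designated initialiser `struct nfpkt_par apar = { .ipv = -1 };` would avoid storing -1 into a u8. The secmark logging under CONFIG_NETWORK_SECMARK is also removed without mention in the description; if that is intended it should be stated there. audit_tg continues past the end of the hunk.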
--
1.7.1
Re: [PATCH V2] audit: normalize NETFILTER_PKT (fwd)
by Julia Lawall
Hello,
It looks like the switch starting on line 106 should be indented more if
it is expected to be under the if in line 105. I believe that there
should also be braces around the switch. It is a single statement, but it
is a complex one.
thanks,
julia
---------- Forwarded message ----------
Date: Thu, 23 Feb 2017 12:43:05 +0800
From: kbuild test robot <fengguang.wu(a)intel.com>
To: kbuild(a)01.org
Cc: Julia Lawall <julia.lawall(a)lip6.fr>
Subject: Re: [PATCH V2] audit: normalize NETFILTER_PKT
CC: kbuild-all(a)01.org
In-Reply-To: <9504740e9333a0b7074abe0dddfc487aeeae6cff.1487813996.git.rgb(a)redhat.com>
Hi Richard,
[auto build test WARNING on v4.9-rc8]
[cannot apply to nf-next/master next-20170222]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
url: https://github.com/0day-ci/linux/commits/Richard-Guy-Briggs/audit-normali...
:::::: branch date: 2 hours ago
:::::: commit date: 2 hours ago
>> net/netfilter/xt_AUDIT.c:106:1-2: code aligned with following code on line 116
git remote add linux-review https://github.com/0day-ci/linux
git remote update linux-review
git checkout 8f27486f1987d344c4d9b0de556dfd4209c524bf
vim +106 net/netfilter/xt_AUDIT.c
8f27486f Richard Guy Briggs 2017-02-22 100 audit_ip6(ab, skb, &apar);
43f393ca Thomas Graf 2011-01-16 101 break;
43f393ca Thomas Graf 2011-01-16 102 }
43f393ca Thomas Graf 2011-01-16 103 }
43f393ca Thomas Graf 2011-01-16 104 }
8f27486f Richard Guy Briggs 2017-02-22 105 if (apar.ipv == -1)
43f393ca Thomas Graf 2011-01-16 @106 switch (par->family) {
43f393ca Thomas Graf 2011-01-16 107 case NFPROTO_IPV4:
8f27486f Richard Guy Briggs 2017-02-22 108 audit_ip4(ab, skb, &apar);
43f393ca Thomas Graf 2011-01-16 109 break;
43f393ca Thomas Graf 2011-01-16 110
43f393ca Thomas Graf 2011-01-16 111 case NFPROTO_IPV6:
8f27486f Richard Guy Briggs 2017-02-22 112 audit_ip6(ab, skb, &apar);
43f393ca Thomas Graf 2011-01-16 113 break;
43f393ca Thomas Graf 2011-01-16 114 }
43f393ca Thomas Graf 2011-01-16 115
8f27486f Richard Guy Briggs 2017-02-22 @116 switch (apar.ipv) {
8f27486f Richard Guy Briggs 2017-02-22 117 case 4:
8f27486f Richard Guy Briggs 2017-02-22 118 audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
8f27486f Richard Guy Briggs 2017-02-22 119 apar.saddr, apar.daddr, apar.proto);
:::::: The code at line 106 was first introduced by commit
:::::: 43f393caec0362abe03c72799d3f342af3973070 netfilter: audit target to record accepted/dropped packets
:::::: TO: Thomas Graf <tgraf(a)infradead.org>
:::::: CC: Patrick McHardy <kaber(a)trash.net>
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
[GIT PULL] Audit patches for v4.11
by Paul Moore
Hi Linux,
The audit changes for v4.11 are relatively small compared to what we
did for v4.10, both in terms of size and impact. The two patches from
Steve tweak the formatting for some of the audit records to make them
more consistent with other audit records. The three patches from
Richard record the name of a module on module load, fix the logging of
sockaddr information when using socketcall() on 32-bit systems, and
add the ability to reset audit's lost record counter. My lone patch
just fixes an annoying style nit that I was reminded about by one of
Richard's patches.
All these patches pass our test suite, please merge them for v4.11.
Thanks,
-Paul
---
The following changes since commit 533c7b69c764ad5febb3e716899f43a75564fcab:
audit: use proper refcount locking on audit_sock (2016-12-14 13:06:04 -0500)
are available in the git repository at:
git://git.infradead.org/users/pcmoore/audit stable-4.11
for you to fetch changes up to fe8e52b9b9100c486051aaf5208dbf4072bb87b1:
audit: remove unnecessary curly braces from switch/case statements
(2017-02-14 13:32:12 -0500)
----------------------------------------------------------------
Paul Moore (1):
audit: remove unnecessary curly braces from switch/case statements
Richard Guy Briggs (3):
audit: add feature audit_lost reset
audit: log 32-bit socketcalls
audit: log module name on init_module
Steve Grubb (2):
audit: Make AUDIT_KERNEL event conform to the specification
audit: Make AUDIT_ANOM_ABEND event normalized
include/linux/audit.h | 32 ++++++++++++++++++++++++++++++++
include/uapi/linux/audit.h | 7 ++++++-
kernel/audit.c | 12 ++++++++++--
kernel/audit.h | 3 +++
kernel/auditsc.c | 40 +++++++++++++++++++++++++++-------------
kernel/module.c | 5 ++++-
net/compat.c | 17 ++++++++++++++---
7 files changed, 96 insertions(+), 20 deletions(-)
--
paul moore
security @ redhat
auid of a script started by a daemon process.
by Kaptaan
Hello All,
I have recently been introduced to linux security. After going through man pages and some posts, I believe I have configured and set up my audit rules correctly. My need is to monitor and log access to all files in certain directories.
The problem.
Application1 - I log in using my id <user1>. I sudo to <super_user1> and start the application.
The application starts a few daemon process owned by <super_user1>.
User2 - uses the application to access the files (through some script). The script is actually executed by the application's daemon process.
The auid shown in the audit logs is always my id <user1> for all audit events.
So I started capturing the uid from the logs which shows <user2>.
Now user2 is smart, he/she sudo to <super_user2> and then runs the same script to access the files. This time the auid is shown as my user <user1> and the uid, euid is always shown as <super_user2>.
Is there a way I can get the auid of the person who started the script even after he/she sudoes to another user?
Any help/suggestion is much appreciated.
Thanks,
Amit.
Sent with [ProtonMail](https://protonmail.com) Secure Email.
[PATCH v4 0/4] Improved seccomp logging
by Tyler Hicks
This patch set is the fourth revision of the following two previously
submitted patch sets:
v1: http://lkml.kernel.org/r/1483375990-14948-1-git-send-email-tyhicks@canoni...
v1: http://lkml.kernel.org/r/1483377999-15019-2-git-send-email-tyhicks@canoni...
v2: http://lkml.kernel.org/r/1486100262-32391-1-git-send-email-tyhicks@canoni...
v3: Same patches as v4 but I copied and pasted an invalid address for the
linux-api list when submitting the set.
The patch set aims to address some known deficiencies in seccomp's current
logging capabilities:
1. Inability to log all filter actions.
2. Inability to selectively enable filtering; e.g. devs want noisy logging,
users want relative quiet.
3. Consistent behavior with audit enabled and disabled.
4. Inability to easily develop a filter due to the lack of a
permissive/complain mode.
Changes since v3:
- No code changes. I had to resubmit the patch set after copying and
pasting a bad address for the linux-api list.
Changes since v2 to address feedback from Kees:
- Patch 1
+ Log a warning when sysctl registration fails
+ Move comment describing SECCOMP_RET_*_NAME from PATCH 2
+ Document the actions_avail sysctl
- Patch 2
+ Inline seccomp_log()
+ Optimize logging for RET_ALLOW hot path
+ Use "{ }" for name buffer initialization
+ Make a copy of the ctl_table and only modify the copy
+ Rename max_action_to_log sysctl to log_max_action
+ Document the log_max_action sysctl
- Patch 3
+ Put some space between RET_LOG and RET_ALLOW for future actions
+ Separate the RET_ALLOW and RET_LOG cases in __seccomp_filter()
- Patch 4
+ Adjust the selftests for the updated RET_LOG value
Tyler
Tyler Hicks (4):
seccomp: Add sysctl to display available actions
seccomp: Add sysctl to configure actions that should be logged
seccomp: Create an action to log before allowing
seccomp: Add tests for SECCOMP_RET_LOG
Documentation/prctl/seccomp_filter.txt | 43 ++++++
Documentation/sysctl/kernel.txt | 1 +
include/linux/audit.h | 6 +-
include/uapi/linux/seccomp.h | 1 +
kernel/seccomp.c | 185 +++++++++++++++++++++++++-
tools/testing/selftests/seccomp/seccomp_bpf.c | 94 +++++++++++++
6 files changed, 322 insertions(+), 8 deletions(-)
--
2.7.4
Audit Blog
by Steve Grubb
Hello,
I have started the blog to discuss audit issues at this location:
http://security-plus-data-science.blogspot.com/
I only have a basic sketch of the direction this will go for now. But I will
start posting there regularly - especially for the next couple of weeks while
I'm unloading all the information about the new audit capabilities. Feel free
to ask questions here to be expanded on there.
-Steve
[PATCH V2] audit: log module name on init_module
by Richard Guy Briggs
This adds a new auxiliary record MODULE_INIT to the SYSCALL event.
We get finit_module for free since it made most sense to hook this in to
load_module().
https://github.com/linux-audit/audit-kernel/issues/7
https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-load-record-f...
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
include/linux/audit.h | 12 ++++++++++++
include/uapi/linux/audit.h | 1 +
kernel/audit.h | 3 +++
kernel/auditsc.c | 14 ++++++++++++++
kernel/module.c | 5 ++++-
5 files changed, 34 insertions(+), 1 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 2be99b2..aba3a26 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -360,6 +360,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
const struct cred *old);
extern void __audit_log_capset(const struct cred *new, const struct cred *old);
extern void __audit_mmap_fd(int fd, int flags);
+extern void __audit_log_kern_module(char *name);
static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
{
@@ -450,6 +451,12 @@ static inline void audit_mmap_fd(int fd, int flags)
__audit_mmap_fd(fd, flags);
}
+static inline void audit_log_kern_module(char *name)
+{
+ if (!audit_dummy_context())
+ __audit_log_kern_module(name);
+}
+
extern int audit_n_rules;
extern int audit_signals;
#else /* CONFIG_AUDITSYSCALL */
@@ -561,6 +568,11 @@ static inline void audit_log_capset(const struct cred *new,
{ }
static inline void audit_mmap_fd(int fd, int flags)
{ }
+
+static inline void audit_log_kern_module(char *name)
+{
+}
+
static inline void audit_ptrace(struct task_struct *t)
{ }
#define audit_n_rules 0
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 3f24110..3c02bb2 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -111,6 +111,7 @@
#define AUDIT_PROCTITLE 1327 /* Proctitle emit event */
#define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes */
#define AUDIT_REPLACE 1329 /* Replace auditd if this packet unanswerd */
+#define AUDIT_KERN_MODULE 1330 /* Kernel Module events */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
diff --git a/kernel/audit.h b/kernel/audit.h
index 431444c..144b7eb 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -199,6 +199,9 @@ struct audit_context {
struct {
int argc;
} execve;
+ struct {
+ char *name;
+ } module;
};
int fds[2];
struct audit_proctitle proctitle;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index bb5f504..bde3aac 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1268,6 +1268,11 @@ static void show_special(struct audit_context *context, int *call_panic)
case AUDIT_EXECVE: {
audit_log_execve_info(context, &ab);
break; }
+ case AUDIT_KERN_MODULE:
+ audit_log_format(ab, "name=");
+ audit_log_untrustedstring(ab, context->module.name);
+ kfree(context->module.name);
+ break;
}
audit_log_end(ab);
}
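Review bot: The new `case AUDIT_KERN_MODULE:` passes context->module.name to audit_log_untrustedstring() without a NULL check, and the allocation that fills it in __audit_log_kern_module() (later hunk in this file) is unchecked, so an allocation failure would reach this line as a NULL dereference. After `kfree(context->module.name);` the pointer is also left dangling in the context rather than being cleared with `context->module.name = NULL;`. Using audit_log_untrustedstring() here is the right choice since the name comes from the module image handed to the syscall, and a one-line comment saying so would help the next reader. show_special continues outside the hunk, so whether the name is freed on the paths where no audit buffer is obtained cannot be judged from here.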
@@ -2368,6 +2373,15 @@ void __audit_mmap_fd(int fd, int flags)
context->type = AUDIT_MMAP;
}
+void __audit_log_kern_module(char *name)
+{
+ struct audit_context *context = current->audit_context;
+
+ context->module.name = kmalloc(strlen(name) + 1, GFP_KERNEL);
+ strcpy(context->module.name, name);
+ context->type = AUDIT_KERN_MODULE;
+}
+
static void audit_log_task(struct audit_buffer *ab)
{
kuid_t auid, uid;
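Review bot: `kmalloc(strlen(name) + 1, GFP_KERNEL)` in __audit_log_kern_module is not checked before strcpy() writes through it, so the function faults on allocation failure; `context->module.name = kstrdup(name, GFP_KERNEL);` performs the same sized copy in one call and leaves NULL for the consumer in show_special to test. The parameter is never written, so `const char *name` would be the accurate type here, for the prototype and inline wrapper in include/linux/audit.h, and for the !CONFIG_AUDITSYSCALL stub. The context is read from current->audit_context without a NULL check; the wrapper's audit_dummy_context() test appears to guarantee a context, but only for callers that go through the wrapper, which a short comment on this function should state.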
diff --git a/kernel/module.c b/kernel/module.c
index 529efae..5432dbe 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -61,6 +61,7 @@
#include <linux/pfn.h>
#include <linux/bsearch.h>
#include <linux/dynamic_debug.h>
+#include <linux/audit.h>
#include <uapi/linux/module.h>
#include "module-internal.h"
@@ -3593,6 +3594,8 @@ static int load_module(struct load_info *info, const char __user *uargs,
goto free_copy;
}
+ audit_log_kern_module(mod->name);
+
/* Reserve our place in the list. */
err = add_unformed_module(mod);
if (err)
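Review bot: `audit_log_kern_module(mod->name)` is placed before add_unformed_module(), so a load that is rejected later in load_module() still produces the KERN_MODULE auxiliary record; that looks deliberate, since the enclosing SYSCALL record presumably reports the outcome, but the placement deserves a comment such as `/* record the name now; the SYSCALL record carries the load result */` so it is not moved by accident. The name is taken straight from the untrusted module image at this point, which is why the consumer logs it with audit_log_untrustedstring(). load_module continues outside the hunk.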
@@ -3681,7 +3684,7 @@ static int load_module(struct load_info *info, const char __user *uargs,
mod->name, after_dashes);
}
- /* Link in to syfs. */
+ /* Link in to sysfs. */
err = mod_sysfs_setup(mod, info, mod->kp, mod->num_kp);
if (err < 0)
goto coming_cleanup;
--
1.7.1
[PATCH v2 0/4] Improved seccomp logging
by Tyler Hicks
This patch set is the second revision of the following two previously
submitted patch sets:
http://lkml.kernel.org/r/1483375990-14948-1-git-send-email-tyhicks@canoni...
http://lkml.kernel.org/r/1483377999-15019-2-git-send-email-tyhicks@canoni...
The patch set aims to address some known deficiencies in seccomp's current
logging capabilities:
1. Inability to log all filter actions.
2. Inability to selectively enable filtering; e.g. devs want noisy logging,
users want relative quiet.
3. Consistent behavior with audit enabled and disabled.
4. Inability to easily develop a filter due to the lack of a
permissive/complain mode.
The first three items were outlined by Paul Moore and are issues that I agree
with. The last one is one that I'm particularly interested in.
I deviated a little from the plan that he laid out to address the third issue.
Looking back at Paul's feedback, he wanted a way to log seccomp actions even
when the audit subsystem is disabled at build time. I felt like the bigger
problem is that, while it is common for kernels to be built with audit support,
it is far less common to actually have auditd running. Therefore, my approach
was to improve the situation when kernel audit support is enabled at build time
but audit_enabled is false at runtime. The audit subsystem forwards messages
onto syslog in that situation.
Tyler