Re: [PATCH] lsm_audit: use get_task_comm
by Paul Moore
On Mon, Aug 28, 2017 at 9:58 AM, Geliang Tang <geliangtang(a)gmail.com> wrote:
> get_task_comm() copies the task's comm under the task_lock; it's safer
> than directly using memcpy().
>
> Signed-off-by: Geliang Tang <geliangtang(a)gmail.com>
> ---
> security/lsm_audit.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> index 28d4c3a..555b1c4 100644
> --- a/security/lsm_audit.c
> +++ b/security/lsm_audit.c
> @@ -221,7 +221,7 @@ static void dump_common_audit_data(struct audit_buffer *ab,
> BUILD_BUG_ON(sizeof(a->u) > sizeof(void *)*2);
>
> audit_log_format(ab, " pid=%d comm=", task_tgid_nr(current));
> - audit_log_untrustedstring(ab, memcpy(comm, current->comm, sizeof(comm)));
> + audit_log_untrustedstring(ab, get_task_comm(comm, current));
>
> switch (a->type) {
> case LSM_AUDIT_DATA_NONE:
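Review bot: the commit message's "safer" deserves one more sentence for this hunk: the open-coded memcpy() raced with set_task_comm() (exec, prctl(PR_SET_NAME)), which rewrites comm under task_lock(), so the record could carry a torn name; get_task_comm() takes the same lock. Worth also stating that task_lock() is a spinlock, so the call is fine from the atomic contexts the LSM audit path runs in.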
> @@ -312,7 +312,7 @@ static void dump_common_audit_data(struct audit_buffer *ab,
> char comm[sizeof(tsk->comm)];
> audit_log_format(ab, " opid=%d ocomm=", pid);
> audit_log_untrustedstring(ab,
> - memcpy(comm, tsk->comm, sizeof(comm)));
> + get_task_comm(comm, tsk));
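Review bot: `char comm[sizeof(tsk->comm)]` at the top of this block shadows the `comm` array declared at the top of dump_common_audit_data() (the one the first hunk fills); -Wshadow flags it, and since both buffers are sized from the same field the inner declaration can simply go, letting `get_task_comm(comm, tsk)` write into the outer buffer.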
[NOTE: adding the linux-audit mailing list to this thread]
This isn't strictly a problem with this patch, but I think we should
be able to get rid of the 'comm' variable in this if-block and simply
reuse the 'comm' from the top of the function. It would be nice to
include that in this patch.
Other than that minor nit, this patch looks good to me; if you make
that small change I'll merge it into the audit/next branch for the
upcoming merge window.
--
paul moore
www.paul-moore.com
7 years, 2 months
[PATCH] selinux: remove AVC init audit log message
by Richard Guy Briggs
In the process of normalizing audit log messages, it was noticed that the AVC
initialization code registered an audit log KERNEL record that didn't fit the
standard format. In the process of attempting to normalize it, it was
determined that this record was not even necessary. Remove it.
Ref: http://marc.info/?l=selinux&m=149614868525826&w=2
See: https://github.com/linux-audit/audit-kernel/issues/48
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
security/selinux/avc.c | 2 --
1 files changed, 0 insertions(+), 2 deletions(-)
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index e60c79d..4b42931 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -197,8 +197,6 @@ void __init avc_init(void)
avc_xperms_data_cachep = kmem_cache_create("avc_xperms_data",
sizeof(struct extended_perms_data),
0, SLAB_PANIC, NULL);
-
- audit_log(current->audit_context, GFP_KERNEL, AUDIT_KERNEL, "AVC INITIALIZED\n");
}
int avc_get_hash_stats(char *page)
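Review bot: the justification for dropping this record lives only behind the Ref/See links; since this was the one KERNEL record SELinux emitted at boot, anyone grepping for "AVC INITIALIZED" as a boot-time liveness signal loses it, so the commit message should say in its own words what the record was meant to signal and why no userspace consumer depends on it.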
--
1.7.1
[PATCH 0/2] audit: Fix two bugs with deleting audit watches
by Jan Kara
Hello,
Tony pointed me to a long-standing use after free issue in audit watch
subsystem. The first patch should fix this. When analyzing and fixing
that issue, I've noticed that audit watch does not receive FS_UNMOUNT
event although from the code it seems it expects to receive it - patch
two fixes that. The patches survive some basic testing but especially
for the second patch I'd like someone with more experience with audit
subsystem to have a look whether the patch makes sense.
Honza
[GIT PULL] Audit fixes for v4.13 (#2)
by Paul Moore
Hi Linus,
Two small fixes to the audit code, both explained well in the
respective patch descriptions, but the quick summary is one
use-after-free fix, and one silly fanotify notification flag fix.
It's also worth mentioning, as you'll soon notice when you get to the
bottom of this email, that I've moved the audit tree over to
kernel.org and I'm now tagging/signing these pull requests; everything
*should* be in order, but if I've screwed it up somehow, let me know.
Thanks,
-Paul
---
The following changes since commit b0659ae5e30074ede1dc08f2c6d64f0c11d64e0f:
audit: fix memleak in auditd_send_unicast_skb. (2017-07-19 10:28:54 -0400)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git \
tags/audit-pr-20170816
for you to fetch changes up to b5fed474b98332559f2590c6bc90388a0899e793:
audit: Receive unmount event (2017-08-15 16:03:00 -0400)
----------------------------------------------------------------
audit/stable-4.13 PR 20170816
----------------------------------------------------------------
Jan Kara (2):
audit: Fix use after free in audit_remove_watch_rule()
audit: Receive unmount event
kernel/audit_watch.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
--
paul moore
www.paul-moore.com
[PATCH 1/1] Fanotify: Introduce a permissive mode
by Steve Grubb
Hello,
The fanotify interface can be used as an access control subsystem. If
for some reason the policy is bad, there is potentially no good way to
recover the system. This patch introduces a new command line variable,
fanotify_enforce, to allow overriding the access decision from user
space. The initialization status is recorded as an audit event so that
there is a record of being in permissive mode for the security officer.
Signed-off-by: sgrubb <sgrubb(a)redhat.com>
---
Documentation/admin-guide/kernel-parameters.txt | 7 +++++
fs/notify/fanotify/fanotify.c | 42 +++++++++++++++++++++++--
include/uapi/linux/audit.h | 1 +
3 files changed, 47 insertions(+), 3 deletions(-)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 7737ab5..84c0e78 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -1141,6 +1141,13 @@
Format: <interval>,<probability>,<space>,<times>
See also Documentation/fault-injection/.
+ fanotify_enforce=[FANOTIFY] Enable or disable enforcement of policy
+ decisions at boot time.
+ Format: { "0" | "1" }
+ 0 -- disable enforcement.
+ 1 -- enable enforcement.
+ Default value is 1 (enforcing).
+
floppy= [HW]
See Documentation/blockdev/floppy.txt.
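Review bot: the parameter text should say what "disable enforcement" means in practice, that every fanotify permission event is answered with allow regardless of the listener's reply, and that the knob only exists when CONFIG_FANOTIFY_ACCESS_PERMISSIONS is set, since the `__setup` handler in the fanotify.c hunk is compiled only under that option; as written an admin cannot tell from the doc that fanotify_enforce=0 silently does nothing on other kernels.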
diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
index 2fa99ae..cab5c2b 100644
--- a/fs/notify/fanotify/fanotify.c
+++ b/fs/notify/fanotify/fanotify.c
@@ -9,9 +9,43 @@
#include <linux/sched/user.h>
#include <linux/types.h>
#include <linux/wait.h>
+#include <linux/audit.h>
#include "fanotify.h"
+
+#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
+/*
+ * This variable determines if the decisions made by user space listener
+ * will be enforced or overridden for system recovery
+ */
+static unsigned int enforcing_mode = 1;
+
+
+/* Record status of the fanotify sunsystem */
+static int __init fanotify_init(void)
+{
+ audit_log(NULL, GFP_KERNEL, AUDIT_FANOTIFY_STATUS,
+ "state=initialized fanotify_enforce=%u res=1",
+ enforcing_mode);
+ return 0;
+}
+late_initcall(fanotify_init);
+
+static int __init set_fanotify_enforce(char *str)
+{
+ long val;
+
+ if (kstrtol(str, 0, &val) == 0) {
+ enforcing_mode = !!val;
+ pr_info("fanotify initialized with fanotify_enforce=%u\n",
+ enforcing_mode);
+ }
+ return 1;
+}
+__setup("fanotify_enforce=", set_fanotify_enforce);
+#endif
+
static bool should_merge(struct fsnotify_event *old_fsn,
struct fsnotify_event *new_fsn)
{
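Review bot: set_fanotify_enforce() silently accepts garbage: when kstrtol() fails nothing is printed and enforcing_mode keeps its default, so a typo such as fanotify_enforce=o leaves the admin believing enforcement was switched off; add a pr_warn() in that branch (the AUDIT_FANOTIFY_STATUS record from fanotify_init() still shows the effective value, which is the more important property, so say so in the commit message). Minor: "sunsystem" in the comment, and enforcing_mode is written only at boot and read on every permission event, so `__read_mostly` fits.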
@@ -88,9 +122,12 @@ static int fanotify_get_response(struct fsnotify_group *group,
}
event->response = 0;
- pr_debug("%s: group=%p event=%p about to return ret=%d\n", __func__,
- group, event, ret);
-
+ pr_debug("%s: group=%p event=%p about to return ret=%d enforce=%u\n",
+ __func__, group, event, ret, enforcing_mode);
+
+ if (unlikely(!enforcing_mode))
+ ret = 0;
+
return ret;
}
#endif
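Review bot: `if (unlikely(!enforcing_mode)) ret = 0;` overrides every non-zero ret, including error codes from the wait above, not only a denial from the listener (the -EPERM case), and it does so without any per-event record; a security officer therefore learns from AUDIT_FANOTIFY_STATUS that the box booted permissive but never which accesses would have been denied. Consider overriding only the denial and emitting a (rate-limited) record when a deny is overridden, which is what makes a permissive mode usable for fixing the policy.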
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 0714a66..9560627 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -112,6 +112,7 @@
#define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes */
#define AUDIT_REPLACE 1329 /* Replace auditd if this packet unanswerd */
#define AUDIT_KERN_MODULE 1330 /* Kernel Module events */
+#define AUDIT_FANOTIFY_STATUS 1331 /* Fanotify enforcing status */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
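Review bot: a new AUDIT_* type needs the matching entry in the audit-userspace message-type table, or ausearch prints the record as type=UNKNOWN[1331]; the `type=UNKNOWN[1330]` line in the tracefs sample output below is exactly what that looks like for AUDIT_KERN_MODULE. The companion userspace change, and the field set of the record (state=, fanotify_enforce=, res=), should be referenced in the commit message.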
--
2.9.4
[PATCH ALT4 V2 1/2] audit: show fstype:pathname for entries with anonymous parents
by Richard Guy Briggs
Tracefs or debugfs were causing hundreds to thousands of null PATH
records to be associated with the init_module and finit_module SYSCALL
records on a few modules when the following rule was in place for
startup:
-a always,exit -F arch=x86_64 -S init_module -F key=mod-load
This happens because the parent inode is not found in the task's
audit_names list and hence treats it as anonymous. This gives us no
information other than a numerical device number that may no longer be
visible upon log inspection, and an inode number.
Fill in the filesystem type, filesystem magic number and full pathname
from the filesystem mount point on previously null PATH records from
entries that have an anonymous parent from the child dentry using
dentry_path_raw().
Make the dentry argument of __audit_inode_child() non-const so that we
can take a reference to it in the case of an anonymous parent with
dget() and dget_parent() to be able to later print a partial path from
the host filesystem rather than null.
Since all we are given is an inode of the parent and the dentry of the
child, finding the path from the mount point to the root of the
filesystem is more challenging, as it would involve searching all
vfsmounts from "/" until a matching dentry is found for that
filesystem's root dentry. Even if one is found, there may be more than
one mount point. At this point the gain seems marginal since
knowing the filesystem type and path are a significant help in tracking
down the source of the PATH records and being able to address them.
Sample output:
type=PROCTITLE msg=audit(1488317694.446:143): proctitle=2F7362696E2F6D6F6470726F6265002D71002D2D006E66737634
type=PATH msg=audit(1488317694.446:143): item=797 name=tracefs(74726163):/events/nfs4/nfs4_setclientid/format inode=15969 dev=00:09 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE
type=PATH msg=audit(1488317694.446:143): item=796 name=tracefs(74726163):/events/nfs4/nfs4_setclientid inode=15964 dev=00:09 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT
...
type=PATH msg=audit(1488317694.446:143): item=1 name=tracefs(74726163):/events/nfs4 inode=15571 dev=00:09 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE
type=PATH msg=audit(1488317694.446:143): item=0 name=tracefs(74726163):/events inode=119 dev=00:09 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT
type=UNKNOWN[1330] msg=audit(1488317694.446:143): name="nfsv4"
type=SYSCALL msg=audit(1488317694.446:143): arch=c000003e syscall=313 success=yes exit=0 a0=1 a1=55d5a35ce106 a2=0 a3=1 items=798 ppid=6 pid=528 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:insmod_t:s0 key="mod-load"
See: https://github.com/linux-audit/audit-kernel/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
include/linux/audit.h | 8 ++++----
kernel/audit.c | 16 ++++++++++++++++
kernel/audit.h | 1 +
kernel/auditsc.c | 8 +++++++-
4 files changed, 28 insertions(+), 5 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index aba3a26..367a03a 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -241,7 +241,7 @@ extern void __audit_inode(struct filename *name, const struct dentry *dentry,
unsigned int flags);
extern void __audit_file(const struct file *);
extern void __audit_inode_child(struct inode *parent,
- const struct dentry *dentry,
+ struct dentry *dentry,
const unsigned char type);
extern void __audit_seccomp(unsigned long syscall, long signr, int code);
extern void __audit_ptrace(struct task_struct *t);
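Review bot: dropping const here is forced by the dget()/dget_parent() calls in the auditsc.c hunks, but the signature ripples through every __audit_inode_child() caller in fs/; the diffstat shows no fs/ change, so the commit message should state that no caller passes a const dentry and the tree compiles as is.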
@@ -306,7 +306,7 @@ static inline void audit_inode_parent_hidden(struct filename *name,
AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN);
}
static inline void audit_inode_child(struct inode *parent,
- const struct dentry *dentry,
+ struct dentry *dentry,
const unsigned char type) {
if (unlikely(!audit_dummy_context()))
__audit_inode_child(parent, dentry, type);
@@ -487,7 +487,7 @@ static inline void __audit_inode(struct filename *name,
unsigned int flags)
{ }
static inline void __audit_inode_child(struct inode *parent,
- const struct dentry *dentry,
+ struct dentry *dentry,
const unsigned char type)
{ }
static inline void audit_inode(struct filename *name,
@@ -501,7 +501,7 @@ static inline void audit_inode_parent_hidden(struct filename *name,
const struct dentry *dentry)
{ }
static inline void audit_inode_child(struct inode *parent,
- const struct dentry *dentry,
+ struct dentry *dentry,
const unsigned char type)
{ }
static inline void audit_core_dumps(long signr)
diff --git a/kernel/audit.c b/kernel/audit.c
index 25dd70a..7d83c5a 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -66,6 +66,7 @@
#include <linux/freezer.h>
#include <linux/pid_namespace.h>
#include <net/netns/generic.h>
+#include <linux/dcache.h>
#include "audit.h"
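Review bot: `#include <linux/dcache.h>` lands after `<net/netns/generic.h>`, breaking the linux/ then net/ grouping of the block above it; move it up beside the other linux/ headers (the auditsc.c hunk has the same ordering issue).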
@@ -1884,6 +1885,10 @@ void audit_copy_inode(struct audit_names *name, const struct dentry *dentry,
name->gid = inode->i_gid;
name->rdev = inode->i_rdev;
security_inode_getsecid(inode, &name->osid);
+ if (name->dentry) {
+ dput(name->dentry);
+ name->dentry = NULL;
+ }
audit_copy_fcaps(name, dentry);
}
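Review bot: the dput() here makes audit_copy_inode() an owner of name->dentry, which only works because audit_alloc_name() zeroes new entries (an uninitialised pointer would be dput()), and it means every assignment to n->dentry in __audit_inode_child() must come after the audit_copy_inode() call, as the auditsc.c hunks do. State both in a comment on the dentry field in audit.h; nothing in this hunk makes the ownership rule visible.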
@@ -1925,6 +1930,17 @@ void audit_log_name(struct audit_context *context, struct audit_names *n,
audit_log_n_untrustedstring(ab, n->name->name,
n->name_len);
}
+ } else if (n->dentry) {
+ char *fullpath;
+ const char *fullpathp;
+
+ fullpath = kmalloc(PATH_MAX, GFP_KERNEL);
+ if (!fullpath)
+ return;
+ fullpathp = dentry_path_raw(n->dentry, fullpath, PATH_MAX);
+ audit_log_format(ab, " name=%s(0x%lx):%s",
+ n->dentry->d_sb->s_type->name?:"?",
+ n->dentry->d_sb->s_magic, fullpathp?:"?");
} else
audit_log_format(ab, " name=(null)");
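Review bot: `fullpath` is never kfree()d, so every PATH record with an anonymous parent leaks PATH_MAX bytes; add kfree(fullpath) after the audit_log_format(). Three more problems in the same branch: dentry_path_raw() returns an ERR_PTR (for example -ENAMETOOLONG), not NULL, on failure, so `fullpathp?:"?"` will print a kernel pointer; test with IS_ERR(). The path is written with a bare %s while every other name on this record goes through audit_log_untrustedstring(), so a dentry name containing a space or quote breaks field parsing (log injection); use audit_log_n_untrustedstring() for the path part. And the early `return` on kmalloc failure leaves audit_log_name() without finishing the record; falling through to the `name=(null)` branch is safer. Finally, the sample output in the commit message shows `tracefs(74726163)` while the code prints `0x%lx`, so one of the two is stale.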
diff --git a/kernel/audit.h b/kernel/audit.h
index 144b7eb..2a11583 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -84,6 +84,7 @@ struct audit_names {
unsigned long ino;
dev_t dev;
+ struct dentry *dentry;
umode_t mode;
kuid_t uid;
kgid_t gid;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4db32e8..b3797c7 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -74,6 +74,7 @@
#include <linux/string.h>
#include <linux/uaccess.h>
#include <uapi/linux/limits.h>
+#include <linux/dcache.h>
#include "audit.h"
@@ -881,6 +882,8 @@ static inline void audit_free_names(struct audit_context *context)
list_del(&n->list);
if (n->name)
putname(n->name);
+ if (n->dentry)
+ dput(n->dentry);
if (n->should_free)
kfree(n);
}
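Review bot: with this dput() and the one added to audit_copy_inode() there are now two places that release n->dentry; a one-line comment on the field in audit.h ("held reference, dropped in audit_free_names() or when the entry is refilled by audit_copy_inode()") would make the lifetime clear to the next reader.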
@@ -1858,7 +1861,7 @@ void __audit_file(const struct file *file)
* unsuccessful attempts.
*/
void __audit_inode_child(struct inode *parent,
- const struct dentry *dentry,
+ struct dentry *dentry,
const unsigned char type)
{
struct audit_context *context = current->audit_context;
@@ -1914,6 +1917,7 @@ void __audit_inode_child(struct inode *parent,
if (!n)
return;
audit_copy_inode(n, NULL, parent);
+ n->dentry = dget_parent(dentry);
}
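Review bot: `n->dentry = dget_parent(dentry)` has to stay after audit_copy_inode(n, NULL, parent), which now dput()s and clears n->dentry; a one-line comment here would protect the ordering against a later reorder.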
if (!found_child) {
@@ -1935,6 +1939,8 @@ void __audit_inode_child(struct inode *parent,
audit_copy_inode(found_child, dentry, inode);
else
found_child->ino = AUDIT_INO_UNSET;
+ if (!found_parent)
+ found_child->dentry = dget(dentry);
}
EXPORT_SYMBOL_GPL(__audit_inode_child);
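Review bot: `found_child->dentry = dget(dentry)` can overwrite a reference that found_child already holds: when found_child is an existing entry from the list and `inode` is NULL, the `else found_child->ino = AUDIT_INO_UNSET` branch skips audit_copy_inode(), so the old dentry is never dput() before being replaced, leaking a dentry reference (and pinning the dentry). dput() the old value before assigning, or move the release into this function so both branches share it.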
--
1.7.1
[PATCH v6 0/6] Improved seccomp logging
by Tyler Hicks
This patch set aims to improve logging in seccomp by:
1) Empowering administrators to be able to permit or quiet logging of
specific seccomp actions
2) Allowing applications to request logging of all actions, except for
RET_ALLOW, in the filter being loaded (subject to the
administrator's wishes in #1)
3) By making it possible for application developers to request logging
of specific syscalls while developing filters for their application
(subject to the administrator's wishes in #1)
With this patch set applied, the logic for deciding if an action will be
logged is as described in the commit message of the final patch.
* Changes since v5:
- Rebase onto
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/?h=seccomp...
(kees)
+ Redefine the value of SECCOMP_FILTER_FLAG_LOG to account for the
new SECCOMP_FILTER_FLAG_KILL_PROCESS
+ Add SECCOMP_FILTER_FLAG_KILL_PROCESS to the
detect_seccomp_filter_flags selftest
- Reorder patches to move SECCOMP_GET_ACTION_AVAIL patch behind
actions_avail sysctl patch (kees)
- Reorder patches to move the selftest to detect filter flag support
before the patch that adds SECCOMP_FILTER_FLAG_LOG (kees)
- Add pseudo code showing the high level logic of when and when not to
log to the commit message of each patch that changes the logging
behavior (inspired by kees)
- Add Suggested-by to the SECCOMP_GET_ACTION_AVAIL patch to credit
Andy for the idea (tyhicks)
- Use sizeof(seccomp_actions_avail), instead of strlen(), to avoid
variable length "names" array in seccomp_actions_logged_handler()
(smatch)
- Only check the actions_logged sysctl value for "kill" when first
introducing the actions_logged sysctl since filters cannot yet set
the FILTER_FLAG_LOG flag (kees)
- Mention how the actions_logged sysctl could quiet SECCOMP_RET_LOG
actions in seccomp_filter.rst documentation (kees)
Tyler
[PATCH v5 0/6] Improved seccomp logging
by Tyler Hicks
This is an update to the previous seccomp logging patch sets. The main
difference in this revision compared to the last is that the application now
has the ability to request that all actions in a filter, except for RET_ALLOW,
should be logged. This is done with a new filter flag. In support of that
change, the log_max_action sysctl was renamed to actions_logged as it now lists
the actions that an admin has allowed to be logged. The admin has the final say
in what actions get logged.
Please see the individual patches for summaries of changes since the last
revision.
Thanks!
Tyler
[PATCH] audit: update the function comments
by Geliang Tang
Update the function comments to match the code.
Signed-off-by: Geliang Tang <geliangtang(a)gmail.com>
---
kernel/audit.c | 2 +-
kernel/auditsc.c | 18 +++++++++---------
2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 0cf15c7..be1c28f 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1833,7 +1833,7 @@ void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
}
/**
- * audit_log_hex - convert a buffer to hex and append it to the audit skb
+ * audit_log_n_hex - convert a buffer to hex and append it to the audit skb
* @ab: the audit_buffer
* @buf: buffer to convert to hex
* @len: length of @buf to be converted
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index fd72e11..aac1a41 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1462,7 +1462,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
}
/**
- * audit_free - free a per-task audit context
+ * __audit_free - free a per-task audit context
* @tsk: task whose audit context block to free
*
* Called from copy_process and do_exit
@@ -1489,7 +1489,7 @@ void __audit_free(struct task_struct *tsk)
}
/**
- * audit_syscall_entry - fill in an audit record at syscall entry
+ * __audit_syscall_entry - fill in an audit record at syscall entry
* @major: major syscall type (function)
* @a1: additional syscall register 1
* @a2: additional syscall register 2
@@ -1543,7 +1543,7 @@ void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
}
/**
- * audit_syscall_exit - deallocate audit context after a system call
+ * __audit_syscall_exit - deallocate audit context after a system call
* @success: success value of the syscall
* @return_code: return value of the syscall
*
@@ -1705,7 +1705,7 @@ static struct audit_names *audit_alloc_name(struct audit_context *context,
}
/**
- * audit_reusename - fill out filename with info from existing entry
+ * __audit_reusename - fill out filename with info from existing entry
* @uptr: userland ptr to pathname
*
* Search the audit_names list for the current audit context. If there is an
@@ -1730,7 +1730,7 @@ __audit_reusename(const __user char *uptr)
}
/**
- * audit_getname - add a name to the list
+ * __audit_getname - add a name to the list
* @name: name to add
*
* Add a name to the list of audit names for this context.
@@ -2135,7 +2135,7 @@ void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
}
/**
- * audit_ipc_obj - record audit data for ipc object
+ * __audit_ipc_obj - record audit data for ipc object
* @ipcp: ipc permissions
*
*/
@@ -2151,7 +2151,7 @@ void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
}
/**
- * audit_ipc_set_perm - record audit data for new ipc permissions
+ * __audit_ipc_set_perm - record audit data for new ipc permissions
* @qbytes: msgq bytes
* @uid: msgq user id
* @gid: msgq group id
@@ -2180,7 +2180,7 @@ void __audit_bprm(struct linux_binprm *bprm)
/**
- * audit_socketcall - record audit data for sys_socketcall
+ * __audit_socketcall - record audit data for sys_socketcall
* @nargs: number of args, which should not be more than AUDITSC_ARGS.
* @args: args array
*
@@ -2211,7 +2211,7 @@ void __audit_fd_pair(int fd1, int fd2)
}
/**
- * audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
+ * __audit_sockaddr - record audit data for sys_bind, sys_connect, sys_sendto
* @len: data length in user space
* @a: data address in kernel space
*
--
2.9.3
Questions about enriched format and Node on RHEL 7.4
by Maupertuis Philippe
Hi,
With Rhel 7.4 just out, I am giving a try at the new audit.
Something seems strange to me.
With the default log_format = RAW in auditd.conf, I get the node= parameter right in rsyslog (through the syslog plugin).
If I switch to log_format = ENRICHED the parameter is missing altogether (no node=).
In both cases there is no node parameter in the local audit.log.
When I run ausearch --format text from the local host I never get node information.
When I run it on the data received by rsyslog (after stripping the prefix with sed 's/^.*audispd://'), I get the node information for the RAW format only.
Another point that bothers me is that I get an extra did-unknown line after each meaningful line when I use the remote content (RAW or ENRICHED).
This is what I get locally
At 16:03:55 07/08/17 fr18358, acting as root, successfully executed /bin/pkg-config
At 16:03:55 07/08/17 fr18358, acting as root, successfully executed /usr/libexec/grepconf.sh
At 16:03:55 07/08/17 fr18358, acting as root, successfully opened-file /dev/tty using grepconf.sh
At 16:03:55 07/08/17 fr18358, acting as root, successfully executed /bin/grep
This is what I get from remote data
At 15:43:52 07/08/17 fr18358, acting as root, successfully executed /bin/pkg-config
At 15:43:52 07/08/17 did-unknown
At 15:43:52 07/08/17 fr18358, acting as root, successfully executed /usr/libexec/grepconf.sh
At 15:43:52 07/08/17 did-unknown
At 15:43:52 07/08/17 fr18358, acting as root, successfully opened-file /dev/tty using grepconf.sh
At 15:43:52 07/08/17 did-unknown
At 15:43:52 07/08/17 fr18358, acting as root, successfully executed /bin/grep
Please tell me what I am doing wrong.
Philippe
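An added example, not code from any of the posts above, tying together three things this digest touches: the `name=fstype(magic):path` form that Richard's tracefs patch prints for anonymous parents (accepting both the bare hex of its sample output and the `0x` form its `0x%lx` emits), the untrusted-string encoding that `audit_log_untrustedstring()` applies to values such as `comm=` and `proctitle=` (quoted when clean, uppercase hex when not), and Philippe's `node=`/rsyslog question: records are grouped into events by their `msg=audit(ts:serial)` stamp, which is also how ausearch decides what belongs together. The three event-143 records are copied from the patch's sample output; the syslog-wrapped event-9001 lines, their PIDs and serial are constructed for the example.

```python
import re
from collections import OrderedDict

# Sample input. The event-143 records are copied from the tracefs patch's
# sample output; the two event-9001 lines are constructed to look like what
# rsyslog receives from the audispd syslog plugin (syslog header, then the
# record with its node= prefix). PIDs and serial are made up.
SAMPLE_LINES = [
    'Aug  7 15:43:52 fr18358 audispd: node=fr18358 type=SYSCALL '
    'msg=audit(1502113432.123:9001): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=1 pid=42 auid=1000 uid=0 comm="grepconf.sh" exe="/usr/bin/bash" key="exec"',
    'Aug  7 15:43:52 fr18358 audispd: node=fr18358 type=PROCTITLE '
    'msg=audit(1502113432.123:9001): proctitle=2F7573722F6C6962657865632F67726570636F6E662E7368',
    'type=PROCTITLE msg=audit(1488317694.446:143): '
    'proctitle=2F7362696E2F6D6F6470726F6265002D71002D2D006E66737634',
    'type=PATH msg=audit(1488317694.446:143): item=0 name=tracefs(74726163):/events '
    'inode=119 dev=00:09 mode=040755 ouid=0 ogid=0 rdev=00:00 '
    'obj=system_u:object_r:tracefs_t:s0 nametype=PARENT',
    'type=PATH msg=audit(1488317694.446:143): item=1 name=tracefs(74726163):/events/nfs4 '
    'inode=15571 dev=00:09 mode=040755 ouid=0 ogid=0 rdev=00:00 '
    'obj=system_u:object_r:tracefs_t:s0 nametype=CREATE',
]

# Same effect as sed 's/^.*audispd://' from the question, plus the
# "audispd[pid]:" variant some syslog configurations produce.
SYSLOG_PREFIX = re.compile(r'^.*audispd(?:\[\d+\])?:\s*')
MSG_RE = re.compile(r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# audit_log_untrustedstring() emits a value as an unquoted run of uppercase
# hex when it contains a quote, whitespace or a control character.
HEX_RE = re.compile(r'^(?:[0-9A-F]{2})+$')
# name=fstype(magic):path for anonymous parents; the patch's sample output shows
# bare hex, its "0x%lx" prints a prefix, so both are accepted.
FS_NAME_RE = re.compile(r'^(?P<fstype>[^(/\s]+)\((?:0x)?(?P<magic>[0-9a-fA-F]+)\):(?P<path>.*)$')


def strip_syslog_prefix(line):
    return SYSLOG_PREFIX.sub('', line.rstrip('\n'), count=1)


def parse_record(line):
    """Split one audit record into an ordered dict of raw field values.
    Fields before msg= (node=, type=) and after it are both kept; timestamp and
    serial from msg=audit(ts:serial) go into _ts/_serial. Values are left
    exactly as logged (quotes and hex encoding intact)."""
    line = strip_syslog_prefix(line)
    m = MSG_RE.search(line)
    if not m:
        raise ValueError('not an audit record: %r' % line)
    rec = OrderedDict()
    for k, v in FIELD_RE.findall(line[:m.start()]) + FIELD_RE.findall(line[m.end():]):
        rec[k] = v
    rec['_ts'] = m.group('ts')
    rec['_serial'] = int(m.group('serial'))
    return rec


def decode_untrusted(value):
    """Undo the kernel's untrusted-string encoding for fields logged through
    audit_log_untrustedstring() (comm=, exe=, name=, proctitle=, ...): a quoted
    value loses its quotes, a hex run is decoded, and NUL separators (argv
    boundaries in proctitle=) become spaces. Do not apply it to numeric fields,
    where an even-length number would be misread as hex."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if HEX_RE.match(value):
        return bytes.fromhex(value).decode('utf-8', 'replace').replace('\x00', ' ')
    return value


def split_fs_name(name):
    """Return (fstype, magic, magic_as_ascii, path) for the fstype(magic):path
    form, or None for an ordinary path name."""
    m = FS_NAME_RE.match(name)
    if not m:
        return None
    magic_hex = m.group('magic')
    if len(magic_hex) % 2:
        magic_hex = '0' + magic_hex
    return (m.group('fstype'), int(magic_hex, 16),
            bytes.fromhex(magic_hex).decode('ascii', 'replace'), m.group('path'))


def group_events(lines):
    """Group records into events keyed by (timestamp, serial), in first-seen
    order; every record of one event must carry the same msg=audit(...) stamp."""
    events = OrderedDict()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        events.setdefault((rec['_ts'], rec['_serial']), []).append(rec)
    return events


def summarize(lines):
    """One dict per event: node (None when the records carry no node= field, as
    in a local audit.log), record types, decoded proctitle and decoded PATH names."""
    out = []
    for (ts, serial), recs in group_events(lines).items():
        nodes = {r.get('node') for r in recs}
        proctitle = next((decode_untrusted(r['proctitle']) for r in recs
                          if 'proctitle' in r), None)
        paths = [split_fs_name(decode_untrusted(r['name'])) for r in recs
                 if r.get('type') == 'PATH' and 'name' in r]
        out.append({'ts': ts, 'serial': serial,
                    'node': nodes.pop() if len(nodes) == 1 else None,
                    'types': [r.get('type') for r in recs],
                    'proctitle': proctitle,
                    'paths': [p for p in paths if p is not None]})
    return out


if __name__ == '__main__':
    for ev in summarize(SAMPLE_LINES):
        print(ev)
```

Run as-is it prints the two events; feed it the lines of a remote log instead to check, per event, whether every record carries the same node= and whether the event's record set is complete, which is the first thing to look at when ausearch emits a line it cannot attribute to an event.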