[PATCH] audit: use session_info helper
by Richard Guy Briggs
There are still a couple of places (mark and watch config changes) that
open code auid and ses fields in sequence in records instead of using
the audit_log_session_info() helper. Use the helper. Adjust the helper
to accomodate being the first fields. Passes audit-testsuite.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/audit.c | 6 +++---
kernel/audit_fsnotify.c | 5 ++---
kernel/audit_watch.c | 5 ++---
3 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 2a8058764aa6..6c53e373b828 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -400,7 +400,7 @@ static int audit_log_config_change(char *function_name, u32 new, u32 old,
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
if (unlikely(!ab))
return rc;
- audit_log_format(ab, "%s=%u old=%u", function_name, new, old);
+ audit_log_format(ab, "%s=%u old=%u ", function_name, new, old);
audit_log_session_info(ab);
rc = audit_log_task_context(ab);
if (rc)
@@ -1067,7 +1067,7 @@ static void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
*ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
if (unlikely(!*ab))
return;
- audit_log_format(*ab, "pid=%d uid=%u", pid, uid);
+ audit_log_format(*ab, "pid=%d uid=%u ", pid, uid);
audit_log_session_info(*ab);
audit_log_task_context(*ab);
}
@@ -2042,7 +2042,7 @@ void audit_log_session_info(struct audit_buffer *ab)
unsigned int sessionid = audit_get_sessionid(current);
uid_t auid = from_kuid(&init_user_ns, audit_get_loginuid(current));
- audit_log_format(ab, " auid=%u ses=%u", auid, sessionid);
+ audit_log_format(ab, "auid=%u ses=%u", auid, sessionid);
}
void audit_log_key(struct audit_buffer *ab, char *key)
diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c
index fba78047fb37..f90ffa699e5b 100644
--- a/kernel/audit_fsnotify.c
+++ b/kernel/audit_fsnotify.c
@@ -130,9 +130,8 @@ static void audit_mark_log_rule_change(struct audit_fsnotify_mark *audit_mark, c
ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
if (unlikely(!ab))
return;
- audit_log_format(ab, "auid=%u ses=%u op=%s",
- from_kuid(&init_user_ns, audit_get_loginuid(current)),
- audit_get_sessionid(current), op);
+ audit_log_session_info(ab);
+ audit_log_format(ab, " op=%s", op);
audit_log_format(ab, " path=");
audit_log_untrustedstring(ab, audit_mark->path);
audit_log_key(ab, rule->filterkey);
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index 787c7afdf829..568e48d1d0ab 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -245,9 +245,8 @@ static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watc
ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
if (!ab)
return;
- audit_log_format(ab, "auid=%u ses=%u op=%s",
- from_kuid(&init_user_ns, audit_get_loginuid(current)),
- audit_get_sessionid(current), op);
+ audit_log_session_info(ab);
+ audit_log_format(ab, "op=%s", op);
audit_log_format(ab, " path=");
audit_log_untrustedstring(ab, w->path);
audit_log_key(ab, r->filterkey);
--
1.8.3.1
5 years, 11 months
[PATCH ghak59 V2 0/6] audit: config_change normalizations and event record gathering
by Richard Guy Briggs
Make a number of changes to normalize CONFIG_CHANGE records by adding
missing op= fields, providing more information in existing op fields and
connecting all records to existing audit events.
The user record patch is included but is *optional* since there is doubt
that we want to disconnect the records from a single event.
Since tree purge records are processed after the EOE record is produced,
the order of operation of the EOE record and the purge will have to be
reversed so that the purge records can be included in the event.
For reference, here are the calling methods and function tree for all
CONFIG_CHANGE events:
- audit_log_config_change() "op=set"
- AUDIT_SET:AUDIT_STATUS_PID
- AUDIT_SET:AUDIT_STATUS_LOST
- audit_do_config_change()
- AUDIT_SET:AUDIT_STATUS_FAILURE
- AUDIT_SET:AUDIT_STATUS_ENABLED
- AUDIT_SET:AUDIT_STATUS_RATE_LIMIT
- AUDIT_SET:AUDIT_STATUS_BACKLOG_LIMIT
- AUDIT_SET:AUDIT_STATUS_BACKLOG_WAIT_TIME
- audit_log_common_recv_msg()
- AUDIT_*USER* events (not CONFIG_CHANGE like all the rest)
- AUDIT_LOCKED "op=%s_rule"(add/remove)
- AUDIT_TRIM "op=trim"
- AUDIT_MAKE_EQUIV: "op=make_equiv"
- AUDIT_TTY_SET: "op=tty_set"
- audit_log_rule_change()
- AUDIT_ADD_RULE -F dir=:
- AUDIT_DEL_RULE -F dir=:
- audit_mark_log_rule_change()
- audit_autoremove_mark_rule() "op=autoremove_rule(mark)"
- audit_mark_handle_event()
- audit_mark_fsnotify_ops.handle_event
- audit_tree_log_remove_rule() "op=remove_rule(tree:%s)" from kill_rules()
- from trim_marked()
- AUDIT_TRIM: audit_trim_trees() "trim"
- audit_add_tree_rule() iterate_mounts err "add"
- audit_add_rule()
- audit_rule_change()
- AUDIT_ADD_RULE -F dir=:
- AUDIT_MAKE_EQUIV: audit_tag_tree() iterate_mounts err "equiv"
- from audit_kill_trees()
- __audit_free() "free"
- do_exit()
- copy_process() err
- __audit_syscall_exit() "exit"
- from evict_chunk() "evict"
- audit_tree_freeing_mark()
- audit_tree_ops.freeing_mark
- audit_watch_log_rule_change()
- audit_update_watch() "updated_rules(watch:inval)" : "updated_rules(watch:set)"
- audit_watch_handle_event() FS_CREATE|FS_MOVED_TO, FS_DELETE|FS_MOVED_FROM
- audit_watch_fsnotify_ops.handle_event
- audit_remove_parent_watches() "remove_rule(watch:parent)"
- audit_watch_handle_event() FS_DELETE_SELF|FS_UNMOUNT|FS_MOVE_SELF
- audit_watch_fsnotify_ops.handle_event
See: https://github.com/linux-audit/audit-kernel/issues/50
See: https://github.com/linux-audit/audit-kernel/issues/59
Changelog:
v2:
- re-order audit_log_exit() and audit_kill_trees()
- drop EOE reordering patch
- rebase on 4.18-rc1 (audit/next)
Richard Guy Briggs (6):
audit: give a clue what CONFIG_CHANGE op was involved
audit: add syscall information to CONFIG_CHANGE records
audit: exclude user records from syscall context
audit: hand taken context to audit_kill_trees for syscall logging
audit: kill trees before logging syscall exit for exit/free
audit: extend config_change mark/watch/tree rule changes
kernel/audit.c | 20 ++++++++++++++------
kernel/audit.h | 4 ++--
kernel/audit_fsnotify.c | 4 ++--
kernel/audit_tree.c | 28 +++++++++++++++-------------
kernel/audit_watch.c | 8 +++++---
kernel/auditfilter.c | 2 +-
kernel/auditsc.c | 9 ++++-----
7 files changed, 43 insertions(+), 32 deletions(-)
--
1.8.3.1
5 years, 11 months
[PATCH 0/11 v3] audit: Fix various races when tagging and untagging mounts
by Jan Kara
Hello,
this is the third revision of the series that addresses problems I have
identified when trying to understand how exactly is kernel/audit_tree.c using
generic fsnotify framework. I hope I have understood all the interactions right
but careful review is certainly welcome.
The patches have been tested by a stress test I have written which mounts &
unmounts filesystems in the directory tree while adding and removing audit
rules for this tree in parallel and accessing the tree to generate events.
Still some real-world testing would be welcome.
Changes since v2:
* Fixed up mark freeing to use proper pointer as pointed out by Amir
* Changed some naming based on Paul's review
Changes since v1:
* Split the last patch to ease review
* Rewrite test script so that it can be included in audit testsuite
* Some cleanups and improvements suggested by Amir
Honza
5 years, 11 months
Using audisp remote results in "dispatch err (pipe full) event lost"
by Kay Mccormick
I have configured 3 servers to send their audit events to my centralized
host. I am using port 60 and private network addresses that are supported
between the hosts. My iptables/nftables rules
allow all traffic from the specific IP addresses set for my hosts., so
there is no problem
with network communication - except for this error I get in my log file for
one of the hosts.
I attached to process with strace and when I do so, the error does not
appear. When I detach strace, the error appears again. I have verified that
log events from the host are making it to the central server.
I have increased q_depth in /etc/audisp/audispd.conf from 250 to 2500 to
25000 to no avail. Upon reading the man page it appears that this is for
the "mode forwarding" configuration instead of the "immediate"
configuration, which is the default (on debian buster)
Changing the auditd to forward doesn't seem to help. It can't be that the
"pipe is full" because there really aren't that many messages - it must be
another sort of error.
Thanks in advance for any help.
5 years, 11 months
auditd and CAP_AUDIT_READ
by Richard Guy Briggs
Hi Steve,
In commit 183775f155cb96d8012c2d493041a03f1b825b2f ("Do capabilities
check rather than uid") a switch was made from checking "getuid() != 0"
to checking CAP_AUDIT_CONTROL and CAP_AUDIT_READ via audit_can_control()
and audit_can_read().
Does auditd use the multicast socket? If not, there is no need for it
to check or have CAP_AUDIT_READ.
Having audit_can_read() available in lib/libaudit.c is certainly useful
regardless for other potential libaudit users like systemd.
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
5 years, 11 months
[PATCH 0/2] riscv: add audit support
by David Abdurachmanov
This patchset adds system call audit support on riscv (riscv32 &
riscv64).
The pachset was prepared on top of v4.19 tag.
audit-userspace changes were submitted. See:
https://github.com/linux-audit/audit-userspace/pull/73
Tested the following manually:
- auditctl (checked several different example rules from internet)
- aulast
- aulastlog
- ausearch
- ausyscall
- aureport
- autrace (compared some syscalls to strace: order and return
value/input arguments seem to be correct)
- /proc/self/loginuid (required by DNF [package manager])
I looked into audit-testsuite and with some adjustments results are:
Failed 4/14 test programs. 19/88 subtests failed.
The failing tests were due to missing CONFIG_IP_NF_MANGLE, 'id -Z' not
printing categories (don't know why), not having loadable kernel module
support enablled and syscall_socketcall not being relevant for new arches.
audit-testsuite with adjustments:
https://github.com/davidlt/audit-testsuite/tree/riscv64
Depends on:
[PATCH 1/2] Move EM_RISCV into elf-em.h
http://lists.infradead.org/pipermail/linux-riscv/2018-October/001885.html
This should solve DNF issues in Fedora 29/RISCV.
David Abdurachmanov (2):
riscv: add audit support
riscv: audit: add audit hook in do_syscall_trace_enter/exit()
arch/riscv/Kconfig | 1 +
arch/riscv/include/asm/ptrace.h | 5 +++++
arch/riscv/include/asm/syscall.h | 10 ++++++++++
arch/riscv/include/asm/thread_info.h | 6 ++++++
arch/riscv/kernel/entry.S | 4 ++--
arch/riscv/kernel/ptrace.c | 5 +++++
include/uapi/linux/audit.h | 2 ++
7 files changed, 31 insertions(+), 2 deletions(-)
--
2.17.2
5 years, 11 months
stuck on ghak100 testsuite script
by Richard Guy Briggs
Hi Paul, Ondrej,
I've got a couple of patches with two different approaches to address
ghak100:
https://github.com/linux-audit/audit-kernel/issues/100
The patches work, but I've not posted them yet because I wanted to
update the audit-testsuite first to consistently test it.
I've written a test to automate the regression test to add to
audit-testsuite based on the reproducer recipe provided in ghak100. The
procedure in the description of ghak100 works, but I'm having some
trouble with the script. In particular, it is hanging the script on the
"kill 'SIGSTOP' $pid_fuse" line. Once it hangs, the main script, the
test subscript and both backgrounded processes (fuse and umount) are
still hanging around.
Here's the script:
https://github.com/linux-audit/audit-testsuite/compare/master...rgbriggs:...
Do either of you have any insight why this might be happenning and how
to fix or work around it?
A couple of minor notes:
- The $pid_fuse += 1 is necessary since it forks from the PID reported
to the shell.
- The SIGSTOP is necessary to simulate the hung filesystem.
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
5 years, 11 months
[PATCH 0/14 v4] audit: Fix various races when tagging and untagging mounts
by Jan Kara
Hello,
this is the fourth revision of the series that addresses problems I have
identified when trying to understand how exactly is kernel/audit_tree.c using
generic fsnotify framework. I hope I have understood all the interactions right
but careful review is certainly welcome.
The patches have been tested by a stress test I have written which mounts &
unmounts filesystems in the directory tree while adding and removing audit
rules for this tree in parallel and accessing the tree to generate events.
Note that after running the stress test for ~10 hours, the kernel crashed in
shmem_evict_inode() but I have tracked that down to an independent bug in
fsnotify infrastructure which I'll fix separately and push the fix through
my tree.
Changes since v3:
* Renamed mark to amark in alloc_mark()
* Fixed intermediate compilation breakage in one patch
* Fixed possible lockup due to prune_one() racing with
audit_tree_freeing_mark() and never making progress
* Simplified locking around untag_chunk()
* Fixed list corruption of chunk->trees list when tag_chunk() added a tree to
chunk->trees and then replace_chunk() called
list_replace(&old->trees, &chunk->trees);
* I've dropped the patch for audit testsuite from this posting since it
didn't change since v2 and Paul picked it up AFAIU.
* Added reviewed-by tags for unchanged patches
Changes since v2:
* Fixed up mark freeing to use proper pointer as pointed out by Amir
* Changed some naming based on Paul's review
Changes since v1:
* Split the last patch to ease review
* Rewrite test script so that it can be included in audit testsuite
* Some cleanups and improvements suggested by Amir
Honza
5 years, 11 months
[PATCH 00/13] Prepare for PTRACE_GET_SYSCALL_INFO
by Dmitry V. Levin
syscall_get_arch() is required to be implemented on all architectures
that use tracehook_report_syscall_entry() in order to extend
the generic ptrace API with PTRACE_GET_SYSCALL_INFO request.
Dmitry V. Levin (13):
Move EM_HEXAGON to uapi/linux/elf-em.h
elf-em.h: add EM_ARC
elf-em.h: add EM_NDS32
elf-em.h: add EM_XTENSA
m68k: define syscall_get_arch()
arc: define syscall_get_arch()
c6x: define syscall_get_arch()
h8300: define syscall_get_arch()
hexagon: define syscall_get_arch()
nds32: define syscall_get_arch()
nios2: define syscall_get_arch()
riscv: define syscall_get_arch()
xtensa: define syscall_get_arch()
arch/arc/include/asm/syscall.h | 6 ++++++
arch/c6x/include/asm/syscall.h | 6 ++++++
arch/h8300/include/asm/syscall.h | 5 +++++
arch/hexagon/include/asm/elf.h | 6 +-----
arch/hexagon/include/asm/syscall.h | 8 ++++++++
arch/m68k/include/asm/syscall.h | 12 ++++++++++++
arch/nds32/include/asm/syscall.h | 7 +++++++
arch/nios2/include/asm/syscall.h | 6 ++++++
arch/riscv/include/asm/syscall.h | 6 ++++++
arch/xtensa/include/asm/syscall.h | 7 +++++++
include/uapi/linux/audit.h | 8 ++++++++
include/uapi/linux/elf-em.h | 5 +++++
12 files changed, 77 insertions(+), 5 deletions(-)
create mode 100644 arch/m68k/include/asm/syscall.h
--
ldv
5 years, 11 months
[PATCH ghak99 v1] audit: print empty EXECVE args
by Richard Guy Briggs
Empty executable arguments were being skipped when printing out the list
of arguments in an EXECVE record, making it appear they were somehow
lost. Include empty arguments as an itemized empty string.
Reproducer:
autrace /bin/ls "" "/etc"
ausearch --start recent -m execve -i | grep EXECVE
type=EXECVE msg=audit(10/03/2018 13:04:03.208:1391) : argc=3 a0=/bin/ls a2=/etc
With fix:
type=EXECVE msg=audit(10/03/2018 21:51:38.290:194) : argc=3 a0=/bin/ls a1= a2=/etc
type=EXECVE msg=audit(1538617898.290:194): argc=3 a0="/bin/ls" a1="" a2="/etc"
Passes audit-testsuite
Based on: v4.19-rc2 (audit/next)
See: https://github.com/linux-audit/audit-kernel/issues/99
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/auditsc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index b2d1f04..1513873 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1107,7 +1107,7 @@ static void audit_log_execve_info(struct audit_context *context,
}
/* write as much as we can to the audit log */
- if (len_buf > 0) {
+ if (len_buf >= 0) {
/* NOTE: some magic numbers here - basically if we
* can't fit a reasonable amount of data into the
* existing audit buffer, flush it and start with
--
1.8.3.1
5 years, 12 months