[RFC PATCH] audit-testsuite: restrict the syscall_socketcall test to x86/x86_64
by Paul Moore
From: Paul Moore <paul(a)paul-moore.com>
Add the ability to filter out tests based on the host system's ABI
as determined by "uname -m". This allows the test to run
successfully on aarch64, and likely many other non-x86 ABIs as well.
Signed-off-by: Paul Moore <paul(a)paul-moore.com>
---
tests/Makefile | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/tests/Makefile b/tests/Makefile
index 297c56a..5ab0785 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -2,8 +2,16 @@
export CFLAGS+=-g -O0 -Wall -D_GNU_SOURCE
DISTRO := $(shell ./os_detect)
-MODE := $(shell [ $(shell uname -i) == "i386" ] && echo "32" || echo "64")
-
+MACHINE := $(shell uname -m)
+# NOTE: this assumes that only i386 is 32-bit which is obviously wrong, but
+# until we can test this on other 32-bit ABIs limit MODE=32 to i386
+ifeq ($(MACHINE),i386)
+MODE := 32
+else
+MODE := 64
+endif
+
+# all of the tests
TESTS := \
exec_execve \
exec_name \
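Review bot: the `ifeq ($(MACHINE),i386)` test will rarely match on a real 32-bit x86 host, because `uname -m` reports the CPU family there (typically i686, sometimes i586), not i386, so MODE ends up as 64 on exactly the systems this branch is meant to catch; the old `uname -i` comparison at least matched the hardware-platform string. Suggest matching the whole family, e.g. `ifneq ($(filter i386 i486 i586 i686,$(MACHINE)),)`, and then narrowing the NOTE comment to the limitation that actually remains (non-x86 32-bit ABIs).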
@@ -20,6 +28,11 @@ TESTS := \
syscall_socketcall \
user_msg
+# apply any ABI restrictions to the tests
+ifneq ($(MACHINE),$(filter i386 x86_64,$(MACHINE)))
+ TESTS := $(filter-out syscall_socketcall,$(TESTS))
+endif
+
.PHONY: all test clean
all:
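Review bot: the allow-list in `ifneq ($(MACHINE),$(filter i386 x86_64,$(MACHINE)))` repeats the i386-only assumption from the MODE block, so a 32-bit x86 host reporting i686 would have syscall_socketcall filtered out even though it is an x86 ABI; define the x86 machine list once (e.g. `X86_MACHINES := i386 i486 i586 i686 x86_64`) and use it in both places. The comparison is also the idiomatic `ifeq ($(filter ...),)` written in reverse; the direct form reads more clearly.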
[PATCH ghak95] audit: Do not log full CWD path on empty relative paths
by Ondrej Mosnacek
When a relative path has just a single component and we want to emit a
nametype=PARENT record, the current implementation just reports the full
CWD path (which is already available in the audit context).
This is wrong for three reasons:
1. Wasting log space for redundant data (CWD path is already in the CWD
record).
2. Inconsistency with other PATH records (if a relative PARENT directory
path contains at least one component, only the verbatim relative path
is logged).
3. In some syscalls (e.g. openat(2)) the relative path may not even be
relative to the CWD, but to another directory specified as a file
descriptor. In that case the logged path is simply plain wrong.
This patch modifies this behavior to simply report "." in the
aforementioned case, which is equivalent to an "empty" directory path
and can be concatenated with the actual base directory path (CWD or
dirfd from openat(2)-like syscall) once support for its logging is added
later. In the meantime, defaulting to CWD as base directory on relative
paths (as already done by the userspace tools) will be enough to achieve
results equivalent to the current behavior.
See: https://github.com/linux-audit/audit-kernel/issues/95
Fixes: 9c937dcc7102 ("[PATCH] log more info for directory entry change events")
Signed-off-by: Ondrej Mosnacek <omosnace(a)redhat.com>
---
kernel/audit.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 2a8058764aa6..4f18bd48eb4b 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -2127,28 +2127,27 @@ void audit_log_name(struct audit_context *context, struct audit_names *n,
audit_log_format(ab, "item=%d", record_num);
+ audit_log_format(ab, " name=");
if (path)
- audit_log_d_path(ab, " name=", path);
+ audit_log_d_path(ab, NULL, path);
else if (n->name) {
switch (n->name_len) {
case AUDIT_NAME_FULL:
/* log the full path */
- audit_log_format(ab, " name=");
audit_log_untrustedstring(ab, n->name->name);
break;
case 0:
/* name was specified as a relative path and the
* directory component is the cwd */
- audit_log_d_path(ab, " name=", &context->pwd);
+ audit_log_untrustedstring(ab, ".");
break;
default:
/* log the name's directory component */
- audit_log_format(ab, " name=");
audit_log_n_untrustedstring(ab, n->name->name,
n->name_len);
}
} else
- audit_log_format(ab, " name=(null)");
+ audit_log_format(ab, "(null)");
if (n->ino != AUDIT_INO_UNSET)
audit_log_format(ab, " inode=%lu"
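Review bot: the `case 0:` comment still says "the directory component is the cwd", which is exactly the assumption this hunk removes; update it to say that "." is logged as a placeholder for the base directory (CWD, or the dirfd of an openat(2)-style call) so the next reader does not reintroduce `&context->pwd`. Hoisting `audit_log_format(ab, " name=");` above `if (path)` also makes the `audit_log_d_path(ab, NULL, path)` call depend on that helper tolerating a NULL prefix; either mention that in the commit message or keep the prefix on the d_path call and move the format only for the other branches.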
--
2.17.1
operation not supported on filtering
by Vincent Fiset
I got a minimal audit.rules file containing:
# cat -n /etc/audit/audit.rules
1 -D
2
3 -b 8192
4
5 -e 0
6
7 -a always,exclude -F msgtype=CWD
8
9 -w /etc/sysctl.conf -p wa -k sysctl
When I restart auditd I get:
# /etc/init.d/auditd restart
Restarting audit daemon: auditd Error sending add rule request
(Operation not supported)
There was an error in line 7 of /etc/audit/audit.rules
failed!
Instructions like `-a always,exclude -F msgtype=CWD` seem to be very
popular in examples all over the internet. I don't understand why I get the
error.
I use auditd `1:1.7.18-1.1` on Debian 7.
What should I do to make this filter work?
--
/VF
use openat to create a file, then audit log can't show the full path name?
by litaibaichina@gmail.com
Hi Guys,
I tried to use code like the following to create a file, and I am watching /data/Documents:
# auditctl -l
-w /data/Documents -p rwa
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Open an absolute path one component at a time: every intermediate
 * directory is opened with openat(2) relative to the previous component's
 * fd, and the final component is opened/created relative to its parent fd. */
int my_open(const char *path, int flags, mode_t mode)
{
    char *new = strdup(path);
    char *p;
    const char *last;
    int dirfd, lastfd;
    int fd = -1;

    if (!new)
        return -1;
    dirfd = lastfd = open("/", O_DIRECTORY|O_NOFOLLOW);
    /* skip the leading '/' and walk the intermediate components */
    for (last = new + 1; (p = strchr(last, '/')); last = p)
    {
        while (*p == '/')
            *p++ = '\0';
        dirfd = openat(lastfd, last, O_RDONLY|O_DIRECTORY|O_NOFOLLOW);
        close(lastfd);
        if (dirfd < 0)
            break;
        lastfd = dirfd;
    }
    if (dirfd >= 0)
    {
        /* final component, relative to the parent directory fd */
        fd = openat(dirfd, last, flags|O_NOFOLLOW, mode);
        close(dirfd);
    }
    free(new);
    return fd;
}
then get audit logs like:
----
type=PROCTITLE msg=audit(12/04/2018 08:57:28.750:6495) : proctitle=./test-sscanf
type=PATH msg=audit(12/04/2018 08:57:28.750:6495) : item=0 name=Documents inode=256 dev=00:2a mode=dir,777 ouid=guest ogid=guest rdev=00:00 nametype=NORMAL
type=CWD msg=audit(12/04/2018 08:57:28.750:6495) : cwd=/root
type=SYSCALL msg=audit(12/04/2018 08:57:28.750:6495) : arch=x86_64 syscall=openat success=yes exit=3 a0=0x4 a1=0x14c9016 a2=O_RDONLY|O_DIRECTORY|O_NOFOLLOW a3=0x0 items=1 ppid=19411 pid=19494 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=30 comm=test-sscanf exe=/root/test-sscanf key=(null)
----
type=PROCTITLE msg=audit(12/04/2018 08:57:28.750:6496) : proctitle=./test-sscanf
type=PATH msg=audit(12/04/2018 08:57:28.750:6496) : item=1 name=test-safeopen.txt inode=1714024 dev=00:2a mode=file,664 ouid=root ogid=root rdev=00:00 nametype=CREATE
type=PATH msg=audit(12/04/2018 08:57:28.750:6496) : item=0 name=/root inode=256 dev=00:2a mode=dir,777 ouid=guest ogid=guest rdev=00:00 nametype=PARENT
type=CWD msg=audit(12/04/2018 08:57:28.750:6496) : cwd=/root
type=SYSCALL msg=audit(12/04/2018 08:57:28.750:6496) : arch=x86_64 syscall=openat success=yes exit=4 a0=0x3 a1=0x14c9020 a2=O_WRONLY|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a3=0x1b4 items=2 ppid=19411 pid=19494 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=30 comm=test-sscanf exe=/root/test-sscanf key=(null)
So it looks like I can't get the full path /data/Documents/test-safeopen.txt; audit can't remember the path from item 0?
Thanks.
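What a log consumer can and cannot recover from records like these, as an added example (my own code, not part of the post and not the audit userspace tools): it groups records by event serial, joins a relative PATH name to the PARENT record and that to the CWD record, which is the default base-directory assumption the userspace tools make, and flags the result as unreliable when the SYSCALL record shows a real directory fd in a0 rather than AT_FDCWD. The records below are a constructed subset of the ones shown in the post (PROCTITLE lines dropped, SYSCALL lines shortened); the AT_FDCWD spellings, the list of *at syscalls and the output dictionary shape are this example's own assumptions. For event 6496 it reproduces the wrong answer the kernel's CWD substitution produces (/root instead of /data/Documents) and marks it unreliable; the test in the usage note also feeds it a record set with the "." placeholder that the ghak95 patch earlier on this page logs instead, which resolves cleanly when a0 is AT_FDCWD.

```python
import posixpath
import re
from collections import defaultdict

# Constructed sample: a subset of the records from the post above (PROCTITLE
# lines dropped, SYSCALL lines shortened); event serial numbers kept as shown.
SAMPLE_LOG = """\
type=PATH msg=audit(12/04/2018 08:57:28.750:6495) : item=0 name=Documents inode=256 dev=00:2a mode=dir,777 nametype=NORMAL
type=CWD msg=audit(12/04/2018 08:57:28.750:6495) : cwd=/root
type=SYSCALL msg=audit(12/04/2018 08:57:28.750:6495) : arch=x86_64 syscall=openat success=yes exit=3 a0=0x4 a1=0x14c9016 a2=O_RDONLY|O_DIRECTORY|O_NOFOLLOW a3=0x0 items=1 comm=test-sscanf key=(null)
type=PATH msg=audit(12/04/2018 08:57:28.750:6496) : item=1 name=test-safeopen.txt inode=1714024 dev=00:2a mode=file,664 nametype=CREATE
type=PATH msg=audit(12/04/2018 08:57:28.750:6496) : item=0 name=/root inode=256 dev=00:2a mode=dir,777 nametype=PARENT
type=CWD msg=audit(12/04/2018 08:57:28.750:6496) : cwd=/root
type=SYSCALL msg=audit(12/04/2018 08:57:28.750:6496) : arch=x86_64 syscall=openat success=yes exit=4 a0=0x3 a1=0x14c9020 a2=O_WRONLY|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a3=0x1b4 items=2 comm=test-sscanf key=(null)
"""

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((.+?):(\d+)\) : (.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Syscalls whose path argument is relative to a directory fd (a0), not the CWD.
AT_SYSCALLS = {"openat", "mkdirat", "unlinkat", "renameat", "linkat", "symlinkat",
               "fchownat", "fchmodat", "newfstatat", "readlinkat", "mknodat"}
# Assumption: raw spellings of AT_FDCWD (-100) as a0 appears in audit logs.
AT_FDCWD_RAW = {"0xffffff9c", "ffffff9c", "0xffffffffffffff9c"}


def parse_record(line):
    """Split one interpreted (ausearch -i style) record into (type, serial, fields)."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, _timestamp, serial, body = m.groups()
    return rtype, int(serial), dict(FIELD_RE.findall(body))


def group_events(text):
    """Collect the records of each event, keyed by the event serial number."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            rtype, serial, fields = rec
            events[serial].append((rtype, fields))
    return events


def reconstruct(records):
    """Rebuild the object path for one event the way a default consumer does
    (relative name joined to the PARENT record, that joined to the CWD) and
    flag whether the SYSCALL record actually justifies the CWD assumption."""
    by_type = defaultdict(list)
    for rtype, fields in records:
        by_type[rtype].append(fields)
    cwd = by_type["CWD"][0]["cwd"] if by_type["CWD"] else "/"
    syscall = by_type["SYSCALL"][0] if by_type["SYSCALL"] else {}
    paths = by_type["PATH"]

    obj = next((p for p in paths if p.get("nametype") in ("CREATE", "NORMAL", "DELETE")), None)
    parent = next((p for p in paths if p.get("nametype") == "PARENT"), None)
    if obj is None:
        return None
    name = obj["name"]

    if name.startswith("/"):
        path = posixpath.normpath(name)
    else:
        base = parent["name"] if parent else "."
        if not base.startswith("/"):
            base = posixpath.join(cwd, base)   # a "." PARENT lands here
        path = posixpath.normpath(posixpath.join(base, name))

    # The CWD is only a valid base when the syscall did not take a real dirfd.
    reliable = (name.startswith("/")
                or syscall.get("syscall") not in AT_SYSCALLS
                or syscall.get("a0") in AT_FDCWD_RAW)
    return {"path": path, "dirfd": syscall.get("a0"), "reliable": reliable}


if __name__ == "__main__":
    for serial, records in sorted(group_events(SAMPLE_LOG).items()):
        print(serial, reconstruct(records))
```

Running it prints /root/Documents and /root/test-safeopen.txt for the two events, both flagged unreliable, because a0 is 0x4 and 0x3 rather than AT_FDCWD; the real base directory lived only in the process's fd table and never reached the log, which is why the thread's question cannot be answered from the records alone.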
[PATCH V2] audit: shorten PATH cap values when zero
by Richard Guy Briggs
Since the vast majority of files (99.993% on a typical system) have no
fcaps, display "0" instead of the full zero-padded 16 hex digits in the
two PATH record cap_f* fields to save netlink bandwidth and disk space.
Simply changing the format to %x won't work since the value is two (or
possibly more in the future) 32-bit hexadecimal values concatenated and
bits in higher order values will be misrepresented.
Passes audit-testsuite and userspace tools already work fine.
Please see the github issue tracker for more details
https://github.com/linux-audit/audit-kernel/issues/101
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
Acked-by: Steve Grubb <sgrubb(a)redhat.com>
---
Changelog:
v2:
- switch to cap_isclear() and condense logic
kernel/audit.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 2a8058764aa6..55b2079145dc 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -2058,11 +2058,13 @@ void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
{
int i;
- audit_log_format(ab, " %s=", prefix);
- CAP_FOR_EACH_U32(i) {
- audit_log_format(ab, "%08x",
- cap->cap[CAP_LAST_U32 - i]);
+ if (cap_isclear(*cap)) {
+ audit_log_format(ab, " %s=0", prefix);
+ return;
}
+ audit_log_format(ab, " %s=", prefix);
+ CAP_FOR_EACH_U32(i)
+ audit_log_format(ab, "%08x", cap->cap[CAP_LAST_U32 - i]);
}
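Review bot: `audit_log_cap()` is a generic helper keyed on `prefix`, so the "0" shortcut changes the format of every field it emits, not only the two PATH cap_f* fields the commit message names; please state that scope explicitly and confirm the userspace parsers accept the short form for the other prefixes as well. A minor point: with the early return in place the two `audit_log_format(ab, " %s=...", prefix)` calls could be merged into a single `" %s="` followed by either "0" or the loop, which avoids formatting the prefix in two places.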
static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
--
1.8.3.1
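Why the commit message rejects %x per word, and what a log consumer has to accept once "0" is emitted, as an added example (my own code, not the kernel's and not the audit userspace's): it renders a two-word kernel_cap_t the fixed-width way and the naive way, and decodes the fixed-width and the short "0" forms back into capability bit numbers. The capability name table, the lowercase name spelling and the ValueError on a non-word-aligned field are this example's own choices.

```python
# Capability bit names in bit order (linux/capability.h, bits 0..37); bits the
# table does not cover are rendered as cap_<n>.  Lowercase spelling is this
# example's own, not the audit userspace's interpretation strings.
CAP_NAMES = ("chown dac_override dac_read_search fowner fsetid kill setgid setuid "
             "setpcap linux_immutable net_bind_service net_broadcast net_admin "
             "net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace "
             "sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time "
             "sys_tty_config mknod lease audit_write audit_control setfcap "
             "mac_override mac_admin syslog wake_alarm block_suspend audit_read").split()


def encode_cap(words):
    """Kernel-style rendering of a kernel_cap_t given as (cap[0], cap[1], ...):
    each 32-bit word as %08x with the highest word first and, after the patch
    above, the single character "0" when no bit at all is set."""
    if not any(words):
        return "0"
    return "".join("%08x" % w for w in reversed(words))


def encode_cap_naive(words):
    """The rejected alternative: %x per word.  The word boundaries disappear,
    so a reader can no longer tell which word a digit belongs to."""
    return "".join("%x" % w for w in reversed(words))


def decode_cap(field):
    """Turn a cap_f*/cap_p* field value into the set of capability bit numbers.
    Accepts the short "0" form and the zero-padded fixed-width form; any other
    width is rejected because its word boundaries cannot be recovered."""
    if field == "0":
        return set()
    if len(field) % 8 != 0:
        raise ValueError("cap field is not a whole number of 32-bit words: %r" % field)
    value = int(field, 16)
    return {bit for bit in range(len(field) * 4) if (value >> bit) & 1}


def cap_names(bits):
    """Human-readable names for a set of capability bits, in bit order."""
    return ["cap_" + CAP_NAMES[b] if b < len(CAP_NAMES) else "cap_%d" % b
            for b in sorted(bits)]


if __name__ == "__main__":
    # cap[1] bit 1 is CAP_MAC_ADMIN (bit 33); cap[0] is empty
    words = (0, 1 << 1)
    print(encode_cap(words), cap_names(decode_cap(encode_cap(words))))
    print(encode_cap_naive(words))   # "20": a reader would take this for bit 5, CAP_KILL
```

The fixed-width form survives `int(field, 16)` because the high word is printed first, so capability n is simply bit n of the resulting integer; the naive "20" for CAP_MAC_ADMIN would be read as 0x20, which is CAP_KILL, and the decoder refuses it rather than guess.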
Disabling local logging with write_logs = no
by Kay Mccormick
I am trying to log only to a remote machine so I have set:
write_logs = no
in my auditd.conf. Unfortunately, when I restart auditd it does not appear
to respect my configuration choice.
When I run it with 'auditd -f' to keep it in the foreground, it does not
write the file and I see:
write_logs_parser called with: no
in the output.
Looking at the source, I see:
if (opt_foreground) {
    config.daemonize = D_FOREGROUND;
    set_aumessage_mode(MSG_STDERR, DBG_YES);
} else {
    config.daemonize = D_BACKGROUND;
    set_aumessage_mode(MSG_SYSLOG, DBG_NO);
    (void) umask( umask( 077 ) | 022 );
}
It seems I cannot get messages logged with LOG_DEBUG without running in
foreground mode (in which case the bug does not appear to be triggered) or
recompiling auditd.
I have included the output of auditd -f and also my auditd.conf.