[BUG?] Exported private symbols in audit-userspace
by Yuri Gribov
Hi,
Is there a reason for functions below to not be marked as hidden? They
are not present in audit's public headers so technically there's no
reason to export them from shlibs. I can see that some symbols (e.g.
`audit_strsplit_r`) were marked as hidden before but then exported in
https://github.com/linux-audit/audit-userspace/commit/aa4ed834b7db2f8c7c9...
_audit_archadded
_audit_elf
_audit_exeadded
_audit_filterfsadded
audit_msg
_audit_permadded
__audit_send
audit_send
audit_strsplit
audit_strsplit_r
_audit_syscalladded
auparse_do_interpretation
_auparse_free_interpretations
auparse_interp_adjust_type
_auparse_load_interpretations
_auparse_lookup_interpretation
__bss_start
check_lru_cache
compute_subject_key
destroy_lru
_edata
_end
_fini
_init
init_lru
lru_evict
The issue was found using ShlibVisibilityChecker
(https://github.com/yugr/ShlibVisibilityChecker).
Best regards,
Yury Gribov
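A way to reproduce the check by hand, as an added example that is not part of the report or of audit-userspace: it takes `nm -D --defined-only` output for the library plus the names declared in the public headers, and prints what is exported but not public. The sample input is constructed; note that `_init`, `_fini`, `__bss_start`, `_edata` and `_end` in the list above are emitted by the linker for every shared object rather than by the library's own code, so the script filters them instead of reporting them.

```shell
#!/bin/sh
# Added example, not from the report or from audit-userspace.
# $1: output of `nm -D --defined-only libaudit.so`; $2: public symbol names,
# one per line (a rough list can be grepped out of the installed headers).
# _init, _fini, __bss_start, _edata and _end are emitted by the linker for
# every shared object, so they are filtered rather than reported.
LINKER_SYMS='_init _fini __bss_start _edata _end'

private_exports() {
    awk -v skip="$LINKER_SYMS" '
        BEGIN { n = split(skip, a, " "); for (i = 1; i <= n; i++) linker[a[i]] = 1 }
        # first file: the public names
        FILENAME == ARGV[1] { public[$1] = 1; next }
        # second file: nm lines "ADDRESS TYPE NAME"; keep defined code/data symbols
        NF == 3 && $2 ~ /^[TWBDRV]$/ {
            sub(/@.*/, "", $3)      # drop a @@VERSION suffix if nm printed one
            if (!($3 in public) && !($3 in linker)) print $3
        }
    ' "$2" "$1" | LC_ALL=C sort
}

# Constructed sample standing in for a real libaudit.so and its headers.
make_sample() {    # $1: directory to write nm.txt and public.txt into
    cat > "$1/nm.txt" <<'EOF'
0000000000004010 T audit_send
0000000000004120 T __audit_send
0000000000004200 T audit_open
0000000000004300 T audit_strsplit_r
0000000000006000 B __bss_start
0000000000003000 T _init
0000000000007000 T _fini
EOF
    cat > "$1/public.txt" <<'EOF'
audit_open
audit_send
EOF
}

# Real use (illustrative paths):
#   nm -D --defined-only /usr/lib64/libaudit.so.1 > nm.txt
#   grep -ho 'audit_[A-Za-z0-9_]*' /usr/include/libaudit.h | sort -u > public.txt
#   private_exports nm.txt public.txt
```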
Re: Monitoring files
by Richard Guy Briggs
On 2018-04-24 18:04, warron.french wrote:
> Furthermore, where would I add the -i switch to a rule like this one:
>
> -a always,exit -F path=/usr/bin/cgclassify -F perm=x -F auid>=1000 -F
> auid!=4294967295 -k privileged
I'm not aware of any per-rule switches to permit failure to load to be
non-fatal. I was suggesting it might help in your situation to add such
a feature, but I think the better solution is a customized rule set for
each machine or type of machine.
> ??
>
> --------------------------
> Warron French
>
>
> On Tue, Apr 24, 2018 at 6:03 PM, warron.french <warron.french(a)gmail.com>
> wrote:
>
> > Mr. Briggs/Rafi,
> >
> > I don't see the -i switch even mentioned in the manpage for audit.rules.
> > Is this a documented switch, or not yet a capability on Red Hat or CentOS
> > systems?
> >
> > Thanks in advance,
> >
> > --------------------------
> > Warron French
> >
> >
> > On Tue, Apr 24, 2018 at 11:14 AM, Richard Guy Briggs <rgb(a)redhat.com>
> > wrote:
> >
> >> On 2018-04-23 23:41, F Rafi wrote:
> >> > Adding a -i to the rules file should ignore any errors.
> >>
> >> At risk of feature creep, it might be nice to have a flag to ignore
> >> certain rules but not others, a way to tag individual rules with either
> >> a must, or a different tag with "ignore if not present" for file rules.
> >>
> >> > -Farhan
> >> >
> >> > On Mon, Apr 23, 2018 at 9:19 PM, warron.french <warron.french(a)gmail.com>
> >> wrote:
> >> > > Hi, I have a requirement to monitor a ton of files, executables and
> >> config
> >> > > files.
> >> > >
> >> > > Anyway, not all of my systems have every file in the list; and when I
> >> add
> >> > > the rules appropriate, either as a Watch (-w) rule or as an Action
> >> (-a)
> >> > > rule, the rules stop loading when they find a rule that has a file that
> >> > > doesn't exist *on that particular system*.
> >> > >
> >> > > This is the intended effect, yes?
> >> > >
> >> > > Thanks in advance,
> >> > > --------------------------
> >> > > Warron French
> >>
> >> - RGB
> >>
> >> --
> >> Richard Guy Briggs <rgb(a)redhat.com>
> >> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> >> Remote, Ottawa, Red Hat Canada
> >> IRC: rgb, SunRaycer
> >> Voice: +1.647.777.2635, Internal: (81) 32635
> >>
> >
> >
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
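One way to build the per-machine rule set Richard suggests, as an added example that is not from the thread: the script below copies a master rules file but drops any -w or -F path= rule whose path is missing on the host, so loading never stops at a missing file. It assumes one rule per line and paths without spaces.

```shell
#!/bin/sh
# Added example, not from the thread: build a per-host rule set by dropping
# rules whose watched path does not exist here, so that `auditctl -R` does not
# stop at the first missing file. Assumes one rule per line and paths without
# spaces; -w PATH rules and -a rules carrying -F path=PATH are recognised.

# Print the filesystem path a rule refers to, or nothing if it has none.
rule_path() {
    case "$1" in
        "-w "*)        printf '%s\n' "$1" | awk '{ print $2 }' ;;
        *"-F path="*)  printf '%s\n' "$1" | sed -n 's/.*-F path=\([^ ]*\).*/\1/p' ;;
    esac
}

# Copy rules from stdin to stdout, keeping comments, blank lines and rules
# without a path, and skipping (with a note on stderr) rules whose path is absent.
filter_rules() {
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) printf '%s\n' "$line"; continue ;;
        esac
        p=$(rule_path "$line")
        if [ -z "$p" ] || [ -e "$p" ]; then
            printf '%s\n' "$line"
        else
            printf 'skipping rule for missing path %s: %s\n' "$p" "$line" >&2
        fi
    done
}

# Typical use on each host before loading:
#   filter_rules < master.rules > host.rules && auditctl -R host.rules
```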
Re: Monitoring files
by warron.french
Mr. Briggs/Rafi,
I don't see the -i switch even mentioned in the manpage for audit.rules.
Is this a documented switch, or not yet a capability on Red Hat or CentOS
systems?
Thanks in advance,
--------------------------
Warron French
On Tue, Apr 24, 2018 at 6:31 PM, Richard Guy Briggs <rgb(a)redhat.com> wrote:
> On 2018-04-24 18:03, warron.french wrote:
> > Mr. Briggs/Rafi,
>
> I think you forgot to reply to the list (preferred) and/or Rafi.
>
> > I don't see the -i switch even mentioned in the manpage for audit.rules.
> > Is this a documented switch, or not yet a capability on Red Hat or CentOS
> > systems?
> >
> > Thanks in advance,
> >
> > --------------------------
> > Warron French
> >
> >
> > On Tue, Apr 24, 2018 at 11:14 AM, Richard Guy Briggs <rgb(a)redhat.com>
> wrote:
> >
> > > On 2018-04-23 23:41, F Rafi wrote:
> > > > Adding a -i to the rules file should ignore any errors.
> > >
> > > At risk of feature creep, it might be nice to have a flag to ignore
> > > certain rules but not others, a way to tag individual rules with either
> > > a must, or a different tag with "ignore if not present" for file rules.
> > >
> > > > -Farhan
> > > >
> > > > On Mon, Apr 23, 2018 at 9:19 PM, warron.french <
> warron.french(a)gmail.com>
> > > wrote:
> > > > > Hi, I have a requirement to monitor a ton of files, executables and
> > > config
> > > > > files.
> > > > >
> > > > > Anyway, not all of my systems have every file in the list; and
> when I
> > > add
> > > > > the rules appropriate, either as a Watch (-w) rule or as an Action
> (-a)
> > > > > rule, the rules stop loading when they find a rule that has a file
> that
> > > > > doesn't exist *on that particular system*.
> > > > >
> > > > > This is the intended effect, yes?
> > > > >
> > > > > Thanks in advance,
> > > > > --------------------------
> > > > > Warron French
> > >
> > > - RGB
> > >
> > > --
> > > Richard Guy Briggs <rgb(a)redhat.com>
> > > Sr. S/W Engineer, Kernel Security, Base Operating Systems
> > > Remote, Ottawa, Red Hat Canada
> > > IRC: rgb, SunRaycer
> > > Voice: +1.647.777.2635, Internal: (81) 32635
> > >
>
> - RGB
>
> --
> Richard Guy Briggs <rgb(a)redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
>
filename not audited for openat() on F28
by Jiri Jaburek
(Please CC me on replies.)
Hello,
I'm trying to run the audit-test suite on Fedora 28 and am running into
it expecting a name= field in the SYSCALL entry.
augrok --seek=697600 -m1 type==SYSCALL syscall=openat success=no
pid=3951 auid=1000 uid=0 euid=0 suid=0 fsuid=0 gid=0
egid=0 sgid=0 fsgid=0 exit=-13
subj=staff_u:lspp_test_r:lspp_test_generic_t:SystemHigh
name=tmp.owfFtgPOjx/new
Fedora 28:
----
time->Fri Apr 20 15:04:59 2018
type=PROCTITLE msg=audit(1524229499.918:366591):
proctitle=2F62696E2F62617368002E2F72756E2E62617368002D647600323734
type=PATH msg=audit(1524229499.918:366591): item=0
name="tmp.J4IQL7Buxe/" inode=1055495 dev=fd:02 mode=040700 ouid=0 ogid=0
rdev=00:00 obj=staff_u:object_r:user_tmp_t:s15:c0.c1023 nametype=PARENT
cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1524229499.918:366591):
cwd="/usr/local/eal4_testing/audit-test/syscalls"
type=SYSCALL msg=audit(1524229499.918:366591): arch=c000003e syscall=257
success=no exit=-13 a0=3 a1=7ffc02f0eaf6 a2=c0 a3=16b6010 items=1
ppid=5275 pid=5276 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=2 comm="do_openat"
exe="/usr/local/eal4_testing/audit-test/utils/bin/do_openat"
subj=staff_u:lspp_test_r:lspp_test_generic_t:s15:c0.c1023 key=(null)
type=AVC msg=audit(1524229499.918:366591): avc: denied { create } for
pid=5276 comm="do_openat" name="new"
scontext=staff_u:lspp_test_r:lspp_test_generic_t:s15:c0.c1023
tcontext=staff_u:object_r:user_tmp_t:s0 tclass=file permissive=0
----
RHEL-7.5:
----
time->Fri Apr 20 15:06:59 2018
type=PROCTITLE msg=audit(1524229619.726:56605):
proctitle=72756E636F6E0073746166665F753A6C7370705F746573745F723A6C7370705F746573745F67656E657269635F743A53797374656D4869676800646F5F6F70656E6174002F746D7000746D702E30674C74574A336977622F6E6577006372656174650073746166665F753A6F626A6563745F723A757365725F746D705F743A53
type=PATH msg=audit(1524229619.726:56605): item=1
name="tmp.0gLtWJ3iwb/new" objtype=CREATE cap_fp=0000000000000000
cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1524229619.726:56605): item=0 name="tmp.0gLtWJ3iwb/"
inode=1055489 dev=fd:02 mode=040700 ouid=0 ogid=0 rdev=00:00
obj=staff_u:object_r:user_tmp_t:s15:c0.c1023 objtype=PARENT
cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1524229619.726:56605):
cwd="/usr/local/eal4_testing/audit-test/syscalls"
type=SYSCALL msg=audit(1524229619.726:56605): arch=c000003e syscall=257
success=no exit=-13 a0=3 a1=7ffc1ecd6b57 a2=c0 a3=0 items=2 ppid=20750
pid=20751 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=1595 comm="do_openat"
exe="/usr/local/eal4_testing/audit-test/utils/bin/do_openat"
subj=staff_u:lspp_test_r:lspp_test_generic_t:s15:c0.c1023 key=(null)
----
The key difference here is probably the absence of
type=PATH msg=audit(1524229619.726:56605): item=1
name="tmp.0gLtWJ3iwb/new" objtype=CREATE cap_fp=0000000000000000
cap_fi=0000000000000000 cap_fe=0 cap_fver=0
on Fedora 28, which augrok looks for.
Is this expected?
I'm seeing something similar with other syscalls like
creat("/tmp/tmp.9EsMgMuio7/new", 0700)
producing
----
type=PROCTITLE msg=audit(04/20/2018 15:15:35.547:371576) :
proctitle=runcon staff_u:lspp_test_r:lspp_test_generic_t:SystemHigh
do_creat /tmp/tmp.9EsMgMuio7/new staff_u:object_r:user_tmp_t:SystemLow
type=PATH msg=audit(04/20/2018 15:15:35.547:371576) : item=0
name=/tmp/tmp.9EsMgMuio7/ inode=1572964 dev=fd:02 mode=dir,700 ouid=root
ogid=root rdev=00:00 obj=staff_u:object_r:user_tmp_t:s15:c0.c1023
nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(04/20/2018 15:15:35.547:371576) :
cwd=/usr/local/eal4_testing/audit-test/syscalls
type=SYSCALL msg=audit(04/20/2018 15:15:35.547:371576) : arch=x86_64
syscall=creat success=no exit=EACCES(Permission denied)
a0=0x7ffc41d04af9 a1=0700 a2=0x0 a3=0x0 items=1 ppid=6779 pid=6780
auid=eal uid=root gid=root euid=root suid=root fsuid=root egid=root
sgid=root fsgid=root tty=(none) ses=2 comm=do_creat
exe=/usr/local/eal4_testing/audit-test/utils/bin/do_creat
subj=staff_u:lspp_test_r:lspp_test_generic_t:s15:c0.c1023 key=(null)
type=AVC msg=audit(04/20/2018 15:15:35.547:371576) : avc: denied {
create } for pid=6780 comm=do_creat name=new
scontext=staff_u:lspp_test_r:lspp_test_generic_t:s15:c0.c1023
tcontext=staff_u:object_r:user_tmp_t:s0 tclass=file permissive=0
----
but the lack of "/new" in PATH here seems more like a bug.
Thanks,
Jiri
[PATCH v2] audit: allow not equal op for audit by executable
by Ondrej Mosnacek
From: Ondrej Mosnáček <omosnace(a)redhat.com>
Current implementation of auditing by executable name only implements
the 'equal' operator. This patch extends it to also support the 'not
equal' operator.
See: https://github.com/linux-audit/audit-kernel/issues/53
Signed-off-by: Ondrej Mosnacek <omosnace(a)redhat.com>
---
kernel/auditfilter.c | 2 +-
kernel/auditsc.c | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index d7a807e81451..a0c5a3ec6e60 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
return -EINVAL;
break;
case AUDIT_EXE:
- if (f->op != Audit_equal)
+ if (f->op != Audit_not_equal && f->op != Audit_equal)
return -EINVAL;
if (entry->rule.listnr != AUDIT_FILTER_EXIT)
return -EINVAL;
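Review bot: the documentation for the exe field should be updated together with this hunk, since it now accepts Audit_not_equal where an older kernel still returns -EINVAL from the check on the line above; a sentence in the commit message noting that exe!= rules fail to load on older kernels would help anyone debugging a rule set that loads on one kernel and not another.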
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4e0a4ac803db..479c031ec54c 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
break;
case AUDIT_EXE:
result = audit_exe_compare(tsk, rule->exe);
+ if (f->op == Audit_not_equal)
+ result = !result;
break;
case AUDIT_UID:
result = audit_uid_comparator(cred->uid, f->op, f->uid);
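Review bot: the new "result = !result" assumes audit_exe_compare() returns a plain 0/1 rather than a negative error value; worth confirming, and also confirming what it returns for a task that has no exe file, since after negation such a task would match every exe!= rule. If that is the intended behaviour, a one-line comment above the negation would document it.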
--
2.14.3
Monitoring files
by warron.french
Hi, I have a requirement to monitor a ton of files, executables and config
files.
Anyway, not all of my systems have every file in the list; and when I add
the rules appropriate, either as a Watch (-w) rule or as an Action (-a)
rule, the rules stop loading when they find a rule that has a file that
doesn't exist *on that particular system*.
This is the intended effect, yes?
Thanks in advance,
--------------------------
Warron French
[PATCH ghak80 V1] audit: add syscall information to FEATURE_CHANGE records
by Richard Guy Briggs
Tie syscall information to FEATURE_CHANGE calls since it is a result of
user action.
See: https://github.com/linux-audit/audit-kernel/issues/80
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/audit.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 8da24ef..23f125b 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1103,10 +1103,9 @@ static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature
{
struct audit_buffer *ab;
- if (audit_enabled == AUDIT_OFF)
+ if (!audit_enabled)
return;
-
- ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE);
+ ab = audit_log_start(current->audit_context, GFP_KERNEL, AUDIT_FEATURE_CHANGE);
if (!ab)
return;
audit_log_task_info(ab, current);
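Review bot: the change from "audit_enabled == AUDIT_OFF" to "!audit_enabled" and the dropped blank line are unrelated cleanups bundled with the functional change the commit message describes; either mention them in the message or split them out so that passing current->audit_context instead of NULL to audit_log_start() stands alone in the history.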
--
1.8.3.1
auditing automounted filesystems (NFS)
by Frank Thommen
Hello,
we have started auditing on our systems (file open, close, write etc.).
This is no problem on local and on statically mounted NFS systems (-a
exit,always -F dir=/a/b/c ...). However for automounted filesystems
auditd only reports on system calls on those filesystems which are
mounted when auditd starts.
Is there a way to make auditd aware of newly mounted NFS filesystems, so
that we can audit them, too?
Cheers
frank
test-queue fails on s390x Alpine Linux
by Natanael Copa
Hi,
Running the testsuite on Alpine Linux s390x fails:
======================================================
audit 2.8.3: audisp/plugins/remote/test-suite.log
=======================================================
# TOTAL: 1
# PASS: 0
# SKIP: 0
# XFAIL: 0
# FAIL: 1
# XPASS: 0
# ERROR: 0
.. contents:: :depth: 2
FAIL: test-queue
================
test-queue: 250: q_open: Result not representable
Aborted (core dumped)
FAIL test-queue (exit status: 134)
Tests passes on aarch64, ppc64le, x86 and x86_64.
-nc
[RFC PATCH V1 00/12] audit: implement container id
by Richard Guy Briggs
Implement audit kernel container ID.
This patchset is a preliminary RFC based on the proposal document (V3)
posted:
https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html
The first patch implements the proc fs write to set the audit container
ID of a process, emitting an AUDIT_CONTAINER record.
The second implements an auxiliary syscall record AUDIT_CONTAINER_INFO
if a container ID is present on a task.
The third adds filtering to the exit, exclude and user lists.
The 4th, implements reading the container ID from the proc filesystem
for debugging. This isn't planned for upstream inclusion.
The 5th adds signal and ptrace support.
The 6th attempts to create a local audit context to be able to bind a
standalone record with the container ID record.
The 7th, 8th, 9th, 10th patches add container ID records to standalone
records. Some of these may end up being syscall auxiliary records and
won't need this specific support since they'll be supported via
syscalls.
The 11th is a temporary workaround due to the AUDIT_CONTAINER records
not showing up as do AUDIT_LOGIN records. I suspect this is due to its
range (1000 vs 1300), but the intent is to solve it.
The 12th adds debug information not intended for upstream for those
brave souls wanting to tinker with it in this early state.
Feedback please!
Here's a quick and dirty test script:
echo 123455 > /proc/$$/containerid; echo $?
sleep 4&
child=$!; sleep 1
echo 18446744073709551615 > /proc/$child/containerid; echo $?
echo 123456 > /proc/$child/containerid; echo $?
echo 123457 > /proc/$child/containerid; echo $?
sleep 1
ausearch -ts recent |grep " contid=18446744073709551615"; echo $?
ausearch -ts recent |grep " contid=123456"; echo $?
ausearch -ts recent |grep " contid=123457"; echo $?
echo self:$$ contid:$( cat /proc/$$/containerid)
echo child:$child contid:$( cat /proc/$child/containerid)
containerid=123458
key=tmpcontainerid
auditctl -a exit,always -F dir=/tmp -F perm=wa -F containerid=$containerid -F key=$key || echo failed to add containerid filter rule
bash -c "sleep 1; echo test > /tmp/$key"&
child=$!
echo $containerid > /proc/$child/containerid
sleep 2
rm -f /tmp/$key
ausearch -ts recent -k $key || echo failed to find CONTAINER_INFO record
auditctl -d exit,always -F dir=/tmp -F perm=wa -F containerid=$containerid -F key=$key || echo failed to delete containerid filter rule
See:
https://github.com/linux-audit/audit-kernel/issues/32
https://github.com/linux-audit/audit-userspace/issues/40
https://github.com/linux-audit/audit-testsuite/issues/64
Richard Guy Briggs (12):
audit: add container id
audit: log container info of syscalls
audit: add containerid filtering
audit: read container ID of a process
audit: add containerid support for ptrace and signals
audit: add support for non-syscall auxiliary records
audit: add container aux record to watch/tree/mark
audit: add containerid support for tty_audit
audit: add containerid support for config/feature/user records
audit: add containerid support for seccomp and anom_abend records
debug audit: add container id
debug! audit: add container id
drivers/tty/tty_audit.c | 5 +-
fs/proc/base.c | 63 +++++++++++++++++++
include/linux/audit.h | 36 +++++++++++
include/linux/init_task.h | 4 +-
include/linux/sched.h | 1 +
include/uapi/linux/audit.h | 9 ++-
kernel/audit.c | 74 +++++++++++++++++++---
kernel/audit.h | 3 +
kernel/audit_fsnotify.c | 5 +-
kernel/audit_tree.c | 5 +-
kernel/audit_watch.c | 33 +++++-----
kernel/auditfilter.c | 52 ++++++++++++++-
kernel/auditsc.c | 154 +++++++++++++++++++++++++++++++++++++++++++--
13 files changed, 408 insertions(+), 36 deletions(-)
--
1.8.3.1