[BUG?] Exported private symbols in audit-userspace
by Yuri Gribov
Hi,
Is there a reason for functions below to not be marked as hidden? They
are not present in audit's public headers so technically there's no
reason to export them from shlibs. I can see that some symbols (e.g.
`audit_strsplit_r`) were marked as hidden before but then exported in
https://github.com/linux-audit/audit-userspace/commit/aa4ed834b7db2f8c7c9...
_audit_archadded
_audit_elf
_audit_exeadded
_audit_filterfsadded
audit_msg
_audit_permadded
__audit_send
audit_send
audit_strsplit
audit_strsplit_r
_audit_syscalladded
auparse_do_interpretation
_auparse_free_interpretations
auparse_interp_adjust_type
_auparse_load_interpretations
_auparse_lookup_interpretation
__bss_start
check_lru_cache
compute_subject_key
destroy_lru
_edata
_end
_fini
_init
init_lru
lru_evict
The issue was found using ShlibVisibilityChecker
(https://github.com/yugr/ShlibVisibilityChecker).
Best regards,
Yury Gribov
6 years, 6 months
Re: Monitoring files
by Richard Guy Briggs
On 2018-04-24 18:04, warron.french wrote:
> Furthermore, where would I add the -i switch to a rule like this one:
>
> -a always,exit -F path=/usr/bin/cgclassify -F perm=x -F auid>=1000 -F
> auid!=4294967295 -k privileged
I'm not aware of any per-rule switches to permit failure to load to be
non-fatal. I was suggesting it might help in your situation to add such
a feature, but I think the better solution is a customized rule set for
each machine or type of machine.
> ??
>
> --------------------------
> Warron French
>
>
> On Tue, Apr 24, 2018 at 6:03 PM, warron.french <warron.french(a)gmail.com>
> wrote:
>
> > Mr. Briggs/Rafi,
> >
> > I don't see the -i switch even mentioned in the manpage for audit.rules.
> > Is this a documented switch, or not yet a capability on Red Hat or CentOS
> > systems?
> >
> > Thanks in advance,
> >
> > --------------------------
> > Warron French
> >
> >
> > On Tue, Apr 24, 2018 at 11:14 AM, Richard Guy Briggs <rgb(a)redhat.com>
> > wrote:
> >
> >> On 2018-04-23 23:41, F Rafi wrote:
> >> > Adding a -i to the rules file should ignore any errors.
> >>
> >> At risk of feature creep, it might be nice to have a flag to ignore
> >> certain rules but not others, a way to tag individual rules with either
> >> a must, or a different tag with "ignore if not present" for file rules.
> >>
> >> > -Farhan
> >> >
> >> > On Mon, Apr 23, 2018 at 9:19 PM, warron.french <warron.french(a)gmail.com>
> >> wrote:
> >> > > Hi, I have a requirement to monitor a ton of files, executables and
> >> confug
> >> > > files.
> >> > >
> >> > > Anyway, not all of my systems have every file in the list; and when I
> >> add
> >> > > the rules appropriate, either as a Watch (-w) rule or as an Action
> >> (-a)
> >> > > rule, the rules stop loading when the find a rule that has a file that
> >> > > doesn't exist *on that particular system*.
> >> > >
> >> > > This is the intended effect, yes?
> >> > >
> >> > > Thanks in advance,
> >> > > --------------------------
> >> > > Warron French
> >>
> >> - RGB
> >>
> >> --
> >> Richard Guy Briggs <rgb(a)redhat.com>
> >> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> >> Remote, Ottawa, Red Hat Canada
> >> IRC: rgb, SunRaycer
> >> Voice: +1.647.777.2635, Internal: (81) 32635
> >>
> >
> >
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
6 years, 6 months
Re: Monitoring files
by warron.french
Mr. Briggs/Rafi,
I don't see the -i switch even mentioned in the manpage for audit.rules.
Is this a documented switch, or not yet a capability on Red Hat or CentOS
systems?
Thanks in advance,
--------------------------
Warron French
On Tue, Apr 24, 2018 at 6:31 PM, Richard Guy Briggs <rgb(a)redhat.com> wrote:
> On 2018-04-24 18:03, warron.french wrote:
> > Mr. Briggs/Rafi,
>
> I think you forgot to reply to the list (preferred) and/or Rafi.
>
> > I don't see the -i switch even mentioned in the manpage for audit.rules.
> > Is this a documented switch, or not yet a capability on Red Hat or CentOS
> > systems?
> >
> > Thanks in advance,
> >
> > --------------------------
> > Warron French
> >
> >
> > On Tue, Apr 24, 2018 at 11:14 AM, Richard Guy Briggs <rgb(a)redhat.com>
> wrote:
> >
> > > On 2018-04-23 23:41, F Rafi wrote:
> > > > Adding a -i to the rules file should ignore any errors.
> > >
> > > At risk of feature creep, it might be nice to have a flag to ignore
> > > certain rules but not others, a way to tag individual rules with either
> > > a must, or a different tag with "ignore if not present" for file rules.
> > >
> > > > -Farhan
> > > >
> > > > On Mon, Apr 23, 2018 at 9:19 PM, warron.french <
> warron.french(a)gmail.com>
> > > wrote:
> > > > > Hi, I have a requirement to monitor a ton of files, executables and
> > > confug
> > > > > files.
> > > > >
> > > > > Anyway, not all of my systems have every file in the list; and
> when I
> > > add
> > > > > the rules appropriate, either as a Watch (-w) rule or as an Action
> (-a)
> > > > > rule, the rules stop loading when the find a rule that has a file
> that
> > > > > doesn't exist *on that particular system*.
> > > > >
> > > > > This is the intended effect, yes?
> > > > >
> > > > > Thanks in advance,
> > > > > --------------------------
> > > > > Warron French
> > >
> > > - RGB
> > >
> > > --
> > > Richard Guy Briggs <rgb(a)redhat.com>
> > > Sr. S/W Engineer, Kernel Security, Base Operating Systems
> > > Remote, Ottawa, Red Hat Canada
> > > IRC: rgb, SunRaycer
> > > Voice: +1.647.777.2635, Internal: (81) 32635
> > >
>
> - RGB
>
> --
> Richard Guy Briggs <rgb(a)redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
>
6 years, 6 months
filename not audited for openat() on F28
by Jiri Jaburek
(Please CC me on replies.)
Hello,
I'm trying to run the audit-test suite on Fedora 28 and am running into
it expecting a name= field in the SYSCALL entry.
augrok --seek=697600 -m1 type==SYSCALL syscall=openat success=no
pid=3951 auid=1000 uid=0 euid=0 suid=0 fsuid=0 gid=0
egid=0 sgid=0 fsgid=0 exit=-13
subj=staff_u:lspp_test_r:lspp_test_generic_t:SystemHigh
name=tmp.owfFtgPOjx/new
Fedora 28:
----
time->Fri Apr 20 15:04:59 2018
type=PROCTITLE msg=audit(1524229499.918:366591):
proctitle=2F62696E2F62617368002E2F72756E2E62617368002D647600323734
type=PATH msg=audit(1524229499.918:366591): item=0
name="tmp.J4IQL7Buxe/" inode=1055495 dev=fd:02 mode=040700 ouid=0 ogid=0
rdev=00:00 obj=staff_u:object_r:user_tmp_t:s15:c0.c1023 nametype=PARENT
cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1524229499.918:366591):
cwd="/usr/local/eal4_testing/audit-test/syscalls"
type=SYSCALL msg=audit(1524229499.918:366591): arch=c000003e syscall=257
success=no exit=-13 a0=3 a1=7ffc02f0eaf6 a2=c0 a3=16b6010 items=1
ppid=5275 pid=5276 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=2 comm="do_openat"
exe="/usr/local/eal4_testing/audit-test/utils/bin/do_openat"
subj=staff_u:lspp_test_r:lspp_test_generic_t:s15:c0.c1023 key=(null)
type=AVC msg=audit(1524229499.918:366591): avc: denied { create } for
pid=5276 comm="do_openat" name="new"
scontext=staff_u:lspp_test_r:lspp_test_generic_t:s15:c0.c1023
tcontext=staff_u:object_r:user_tmp_t:s0 tclass=file permissive=0
----
RHEL-7.5:
----
time->Fri Apr 20 15:06:59 2018
type=PROCTITLE msg=audit(1524229619.726:56605):
proctitle=72756E636F6E0073746166665F753A6C7370705F746573745F723A6C7370705F746573745F67656E657269635F743A53797374656D4869676800646F5F6F70656E6174002F746D7000746D702E30674C74574A336977622F6E6577006372656174650073746166665F753A6F626A6563745F723A757365725F746D705F743A53
type=PATH msg=audit(1524229619.726:56605): item=1
name="tmp.0gLtWJ3iwb/new" objtype=CREATE cap_fp=0000000000000000
cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1524229619.726:56605): item=0 name="tmp.0gLtWJ3iwb/"
inode=1055489 dev=fd:02 mode=040700 ouid=0 ogid=0 rdev=00:00
obj=staff_u:object_r:user_tmp_t:s15:c0.c1023 objtype=PARENT
cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1524229619.726:56605):
cwd="/usr/local/eal4_testing/audit-test/syscalls"
type=SYSCALL msg=audit(1524229619.726:56605): arch=c000003e syscall=257
success=no exit=-13 a0=3 a1=7ffc1ecd6b57 a2=c0 a3=0 items=2 ppid=20750
pid=20751 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=1595 comm="do_openat"
exe="/usr/local/eal4_testing/audit-test/utils/bin/do_openat"
subj=staff_u:lspp_test_r:lspp_test_generic_t:s15:c0.c1023 key=(null)
----
The key difference here is probably the absence of
type=PATH msg=audit(1524229619.726:56605): item=1
name="tmp.0gLtWJ3iwb/new" objtype=CREATE cap_fp=0000000000000000
cap_fi=0000000000000000 cap_fe=0 cap_fver=0
on Fedora 28, which augrok looks for.
Is this expected?
I'm seeing something similar with other syscalls like
creat("/tmp/tmp.9EsMgMuio7/new", 0700)
producing
----
type=PROCTITLE msg=audit(04/20/2018 15:15:35.547:371576) :
proctitle=runcon staff_u:lspp_test_r:lspp_test_generic_t:SystemHigh
do_creat /tmp/tmp.9EsMgMuio7/new staff_u:object_r:user_tmp_t:SystemLow
type=PATH msg=audit(04/20/2018 15:15:35.547:371576) : item=0
name=/tmp/tmp.9EsMgMuio7/ inode=1572964 dev=fd:02 mode=dir,700 ouid=root
ogid=root rdev=00:00 obj=staff_u:object_r:user_tmp_t:s15:c0.c1023
nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(04/20/2018 15:15:35.547:371576) :
cwd=/usr/local/eal4_testing/audit-test/syscalls
type=SYSCALL msg=audit(04/20/2018 15:15:35.547:371576) : arch=x86_64
syscall=creat success=no exit=EACCES(Permission denied)
a0=0x7ffc41d04af9 a1=0700 a2=0x0 a3=0x0 items=1 ppid=6779 pid=6780
auid=eal uid=root gid=root euid=root suid=root fsuid=root egid=root
sgid=root fsgid=root tty=(none) ses=2 comm=do_creat
exe=/usr/local/eal4_testing/audit-test/utils/bin/do_creat
subj=staff_u:lspp_test_r:lspp_test_generic_t:s15:c0.c1023 key=(null)
type=AVC msg=audit(04/20/2018 15:15:35.547:371576) : avc: denied {
create } for pid=6780 comm=do_creat name=new
scontext=staff_u:lspp_test_r:lspp_test_generic_t:s15:c0.c1023
tcontext=staff_u:object_r:user_tmp_t:s0 tclass=file permissive=0
----
but the lack of "/new" in PATH here seems more like a bug.
Thanks,
Jiri
6 years, 6 months
[PATCH v2] audit: allow not equal op for audit by executable
by Ondrej Mosnacek
From: Ondrej Mosnáček <omosnace(a)redhat.com>
Current implementation of auditing by executable name only implements
the 'equal' operator. This patch extends it to also support the 'not
equal' operator.
See: https://github.com/linux-audit/audit-kernel/issues/53
Signed-off-by: Ondrej Mosnacek <omosnace(a)redhat.com>
---
kernel/auditfilter.c | 2 +-
kernel/auditsc.c | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index d7a807e81451..a0c5a3ec6e60 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
return -EINVAL;
break;
case AUDIT_EXE:
- if (f->op != Audit_equal)
+ if (f->op != Audit_not_equal && f->op != Audit_equal)
return -EINVAL;
if (entry->rule.listnr != AUDIT_FILTER_EXIT)
return -EINVAL;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4e0a4ac803db..479c031ec54c 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
break;
case AUDIT_EXE:
result = audit_exe_compare(tsk, rule->exe);
+ if (f->op == Audit_not_equal)
+ result = !result;
break;
case AUDIT_UID:
result = audit_uid_comparator(cred->uid, f->op, f->uid);
--
2.14.3
6 years, 6 months
Monitoring files
by warron.french
Hi, I have a requirement to monitor a ton of files, executables and confug
files.
Anyway, not all of my systems have every file in the list; and when I add
the rules appropriate, either as a Watch (-w) rule or as an Action (-a)
rule, the rules stop loading when the find a rule that has a file that
doesn't exist *on that particular system*.
This is the intended effect, yes?
Thanks in advance,
--------------------------
Warron French
6 years, 6 months
[PATCH ghak80 V1] audit: add syscall information to FEATURE_CHANGE records
by Richard Guy Briggs
Tie syscall information to FEATURE_CHANGE calls since it is a result of
user action.
See: https://github.com/linux-audit/audit-kernel/issues/80
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/audit.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 8da24ef..23f125b 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1103,10 +1103,9 @@ static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature
{
struct audit_buffer *ab;
- if (audit_enabled == AUDIT_OFF)
+ if (!audit_enabled)
return;
-
- ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE);
+ ab = audit_log_start(current->audit_context, GFP_KERNEL, AUDIT_FEATURE_CHANGE);
if (!ab)
return;
audit_log_task_info(ab, current);
--
1.8.3.1
6 years, 6 months
auditing automounted filesystems (NFS)
by Frank Thommen
Hello,
we have started auditing on our systems (file open, close, write etc.).
This is no problem on local and on statically mounted NFS systems (-a
exit,always -F dir=/a/b/c ...). However for automounted filesystems
auditd only reports on system calls on those filesystems which are
mounted when auditd starts.
Is there a way to make auditd aware of newly mounted NFS filesystems, so
that we can audit them, too?
Cheers
frank
6 years, 6 months
test-queue fails on s390x Alpine Linux
by Natanael Copa
Hi,
Running the testsuite on Alpine Linux s390x fails:
======================================================
audit 2.8.3: audisp/plugins/remote/test-suite.log
=======================================================
# TOTAL: 1
# PASS: 0
# SKIP: 0
# XFAIL: 0
# FAIL: 1
# XPASS: 0
# ERROR: 0
.. contents:: :depth: 2
FAIL: test-queue
================
test-queue: 250: q_open: Result not representable
Aborted (core dumped)
FAIL test-queue (exit status: 134)
Tests passes on aarch64, ppc64le, x86 and x86_64.
-nc
6 years, 6 months
[RFC PATCH V1 00/12] audit: implement container id
by Richard Guy Briggs
Implement audit kernel container ID.
This patchset is a preliminary RFC based on the proposal document (V3)
posted:
https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html
The first patch implements the proc fs write to set the audit container
ID of a process, emitting an AUDIT_CONTAINER record.
The second implements an auxiliary syscall record AUDIT_CONTAINER_INFO
if a container ID is present on a task.
The third adds filtering to the exit, exclude and user lists.
The 4th, implements reading the container ID from the proc filesystem
for debugging. This isn't planned for upstream inclusion.
The 5th adds signal and ptrace support.
The 6th attempts to create a local audit context to be able to bind a
standalone record with the container ID record.
The 7th, 8th, 9th, 10th patches add container ID records to standalone
records. Some of these may end up being syscall auxiliary records and
won't need this specific support since they'll be supported via
syscalls.
The 11th is a temporary workaround due to the AUDIT_CONTAINER records
not showing up as do AUDIT_LOGIN records. I suspect this is due to its
range (1000 vs 1300), but the intent is to solve it.
The 12th adds debug information not intended for upstream for those
brave souls wanting to tinker with it in this early state.
Feedback please!
Here's a quick and dirty test script:
echo 123455 > /proc/$$/containerid; echo $?
sleep 4&
child=$!; sleep 1
echo 18446744073709551615 > /proc/$child/containerid; echo $?
echo 123456 > /proc/$child/containerid; echo $?
echo 123457 > /proc/$child/containerid; echo $?
sleep 1
ausearch -ts recent |grep " contid=18446744073709551615"; echo $?
ausearch -ts recent |grep " contid=123456"; echo $?
ausearch -ts recent |grep " contid=123457"; echo $?
echo self:$$ contid:$( cat /proc/$$/containerid)
echo child:$child contid:$( cat /proc/$child/containerid)
containerid=123458
key=tmpcontainerid
auditctl -a exit,always -F dir=/tmp -F perm=wa -F containerid=$containerid -F key=$key || echo failed to add containerid filter rule
bash -c "sleep 1; echo test > /tmp/$key"&
child=$!
echo $containerid > /proc/$child/containerid
sleep 2
rm -f /tmp/$key
ausearch -ts recent -k $key || echo failed to find CONTAINER_INFO record
auditctl -d exit,always -F dir=/tmp -F perm=wa -F containerid=$containerid -F key=$key || echo failed to add containerid filter rule
See:
https://github.com/linux-audit/audit-kernel/issues/32
https://github.com/linux-audit/audit-userspace/issues/40
https://github.com/linux-audit/audit-testsuite/issues/64
Richard Guy Briggs (12):
audit: add container id
audit: log container info of syscalls
audit: add containerid filtering
audit: read container ID of a process
audit: add containerid support for ptrace and signals
audit: add support for non-syscall auxiliary records
audit: add container aux record to watch/tree/mark
audit: add containerid support for tty_audit
audit: add containerid support for config/feature/user records
audit: add containerid support for seccomp and anom_abend records
debug audit: add container id
debug! audit: add container id
drivers/tty/tty_audit.c | 5 +-
fs/proc/base.c | 63 +++++++++++++++++++
include/linux/audit.h | 36 +++++++++++
include/linux/init_task.h | 4 +-
include/linux/sched.h | 1 +
include/uapi/linux/audit.h | 9 ++-
kernel/audit.c | 74 +++++++++++++++++++---
kernel/audit.h | 3 +
kernel/audit_fsnotify.c | 5 +-
kernel/audit_tree.c | 5 +-
kernel/audit_watch.c | 33 +++++-----
kernel/auditfilter.c | 52 ++++++++++++++-
kernel/auditsc.c | 154 +++++++++++++++++++++++++++++++++++++++++++--
13 files changed, 408 insertions(+), 36 deletions(-)
--
1.8.3.1
6 years, 6 months