[PATCH ghak46 V1] audit: normalize MAC_STATUS record
by Richard Guy Briggs
There were two formats of the audit MAC_STATUS record, one of which was more
standard than the other. One listed enforcing status changes and the
other listed enabled status changes with a non-standard label. In
addition, the record was missing information about which LSM was
responsible and the operation's completion status. While this record is
only issued on success, the parser expects the res= field to be present.
old enforcing/permissive:
type=MAC_STATUS msg=audit(1523312831.378:24514): enforcing=0 old_enforcing=1 auid=0 ses=1
old enable/disable:
type=MAC_STATUS msg=audit(1523312831.378:24514): selinux=0 auid=0 ses=1
List both sets of status and old values and add the lsm= field and the
res= field.
Here is the new format:
type=MAC_STATUS msg=audit(1523293828.657:891): enforcing=0 old_enforcing=1 auid=0 ses=1 enabled=1 old-enabled=1 lsm=selinux res=1
This record already accompanied a SYSCALL record.
See: https://github.com/linux-audit/audit-kernel/issues/46
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
security/selinux/selinuxfs.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 00eed84..00b21b2 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -145,10 +145,11 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
if (length)
goto out;
audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
- "enforcing=%d old_enforcing=%d auid=%u ses=%u",
+ "enforcing=%d old_enforcing=%d auid=%u ses=%u"
+ " enabled=%d old-enabled=%d lsm=selinux res=1",
new_value, selinux_enforcing,
from_kuid(&init_user_ns, audit_get_loginuid(current)),
- audit_get_sessionid(current));
+ audit_get_sessionid(current), selinux_enabled, selinux_enabled);
selinux_enforcing = new_value;
if (selinux_enforcing)
avc_ss_reset(0);
@@ -272,9 +273,11 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf,
if (length)
goto out;
audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
- "selinux=0 auid=%u ses=%u",
+ "enforcing=%d old_enforcing=%d auid=%u ses=%u"
+ " enabled=%d old-enabled=%d lsm=selinux res=1",
+ selinux_enforcing, selinux_enforcing,
from_kuid(&init_user_ns, audit_get_loginuid(current)),
- audit_get_sessionid(current));
+ audit_get_sessionid(current), 0, 1);
}
length = count;
--
1.8.3.1
6 years, 6 months
[PATCH ghak47 V1] audit: normalize MAC_POLICY_LOAD record
by Richard Guy Briggs
The audit MAC_POLICY_LOAD record had redundant dangling keywords and was
missing information about which LSM was responsible and its completion
status. While this record is only issued on success, the parser expects
the res= field to be present.
Old record:
type=MAC_POLICY_LOAD msg=audit(1479299795.404:43): policy loaded auid=0 ses=1
Delete the redundant dangling keywords, add the lsm= field and the res=
field.
New record:
type=MAC_POLICY_LOAD msg=audit(1523293846.204:894): auid=0 ses=1 lsm=selinux res=1
See: https://github.com/linux-audit/audit-kernel/issues/47
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
security/selinux/selinuxfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 00b21b2..496915a 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -531,7 +531,7 @@ static ssize_t sel_write_load(struct file *file, const char __user *buf,
out1:
audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
- "policy loaded auid=%u ses=%u",
+ "auid=%u ses=%u lsm=selinux res=1",
from_kuid(&init_user_ns, audit_get_loginuid(current)),
audit_get_sessionid(current));
out:
--
1.8.3.1
6 years, 6 months
Audit next branch rebased to v4.17-rc1
by Paul Moore
Considering some of the proposed changes on the list, e.g. Richard's
audit container ID patches, it seems prudent to bring the audit/branch
forward from v4.15 to v4.17-rc1 so we have a more recent base to work
from. For those of you with patches already posted to the list,
please don't rebase your patches unless I ask.
Thanks.
--
paul moore
www.paul-moore.com
6 years, 6 months
[PATCH ghak21 V4 0/2] audit: address ANOM_LINK excess records
by Richard Guy Briggs
This V4 is a supplement to patches 1 and 2 of v1 already merged.
Audit link denied events were being unexpectedly produced in a disjoint
way when audit was disabled, and when they were expected, there were
duplicate PATH records. This patchset addresses both issues for
symlinks and hardlinks.
This was introduced with
commit b24a30a7305418ff138ff51776fc555ec57c011a
("audit: fix event coverage of AUDIT_ANOM_LINK")
commit a51d9eaa41866ab6b4b6ecad7b621f8b66ece0dc
("fs: add link restriction audit reporting")
Here are the original events for symlink and hardlink for each of
CWD!=PARENT and CWD=PARENT on 4.15.7-300.fc27.x86_64:
----
type=PROCTITLE msg=audit(2018-03-21 04:15:45.353:285) : proctitle=ls /tmp/my-passwd
type=PATH msg=audit(2018-03-21 04:15:45.353:285) : item=0 name=/tmp/my-passwd nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(2018-03-21 04:15:45.353:285) : cwd=/root
type=SYSCALL msg=audit(2018-03-21 04:15:45.353:285) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7ffddb7c4de7 a1=0x557b4bb5f3c0 a2=0x557b4bb5f3c0 a3=0xdb7c4d00 items=1 ppid=621 pid=676 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=PATH msg=audit(2018-03-21 04:15:45.353:285) : item=0 name=/tmp/my-passwd inode=20618 dev=00:29 mode=link,777 ouid=rgb ogid=rgb rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=ANOM_LINK msg=audit(2018-03-21 04:15:45.353:285) : op=follow_link ppid=621 pid=676 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no
----
type=PROCTITLE msg=audit(2018-03-21 04:15:45.356:286) : proctitle=ls my-passwd
type=PATH msg=audit(2018-03-21 04:15:45.356:286) : item=0 name=my-passwd nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(2018-03-21 04:15:45.356:286) : cwd=/tmp
type=SYSCALL msg=audit(2018-03-21 04:15:45.356:286) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7ffe24d26de0 a1=0x55de0254b3c0 a2=0x55de0254b3c0 a3=0x24d26d00 items=1 ppid=621 pid=677 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=PATH msg=audit(2018-03-21 04:15:45.356:286) : item=0 name=/tmp/my-passwd inode=20618 dev=00:29 mode=link,777 ouid=rgb ogid=rgb rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=ANOM_LINK msg=audit(2018-03-21 04:15:45.356:286) : op=follow_link ppid=621 pid=677 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no
----
type=PROCTITLE msg=audit(2018-03-21 04:15:56.688:287) : proctitle=ln /tmp/test /tmp/test-ln
type=PATH msg=audit(2018-03-21 04:15:56.688:287) : item=1 name=/tmp/ inode=15168 dev=00:29 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(2018-03-21 04:15:56.688:287) : item=0 name=/tmp/test inode=20018 dev=00:29 mode=file,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(2018-03-21 04:15:56.688:287) : cwd=/home/rgb
type=SYSCALL msg=audit(2018-03-21 04:15:56.688:287) : arch=x86_64 syscall=linkat success=no exit=EPERM(Operation not permitted) a0=0xffffff9c a1=0x7fff7f3ac62e a2=0xffffff9c a3=0x7fff7f3ac638 items=2 ppid=650 pid=680 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=pts0 ses=3 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=PATH msg=audit(2018-03-21 04:15:56.688:287) : item=0 name=/tmp/test inode=20018 dev=00:29 mode=file,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=ANOM_LINK msg=audit(2018-03-21 04:15:56.688:287) : op=linkat ppid=650 pid=680 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=pts0 ses=3 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no
----
type=PROCTITLE msg=audit(2018-03-21 04:15:56.691:288) : proctitle=ln test test-ln
type=PATH msg=audit(2018-03-21 04:15:56.691:288) : item=1 name=/tmp inode=15168 dev=00:29 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(2018-03-21 04:15:56.691:288) : item=0 name=test inode=20018 dev=00:29 mode=file,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=no ne cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(2018-03-21 04:15:56.691:288) : cwd=/tmp
type=SYSCALL msg=audit(2018-03-21 04:15:56.691:288) : arch=x86_64 syscall=linkat success=no exit=EPERM(Operation not permitted) a0=0xffffff9c a1=0x7ffd01e3e62c a2=0xffffff9c a3=0x7ffd01e3e631 items=2 ppid=650 pid=681 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=pts0 ses=3 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=PATH msg=audit(2018-03-21 04:15:56.691:288) : item=0 name=/tmp/test inode=20018 dev=00:29 mode=file,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=ANOM_LINK msg=audit(2018-03-21 04:15:56.691:288) : op=linkat ppid=650 pid=681 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=pts0 ses=3 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no
----
Here are the resulting events for symlink and hardlink for each of CWD!=PARENT
and CWD=PARENT based on audit/next 11dd266:
----
type=PROCTITLE msg=audit(2018-03-21 04:29:41.556:315) : proctitle=ls --color=auto /tmp/my-passwd
type=PATH msg=audit(2018-03-21 04:29:41.556:315) : item=0 name=/tmp/my-passwd inode=19641 dev=00:26 mode=link,777 ouid=rgb ogid=rgb rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(2018-03-21 04:29:41.556:315) : cwd=/root
type=SYSCALL msg=audit(2018-03-21 04:29:41.556:315) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7ffd4585565a a1=0x5649fb468fd0 a2=0x5649fb468fd0 a3=0x45855600 items=1 ppid=694 pid=714 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=6 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_LINK msg=audit(2018-03-21 04:29:41.556:315) : op=follow_link ppid=694 pid=714 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=6 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no
----
type=PROCTITLE msg=audit(2018-03-21 04:29:41.562:316) : proctitle=ls --color=auto my-passwd
type=PATH msg=audit(2018-03-21 04:29:41.562:316) : item=0 name=my-passwd inode=19641 dev=00:26 mode=link,777 ouid=rgb ogid=rgb rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(2018-03-21 04:29:41.562:316) : cwd=/tmp
type=SYSCALL msg=audit(2018-03-21 04:29:41.562:316) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7fff7fe3c653 a1=0x55d9f875dfd0 a2=0x55d9f875dfd0 a3=0x7fe3c600 items=1 ppid=694 pid=715 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=6 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_LINK msg=audit(2018-03-21 04:29:41.562:316) : op=follow_link ppid=694 pid=715 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=6 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no
----
type=PROCTITLE msg=audit(2018-03-21 04:29:54.709:317) : proctitle=ln /tmp/test /tmp/test-ln
type=PATH msg=audit(2018-03-21 04:29:54.709:317) : item=1 name=/tmp/ inode=13038 dev=00:26 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(2018-03-21 04:29:54.709:317) : item=0 name=/tmp/test inode=18720 dev=00:26 mode=file,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(2018-03-21 04:29:54.709:317) : cwd=/home/rgb
type=SYSCALL msg=audit(2018-03-21 04:29:54.709:317) : arch=x86_64 syscall=linkat success=no exit=EPERM(Operation not permitted) a0=0xffffff9c a1=0x7ffc468b2dbb a2=0xffffff9c a3=0x7ffc468b2dc5 items=2 ppid=661 pid=718 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=ttyS0 ses=5 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_LINK msg=audit(2018-03-21 04:29:54.709:317) : op=linkat ppid=661 pid=718 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=ttyS0 ses=5 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no
----
type=PROCTITLE msg=audit(2018-03-21 04:29:54.714:318) : proctitle=ln test test-ln
type=PATH msg=audit(2018-03-21 04:29:54.714:318) : item=1 name=/tmp inode=13038 dev=00:26 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(2018-03-21 04:29:54.714:318) : item=0 name=test inode=18720 dev=00:26 mode=file,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(2018-03-21 04:29:54.714:318) : cwd=/tmp
type=SYSCALL msg=audit(2018-03-21 04:29:54.714:318) : arch=x86_64 syscall=linkat success=no exit=EPERM(Operation not permitted) a0=0xffffff9c a1=0x7ffc06b99db9 a2=0xffffff9c a3=0x7ffc06b99dbe items=2 ppid=661 pid=719 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=ttyS0 ses=5 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_LINK msg=audit(2018-03-21 04:29:54.714:318) : op=linkat ppid=661 pid=719 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=ttyS0 ses=5 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no
----
See: https://github.com/linux-audit/audit-kernel/issues/21
See also: https://github.com/linux-audit/audit-kernel/issues/51
Changelog:
v4:
- fix call from may_follow_link() to audit_log_link_denied() param count
v3:
- rebase on previously accepted 1/4 and 2/4 patches and drop them
- drop parent record audit_log_symlink_denied()
v2:
- remove now supperfluous struct path * parameter from audit_log_link_denied()
- refactor audit_log_symlink_denied() to properly free memory (pathname, filename)
Richard Guy Briggs (2):
audit: remove path param from link denied function
audit: add refused symlink to audit_names
fs/namei.c | 5 +++--
include/linux/audit.h | 6 ++----
kernel/audit.c | 3 +--
3 files changed, 6 insertions(+), 8 deletions(-)
--
1.8.3.1
6 years, 6 months
[ANNOUNCE] Linux Security Summit North America 2018 - CFP
by James Morris
==============================================================================
ANNOUNCEMENT AND CALL FOR PARTICIPATION
LINUX SECURITY SUMMIT NORTH AMERICA 2018
27-28 August
VANCOUVER, CANADA
==============================================================================
DESCRIPTION
The Linux Security Summit (LSS) is a technical forum for collaboration
between Linux developers, researchers, and end users. Its primary aim is to
foster community efforts in analyzing and solving Linux security challenges.
LSS will be held this year as two separate events, one in North America
(LSS-NA), and one in Europe (LSS-EU), to facilitate broader participation in
Linux Security development. Note that this CFP is for LSS-NA; a separate CFP
will be announced for LSS-EU in May. We encourage everyone to attend both
events.
The program committee currently seeks proposals for:
* Refereed Presentations:
45 minutes in length.
* Panel Discussion Topics:
45 minutes in length.
* Short Topics:
30 minutes in total, including at least 10 minutes discussion.
* BoF Sessions.
Topic areas include, but are not limited to:
* Kernel self-protection
* Access control
* Cryptography and key management
* Integrity control
* Hardware Security
* Iot and embedded security
* Virtualization and containers
* System-specific system hardening
* Case studies
* Security tools
* Security UX
* Emerging technologies, threats & techniques
Proposals should be submitted via:
https://events.linuxfoundation.org/events/linux-security-summit-north-ame...
DATES
* CFP Close: June 3, 2018
* CFP Notifications: June 11, 2018
* Schedule Announced: June 25, 2018
* Event: August 27-28, 2018
WHO SHOULD ATTEND
We're seeking a diverse range of attendees, and welcome participation by
people involved in Linux security development, operations, and research.
The LSS is a unique global event which provides the opportunity to present
and discuss your work or research with key Linux security community members
and maintainers. It’s also useful for those who wish to keep up with the
latest in Linux security development, and to provide input to the
development process.
WEB SITE
https://events.linuxfoundation.org/events/linux-security-summit-north-ame...
TWITTER
For event updates and announcements, follow:
https://twitter.com/LinuxSecSummit
PROGRAM COMMITTEE
The program committee for LSS 2018 is:
* James Morris, Microsoft
* Serge Hallyn, Cisco
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Elena Reshetova, Intel
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM
* David A. Wheeler, Institute for Defense Analyses
The program committee may be contacted as a group via email:
lss-pc () lists.linuxfoundation.org
6 years, 6 months
Can auditd run in lxc on centos7
by Bob Beck
Hi,
I am attempting to run auditd in centos7 inside a lxc container.
Here is the log I get when I run auditd -f
onfig file /etc/audit/auditd.conf opened for parsing
log_file_parser called with: /var/log/audit.log
log_format_parser called with: RAW
log_group_parser called with: root
priority_boost_parser called with: 4
flush_parser called with: INCREMENTAL
freq_parser called with: 20
num_logs_parser called with: 5
qos_parser called with: lossy
dispatch_parser called with: /usr/sbin/audispd
name_format_parser called with: NONE
max_log_size_parser called with: 6
max_log_size_action_parser called with: ROTATE
space_left_parser called with: 75
space_action_parser called with: SYSLOG
action_mail_acct_parser called with: root
admin_space_left_parser called with: 50
admin_space_left_action_parser called with: SUSPEND
disk_full_action_parser called with: SUSPEND
disk_error_action_parser called with: SUSPEND
tcp_listen_queue_parser called with: 5
tcp_max_per_addr_parser called with: 1
tcp_client_max_idle_parser called with: 0
enable_krb5_parser called with: no
GSSAPI support is not enabled, ignoring value at line 30
krb5_principal_parser called with: auditd
GSSAPI support is not enabled, ignoring value at line 31
Started dispatcher: /usr/sbin/audispd pid: 3028
type=DAEMON_START msg=audit(1522944040.042:592): op=start ver=2.8.4
format=raw kernel=3.10.0-693.17.1.el7.centos.plus.i686 auid=4294967295
pid=3026 uid=0 ses=4294967295 subj=system_u:system_r:init_t res=success
config_manager init complete
Error sending status request (Connection refused)
Error sending enable request (Connection refused)
type=DAEMON_ABORT msg=audit(1522944040.043:593): op=set-enable
auid=4294967295 pid=3026 uid=0 ses=4294967295 subj=system_u:system_r:init_t
res=failed
Unable to set initial audit startup state to 'enable', exiting
The audit daemon is exiting.
Error setting audit daemon pid (Connection refused)
6 years, 6 months
[PATCH] audit: allow not equal op for audit by executable
by Ondrej Mosnacek
Current implementation of auditing by executable name only implements
the 'equal' operator. This patch extends it to also support the 'not
equal' operator.
See: https://github.com/linux-audit/audit-kernel/issues/53
Signed-off-by: Ondrej Mosnacek <omosnace(a)redhat.com>
---
Hi Paul,
this turned out to be easier than I anticipated so I'm sending the patch
already :) I hope I got everything right. Note that the userspace tools
also need to be updated to check the feature bit and allow/disallow the
operator based on that.
Ondrej
include/uapi/linux/audit.h | 18 ++++++++++--------
kernel/auditfilter.c | 2 +-
kernel/auditsc.c | 2 ++
3 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 4e61a9e05132..03393f7e8932 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -333,13 +333,14 @@ enum {
#define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
#define AUDIT_STATUS_LOST 0x0040
-#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
-#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
-#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
-#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
-#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
-#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
-#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
+#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
+#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
+#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
+#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
+#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
+#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
+#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
+#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ 0x00000080
#define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
@@ -347,7 +348,8 @@ enum {
AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
AUDIT_FEATURE_BITMAP_LOST_RESET | \
- AUDIT_FEATURE_BITMAP_FILTER_FS)
+ AUDIT_FEATURE_BITMAP_FILTER_FS | \
+ AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ)
/* deprecated: AUDIT_VERSION_* */
#define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index d7a807e81451..a0c5a3ec6e60 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
return -EINVAL;
break;
case AUDIT_EXE:
- if (f->op != Audit_equal)
+ if (f->op != Audit_not_equal && f->op != Audit_equal)
return -EINVAL;
if (entry->rule.listnr != AUDIT_FILTER_EXIT)
return -EINVAL;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4e0a4ac803db..479c031ec54c 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct *tsk,
break;
case AUDIT_EXE:
result = audit_exe_compare(tsk, rule->exe);
+ if (f->op == Audit_not_equal)
+ result = !result;
break;
case AUDIT_UID:
result = audit_uid_comparator(cred->uid, f->op, f->uid);
--
2.14.3
6 years, 6 months
[GIT PULL] Audit patches for v4.17
by Paul Moore
Hi Linus,
We didn't have anything to send for v4.16, but we're back with a
little more than usual for v4.17. Eleven patches in total, most fall
into the small fix category, but there are three non-trivial changes
worth calling out: the audit entry filter is being removed after
deprecating it for quite a while (years of no one really using it
because it turns out to be not very practical), created our own
version of "__mutex_owner()" because the locking folks were upset we
were using theirs, improved our handling of kernel command line
parameters to make them more forgiving, and we fixed auditing of
symlink operations.
Everything passes the audit-testsuite and as of a few minutes ago it
merges well with your tree.
Please pull, thanks.
-Paul
--
The following changes since commit d8a5b80568a9cb66810e75b182018e9edb68e8ff:
Linux 4.15 (2018-01-28 13:20:33 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git tags/audit-pr-
20180403
for you to fetch changes up to ea841bafda3f7f9aa8b06a09f0f3e41c207af84f:
audit: add refused symlink to audit_names (2018-03-21 11:31:03 -0400)
----------------------------------------------------------------
audit/stable-4.17 PR 20180403
----------------------------------------------------------------
Greg Edwards (1):
audit: do not panic on invalid boot parameter
Paul Moore (1):
audit: track the owner of the command mutex ourselves
Richard Guy Briggs (9):
audit: update bugtracker and source URIs
audit: session ID should not set arch quick field pointer
audit: deprecate the AUDIT_FILTER_ENTRY filter
audit: bail before bug check if audit disabled
audit: return on memory error to avoid null pointer dereference
audit: make ANOM_LINK obey audit_enabled and audit_dummy_context
audit: link denied should not directly generate PATH record
audit: remove path param from link denied function
audit: add refused symlink to audit_names
Documentation/admin-guide/kernel-parameters.txt | 14 +--
MAINTAINERS | 1 -
fs/namei.c | 5 +-
include/linux/audit.h | 6 +-
kernel/audit.c | 108 +++++++++++++++++-------
kernel/audit.h | 3 +-
kernel/audit_tree.c | 8 +-
kernel/auditfilter.c | 5 +-
kernel/auditsc.c | 22 +++--
9 files changed, 106 insertions(+), 66 deletions(-)
--
paul moore
www.paul-moore.com
6 years, 7 months