Question about audit_filter_rules
by Ondrej Mosnacek
Hi,
I noticed this suspicious line in the definition of the
audit_filter_rules function in auditsc.c:
[...]
case AUDIT_SESSIONID:
sessionid = audit_get_sessionid(current); // <--- HERE
result = audit_comparator(sessionid, f->op, f->val);
break;
[...]
Here, the sessionid is retrieved from the current task pointer, while
all the other code in this function compares against the tsk task
pointer. It seems that it is not always guaranteed that tsk ==
current, so my question is: Is it intentional for some reason or
should it be tsk instead of current?
Thanks,
--
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.
6 years, 5 months
[ANNOUNCE] Linux Security Summit Europe 2018 - CFP
by Reshetova, Elena
==============================================================================
ANNOUNCEMENT AND CALL FOR PARTICIPATION
LINUX SECURITY SUMMIT EUROPE 2018
25-26 October
EDINBURGH, UK
==============================================================================
DESCRIPTION
The Linux Security Summit (LSS) is a technical forum for collaboration
between Linux developers, researchers, and end users. Its primary aim is to
foster community efforts in analyzing and solving Linux security challenges.
This year, for the first time, the Linux Security Summit is going to
be also held in Europe (LSS-EU) in order to facilitate broader participation in Linux
Security development. Similar to LSS-North America, LSS-EU provides a unique
opportunity for to have discussions and networking opportunities with key people
in the Linux kernel security community , present your work and ideas and
affect the future direction of Linux security.
In addition to the refereed presentations, panels and BoF sessions, this year's
LSS-EU program will have an introduction into various Linux kernel security
subsystems in order to get participants acquainted with their main concepts
and goals, as well as outline the areas of future development, where contribution
by the community is welcomed.
The program committee currently seeks proposals for:
* Refereed Presentations:
45 minutes in length.
* Panel Discussion Topics:
45 minutes in length.
* Short Topics:
30 minutes in total, including at least 10 minutes discussion.
* BoF Sessions.
Topic areas include, but are not limited to:
* Kernel self-protection
* Access control
* Cryptography and key management
* Integrity control
* Hardware Security
* Iot and embedded security
* Virtualization and containers
* System-specific system hardening
* Case studies
* Security tools
* Security UX
* Emerging technologies, threats & techniques
Proposals should be submitted via:
https://events.linuxfoundation.org/events/linux-security-summit-europe-20...
DATES
* CFP Close: July 16, 2018
* CFP Notifications: July 23, 2018
* Schedule Announced: Aug 25, 2018
* Event: October 25-26, 2018
WHO SHOULD ATTEND
We're seeking a diverse range of attendees, and welcome participation by
people involved in Linux security development, operations, and research.
The LSS is a unique global event which provides the opportunity to present
and discuss your work or research with key Linux security community members
and maintainers. It?s also useful for those who wish to keep up with the
latest in Linux security development, and to provide input to the
development process.
WEB SITE
https://events.linuxfoundation.org/events/linux-security-summit-europe-2018/
TWITTER
For event updates and announcements, follow:
https://twitter.com/LinuxSecSummit
PROGRAM COMMITTEE
The program committee for LSS-EU 2018 is:
* Elena Reshetova, Intel
* James Morris, Microsoft
* Serge Hallyn, Cisco
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM
* David A. Wheeler, Institute for Defense Analyses
The program committee may be contacted as a group via email:
lss-pc () lists.linuxfoundation.org
6 years, 5 months
[PATCH ghak81 RFC V2 0/5] audit: group task params
by Richard Guy Briggs
Group the audit parameters for each task into one structure.
In particular, remove the loginuid and sessionid values and the audit
context pointer from the task structure, replacing them with an audit
task information structure to contain them. Use access functions to
access audit values.
Note: Use static allocation of the audit task information structure
initially. Dynamic allocation was considered and attempted, but isn't
ready yet. Static allocation has the limitation that future audit task
information structure changes would cause a visible change to the rest
of the kernel, whereas dynamic allocation would mostly hide any future
changes.
The first four access normalization patches could stand alone.
Passes audit-testsuite.
Changelog:
v2
- p2/5: add audit header to init/init_task.c to quiet kbuildbot
- audit_signal_info(): fetch loginuid once
- remove task_struct from audit_context() param list
- remove extra task_struct local vars
- do nothing on request to set audit context when audit is disabled
Richard Guy Briggs (5):
audit: normalize loginuid read access
audit: convert sessionid unset to a macro
audit: use inline function to get audit context
audit: use inline function to set audit context
audit: collect audit task parameters
MAINTAINERS | 2 +-
include/linux/audit.h | 28 ++++++++---
include/linux/audit_task.h | 31 ++++++++++++
include/linux/sched.h | 6 +--
include/net/xfrm.h | 4 +-
include/uapi/linux/audit.h | 1 +
init/init_task.c | 8 ++-
kernel/audit.c | 6 +--
kernel/audit_watch.c | 2 +-
kernel/auditsc.c | 97 +++++++++++++++++-------------------
kernel/fork.c | 2 +-
net/bridge/netfilter/ebtables.c | 2 +-
net/core/dev.c | 2 +-
net/netfilter/x_tables.c | 2 +-
net/netlabel/netlabel_user.c | 2 +-
security/integrity/ima/ima_api.c | 2 +-
security/integrity/integrity_audit.c | 2 +-
security/lsm_audit.c | 2 +-
security/selinux/hooks.c | 4 +-
security/selinux/selinuxfs.c | 6 +--
security/selinux/ss/services.c | 12 ++---
21 files changed, 133 insertions(+), 90 deletions(-)
create mode 100644 include/linux/audit_task.h
--
1.8.3.1
6 years, 5 months
[PATCH 00/18] Convert default pr_fmt from empty to KBUILD_MODNAME
by Joe Perches
pr_<level> logging uses allow a prefix to be specified with a
specific #define pr_fmt
The default of pr_fmt in printk.h is #define pr_fmt(fmt) fmt
so no prefixing of logging output is generically done.
There are several output logging uses like dump_stack() that are
unprefixed and should remain unprefixed.
This patch series attempts to convert the default #define of pr_fmt to
KBUILD_MODNAME ": " fmt and as well update the various bits of the kernel
that should _not_ be prefixed by adding #define pr_fmt(fmt) fmt to those
compilation units that do not want output message prefixing.
There are about 1200 uses of #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
that could be removed if the default is changed.
A script that does this removal (and removes any blank lines that follow)
for the linux-kernel tree is included below:
$ git grep -P --name-only "define\s+pr_fmt\b" | \
grep -v include/linux/printk.h | \
xargs perl -i -e 'local $/; while (<>) {s/(\n)*[ \t]*#[ \t]*define[ \t]+pr_fmt[ \t]*\([ \t]*(\w+)[ \t]*\)[ \t]*KBUILD_MODNAME[ \t]*\": \"[ \t]*\2[ \t]*\n\s*/\1\n/; s/^\n//; print;}'
This script should be run after this patch series is applied.
The above script output diff is currently:
1198 files changed, 70 insertions(+), 2241 deletions(-)
Joe Perches (18):
kernel: Use pr_fmt
lib: Use pr_fmt
printk: Convert pr_fmt from blank define to KBUILD_MODNAME
x86: Remove pr_fmt duplicate logging prefixes
x86/mtrr: Rename main.c to mtrr.c and remove duplicate prefixes
net: Remove pr_fmt duplicate logging prefixes
blk-mq: Remove pr_fmt duplicate logging prefixes
random: Remove pr_fmt duplicate logging prefixes
ptp: Remove pr_fmt duplicate logging prefixes
efifb: Remove pr_fmt duplicate logging prefixes
proc: Remove pr_fmt duplicate logging prefixes
uprobes: Remove pr_fmt duplicate logging prefixes
printk: Remove pr_fmt duplicate logging prefixes
lib/mpi: Remove pr_fmt duplicate logging prefixes
security: Remove pr_fmt duplicate logging prefixes
aoe: Remove pr_fmt duplicate logging prefixes
security: encrypted-keys: Remove pr_fmt duplicate logging prefixes
rcu: Use pr_fmt to prefix "rcu: " to logging output
arch/x86/events/amd/ibs.c | 2 +-
arch/x86/kernel/cpu/mtrr/Makefile | 2 +-
arch/x86/kernel/cpu/mtrr/{main.c => mtrr.c} | 33 ++++++-------
arch/x86/kernel/e820.c | 32 ++++++------
arch/x86/kernel/hpet.c | 5 +-
arch/x86/kernel/uprobes.c | 4 +-
arch/x86/mm/numa.c | 22 ++++-----
block/blk-mq.c | 9 ++--
drivers/block/aoe/aoeblk.c | 29 ++++++-----
drivers/block/aoe/aoechr.c | 11 ++---
drivers/block/aoe/aoecmd.c | 34 ++++++-------
drivers/block/aoe/aoedev.c | 19 +++-----
drivers/block/aoe/aoemain.c | 6 +--
drivers/block/aoe/aoenet.c | 19 +++-----
drivers/char/hw_random/via-rng.c | 10 ++--
drivers/char/random.c | 16 +++---
drivers/ptp/ptp_clock.c | 4 +-
drivers/video/fbdev/efifb.c | 48 +++++++++---------
fs/proc/root.c | 6 +--
include/linux/printk.h | 2 +-
kernel/acct.c | 2 +
kernel/async.c | 14 +++---
kernel/audit_tree.c | 2 +-
kernel/backtracetest.c | 8 +--
kernel/crash_core.c | 29 ++++++-----
kernel/events/uprobes.c | 3 +-
kernel/exit.c | 2 +
kernel/hung_task.c | 13 +++--
kernel/kprobes.c | 20 +++++---
kernel/module.c | 59 +++++++++++------------
kernel/panic.c | 3 ++
kernel/params.c | 13 +++--
kernel/pid.c | 2 +
kernel/printk/printk.c | 2 +-
kernel/profile.c | 2 +
kernel/range.c | 2 +-
kernel/rcu/rcu_segcblist.c | 2 +
kernel/rcu/rcuperf.c | 10 ++--
kernel/rcu/rcutorture.c | 46 +++++++++---------
kernel/rcu/srcutiny.c | 2 +
kernel/rcu/srcutree.c | 5 +-
kernel/rcu/tiny.c | 3 ++
kernel/rcu/tree.c | 8 +--
kernel/rcu/tree_plugin.h | 67 +++++++++++++++-----------
kernel/rcu/update.c | 19 +++++---
kernel/relay.c | 5 +-
kernel/seccomp.c | 4 +-
kernel/signal.c | 10 ++--
kernel/smpboot.c | 5 +-
kernel/taskstats.c | 4 +-
kernel/torture.c | 6 ++-
kernel/tracepoint.c | 3 ++
kernel/workqueue.c | 2 +
lib/cpu_rmap.c | 15 +++---
lib/crc32test.c | 2 +
lib/earlycpio.c | 5 +-
lib/find_bit_benchmark.c | 2 +
lib/kobject.c | 36 +++++++-------
lib/kobject_uevent.c | 27 +++++------
lib/mpi/mpicoder.c | 10 ++--
lib/nmi_backtrace.c | 3 ++
lib/percpu_ida.c | 4 +-
lib/percpu_test.c | 2 +
lib/random32.c | 10 ++--
lib/stmp_device.c | 2 +
lib/string.c | 2 +
lib/swiotlb.c | 4 +-
lib/test_debug_virtual.c | 2 +
lib/test_rhashtable.c | 44 +++++++++--------
lib/test_sort.c | 2 +
lib/ubsan.c | 61 ++++++++++++-----------
net/ipv4/ipconfig.c | 59 ++++++++++-------------
net/ipv4/ipmr.c | 2 +-
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 9 ++--
net/ipv6/ip6mr.c | 2 +-
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 6 +--
net/ipv6/netfilter/nf_defrag_ipv6_hooks.c | 4 +-
net/netfilter/nf_conntrack_helper.c | 11 ++---
net/netfilter/nf_conntrack_standalone.c | 2 +-
net/socket.c | 2 +-
security/keys/encrypted-keys/encrypted.c | 63 +++++++++++-------------
security/selinux/selinuxfs.c | 29 ++++++-----
82 files changed, 580 insertions(+), 532 deletions(-)
rename arch/x86/kernel/cpu/mtrr/{main.c => mtrr.c} (96%)
--
2.15.0
6 years, 5 months
[PATCH ghak81 RFC V1 0/5] audit: group task params
by Richard Guy Briggs
Group the audit parameters for each task into one structure.
In particular, remove the loginuid and sessionid values and the audit
context pointer from the task structure, replacing them with an audit
task information structure to contain them. Use access functions to
access audit values.
Note: Use static allocation of the audit task information structure
initially. Dynamic allocation was considered and attempted, but isn't
ready yet. Static allocation has the limitation that future audit task
information structure changes would cause a visible change to the rest
of the kernel, whereas dynamic allocation would mostly hide any future
changes.
The first four access normalization patches could stand alone.
Passes audit-testsuite.
Richard Guy Briggs (5):
audit: normalize loginuid read access
audit: convert sessionid unset to a macro
audit: use inline function to get audit context
audit: use inline function to set audit context
audit: collect audit task parameters
MAINTAINERS | 2 +-
include/linux/audit.h | 30 ++++++++++---
include/linux/audit_task.h | 31 ++++++++++++++
include/linux/sched.h | 6 +--
include/net/xfrm.h | 4 +-
include/uapi/linux/audit.h | 1 +
init/init_task.c | 8 +++-
kernel/audit.c | 4 +-
kernel/audit_watch.c | 2 +-
kernel/auditsc.c | 82 ++++++++++++++++++------------------
kernel/fork.c | 2 +-
net/bridge/netfilter/ebtables.c | 2 +-
net/core/dev.c | 2 +-
net/netfilter/x_tables.c | 2 +-
net/netlabel/netlabel_user.c | 2 +-
security/integrity/ima/ima_api.c | 2 +-
security/integrity/integrity_audit.c | 2 +-
security/lsm_audit.c | 2 +-
security/selinux/hooks.c | 4 +-
security/selinux/selinuxfs.c | 6 +--
security/selinux/ss/services.c | 12 +++---
21 files changed, 129 insertions(+), 79 deletions(-)
create mode 100644 include/linux/audit_task.h
--
1.8.3.1
6 years, 5 months
How to use exclude directory or file
by George Sarker
Hello,
I am trying to exclude a directory and all of its sub-directories and
contents from being audited.
I used this link https://access.redhat.com/solutions/416863
I generated this syntax :
-a never,exclude -F path=/root/test
However, I am still getting audits from scripts generating files within
this path.
Can you suggest a proper configuration for excluding a directory along with
its sub-directories and contents.
We are on RHEL 6.9 and currently our audit version is
: audit-2.4.5-3.el6.x86_64
Thanks for your support!
George Sarker.
6 years, 5 months
How to use exclude directory or file
by George Sarker
Hello,
I am trying to exclude a directory and all of its sub-directories and
contents from being audited.
I used this link https://access.redhat.com/solutions/416863
I generated this syntax :
-a never,exclude -F path=/root/test
However, I am still getting audits from scripts generating files within
this path.
Can you suggest a proper configuration for excluding a directory along with
its sub-directories and contents.
We are on RHEL 6.9 and currently our audit version is
: audit-2.4.5-3.el6.x86_64
Thanks for your support!
6 years, 5 months
[PATCH v3 0/4] Better integrate seccomp logging and auditing
by Tyler Hicks
Seccomp received improved logging controls in v4.14. Applications can opt into
logging of "handled" actions (SECCOMP_RET_TRAP, SECCOMP_RET_TRACE,
SECCOMP_RET_ERRNO) using the SECCOMP_FILTER_FLAG_LOG bit when loading filters.
They can also debug filter matching with the new SECCOMP_RET_LOG action.
Administrators can prevent specific actions from being logged using the
kernel.seccomp.actions_logged sysctl.
However, one corner case intentionally wasn't addressed in those v4.14 changes.
When a process is being inspected by the audit subsystem, seccomp's decision
making for logging ignores the new controls and unconditionally logs every
action taken except for SECCOMP_RET_ALLOW. This isn't particularly useful since
many existing applications don't intend to log handled actions due to them
occurring very frequently. This amount of logging fills the audit logs without
providing many benefits now that application authors have fine grained controls
at their disposal.
This patch set aligns the seccomp logging behavior for both audited and
non-audited processes. It also emits an audit record, if auditing is enabled,
when the kernel.seccomp.actions_logged sysctl is written to so that there's a
paper trail when entire actions are quieted.
Changes in v3:
* Patch 3
- Never drop a field when emitting the audit record
- Use the value "?" for the actions field when an error occurred while
writing to the sysctl
- Use the value "?" for the actions and/or old-actions fields when a failure
to translate actions to names
- Use the value "(none)" for the actions and/or old-actions fields when no
actions are specified
+ This is possible when writing an empty string to the sysctl
- Update the commit message to note the new values and give an example of
when an empty string is written
* Patch 4
- Adjust the control flow of seccomp_log() to exit early if nothing should be
logged
Changes in v2:
* Patch 2
- New patch, allowing for a configurable separator between action names
* Patch 3
- The value of the actions field in the audit record now uses a comma instead
of a space
- The value of the actions field in the audit record is no longer enclosed in
quotes
- audit_log_start() is called with the current processes' audit_context in
audit_seccomp_actions_logged()
- audit_seccomp_actions_logged() no longer records the pid, uid, auid, tty,
ses, task context, comm, or executable path
- The new and old value of seccomp_actions_logged is recorded in the
AUDIT_CONFIG_CHANGE record
- The value of the "res" field in the CONFIG_CHANGE audit record is corrected
(1 indicates success, 0 failure)
- Updated patch 3's commit message to reflect the updated audit record format
in the examples
* Patch 4
- A function comment for audit_seccomp() was added to explain, among other
things, that event filtering is performed in seccomp_log()
Tyler
6 years, 5 months
[PATCH v2 0/4] Better integrate seccomp logging and auditing
by Tyler Hicks
Seccomp received improved logging controls in v4.14. Applications can opt into
logging of "handled" actions (SECCOMP_RET_TRAP, SECCOMP_RET_TRACE,
SECCOMP_RET_ERRNO) using the SECCOMP_FILTER_FLAG_LOG bit when loading filters.
They can also debug filter matching with the new SECCOMP_RET_LOG action.
Administrators can prevent specific actions from being logged using the
kernel.seccomp.actions_logged sysctl.
However, one corner case intentionally wasn't addressed in those v4.14 changes.
When a process is being inspected by the audit subsystem, seccomp's decision
making for logging ignores the new controls and unconditionally logs every
action taken except for SECCOMP_RET_ALLOW. This isn't particularly useful since
many existing applications don't intend to log handled actions due to them
occurring very frequently. This amount of logging fills the audit logs without
providing many benefits now that application authors have fine grained controls
at their disposal.
This patch set aligns the seccomp logging behavior for both audited and
non-audited processes. It also emits an audit record, if auditing is enabled,
when the kernel.seccomp.actions_logged sysctl is written to so that there's a
paper trail when entire actions are quieted.
Changes since v1:
* Patch 1
- No changes
* Patch 2
- New patch, allowing for a configurable separator between action names
* Patch 3
- The value of the actions field in the audit record now uses a comma instead
of a space
- The value of the actions field in the audit record is no longer enclosed in
quotes
- audit_log_start() is called with the current processes' audit_context in
audit_seccomp_actions_logged()
- audit_seccomp_actions_logged() no longer records the pid, uid, auid, tty,
ses, task context, comm, or executable path
- The new and old value of seccomp_actions_logged is recorded in the
AUDIT_CONFIG_CHANGE record
- The value of the "res" field in the CONFIG_CHANGE audit record is corrected
(1 indicates success, 0 failure)
- Updated patch 3's commit message to reflect the updated audit record format
in the examples
* Patch 4
- A function comment for audit_seccomp() was added to explain, among other
things, that event filtering is performed in seccomp_log()
Tyler
6 years, 6 months
What does audisp/plugins.d/syslog.conf LOG_WARN not show?
by leam hall
(RHEL 6, default audit rpms)
We're trying to cut down on spurious logging but have some logging
mandated (STIG environment). If the syslog.conf file in
audisp/plugins.d/syslog.conf is set with "args = LOG_WARN", will the
events in audit.rules still be logged?
Thanks!
Leam
6 years, 6 months