[PATCH 0/3] Better integrate seccomp logging and auditing
by Tyler Hicks
Seccomp received improved logging controls in v4.14. Applications can opt into
logging of "handled" actions (SECCOMP_RET_TRAP, SECCOMP_RET_TRACE,
SECCOMP_RET_ERRNO) using the SECCOMP_FILTER_FLAG_LOG bit when loading filters.
They can also debug filter matching with the new SECCOMP_RET_LOG action.
Administrators can prevent specific actions from being logged using the
kernel.seccomp.actions_logged sysctl.
However, one corner case intentionally wasn't addressed in those v4.14 changes.
When a process is being inspected by the audit subsystem, seccomp's decision
making for logging ignores the new controls and unconditionally logs every
action taken except for SECCOMP_RET_ALLOW. This isn't particularly useful since
many existing applications don't intend to log handled actions due to them
occurring very frequently. This amount of logging fills the audit logs without
providing many benefits now that application authors have fine grained controls
at their disposal.
This patch set aligns the seccomp logging behavior for both audited and
unaudited processes. It also emits an audit record, if auditing is enabled,
when the kernel.seccomp.actions_logged sysctl is written to so that there's a
paper trail when entire actions are quieted.
Tyler
6 years, 6 months
[PATCH] audit: allow other filter list types for AUDIT_EXE
by Ondrej Mosnacek
This patch removes the restriction of the AUDIT_EXE field to only
SYSCALL filter and teaches audit_filter to recognize this field.
This makes it possible to write rule lists such as:
auditctl -a exit,always [some general rule]
# Filter out events with executable name /bin/exe1 or /bin/exe2:
auditctl -a exclude,always -F exe=/bin/exe1
auditctl -a exclude,always -F exe=/bin/exe2
See: https://github.com/linux-audit/audit-kernel/issues/54
Signed-off-by: Ondrej Mosnacek <omosnace(a)redhat.com>
---
kernel/auditfilter.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index a0c5a3ec6e60..8c9abbf20d42 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -428,8 +428,6 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
case AUDIT_EXE:
if (f->op != Audit_not_equal && f->op != Audit_equal)
return -EINVAL;
- if (entry->rule.listnr != AUDIT_FILTER_EXIT)
- return -EINVAL;
break;
}
return 0;
@@ -1362,6 +1360,11 @@ int audit_filter(int msgtype, unsigned int listtype)
f->type, f->op, f->lsm_rule, NULL);
}
break;
+ case AUDIT_EXE:
+ result = audit_exe_compare(current, e->rule.exe);
+ if (f->op == Audit_not_equal)
+ result = !result;
+ break;
default:
goto unlock_and_return;
}
--
2.14.3
6 years, 6 months
Auditing printing
by warron.french
I have a requirement to monitor two (2) things:
1. Print to file
2. Print to (printer) device
What is the best approach for this? I don't see a syscall that looks
appropriate - but that doesn't mean there is not one.
Would I simply do an audit on the *lpr* command? Or is it another command?
I need the ability to monitor printing to both file and device, *FROM*,
linux shell as well as console or GUI.
Can someone advise me on how to accomplish this please?
Thanks in advance,
--------------------------
Warron French
6 years, 6 months