FYI: email change
by Paul Moore
A quick note that my @redhat.com email address is going to stop
working in the next day or two, so if you are using my Red Hat email
address to reach me please start using my @paul-moore.com address.
Everything else, e.g. my community involvement, will remain unaffected.
--
paul moore
www.paul-moore.com
SELinux
by khalid fahad
Hi,
I have a question about SELinux. The question is: (Using the syntax from
sesearch output, provide a list of rules that you would create to confine
file access for a corporate finance application (e.g. accounts
payable/receivable, payroll). You should create type(s) for both the
process(es) and files. Ensure that you consider the wide variety of types
of data that this application would need to access.)
I run the command (sesearch -A | grep -w 'ftpd_t public_content_t')
and I get:
allow ftpd_t public_content_t : dir { ioctl read getattr lock search open } ;
allow ftpd_t public_content_t : lnk_file { read getattr } ;
allow ftpd_t public_content_t : file { ioctl read getattr lock open } ;
Can you help me understand the concept of this question?
best reg,
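As an added example (my own code, not part of the post and not a setools tool), a small Python parser for the allow-rule syntax that sesearch prints, as shown in the output above. It turns each rule into a (source, target, class) -> permission-set mapping so you can ask whether a given access is granted, list which granted permissions can modify data, and print rules back in the same syntax. The three rules are the ones from the post; the parser assumes the layout shown there (a permission set in braces, or a single bare permission, with or without spaces around the colon). The WRITE_LIKE set is a hand-picked subset of file-class permissions used only for the summary.

```python
import re
from collections import defaultdict

# Constructed copy of the three sesearch lines quoted in the post.
SESEARCH_OUTPUT = """\
allow ftpd_t public_content_t : dir { ioctl read getattr lock search open } ;
allow ftpd_t public_content_t : lnk_file { read getattr } ;
allow ftpd_t public_content_t : file { ioctl read getattr lock open } ;
"""

# allow <source> <target> : <class> { perm perm ... } ;
# also accepts setools-4 spacing ("src tgt:cls perm;") and a single bare permission
RULE_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*(?:\{\s*([^}]*)\}|(\S+))\s*;\s*$")

# Hand-picked permissions that let a domain change or remove data (assumption for the summary).
WRITE_LIKE = {"write", "append", "create", "unlink", "rename", "setattr",
              "link", "rmdir", "add_name", "remove_name"}


def parse_allow_rules(text):
    """Return {(source, target, class): set(perms)} from sesearch -A style output."""
    rules = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unrecognised rule: %r" % line)
        src, tgt, cls, perm_set, single = m.groups()
        perms = perm_set.split() if perm_set is not None else [single]
        rules[(src, tgt, cls)].update(perms)
    return dict(rules)


def is_allowed(rules, source, target, cls, perm):
    """True if the parsed rules grant `perm` on objects of `cls` labelled `target` to `source`."""
    return perm in rules.get((source, target, cls), set())


def write_access(rules, source, target):
    """Data-modifying permissions granted to source on target, grouped by object class."""
    return {cls: sorted(perms & WRITE_LIKE)
            for (src, tgt, cls), perms in rules.items()
            if src == source and tgt == target and perms & WRITE_LIKE}


def format_rule(source, target, cls, perms):
    """Print a rule back in the sesearch syntax used in the post."""
    return "allow %s %s : %s { %s } ;" % (source, target, cls, " ".join(sorted(perms)))


if __name__ == "__main__":
    rules = parse_allow_rules(SESEARCH_OUTPUT)
    for key, perms in sorted(rules.items()):
        print(format_rule(*key, perms))
    print("ftpd_t may read public_content_t files:",
          is_allowed(rules, "ftpd_t", "public_content_t", "file", "read"))
    print("data-modifying access:", write_access(rules, "ftpd_t", "public_content_t") or "none")
```

Run as a script it shows what the quoted output already says: these rules give ftpd_t read-only access to public_content_t (no write, create or unlink on any class). That per-class, per-type granularity is what the question is asking you to design for the finance application's own process and file types.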
[RFC PATCH ghak10 v4 0/2] audit: Log modifying adjtimex(2) calls
by Ondrej Mosnacek
Hi,
this patchset implements more detailed auditing of the adjtimex(2)
syscall in order to make it possible to:
a) distinguish modifying vs. read-only calls in the audit log
b) reconstruct from the audit log what changes were made and how they
have influenced the system clock
The main motivation is to be able to detect an adversary that tries to
confuse the audit timestamps by changing system time via adjtimex(2),
but at the same time avoid flooding the audit log with records of benign
read-only adjtimex(2) calls.
@John or other timekeeping/NTP folks: We had a discussion on the audit
ML on which of the internal timekeeping/NTP variables we should actually
log changes for. We are only interested in variables that can (directly
or indirectly) cause noticeable changes to the system clock, but since we
have only limited understanding of the NTP code, we would like to ask
you for advice on which variables are security relevant.
Right now, the patchset is conservative and logs all changes that can be
done via adjtimex(2):
- direct injection of timekeeping offset (obviously relevant)
- adjustment of timekeeping's TAI offset
- NTP value adjustments:
  - time_offset (probably important)
  - time_freq (maybe not important?)
  - time_status (likely important, can cause leap second injection)
  - time_maxerror (maybe not important?)
  - time_esterror (maybe not important?)
  - time_constant (???)
  - time_adjust (sounds important)
  - tick_usec (???)
Could you please give us some hints on the effect of changing these
variables and whether you think that it is important to log their
changes?
Thanks a lot!
GitHub issue: https://github.com/linux-audit/audit-kernel/issues/10
Changes in v4:
- Squashed first two patches into one
- Rename ADJNTPVAL's "type" field to "op" to align with audit record
conventions
- Minor commit message editing
- Cc timekeeping/NTP people for feedback
v3: https://www.redhat.com/archives/linux-audit/2018-July/msg00001.html
Changes in v3:
- Switched to separate records for each variable
- Both old and new values are now reported for each change
- Injecting offset is reported via a separate record (since this
offset consists of two values and is added directly to the clock,
i.e. it doesn't make sense to log old and new value)
- Added example records produced by chronyd -q (see the commit message
of the last patch)
v2: https://www.redhat.com/archives/linux-audit/2018-June/msg00114.html
Changes in v2:
- The audit_adjtime() function has been modified to only log those
fields that contain values that are actually used, resulting in more
compact records.
- The audit_adjtime() call has been moved to do_adjtimex() in
timekeeping.c
- Added an additional patch (for review) that simplifies the detection
of whether the syscall is read-only.
v1: https://www.redhat.com/archives/linux-audit/2018-June/msg00095.html
Ondrej Mosnacek (2):
audit: Add functions to log time adjustments
timekeeping/ntp: Audit clock/NTP params adjustments
include/linux/audit.h      | 21 ++++++++++++++++
include/uapi/linux/audit.h |  2 ++
kernel/auditsc.c           | 15 ++++++++++++
kernel/time/ntp.c          | 50 ++++++++++++++++++++++++++++++--------
kernel/time/timekeeping.c  |  3 +++
5 files changed, 81 insertions(+), 10 deletions(-)
--
2.17.1
Audit log decode
by khalid fahad
Hi,
I need help to decode the following records in audit.log. Thanks
type=PROCTITLE msg=audit(100000000.000:000): proctitle=726D002F7661722F6C6F672F736563757265
type=PATH msg=audit(100000000.000:000): item=1 name="/var/log/secure" inode=34679270 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=DELETE
type=PATH msg=audit(100000000.000:000): item=0 name="/var/log/" inode=33586091 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=PARENT
type=CWD msg=audit(100000000.000:000): cwd="/home/adminuser"
type=SYSCALL msg=audit(100000000.000:000): arch=c000003e syscall=263 success=no exit=-13 a0=ffffffffffffff9c a1=b830c0 a2=0 a3=7ffc9bd9d600 items=2 ppid=3493 pid=35055 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=1 comm="rm" exe="/usr/bin/rm" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="secure_log"
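As an added example (my own code, not part of the post and not the audit user-space tools; ausearch -i does this for real logs), a small Python decoder for the records above. It splits each record into key=value fields, hex-decodes the PROCTITLE value (auditd hex-encodes strings that contain NUL or other control characters, and argv entries are NUL-separated), maps the syscall number through a hand-written partial x86_64 table (arch=c000003e is AUDIT_ARCH_X86_64), translates the negative exit value through errno, and reinterprets a0 as a signed value so the AT_FDCWD constant is recognisable. The sample records are copied from the post; the syscall table and the AT_FDCWD constant are the only facts it brings in from outside the page.

```python
import errno
import os
import re

# Constructed sample: the four records from the post, copied verbatim
# (the msg=audit(...) id was already anonymised there).
SAMPLE_LOG = """\
type=PROCTITLE msg=audit(100000000.000:000): proctitle=726D002F7661722F6C6F672F736563757265
type=PATH msg=audit(100000000.000:000): item=1 name="/var/log/secure" inode=34679270 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=DELETE
type=PATH msg=audit(100000000.000:000): item=0 name="/var/log/" inode=33586091 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=PARENT
type=CWD msg=audit(100000000.000:000): cwd="/home/adminuser"
type=SYSCALL msg=audit(100000000.000:000): arch=c000003e syscall=263 success=no exit=-13 a0=ffffffffffffff9c a1=b830c0 a2=0 a3=7ffc9bd9d600 items=2 ppid=3493 pid=35055 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=1 comm="rm" exe="/usr/bin/rm" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="secure_log"
"""

# key=value tokens; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Partial, hand-written x86_64 syscall table; a real decoder uses ausyscall(8) / libaudit.
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 3: "close", 59: "execve",
                   82: "rename", 87: "unlink", 257: "openat", 263: "unlinkat"}
AUDIT_ARCH_X86_64 = 0xC000003E
AT_FDCWD = -100  # <fcntl.h>: "use the current working directory" dirfd value


def parse_record(line):
    """Split one raw audit record into a dict; strips the quotes from quoted values."""
    fields = {}
    for key, val in FIELD_RE.findall(line.strip()):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def decode_hex_string(val):
    """Hex-encoded audit string -> text; NUL separators (argv boundaries) become spaces."""
    raw = bytes.fromhex(val)
    return " ".join(part.decode("utf-8", "replace") for part in raw.split(b"\0") if part)


def signed64(hexval):
    """Syscall args are logged as unsigned 64-bit hex; reinterpret as signed (fd-like args)."""
    n = int(hexval, 16)
    return n - (1 << 64) if n >= (1 << 63) else n


def decode_event(text):
    """Join the records of one audit event (same msg=audit(...) id) into a readable summary."""
    recs = [parse_record(l) for l in text.splitlines() if l.strip()]
    if len({r["msg"] for r in recs}) != 1:
        raise ValueError("sample must contain exactly one event")
    summary = {"paths": []}
    for r in recs:
        t = r["type"]
        if t == "PROCTITLE":
            summary["proctitle"] = decode_hex_string(r["proctitle"])
        elif t == "CWD":
            summary["cwd"] = r["cwd"]
        elif t == "PATH":
            summary["paths"].append((int(r["item"]), r["name"], r["objtype"], r["obj"]))
        elif t == "SYSCALL":
            nr = int(r["syscall"])
            arch = int(r["arch"], 16)
            summary["arch"] = "x86_64" if arch == AUDIT_ARCH_X86_64 else hex(arch)
            summary["syscall"] = X86_64_SYSCALLS.get(nr, "syscall#%d" % nr)
            summary["success"] = r["success"] == "yes"
            rc = int(r["exit"])
            summary["error"] = errno.errorcode.get(-rc, str(rc)) if rc < 0 else None
            summary["error_text"] = os.strerror(-rc) if rc < 0 else None
            dirfd = signed64(r["a0"])  # for unlinkat/openat a0 is the dirfd
            summary["dirfd"] = "AT_FDCWD" if dirfd == AT_FDCWD else dirfd
            for k in ("auid", "uid", "euid", "pid", "ppid"):
                summary[k] = int(r[k])
            for k in ("comm", "exe", "tty", "key", "subj"):
                summary[k] = r[k]
    summary["paths"].sort()  # item=0 (PARENT) before item=1 (DELETE)
    return summary


if __name__ == "__main__":
    for k, v in decode_event(SAMPLE_LOG).items():
        print("%s: %s" % (k, v))
```

Run as a script it shows the event as: the login user auid=1000, with comm="rm" and command line "rm /var/log/secure", called unlinkat(AT_FDCWD, "/var/log/secure") from cwd /home/adminuser, the call failed with EACCES (Permission denied), and the event was recorded because it matched the audit rule keyed "secure_log".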
Troubleshooting Custom audispd Plugin
by Osama Elnaggar
Hi,
I'm working on a custom audispd plugin written in Python 3. It’s a work in
progress and I’ve successfully run it numerous times as an audispd plugin.
However, I sometimes make modifications that result in the audispd plugin
failing and I end up with the following in /var/log/syslog
Sep 6 20:52:05 ubuntu-hypervisor audispd: plugin /usr/bin/python3
terminated unexpectedly
Sep 6 20:52:05 ubuntu-hypervisor audispd: plugin /usr/bin/python3 was
restarted
...
This is repeated several times until audispd gives up and I see the
following message:
Sep 6 20:52:14 ubuntu-hypervisor audispd: plugin /usr/bin/python3 has
exceeded max_restarts
To troubleshoot, I modify my code to read from /var/log/audit/audit.log
instead. I modify a single line (with fileinput.input() to read from
myfile as shown in the commented line below).
Here is the code snippet (a colorized easier to read version is available
here - https://pastebin.com/84Nxu3Rp):
import fileinput
import logging

import auparse

logger = logging.getLogger(__name__)

# let us initialize the AuParser
aup = auparse.AuParser(auparse.AUSOURCE_FEED)
# we initialize the callback to be fn_process_event (defined elsewhere in the plugin)
aup.add_callback(fn_process_event, None, None)
myfile = "/var/log/audit/audit.log"
while True:
    try:
        # we read in line by line from stdin
        for line in fileinput.input():
        #for line in fileinput.input(myfile):
            aup.feed(line)
        # fileinput.input() returning means stdin reached EOF (audispd closed
        # the pipe); without this break the loop would spin on a closed stdin
        break
    except Exception:
        # a bare "except:" would also swallow SystemExit and KeyboardInterrupt
        logger.error("Fatal error in while loop", exc_info=True)
# we flush the feed when we quit
aup.flush_feed()
Any suggestions on how to troubleshoot these types of issues when reading
from a file works fine without issue but running it as a plugin fails as
shown in /var/log/syslog? Thanks.
--
Osama Elnaggar
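As an added example (my own code, not Osama's plugin and not part of audispd), a small harness that runs a plugin script the way audispd does, records on stdin one per line and the pipe closed when the feed ends, but keeps the plugin's stderr so a Python traceback is not lost and reports the exit status. The two plugin scripts it runs are constructed stand-ins with the same read-loop shape as the snippet above, without auparse; the feed is three constructed records, the last carrying the node= prefix that audispd prepends when name_format is set in audispd.conf, which is one way the plugin's input can differ from what is in audit.log.

```python
import os
import subprocess
import sys
import tempfile
import textwrap


def run_plugin_like_audispd(plugin_path, feed_lines, timeout=30):
    """Spawn the plugin with records on stdin, then close the pipe (EOF, as audispd
    does on shutdown). Returns (returncode, stderr_text); returncode is None on timeout."""
    proc = subprocess.Popen([sys.executable, plugin_path],
                            stdin=subprocess.PIPE, stdout=subprocess.DEVNULL,
                            stderr=subprocess.PIPE, text=True)
    try:
        _, err = proc.communicate("".join(feed_lines), timeout=timeout)
    except subprocess.TimeoutExpired:  # plugin never exited after EOF: it is looping
        proc.kill()
        _, err = proc.communicate()
        return None, err
    return proc.returncode, err


def diagnose(plugin_path, feed_lines):
    """Summarise a run: clean exit, crash (with the traceback's last line), or hang."""
    rc, err = run_plugin_like_audispd(plugin_path, feed_lines)
    tb_lines = [l for l in err.splitlines() if l.strip()]
    crashed = rc not in (0, None)
    return {"returncode": rc, "crashed": crashed, "hung": rc is None,
            "exception": tb_lines[-1] if crashed and tb_lines else None}


def write_temp_script(source):
    fd, path = tempfile.mkstemp(suffix=".py")
    with os.fdopen(fd, "w") as f:
        f.write(source)
    return path


# Constructed stand-in plugin: same loop shape as the post's snippet, auparse replaced by
# a parse that assumes every record starts with "type=" (true for audit.log, not for
# what audispd hands over when name_format is configured).
CRASHING_PLUGIN = textwrap.dedent('''\
    import sys
    def parse(line):
        if not line.startswith("type="):
            raise ValueError("record without leading type= field: %r" % line.rstrip())
        return line
    for line in sys.stdin:
        parse(line)
''')

# Constructed hardened stand-in: strips the node= prefix, logs and skips anything else it
# cannot parse, and exits cleanly at EOF instead of looping on a closed stdin.
ROBUST_PLUGIN = textwrap.dedent('''\
    import sys
    def parse(line):
        if line.startswith("node="):
            line = line.split(" ", 1)[1]
        if not line.startswith("type="):
            print("skipping unparseable record: %r" % line.rstrip(), file=sys.stderr)
            return None
        return line
    for line in sys.stdin:
        parse(line)
''')

# Constructed feed: two records as they appear in audit.log, then one with the
# audispd node= prefix.
FEED = [
    'type=SYSCALL msg=audit(100000000.000:000): arch=c000003e syscall=263 success=no exit=-13\n',
    'type=CWD msg=audit(100000000.000:000): cwd="/home/adminuser"\n',
    'node=ubuntu-hypervisor type=PROCTITLE msg=audit(100000000.000:000): proctitle=726D\n',
]


def demo():
    """Run both stand-ins against the same feed and return their diagnoses by name."""
    results = {}
    for name, src in (("crashing", CRASHING_PLUGIN), ("robust", ROBUST_PLUGIN)):
        path = write_temp_script(src)
        try:
            results[name] = diagnose(path, FEED)
        finally:
            os.unlink(path)
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Pointing the harness at the real plugin with a feed taken from audit.log reproduces the "works from a file" case; adding the node= prefix, or feeding records one at a time and watching which one the process dies on, reproduces the plugin case with the traceback visible. A hang (returncode None) after EOF is the symptom of a read loop that restarts on a closed stdin instead of exiting.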
[PATCH 0/10 v2] audit: Fix various races when tagging and untagging mounts
by Jan Kara
Hello,
this is a second revision of the series that addresses problems I have
identified when trying to understand how exactly kernel/audit_tree.c is using
the generic fsnotify framework. I hope I have understood all the interactions
right but careful review is certainly welcome.
The patches have been tested by a stress test I have written which mounts &
unmounts filesystems in the directory tree while adding and removing audit
rules for this tree in parallel and accessing the tree to generate events.
Still, some real-world testing would be welcome.
Changes since v1:
* Split the last patch to ease review
* Rewrite test script so that it can be included in audit testsuite
* Some cleanups and improvements suggested by Amir
Honza