[PATCH ghak110 V1] audit: connect LOGIN record to its syscall record
by Richard Guy Briggs
Currently the AUDIT_LOGIN event is a standalone record that isn't
connected to any other records that may be part of its syscall event. To
avoid the confusion of generating two events, connect the records by
using its syscall context.
Please see the github issue
https://github.com/linux-audit/audit-kernel/issues/110
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
Passes audit-testsuite and ausearch-test-0.6
kernel/audit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index c89ea48c70a6..b96bf69183f4 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -2220,7 +2220,7 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
if (!audit_enabled)
return;
- ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
+ ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_LOGIN);
if (!ab)
return;
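Review bot: the commit message should say what happens when there is no syscall context, e.g. when audit_log_set_loginuid() runs with CONFIG_AUDITSYSCALL disabled; the hunk relies on audit_log_start() treating a NULL result from audit_context() exactly like the explicit NULL it replaced (the record is emitted standalone, as before), and that is the compatibility argument for the change, so state it in the message rather than leaving the reader to check audit_context().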
--
1.8.3.1
5 years, 7 months
[PATCH][v3] audit: fix a memleak caused by auditing load module
by Li RongQing
module.name will be allocated unconditionally when auditing a loaded
module, and audit_log_start() can fail for other reasons, or
audit_log_exit may not be called, causing module.name not to be freed,
so free module.name in audit_free_context and __audit_syscall_exit
unreferenced object 0xffff88af90837d20 (size 8):
comm "modprobe", pid 1036, jiffies 4294704867 (age 3069.138s)
hex dump (first 8 bytes):
69 78 67 62 65 00 ff ff ixgbe...
backtrace:
[<0000000008da28fe>] __audit_log_kern_module+0x33/0x80
[<00000000c1491e61>] load_module+0x64f/0x3850
[<000000007fc9ae3f>] __do_sys_init_module+0x218/0x250
[<0000000000d4a478>] do_syscall_64+0x117/0x400
[<000000004924ded8>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[<000000007dc331dd>] 0xffffffffffffffff
Fixes: ca86cad7380e3 ("audit: log module name on init_module")
Signed-off-by: Zhang Yu <zhangyu31(a)baidu.com>
Signed-off-by: Li RongQing <lirongqing(a)baidu.com>
---
v3-->v2: create a helper and get rid of the free from show_special as Paul suggested
v2-->v1: free module.name always, not check the return of audit_log_start
kernel/auditsc.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index b2d1f043f..001056b4c 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -881,6 +881,13 @@ static inline void audit_proctitle_free(struct audit_context *context)
context->proctitle.len = 0;
}
+static inline void audit_free_module(struct audit_context *context)
+{
+ if (context->type == AUDIT_KERN_MODULE) {
+ kfree(context->module.name);
+ context->module.name = NULL;
+ }
+}
static inline void audit_free_names(struct audit_context *context)
{
struct audit_names *n, *next;
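Review bot: audit_free_module() silently does nothing when context->type is not AUDIT_KERN_MODULE and is safe to call more than once because the pointer is set to NULL after kfree(); a one-line comment above the helper stating both properties, and that it is meant to be called from both audit_free_context() and __audit_syscall_exit(), would save the next reader from checking each call site to confirm there is no double free.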
@@ -964,6 +971,7 @@ int audit_alloc(struct task_struct *tsk)
static inline void audit_free_context(struct audit_context *context)
{
+ audit_free_module(context);
audit_free_names(context);
unroll_tree_refs(context, NULL, 0);
free_tree_refs(context);
@@ -1281,7 +1289,6 @@ static void show_special(struct audit_context *context, int *call_panic)
audit_log_format(ab, "name=");
if (context->module.name) {
audit_log_untrustedstring(ab, context->module.name);
- kfree(context->module.name);
} else
audit_log_format(ab, "(null)");
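Review bot: with the kfree() removed the if arm is down to a single statement, so the braces on `if (context->module.name) {` are no longer needed and both arms can be written brace-free to match the `else`, per kernel coding style (checkpatch flags the asymmetry). Dropping the free here also means module.name now lives until __audit_syscall_exit() or audit_free_context(); that is the intent, but a sentence in the commit message would stop someone re-adding the free later.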
@@ -1583,6 +1590,7 @@ void __audit_syscall_exit(int success, long return_code)
if (!list_empty(&context->killed_trees))
audit_kill_trees(&context->killed_trees);
+ audit_free_module(context);
audit_free_names(context);
unroll_tree_refs(context, NULL, 0);
audit_free_aux(context);
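Review bot: the audit_free_module() call sits after audit_kill_trees() and therefore after the audit_log_exit() call earlier in __audit_syscall_exit() that runs show_special(); that ordering is what keeps module.name alive long enough to be logged, so a short comment at the call site such as `/* module.name has been logged by show_special() above */` would make the dependency visible to anyone reordering this cleanup block.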
--
2.16.2
5 years, 7 months
[PATCH v2 00/13] Prepare syscall_get_arch for PTRACE_GET_SYSCALL_INFO
by Dmitry V. Levin
syscall_get_arch() is required to be implemented on all architectures in order
to extend the generic ptrace API with PTRACE_GET_SYSCALL_INFO request:
syscall_get_arch() is going to be called from ptrace_request() along with
syscall_get_nr(), syscall_get_arguments(), syscall_get_error(), and
syscall_get_return_value() functions with a tracee as their argument.
The primary intent is that the triple (audit_arch, syscall_nr, arg1..arg6)
should describe what system call is being called and what its arguments are.
This patchset began as a series called "Prepare for PTRACE_GET_SYSCALL_INFO",
then I merged it into a series called "ptrace: add PTRACE_GET_SYSCALL_INFO request"
that also contains ptrace-specific changes.
The ptrace-specific part, however, needs more attention to work around problems
on niche architectures like alpha, while the syscall_get_arch() part is
straightforward, so I decided to split it out into a separate patchset that
just prepares syscall_get_arch() for PTRACE_GET_SYSCALL_INFO: it adds
syscall_get_arch() to those architectures that haven't implemented it yet,
and then adds "struct task_struct *" argument to syscall_get_arch()
on all architectures.
All patches from this patchset have already been reviewed, so it's ready
to be merged without waiting for the ptrace-specific part. As it's all
about syscall_get_arch(), it should probably go via the audit tree.
Notes:
v2: rebased to v5.1-rc1, added Acked-by
Dmitry V. Levin (13):
Move EM_ARCOMPACT and EM_ARCV2 to uapi/linux/elf-em.h
arc: define syscall_get_arch()
c6x: define syscall_get_arch()
h8300: define syscall_get_arch()
Move EM_HEXAGON to uapi/linux/elf-em.h
hexagon: define syscall_get_arch()
m68k: define syscall_get_arch()
Move EM_NDS32 to uapi/linux/elf-em.h
nds32: define syscall_get_arch()
nios2: define syscall_get_arch()
Move EM_UNICORE to uapi/linux/elf-em.h
unicore32: define syscall_get_arch()
syscall_get_arch: add "struct task_struct *" argument
arch/alpha/include/asm/syscall.h | 2 +-
arch/arc/include/asm/elf.h | 6 +-----
arch/arc/include/asm/syscall.h | 11 +++++++++++
arch/arm/include/asm/syscall.h | 2 +-
arch/arm64/include/asm/syscall.h | 4 ++--
arch/c6x/include/asm/syscall.h | 7 +++++++
arch/csky/include/asm/syscall.h | 2 +-
arch/h8300/include/asm/syscall.h | 6 ++++++
arch/hexagon/include/asm/elf.h | 6 +-----
arch/hexagon/include/asm/syscall.h | 8 ++++++++
arch/ia64/include/asm/syscall.h | 2 +-
arch/m68k/include/asm/syscall.h | 12 ++++++++++++
arch/microblaze/include/asm/syscall.h | 2 +-
arch/mips/include/asm/syscall.h | 6 +++---
arch/mips/kernel/ptrace.c | 2 +-
arch/nds32/include/asm/elf.h | 3 +--
arch/nds32/include/asm/syscall.h | 9 +++++++++
arch/nios2/include/asm/syscall.h | 6 ++++++
arch/openrisc/include/asm/syscall.h | 2 +-
arch/parisc/include/asm/syscall.h | 4 ++--
arch/powerpc/include/asm/syscall.h | 10 ++++++++--
arch/riscv/include/asm/syscall.h | 2 +-
arch/s390/include/asm/syscall.h | 4 ++--
arch/sh/include/asm/syscall_32.h | 2 +-
arch/sh/include/asm/syscall_64.h | 2 +-
arch/sparc/include/asm/syscall.h | 5 +++--
arch/unicore32/include/asm/elf.h | 3 +--
arch/unicore32/include/asm/syscall.h | 12 ++++++++++++
arch/x86/include/asm/syscall.h | 8 +++++---
arch/x86/um/asm/syscall.h | 2 +-
arch/xtensa/include/asm/syscall.h | 2 +-
include/asm-generic/syscall.h | 5 +++--
include/uapi/linux/audit.h | 12 ++++++++++++
include/uapi/linux/elf-em.h | 6 ++++++
kernel/auditsc.c | 4 ++--
kernel/seccomp.c | 4 ++--
36 files changed, 137 insertions(+), 48 deletions(-)
create mode 100644 arch/m68k/include/asm/syscall.h
create mode 100644 arch/unicore32/include/asm/syscall.h
--
ldv
5 years, 7 months
[PATCH ghau51/ghau40 v5 0/6] add support for audit container identifier
by Richard Guy Briggs
Add support for audit kernel container identifiers to userspace tools.
The first and second add new record types. The third adds filter
support. The fourth and fifth start to add search support.
The last is intended for debugging and not for upstream, matching the
kernel /proc read patch.
See: https://github.com/linux-audit/audit-userspace/issues/51
See: https://github.com/linux-audit/audit-userspace/issues/40
See: https://github.com/linux-audit/audit-kernel/issues/90
See: https://github.com/linux-audit/audit-kernel/issues/91
See: https://github.com/linux-audit/audit-testsuite/issues/64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Changelog:
v5
- updated aux record from AUDIT_CONTAINER to AUDIT_CONTAINER_ID
- add AUDIT_CONTAINER_ID to normalization
- rebase on AUDIT_ANOM_LINK and AUDIT_MAC_CALIPSO_ADD
v4
- change from AUDIT_CONTAINER_ID to AUDIT_CONTAINER_OP
- change from AUDIT_FEATURE_BITMAP_CONTAINERID_FILTER to
AUDIT_FEATURE_BITMAP_CONTAINERID
- change from event_container_id to event_contid internally
- change from container_id to contid and event_container_id to
event_contid internally
- change command line option from --container-id to --contid
v3
- change from AUDIT_CONTAINER to AUDIT_CONTAINER_ID
- change from AUDIT_CONTAINER_INFO to AUDIT_CONTAINER
- change from AUDIT_CONTAINERID to AUDIT_CONTID
- update github issue refs
- add audit_get_containerid
- change event_container_id default value
- add --containerid to ausearch options help text
- update ausearch parser and error codes
v2
- rebase on UINT_MAX patch
- add patches for AUDIT_CONTAINER, AUDIT_CONTAINER_INFO, ausearch,
normalization
Richard Guy Briggs (6):
AUDIT_CONTAINER_OP message type basic support
AUDIT_CONTAINER_ID message type basic support
auditctl: add support for AUDIT_CONTID filter
add ausearch containerid support
start normalization containerid support
libaudit: add support to get the task audit container identifier
auparse/normalize_record_map.h | 2 +
docs/Makefile.am | 2 +-
docs/audit_get_containerid.3 | 25 ++++++
docs/auditctl.8 | 3 +
lib/fieldtab.h | 1 +
lib/libaudit.c | 65 ++++++++++++++
lib/libaudit.h | 16 ++++
lib/msg_typetab.h | 2 +
lib/netlink.c | 1 +
src/auditctl-listing.c | 21 +++++
src/aureport-options.c | 1 +
src/ausearch-llist.c | 2 +
src/ausearch-llist.h | 1 +
src/ausearch-match.c | 3 +
src/ausearch-options.c | 47 +++++++++-
src/ausearch-options.h | 1 +
src/ausearch-parse.c | 199 +++++++++++++++++++++++++++++++++++++++++
17 files changed, 390 insertions(+), 2 deletions(-)
create mode 100644 docs/audit_get_containerid.3
--
1.8.3.1
5 years, 7 months
[GIT PULL] Audit patches for v5.1
by Paul Moore
Hi Linus,
A lucky 13 audit patches for v5.1. Despite the rather large diffstat,
most of the changes are from two bug fix patches that move code from
one Kconfig option to another. Beyond that bit of churn, the
remaining changes are largely cleanups and bug-fixes as we slowly
march towards container auditing. It isn't all boring though, we do
have a couple of new things: file capabilities v3 support, and
expanded support for filtering on filesystems to solve problems with
remote filesystems.
All changes pass the audit-testsuite. Please merge for v5.1.
Thanks,
-Paul
--
The following changes since commit bfeffd155283772bbe78c6a05dec7c0128ee500c:
Linux 5.0-rc1 (2019-01-06 17:08:20 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
tags/audit-pr-20190305
for you to fetch changes up to 131d34cb07957151c369366b158690057d2bce5e:
audit: mark expected switch fall-through (2019-02-12 20:17:13 -0500)
----------------------------------------------------------------
audit/stable-5.1 PR 20190305
----------------------------------------------------------------
Gustavo A. R. Silva (1):
audit: mark expected switch fall-through
Richard Guy Briggs (12):
audit: give a clue what CONFIG_CHANGE op was involved
audit: hand taken context to audit_kill_trees for syscall logging
audit: add syscall information to CONFIG_CHANGE records
audit: move loginuid and sessionid from CONFIG_AUDITSYSCALL to
CONFIG_AUDIT
audit: add support for fcaps v3
audit: more filter PATH records keyed on filesystem magic
audit: clean up AUDITSYSCALL prototypes and stubs
audit: ignore fcaps on umount
audit: remove unused actx param from audit_rule_match
audit: remove audit_context when CONFIG_ AUDIT and not AUDITSYSCALL
audit: join tty records to their syscall
audit: hide auditsc_get_stamp and audit_serial prototypes
drivers/tty/tty_audit.c | 2 +-
fs/namei.c | 2 +-
fs/namespace.c | 2 +
fs/proc/base.c | 6 +-
include/linux/audit.h | 66 ++++----
include/linux/capability.h | 5 +-
include/linux/lsm_hooks.h | 4 +-
include/linux/namei.h | 3 +
include/linux/sched.h | 4 +-
include/linux/security.h | 5 +-
init/init_task.c | 2 +-
kernel/audit.c | 267 ++++++++++++------------------
kernel/audit.h | 81 +++++----
kernel/audit_fsnotify.c | 2 +-
kernel/audit_tree.c | 19 ++-
kernel/audit_watch.c | 2 +-
kernel/auditfilter.c | 6 +-
kernel/auditsc.c | 320 +++++++++++++++++++++++-------------
security/apparmor/audit.c | 3 +-
security/apparmor/include/audit.h | 3 +-
security/commoncap.c | 2 +
security/integrity/ima/ima.h | 3 +-
security/integrity/ima/ima_policy.c | 6 +-
security/security.c | 6 +-
security/selinux/include/audit.h | 4 +-
security/selinux/ss/services.c | 3 +-
security/smack/smack_lsm.c | 4 +-
27 files changed, 440 insertions(+), 392 deletions(-)
--
paul moore
www.paul-moore.com
5 years, 7 months
Tracking Content Written to Files
by Wajih Ul Hassan
Hi All,
Can I use auditd to track content written to specific files? For example,
in this case https://access.redhat.com/solutions/10107, how can I keep
track of what string was written to `/etc/hosts` file over time and extract
this information later from logs?
The reason I asked this question is that I am trying to audit a
simulated attack scenario and in this particular attack scenario I need to
know what content was written/changed in a sensitive file over time to
fully understand the attack. Even if the attack deletes the contents of the
sensitive file at time t_2, I need to extract what was written to the file at
time t_1.
Thanks,
Wajih
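The two threads above ask complementary questions of the same data: the LOGIN patch earlier on this page makes the LOGIN record share its `msg=audit(timestamp:serial)` event id with the SYSCALL record that produced it, and this question asks what audit can reconstruct about writes to `/etc/hosts`. The following script is an added example, not code from the list or from the audit project: it groups raw audit records into events by that id, reports which LOGIN records are joined to a syscall record, and builds a per-file timeline of who opened a watched file, with what intent, and whether it succeeded. The log lines are constructed and labelled as such; the assumed rule that would produce them is `-w /etc/hosts -p wa -k hosts-changes`, and the syscall number (257 = openat) and open(2) flag bits are the x86_64 values. What the timeline cannot show is the bytes written: audit records the syscall, the path and the flags, not file content, which is the honest answer to the question above.

```python
"""Group raw Linux audit records into events (same timestamp:serial) and answer
two questions a defender asks of audit.log: which LOGIN records are joined to
the syscall that produced them, and when, by whom and with what intent a
watched file was opened for writing."""
import re
from collections import defaultdict

# Constructed sample records (not from the mailing list); timestamps, serials,
# pids, inodes and addresses are made up.  Event 77 shows a LOGIN record that
# shares its serial with the SYSCALL record; event 78 is a standalone LOGIN
# record.  Events 90/95/99 are what an assumed rule
# `-w /etc/hosts -p wa -k hosts-changes` would emit on x86_64.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1552392000.101:77): arch=c000003e syscall=1 success=yes exit=5 a0=3 a1=7ffd1c2e0 a2=5 a3=0 items=0 ppid=1 pid=1300 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=LOGIN msg=audit(1552392000.101:77): pid=1300 uid=0 old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=4 res=1
type=LOGIN msg=audit(1552392000.102:78): pid=1301 uid=0 old-auid=4294967295 auid=1001 tty=(none) old-ses=4294967295 ses=5 res=1
type=SYSCALL msg=audit(1552392010.200:90): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5591a2b3c4d0 a2=241 a3=1b6 items=2 ppid=1400 pid=1401 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="bash" exe="/usr/bin/bash" key="hosts-changes"
type=CWD msg=audit(1552392010.200:90): cwd="/root"
type=PATH msg=audit(1552392010.200:90): item=0 name="/etc/" inode=2 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1552392010.200:90): item=1 name="/etc/hosts" inode=5120 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1552392020.300:95): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5591a2b3c4e0 a2=401 a3=1b6 items=2 ppid=1500 pid=1501 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="sh" exe="/usr/bin/dash" key="hosts-changes"
type=PATH msg=audit(1552392020.300:95): item=1 name="/etc/hosts" inode=5120 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1552392030.400:99): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5591a2b3c4f0 a2=1 a3=0 items=1 ppid=1600 pid=1601 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=5 comm="vi" exe="/usr/bin/vi" key="hosts-changes"
type=PATH msg=audit(1552392030.400:99): item=0 name="/etc/hosts" inode=5120 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

HEADER_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): ?(?P<body>.*)$')
FIELD_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one record into type, event timestamp, serial and a field dict."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('body'))}
    return {'type': m.group('type'), 'ts': float(m.group('ts')),
            'serial': int(m.group('serial')), 'fields': fields}


def group_events(log_text):
    """Map (timestamp, serial) -> list of records, in time order."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[(rec['ts'], rec['serial'])].append(rec)
    return dict(sorted(events.items()))


def first_of(records, rtype):
    """Fields of the first record of the given type in an event, or None."""
    return next((r['fields'] for r in records if r['type'] == rtype), None)


def login_records(events):
    """One row per LOGIN record with the SYSCALL record it is joined to, or
    syscall=None when the LOGIN record stands alone in its event."""
    rows = []
    for (_ts, serial), recs in events.items():
        login = first_of(recs, 'LOGIN')
        if login is None:
            continue
        sc = first_of(recs, 'SYSCALL')
        rows.append({'serial': serial, 'pid': int(login['pid']),
                     'old_auid': int(login['old-auid']), 'auid': int(login['auid']),
                     'ses': int(login['ses']),
                     'syscall': int(sc['syscall']) if sc else None,
                     'comm': sc['comm'] if sc else None})
    return rows


# open(2) flag bits as used on x86_64 (assumed); audit logs the openat flags
# argument (a2) in hex.
O_ACCMODE, O_WRONLY, O_RDWR, O_CREAT, O_TRUNC, O_APPEND = 0x3, 0x1, 0x2, 0x40, 0x200, 0x400


def describe_open_flags(hex_flags):
    """Turn an openat() flags value into a short intent string."""
    f = int(hex_flags, 16)
    mode = {0: 'read', O_WRONLY: 'write', O_RDWR: 'read-write'}.get(f & O_ACCMODE, 'unknown')
    extras = [n for bit, n in ((O_CREAT, 'create'), (O_TRUNC, 'truncate'),
                               (O_APPEND, 'append')) if f & bit]
    return '+'.join([mode] + extras)


def file_timeline(events, path):
    """Events whose PATH record names `path`: who, when, intent and outcome.
    Audit does not record the bytes written, so content is not recoverable here."""
    rows = []
    for (ts, serial), recs in events.items():
        sc = first_of(recs, 'SYSCALL')
        touched = any(r['type'] == 'PATH' and r['fields'].get('name') == path for r in recs)
        if sc is None or not touched:
            continue
        # Decode intent only for x86_64 openat (syscall 257), where a2 is the flags word.
        is_x86_64_openat = sc.get('arch') == 'c000003e' and sc.get('syscall') == '257'
        rows.append({'ts': ts, 'serial': serial, 'auid': int(sc['auid']),
                     'uid': int(sc['uid']), 'comm': sc['comm'], 'exe': sc['exe'],
                     'key': sc.get('key'), 'success': sc.get('success') == 'yes',
                     'intent': describe_open_flags(sc['a2']) if is_x86_64_openat else None})
    return rows


if __name__ == '__main__':
    ev = group_events(SAMPLE_LOG)
    for row in login_records(ev):
        print('LOGIN', row)
    for row in file_timeline(ev, '/etc/hosts'):
        print('FILE ', row)
```

On the constructed input the first LOGIN row is joined to the `sshd` write syscall in event 77 while the second (event 78) has `syscall=None`, which is the before/after difference the LOGIN patch makes visible to a log consumer. The timeline lists three openat() events on `/etc/hosts`: a truncating rewrite, an append, and a denied write attempt by a different login uid (`success=False`), so the "what was written at t_1, deleted at t_2" question reduces to "who opened the file for writing and when"; recovering the content itself needs a file-integrity snapshot or versioning alongside audit.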
5 years, 7 months
[PATCH][v2] audit: fix a memleak caused by auditing load module
by Li RongQing
module.name will be allocated unconditionally when auditing a loaded
module, and audit_log_start() can fail for other reasons, or
audit_log_exit may not be called, which caused module.name to be released,
so free module.name in audit_free_context and at audit syscall exit
unreferenced object 0xffff88af90837d20 (size 8):
comm "modprobe", pid 1036, jiffies 4294704867 (age 3069.138s)
hex dump (first 8 bytes):
69 78 67 62 65 00 ff ff ixgbe...
backtrace:
[<0000000008da28fe>] __audit_log_kern_module+0x33/0x80
[<00000000c1491e61>] load_module+0x64f/0x3850
[<000000007fc9ae3f>] __do_sys_init_module+0x218/0x250
[<0000000000d4a478>] do_syscall_64+0x117/0x400
[<000000004924ded8>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[<000000007dc331dd>] 0xffffffffffffffff
Fixes: ca86cad7380e3 ("audit: log module name on init_module")
Signed-off-by: Zhang Yu <zhangyu31(a)baidu.com>
Signed-off-by: Li RongQing <lirongqing(a)baidu.com>
---
kernel/auditsc.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index b2d1f043f..07728b07a 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -964,6 +964,9 @@ int audit_alloc(struct task_struct *tsk)
static inline void audit_free_context(struct audit_context *context)
{
+ if (context->type == AUDIT_KERN_MODULE)
+ kfree(context->module.name);
+
audit_free_names(context);
unroll_tree_refs(context, NULL, 0);
free_tree_refs(context);
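Review bot: this kfree() leaves context->module.name dangling, unlike the two other copies of the cleanup in this patch that reset the pointer to NULL; it is harmless only because the whole context is freed right after, but the inconsistency is exactly the kind of thing that turns into a double free when someone later reorders audit_free_context(), so reset the pointer here too.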
@@ -1282,6 +1285,8 @@ static void show_special(struct audit_context *context, int *call_panic)
if (context->module.name) {
audit_log_untrustedstring(ab, context->module.name);
kfree(context->module.name);
+ context->module.name = NULL;
+ context->type = 0;
} else
audit_log_format(ab, "(null)");
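Review bot: clearing context->type to 0 inside show_special() after logging the module name reaches further than the leak fix: anything later in the same exit path that switches on context->type now sees 0 instead of AUDIT_KERN_MODULE. Setting module.name to NULL is already enough to make the later kfree() in __audit_syscall_exit() a no-op (kfree(NULL) is safe), so drop the `context->type = 0;` line.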
@@ -1583,6 +1588,11 @@ void __audit_syscall_exit(int success, long return_code)
if (!list_empty(&context->killed_trees))
audit_kill_trees(&context->killed_trees);
+ if (context->type == AUDIT_KERN_MODULE) {
+ kfree(context->module.name);
+ context->module.name = NULL;
+ }
+
audit_free_names(context);
unroll_tree_refs(context, NULL, 0);
audit_free_aux(context);
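Review bot: this block is the third copy of the "if type == AUDIT_KERN_MODULE then kfree() and NULL" cleanup in the patch (audit_free_context() and show_special() carry the other two); factor it into a small static inline helper, e.g. audit_free_module(context), and call it from all three places so the NULL reset cannot be forgotten at one site, as happened in the audit_free_context() hunk.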
--
2.16.2
5 years, 8 months
[PATCH 00/14] Prepare syscall_get_arch for PTRACE_GET_SYSCALL_INFO
by Dmitry V. Levin
syscall_get_arch() is required to be implemented on all architectures in order
to extend the generic ptrace API with PTRACE_GET_SYSCALL_INFO request:
syscall_get_arch() is going to be called from ptrace_request() along with
syscall_get_nr(), syscall_get_arguments(), syscall_get_error(), and
syscall_get_return_value() functions with a tracee as their argument.
The primary intent is that the triple (audit_arch, syscall_nr, arg1..arg6)
should describe what system call is being called and what its arguments are.
This patchset began as a series called "Prepare for PTRACE_GET_SYSCALL_INFO",
then I merged it into a series called "ptrace: add PTRACE_GET_SYSCALL_INFO request"
that also contains ptrace-specific changes.
The ptrace-specific part, however, needs more attention to work around problems
on niche architectures like alpha, while the syscall_get_arch() part is
straightforward, so I decided to split it out into a separate patchset that
just prepares syscall_get_arch() for PTRACE_GET_SYSCALL_INFO: it adds
syscall_get_arch() to those architectures that haven't implemented it yet,
and then adds "struct task_struct *" argument to syscall_get_arch()
on all architectures.
All patches from this patchset have already been reviewed, so it's ready
to be merged without waiting for the ptrace-specific part. As it's all
about syscall_get_arch(), it should probably go via the audit tree.
Dmitry V. Levin (14):
Move EM_ARCOMPACT and EM_ARCV2 to uapi/linux/elf-em.h
arc: define syscall_get_arch()
c6x: define syscall_get_arch()
h8300: define syscall_get_arch()
Move EM_HEXAGON to uapi/linux/elf-em.h
hexagon: define syscall_get_arch()
m68k: define syscall_get_arch()
Move EM_NDS32 to uapi/linux/elf-em.h
nds32: define syscall_get_arch()
nios2: define syscall_get_arch()
riscv: define syscall_get_arch()
Move EM_UNICORE to uapi/linux/elf-em.h
unicore32: define syscall_get_arch()
syscall_get_arch: add "struct task_struct *" argument
arch/alpha/include/asm/syscall.h | 2 +-
arch/arc/include/asm/elf.h | 6 +-----
arch/arc/include/asm/syscall.h | 11 +++++++++++
arch/arm/include/asm/syscall.h | 2 +-
arch/arm64/include/asm/syscall.h | 4 ++--
arch/c6x/include/asm/syscall.h | 7 +++++++
arch/csky/include/asm/syscall.h | 2 +-
arch/h8300/include/asm/syscall.h | 6 ++++++
arch/hexagon/include/asm/elf.h | 6 +-----
arch/hexagon/include/asm/syscall.h | 8 ++++++++
arch/ia64/include/asm/syscall.h | 2 +-
arch/m68k/include/asm/syscall.h | 12 ++++++++++++
arch/microblaze/include/asm/syscall.h | 2 +-
arch/mips/include/asm/syscall.h | 6 +++---
arch/mips/kernel/ptrace.c | 2 +-
arch/nds32/include/asm/elf.h | 3 +--
arch/nds32/include/asm/syscall.h | 9 +++++++++
arch/nios2/include/asm/syscall.h | 6 ++++++
arch/openrisc/include/asm/syscall.h | 2 +-
arch/parisc/include/asm/syscall.h | 4 ++--
arch/powerpc/include/asm/syscall.h | 10 ++++++++--
arch/riscv/include/asm/syscall.h | 10 ++++++++++
arch/s390/include/asm/syscall.h | 4 ++--
arch/sh/include/asm/syscall_32.h | 2 +-
arch/sh/include/asm/syscall_64.h | 2 +-
arch/sparc/include/asm/syscall.h | 5 +++--
arch/unicore32/include/asm/elf.h | 3 +--
arch/unicore32/include/asm/syscall.h | 12 ++++++++++++
arch/x86/include/asm/syscall.h | 8 +++++---
arch/x86/um/asm/syscall.h | 2 +-
arch/xtensa/include/asm/syscall.h | 2 +-
include/asm-generic/syscall.h | 5 +++--
include/uapi/linux/audit.h | 14 ++++++++++++++
include/uapi/linux/elf-em.h | 6 ++++++
kernel/auditsc.c | 4 ++--
kernel/seccomp.c | 4 ++--
36 files changed, 148 insertions(+), 47 deletions(-)
create mode 100644 arch/m68k/include/asm/syscall.h
create mode 100644 arch/unicore32/include/asm/syscall.h
--
ldv
5 years, 8 months
[PATCH] audit: fix a memleak caused by auditing load module
by Li RongQing
we should always free context->module.name, since it will be
allocated unconditionally and audit_log_start() can fail for
other reasons, and audit_log_exit may not be called
unreferenced object 0xffff88af90837d20 (size 8):
comm "modprobe", pid 1036, jiffies 4294704867 (age 3069.138s)
hex dump (first 8 bytes):
69 78 67 62 65 00 ff ff ixgbe...
backtrace:
[<0000000008da28fe>] __audit_log_kern_module+0x33/0x80
[<00000000c1491e61>] load_module+0x64f/0x3850
[<000000007fc9ae3f>] __do_sys_init_module+0x218/0x250
[<0000000000d4a478>] do_syscall_64+0x117/0x400
[<000000004924ded8>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[<000000007dc331dd>] 0xffffffffffffffff
Fixes: ca86cad7380e3 ("audit: log module name on init_module")
Signed-off-by: Zhang Yu <zhangyu31(a)baidu.com>
Signed-off-by: Li RongQing <lirongqing(a)baidu.com>
---
kernel/auditsc.c | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index b2d1f043f..2bd80375f 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1186,8 +1186,13 @@ static void show_special(struct audit_context *context, int *call_panic)
int i;
ab = audit_log_start(context, GFP_KERNEL, context->type);
- if (!ab)
+ if (!ab) {
+ if (context->type == AUDIT_KERN_MODULE) {
+ kfree(context->module.name);
+ context->module.name = NULL;
+ }
return;
+ }
switch (context->type) {
case AUDIT_SOCKETCALL: {
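Review bot: freeing only on the audit_log_start() failure path leaves the success path depending on the kfree() further down in the AUDIT_KERN_MODULE case, so the lifetime of module.name is now split across two places in one function and a reader has to pair them up to be sure every path frees exactly once. Simpler and easier to verify is to never free in show_special() and release the name unconditionally at syscall exit or context free, which also removes the need for the type check here.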
@@ -1354,8 +1359,15 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
context->personality = tsk->personality;
ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
- if (!ab)
+
+ if (!ab) {
+ if (context->type == AUDIT_KERN_MODULE) {
+ kfree(context->module.name);
+ context->module.name = NULL;
+ }
return; /* audit_panic has been called */
+ }
+
audit_log_format(ab, "arch=%x syscall=%d",
context->arch, context->major);
if (context->personality != PER_LINUX)
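Review bot: the two added blank lines (the `+` after the audit_log_start() call and the one before audit_log_format()) are unrelated whitespace churn and should be dropped. The cleanup block itself is a copy of the one in show_special(); it covers the case where audit_log_exit() returns before show_special() is ever reached, which is worth one sentence in the commit message since that is the only reason this copy exists.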
@@ -1576,6 +1588,12 @@ void __audit_syscall_exit(int success, long return_code)
if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT)
audit_log_exit(context, current);
+ else {
+ if (context->type == AUDIT_KERN_MODULE) {
+ kfree(context->module.name);
+ context->module.name = NULL;
+ }
+ }
context->in_syscall = 0;
context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
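Review bot: `else { if (...) { ... } }` reads better as `else if (context->type == AUDIT_KERN_MODULE) { ... }`. More importantly, this frees the name only when audit_log_exit() is skipped; when it is called, the free depends on show_special() having run and on its own failure-path cleanup, so there are now three places where module.name may be freed. Freeing unconditionally at this point, after audit_log_exit() has returned, with the pointer reset to NULL would cover every path with a single call.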
--
2.16.2
5 years, 8 months
audit 2.8.5 released
by Steve Grubb
Hello,
I've just released a new version of the audit daemon. It can be
downloaded from http://people.redhat.com/sgrubb/audit. It will also be
in rawhide soon. The ChangeLog is:
- Fix segfault on shutdown
- Fix hang on startup (#1587995)
- Add sleep to script to dump state so file is ready when needed
- Add auparse_normalizer support for SOFTWARE_UPDATE event
- Mark netlabel events as simple events so that get processed quicker
- When audispd is reconfiguring, only SIGHUP plugins with valid pid (#1614833)
- Add 30-ospp-v42.rules to meet new Common Criteria requirements
- Update lookup tables for the 4.18 kernel
- In aureport, fix segfault in file report
- Add auparse_normalizer support for labeled networking events
- Fix memory leak in audisp-remote plugin when using krb5 transport.
(#1622194)
- Event aging is off by a second
- In ausearch/auparse, correct event ordering to process oldest first
- auparse_reset was not clearing everything it should
- Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events
- In ausearch/report, lightly parse selinux portion of USER_AVC events
- In ausearch/report, limit record size when malformed
- In auditd, fix extract_type function for network originating events
- In auditd, calculate right size and location for network originating events
- Treat all network originating events as VER2 so dispatcher doesn't format
it
- In audisp-remote do an initial connection attempt (#1625156)
- In auditd, allow expression of space left as a percentage (#1650670)
- On PPC64LE systems, only allow 64 bit rules (#1462178)
- Make some parts of auditd state report optional based on config
- Fix ausearch when checkpointing a single file (Burn Alting)
- Fix scripting in 31-privileged.rules wrt filecap (#1662516)
- In ausearch, do not checkpt if stdin is input source
- In libev, remove __cold__ attribute for functions to allow proper hardening
- Add tests to configure.ac for openldap support
- Make systemd support files use /run rather than /var/run (Christian Hesse)
- Fix minor memory leak in auditd kerberos credentials code
- Fix auditd regression where keep_logs is limited by rotate_logs 2 file test
- In ausearch/report fix --end to use midnight time instead of now (#1671338)
This is a big update to the maintenance branch of the audit package. All of
the fixes included here are cherry picked fixes from the audit-3.0 development
branch. This might be the last release for the 2.8 code base. We'll just have
to see.
Work on the audit-3.0 release is waiting for the audit container work to land
and then should be released soon thereafter. (Just in case people were wondering
what is holding up an official audit-3.0 release.)
SHA256: 0e5d4103646e00f8d1981e1cd2faea7a2ae28e854c31a803e907a383c5e2ecb7
Please let me know if you run across any problems with this release.
-Steve
5 years, 8 months