[PATCH ghak111 V1] audit: deliver siginfo regardless of syscall
by Richard Guy Briggs
When a process signals the audit daemon (shutdown, rotate, resume,
reconfig) but syscall auditing is not enabled, we still want to know the
identity of the process sending the signal to the audit daemon.
Move audit_signal_info() out of syscall auditing to general auditing but
create a new function audit_signal_info_syscall() to take care of the
syscall dependent parts for when syscall auditing is enabled.
Please see the github kernel audit issue
https://github.com/linux-audit/audit-kernel/issues/111
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
include/linux/audit.h | 6 ++++++
kernel/audit.c | 27 +++++++++++++++++++++++++++
kernel/audit.h | 4 ++--
kernel/auditsc.c | 19 +++----------------
kernel/signal.c | 2 +-
5 files changed, 39 insertions(+), 19 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 1e69d9fe16da..4a22fc3f824f 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -173,6 +173,9 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
}
extern u32 audit_enabled;
+
+extern int audit_signal_info(int sig, struct task_struct *t);
+
#else /* CONFIG_AUDIT */
static inline __printf(4, 5)
void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
@@ -226,6 +229,9 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
}
#define audit_enabled AUDIT_OFF
+
+#define audit_signal_info(s, t) AUDIT_OFF
+
#endif /* CONFIG_AUDIT */
#ifdef CONFIG_AUDIT_COMPAT_GENERIC
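Review bot: The !CONFIG_AUDIT stub added as `#define audit_signal_info(s, t) AUDIT_OFF` is a macro, while the neighbouring stubs in the same #else block are static inline functions (audit_log a few lines above is one); a macro discards both arguments, so a caller whose only use of `t` is this call gets an unused-variable warning in !CONFIG_AUDIT builds and the type of `sig` is never checked. Suggest `static inline int audit_signal_info(int sig, struct task_struct *t) { return AUDIT_OFF; }`, which keeps the same value the macro yields. The extern declaration in the first hunk of this file is fine as it stands.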
diff --git a/kernel/audit.c b/kernel/audit.c
index b96bf69183f4..67399ff72d43 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -2274,6 +2274,33 @@ int audit_set_loginuid(kuid_t loginuid)
}
/**
+ * audit_signal_info - record signal info for shutting down audit subsystem
+ * @sig: signal value
+ * @t: task being signaled
+ *
+ * If the audit subsystem is being terminated, record the task (pid)
+ * and uid that is doing that.
+ */
+int audit_signal_info(int sig, struct task_struct *t)
+{
+ kuid_t uid = current_uid(), auid;
+
+ if (auditd_test_task(t) &&
+ (sig == SIGTERM || sig == SIGHUP ||
+ sig == SIGUSR1 || sig == SIGUSR2)) {
+ audit_sig_pid = task_tgid_nr(current);
+ auid = audit_get_loginuid(current);
+ if (uid_valid(auid))
+ audit_sig_uid = auid;
+ else
+ audit_sig_uid = uid;
+ security_task_getsecid(current, &audit_sig_sid);
+ }
+
+ return audit_signal_info_syscall(t);
+}
+
+/**
* audit_log_end - end one audit record
* @ab: the audit_buffer
*
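Review bot: The kernel-doc on the new audit_signal_info() describes only the shutdown case, but the condition it documents also matches SIGHUP, SIGUSR1 and SIGUSR2, which the commit message maps to reconfig, rotate and resume, and the return value, which is whatever audit_signal_info_syscall() reports for @t, is not documented at all. Suggest `* audit_signal_info - record signal info for stopping or controlling the audit daemon` for the summary line and `* Returns the result of audit_signal_info_syscall() for @t.` before the closing `*/`. As a minor style point, `uid` is fetched from current_uid() even when the auditd check fails; initialising it inside the else leg would make the intent clearer.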
diff --git a/kernel/audit.h b/kernel/audit.h
index 958d5b8fc1b3..18a8ae812e9f 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -299,7 +299,7 @@ extern bool audit_tree_match(struct audit_chunk *chunk,
extern void audit_put_tree(struct audit_tree *tree);
extern void audit_kill_trees(struct audit_context *context);
-extern int audit_signal_info(int sig, struct task_struct *t);
+extern int audit_signal_info_syscall(struct task_struct *t);
extern void audit_filter_inodes(struct task_struct *tsk,
struct audit_context *ctx);
extern struct list_head *audit_killed_trees(void);
@@ -330,7 +330,7 @@ extern void audit_filter_inodes(struct task_struct *tsk,
#define audit_tree_path(rule) "" /* never called */
#define audit_kill_trees(context) BUG()
-#define audit_signal_info(s, t) AUDIT_DISABLED
+#define audit_signal_info_syscall(t) AUDIT_OFF
#define audit_filter_inodes(t, c) AUDIT_DISABLED
#endif /* CONFIG_AUDITSYSCALL */
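Review bot: The replacement stub `#define audit_signal_info_syscall(t) AUDIT_OFF` returns a different constant than the line it replaces (AUDIT_DISABLED) and than the sibling stub for audit_filter_inodes on the next line, and nothing explains why. The value matters now: the new audit_signal_info() in kernel/audit.c returns it straight to the signal-delivery path, so it presumably has to be zero, which AUDIT_OFF looks to be from its use as the audit_enabled value, though neither constant's definition is visible in this hunk. A one-line comment would keep a future cleanup from "fixing" it back, e.g. `#define audit_signal_info_syscall(t) AUDIT_OFF /* returned to the signal path; must not read as an error */`.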
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 98a98e6dca05..dbd43d84c347 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2370,30 +2370,17 @@ void __audit_ptrace(struct task_struct *t)
}
/**
- * audit_signal_info - record signal info for shutting down audit subsystem
- * @sig: signal value
+ * audit_signal_info_syscall - record signal info for syscalls
* @t: task being signaled
*
* If the audit subsystem is being terminated, record the task (pid)
* and uid that is doing that.
*/
-int audit_signal_info(int sig, struct task_struct *t)
+int audit_signal_info_syscall(struct task_struct *t)
{
struct audit_aux_data_pids *axp;
struct audit_context *ctx = audit_context();
- kuid_t uid = current_uid(), auid, t_uid = task_uid(t);
-
- if (auditd_test_task(t) &&
- (sig == SIGTERM || sig == SIGHUP ||
- sig == SIGUSR1 || sig == SIGUSR2)) {
- audit_sig_pid = task_tgid_nr(current);
- auid = audit_get_loginuid(current);
- if (uid_valid(auid))
- audit_sig_uid = auid;
- else
- audit_sig_uid = uid;
- security_task_getsecid(current, &audit_sig_sid);
- }
+ kuid_t t_uid = task_uid(t);
if (!audit_signals || audit_dummy_context())
return 0;
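Review bot: The kernel-doc kept for audit_signal_info_syscall() still reads "If the audit subsystem is being terminated, record the task (pid) and uid that is doing that", which is precisely the logic this hunk removes and the commit moves to kernel/audit.c; what remains here appears to deal only with the sender's audit context and the target's uid. Suggest replacing that sentence with `* Record the signalled task in the sender's syscall audit context when one is active; the auditd-specific bookkeeping lives in audit_signal_info().`, hedged to whatever the rest of the body does. The function continues past the end of the hunk, so the remaining body was not reviewed.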
diff --git a/kernel/signal.c b/kernel/signal.c
index b7953934aa99..73db5dfa797d 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -43,6 +43,7 @@
#include <linux/compiler.h>
#include <linux/posix-timers.h>
#include <linux/livepatch.h>
+#include <linux/audit.h> /* audit_signal_info() */
#define CREATE_TRACE_POINTS
#include <trace/events/signal.h>
@@ -52,7 +53,6 @@
#include <asm/unistd.h>
#include <asm/siginfo.h>
#include <asm/cacheflush.h>
-#include "audit.h" /* audit_signal_info() */
/*
* SLAB caches for signal bits.
--
1.8.3.1
[PATCH ghau90 v1] sig_info: use standard template for log messages
by Richard Guy Briggs
Records that are triggered by an AUDIT_SIGNAL_INFO message including
AUDIT_DAEMON_CONFIG (HUP), AUDIT_DAEMON_ROTATE (USR1),
AUDIT_DAEMON_RESUME (USR2) and AUDIT_DAEMON_END (TERM) have inconsistent
reporting of signal info and swinging field "state".
They also assume that an empty security context implies there is no
other useful information in the AUDIT_SIGNAL_INFO message so don't use
the information that is there.
Normalize AUDIT_DAEMON_CONFIG to use the value "reconfigure" and add the
"state" field where missing.
Use audit_sig_info values when available, not making assumptions about
their availability when the security context is absent.
See: https://github.com/linux-audit/audit-userspace/issues/90
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
docs/audit_request_signal_info.3 | 2 +-
lib/libaudit.c | 12 +++++++++
lib/libaudit.h | 1 +
src/auditd-reconfig.c | 9 +++----
src/auditd.c | 54 ++++++++++++++--------------------------
5 files changed, 36 insertions(+), 42 deletions(-)
diff --git a/docs/audit_request_signal_info.3 b/docs/audit_request_signal_info.3
index 873deb58bef3..b68d7bbefeed 100644
--- a/docs/audit_request_signal_info.3
+++ b/docs/audit_request_signal_info.3
@@ -8,7 +8,7 @@ int audit_request_signal_info(int fd);
.SH "DESCRIPTION"
-audit_request_signal_info requests that the kernel send information about the sender of a signal to the audit daemon. The sinal info structure is as follows:
+audit_request_signal_info requests that the kernel send information about the sender of a signal to the audit daemon. The signal info structure is as follows:
.nf
struct audit_sig_info {
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 2af017a0e520..e9c4f9cad6df 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -674,6 +674,18 @@ int audit_request_signal_info(int fd)
return rc;
}
+char *audit_format_signal_info(char *buf, int len, char *op, struct audit_reply *rep, char *res)
+{
+ snprintf(buf, len,
+ "op=%s auid=%u pid=%d subj=%s res=%s",
+ op,
+ rep->signal_info->uid,
+ rep->signal_info->pid,
+ rep->len == 24 ? "?" : rep->signal_info->ctx,
+ res);
+ return buf;
+}
+
int audit_update_watch_perms(struct audit_rule_data *rule, int perms)
{
unsigned int i, done=0;
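Review bot: `rep->len == 24 ? "?" : rep->signal_info->ctx` substitutes "?" only for the exact no-context length, while the code it replaces in src/auditd-reconfig.c (and the usr1/usr2 arms in src/auditd.c) selected ctx only for `len > 24`; a reply shorter than 24 bytes, which a truncated netlink message can produce, now reads ctx beyond the payload. Use `rep->len <= 24 ? "?" : rep->signal_info->ctx`, and consider a named constant for 24, which appears to be the reply length carrying no context string (not shown here). Because the prototype is also exported from lib/libaudit.h, the signature should be right before it becomes API: `char *audit_format_signal_info(char *buf, size_t len, const char *op, struct audit_reply *rep, const char *res)`, so string literals are passed without dropping const and `sizeof(txt)` reaches snprintf as the size_t it expects. There is also no guard against rep->signal_info being NULL; whether get_reply() guarantees it is set is not visible here.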
diff --git a/lib/libaudit.h b/lib/libaudit.h
index ca7aa63e354e..63a5e948d00e 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -562,6 +562,7 @@ extern int audit_setloginuid(uid_t uid);
extern uint32_t audit_get_session(void);
extern int audit_detect_machine(void);
extern int audit_determine_machine(const char *arch);
+extern char *audit_format_signal_info(char *buf, int len, char *op, struct audit_reply *rep, char *res);
/* Translation functions */
extern int audit_name_to_field(const char *field);
diff --git a/src/auditd-reconfig.c b/src/auditd-reconfig.c
index a03e29aa57ab..f5b00e6d1dc7 100644
--- a/src/auditd-reconfig.c
+++ b/src/auditd-reconfig.c
@@ -115,12 +115,9 @@ static void *config_thread_main(void *arg)
} else {
// need to send a failed event message
char txt[MAX_AUDIT_MESSAGE_LENGTH];
- snprintf(txt, sizeof(txt),
- "op=reconfigure state=no-change auid=%u pid=%d subj=%s res=failed",
- e->reply.signal_info->uid,
- e->reply.signal_info->pid,
- (e->reply.len > 24) ?
- e->reply.signal_info->ctx : "?");
+ audit_format_signal_info(txt, sizeof(txt),
+ "reconfigure state=no-change",
+ &e->reply, "failed");
// FIXME: need to figure out sending this
//send_audit_event(AUDIT_DAEMON_CONFIG, txt);
free_config(&new_config);
diff --git a/src/auditd.c b/src/auditd.c
index c04a1c9ce93f..5c31583a49c6 100644
--- a/src/auditd.c
+++ b/src/auditd.c
@@ -131,7 +131,7 @@ static void hup_handler( struct ev_loop *loop, struct ev_signal *sig, int revent
rc = audit_request_signal_info(fd);
if (rc < 0)
send_audit_event(AUDIT_DAEMON_CONFIG,
- "op=hup-info state=request-siginfo auid=-1 pid=-1 subj=? res=failed");
+ "op=reconfigure state=no-change auid=-1 pid=-1 subj=? res=failed");
else
hup_info_requested = 1;
}
@@ -147,7 +147,7 @@ static void user1_handler(struct ev_loop *loop, struct ev_signal *sig,
rc = audit_request_signal_info(fd);
if (rc < 0)
send_audit_event(AUDIT_DAEMON_ROTATE,
- "op=usr1-info auid=-1 pid=-1 subj=? res=failed");
+ "op=rotate-logs auid=-1 pid=-1 subj=? res=failed");
else
usr1_info_requested = 1;
}
@@ -163,7 +163,7 @@ static void user2_handler( struct ev_loop *loop, struct ev_signal *sig, int reve
if (rc < 0) {
resume_logging();
send_audit_event(AUDIT_DAEMON_RESUME,
- "op=resume-logging auid=-1 pid=-1 subj=? res=success");
+ "op=resume-logging auid=-1 pid=-1 subj=? res=failed");
} else
usr2_info_requested = 1;
}
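Review bot: The new `res=failed` on the resume-logging record contradicts the action taken two lines above it: resume_logging() still runs in this failure path, so logging was resumed and only the signal-info request failed. The hup and usr1 handlers in the preceding hunks do not perform their action when audit_request_signal_info() fails, so this is the only handler reporting failure for an operation that succeeded. Either keep `res=success` here, since `auid=-1 pid=-1 subj=?` already marks the missing signal info, or make the handler consistent with the other two and skip the resume when the request fails.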
@@ -515,45 +515,33 @@ static void netlink_handler(struct ev_loop *loop, struct ev_io *io,
break;
case AUDIT_SIGNAL_INFO:
if (hup_info_requested) {
+ char hup[MAX_AUDIT_MESSAGE_LENGTH];
audit_msg(LOG_DEBUG,
"HUP detected, starting config manager");
reconfig_ev = cur_event;
if (start_config_manager(cur_event)) {
- send_audit_event(
- AUDIT_DAEMON_CONFIG,
- "op=reconfigure state=no-change "
- "auid=-1 pid=-1 subj=? res=failed");
+ audit_format_signal_info(hup, sizeof(hup),
+ "reconfigure state=no-change",
+ &cur_event->reply,
+ "failed");
+ send_audit_event(AUDIT_DAEMON_CONFIG, hup);
}
cur_event = NULL;
hup_info_requested = 0;
} else if (usr1_info_requested) {
char usr1[MAX_AUDIT_MESSAGE_LENGTH];
- if (cur_event->reply.len == 24) {
- snprintf(usr1, sizeof(usr1),
- "op=rotate-logs auid=-1 pid=-1 subj=?");
- } else {
- snprintf(usr1, sizeof(usr1),
- "op=rotate-logs auid=%u pid=%d subj=%s",
- cur_event->reply.signal_info->uid,
- cur_event->reply.signal_info->pid,
- cur_event->reply.signal_info->ctx);
- }
+ audit_format_signal_info(usr1, sizeof(usr1),
+ "rotate-logs",
+ &cur_event->reply,
+ "success");
send_audit_event(AUDIT_DAEMON_ROTATE, usr1);
usr1_info_requested = 0;
} else if (usr2_info_requested) {
char usr2[MAX_AUDIT_MESSAGE_LENGTH];
- if (cur_event->reply.len == 24) {
- snprintf(usr2, sizeof(usr2),
- "op=resume-logging auid=-1 "
- "pid=-1 subj=? res=success");
- } else {
- snprintf(usr2, sizeof(usr2),
- "op=resume-logging "
- "auid=%u pid=%d subj=%s res=success",
- cur_event->reply.signal_info->uid,
- cur_event->reply.signal_info->pid,
- cur_event->reply.signal_info->ctx);
- }
+ audit_format_signal_info(usr2, sizeof(usr2),
+ "resume-logging",
+ &cur_event->reply,
+ "success");
resume_logging();
libdisp_resume();
send_audit_event(AUDIT_DAEMON_RESUME, usr2);
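Review bot: `char hup[MAX_AUDIT_MESSAGE_LENGTH];` is declared at the top of the hup branch but is only written and read inside the start_config_manager() failure branch, whereas the usr1 and usr2 arms declare their buffers in the same block that formats and sends them. Moving the declaration into the inner `if` keeps the three arms parallel and confines the stack buffer to the one path that needs it.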
@@ -993,12 +981,8 @@ int main(int argc, char *argv[])
rc = get_reply(fd, &trep, rc);
if (rc > 0) {
char txt[MAX_AUDIT_MESSAGE_LENGTH];
- snprintf(txt, sizeof(txt),
- "op=terminate auid=%u "
- "pid=%d subj=%s res=success",
- trep.signal_info->uid,
- trep.signal_info->pid,
- trep.signal_info->ctx);
+ audit_format_signal_info(txt, sizeof(txt), "terminate",
+ &trep, "success");
send_audit_event(AUDIT_DAEMON_END, txt);
}
}
--
1.8.3.1
[PATCH ghak10 v8 0/2] audit: Log changes that can affect the system clock
by Ondrej Mosnacek
This patchset implements auditing of (syscall-triggered) changes that
can modify or indirectly affect the system clock. Some of these
changes can already be detected by simply logging relevant syscalls,
but this has some disadvantages:
a) It is usually not possible to find out from the syscall records
the amount by which the time was shifted.
b) Syscalls like adjtimex(2) or clock_adjtime(2) can be used also
for read-only operations, which might flood the audit log with
false positives. (Note that these patches don't solve this
problem yet due to the limitations of current record filtering
capabilities.)
The main motivation is to provide better reliability of timestamps
on the system as mandated by the FPT_STM.1 security functional
requirement from Common Criteria. This requirement apparently demands
that it is possible to reconstruct from audit trail the old and new
values of the time when it is adjusted (see [1]).
The current version of the patchset logs the following changes:
- direct setting of system time to a given value
- direct injection of timekeeping offset
- adjustment of timekeeping's TAI offset
- NTP value adjustments (may affect system time indirectly):
- time_offset
- time_freq
- time_status
- time_adjust
- tick_usec
Changes to the following NTP values are not logged, as they are not
important for security:
- time_maxerror
- time_esterror
- time_constant
Audit kernel GitHub issue: https://github.com/linux-audit/audit-kernel/issues/10
Audit kernel RFE page: https://github.com/linux-audit/audit-kernel/wiki/RFE-More-detailed-auditi...
Audit userspace PR: https://github.com/linux-audit/audit-userspace/pull/89
Audit testsuite PR: https://github.com/linux-audit/audit-testsuite/pull/82
Testing: Passed audit-testsuite (including new functional test from PR#82)
Changes in v8:
- Switched AUDIT_NTP_* macros to an enum
- Fixed mistakes in commit messages
- Added missing s64 -> long long conversion (forgot to commit it in v7)
v7: https://www.redhat.com/archives/linux-audit/2019-April/msg00044.html
Changes in v7:
- Removed #include <uapi/linux/timex.h> from audit.h, since it is not
needed
- Moved audit_log() calls out of locked sections and switched audit
allocations to GFP_KERNEL
- Rebased onto latest audit/next
- Switched the general NTP value type to long long (was s64),
which corresponds better with the actual timex field types
- Simplified commit log messages
v6: https://www.redhat.com/archives/linux-audit/2019-March/msg00016.html
Changes in v6:
- Reorganized the patches to group changes by record type, not
kernel subsytem, as suggested in earlier discussions
- Added checks to ignore no-change events (new value == old value)
- Added TIME_INJOFFSET logging also to do_settimeofday64() to cover
syscalls such as settimeofday(2), stime(2), clock_settime(2)
- Created an RFE page on audit-kernel GitHub
v5: https://www.redhat.com/archives/linux-audit/2018-August/msg00039.html
Changes in v5:
- Dropped logging of some less important changes and update commit messages
- No longer mark the patchset as RFC
v4: https://www.redhat.com/archives/linux-audit/2018-August/msg00023.html
Changes in v4:
- Squashed first two patches into one
- Renamed ADJNTPVAL's "type" field to "op" to align with audit record
conventions
- Minor commit message editing
- Cc timekeeping/NTP people for feedback
v3: https://www.redhat.com/archives/linux-audit/2018-July/msg00001.html
Changes in v3:
- Switched to separate records for each variable
- Both old and new value is now reported for each change
- Injecting offset is reported via a separate record (since this
offset consists of two values and is added directly to the clock,
i.e. it doesn't make sense to log old and new value)
- Added example records produced by chronyd -q (see the commit message
of the last patch)
v2: https://www.redhat.com/archives/linux-audit/2018-June/msg00114.html
Changes in v2:
- The audit_adjtime() function has been modified to only log those
fields that contain values that are actually used, resulting in more
compact records.
- The audit_adjtime() call has been moved to do_adjtimex() in
timekeeping.c
- Added an additional patch (for review) that simplifies the detection
if the syscall is read-only.
v1: https://www.redhat.com/archives/linux-audit/2018-June/msg00095.html
[1] https://www.niap-ccevs.org/MMO/PP/pp_ca_v2.1.pdf -- section 5.1,
table 4
Ondrej Mosnacek (2):
timekeeping: Audit clock adjustments
ntp: Audit NTP parameters adjustment
include/linux/audit.h | 75 ++++++++++++++++++++++++++++++++++++++
include/uapi/linux/audit.h | 2 +
kernel/auditsc.c | 28 ++++++++++++++
kernel/time/ntp.c | 22 +++++++++--
kernel/time/ntp_internal.h | 4 +-
kernel/time/timekeeping.c | 13 ++++++-
6 files changed, 139 insertions(+), 5 deletions(-)
--
2.20.1
option --extra-obj2 does not seem to work
by Ondra N.
Hello,
it seems that the option fails to display the second object for rename
action.
The interactive format correctly shows the renaming of the file
5M2w0d4eagxxig9KYM5.file to DyTbnH12dMV1nQsOxU.file
ausearch -k test-ra -i
type=PROCTITLE msg=audit(04/05/2019 13:57:22.489:110873) :
proctitle=python3 populate_fs.py rename
type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=3
name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/DyTbnH12dMV1nQsOxU.file
inode=184553858 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
objtype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=2
name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/5M2w0d4eagxxig9KYM5.file
inode=184553858 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
objtype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=1
name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/
inode=184554064 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00
objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=0
name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/
inode=184554064 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00
objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(04/05/2019 13:57:22.489:110873) :
cwd=/push_agent/src/main/python/scripts
type=SYSCALL msg=audit(04/05/2019 13:57:22.489:110873) : arch=x86_64
syscall=rename success=yes exit=0 a0=0x7f3259691b78 a1=0x7f3259691d70
a2=0xffffffff a3=0x7f3263f160e0 items=4 ppid=27421 pid=7653 auid=root
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root tty=pts1 ses=5549 comm=python3
exe=/opt/rh/rh-python36/root/usr/bin/python3.6 key=test-ra
but the csv format shows just an empty column where the info about object2
should be.
ausearch -k test-ra --format csv --extra-obj2
,SYSCALL,04/05/2019,13:57:22,110873,audit-rule,5549,root,root,priviliged-acct,renamed,success,/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/5M2w0d4eagxxig9KYM5.file,184553858,,file,/opt/rh/rh-python36/root/usr/bin/python3.6
is this desired behaviour?
[PATCH ghak10 v7 0/2] audit: Log changes that can affect the system clock
by Ondrej Mosnacek
This patchset implements auditing of (syscall-triggered) changes that
can modify or indirectly affect the system clock. Some of these
changes can already be detected by simply logging relevant syscalls,
but this has some disadvantages:
a) It is usually not possible to find out from the syscall records
the amount by which the time was shifted.
b) Syscalls like adjtimex(2) or clock_adjtime(2) can be used also
for read-only operations, which might flood the audit log with
false positives. (Note that these patches don't solve this
problem yet due to the limitations of current record filtering
capabilities.)
The main motivation is to provide better reliability of timestamps
on the system as mandated by the FPT_STM.1 security functional
requirement from Common Criteria. This requirement apparently demands
that it is possible to reconstruct from audit trail the old and new
values of the time when it is adjusted (see [1]).
The current version of the patchset logs the following changes:
- direct setting of system time to a given value
- direct injection of timekeeping offset
- adjustment of timekeeping's TAI offset
- NTP value adjustments (may affect system time indirectly):
- time_offset
- time_freq
- time_status
- time_adjust
- tick_usec
Changes to the following NTP values are not logged, as they are not
important for security:
- time_maxerror
- time_esterror
- time_constant
Audit kernel GitHub issue: https://github.com/linux-audit/audit-kernel/issues/10
Audit kernel RFE page: https://github.com/linux-audit/audit-kernel/wiki/RFE-More-detailed-auditi...
Audit userspace PR: https://github.com/linux-audit/audit-userspace/pull/89
Audit testsuite PR: https://github.com/linux-audit/audit-testsuite/pull/82
Testing: Passed audit-testsuite (including new functional test from PR#82)
Changes in v7:
- Removed #include <uapi/linux/timex.h> from audit.h, since it is not
needed
- Moved audit_log() calls out of locked sections and switched audit
allocations to GFP_KERNEL
- Rebased onto latest audit/next
- Switched the general NTP value type to long long (was s64),
which corresponds better with the actual timex field types
- Simplified commit log messages
v6: https://www.redhat.com/archives/linux-audit/2019-March/msg00016.html
Changes in v6:
- Reorganized the patches to group changes by record type, not
kernel subsytem, as suggested in earlier discussions
- Added checks to ignore no-change events (new value == old value)
- Added TIME_INJOFFSET logging also to do_settimeofday64() to cover
syscalls such as settimeofday(2), stime(2), clock_settime(2)
- Created an RFE page on audit-kernel GitHub
v5: https://www.redhat.com/archives/linux-audit/2018-August/msg00039.html
Changes in v5:
- Dropped logging of some less important changes and update commit messages
- No longer mark the patchset as RFC
v4: https://www.redhat.com/archives/linux-audit/2018-August/msg00023.html
Changes in v4:
- Squashed first two patches into one
- Renamed ADJNTPVAL's "type" field to "op" to align with audit record
conventions
- Minor commit message editing
- Cc timekeeping/NTP people for feedback
v3: https://www.redhat.com/archives/linux-audit/2018-July/msg00001.html
Changes in v3:
- Switched to separate records for each variable
- Both old and new value is now reported for each change
- Injecting offset is reported via a separate record (since this
offset consists of two values and is added directly to the clock,
i.e. it doesn't make sense to log old and new value)
- Added example records produced by chronyd -q (see the commit message
of the last patch)
v2: https://www.redhat.com/archives/linux-audit/2018-June/msg00114.html
Changes in v2:
- The audit_adjtime() function has been modified to only log those
fields that contain values that are actually used, resulting in more
compact records.
- The audit_adjtime() call has been moved to do_adjtimex() in
timekeeping.c
- Added an additional patch (for review) that simplifies the detection
if the syscall is read-only.
v1: https://www.redhat.com/archives/linux-audit/2018-June/msg00095.html
[1] https://www.niap-ccevs.org/MMO/PP/pp_ca_v2.1.pdf -- section 5.1,
table 4
Ondrej Mosnacek (2):
timekeeping: Audit clock adjustments
ntp: Audit NTP parameters adjustment
include/linux/audit.h | 68 ++++++++++++++++++++++++++++++++++++++
include/uapi/linux/audit.h | 2 ++
kernel/auditsc.c | 29 ++++++++++++++++
kernel/time/ntp.c | 22 ++++++++++--
kernel/time/ntp_internal.h | 4 ++-
kernel/time/timekeeping.c | 13 +++++++-
6 files changed, 133 insertions(+), 5 deletions(-)
--
2.20.1
[ANNOUNCE][CFP] Linux Security Summit North America 2019
by James Morris
==============================================================================
ANNOUNCEMENT AND CALL FOR PARTICIPATION
LINUX SECURITY SUMMIT NORTH AMERICA 2019
19-21 August
SAN DIEGO, CA, USA
==============================================================================
DESCRIPTION
The Linux Security Summit (LSS) is a technical forum for collaboration
between Linux developers, researchers, and end users. Its primary aim is to
foster community efforts in analyzing and solving Linux security challenges.
LSS will be held this year as two separate events, one in North America
(LSS-NA), and one in Europe (LSS-EU), to facilitate broader participation in
Linux Security development. Note that this CFP is for LSS-NA; a separate CFP
will be announced for LSS-EU in May. We encourage everyone to attend both
events.
The program committee currently seeks proposals for:
* Refereed Presentations:
45 minutes in length.
* Panel Discussion Topics:
45 minutes in length.
* Short Topics:
30 minutes in total, including at least 10 minutes discussion.
* Tutorials (NEW for 2019)
90 minutes in length.
* Hackfest Sessions (NEW for 2019)
1/2 day.
Note that LSS NA is now a 3-day event. The third day will be a mix of
tutorials and hackfest sessions:
* Tutorial sessions should be focused on advanced Linux security defense
topics within areas such as the kernel, compiler, and security-related
libraries. Priority will be given to tutorials created for this
conference.
* Hackfest proposals should aim to solve, or make significant progress on
a well-defined problem in the Linux security defense space, and be
supported by multiple community developers.
Topic areas include, but are not limited to:
* Kernel self-protection
* Access control
* Cryptography and key management
* Integrity policy and enforcement
* Hardware Security
* IoT and embedded security
* Virtualization and containers
* System-specific system hardening
* Case studies
* Security tools
* Security UX
* Emerging technologies, threats & techniques
Proposals should be submitted via:
https://events.linuxfoundation.org/events/linux-security-summit-north-ame...
DATES
* CFP Close: May 31, 2019
* CFP Notifications: June 17, 2019
* Schedule Announced: June 19, 2019
* Event: August 19-21, 2019
WHO SHOULD ATTEND
We're seeking a diverse range of attendees, and welcome participation by
people involved in Linux security development, operations, and research.
The LSS is a unique global event which provides the opportunity to present
and discuss your work or research with key Linux security community members
and maintainers. It’s also useful for those who wish to keep up with the
latest in Linux security development, and to provide input to the
development process.
WEB SITE
https://events.linuxfoundation.org/events/linux-security-summit-north-ame...
TWITTER
For event updates and announcements, follow:
https://twitter.com/LinuxSecSummit
PROGRAM COMMITTEE
The program committee for LSS 2019 is:
* James Morris, Microsoft
* Serge Hallyn, Cisco
* Paul Moore, Cisco
* Stephen Smalley, NSA
* Elena Reshetova, Intel
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM
* David A. Wheeler, Institute for Defense Analyses
The program committee may be contacted as a group via email:
lss-pc () lists.linuxfoundation.org
[PATCH ghau51/ghau40 v6 0/7] add support for audit container identifier
by Richard Guy Briggs
Add support for audit kernel container identifiers to userspace tools.
The first and second add new record types. The third adds filter
support. The fourth and fifth start to add search support.
The 6th is to read the calling process' audit container identifier from
the /proc filesystem matching the kernel /proc read patch.
The last is to learn the audit container identifier of the process that
signals the audit daemon.
See: https://github.com/linux-audit/audit-userspace/issues/51
See: https://github.com/linux-audit/audit-userspace/issues/40
See: https://github.com/linux-audit/audit-kernel/issues/90
See: https://github.com/linux-audit/audit-kernel/issues/91
See: https://github.com/linux-audit/audit-testsuite/issues/64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Changelog:
v6
- auditd signaller tracking was moved to a new AUDIT_SIGNAL_INFO2
request and record
- swap CONTAINER_OP contid/old-contid to ease parsing
- add to auparse
v5
- updated aux record from AUDIT_CONTAINER to AUDIT_CONTAINER_ID
- add AUDIT_CONTAINER_ID to normalization
- rebase on AUDIT_ANOM_LINK and AUDIT_MAC_CALIPSO_ADD
v4
- change from AUDIT_CONTAINER_ID to AUDIT_CONTAINER_OP
- change from AUDIT_FEATURE_BITMAP_CONTAINERID_FILTER to
AUDIT_FEATURE_BITMAP_CONTAINERID
- change from event_container_id to event_contid internally
- change from container_id to contid and event_container_id to
event_contid internally
- change command line option from --container-id to --contid
v3
- change from AUDIT_CONTAINER to AUDIT_CONTAINER_ID
- change from AUDIT_CONTAINER_INFO to AUDIT_CONTAINER
- change from AUDIT_CONTAINERID to AUDIT_CONTID
- update github issue refs
- add audit_get_containerid
- change event_container_id default value
- add --containerid to ausearch options help text
- update ausearch parser and error codes
v2
- rebase on UINT_MAX patch
- add patches for AUDIT_CONTAINER, AUDIT_CONTAINER_INFO, ausearch,
normalization
Richard Guy Briggs (7):
AUDIT_CONTAINER_OP message type basic support
AUDIT_CONTAINER_ID message type basic support
auditctl: add support for AUDIT_CONTID filter
add ausearch containerid support
start normalization containerid support
libaudit: add support to get the task audit container identifier
add support for audit_signal_info2
auparse/auditd-config.c | 1 +
auparse/auparse-defs.h | 3 +-
auparse/interpret.c | 10 ++
auparse/normalize_record_map.h | 2 +
auparse/typetab.h | 2 +
bindings/python/auparse_python.c | 1 +
docs/Makefile.am | 2 +-
docs/audit_get_containerid.3 | 25 +++++
docs/audit_request_signal_info.3 | 3 +-
docs/auditctl.8 | 3 +
lib/fieldtab.h | 1 +
lib/libaudit.c | 118 ++++++++++++++++++++++-
lib/libaudit.h | 31 ++++++
lib/msg_typetab.h | 3 +
lib/netlink.c | 5 +
src/auditctl-listing.c | 21 +++++
src/auditd-config.c | 1 +
src/auditd-config.h | 1 +
src/auditd-event.c | 23 +++--
src/auditd-reconfig.c | 32 ++++---
src/auditd.c | 33 +++----
src/aureport-options.c | 1 +
src/ausearch-llist.c | 2 +
src/ausearch-llist.h | 1 +
src/ausearch-match.c | 3 +
src/ausearch-options.c | 47 +++++++++-
src/ausearch-options.h | 1 +
src/ausearch-parse.c | 197 +++++++++++++++++++++++++++++++++++++++
28 files changed, 530 insertions(+), 43 deletions(-)
create mode 100644 docs/audit_get_containerid.3
--
1.8.3.1
Events Delayed in Example audisp Plugin
by Lukas Rupprecht
Hi All,
I'm having problems with the example audisp plugin from https://github.com/linux-audit/audit-userspace/blob/master/contrib/plugin... as sometimes, events seem to be delayed. The scenario is as follows:
My audit rules are tracking clone, execve,setpgid, and exit_group calls and I changed the example plugin to just dump records in handle_event using the following code:
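/*
 * auparse callback: dump every record of a ready event to stdout as
 * "<record type name>: <raw record text>".
 *
 * @au: parser state positioned on the current event
 * @cb_event_type: why the callback fired; only AUPARSE_CB_EVENT_READY is handled
 * @user_data: opaque pointer registered with the callback (unused here)
 */
static void handle_event(auparse_state_t *au, auparse_cb_event_t cb_event_type,
			 void *user_data)
{
	(void)user_data;

	if (cb_event_type != AUPARSE_CB_EVENT_READY)
		return;

	/* Step through the records by index until auparse reports none left. */
	for (int num = 0; auparse_goto_record_num(au, num) > 0; num++) {
		/*
		 * Query the type once and reuse it; the original stored it in
		 * a local and then called auparse_get_type() a second time.
		 */
		int type = auparse_get_type(au);

		printf("%s: %s\n", audit_msg_type_to_name(type),
		       auparse_get_record_text(au));
	}
}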
When running a simple 'cat' command, I should see events for (in that order) clone, execve, setpgid, setpgid, exit_group. However, the plugin is only printing the first four events but not the exit_group. The event is printed eventually, but only, if there has been other system activity that triggered new, unrelated events (for example, another clone).
I added some instrumentation and found that, when the exit_group event arrives, fgets_unlocked (line 125) does read the SYSCALL record for exit_group but is missing the corresponding EOE record. A possible explanation could be that, when select unblocks, fgets_unlocked only reads a single line from stdin while the remaining data is buffered. Hence, when select is called the next time, it does not detect any activity on the file descriptor and blocks, and the buffered data is only read once select unblocks due to a new event.
To test this, I replaced the call to fgets_unlocked by a read call to consume all available bytes on stdin. The new code looks as follows (replacing lines 123-130 in audisp-example.c):
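/* Now the event loop */
if (!stop && !hup && retval > 0) {
	/*
	 * Drain whatever is readable on stdin in one call instead of one
	 * line at a time, so a record and the EOE that arrives with it are
	 * both handed to the parser now rather than on the next wakeup.
	 * NOTE(review): tmp needs room for MAX_AUDIT_MESSAGE_LENGTH + 1
	 * bytes because of the terminator written below — confirm its
	 * declaration in the plugin.
	 */
	ssize_t bytesRead = read(0, tmp, MAX_AUDIT_MESSAGE_LENGTH);
	if (bytesRead > 0) {
		/* Terminate only so the diagnostic printf can print it as %s. */
		tmp[bytesRead] = '\0';
		/* %zd matches ssize_t; passing a ssize_t for %d is undefined. */
		printf("Read %zd bytes from socket: %s", bytesRead, tmp);
		auparse_feed(au, tmp, bytesRead);
	}
}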
Using this code, I can now see the EOE record for the corresponding exit_group SYSCALL record being read when the event arrives (I can see it printed by the printf in the event loop). However, the problem is that it is still not processed in handle_event until a new, unrelated event arrives, i.e. it is not printed immediately in handle_event. It should have been fed to the parser, though, as part of the last read. Could this be a bug or am I missing something? I tried this for versions 2.8.1 and 2.8.5.
Thanks for any help in advance!
Lukas
[PATCH ghak112 V1] audit: purge unnecessary list_empty calls
by Richard Guy Briggs
The original conditions that led to the use of list_empty() to optimize
list_for_each_entry_rcu() in auditfilter.c and auditsc.c code have been
removed without removing the list_empty() call, but this code example
has been copied several times. Remove the unnecessary list_empty()
calls.
Please see upstream github issue
https://github.com/linux-audit/audit-kernel/issues/112
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/auditfilter.c | 2 --
kernel/auditsc.c | 64 ++++++++++++++++++++++------------------------------
2 files changed, 27 insertions(+), 39 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 63f8b3f26fab..2c3c2f349b23 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1315,8 +1315,6 @@ int audit_filter(int msgtype, unsigned int listtype)
int ret = 1; /* Audit by default */
rcu_read_lock();
- if (list_empty(&audit_filter_list[listtype]))
- goto unlock_and_return;
list_for_each_entry_rcu(e, &audit_filter_list[listtype], list) {
int i, result = 0;
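Review bot: Dropping this `goto unlock_and_return` may leave the `unlock_and_return:` label with fewer or no remaining jumps; if it was the only one, the label should go in the same patch, since the `rcu_read_unlock(); return ret;` after it is then reached by fall-through and an unused label draws a compiler warning. The label and the loop body that might still jump to it are outside the hunk, so this needs checking against the full `audit_filter()` rather than being assumed either way. The removal itself is behaviour-neutral: an empty `audit_filter_list[listtype]` makes the `list_for_each_entry_rcu()` body run zero times and `ret` keeps its default of 1.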
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 98a98e6dca05..51a2ceb3a1ca 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -771,15 +771,13 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk,
return AUDIT_DISABLED;
rcu_read_lock();
- if (!list_empty(list)) {
- list_for_each_entry_rcu(e, list, list) {
- if (audit_in_mask(&e->rule, ctx->major) &&
- audit_filter_rules(tsk, &e->rule, ctx, NULL,
- &state, false)) {
- rcu_read_unlock();
- ctx->current_state = state;
- return state;
- }
+ list_for_each_entry_rcu(e, list, list) {
+ if (audit_in_mask(&e->rule, ctx->major) &&
+ audit_filter_rules(tsk, &e->rule, ctx, NULL,
+ &state, false)) {
+ rcu_read_unlock();
+ ctx->current_state = state;
+ return state;
}
}
rcu_read_unlock();
@@ -798,9 +796,6 @@ static int audit_filter_inode_name(struct task_struct *tsk,
struct audit_entry *e;
enum audit_state state;
- if (list_empty(list))
- return 0;
-
list_for_each_entry_rcu(e, list, list) {
if (audit_in_mask(&e->rule, ctx->major) &&
audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) {
@@ -808,7 +803,6 @@ static int audit_filter_inode_name(struct task_struct *tsk,
return 1;
}
}
-
return 0;
}
@@ -1945,18 +1939,16 @@ void __audit_inode(struct filename *name, const struct dentry *dentry,
return;
rcu_read_lock();
- if (!list_empty(list)) {
- list_for_each_entry_rcu(e, list, list) {
- for (i = 0; i < e->rule.field_count; i++) {
- struct audit_field *f = &e->rule.fields[i];
-
- if (f->type == AUDIT_FSTYPE
- && audit_comparator(inode->i_sb->s_magic,
- f->op, f->val)
- && e->rule.action == AUDIT_NEVER) {
- rcu_read_unlock();
- return;
- }
+ list_for_each_entry_rcu(e, list, list) {
+ for (i = 0; i < e->rule.field_count; i++) {
+ struct audit_field *f = &e->rule.fields[i];
+
+ if (f->type == AUDIT_FSTYPE
+ && audit_comparator(inode->i_sb->s_magic,
+ f->op, f->val)
+ && e->rule.action == AUDIT_NEVER) {
+ rcu_read_unlock();
+ return;
}
}
}
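Review bot: The loop re-indented here is the same as the one in the next hunk (`__audit_inode_child`, `@@ -2065`) apart from `inode->i_sb` versus `parent->i_sb`, and since both bodies are being rewritten anyway this is the natural point to factor the AUDIT_FSTYPE/AUDIT_NEVER rule check into one helper so the two copies cannot drift. The helper takes the rule list and the super_block and reports whether an AUDIT_NEVER rule matches the filesystem magic; each caller reduces to a guarded early return and keeps its existing `rcu_read_lock()`/`rcu_read_unlock()` pair, which the helper relies on. Both enclosing functions start and end outside their hunks, so the code that follows each loop is untouched.
```c
/* Caller holds rcu_read_lock(). True when a rule on @list matches @sb's
 * filesystem type (AUDIT_FSTYPE) with action AUDIT_NEVER. */
static bool audit_fstype_never(struct list_head *list, struct super_block *sb)
{
	struct audit_entry *e;
	int i;

	list_for_each_entry_rcu(e, list, list) {
		for (i = 0; i < e->rule.field_count; i++) {
			struct audit_field *f = &e->rule.fields[i];

			if (f->type == AUDIT_FSTYPE &&
			    audit_comparator(sb->s_magic, f->op, f->val) &&
			    e->rule.action == AUDIT_NEVER)
				return true;
		}
	}
	return false;
}

/* … in __audit_inode(), replacing the re-indented loop (same shape in
 * __audit_inode_child() with parent->i_sb) … */
	rcu_read_lock();
	if (audit_fstype_never(list, inode->i_sb)) {
		rcu_read_unlock();
		return;
	}
	/* … unchanged: rcu_read_unlock() and the rest of __audit_inode() … */
```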
@@ -2065,18 +2057,16 @@ void __audit_inode_child(struct inode *parent,
return;
rcu_read_lock();
- if (!list_empty(list)) {
- list_for_each_entry_rcu(e, list, list) {
- for (i = 0; i < e->rule.field_count; i++) {
- struct audit_field *f = &e->rule.fields[i];
-
- if (f->type == AUDIT_FSTYPE
- && audit_comparator(parent->i_sb->s_magic,
- f->op, f->val)
- && e->rule.action == AUDIT_NEVER) {
- rcu_read_unlock();
- return;
- }
+ list_for_each_entry_rcu(e, list, list) {
+ for (i = 0; i < e->rule.field_count; i++) {
+ struct audit_field *f = &e->rule.fields[i];
+
+ if (f->type == AUDIT_FSTYPE
+ && audit_comparator(parent->i_sb->s_magic,
+ f->op, f->val)
+ && e->rule.action == AUDIT_NEVER) {
+ rcu_read_unlock();
+ return;
}
}
}
--
1.8.3.1
[PATCH ghau85 v1] ima: add support for AUDIT_INTEGRITY_EVM_XATTR records
by Richard Guy Briggs
In commit fa516b6 ("EVM: Allow runtime modification of the set of verified
xattrs") support was added in the kernel for the
AUDIT_INTEGRITY_EVM_XATTR record with the EVM_ADD_XATTRS config option.
Its record number is 1806. It has a field "xattr=" with result field
"res=".
Add support for the record type number. Since the xattr field isn't
searchable, a parser wasn't necessary.
See: https://github.com/linux-audit/audit-userspace/issues/85
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
auparse/normalize_record_map.h | 1 +
lib/libaudit.h | 3 +++
lib/msg_typetab.h | 1 +
3 files changed, 5 insertions(+)
diff --git a/auparse/normalize_record_map.h b/auparse/normalize_record_map.h
index 085437f67724..fee778e76db7 100644
--- a/auparse/normalize_record_map.h
+++ b/auparse/normalize_record_map.h
@@ -99,6 +99,7 @@ _S(AUDIT_ANOM_LINK, "used-suspcious-link")
//_S(AUDIT_INTEGRITY_HASH,"")
//_S(AUDIT_INTEGRITY_PCR,"")
//_S(AUDIT_INTEGRITY_RULE,"")
+//_S(AUDIT_INTEGRITY_EVM_XATTR,"")
_S(AUDIT_KERNEL, "initialized-audit-subsystem")
_S(AUDIT_ANOM_LOGIN_FAILURES, "failed-log-in-too-many-times-to")
_S(AUDIT_ANOM_LOGIN_TIME, "attempted-log-in-during-unusual-hour-to")
diff --git a/lib/libaudit.h b/lib/libaudit.h
index ca7aa63e354e..797e0a7be5a8 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -142,6 +142,9 @@ extern "C" {
#define AUDIT_INTEGRITY_PCR 1804 /* PCR invalidation msgs */
#define AUDIT_INTEGRITY_RULE 1805 /* Policy rule */
#endif
+#ifndef AUDIT_INTEGRITY_EVM_XATTR
+#define AUDIT_INTEGRITY_EVM_XATTR 1806 /* New EVM-covered xattr */
+#endif
#define AUDIT_FIRST_ANOM_MSG 2100
#define AUDIT_LAST_ANOM_MSG 2199
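Review bot: The new `#ifndef AUDIT_INTEGRITY_EVM_XATTR` block stands apart from the guard that covers 1804/1805 directly above it, and nothing records why; a later tidy-up could fold it into that guard and lose the fallback on kernel headers that already define PCR/RULE but predate 1806. A one-line comment on the new block would pin the intent, e.g. `/* 1806 appeared later than 1804/1805 in the kernel uapi header, so guard it separately */`. Listing the record unconditionally in msg_typetab.h is then correct, because this header guarantees the macro exists either way.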
diff --git a/lib/msg_typetab.h b/lib/msg_typetab.h
index f5d76e4f38a1..af34c04c65d4 100644
--- a/lib/msg_typetab.h
+++ b/lib/msg_typetab.h
@@ -152,6 +152,7 @@ _S(AUDIT_INTEGRITY_STATUS, "INTEGRITY_STATUS" )
_S(AUDIT_INTEGRITY_HASH, "INTEGRITY_HASH" )
_S(AUDIT_INTEGRITY_PCR, "INTEGRITY_PCR" )
_S(AUDIT_INTEGRITY_RULE, "INTEGRITY_RULE" )
+_S(AUDIT_INTEGRITY_EVM_XATTR, "INTEGRITY_EVM_XATTR" )
#ifdef WITH_APPARMOR
_S(AUDIT_AA, "APPARMOR" )
--
1.8.3.1