lost events on boot
by Lenny Bruzenak
Apologies if this has been answered. I searched and found some relevant-looking dialog 2 years ago (on 12/14/2018) that Paul/RGB/Ondrej were discussing, however I do not see the answer.
I'm running userspace 2.8.5, kernel 3.10.0-1160.
I have boot parameters "audit=1 ... audit_backlog_limit=8192".
Immediately after boot, I use "auditctl -s" and see hundreds (varies, between 119-330) of lost records.
So I cleaned out all the audit data, rebooted again and examined the events. They are numbered sequentially 1-515. I counted the events and they match (515).
So my questions are these:
  * Is this "lost" value accurate?
  * If the numbering doesn't indicate any gaps, what does that tell me? The kernel is supplying the serial number (right?), so is it discarding the events without assigning a serial number?
  * Do I have something wrong with my kernel boot parameters?
I'd have thought that 8k buffers would be enough, and certainly if I only have 515 events, it should be. Unless each record inside the event is adding. I also then counted each record, not just events, and got around 1600, so I'd have thought that even multi-record events would have fit. I guess that depends on the buffer size.
Appreciate the help in advance; thanks.
LCB
-- 
Lenny Bruzenak
MagitekLTD
4 years, 10 months

Audit firewall changes in RHEL 8
by Smith, Gary R
Good afternoon,
I have RHEL 7 systems set up to emit audit records when the firewall rules with iptables change. I do it with a single audit command:
-a always,exit -F arch=b64 -S setsockopt -F a2=0x40 -F key=IPTablesChange
And it works great. I get audit logs like this:
type=PROCTITLE msg=audit(12/04/2020 11:04:58.840:3334178) : proctitle=iptables -D INPUT 2
type=SYSCALL msg=audit(12/04/2020 11:04:58.840:3334178) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x4 a1=ip a2=IPT_SO_SET_REPLACE a3=0x1009ca0 items=0 ppid=154754 pid=160855 auid=DrEvil uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=198995 comm=iptables exe=/usr/sbin/xtables-multi key=IPtablesChange
type=NETFILTER_CFG msg=audit(12/04/2020 11:04:58.840:3334178) : table=filter family=ipv4 entries=48
I want to do the same thing with RHEL 8 and nftables. I tried the same audit rule but nothing happens. I tried using firewall-cmd to change the rules. The rules changed, but no audit records. I fat fingered rules using nft but no audit record. I suspect that I'm not writing the audit rule correctly. I looked around to see if a2 needed to be something other than 0x040 (IPT_SO_SET_REPLACE) but I couldn't find anything.
Any suggestions on how to do this in RHEL 8 would be appreciated.
Best regards,
Gary Smith
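As an added example, not code from either of the posts above, here is a small Python parser over constructed audit records written in the ausearch -i style Gary quotes. It groups records into events by the serial inside msg=audit(...), so it can report the event-versus-record counts and serial-number gaps that Lenny's question turns on, and it pulls out the events that carry a NETFILTER_CFG record, which is what Gary's rule produces on RHEL 7. The serials, timestamps and the second, unrelated event in the sample are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the records quoted in the post; serials,
# timestamps and the second (unrelated) event are made up for this example.
SAMPLE_LOG = """\
type=PROCTITLE msg=audit(12/04/2020 11:04:58.840:3334178) : proctitle=iptables -D INPUT 2
type=SYSCALL msg=audit(12/04/2020 11:04:58.840:3334178) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x4 a1=ip a2=IPT_SO_SET_REPLACE a3=0x1009ca0 items=0 ppid=154754 pid=160855 auid=DrEvil uid=root gid=root comm=iptables exe=/usr/sbin/xtables-multi key=IPtablesChange
type=NETFILTER_CFG msg=audit(12/04/2020 11:04:58.840:3334178) : table=filter family=ipv4 entries=48
type=SYSCALL msg=audit(12/04/2020 11:05:01.000:3334180) : arch=x86_64 syscall=openat success=yes exit=3 auid=DrEvil uid=root comm=cat exe=/usr/bin/cat key=(null)
"""

# type=<record type> msg=audit(<timestamp>:<serial>) : <key=value fields>
REC_RE = re.compile(r'^type=(\S+) msg=audit\((.+?):(\d+)\) : (.*)$')

def parse_events(text):
    """Group records by serial: every record belonging to one event shares it."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = REC_RE.match(line)
        if not m:
            continue  # not an audit record in the format this parser expects
        rtype, stamp, serial, body = m.groups()
        # key=value pairs; values with spaces (e.g. proctitle) keep only their first word
        fields = dict(re.findall(r'(\w+)=(\S+)', body))
        events[int(serial)].append({'type': rtype, 'time': stamp, **fields})
    return dict(events)

def count_events_and_records(events):
    """(number of events, number of records): the two figures Lenny compares."""
    return len(events), sum(len(recs) for recs in events.values())

def serial_gaps(events):
    """Serials between the lowest and highest seen that no record carries."""
    if not events:
        return []
    lo, hi = min(events), max(events)
    return [s for s in range(lo, hi + 1) if s not in events]

def firewall_changes(events):
    """Events carrying a NETFILTER_CFG record, with who/what from the SYSCALL record."""
    changes = []
    for serial, recs in sorted(events.items()):
        cfg = next((r for r in recs if r['type'] == 'NETFILTER_CFG'), None)
        if cfg is None:
            continue
        sc = next((r for r in recs if r['type'] == 'SYSCALL'), {})
        changes.append({'serial': serial, 'auid': sc.get('auid'), 'exe': sc.get('exe'),
                        'table': cfg.get('table'), 'family': cfg.get('family'),
                        'entries': cfg.get('entries')})
    return changes
```

On the sample, parse_events gives 2 events holding 4 records, serial_gaps reports 3334179 as missing, and firewall_changes returns the single iptables event with its auid, exe and table.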
4 years, 10 months

[RFC PATCH ghau10 v1] fix FEATURE_VERSION vs FEATURE_BITMAP
by Richard Guy Briggs
Untangle AUDIT_FEATURE_VERSION and AUDIT_FEATURE_BITMAP since they have nothing
to do with each other.
AUDIT_FEATURE_VERSION is a method to enable and lock certain audit features in
the kernel.  There are currently only two.
AUDIT_FEATURE_BITMAP is a method to determine what features exist in the kernel
implementation of audit.  There are currently seven.
fixes: a22f13a548d2f26b3fb05b31599f5b12f56d3d07 ("Fix compile time feature detection in auditctl")
fixes: 74327320a25b2d889708002908d6a051b4dfea51 ("Fix compile time feature detection in auditctl")
fixes: f588248775b4f8180b846bbc1681bc54e07871ed ("Better detect struct audit_status existence")
fixes: bed754a651f47f5a83bbf565609e4936b0270269 ("Fix building on old kernels")
Please see issue page https://github.com/linux-audit/audit-userspace/issues/10
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
 lib/libaudit.c         | 12 ++++--------
 lib/libaudit.h         |  2 +-
 lib/netlink.c          |  6 ++----
 src/auditctl-listing.c |  3 +--
 src/auditctl.c         |  6 ++----
 5 files changed, 10 insertions(+), 19 deletions(-)
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 37bf508cf07a..de22e9281969 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -540,8 +540,7 @@ int audit_reset_lost(int fd)
 
 int audit_set_feature(int fd, unsigned feature, unsigned value, unsigned lock)
 {
-#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \
-    defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP)
+#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION)
 	int rc;
 	struct audit_features f;
 
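Review bot: the `#if` guarding audit_set_feature() now tests only HAVE_DECL_AUDIT_FEATURE_VERSION, yet the body still declares `struct audit_features f;`. That only holds if the configure check behind HAVE_DECL_AUDIT_FEATURE_VERSION implies that struct audit_features is present in the same kernel header; a one-line comment at the `#if` saying that AUDIT_FEATURE_VERSION and struct audit_features were introduced together would spare the next reader from re-verifying it, and the same applies to the two identical hunks below.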
@@ -565,8 +564,7 @@ int audit_set_feature(int fd, unsigned feature, unsigned value, unsigned lock)
 
 int audit_request_features(int fd)
 {
-#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \
-    defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP)
+#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION)
 	int rc;
 	struct audit_features f;
 
@@ -585,8 +583,7 @@ int audit_request_features(int fd)
 
 extern int  audit_set_loginuid_immutable(int fd)
 {
-#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \
-    defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP)
+#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION)
 	return audit_set_feature(fd, AUDIT_FEATURE_LOGINUID_IMMUTABLE, 1, 1);
 #else
 	errno = EINVAL;
@@ -607,8 +604,7 @@ static void load_feature_bitmap(void)
 		return;
 	}
 
-#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \
-    defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP)
+#if defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP)
 	if ((rc = audit_request_status(fd)) > 0) {
 		struct audit_reply rep;
 		int i;
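Review bot: unlike the hunks above, which loosen the gate on the feature-set/lock API, this one drops the VERSION test from load_feature_bitmap() so the bitmap can be read on a build where HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP is defined but HAVE_DECL_AUDIT_FEATURE_VERSION is not. That is the actual split the commit message describes, so it would help to name this function in the message; as written, the message reads as though every hunk is the same cleanup.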
diff --git a/lib/libaudit.h b/lib/libaudit.h
index ec880eeb89ec..2305cf55d166 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -514,7 +514,7 @@ struct audit_reply {
 	struct nlmsgerr         *error;
 	struct audit_sig_info   *signal_info;
 	struct daemon_conf      *conf;
-#ifdef AUDIT_FEATURE_BITMAP_ALL
+#ifdef AUDIT_FEATURE_VERSION
 	struct audit_features	*features;
 #endif
 	};
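Review bot: the `features` member of struct audit_reply is now conditional on the raw kernel macro AUDIT_FEATURE_VERSION, while every reader and writer of `rep->features` in lib/netlink.c and src/ is conditional on the configure-derived HAVE_DECL_AUDIT_FEATURE_VERSION. Both derive from the same kernel header so they should agree, but libaudit.h is installed and its layout now depends on which of the two is visible at compile time; a comment here stating that the two are expected to be equivalent, and that the HAVE_DECL_ form cannot be used in an installed header, would document that contract.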
diff --git a/lib/netlink.c b/lib/netlink.c
index 5b2028fda7e8..9525b8d833c0 100644
--- a/lib/netlink.c
+++ b/lib/netlink.c
@@ -147,8 +147,7 @@ static int adjust_reply(struct audit_reply *rep, int len)
 	rep->error    = NULL;
 	rep->signal_info = NULL;
 	rep->conf     = NULL;
-#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \
-    defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP)
+#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION)
 	rep->features = NULL;
 #endif
 	if (!NLMSG_OK(rep->nlh, (unsigned int)len)) {
@@ -173,8 +172,7 @@ static int adjust_reply(struct audit_reply *rep, int len)
 		case AUDIT_GET:   
 			rep->status  = NLMSG_DATA(rep->nlh); 
 			break;
-#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \
-    defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP)
+#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION)
 		case AUDIT_GET_FEATURE:
 			rep->features =  NLMSG_DATA(rep->nlh);
 			break;
diff --git a/src/auditctl-listing.c b/src/auditctl-listing.c
index 6eb3b56bbc79..2b4b43caa9d2 100644
--- a/src/auditctl-listing.c
+++ b/src/auditctl-listing.c
@@ -567,8 +567,7 @@ int audit_print_reply(struct audit_reply *rep, int fd)
 #endif
 			printed = 1;
 			break;
-#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \
-    defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP)
+#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION)
 		case AUDIT_GET_FEATURE:
 			{
 			uint32_t mask = AUDIT_FEATURE_TO_MASK(
diff --git a/src/auditctl.c b/src/auditctl.c
index 29f7215b94b6..3891db56bee7 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -133,8 +133,7 @@ static void usage(void)
      "    -v                  Version\n"
      "    -w <path>           Insert watch at <path>\n"
      "    -W <path>           Remove watch at <path>\n"
-#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \
-    defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP)
+#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION)
      "    --loginuid-immutable  Make loginuids unchangeable once set\n"
 #endif
 #if HAVE_DECL_AUDIT_VERSION_BACKLOG_WAIT_TIME == 1 || \
@@ -449,8 +448,7 @@ static int parse_syscall(const char *optarg)
 
 static struct option long_opts[] =
 {
-#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \
-    defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP)
+#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION)
   {"loginuid-immutable", 0, NULL, 1},
 #endif
 #if HAVE_DECL_AUDIT_VERSION_BACKLOG_WAIT_TIME == 1 || \
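Review bot: the usage text and the long_opts entry for --loginuid-immutable are now both under `#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION)`, but the `case 1:` in the option-parsing switch that handles this entry is not part of the patch. It should be checked against the same condition so that usage, option table and handler stay consistent, even though audit_set_loginuid_immutable() exists on both sides of the `#if` in lib/libaudit.c.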
-- 
2.18.4
4 years, 11 months

New release?
by Laurent Bigonville
Hello,
The freeze of the new debian release is approaching (early next year) and I'm looking a bit for guidance about what to do with the audit package.
Should I start cherry-picking patches, wait for a new (pre-)release? Keep the good 2.8?
Kind regards,
Laurent Bigonville
4 years, 11 months