[PATCH ghak28 V4] audit: log audit netlink multicast bind and unbind events
by Richard Guy Briggs
Log information about programs connecting to and disconnecting from the
audit netlink multicast socket. This is needed so that during
investigations a security officer can tell who or what had access to the
audit trail. This helps to meet the FAU_SAR.2 requirement for Common
Criteria. Here is the systemd startup event:
type=UNKNOWN[1335] msg=audit(2020-01-17 10:30:33.731:6) : pid=1 uid=root auid=unset tty=(none) ses=unset subj=kernel comm=systemd exe=/usr/lib/systemd/systemd nl-mcgrp=1 op=connect res=yes
And the events from the test suite:
type=PROCTITLE msg=audit(2020-01-17 10:36:24.050:294) : proctitle=/usr/bin/perl -w amcast_joinpart/test
type=SOCKADDR msg=audit(2020-01-17 10:36:24.050:294) : saddr={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 }
type=SYSCALL msg=audit(2020-01-17 10:36:24.050:294) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x7 a1=0x55d65cb79090 a2=0xc a3=0x0 items=0 ppid=671 pid=674 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=3 comm=perl exe=/usr/bin/perl subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=UNKNOWN[1335] msg=audit(2020-01-17 10:36:24.050:294) : pid=674 uid=root auid=root tty=ttyS0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=perl exe=/usr/bin/perl nl-mcgrp=1 op=connect res=yes
type=UNKNOWN[1335] msg=audit(2020-01-17 10:36:24.051:295) : pid=674 uid=root auid=root tty=ttyS0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=perl exe=/usr/bin/perl nl-mcgrp=1 op=disconnect res=yes
Please see the upstream issue tracker:
https://github.com/linux-audit/audit-kernel/issues/28
https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Multicast-Sock...
https://github.com/rgbriggs/audit-testsuite/compare/ghak28-mcast-part-join
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
Note: msg type 1334 was skipped due to BPF accepted in another tree.
Note: v5 due to previous 2014-10-07, 2015-07-23, 2016-11-30, 2017-10-13
Note: subj attrs included due to missing syscall record for systemd (audit=1)
Note: tried refactor of subj attrs, but this is yet another new order.
---
include/uapi/linux/audit.h | 1 +
kernel/audit.c | 48 ++++++++++++++++++++++++++++++++++++++++++----
2 files changed, 45 insertions(+), 4 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 3ad935527177..67fb24472dc2 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -116,6 +116,7 @@
#define AUDIT_FANOTIFY 1331 /* Fanotify access decision */
#define AUDIT_TIME_INJOFFSET 1332 /* Timekeeping offset injected */
#define AUDIT_TIME_ADJNTPVAL 1333 /* NTP value adjustment */
+#define AUDIT_EVENT_LISTENER 1335 /* Task joined multicast read socket */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
diff --git a/kernel/audit.c b/kernel/audit.c
index 17b0d523afb3..478259f3fa53 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1520,20 +1520,60 @@ static void audit_receive(struct sk_buff *skb)
audit_ctl_unlock();
}
+/* Log information about who is connecting to the audit multicast socket */
+static void audit_log_multicast_bind(int group, const char *op, int err)
+{
+ const struct cred *cred;
+ struct tty_struct *tty;
+ char comm[sizeof(current->comm)];
+ struct audit_buffer *ab;
+
+ if (!audit_enabled)
+ return;
+
+ ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_EVENT_LISTENER);
+ if (!ab)
+ return;
+
+ cred = current_cred();
+ tty = audit_get_tty();
+ audit_log_format(ab, "pid=%u uid=%u auid=%u tty=%s ses=%u",
+ task_pid_nr(current),
+ from_kuid(&init_user_ns, cred->uid),
+ from_kuid(&init_user_ns, audit_get_loginuid(current)),
+ tty ? tty_name(tty) : "(none)",
+ audit_get_sessionid(current));
+ audit_put_tty(tty);
+ audit_log_task_context(ab); /* subj= */
+ audit_log_format(ab, " comm=");
+ audit_log_untrustedstring(ab, get_task_comm(comm, current));
+ audit_log_d_path_exe(ab, current->mm); /* exe= */
+ audit_log_format(ab, " nl-mcgrp=%d op=%s res=%d", group, op, !err);
+ audit_log_end(ab);
+}
+
/* Run custom bind function on netlink socket group connect or bind requests. */
-static int audit_bind(struct net *net, int group)
+static int audit_multicast_bind(struct net *net, int group)
{
+ int err = 0;
+
if (!capable(CAP_AUDIT_READ))
- return -EPERM;
+ err = -EPERM;
+ audit_log_multicast_bind(group, "connect", err);
+ return err;
+}
- return 0;
+static void audit_multicast_unbind(struct net *net, int group)
+{
+ audit_log_multicast_bind(group, "disconnect", 0);
}
static int __net_init audit_net_init(struct net *net)
{
struct netlink_kernel_cfg cfg = {
.input = audit_receive,
- .bind = audit_bind,
+ .bind = audit_multicast_bind,
+ .unbind = audit_multicast_unbind,
.flags = NL_CFG_F_NONROOT_RECV,
.groups = AUDIT_NLGRP_MAX,
};
--
1.8.3.1
5 years, 1 month
Auditing a program use but not what it is doing
by MAUPERTUIS, PHILIPPE
Hi,
Like many, we are using aide and clamav.
I woud like to have an audit record when these program are run but no records for what they are doing.
I mean, I want to know that clamscan or aide has been launched but not that it checks say /etc/passwd whatever rules could be in place for /etc/passwd
Thanks
Philippe
equensWorldline is a registered trade mark and trading name owned by the Worldline Group through its holding company.
This e-mail and the documents attached are confidential and intended solely for the addressee. If you receive this e-mail in error, you are not authorized to copy, disclose, use or retain it. Please notify the sender immediately and delete this email from your systems. As emails may be intercepted, amended or lost, they are not secure. EquensWorldline and the Worldline Group therefore can accept no liability for any errors or their content. Although equensWorldline and the Worldline Group endeavours to maintain a virus-free network, we do not warrant that this transmission is virus-free and can accept no liability for any damages resulting from any virus transmitted. The risks are deemed to be accepted by everyone who communicates with equensWorldline and the Worldline Group by email
5 years, 1 month
[PATCH 1/3] sched: Remove __rcu annotation from cred pointer
by Amol Grover
task_struct::cred (subjective credentials) is *always* used
task-synchronously, hence, does not require RCU semantics.
task_struct::real_cred (objective credentials) can be used in
RCU context and its __rcu annotation is retained.
However, task_struct::cred and task_struct::real_cred *may*
point to the same object, hence, the object pointed to by
task_struct::cred *may* have RCU delayed freeing.
Suggested-by: Jann Horn <jannh(a)google.com>
Co-developed-by: Joel Fernandes (Google) <joel(a)joelfernandes.org>
Signed-off-by: Joel Fernandes (Google) <joel(a)joelfernandes.org>
Signed-off-by: Amol Grover <frextrite(a)gmail.com>
---
include/linux/sched.h | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/include/linux/sched.h b/include/linux/sched.h
index 716ad1d8d95e..39924e6e0cf2 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -879,8 +879,11 @@ struct task_struct {
/* Objective and real subjective task credentials (COW): */
const struct cred __rcu *real_cred;
- /* Effective (overridable) subjective task credentials (COW): */
- const struct cred __rcu *cred;
+ /*
+ * Effective (overridable) subjective task credentials (COW)
+ * which is used task-synchronously
+ */
+ const struct cred *cred;
#ifdef CONFIG_KEYS
/* Cached requested key. */
--
2.24.1
5 years, 1 month
ausearch on the fly
by MAUPERTUIS, PHILIPPE
Hi,
We are centralizing the audit logs with rsyslog.
The SIEM behind the central log server is unable to process the raw logs.
We would like to push the ausearch result in CSV format in real time or near real time.
Is there a way to have ausearch working from a pipe and and waiting when no logs are received
Regards
Philippe
equensWorldline is a registered trade mark and trading name owned by the Worldline Group through its holding company.
This e-mail and the documents attached are confidential and intended solely for the addressee. If you receive this e-mail in error, you are not authorized to copy, disclose, use or retain it. Please notify the sender immediately and delete this email from your systems. As emails may be intercepted, amended or lost, they are not secure. EquensWorldline and the Worldline Group therefore can accept no liability for any errors or their content. Although equensWorldline and the Worldline Group endeavours to maintain a virus-free network, we do not warrant that this transmission is virus-free and can accept no liability for any damages resulting from any virus transmitted. The risks are deemed to be accepted by everyone who communicates with equensWorldline and the Worldline Group by email
5 years, 1 month
audisp-remote
by MAUPERTUIS, PHILIPPE
Hi,
Apart the man pages, I didn’t find anything useful relating to audisp-remote.
I am searching information on how it scales ? Is there any performance issue ?
How to use it in a large environment ? ….
Most of what I found dated a long time ago and mainly said use rsyslog instead.
It seems that centralizing the messages through rsyslog is far more popular.
Is audisp-remote really used ?
The man page read :
tcp_max_per_addr
This is a numeric value which indicates how many concurrent connections from one IP address is allowed. The
default is 1 and the maximum is 1024. Setting this too large may allow for a Denial of Service attack on the log‐
ging server. Also note that the kernel has an internal maximum that will eventually prevent this even if auditd
allows it by config. The default should be adequate in most cases unless a custom written recovery script runs to
forward unsent events. In this case you would increase the number only large enough to let it in too.
Where could I find an example of recovery script ?
Could it be a way to inject the audit message in auditd after having receiving them via rsyslog ?
This might be useful just because, by default ausearch in all available logs and the -if parameter accepts only one file.
Maybe my lack of knowledge about auditd leads me to write rubbish.
If so, please direct me to where I can find how to manage and use audit logs after centralizing them.
Not only keeping them but acutually using them.
Philippe
equensWorldline is a registered trade mark and trading name owned by the Worldline Group through its holding company.
This e-mail and the documents attached are confidential and intended solely for the addressee. If you receive this e-mail in error, you are not authorized to copy, disclose, use or retain it. Please notify the sender immediately and delete this email from your systems. As emails may be intercepted, amended or lost, they are not secure. EquensWorldline and the Worldline Group therefore can accept no liability for any errors or their content. Although equensWorldline and the Worldline Group endeavours to maintain a virus-free network, we do not warrant that this transmission is virus-free and can accept no liability for any damages resulting from any virus transmitted. The risks are deemed to be accepted by everyone who communicates with equensWorldline and the Worldline Group by email
5 years, 2 months
USBguard bug
by Burn Alting
All,
I need some advice.
Currently when the USB management framework, usbguard (
https://github.com/USBGuard/usbguard), is building it's key-value pairs prior to
calling audit_log_user_message() with a AUDIT_USER_DEVICE type, it looks at each
value and decides to hex encode the value if any character in the value matches
the expression (str[i] == '"' || str[i] < 0x21 || str[i] == 0x7F). This can be found
in https://github.com/USBGuard/usbguard/blob/master/src/Daemon/LinuxAuditBac...
where it makes the call
audit_log_user_message(_audit_fd, AUDIT_USER_DEVICE, message.c_str(),
/*hostname=*/nullptr, /*addr=*/nullptr, /*tty=*/nullptr, result);
As a result, one sees audit events such as
type=USER_DEVICE msg=audit(1580255002.606:352190): pid=3115 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op="changed-
authorization-state-for" device="/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.3"
target="allow"
device_rule=626C6F636B20696420303738313A353539312073657269616C2022344335333030303132
323034313231303533313322206E616D652022556C7472612055534220332E3022206861736820227953
6D433045594970734A575666474436414854774577712F624974344631466A78785856306C3552356B3D
2220706172656E742D6861736820226B763376322B726E713951765949332F48624A314556397664756A
5A30615643512F43474259496B4542303D22207669612D706F72742022312D312E332220776974682D69
6E746572666163652030383A30363A3530 exe="/usr/sbin/usbguard-daemon" hostname=? addr=?
terminal=? res=success'�UID="root" AUID="unset"
where device_rule started as
block id 0781:5591 serial "4C530001220412105313" name "Ultra USB 3.0" hash
"ySmC0EYIpsJWVfGD6AHTwEwq/bIt4F1FjxxXV0l5R5k=" parent-hash
"kv3v2+rnq9QvYI3/HbJ1EV9vdujZ0aVCQ/CGBYIkEB0=" via-port "1-1.3" with-interface
08:06:50
or
type=USER_DEVICE msg=audit(1580255002.605:352187): pid=3115 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op="discovered-
device" device="/devices/pci0000:00/0000:00:1d.0/usb2/2-1"
device_rule=616C6C6F7720696420383038373A303032342073657269616C202222206E616D65202222
206861736820225A78377630464D51456A53634B534146454E41696F624573314F47505042305957522B
79584443564530343D2220706172656E742D68617368202257484254784E61456F4D474E534E6333314B
70464E53416546463448624C4D51675342714F526C433653383D22207669612D706F72742022322D3122
20776974682D696E746572666163652030393A30303A3030 exe="/usr/sbin/usbguard-daemon"
hostname=? addr=? terminal=? res=success'�UID="root" AUID="unset"
where device_rule started as
allow id 8087:0024 serial "" name "" hash
"Zx7v0FMQEjScKSAFENAiobEs1OGPPB0YWR+yXDCVE04=" parent-hash
"WHBTxNaEoMGNSNc31KpFNSAeFF4HbLMQgSBqORlC6S8=" via-port "2-1" with-interface
09:00:00
I have a number of questions
- What is the best recommendation I can make in a bug report I'd like to raise so
that the auparse library can reliably interpret all their key's values?
- Should I also request they actually provide hostname and addr values to
audit_log_user_message()?
- If one want them to identify the user who participates in the activity what is the
best recommendation to make in terms of keys in the message?
Thanks in advance
5 years, 2 months
[ANNOUNCE][CFP] Linux Security Summit North America 2020
by James Morris
==============================================================================
ANNOUNCEMENT AND CALL FOR PARTICIPATION
LINUX SECURITY SUMMIT NORTH AMERICA 2020
24-26 JUNE
AUSTIN, TEXAS, USA
==============================================================================
DESCRIPTION
Linux Security Summit North America (LSS-NA) is a technical forum for
collaboration between Linux developers, researchers, and end-users. Its
primary aim is to foster community efforts in analyzing and solving Linux
security challenges.
The program committee currently seeks proposals for:
* Refereed Presentations:
45 minutes in length.
* Panel Discussion Topics:
45 minutes in length.
* Short Topics:
30 minutes in total, including at least 10 minutes discussion.
* Tutorials
90 minutes in length.
Tutorial sessions should be focused on advanced Linux security defense
topics within areas such as the kernel, compiler, and security-related
libraries. Priority will be given to tutorials created for this conference,
and those where the presenter a leading subject matter expert on the topic.
Topic areas include, but are not limited to:
* Kernel self-protection
* Access control
* Cryptography and key management
* Integrity policy and enforcement
* Hardware Security
* IoT and embedded security
* Virtualization and containers
* System-specific system hardening
* Case studies
* Security tools
* Security UX
* Emerging technologies, threats & techniques
Proposals should be submitted via:
https://events.linuxfoundation.org/linux-security-summit-north-america/pr...
DATES
* CFP close: March 31
* CFP notifications: April 13
* Schedule announced: April 16
* Event: June 24-26
WHO SHOULD ATTEND
We're seeking a diverse range of attendees and welcome participation by
people involved in Linux security development, operations, and research.
LSS-NA is a unique global event that provides the opportunity to present and
discuss your work or research with key Linux security community members and
maintainers. It’s also useful for those who wish to keep up with the latest
in Linux security development and to provide input to the development
process.
WEB SITE
https://events.linuxfoundation.org/linux-security-summit-north-america/
TWITTER
For event updates and announcements, follow:
https://twitter.com/LinuxSecSummit
#linuxsecuritysummit
PROGRAM COMMITTEE
The program committee for LSS 2020 is:
* James Morris, Microsoft
* Serge Hallyn, Cisco
* Paul Moore, Cisco
* Stephen Smalley, NSA
* Elena Reshetova, Intel
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM
* David A. Wheeler, Institute for Defense Analyses
The program committee may be contacted as a group via email:
lss-pc () lists.linuxfoundation.org
5 years, 2 months