On Monday, April 15, 2019 9:02:36 AM EDT Richard Guy Briggs wrote:
Records that are triggered by an AUDIT_SIGNAL_INFO message including
AUDIT_DAEMON_CONFIG (HUP), AUDIT_DAEMON_ROTATE (USR1),
AUDIT_DAEMON_RESUME (USR2) and AUDIT_DAEMON_END (TERM) have inconsistent
reporting of signal info and swinging field "state".
This is crusty old code that has things in it that were for migrations with
very old kernels. It's not readily obvious because those kernel transitions
were quite some time ago. There was also a fake
They also assume that an empty security context implies there is no
other useful information in the AUDIT_SIGNAL_INFO message so don't use
the information that is there.
How are you generating the events that trigger this? If this is based on
reading the source code, I think its because of an ancient kernel change. If
you can generate this condition, then I'd like to replicate the problem on my
system to see what's happening.
Normalize AUDIT_DAEMON_CONFIG to use the value
"reconfigure" and add the
"state" field where missing.
Use audit_sig_info values when available, not making assumptions about
their availability when the security context is absent.
See:
https://github.com/linux-audit/audit-userspace/issues/90
I had made changes to the git repo Saturday. I suspect this patch does not
apply. I like the op value changes. That part I can go along with. Shall I
just make that adjustment in the upstream repo and we can talk more about how
you are creating these events?
Thanks,
-Steve
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
docs/audit_request_signal_info.3 | 2 +-
lib/libaudit.c | 12 +++++++++
lib/libaudit.h | 1 +
src/auditd-reconfig.c | 9 +++----
src/auditd.c | 54
++++++++++++++-------------------------- 5 files changed, 36
insertions(+), 42 deletions(-)
diff --git a/docs/audit_request_signal_info.3
b/docs/audit_request_signal_info.3 index 873deb58bef3..b68d7bbefeed 100644
--- a/docs/audit_request_signal_info.3
+++ b/docs/audit_request_signal_info.3
@@ -8,7 +8,7 @@ int audit_request_signal_info(int fd);
.SH "DESCRIPTION"
-audit_request_signal_info requests that the kernel send information about
the sender of a signal to the audit daemon. The sinal info structure is as
follows: +audit_request_signal_info requests that the kernel send
information about the sender of a signal to the audit daemon. The signal
info structure is as follows:
.nf
struct audit_sig_info {
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 2af017a0e520..e9c4f9cad6df 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -674,6 +674,18 @@ int audit_request_signal_info(int fd)
return rc;
}
+char *audit_format_signal_info(char *buf, int len, char *op, struct
audit_reply *rep, char *res) +{
+ snprintf(buf, len,
+ "op=%s auid=%u pid=%d subj=%s res=%s",
+ op,
+ rep->signal_info->uid,
+ rep->signal_info->pid,
+ rep->len == 24 ? "?" : rep->signal_info->ctx,
+ res);
+ return buf;
+}
+
int audit_update_watch_perms(struct audit_rule_data *rule, int perms)
{
unsigned int i, done=0;
diff --git a/lib/libaudit.h b/lib/libaudit.h
index ca7aa63e354e..63a5e948d00e 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -562,6 +562,7 @@ extern int audit_setloginuid(uid_t uid);
extern uint32_t audit_get_session(void);
extern int audit_detect_machine(void);
extern int audit_determine_machine(const char *arch);
+extern char *audit_format_signal_info(char *buf, int len, char *op, struct
audit_reply *rep, char *res);
/* Translation functions */
extern int audit_name_to_field(const char *field);
diff --git a/src/auditd-reconfig.c b/src/auditd-reconfig.c
index a03e29aa57ab..f5b00e6d1dc7 100644
--- a/src/auditd-reconfig.c
+++ b/src/auditd-reconfig.c
@@ -115,12 +115,9 @@ static void *config_thread_main(void *arg)
} else {
// need to send a failed event message
char txt[MAX_AUDIT_MESSAGE_LENGTH];
- snprintf(txt, sizeof(txt),
- "op=reconfigure state=no-change auid=%u pid=%d subj=%s
res=failed",
- e->reply.signal_info->uid,
- e->reply.signal_info->pid,
- (e->reply.len > 24) ?
- e->reply.signal_info->ctx : "?");
+ audit_format_signal_info(txt, sizeof(txt),
+ "reconfigure state=no-change",
+ &e->reply, "failed");
// FIXME: need to figure out sending this
//send_audit_event(AUDIT_DAEMON_CONFIG, txt);
free_config(&new_config);
diff --git a/src/auditd.c b/src/auditd.c
index c04a1c9ce93f..5c31583a49c6 100644
--- a/src/auditd.c
+++ b/src/auditd.c
@@ -131,7 +131,7 @@ static void hup_handler( struct ev_loop *loop, struct
ev_signal *sig, int revent rc = audit_request_signal_info(fd);
if (rc < 0)
send_audit_event(AUDIT_DAEMON_CONFIG,
- "op=hup-info state=request-siginfo auid=-1 pid=-1 subj=?
res=failed");
+ "op=reconfigure state=no-change auid=-1 pid=-1 subj=?
res=failed");
else
hup_info_requested = 1;
}
@@ -147,7 +147,7 @@ static void user1_handler(struct ev_loop *loop, struct
ev_signal *sig, rc = audit_request_signal_info(fd);
if (rc < 0)
send_audit_event(AUDIT_DAEMON_ROTATE,
- "op=usr1-info auid=-1 pid=-1 subj=? res=failed");
+ "op=rotate-logs auid=-1 pid=-1 subj=? res=failed");
else
usr1_info_requested = 1;
}
@@ -163,7 +163,7 @@ static void user2_handler( struct ev_loop *loop, struct
ev_signal *sig, int reve if (rc < 0) {
resume_logging();
send_audit_event(AUDIT_DAEMON_RESUME,
- "op=resume-logging auid=-1 pid=-1 subj=?
res=success");
+ "op=resume-logging auid=-1 pid=-1 subj=?
res=failed");
} else
usr2_info_requested = 1;
}
@@ -515,45 +515,33 @@ static void netlink_handler(struct ev_loop *loop,
struct ev_io *io, break;
case AUDIT_SIGNAL_INFO:
if (hup_info_requested) {
+ char hup[MAX_AUDIT_MESSAGE_LENGTH];
audit_msg(LOG_DEBUG,
"HUP detected, starting config manager");
reconfig_ev = cur_event;
if (start_config_manager(cur_event)) {
- send_audit_event(
- AUDIT_DAEMON_CONFIG,
- "op=reconfigure state=no-change "
- "auid=-1 pid=-1 subj=? res=failed");
+ audit_format_signal_info(hup, sizeof(hup),
+ "reconfigure
state=no-change",
+ &cur_event->reply,
+ "failed");
+ send_audit_event(AUDIT_DAEMON_CONFIG,
hup);
}
cur_event = NULL;
hup_info_requested = 0;
} else if (usr1_info_requested) {
char usr1[MAX_AUDIT_MESSAGE_LENGTH];
- if (cur_event->reply.len == 24) {
- snprintf(usr1, sizeof(usr1),
- "op=rotate-logs auid=-1 pid=-1 subj=?");
- } else {
- snprintf(usr1, sizeof(usr1),
- "op=rotate-logs auid=%u pid=%d subj=%s",
- cur_event->reply.signal_info->uid,
- cur_event->reply.signal_info->pid,
- cur_event->reply.signal_info->ctx);
- }
+ audit_format_signal_info(usr1, sizeof(usr1),
+ "rotate-logs",
+ &cur_event->reply,
+ "success");
send_audit_event(AUDIT_DAEMON_ROTATE, usr1);
usr1_info_requested = 0;
} else if (usr2_info_requested) {
char usr2[MAX_AUDIT_MESSAGE_LENGTH];
- if (cur_event->reply.len == 24) {
- snprintf(usr2, sizeof(usr2),
- "op=resume-logging auid=-1 "
- "pid=-1 subj=? res=success");
- } else {
- snprintf(usr2, sizeof(usr2),
- "op=resume-logging "
- "auid=%u pid=%d subj=%s res=success",
- cur_event->reply.signal_info->uid,
- cur_event->reply.signal_info->pid,
- cur_event->reply.signal_info->ctx);
- }
+ audit_format_signal_info(usr2, sizeof(usr2),
+ "resume-logging",
+ &cur_event->reply,
+ "success");
resume_logging();
libdisp_resume();
send_audit_event(AUDIT_DAEMON_RESUME, usr2);
@@ -993,12 +981,8 @@ int main(int argc, char *argv[])
rc = get_reply(fd, &trep, rc);
if (rc > 0) {
char txt[MAX_AUDIT_MESSAGE_LENGTH];
- snprintf(txt, sizeof(txt),
- "op=terminate auid=%u "
- "pid=%d subj=%s res=success",
- trep.signal_info->uid,
- trep.signal_info->pid,
- trep.signal_info->ctx);
+ audit_format_signal_info(txt, sizeof(txt), "terminate",
+ &trep, "success");
send_audit_event(AUDIT_DAEMON_END, txt);
}
}