On 2020-04-17 17:18, Paul Moore wrote:
On Tue, Mar 17, 2020 at 12:04 PM Richard Guy Briggs
<rgb(a)redhat.com> wrote:
>
> Log information about programs connecting to and disconnecting from the
> audit netlink multicast socket. This is needed so that during
> investigations a security officer can tell who or what had access to the
> audit trail. This helps to meet the FAU_SAR.2 requirement for Common
> Criteria. Here is the systemd startup event:
>
> type=PROCTITLE msg=audit(2020-02-18 15:26:50.775:10) : proctitle=/init
> type=SYSCALL msg=audit(2020-02-18 15:26:50.775:10) : arch=x86_64 syscall=bind
success=yes exit=0 a0=0x19 a1=0x55645c369b70 a2=0xc a3=0x7fff9fedec24 items=0 ppid=0 pid=1
auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
tty=(none) ses=unset comm=systemd exe=/usr/lib/systemd/systemd subj=kernel key=(null)
> type=UNKNOWN[1335] msg=audit(2020-02-18 15:26:50.775:10) : pid=1 uid=root auid=unset
tty=(none) ses=unset subj=kernel comm=systemd exe=/usr/lib/systemd/systemd nl-mcgrp=1
op=connect res=yes
>
> And the events from the test suite:
>
> type=PROCTITLE msg=audit(2020-02-18 15:28:01.594:307) : proctitle=/usr/bin/perl -w
amcast_joinpart/test
> type=SYSCALL msg=audit(2020-02-18 15:28:01.594:307) : arch=x86_64 syscall=bind
success=yes exit=0 a0=0x7 a1=0x558ebc428be0 a2=0xc a3=0x0 items=0 ppid=642 pid=645
auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
tty=ttyS0 ses=1 comm=perl exe=/usr/bin/perl
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> type=UNKNOWN[1335] msg=audit(2020-02-18 15:28:01.594:307) : pid=645 uid=root
auid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
comm=perl exe=/usr/bin/perl nl-mcgrp=1 op=connect res=yes
>
> type=PROCTITLE msg=audit(2020-03-17 11:35:31.474:344) : proctitle=/usr/bin/perl -w
amcast_joinpart/test
> type=SYSCALL msg=audit(2020-03-17 11:35:31.474:344) : arch=x86_64 syscall=setsockopt
success=yes exit=0 a0=0x7 a1=SOL_NETLINK a2=0x2 a3=0x7ffee21ca5f0 items=0 ppid=686 pid=689
auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
tty=ttyS0 ses=3 comm=perl exe=/usr/bin/perl
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> type=UNKNOWN[1335] msg=audit(2020-03-17 11:35:31.474:344) : pid=689 uid=root
auid=root tty=ttyS0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
comm=perl exe=/usr/bin/perl nl-mcgrp=1 op=disconnect res=yes
>
> type=UNKNOWN[1335] msg=audit(2020-01-17 10:36:24.051:295) : pid=674 uid=root
auid=root tty=ttyS0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
comm=perl exe=/usr/bin/perl nl-mcgrp=1 op=disconnect res=yes
This patch looks fine to me, but this line is curious ... I'm assuming
this is just a stray/cut-n-paste-error from the last time you updated
the commit description? If so, just let me know and I can drop it
while merging, otherwise there is something odd going on ....
That last line is the result of close() from an earlier version of the
testsuite, rather than setsockopt(..., NETLINK_DROP_MEMBERSHIP, ...).
This is why we need the subject attributes, as noted in the first note
above the changelog below.
> Please see the upstream issue tracker at
>
https://github.com/linux-audit/audit-kernel/issues/28
> With the feature description at
>
https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Multicast-Sock...
> The testsuite support is at
>
https://github.com/rgbriggs/audit-testsuite/compare/ghak28-mcast-part-join
>
https://github.com/linux-audit/audit-testsuite/pull/93
> And the userspace support patch is at
>
https://github.com/linux-audit/audit-userspace/pull/114
>
> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
>
> ---
> Note: subj attrs included due to missing syscall record for disconnect on close
> Note: tried refactor of subj attrs, but this is yet another new order.
>
> Changelog:
> v7:
> - rename audit_log_multicast_bind to audit_log_multicast
>
> v6:
> - rebased on 5.6-rc1 audit/next and audit log BPF
> - updated patch description sample records
>
> v5:
> - rebased on 5.5-rc1 audit/next
> - group bind/unbind ops
> - add audit context
> - justify message number skip
> - check audit_enabled
> - change field name from nlnk-grp to nl-mcgrp
> - fix whitespace issues
>
> v4:
> - 2017-10-13 sgrubb
> - squash to 1 patch
> - rebase on KERN_MODULE event
> - open code subj attrs
>
> v3:
> - 2016-11-30 sgrubb
> - rebase on REPLACE event
> - minimize audit_log_format calls
> - rename audit_log_bind to audit_log_multicast_bind
>
> v2:
> - 2015-07-23 sgrubb
> - spin off audit_log_task_simple in seperate patch
>
> v1:
> - 2014-10-07 rgb
> ---
> include/uapi/linux/audit.h | 1 +
> kernel/audit.c | 48 ++++++++++++++++++++++++++++++++++++++++++----
> 2 files changed, 45 insertions(+), 4 deletions(-)
>
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index a534d71e689a..9b6a973f4cc3 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -117,6 +117,7 @@
> #define AUDIT_TIME_INJOFFSET 1332 /* Timekeeping offset injected */
> #define AUDIT_TIME_ADJNTPVAL 1333 /* NTP value adjustment */
> #define AUDIT_BPF 1334 /* BPF subsystem */
> +#define AUDIT_EVENT_LISTENER 1335 /* Task joined multicast read socket */
>
> #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
> #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
> diff --git a/kernel/audit.c b/kernel/audit.c
> index b96331e1976d..612bd818f6d7 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1520,20 +1520,60 @@ static void audit_receive(struct sk_buff *skb)
> audit_ctl_unlock();
> }
>
> +/* Log information about who is connecting to the audit multicast socket */
> +static void audit_log_multicast(int group, const char *op, int err)
> +{
> + const struct cred *cred;
> + struct tty_struct *tty;
> + char comm[sizeof(current->comm)];
> + struct audit_buffer *ab;
> +
> + if (!audit_enabled)
> + return;
> +
> + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_EVENT_LISTENER);
> + if (!ab)
> + return;
> +
> + cred = current_cred();
> + tty = audit_get_tty();
> + audit_log_format(ab, "pid=%u uid=%u auid=%u tty=%s ses=%u",
> + task_pid_nr(current),
> + from_kuid(&init_user_ns, cred->uid),
> + from_kuid(&init_user_ns, audit_get_loginuid(current)),
> + tty ? tty_name(tty) : "(none)",
> + audit_get_sessionid(current));
> + audit_put_tty(tty);
> + audit_log_task_context(ab); /* subj= */
> + audit_log_format(ab, " comm=");
> + audit_log_untrustedstring(ab, get_task_comm(comm, current));
> + audit_log_d_path_exe(ab, current->mm); /* exe= */
> + audit_log_format(ab, " nl-mcgrp=%d op=%s res=%d", group, op,
!err);
> + audit_log_end(ab);
> +}
> +
> /* Run custom bind function on netlink socket group connect or bind requests. */
> -static int audit_bind(struct net *net, int group)
> +static int audit_multicast_bind(struct net *net, int group)
> {
> + int err = 0;
> +
> if (!capable(CAP_AUDIT_READ))
> - return -EPERM;
> + err = -EPERM;
> + audit_log_multicast(group, "connect", err);
> + return err;
> +}
>
> - return 0;
> +static void audit_multicast_unbind(struct net *net, int group)
> +{
> + audit_log_multicast(group, "disconnect", 0);
> }
>
> static int __net_init audit_net_init(struct net *net)
> {
> struct netlink_kernel_cfg cfg = {
> .input = audit_receive,
> - .bind = audit_bind,
> + .bind = audit_multicast_bind,
> + .unbind = audit_multicast_unbind,
> .flags = NL_CFG_F_NONROOT_RECV,
> .groups = AUDIT_NLGRP_MAX,
> };
> --
> 1.8.3.1
>
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635