11:32 a.m.
... contains Chris' version of Steve's fix for audit_log_drain(), and my
thinko in the auditfs patch fixed so the hook in permission() should
work on all file systems.
--
dwmw2
12:40 p.m.
On Monday 11 April 2005 12:32, David Woodhouse wrote:
... contains Chris' version of Steve's fix for
audit_log_drain(), and my
thinko in the auditfs patch fixed so the hook in permission() should
work on all file systems.
I just tested this latest kernel. It seems to handle Kris's problem much
better. I would be interested in getting feedback. Now that we are fully
using the backlog buffer, does that solve the problem? There's 2 more fixups
that we can make depending on what the feedback is.
On another note...I still don't see any shutdown messages:
[root@endeavor audit-rec]# /etc/rc.d/init.d/auditd restart
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
From /var/log/messages:
Apr 11 13:37:55 localhost auditd[2766]:
The audit daemon is exiting.
Apr 11 13:37:55 localhost kernel: audit(1113241075.473:0): audit_pid=0
old=2766 by auid 4325
Apr 11 13:37:56 localhost auditd[2831]: Init complete, audit pid set to: 2831
From /var/log/audit/audit.log
type=DAEMON msg=auditd(1113241075)
auditd normal halt, pid=2766, uid=0
type=DAEMON msg=auditd(1113241076) auditd start, ver=0.7, format=raw,
pid=2831, uid=0
type=KERNEL msg=audit(1113241076.797:0): audit_enabled=1 old=1 by auid 4325
type=KERNEL msg=audit(1113241077.001:0): audit_backlog_limit=1024 old=1024 by
auid 4325
[root@endeavor ~]# uname -a
Linux endeavor 2.6.9-5.0.3.EL.audit.20 #1 Mon Apr 11 09:31:57 EDT 2005 i686
athlon i386 GNU/Linux
This is using the 686 kernel.
-Steve
2:13 p.m.
On Mon, 2005-04-11 at 13:40 -0400, Steve Grubb wrote:
On another note...I still don't see any shutdown messages:
Is the audit dæmon flushing the queue completely before it shuts down,
or just exiting immediately? The message should definitely be in the
queue before the signal is delivered.
--
dwmw2
2:31 p.m.
On Monday 11 April 2005 15:13, David Woodhouse wrote:
Is the audit dæmon flushing the queue completely before it shuts
down,
or just exiting immediately? The message should definitely be in the
queue before the signal is delivered.
When it receives the term signal, it stops looking for netlink packets, writes
a normal termination event, sets a flag for the other thread to finish the
backlog and exit, the main thread waits for the logger thread and then
terminates.
When the audit daemon shuts down, the kernel will start sending audit events
to syslog. That's why I included both syslog and audit.log.
-Steve
2:49 p.m.
On Monday 11 April 2005 15:13, David Woodhouse wrote:
Is the audit dæmon flushing the queue completely before it shuts
down,
or just exiting immediately?
I did this:
strace /sbin/auditd -f
and got this:
recvfrom(3, "$\0\0\0\2\0\0\0\1\0\0\0\301\17\0\0\0\0\0\0000\0\0\0\351"...,
1216, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) =
36
write(2, "Init complete, audit pid set to:"..., 37Init complete, audit pid set
to: 4033) = 37
write(2, "\n", 1
) = 1
select(4, [3], NULL, NULL, {30, 0}) = 1 (in [3], left {30, 0})
recvfrom(3, ";\0\0\0\320\7\0\0\0\0\0\0\0\0\0\0audit(1113248675"..., 1216,
MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 75
futex(0x8050ea0, FUTEX_WAKE, 1) = 1
futex(0x8050e9c, FUTEX_WAKE, 1) = 1
futex(0x8050e84, FUTEX_WAKE, 1type=KERNEL msg=audit(1113248675.648:0):
audit_enabled=1 old=1 by auid 4325
) = 1
select(4, [3], NULL, NULL, {30, 0}) = 1 (in [3], left {30, 0})
recvfrom(3, "$\0\0\0\2\0\0\0\2\0\0\0\301\17\0\0\0\0\0\0000\0\0\0\351"...,
1216, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) =
36
select(4, [3], NULL, NULL, {30, 0}) = ? ERESTARTNOHAND (To be restarted)
--- SIGCONT (Continued) @ 0 (0) ---
select(4, [3], NULL, NULL, {16, 36000}) = ? ERESTARTNOHAND (To be restarted)
--- SIGCONT (Continued) @ 0 (0) ---
In another terminal, I did this:
kill -s SIGCONT 4033
When sigterm is sent, I get this:
select(4, [3], NULL, NULL, {30, 0}) = ? ERESTARTNOHAND (To be restarted)
--- SIGTERM (Terminated) @ 0 (0) ---
write(2, "Signal 15\n", 10Signal 15
) = 10
sigreturn() = ? (mask now [])
getuid32() = 0
time(NULL) = 1113248847
futex(0x8050ea0, FUTEX_WAKE, 1) = 1
futex(0x8050e9c, FUTEX_WAKE, 1) = 1
futex(0x8050e84, FUTEX_WAKE, 1type=DAEMON msg=auditd(1113248847) auditd normal
halt, pid=4033, uid=0
) = 1
sched_yield() = 0
rt_sigaction(SIGALRM, {0x8049627, [], SA_RESTORER, 0xc957e8}, NULL, 8) = 0
alarm(5) = 0
write(2, "The audit daemon is exiting.", 28The audit daemon is exiting.) = 28
write(2, "\n", 1
) = 1
sendto(3, "0\0\0\0\351\3\5\0\3\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0"..., 48, 0,
{sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 48
nanosleep({0, 100000000}, NULL) = 0
recvfrom(3, "$\0\0\0\2\0\0\0\3\0\0\0\301\17\0\0\0\0\0\0000\0\0\0\351"...,
1216, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000},
[12]) = 36
recvfrom(3, "$\0\0\0\2\0\0\0\3\0\0\0\301\17\0\0\0\0\0\0000\0\0\0\351"...,
1216, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) =
36
nanosleep({0, 100000000}, NULL) = 0
recvfrom(3, 0xbfe4d4c0, 1216, 64, 0xbfe4d470, 0xbfe4d46c) = -1 EAGAIN
(Resource temporarily unavailable)
close(3) = 0
unlink("/var/run/auditd.pid") = 0
munmap(0xb7f32000, 4096) = 0
exit_group(0) = ?
Again, no sign of a signal to the audit daemon event.
-Steve
2:27 p.m.
On Mon, 2005-04-11 at 17:32 +0100, David Woodhouse wrote:
... contains Chris' version of Steve's fix for
audit_log_drain(), and my
thinko in the auditfs patch fixed so the hook in permission() should
work on all file systems.
Given that -mm no longer includes the patch from the audit bk tree, is
anyone working on getting the individual audit-related patches back into
-mm?
Also, as I've seen no response to the auditfs rfc/patch on linux-
fsdevel, I'd suggest updating the patches and taking them to linux-
kernel, with explicit cc'ing of particular individuals whose feedback is
especially desired (e.g. viro, akpm, feel free to suggest others) and
explicit cc'ing of individuals from this list who want to be involved in
any discussion (e.g. me, dwmw2?, chrisw?, feel free to suggest others).
But I think that this also requires getting the other patches on which
the auditfs patch depends re-based to the latest -mm and posted to
linux-kernel.
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency
10:22 a.m.
On Monday 11 April 2005 19:27, Stephen Smalley wrote:
<snip>
Also, as I've seen no response to the auditfs rfc/patch on
linux-
fsdevel, I'd suggest updating the patches and taking them to linux-
kernel, with explicit cc'ing of particular individuals whose feedback is
especially desired (e.g. viro, akpm, feel free to suggest others) and
explicit cc'ing of individuals from this list who want to be involved in
any discussion (e.g. me, dwmw2?, chrisw?, feel free to suggest others).
But I think that this also requires getting the other patches on which
the auditfs patch depends re-based to the latest -mm and posted to
linux-kernel.
Yeah, I finished work up on the user space/kernel space transport feature
(separated the kernel/user audit_watch structure, added a transport structure
per Stephen's suggestions, etc) and completed a basic watch listing feature,
which will return to user space a list of all watches. If at the time of the
listing, the watch's parent could be reached, its returned as a "valid"
path,
otherwise it's returned as an "invalid" path. The last bit of information
that needs to be added and finalized before I submit is a new field on the
watch for "device", so when a list is sent back to user space you can tell
the difference between the watch "/tmp/foo" and "/tmp/foo" ;-)
Granted, this
is probably a little over board as far as a CAPP certification is concerned,
but I figure it's generally useful; can't hurt.
I'm also a little concerned about how the administrator is going to be able to
_effectively_, _realistically_, and _intuitively_ interpret what they're
seeing in the audit log with regards to file system auditing. This is mostly
due to the possibility of a single syscall generating multiple records. Even
I have to double check the hook placement to make complete sense of all the
records being generated. When we document expected results they should be
perfectly explainable, wouldn't you agree? So, perhaps some kind of flagging
that's human readable in the audit record (ie: CREATE_*, UNLINK, RENAME_TO,
RENAME_FROM, PERMISSION, etc) would prove useful.
Perhaps something we can talk about tomorrow.
-tim
3:41 p.m.
On Mon, 2005-04-11 at 15:27 -0400, Stephen Smalley wrote:
On Mon, 2005-04-11 at 17:32 +0100, David Woodhouse wrote:
> ... contains Chris' version of Steve's fix for audit_log_drain(), and my
> thinko in the auditfs patch fixed so the hook in permission() should
> work on all file systems.
Given that -mm no longer includes the patch from the audit bk tree, is
anyone working on getting the individual audit-related patches back
into -mm?
I can do that -- I have separate patches for the RPM, after all. I
wonder why the bk-audit patch is dropped, though... Andrew?
--
dwmw2
10:17 a.m.
On Monday 11 April 2005 20:53, Andrew Morton wrote:
David Woodhouse <dwmw2(a)infradead.org> wrote:
> I wonder why the bk-audit patch is dropped, though.
Mainly because it was conflicting with some work Andi was trying to get
right in x86_64. I can probably bring it back next time.
--
Linux-audit mailing list
Linux-audit(a)redhat.com
http://www.redhat.com/mailman/listinfo/linux-audit
What kernel do you want me to diff against in the interim?
-tim
5:03 p.m.
On Mon, 2005-04-11 at 15:17 +0000, Timothy R. Chavez wrote:
What kernel do you want me to diff against in the interim?
bk://linux-audit.bkbits.net/audit-2.6-mm or the RPM.
--
dwmw2
3:58 p.m.
On Mon, 11 Apr 2005 17:32:27 BST, David Woodhouse said:
... contains Chris' version of Steve's fix for
audit_log_drain(), and my
thinko in the auditfs patch fixed so the hook in permission() should
work on all file systems.
Umm.. for those of us playing along with the home version, where is it to be
found? I've apparently lost the mail where you listed where you were putting
them, as at the time I was getting them via the bk-audit patch in the -mm
tree....
4:50 p.m.
On Tuesday 12 April 2005 16:58, Valdis.Kletnieks(a)vt.edu wrote:
Umm.. for those of us playing along with the home version, where is
it to
be found?
ftp://ftp.uk.linux.org/pub/people/dwmw2/audit/
I'll also put this on my people.redhat.com page.
-Steve
7194
days inactive
7195
days old
linux-audit@lists.linux-audit.osci.io
12 comments
6 participants
participants (6)
-
Andrew Morton -
David Woodhouse -
Stephen Smalley -
Steve Grubb -
Timothy R. Chavez -
Valdis.Kletnieks@vt.edu