audit.18 kernel
by David Woodhouse
I've just uploaded kernel-2.6.9-5.0.3.EL.audit.18.src.rpm and the ppc64
build of it to ftp://ftp.uk.linux.org/pub/people/dwmw2/audit/kernel/
The build system is non-functional at the moment, so binary RPMS for
other machines will follow later. -- hopefully by the end of today.
This package includes the latest auditfs patch, the ia64 fix, and half
of the patch which Steve posted for logging comm= and exe=. When I
receive the netlink patches from Chris, I'll sort that out and make an
audit.19.
I await confirmation that my forward-port of the ia64 fix was correct,
so I can push that to Andrew Morton.
--
dwmw2
19 years, 9 months
Getting the program name in audit messages
by Steve Grubb
Hello,
This topic has already been discussed on the SE Linux mail list. Because the
attached patch affects the audit code, I want to put it out here for
discussion as well. I started with a patch to put the program name into avc
messages and Stephen Smalley changed the patch to put the processing in
audit_log_exit.
There is a minor problem in the SE Linux avc messages that makes it hard to
interpret what has failed. For example, if you have a shell script that tries
to read a file that's in a different context, you get a message with
exe=/bin/sh. This causes trouble tracking down the rogue script.
The attached patch against 2.6.11 changes the output of an AVC denial message
so that it looks like this:
type=KERNEL msg=audit(1112293183.500:1591315): item=0 name=/usr/X11R6/bin/id
inode=573518 dev=03:02 mode=040755 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1112293183.500:1591315): syscall=195 exit=-13 a0=9ef71e8
a1=bfe1e850 a2=b6cff4 a3=9ef71e8 items=1 pid=3583 loginuid=525 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=named exe=/bin/bash
type=KERNEL msg=audit(1112293183.500:1591315): avc: denied { search } for
name=bin dev=hda2 ino=573518 scontext=root:system_r:named_t
tcontext=system_u:object_r:bin_t tclass=dir
To get this, I deleted named, replaced it with a shell script that tries
to cat /etc/shadow. As you can see, it now says comm=named. You also get
the syscall information which could help policy writers correct problems
with less guessing. All around, its a plus for SE Linux.
How does this affect auditing? The audit record now has 2 new fields.
I put the following rules into the audit system:
-a entry,always -S execve
-a entry,always -S open
And within seconds got this:
type=KERNEL msg=audit(1112294058.648:2278762): syscall=5 exit=-2 a0=961f198
a1=18800 a2=2086b9 a3=18800 items=1 pid=3336 loginuid=525 uid=525 gid=525
euid=525 suid=525 fsuid=525 egid=525 sgid=525 fsgid=525 comm=gam_server
exe=/usr/libexec/gam_server
type=KERNEL msg=audit(1112294059.206:2279059): item=0 name=/dev/hdd inode=1357
dev=00:0d mode=060600 uid=525 gid=6 rdev=16:40
type=KERNEL msg=audit(1112294059.206:2279059): syscall=5 exit=4 a0=890b2f0
a1=8880 a2=0 a3=8880 items=1 pid=2744 loginuid=-1 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 comm=hald exe=/usr/sbin/hald
You now see what the exe's path is and what the program calls itself. This can
help interpret the audit messages since now you know that pid 2744 was the
hal daemon. So, I think this will be a big plus for auditing, too.
What do you guys think?
-Steve Grubb
19 years, 9 months