type=USER_ROLE_CHANGE
by Michael C Thompson
Hey Steve / Amy,
In doing some tests, I've noticed that the USER_ROLE_CHANGE audit record
is associated with both newrole and semanage user -[ad]. I do not think
that USER_ROLE_CHANGE is a good name to have associated with SELinux
user creation/removal, not to mention that the payload of the record
resulting from newrole looks nothing like the payload generated by
semanage user -[ad].
Can we add a USER_ROLE_MODIFY, or some other label, that would indicate
and differentiate SELinux user creation/removal from a simple newrole?
Thanks,
Mike
18 years, 5 months
audit 1.2.5 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit and will also be in rawhide
tomorrow. The Changelog is:
- Switch out audit event dispatcher
- Fix bug upgrading rule types
Please let me know if there are any problems with this release.
-Steve
18 years, 5 months
[PATCH] fix oops with CONFIG_AUDIT and !CONFIG_AUDITSYSCALL
by Amy Griffis
Always initialize the audit_inode_hash[] so we don't oops on list rules.
Signed-off-by: Amy Griffis <amy.griffis(a)hp.com>
---
kernel/audit.c | 4 +---
1 files changed, 1 insertions(+), 3 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 7dfac70..097a560 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -690,9 +690,7 @@ #endif
/* Initialize audit support at boot time. */
static int __init audit_init(void)
{
-#ifdef CONFIG_AUDITSYSCALL
int i;
-#endif
printk(KERN_INFO "audit: initializing netlink socket (%s)\n",
audit_default ? "enabled" : "disabled");
@@ -717,10 +715,10 @@ #ifdef CONFIG_AUDITSYSCALL
audit_ih = inotify_init(&audit_inotify_ops);
if (IS_ERR(audit_ih))
audit_panic("cannot initialize inotify handle");
+#endif
for (i = 0; i < AUDIT_INODE_BUCKETS; i++)
INIT_LIST_HEAD(&audit_inode_hash[i]);
-#endif
return 0;
}
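Review bot: consider a one-line comment above the `for` loop saying that audit_inode_hash[] is needed by rule listing even without CONFIG_AUDITSYSCALL, so the loop is not re-wrapped in the `#ifdef` by a later cleanup; the moved `#endif` is otherwise the right fix, and since `int i;` is now declared unconditionally in the first hunk this compiles under both configurations.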
--
1.4.0
18 years, 5 months
[PATCH] fix missed create event for directory audit
by Amy Griffis
When an object is created via a symlink into an audited directory, audit misses
the event due to not having collected the inode data for the directory. Modify
__audit_inode_child() to copy the parent inode data if a parent wasn't found in
audit_names[].
Signed-off-by: Amy Griffis <amy.griffis(a)hp.com>
---
fs/namei.c | 2 +-
include/linux/audit.h | 8 ++++----
include/linux/fsnotify.h | 6 +++---
kernel/auditsc.c | 16 +++++++++++++---
4 files changed, 21 insertions(+), 11 deletions(-)
diff --git a/fs/namei.c b/fs/namei.c
index 8904b4f..f9ffe6d 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1357,7 +1357,7 @@ static int may_delete(struct inode *dir,
return -ENOENT;
BUG_ON(victim->d_parent->d_inode != dir);
- audit_inode_child(victim->d_name.name, victim->d_inode, dir->i_ino);
+ audit_inode_child(victim->d_name.name, victim->d_inode, dir);
error = permission(dir,MAY_WRITE | MAY_EXEC, NULL);
if (error)
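Review bot: this hunk touches the object-removal path (may_delete) while the commit message only describes creation through a symlink; a sentence in the changelog noting that the audit_inode_child() signature change reaches every caller, including unlink/rmdir via may_delete, would help anyone bisecting. Passing `dir` as the parent is safe here because the BUG_ON two lines above already dereferences it.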
diff --git a/include/linux/audit.h b/include/linux/audit.h
index c63f204..2803163 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -327,7 +327,7 @@ extern void __audit_getname(const char *
extern void audit_putname(const char *name);
extern void __audit_inode(const char *name, const struct inode *inode);
extern void __audit_inode_child(const char *dname, const struct inode *inode,
- unsigned long pino);
+ const struct inode *parent);
extern void __audit_inode_update(const struct inode *inode);
static inline void audit_getname(const char *name)
{
@@ -339,10 +339,10 @@ static inline void audit_inode(const cha
__audit_inode(name, inode);
}
static inline void audit_inode_child(const char *dname,
- const struct inode *inode,
- unsigned long pino) {
+ const struct inode *inode,
+ const struct inode *parent) {
if (unlikely(current->audit_context))
- __audit_inode_child(dname, inode, pino);
+ __audit_inode_child(dname, inode, parent);
}
static inline void audit_inode_update(const struct inode *inode) {
if (unlikely(current->audit_context))
diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h
index cc5dec7..d4f219f 100644
--- a/include/linux/fsnotify.h
+++ b/include/linux/fsnotify.h
@@ -67,7 +67,7 @@ static inline void fsnotify_move(struct
if (source) {
inotify_inode_queue_event(source, IN_MOVE_SELF, 0, NULL, NULL);
}
- audit_inode_child(new_name, source, new_dir->i_ino);
+ audit_inode_child(new_name, source, new_dir);
}
/*
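Review bot: `source` may be NULL at this call (see the `if (source)` guard just above), so the `inode` argument can be NULL while `new_dir` is now dereferenced as `parent` inside __audit_inode_child(); that relies on the existing `if (!inode)` handling in auditsc.c and on new_dir never being NULL for a move. Please state the non-NULL requirement for `@parent` in the kernel-doc added later in this patch.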
@@ -98,7 +98,7 @@ static inline void fsnotify_create(struc
inode_dir_notify(inode, DN_CREATE);
inotify_inode_queue_event(inode, IN_CREATE, 0, dentry->d_name.name,
dentry->d_inode);
- audit_inode_child(dentry->d_name.name, dentry->d_inode, inode->i_ino);
+ audit_inode_child(dentry->d_name.name, dentry->d_inode, inode);
}
/*
@@ -109,7 +109,7 @@ static inline void fsnotify_mkdir(struct
inode_dir_notify(inode, DN_CREATE);
inotify_inode_queue_event(inode, IN_CREATE | IN_ISDIR, 0,
dentry->d_name.name, dentry->d_inode);
- audit_inode_child(dentry->d_name.name, dentry->d_inode, inode->i_ino);
+ audit_inode_child(dentry->d_name.name, dentry->d_inode, inode);
}
/*
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 0bc584d..d440fe4 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1252,7 +1252,7 @@ #endif
* audit_inode_child - collect inode info for created/removed objects
* @dname: inode's dentry name
* @inode: inode being audited
- * @pino: inode number of dentry parent
+ * @parent: inode of dentry parent
*
* For syscalls that create or remove filesystem objects, audit_inode
* can only collect information for the filesystem object's parent.
@@ -1263,7 +1263,7 @@ #endif
* unsuccessful attempts.
*/
void __audit_inode_child(const char *dname, const struct inode *inode,
- unsigned long pino)
+ const struct inode *parent)
{
int idx;
struct audit_context *context = current->audit_context;
@@ -1277,7 +1277,7 @@ void __audit_inode_child(const char *dna
if (!dname)
goto update_context;
for (idx = 0; idx < context->name_count; idx++)
- if (context->names[idx].ino == pino) {
+ if (context->names[idx].ino == parent->i_ino) {
const char *name = context->names[idx].name;
if (!name)
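Review bot: `parent->i_ino` is dereferenced here with no NULL check, and the new `@parent` kernel-doc does not say the pointer must be valid; either document that callers guarantee a non-NULL parent (every caller in this patch passes a directory inode it has already used) or add a guard next to the existing `if (!dname)` early-out.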
@@ -1305,6 +1305,16 @@ #endif
context->names[idx].ino = (unsigned long)-1;
else
audit_copy_inode(&context->names[idx], inode);
+
+ /* A parent was not found in audit_names, so copy the inode data for the
+ * provided parent. */
+ if (!found_name) {
+ idx = context->name_count++;
+#if AUDIT_DEBUG
+ context->ino_count++;
+#endif
+ audit_copy_inode(&context->names[idx], parent);
+ }
}
/**
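Review bot: the new `if (!found_name)` block appends a second audit_names entry with `idx = context->name_count++` but shows no check that name_count is still below the size of names[]; if the entry filled just above took the last free slot, this writes past the end of the array. Please apply the same capacity check that guards the first append (or skip the parent copy and log the drop) before incrementing.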
--
1.4.0
18 years, 5 months
[PATCH] fix faulty inode data collection for open() with O_CREAT
by Amy Griffis
When the specified path is an existing file or when it is a symlink, audit
collects the wrong inode number, which causes it to miss the open() event.
Adding a second hook to the open() path fixes this.
Also add audit_copy_inode() to consolidate some code.
Signed-off-by: Amy Griffis <amy.griffis(a)hp.com>
---
fs/namei.c | 2 ++
include/linux/audit.h | 7 +++++
kernel/auditsc.c | 63 ++++++++++++++++++++++++++++++++-----------------
3 files changed, 50 insertions(+), 22 deletions(-)
diff --git a/fs/namei.c b/fs/namei.c
index 184fe4a..8904b4f 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1659,6 +1659,7 @@ do_last:
* It already exists.
*/
mutex_unlock(&dir->d_inode->i_mutex);
+ audit_inode_update(path.dentry->d_inode);
error = -EEXIST;
if (flag & O_EXCL)
@@ -1669,6 +1670,7 @@ do_last:
if (flag & O_NOFOLLOW)
goto exit_dput;
}
+
error = -ENOENT;
if (!path.dentry->d_inode)
goto exit_dput;
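Review bot: this hunk only adds a blank line after the `O_NOFOLLOW` block and is unrelated to the inode-collection fix; drop it to keep the patch minimal, or move it to a separate cleanup.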
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 9fcafaf..c63f204 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -328,6 +328,7 @@ extern void audit_putname(const char *na
extern void __audit_inode(const char *name, const struct inode *inode);
extern void __audit_inode_child(const char *dname, const struct inode *inode,
unsigned long pino);
+extern void __audit_inode_update(const struct inode *inode);
static inline void audit_getname(const char *name)
{
if (unlikely(current->audit_context))
@@ -343,6 +344,10 @@ static inline void audit_inode_child(con
if (unlikely(current->audit_context))
__audit_inode_child(dname, inode, pino);
}
+static inline void audit_inode_update(const struct inode *inode) {
+ if (unlikely(current->audit_context))
+ __audit_inode_update(inode);
+}
/* Private API (for audit.c only) */
extern unsigned int audit_serial(void);
@@ -414,8 +419,10 @@ #define audit_getname(n) do { ; } while
#define audit_putname(n) do { ; } while (0)
#define __audit_inode(n,i) do { ; } while (0)
#define __audit_inode_child(d,i,p) do { ; } while (0)
+#define __audit_inode_update(i) do { ; } while (0)
#define audit_inode(n,i) do { ; } while (0)
#define audit_inode_child(d,i,p) do { ; } while (0)
+#define audit_inode_update(i) do { ; } while (0)
#define auditsc_get_stamp(c,t,s) do { BUG(); } while (0)
#define audit_get_loginuid(c) ({ -1; })
#define audit_ipc_obj(i) ({ 0; })
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 53d2d74..0bc584d 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1200,14 +1200,18 @@ #if AUDIT_DEBUG
#endif
}
-static void audit_inode_context(int idx, const struct inode *inode)
+/* Copy inode data into an audit_names. */
+static void audit_copy_inode(struct audit_names *name, const struct inode *inode)
{
- struct audit_context *context = current->audit_context;
-
- selinux_get_inode_sid(inode, &context->names[idx].osid);
+ name->ino = inode->i_ino;
+ name->dev = inode->i_sb->s_dev;
+ name->mode = inode->i_mode;
+ name->uid = inode->i_uid;
+ name->gid = inode->i_gid;
+ name->rdev = inode->i_rdev;
+ selinux_get_inode_sid(inode, &name->osid);
}
-
/**
* audit_inode - store the inode and device from a lookup
* @name: name being audited
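Review bot: the new helper deserves kernel-doc (`@name`, `@inode`) in the style of the audit_inode comment right below it rather than the one-line `/* Copy inode data into an audit_names. */`, since it is now the single place that defines which inode fields audit records (ino, dev, mode, uid, gid, rdev, osid). The consolidation itself faithfully replaces the two six-field copy sequences removed further down in this file.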
@@ -1241,13 +1245,7 @@ #if AUDIT_DEBUG
++context->ino_count;
#endif
}
- context->names[idx].ino = inode->i_ino;
- context->names[idx].dev = inode->i_sb->s_dev;
- context->names[idx].mode = inode->i_mode;
- context->names[idx].uid = inode->i_uid;
- context->names[idx].gid = inode->i_gid;
- context->names[idx].rdev = inode->i_rdev;
- audit_inode_context(idx, inode);
+ audit_copy_inode(&context->names[idx], inode);
}
/**
@@ -1303,16 +1301,37 @@ #endif
context->names[idx].name_len = AUDIT_NAME_FULL;
context->names[idx].name_put = 0; /* don't call __putname() */
- if (inode) {
- context->names[idx].ino = inode->i_ino;
- context->names[idx].dev = inode->i_sb->s_dev;
- context->names[idx].mode = inode->i_mode;
- context->names[idx].uid = inode->i_uid;
- context->names[idx].gid = inode->i_gid;
- context->names[idx].rdev = inode->i_rdev;
- audit_inode_context(idx, inode);
- } else
- context->names[idx].ino = (unsigned long)-1;
+ if (!inode)
+ context->names[idx].ino = (unsigned long)-1;
+ else
+ audit_copy_inode(&context->names[idx], inode);
+}
+
+/**
+ * audit_inode_update - update inode info for last collected name
+ * @inode: inode being audited
+ *
+ * When open() is called on an existing object with the O_CREAT flag, the inode
+ * data audit initially collects is incorrect. This additional hook ensures
+ * audit has the inode data for the actual object to be opened.
+ */
+void __audit_inode_update(const struct inode *inode)
+{
+ struct audit_context *context = current->audit_context;
+ int idx;
+
+ if (!context->in_syscall || !inode)
+ return;
+
+ if (context->name_count == 0) {
+ context->name_count++;
+#if AUDIT_DEBUG
+ context->ino_count++;
+#endif
+ }
+ idx = context->name_count - 1;
+
+ audit_copy_inode(&context->names[idx], inode);
}
/**
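Review bot: when `context->name_count == 0`, __audit_inode_update() creates names[0] and copies the inode data but, unlike the child entry set up earlier in this file (`name_len = AUDIT_NAME_FULL; name_put = 0;`), leaves `name`, `name_len` and `name_put` untouched; please confirm those fields are cleared when a context is reused, or set them explicitly so a stale `name_put` cannot cause a __putname() on a pointer this entry never took. The `!context->in_syscall || !inode` early return is correct, and calling the hook after `mutex_unlock()` in the namei.c hunk is fine since only inode fields are read.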
--
1.4.0
18 years, 5 months
Bypassing audit's file watches
by Steve
I have found that I can modify files that are being watched and audit
does not catch it (i.e. no events are dispatched). When monitoring a file
for all system calls, I can:
echo "" > /file/to/watch
or
cat some_file > /file/to/watch
without generating audit events. I assume this has to do with how the
kernel handles redirection. Is it possible to catch these modifications?
Thanks,
Steve
18 years, 6 months
Auditing File Changes
by eklinger@uci.edu
Good morning. Please forgive me if this has been asked, but will the file
watch functionality be able to intercept writes and/or be able to
intercept the actual changes to the file and report those, in addition to
the fact that the file was modified?
Thank you
Evan
18 years, 6 months
Problem loading rules
by Steve
I am trying to load rules from a file that contains:
-a exit,always -F path=/etc/shadow -S open -k myrule_000000
-a exit,always -F path=/usr/sbin/chroot -S execve -k myrule_000001
-a exit,always -F path=/var/repository/important.doc -S unlink -k
myrule_000002
-a exit,always -F path=/var/log/secure -S open -k myrule_000003
-a exit,always -F path=/usr/bin/nmap -S execve -k myrule_000004
using auditctl -R
I am getting the following error:
Cannot realloc memory!
-F path must be before -S
There was an error in line 2 of iitds_audit.rules
--
I originally had the -S options before the -F. When I got the error, I
switched the order, but the same error is returned.
I have tried entering the rules individually from the command line and
they work without error.
I am using audit-1.2.4
Thanks,
Steve
18 years, 6 months
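As an added example that is not part of the thread (and not auditctl's own code), a small pre-flight linter for a rules file: it applies the ordering constraint auditctl reports above ("-F path must be before -S") and flags an option left without its argument, using the posted rules, wrap included, as constructed input.

```python
import shlex
# Constructed input: the poster's rules exactly as they appear above,
# including the line wrapped after "-k".
SAMPLE_RULES = """\
-a exit,always -F path=/etc/shadow -S open -k myrule_000000
-a exit,always -F path=/usr/sbin/chroot -S execve -k myrule_000001
-a exit,always -F path=/var/repository/important.doc -S unlink -k
myrule_000002
-a exit,always -F path=/var/log/secure -S open -k myrule_000003
-a exit,always -F path=/usr/bin/nmap -S execve -k myrule_000004
"""

# auditctl options that take an argument (subset sufficient for these rules).
OPTS_WITH_ARG = {"-a", "-A", "-d", "-w", "-W", "-p", "-F", "-S", "-k"}

def lint_rule(line):
    """Return the problems found in one rule line (empty list if none)."""
    toks = shlex.split(line)
    if not toks:
        return []
    if not toks[0].startswith("-"):
        # Most likely the tail of a rule that was wrapped onto a new line.
        return ["line does not start with an option (wrapped rule?)"]
    problems, seen_syscall, i = [], False, 0
    while i < len(toks):
        opt = toks[i]
        if opt not in OPTS_WITH_ARG:
            i += 1
            continue
        if i + 1 >= len(toks) or toks[i + 1].startswith("-"):
            problems.append(f"{opt} is missing its argument")
            i += 1
            continue
        arg = toks[i + 1]
        if opt == "-S":
            seen_syscall = True
        elif opt == "-F" and arg.startswith("path=") and seen_syscall:
            problems.append("-F path must be before -S")  # auditctl's wording
        i += 2
    return problems

def lint_rules(text):
    """Map 1-based line numbers to problems, skipping blank and comment lines."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            probs = lint_rule(line)
            if probs:
                report[n] = probs
    return report
```

Running `lint_rules(SAMPLE_RULES)` reports line 3 (`-k` without a key) and line 4 (a line that does not start with an option), which is where the wrapped rule would trip auditctl if the file really looks like that.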
RE: audit 1.2.4 released
by Shuva Brata Deb
Hi,
Can anybody give me a pointer on which version or update of Red Hat
Enterprise Linux will see audit 1.2?
A more generic question would be: is there any way I can find out the
packaging plan of Red Hat Enterprise Linux with the upcoming versions of
audit?
RH Enterprise Linux v-4 comes with audit 1.0 and there are no downloads
for newer versions from the Red Hat download center.
Thanks,
Shuva.//
-----Original Message-----
From: linux-audit-bounces(a)redhat.com
[mailto:linux-audit-bounces@redhat.com] On Behalf Of Steve Grubb
Sent: Saturday, July 01, 2006 2:09 AM
To: linux-audit(a)redhat.com
Subject: audit 1.2.4 released
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit and will also be in rawhide
tomorrow. The Changelog is:
- Add support for the new filter key
- Update syscall tables for 2.6.17
- Add audit failure query function
- Switch out gethostbyname call with getaddrinfo
- Add audit by obj capability for 2.6.18 kernel
- Ausearch & aureport now fail if no args to -te
- New auditd.conf option to choose blocking/non-blocking dispatcher
communication
- Ausearch improved search by label
Please let me know if there are any problems with this release.
-Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
18 years, 6 months