[PATCH 0/4] audit obj cleanups
by Amy Griffis
A few patches to clean up auditing for syscall objects.
- stop logging bogus object labels
- handle edge cases for xattr and mqueue calls
- try harder to log only 1 PATH record per object
These patches are based on audit.b36. Thanks for reviewing.
Amy
17 years, 9 months
(no subject)
by Kirkwood, David A.
When I view the events related to xscreensaver for a locked screen I
get 2 separate audit entries, one for a failure and 1 as a success. Both
have the same uid, euid, etc. Actually, the entries are exactly the same
except for the event number and the success outcome. I have the
xscreensaver executable set -rwsr-xr-x.
Thanks,
David A. Kirkwood
17 years, 9 months
audit-ptrace patch (untested)
by Alexander Viro
That one is on top of security_getprocattr() patch. See bz#228384...
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 229fa01..cce8b6c 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -90,6 +90,7 @@
#define AUDIT_MQ_GETSETATTR 1315 /* POSIX MQ get/set attribute record type */
#define AUDIT_KERNEL_OTHER 1316 /* For use by 3rd party modules */
#define AUDIT_FD_PAIR 1317 /* audit record for pipe/socketpair */
+#define AUDIT_OBJ_PID 1318 /* ptrace target */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
@@ -351,6 +352,8 @@ extern void __audit_inode(const char *name, const struct inode *inode);
extern void __audit_inode_child(const char *dname, const struct inode *inode,
const struct inode *parent);
extern void __audit_inode_update(const struct inode *inode);
+extern void __audit_ptrace(struct task_struct *t);
+
static inline int audit_dummy_context(void)
{
void *p = current->audit_context;
@@ -376,6 +379,12 @@ static inline void audit_inode_update(const struct inode *inode) {
__audit_inode_update(inode);
}
+static inline void audit_ptrace(struct task_struct *t)
+{
+ if (unlikely(!audit_dummy_context()))
+ __audit_ptrace(t);
+}
+
/* Private API (for audit.c only) */
extern unsigned int audit_serial(void);
extern void auditsc_get_stamp(struct audit_context *ctx,
@@ -476,6 +485,7 @@ extern int audit_n_rules;
#define audit_mq_timedreceive(d,l,p,t) ({ 0; })
#define audit_mq_notify(d,n) ({ 0; })
#define audit_mq_getsetattr(d,s) ({ 0; })
+#define audit_ptrace(t) ((void)0)
#define audit_n_rules 0
#endif
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 89875b2..c8465ea 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -209,6 +209,9 @@ struct audit_context {
unsigned long personality;
int arch;
+ pid_t target_pid;
+ char * obj_ctx;
+
#if AUDIT_DEBUG
int put_count;
int ino_count;
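Review bot: `char * obj_ctx;` should be `char *obj_ctx;` to match the pointer style of the surrounding struct members, and a short comment saying what it holds (the ptrace target's security context as returned by security_getprocattr(), freed with the context) would save the next reader a trip to __audit_ptrace().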
@@ -729,6 +732,7 @@ static inline void audit_free_context(struct audit_context *context)
audit_free_names(context);
audit_free_aux(context);
kfree(context->filterkey);
+ kfree(context->obj_ctx);
kfree(context);
context = previous;
} while (context);
@@ -967,6 +971,13 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
audit_log_end(ab);
}
+ if (context->obj_ctx) {
+ ab =audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
+ audit_log_format(ab, "opid=%d obj=%s",
+ context->target_pid, context->obj_ctx);
+ audit_log_end(ab);
+ }
+
if (context->pwd && context->pwdmnt) {
ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
if (ab) {
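Review bot: the AUDIT_OBJ_PID record is only emitted when context->obj_ctx is non-NULL, so if security_getprocattr() fails or the LSM has no "current" attribute for the target, target_pid is never logged even though a ptrace attach was made; keying the record on target_pid being set and adding obj= only when a context is available would keep the opid in the log regardless. Also, `ab =audit_log_start(` is missing a space, and the AUDIT_CWD block right below checks `if (ab)` before logging, so this block should do the same for consistency.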
@@ -1187,6 +1198,8 @@ void audit_syscall_exit(int valid, long return_code)
} else {
audit_free_names(context);
audit_free_aux(context);
+ kfree(context->obj_ctx);
+ context->obj_ctx = NULL;
kfree(context->filterkey);
context->filterkey = NULL;
tsk->audit_context = context;
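Review bot: obj_ctx is freed and reset here when the context is reused, but target_pid is left stale; that is harmless only as long as audit_log_exit() gates the record on obj_ctx, so if that gating ever moves to target_pid, `context->target_pid = 0;` belongs here as well.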
@@ -1874,6 +1887,13 @@ int audit_sockaddr(int len, void *a)
return 0;
}
+void __audit_ptrace(struct task_struct *t)
+{
+ struct audit_context *context = current->audit_context;
+ context->target_pid = t->pid;
+ security_getprocattr(t, "current", &context->obj_ctx);
+}
+
/**
* audit_avc_path - record the granting or denial of permissions
* @dentry: dentry to record
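Review bot: the return value of security_getprocattr() is ignored and any obj_ctx already stored in this context is overwritten without being freed, so if __audit_ptrace() is reached more than once within one syscall the earlier buffer leaks. Suggest `kfree(context->obj_ctx); context->obj_ctx = NULL;` before the call, and only treating obj_ctx as valid when the call returns a non-negative length.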
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index 4d50e06..ad7949a 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -18,6 +18,7 @@
#include <linux/ptrace.h>
#include <linux/security.h>
#include <linux/signal.h>
+#include <linux/audit.h>
#include <asm/pgtable.h>
#include <asm/uaccess.h>
@@ -161,6 +162,8 @@ int ptrace_attach(struct task_struct *task)
{
int retval;
+ audit_ptrace(task);
+
retval = -EPERM;
if (task->pid <= 1)
goto out;
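Review bot: audit_ptrace(task) runs before the pid check and the permission checks that follow it, so denied attach attempts are recorded alongside successful ones, with the outcome carried by the SYSCALL record's success/exit fields; that is the right placement for detection, and worth stating in the commit message so nobody "fixes" it by moving the call after the checks.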
17 years, 9 months
audit in /selinux directory
by Camilo Y. Campo
Hi All,
Some files in /selinux have a weird behavior on audit records... When I
try to read (or write) some files with no read (or write) permission, I
can't get the audit record even when I watch the file.
Look at this example:
[root@alex tmp]# auditctl -w /selinux/disable
[root@alex tmp]# cat /selinux/disable
cat: /selinux/disable: Invalid argument
[root@alex tmp]# ausearch -i -f /selinux/disable
----
type=PATH msg=audit(03/09/2007 16:23:01.340:29662) : item=0
name=/selinux/disable inode=13 dev=00:0e mode=file,200 ouid=root
ogid=root rdev=00:00 obj=system_u:object_r:security_t:s0
type=CWD msg=audit(03/09/2007 16:23:01.340:29662) : cwd=/tmp
type=SYSCALL msg=audit(03/09/2007 16:23:01.340:29662) : arch=x86_64
syscall=open success=yes exit=3 a0=7fff74a4a990 a1=0 a2=7fff74a49160
a3=15d93010 items=1 ppid=16073 pid=29020 auid=abat uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0
comm=cat exe=/bin/cat subj=abat_u:abat_r:abat_t:s0-s15:c0.c1023
key=(null)
The cat command failed and audit is saying "success". A bit strange for
me. Could anybody clarify this point for me, please?
Best Regards
--
Camilo Yamauchi Campo
Linux Technology Center
Software Engineer
camilo(a)br.ibm.com
17 years, 9 months
New Bit operators for Rules
by Steve Grubb
Hi,
I was looking into some aspects of auditing and found that I could not express
a couple of rules that I wanted to. With the current set of operators, I could not
specify that I wanted a certain kind of open, fcntl, clone, or other syscalls
that may have bit-mapped flags.
For example, suppose you wanted to audit opens that were O_DIRECTORY. It is a
bit mapped flag passed to open. With the current operators, you could only ask
for all opens and figure out the ones you wanted by filtering the searches.
I would like to add 2 new operators: & bit-mask and &= bit-test. The bit-mask
operator would simply apply a mask to the field by "anding" it. You can
specify more than one bit, and any bits that result in 1 make the expression
true. The bit test is similar but checks that the result is equal to the
mask. In other words, the bits you specify must be 1 to trigger an event.
The following patch introduces these new operators and has been tested.
Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>
diff -urp linux-2.6.18.x86_64.orig/include/linux/audit.h linux-2.6.18.x86_64/include/linux/audit.h
--- linux-2.6.18.x86_64.orig/include/linux/audit.h 2007-03-11 11:41:33.000000000 -0400
+++ linux-2.6.18.x86_64/include/linux/audit.h 2007-03-11 11:44:55.000000000 -0400
@@ -155,7 +155,7 @@
* are currently used in an audit field constant understood by the kernel.
* If you are adding a new #define AUDIT_<whatever>, please ensure that
* AUDIT_UNUSED_BITS is updated if need be. */
-#define AUDIT_UNUSED_BITS 0x0FFFFC00
+#define AUDIT_UNUSED_BITS 0x07FFFC00
/* Rule fields */
@@ -207,25 +207,29 @@
#define AUDIT_NEGATE 0x80000000
/* These are the supported operators.
- * 4 2 1
- * = > <
- * -------
- * 0 0 0 0 nonsense
- * 0 0 1 1 <
- * 0 1 0 2 >
- * 0 1 1 3 !=
- * 1 0 0 4 =
- * 1 0 1 5 <=
- * 1 1 0 6 >=
- * 1 1 1 7 all operators
+ * 4 2 1 8
+ * = > < ?
+ * ----------
+ * 0 0 0 0 00 nonsense
+ * 0 0 0 1 08 & bit mask
+ * 0 0 1 0 10 <
+ * 0 1 0 0 20 >
+ * 0 1 1 0 30 !=
+ * 1 0 0 0 40 =
+ * 1 0 0 1 48 &= bit test
+ * 1 0 1 0 50 <=
+ * 1 1 0 0 60 >=
+ * 1 1 1 1 78 all operators
*/
+#define AUDIT_BIT_MASK 0x08000000
#define AUDIT_LESS_THAN 0x10000000
#define AUDIT_GREATER_THAN 0x20000000
#define AUDIT_NOT_EQUAL 0x30000000
#define AUDIT_EQUAL 0x40000000
+#define AUDIT_BIT_TEST (AUDIT_BIT_MASK|AUDIT_EQUAL)
#define AUDIT_LESS_THAN_OR_EQUAL (AUDIT_LESS_THAN|AUDIT_EQUAL)
#define AUDIT_GREATER_THAN_OR_EQUAL (AUDIT_GREATER_THAN|AUDIT_EQUAL)
-#define AUDIT_OPERATORS (AUDIT_EQUAL|AUDIT_NOT_EQUAL)
+#define AUDIT_OPERATORS (AUDIT_EQUAL|AUDIT_NOT_EQUAL|AUDIT_BIT_MASK)
/* Status symbols */
/* Mask values */
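Review bot: with a fourth operator bit, several encodable values are left undefined by the table: 0x18, 0x28, 0x38, 0x58 and 0x68 (AUDIT_BIT_MASK combined with <, >, !=, <= or >=) are all non-zero, all survive a mask with AUDIT_OPERATORS, and none has a case in audit_comparator(), whose switch ends in BUG(). Rule validation needs to reject any op that has AUDIT_BIT_MASK set but is neither exactly AUDIT_BIT_MASK nor AUDIT_BIT_TEST, so a malformed rule sent from userspace cannot reach BUG(); the old three-bit scheme only had the "all operators" value to reject, which is no longer enough.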
diff -urp linux-2.6.18.x86_64.orig/kernel/auditfilter.c linux-2.6.18.x86_64/kernel/auditfilter.c
--- linux-2.6.18.x86_64.orig/kernel/auditfilter.c 2007-03-11 11:42:08.000000000 -0400
+++ linux-2.6.18.x86_64/kernel/auditfilter.c 2007-03-11 11:46:07.000000000 -0400
@@ -417,6 +417,13 @@ static struct audit_entry *audit_rule_to
case AUDIT_DEVMINOR:
case AUDIT_EXIT:
case AUDIT_SUCCESS:
+ /* bit ops are only useful on syscall args */
+ if (f->op == AUDIT_BIT_MASK ||
+ f->op == AUDIT_BIT_TEST) {
+ err = -EINVAL;
+ goto exit_free;
+ }
+ break;
case AUDIT_ARG0:
case AUDIT_ARG1:
case AUDIT_ARG2:
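Review bot: the new `break;` stops AUDIT_DEVMINOR, AUDIT_EXIT and AUDIT_SUCCESS from falling through into the AUDIT_ARG0..ARG3 cases as they did before this hunk, so check that whatever those cases do past the visible context was not also meant for these three fields. The comment says bit ops are only useful on syscall args, yet only these three non-arg fields are refused; any other fields handled earlier in the same switch would still accept & and &=, which is fine if intended but should be said in the changelog.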
@@ -1533,6 +1540,10 @@ int audit_comparator(const u32 left, con
return (left > right);
case AUDIT_GREATER_THAN_OR_EQUAL:
return (left >= right);
+ case AUDIT_BIT_MASK:
+ return (left & right);
+ case AUDIT_BIT_TEST:
+ return ((left & right) == right);
}
BUG();
return 0;
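Review bot: `return (left & right);` relies on the implicit u32-to-int conversion staying non-zero, which is correct but reads oddly next to the boolean expressions above it; `return (left & right) != 0;` makes the intent explicit. Neither operator is meaningful with a zero mask either (& never matches, &= always matches), so rejecting right == 0 at rule-load time would spare users a rule that silently matches everything or nothing.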
17 years, 9 months
Audit pipe full
by Ameel Kamboh
My platform is running RHEL5 (beta) with SNARE running as a dispatcher.
I am seeing many of these logs in my /var/log/messages:
Mar 9 13:59:02 vette auditd[23098]: dispatch err (pipe full) event lost
Mar 9 13:59:02 vette last message repeated 22 times
Mar 9 13:59:02 vette auditd[23098]: dispatch error reporting limit
reached - ending report notification.
Anyone know what is causing these?
Ameel Kamboh
MCS AS5200 Security and Media Services
Phone: 972.685.4922 (esn 445-4922)
Mobile: 978-590-2280
SIP: akamboh(a)techtrial.com
email: akamboh(a)nortel.com
17 years, 9 months
setting up auditd
by geckiv
Well I have a few problems and I can't find any good references on the
net on how to do this. I have a RH Rel 4 system and it does not seem to
be set up to run auditd (ok, rpm reveals audit-0.5-1, but config file and
device files are non-existent). And once I have that running I want to be
able to have my own application write to auditd. I understand
audit-libs is required for that but have been unable to find it nor a
procedure on how to use it. I found some tidbits but they seem Rel 3
related.
Help!!!
Thanks,
Frank
17 years, 9 months
setting time limits on aureport
by Bill Tangren
I am running 1.0.14-1.EL4 on a RHEL ES 4 system. I have noticed that the report
generated by aureport gives the total time range of the logs, rather than the
requested range. Is this how it is supposed to behave?
[root@aa ~]# aureport -ts 03/06/07 00:00:00
Summary Report
======================
Range of time: 03/04/07 01:00:22.175 - 03/07/07 09:41:51.113
Thanks!
Bill Tangren
17 years, 9 months
audit 1.5 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit and it will also be in rawhide
tomorrow. The Changelog is:
- NEW audit dispatcher program & plugin framework
- Correct hidden variables in libauparse
- Added NISPOM sample rules
- Verify accessibility of files passed in auparse_init
- Fix bug in parser library interpreting socketcalls
- Add support for stdio FILE pointer in auparse_init
- Adjust init script to allow anyone to status auditd (#230626)
The main feature of this update is a new audit event dispatcher that is
written in C. It should allow more plugins to be attached to it than the old
one. There will be more information about writing plugins later.
Please let me know if there are any problems with this release.
-Steve
17 years, 10 months