July 2007 - Linux-audit - Linux-Audit List Archives

[PATCH] audit=0 appears not to completely disable auditing

by Steve Grubb

Hi, There was a bz, 231371, reporting that current upstream kernels do not completely disable auditing when boot with audit=0 and the audit daemon not configured to run. You can reproduce the problem by: service auditd stop auditctl -e 0 auditctl -w /etc/passwd and you'd get an event in syslog: Mar 9 15:43:04 localhost kernel: audit(1173472984.321:982): auid=4294967295 subj=user_u:system_r:auditctl_t:s0 op=add rule key=(null) list=4 res=1 The patch below solves this problem by checking audit_enabled before creating an audit event. Signed-off-by: Steve Grubb <sgrubb(a)redhat.com> diff -urp linux-2.6.18.x86_64.orig/kernel/audit.c linux-2.6.18.x86_64/kernel/audit.c --- linux-2.6.18.x86_64.orig/kernel/audit.c 2007-03-09 14:08:18.000000000 -0500 +++ linux-2.6.18.x86_64/kernel/audit.c 2007-03-09 14:06:59.000000000 -0500 @@ -238,46 +238,50 @@ void audit_log_lost(const char *message) static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid) { - int old = audit_rate_limit; + if (audit_enabled) { + int old = audit_rate_limit; - if (sid) { - char *ctx = NULL; - u32 len; - int rc; - if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) - return rc; - else - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, + if (sid) { + char *ctx = NULL; + u32 len; + int rc; + if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) + return rc; + else + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, "audit_rate_limit=%d old=%d by auid=%u subj=%s", - limit, old, loginuid, ctx); - kfree(ctx); - } else - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, - "audit_rate_limit=%d old=%d by auid=%u", - limit, old, loginuid); + limit, old, loginuid, ctx); + kfree(ctx); + } else + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, + "audit_rate_limit=%d old=%d by auid=%u", + limit, old, loginuid); + } audit_rate_limit = limit; return 0; } static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid) { - int old = audit_backlog_limit; + if (audit_enabled) { + int old = audit_backlog_limit; - if (sid) { - char *ctx = NULL; - u32 len; - int rc; - if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) - return rc; - else - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, + if (sid) { + char *ctx = NULL; + u32 len; + int rc; + if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) + return rc; + else + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, "audit_backlog_limit=%d old=%d by auid=%u subj=%s", - limit, old, loginuid, ctx); - kfree(ctx); - } else - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, - "audit_backlog_limit=%d old=%d by auid=%u", - limit, old, loginuid); + limit, old, loginuid, ctx); + kfree(ctx); + } else + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, + "audit_backlog_limit=%d old=%d by auid=%u", + limit, old, loginuid); + } audit_backlog_limit = limit; return 0; } @@ -289,21 +293,23 @@ static int audit_set_enabled(int state, if (state != 0 && state != 1) return -EINVAL; - if (sid) { - char *ctx = NULL; - u32 len; - int rc; - if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) - return rc; - else - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, + if (audit_enabled || state) { + if (sid) { + char *ctx = NULL; + u32 len; + int rc; + if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) + return rc; + else + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, "audit_enabled=%d old=%d by auid=%u subj=%s", - state, old, loginuid, ctx); - kfree(ctx); - } else - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, - "audit_enabled=%d old=%d by auid=%u", - state, old, loginuid); + state, old, loginuid, ctx); + kfree(ctx); + } else + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, + "audit_enabled=%d old=%d by auid=%u", + state, old, loginuid); + } audit_enabled = state; return 0; } @@ -317,21 +323,23 @@ static int audit_set_failure(int state, && state != AUDIT_FAIL_PANIC) return -EINVAL; - if (sid) { - char *ctx = NULL; - u32 len; - int rc; - if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) - return rc; - else - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, + if (audit_enabled) { + if (sid) { + char *ctx = NULL; + u32 len; + int rc; + if ((rc = selinux_ctxid_to_string(sid, &ctx, &len))) + return rc; + else + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, "audit_failure=%d old=%d by auid=%u subj=%s", - state, old, loginuid, ctx); - kfree(ctx); - } else - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, - "audit_failure=%d old=%d by auid=%u", - state, old, loginuid); + state, old, loginuid, ctx); + kfree(ctx); + } else + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, + "audit_failure=%d old=%d by auid=%u", + state, old, loginuid); + } audit_failure = state; return 0; } @@ -536,22 +544,26 @@ static int audit_receive_msg(struct sk_b if (err < 0) return err; } if (status_get->mask & AUDIT_STATUS_PID) { - int old = audit_pid; - if (sid) { - if ((err = selinux_ctxid_to_string( - sid, &ctx, &len))) - return err; - else + if (audit_enabled) { + int old = audit_pid; + if (sid) { + if ((err = selinux_ctxid_to_string( + sid, &ctx, &len))) + return err; + else + audit_log(NULL, GFP_KERNEL, + AUDIT_CONFIG_CHANGE, + "audit_pid=%d old=%d by auid=%u subj=%s", + status_get->pid, old, + loginuid, ctx); + kfree(ctx); + } else audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, - "audit_pid=%d old=%d by auid=%u subj=%s", - status_get->pid, old, - loginuid, ctx); - kfree(ctx); - } else - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE, "audit_pid=%d old=%d by auid=%u", - status_get->pid, old, loginuid); + status_get->pid, old, + loginuid); + } audit_pid = status_get->pid; } if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) diff -urp linux-2.6.18.x86_64.orig/kernel/auditfilter.c linux-2.6.18.x86_64/kernel/auditfilter.c --- linux-2.6.18.x86_64.orig/kernel/auditfilter.c 2007-03-09 14:08:18.000000000 -0500 +++ linux-2.6.18.x86_64/kernel/auditfilter.c 2007-03-09 14:05:54.000000000 -0500 @@ -95,6 +95,8 @@ extern struct inotify_handle *audit_ih; /* Inotify events we care about. */ #define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF +extern int audit_enabled; + void audit_free_parent(struct inotify_watch *i_watch) { struct audit_parent *parent; @@ -897,7 +899,6 @@ static void audit_update_watch(struct au struct audit_watch *owatch, *nwatch, *nextw; struct audit_krule *r, *nextr; struct audit_entry *oentry, *nentry; - struct audit_buffer *ab; mutex_lock(&audit_filter_mutex); list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) { @@ -937,13 +938,18 @@ static void audit_update_watch(struct au call_rcu(&oentry->rcu, audit_free_rule_rcu); } - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); - audit_log_format(ab, "op=updated rules specifying path="); - audit_log_untrustedstring(ab, owatch->path); - audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino); - audit_log_format(ab, " list=%d res=1", r->listnr); - audit_log_end(ab); - + if (audit_enabled) { + struct audit_buffer *ab; + ab = audit_log_start(NULL, GFP_KERNEL, + AUDIT_CONFIG_CHANGE); + audit_log_format(ab, + "op=updated rules specifying path="); + audit_log_untrustedstring(ab, owatch->path); + audit_log_format(ab, " with dev=%u ino=%lu\n", + dev, ino); + audit_log_format(ab, " list=%d res=1", r->listnr); + audit_log_end(ab); + } audit_remove_watch(owatch); goto add_watch_to_parent; /* event applies to a single watch */ } @@ -962,25 +968,28 @@ static void audit_remove_parent_watches( struct audit_watch *w, *nextw; struct audit_krule *r, *nextr; struct audit_entry *e; - struct audit_buffer *ab; mutex_lock(&audit_filter_mutex); parent->flags |= AUDIT_PARENT_INVALID; list_for_each_entry_safe(w, nextw, &parent->watches, wlist) { list_for_each_entry_safe(r, nextr, &w->rules, rlist) { e = container_of(r, struct audit_entry, rule); - - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); - audit_log_format(ab, "op=remove rule path="); - audit_log_untrustedstring(ab, w->path); - if (r->filterkey) { - audit_log_format(ab, " key="); - audit_log_untrustedstring(ab, r->filterkey); - } else - audit_log_format(ab, " key=(null)"); - audit_log_format(ab, " list=%d res=1", r->listnr); - audit_log_end(ab); - + if (audit_enabled) { + struct audit_buffer *ab; + ab = audit_log_start(NULL, GFP_KERNEL, + AUDIT_CONFIG_CHANGE); + audit_log_format(ab, "op=remove rule path="); + audit_log_untrustedstring(ab, w->path); + if (r->filterkey) { + audit_log_format(ab, " key="); + audit_log_untrustedstring(ab, + r->filterkey); + } else + audit_log_format(ab, " key=(null)"); + audit_log_format(ab, " list=%d res=1", + r->listnr); + audit_log_end(ab); + } list_del(&r->rlist); list_del_rcu(&e->list); call_rcu(&e->rcu, audit_free_rule_rcu); @@ -1409,6 +1418,9 @@ static void audit_log_rule_change(uid_t { struct audit_buffer *ab; + if (!audit_enabled) + return; + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); if (!ab) return;

16 years, 7 months

4
5
0 / 0

[PATCH] dist target fixes

by John D. Ramsdell

Steve, I discovered a few more files that are being mistakenly omitted when using the dist target. John Only in b/audit-1.5.6: ab.diff Only in b/audit-1.5.6: ac.diff Only in b/audit-1.5.6: aclocal.m4 Only in b/audit-1.5.6/audisp: Makefile Only in b/audit-1.5.6/audisp: Makefile.in Only in b/audit-1.5.6: audit-1.5.6.tar.gz Only in b/audit-1.5.6/auparse: .deps Only in b/audit-1.5.6/auparse: Makefile Only in b/audit-1.5.6/auparse: Makefile.in Only in b/audit-1.5.6/auparse/test: .deps Only in b/audit-1.5.6/auparse/test: Makefile diff -ur a/audit-1.5.6/auparse/test/Makefile.am b/audit-1.5.6/auparse/test/Makefile.am --- a/audit-1.5.6/auparse/test/Makefile.am 2007-05-17 15:26:49.000000000 -0400 +++ b/audit-1.5.6/auparse/test/Makefile.am 2007-07-30 07:20:28.000000000 -0400 @@ -50,6 +50,4 @@ ../../bindings/python/build/*/auparse.so: ../../bindings/python/auparse_python.c cd ../../bindings/python && make - - - +EXTRA_DIST = auparse_test.py auparse_test.ref diff -ur a/audit-1.5.6/auparse/test/Makefile.in b/audit-1.5.6/auparse/test/Makefile.in --- a/audit-1.5.6/auparse/test/Makefile.in 2007-07-25 14:23:12.000000000 -0400 +++ b/audit-1.5.6/auparse/test/Makefile.in 2007-07-30 07:54:28.000000000 -0400 @@ -213,6 +213,7 @@ auparse_test_LDFLAGS = -static auparse_test_LDADD = -L../.libs/ -L../../lib/.libs -lauparse -laudit auparse_test_DEPENDENCIES = ../.libs/libauparse.a ../*.c ../*.h +EXTRA_DIST = auparse_test.py auparse_test.ref all: all-am .SUFFIXES: Only in b/audit-1.5.6: autom4te.cache Only in b/audit-1.5.6/bindings: Makefile Only in b/audit-1.5.6/bindings: Makefile.in Only in b/audit-1.5.6/bindings/python: Makefile Only in b/audit-1.5.6/bindings/python: Makefile.in Only in b/audit-1.5.6: b.txt Only in b/audit-1.5.6: config.h Only in b/audit-1.5.6: config.h.in Only in b/audit-1.5.6: config.log Only in b/audit-1.5.6: config.status Only in b/audit-1.5.6: configure Only in b/audit-1.5.6: c.txt Only in b/audit-1.5.6/docs: Makefile Only in b/audit-1.5.6/docs: Makefile.in Only in b/audit-1.5.6/init.d: Makefile diff -ur a/audit-1.5.6/init.d/Makefile.am b/audit-1.5.6/init.d/Makefile.am --- a/audit-1.5.6/init.d/Makefile.am 2007-07-25 14:10:53.000000000 -0400 +++ b/audit-1.5.6/init.d/Makefile.am 2007-07-30 07:25:54.000000000 -0400 @@ -22,7 +22,7 @@ CONFIG_CLEAN_FILES = Makefile.in *.rej *.orig EXTRA_DIST = auditd.init auditd.sysconfig auditd.conf audit.rules \ - auditd.cron libaudit.conf + auditd.cron libaudit.conf audispd.conf libconfig = libaudit.conf dispconfig = audispd.conf dispconfigdir = $(sysconfdir)/audisp Only in b/audit-1.5.6/init.d: Makefile.am~ Only in b/audit-1.5.6/init.d: Makefile.in Only in b/audit-1.5.6/lib: .deps Only in b/audit-1.5.6/lib: Makefile Only in b/audit-1.5.6/lib: Makefile.in Only in b/audit-1.5.6: libtool Only in b/audit-1.5.6: Makefile diff -ur a/audit-1.5.6/Makefile.am b/audit-1.5.6/Makefile.am --- a/audit-1.5.6/Makefile.am 2007-06-27 06:19:18.000000000 -0400 +++ b/audit-1.5.6/Makefile.am 2007-07-30 07:53:45.000000000 -0400 @@ -21,9 +21,14 @@ # Rickard E. (Rik) Faith <faith(a)redhat.com> # -SUBDIRS = lib auparse src/mt src audisp swig bindings init.d docs system-config-audit -EXTRA_DIST = ChangeLog AUTHORS NEWS README sample.rules contrib/capp.rules contrib/nispom.rules contrib/lspp.rules contrib/skeleton.c README-install audit.spec -CONFIG_CLEAN_FILES = Makefile.in aclocal.m4* config.h.* configure debug*.list config/* +SUBDIRS = lib auparse src/mt src audisp swig bindings init.d docs \ +system-config-audit +EXTRA_DIST = ChangeLog AUTHORS NEWS README sample.rules \ +contrib/capp.rules contrib/nispom.rules contrib/lspp.rules \ +contrib/skeleton.c contrib/avc_snap contrib/avc_syslog \ +system-config-audit.lang README-install audit.spec +CONFIG_CLEAN_FILES = Makefile.in aclocal.m4* config.h.* configure \ +debug*.list config/* clean-generic: rm -rf autom4te*.cache Only in b/audit-1.5.6: Makefile.am~ Only in b/audit-1.5.6: Makefile.in Only in b/audit-1.5.6: oaudit-1.5.6.tar.gz Only in b/audit-1.5.6/src: Makefile Only in b/audit-1.5.6/src: Makefile.in Only in b/audit-1.5.6/src/mt: audit_logging.c Only in b/audit-1.5.6/src/mt: deprecated.c Only in b/audit-1.5.6/src/mt: libaudit.c Only in b/audit-1.5.6/src/mt: libaudit.h Only in b/audit-1.5.6/src/mt: lookup_table.c Only in b/audit-1.5.6/src/mt: Makefile Only in b/audit-1.5.6/src/mt: Makefile.in Only in b/audit-1.5.6/src/mt: message.c Only in b/audit-1.5.6/src/mt: netlink.c Only in b/audit-1.5.6/src/mt: private.h Only in b/audit-1.5.6: stamp-h1 Only in b/audit-1.5.6/swig: audit.py Only in b/audit-1.5.6/swig: audit_wrap.c Only in b/audit-1.5.6/swig: .deps Only in b/audit-1.5.6/swig: Makefile Only in b/audit-1.5.6/swig: Makefile.in Only in b/audit-1.5.6/system-config-audit: config.log Only in b/audit-1.5.6/system-config-audit: config.status Only in b/audit-1.5.6/system-config-audit: intltool-extract Only in b/audit-1.5.6/system-config-audit: intltool-merge Only in b/audit-1.5.6/system-config-audit: intltool-update Only in b/audit-1.5.6/system-config-audit: libtool Only in b/audit-1.5.6/system-config-audit: m4.txt Only in b/audit-1.5.6/system-config-audit: Makefile diff -ur a/audit-1.5.6/system-config-audit/Makefile.am b/audit-1.5.6/system-config-audit/Makefile.am --- a/audit-1.5.6/system-config-audit/Makefile.am 2007-07-25 14:25:05.000000000 -0400 +++ b/audit-1.5.6/system-config-audit/Makefile.am 2007-07-30 07:49:09.000000000 -0400 @@ -58,11 +58,21 @@ CLEANFILES = $(applications_DATA) $(bin_SCRIPTS) $(nodist_pkgdata_PYTHON) \ admin/system-config-audit-server.console DISTCLEANFILES = intltool-extract intltool-merge intltool-update -EXTRA_DIST = admin/intltool-extract.in admin/intltool-merge.in \ - admin/intltool-update.in admin/system-config-audit-server.console.in \ - admin/system-config-audit-server.pam \ - src/settings.py.in src/system-config-audit.in \ - system-config-audit.desktop.in +EXTRA_DIST = admin/intltool-extract.in admin/intltool-merge.in \ + admin/intltool-update.in \ + admin/system-config-audit-server.console.in \ + admin/system-config-audit-server.pam src/settings.py.in \ + src/system-config-audit.in system-config-audit.desktop.in \ + m4/codeset.m4 m4/gettext.m4 m4/glibc21.m4 m4/glibc2.m4 \ + m4/iconv.m4 m4/intdiv0.m4 m4/intldir.m4 m4/intl.m4 \ + m4/intmax.m4 m4/inttypes_h.m4 m4/inttypes.m4 \ + m4/inttypes-pri.m4 m4/isc-posix.m4 m4/lcmessage.m4 \ + m4/lib-ld.m4 m4/lib-link.m4 m4/lib-prefix.m4 m4/lock.m4 \ + m4/longdouble.m4 m4/longlong.m4 m4/nls.m4 m4/po.m4 \ + m4/printf-posix.m4 m4/progtest.m4 m4/signed.m4 m4/size_max.m4 \ + m4/stdint_h.m4 m4/uintmax_t.m4 m4/ulonglong.m4 \ + m4/visibility.m4 m4/wchar_t.m4 m4/wint_t.m4 m4/xsize.m4 + src_system_config_audit_server_SOURCES = src/server.c src/server.h src_system_config_audit_server_CPPFLAGS = $(AM_CPPFLAGS) \ Only in b/audit-1.5.6/system-config-audit: Makefile.am~ diff -ur a/audit-1.5.6/system-config-audit/Makefile.in b/audit-1.5.6/system-config-audit/Makefile.in --- a/audit-1.5.6/system-config-audit/Makefile.in 2007-07-25 14:23:56.000000000 -0400 +++ b/audit-1.5.6/system-config-audit/Makefile.in 2007-07-30 07:50:07.000000000 -0400 @@ -314,12 +314,21 @@ CLEANFILES = $(applications_DATA) $(bin_SCRIPTS) $(nodist_pkgdata_PYTHON) \ admin/system-config-audit-server.console -DISTCLEANFILES = intltool-extract intltool-merge intltool-update src/.libs -EXTRA_DIST = admin/intltool-extract.in admin/intltool-merge.in \ - admin/intltool-update.in admin/system-config-audit-server.console.in \ - admin/system-config-audit-server.pam \ - src/settings.py.in src/system-config-audit.in \ - system-config-audit.desktop.in +DISTCLEANFILES = intltool-extract intltool-merge intltool-update +EXTRA_DIST = admin/intltool-extract.in admin/intltool-merge.in \ + admin/intltool-update.in \ + admin/system-config-audit-server.console.in \ + admin/system-config-audit-server.pam src/settings.py.in \ + src/system-config-audit.in system-config-audit.desktop.in \ + m4/codeset.m4 m4/gettext.m4 m4/glibc21.m4 m4/glibc2.m4 \ + m4/iconv.m4 m4/intdiv0.m4 m4/intldir.m4 m4/intl.m4 \ + m4/intmax.m4 m4/inttypes_h.m4 m4/inttypes.m4 \ + m4/inttypes-pri.m4 m4/isc-posix.m4 m4/lcmessage.m4 \ + m4/lib-ld.m4 m4/lib-link.m4 m4/lib-prefix.m4 m4/lock.m4 \ + m4/longdouble.m4 m4/longlong.m4 m4/nls.m4 m4/po.m4 \ + m4/printf-posix.m4 m4/progtest.m4 m4/signed.m4 m4/size_max.m4 \ + m4/stdint_h.m4 m4/uintmax_t.m4 m4/ulonglong.m4 \ + m4/visibility.m4 m4/wchar_t.m4 m4/wint_t.m4 m4/xsize.m4 src_system_config_audit_server_SOURCES = src/server.c src/server.h src_system_config_audit_server_CPPFLAGS = $(AM_CPPFLAGS) \ Only in b/audit-1.5.6/system-config-audit/po: Makefile Only in b/audit-1.5.6/system-config-audit/po: Makefile.in Only in b/audit-1.5.6/system-config-audit/po: POTFILES Only in b/audit-1.5.6/system-config-audit/po: stamp-it Only in b/audit-1.5.6/system-config-audit/src: config.h Only in b/audit-1.5.6/system-config-audit/src: .deps Only in b/audit-1.5.6/system-config-audit/src: stamp-h1

16 years, 8 months

3
10
0 / 0

Audit with path exception rule

by Ameel Kamboh

I would like to audit the file system for anyone creating new files However I would like to exclude a directory from the watch list. Here is the sample I have: #3. create/Remove any files -a exit,always -S creat -F path!=/var/myApp <--- line 21 -a exit,always -S unlink -F path!=/var/myApp This is giving me the following error: auditctl -R test.rules No rules AUDIT_STATUS: enabled=1 flag=1 pid=3413 rate_limit=0 backlog_limit=1024 lost=0 backlog=0 Error sending add rule data request (Invalid argument) There was an error in line 21 of test.rules Ameel Kamboh SIP Core Network and Security Phone: 972.685.4922 (esn 445-4922) Mobile: 978-590-2280 SIP: akamboh(a)techtrial.com email: akamboh(a)nortel.com

16 years, 9 months

3
2
0 / 0

High-level audit parser module

by John D. Ramsdell

John, I'm working on a high-level audit reading Python library built on top of the auparse module. I suspect it could be made to be useful to others besides myself. I have enclosed the generated documentation for the relevant classes in my module. If you think it could be generally useful, the key question is what methods should be defined in the AuditEvent and AuditRecord classes. Some of the current ones are too specific to my needs. CLASSES class AuditEvent(__builtin__.list) | AuditEvent(AuEvent) | | An audit event is represented as a list of AuditRecord's. Each | AuditRecord is a dictionary that represents one of the records | that make up the event. | | Method resolution order: | AuditEvent | __builtin__.list | __builtin__.object | | Methods defined here: | | __init__(self, timestamp) | | find_record_of_type(self, typ) | Find record of type | | Returns a record in the event that has the given type. | Returns None when there is no such record. | | find_value(self, name) | Find a value | | Returns a value associated with the given name in some record | in the event. Raises KeyError if no field has the given name. | | get_timestamp(self) | Get the timestamp associated with this event. | | path_name(self, item) | Find name and security context in PATH record | | Return the name and the security context in a PATH record that | matches the given item number. Raises KeyError if PATH record | cannot be found. | | ---------------------------------------------------------------------- | Data descriptors defined here: | | __dict__ | dictionary for instance variables (if defined) | | __weakref__ | list of weak references to the object (if defined) | | ---------------------------------------------------------------------- | Methods inherited from __builtin__.list: !!! inherited methods omitted !!! class AuditLog(__builtin__.object) | AuditLog(AuParser or file, bool) | | Encapsulates a log accessed by the auparse module. It provides an | interator to the log's events. Each call to the next method of | the interator returns an AuditEvent. The boolean determines if | numeric entities in fields are interpreted. | | Methods defined here: | | __init__(self, au, interpret=False) | | __iter__(self) | | ---------------------------------------------------------------------- | Data descriptors defined here: | | __dict__ | dictionary for instance variables (if defined) | | __weakref__ | list of weak references to the object (if defined) class AuditLogIter(__builtin__.object) | AuditLogIter(AuditLog) | | An iterator for an audit log. | | Methods defined here: | | __init__(self, aulog) | | next(self) | Returns an AuditEvent | | ---------------------------------------------------------------------- | Data descriptors defined here: | | __dict__ | dictionary for instance variables (if defined) | | __weakref__ | list of weak references to the object (if defined) class AuditRecord(__builtin__.dict) | AuditRecord(AuditEvent) | | An audit record is a dictionary. | | Method resolution order: | AuditRecord | __builtin__.dict | __builtin__.object | | Methods defined here: | | __init__(self, event) | | get_event(self) | Get the event associated with this record. | | path_name_record(self, item) | Find name and security context in PATH record | | Return the name and the security context in a PATH record that | matches the given item number. Raises KeyError if PATH record | cannot be found. | | ---------------------------------------------------------------------- | Data descriptors defined here: | | __dict__ | dictionary for instance variables (if defined) | | __weakref__ | list of weak references to the object (if defined) | | ---------------------------------------------------------------------- | Methods inherited from __builtin__.dict: !!! inherited methods omitted !!!

16 years, 9 months

1
1
0 / 0

New audit record types for static network labels

by Paul Moore

I am currently working on a series of patches to add support for static external network labels to NetLabel/SELinux. The idea is that a user could define a physical interface, IP address, address mask, and context which would be applied as an external label to the packet when an explicit label was not present. This is similar to other trusted OSs which allow administrators to assign labels to single level, unlabeled networks. For those of you following the SELinux list it was discussed a month or two ago. This is relevant to the audit subsystem because adding/removing these address/context entries should most likely be audited for the same reasons we audit other NetLabel or XFRM labeling related configuration changes. To accomplish this I would like to suggest the addition of the following record types, comments? #define AUDIT_MAC_UNLBL_STATICADD 14XX /* NetLabel: add a static label */ #define AUDIT_MAC_UNLBL_STATICDEL 14XX /* NetLabel: del a static label */ -- paul moore linux security @ hp

16 years, 9 months

1
0
0 / 0

selinux_audit_set_callback

by Casey Schaufler

What is the rationale behind the selinux_audit_set_callback() mechanism? It looks for all the world as if the selinux code ought to be able to call the registered function directly. Casey Schaufler casey(a)schaufler-ca.com

16 years, 9 months

2
1
0 / 0

[2.6 patch] kernel/audit.c: change the exports to EXPORT_SYMBOL_GPL

by Adrian Bunk

This patch changes some completely unused audit exports from EXPORT_SYMBOL to EXPORT_SYMBOL_GPL. They are still completely unused, but hopefully some of the theoretical code that might use it will appear in the kernel in the near future... Signed-off-by: Adrian Bunk <bunk(a)stusta.de> Acked-by: Steve Grubb <sgrubb(a)redhat.com> --- This patch has been sent on: - 11 Dec 2006 --- linux-2.6.19-mm1/kernel/audit.c.old 2006-12-11 20:13:54.000000000 +0100 +++ linux-2.6.19-mm1/kernel/audit.c 2006-12-11 20:14:19.000000000 +0100 @@ -1209,7 +1209,7 @@ } } -EXPORT_SYMBOL(audit_log_start); -EXPORT_SYMBOL(audit_log_end); -EXPORT_SYMBOL(audit_log_format); -EXPORT_SYMBOL(audit_log); +EXPORT_SYMBOL_GPL(audit_log_start); +EXPORT_SYMBOL_GPL(audit_log_end); +EXPORT_SYMBOL_GPL(audit_log_format); +EXPORT_SYMBOL_GPL(audit_log);

16 years, 9 months

4
5
0 / 0

[patch 058/209] audit: rework execve audit

by akpm＠linux-foundation.org

From: Peter Zijlstra <a.p.zijlstra(a)chello.nl> The purpose of audit_bprm() is to log the argv array to a userspace daemon at the end of the execve system call. Since user-space hasn't had time to run, this array is still in pristine state on the process' stack; so no need to copy it, we can just grab it from there. In order to minimize the damage to audit_log_*() copy each string into a temporary kernel buffer first. Currently the audit code requires that the full argument vector fits in a single packet. So currently it does clip the argv size to a (sysctl) limit, but only when execve auditing is enabled. If the audit protocol gets extended to allow for multiple packets this check can be removed. Signed-off-by: Peter Zijlstra <a.p.zijlstra(a)chello.nl> Signed-off-by: Ollie Wild <aaw(a)google.com> Cc: <linux-audit(a)redhat.com> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- Documentation/filesystems/proc.txt | 7 ++ fs/exec.c | 3 include/linux/binfmts.h | 1 kernel/auditsc.c | 84 ++++++++++++++++++++------- kernel/sysctl.c | 11 +++ 5 files changed, 85 insertions(+), 21 deletions(-) diff -puN Documentation/filesystems/proc.txt~audit-rework-execve-audit Documentation/filesystems/proc.txt --- a/Documentation/filesystems/proc.txt~audit-rework-execve-audit +++ a/Documentation/filesystems/proc.txt @@ -1065,6 +1065,13 @@ check the amount of free space (value is resume it if we have a value of 3 or more percent; consider information about the amount of free space valid for 30 seconds +audit_argv_kb +------------- + +The file contains a single value denoting the limit on the argv array size +for execve (in KiB). This limit is only applied when system call auditing for +execve is enabled, otherwise the value is ignored. + ctrl-alt-del ------------ diff -puN fs/exec.c~audit-rework-execve-audit fs/exec.c --- a/fs/exec.c~audit-rework-execve-audit +++ a/fs/exec.c @@ -1154,6 +1154,7 @@ int do_execve(char * filename, { struct linux_binprm *bprm; struct file *file; + unsigned long env_p; int retval; int i; @@ -1208,9 +1209,11 @@ int do_execve(char * filename, if (retval < 0) goto out; + env_p = bprm->p; retval = copy_strings(bprm->argc, argv, bprm); if (retval < 0) goto out; + bprm->argv_len = env_p - bprm->p; retval = search_binary_handler(bprm,regs); if (retval >= 0) { diff -puN include/linux/binfmts.h~audit-rework-execve-audit include/linux/binfmts.h --- a/include/linux/binfmts.h~audit-rework-execve-audit +++ a/include/linux/binfmts.h @@ -40,6 +40,7 @@ struct linux_binprm{ unsigned interp_flags; unsigned interp_data; unsigned long loader, exec; + unsigned long argv_len; }; #define BINPRM_FLAGS_ENFORCE_NONDUMP_BIT 0 diff -puN kernel/auditsc.c~audit-rework-execve-audit kernel/auditsc.c --- a/kernel/auditsc.c~audit-rework-execve-audit +++ a/kernel/auditsc.c @@ -153,7 +153,7 @@ struct audit_aux_data_execve { struct audit_aux_data d; int argc; int envc; - char mem[0]; + struct mm_struct *mm; }; struct audit_aux_data_socketcall { @@ -831,6 +831,55 @@ static int audit_log_pid_context(struct return rc; } +static void audit_log_execve_info(struct audit_buffer *ab, + struct audit_aux_data_execve *axi) +{ + int i; + long len, ret; + const char __user *p = (const char __user *)axi->mm->arg_start; + char *buf; + + if (axi->mm != current->mm) + return; /* execve failed, no additional info */ + + for (i = 0; i < axi->argc; i++, p += len) { + len = strnlen_user(p, MAX_ARG_PAGES*PAGE_SIZE); + /* + * We just created this mm, if we can't find the strings + * we just copied into it something is _very_ wrong. Similar + * for strings that are too long, we should not have created + * any. + */ + if (!len || len > MAX_ARG_STRLEN) { + WARN_ON(1); + send_sig(SIGKILL, current, 0); + } + + buf = kmalloc(len, GFP_KERNEL); + if (!buf) { + audit_panic("out of memory for argv string\n"); + break; + } + + ret = copy_from_user(buf, p, len); + /* + * There is no reason for this copy to be short. We just + * copied them here, and the mm hasn't been exposed to user- + * space yet. + */ + if (!ret) { + WARN_ON(1); + send_sig(SIGKILL, current, 0); + } + + audit_log_format(ab, "a%d=", i); + audit_log_untrustedstring(ab, buf); + audit_log_format(ab, "\n"); + + kfree(buf); + } +} + static void audit_log_exit(struct audit_context *context, struct task_struct *tsk) { int i, call_panic = 0; @@ -971,13 +1020,7 @@ static void audit_log_exit(struct audit_ case AUDIT_EXECVE: { struct audit_aux_data_execve *axi = (void *)aux; - int i; - const char *p; - for (i = 0, p = axi->mem; i < axi->argc; i++) { - audit_log_format(ab, "a%d=", i); - p = audit_log_untrustedstring(ab, p); - audit_log_format(ab, "\n"); - } + audit_log_execve_info(ab, axi); break; } case AUDIT_SOCKETCALL: { @@ -1821,32 +1864,31 @@ int __audit_ipc_set_perm(unsigned long q return 0; } +int audit_argv_kb = 32; + int audit_bprm(struct linux_binprm *bprm) { struct audit_aux_data_execve *ax; struct audit_context *context = current->audit_context; - unsigned long p, next; - void *to; if (likely(!audit_enabled || !context || context->dummy)) return 0; - ax = kmalloc(sizeof(*ax) + PAGE_SIZE * MAX_ARG_PAGES - bprm->p, - GFP_KERNEL); + /* + * Even though the stack code doesn't limit the arg+env size any more, + * the audit code requires that _all_ arguments be logged in a single + * netlink skb. Hence cap it :-( + */ + if (bprm->argv_len > (audit_argv_kb << 10)) + return -E2BIG; + + ax = kmalloc(sizeof(*ax), GFP_KERNEL); if (!ax) return -ENOMEM; ax->argc = bprm->argc; ax->envc = bprm->envc; - for (p = bprm->p, to = ax->mem; p < MAX_ARG_PAGES*PAGE_SIZE; p = next) { - struct page *page = bprm->page[p / PAGE_SIZE]; - void *kaddr = kmap(page); - next = (p + PAGE_SIZE) & ~(PAGE_SIZE - 1); - memcpy(to, kaddr + (p & (PAGE_SIZE - 1)), next - p); - to += next - p; - kunmap(page); - } - + ax->mm = bprm->mm; ax->d.type = AUDIT_EXECVE; ax->d.next = context->aux; context->aux = (void *)ax; diff -puN kernel/sysctl.c~audit-rework-execve-audit kernel/sysctl.c --- a/kernel/sysctl.c~audit-rework-execve-audit +++ a/kernel/sysctl.c @@ -78,6 +78,7 @@ extern int percpu_pagelist_fraction; extern int compat_log; extern int maps_protect; extern int sysctl_stat_interval; +extern int audit_argv_kb; /* this is needed for the proc_dointvec_minmax for [fs_]overflow UID and GID */ static int maxolduid = 65535; @@ -306,6 +307,16 @@ static ctl_table kern_table[] = { .mode = 0644, .proc_handler = &proc_dointvec, }, +#ifdef CONFIG_AUDITSYSCALL + { + .ctl_name = CTL_UNNUMBERED, + .procname = "audit_argv_kb", + .data = &audit_argv_kb, + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = &proc_dointvec, + }, +#endif { .ctl_name = KERN_CORE_PATTERN, .procname = "core_pattern", _

16 years, 9 months

5
13
0 / 0

audit 1.5.6 released

by Steve Grubb

Hi, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit It will also be in rawhide soon. The Changelog is: - Fix potential buffer overflow in print clone flags of auparse - Add new App Armor types (John Johansen) - Adjust Menu Location for system-config-audit (Miloslav Trmac) - Fix python traceback parsing watches without perm statement (Miloslav Trmac) - Added databuf_strcat function to auparse (John Dennis) - Update auditctl to handle legacy kernels when putting a watch on a dir - Fix invalid free and memory leak on reload in auditd (Miloslav Trmac) - Fix clone flags in auparse (John Ramsdell) - Add interpretation for F_SETFL of fcntl (John Ramsdell) - Fix acct interpretation in auparse - Makefile cleanups (John Ramsdell) This is nothing but a bugfix release. Anyone using 1.5.5 is advised to upgrade. Please note that the audit event dispatcher will be changing again in the next release. This is the current area of work and this one is considered temporary. This release is primarily to get some other needed fixes out for people to use. I should have a new release soon. Please let me know if there are any problems with this release. -Steve

16 years, 9 months

3
7
0 / 0

[PATCH]: 2nd revision of make xfrm_audit_log more generic

by Joy Latten

This is 2nd revision of patch to modify xfrm_audit_log() such that it can accomodate auditing other ipsec events besides add/delete of an SA or SPD entry. 2nd revision includes new define for all IPsec events in audit.h and introduces "op=" entry in logfile as well as add a hyphen in description for report parsing. This is a small change to accomodate updating ipsec protocol to RFCs 4301, 4302 and 4303 which require auditing some ipsec events if auditing is available. Please let me know if ok. Regards, Joy Signed-off-by: Joy Latten <latten(a)austin.ibm.com> diff -urpN linux-2.6.22/include/linux/audit.h linux-2.6.22.patch/include/linux/audit.h --- linux-2.6.22/include/linux/audit.h 2007-07-23 14:35:28.000000000 -0500 +++ linux-2.6.22.patch/include/linux/audit.h 2007-07-23 14:38:51.000000000 -0500 @@ -112,6 +112,7 @@ #define AUDIT_MAC_IPSEC_DELSA 1412 /* Delete a XFRM state */ #define AUDIT_MAC_IPSEC_ADDSPD 1413 /* Add a XFRM policy */ #define AUDIT_MAC_IPSEC_DELSPD 1414 /* Delete a XFRM policy */ +#define AUDIT_MAC_IPSEC_EVENT 1415 /* Audit IPSec events */ #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG 1799 diff -urpN linux-2.6.22/include/net/xfrm.h linux-2.6.22.patch/include/net/xfrm.h --- linux-2.6.22/include/net/xfrm.h 2007-07-23 14:35:28.000000000 -0500 +++ linux-2.6.22.patch/include/net/xfrm.h 2007-07-23 14:38:51.000000000 -0500 @@ -427,9 +427,11 @@ struct xfrm_audit #ifdef CONFIG_AUDITSYSCALL extern void xfrm_audit_log(uid_t auid, u32 secid, int type, int result, - struct xfrm_policy *xp, struct xfrm_state *x); + u16 family, xfrm_address_t saddr, + xfrm_address_t daddr, __be32 spi, __be32 flowid, + struct xfrm_sec_ctx *sctx, char *buf); #else -#define xfrm_audit_log(a,s,t,r,p,x) do { ; } while (0) +#define xfrm_audit_log(a,i,t,r,f,s,d,p,l,c,b) do { ; } while (0) #endif /* CONFIG_AUDITSYSCALL */ static inline void xfrm_pol_hold(struct xfrm_policy *policy) diff -urpN linux-2.6.22/net/key/af_key.c linux-2.6.22.patch/net/key/af_key.c --- linux-2.6.22/net/key/af_key.c 2007-07-08 18:32:17.000000000 -0500 +++ linux-2.6.22.patch/net/key/af_key.c 2007-07-24 11:50:35.000000000 -0500 @@ -1459,7 +1459,9 @@ static int pfkey_add(struct sock *sk, st err = xfrm_state_update(x); xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, - AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x); + AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, + x->props.family, x->props.saddr, x->id.daddr, + x->id.spi, 0, x->security, "SAD-add"); if (err < 0) { x->km.state = XFRM_STATE_DEAD; @@ -1513,7 +1515,10 @@ static int pfkey_delete(struct sock *sk, km_state_notify(x, &c); out: xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, - AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); + AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, x->props.family, + x->props.saddr, x->id.daddr, x->id.spi, 0, + x->security, "SAD-delete"); + xfrm_state_put(x); return err; @@ -2266,7 +2271,9 @@ static int pfkey_spdadd(struct sock *sk, hdr->sadb_msg_type != SADB_X_SPDUPDATE); xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, - AUDIT_MAC_IPSEC_ADDSPD, err ? 0 : 1, xp, NULL); + AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, + xp->selector.family, xp->selector.saddr, + xp->selector.daddr, 0, 0, xp->security, "SPD-add"); if (err) goto out; @@ -2350,7 +2357,9 @@ static int pfkey_spddelete(struct sock * return -ENOENT; xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, - AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); + AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, + xp->selector.family, xp->selector.saddr, + xp->selector.daddr, 0, 0, xp->security, "SPD-delete"); if (err) goto out; @@ -2611,7 +2620,10 @@ static int pfkey_spdget(struct sock *sk, if (delete) { xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, - AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); + AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, + xp->selector.family, xp->selector.saddr, + xp->selector.daddr, 0, 0, xp->security, + "SPD-delete"); if (err) goto out; diff -urpN linux-2.6.22/net/xfrm/xfrm_policy.c linux-2.6.22.patch/net/xfrm/xfrm_policy.c --- linux-2.6.22/net/xfrm/xfrm_policy.c 2007-07-23 14:35:29.000000000 -0500 +++ linux-2.6.22.patch/net/xfrm/xfrm_policy.c 2007-07-24 11:46:24.000000000 -0500 @@ -853,8 +853,11 @@ xfrm_policy_flush_secctx_check(u8 type, if (err) { xfrm_audit_log(audit_info->loginuid, audit_info->secid, - AUDIT_MAC_IPSEC_DELSPD, 0, - pol, NULL); + AUDIT_MAC_IPSEC_EVENT, 0, + pol->selector.family, + pol->selector.saddr, + pol->selector.daddr, 0, 0, + pol->security, "SPD-delete"); return err; } } @@ -868,8 +871,12 @@ xfrm_policy_flush_secctx_check(u8 type, if (err) { xfrm_audit_log(audit_info->loginuid, audit_info->secid, - AUDIT_MAC_IPSEC_DELSPD, - 0, pol, NULL); + AUDIT_MAC_IPSEC_EVENT, + 0, pol->selector.family, + pol->selector.saddr, + pol->selector.daddr, + 0, 0, pol->security, + "SPD-delete"); return err; } } @@ -911,7 +918,11 @@ int xfrm_policy_flush(u8 type, struct xf write_unlock_bh(&xfrm_policy_lock); xfrm_audit_log(audit_info->loginuid, audit_info->secid, - AUDIT_MAC_IPSEC_DELSPD, 1, pol, NULL); + AUDIT_MAC_IPSEC_EVENT, 1, + pol->selector.family, + pol->selector.saddr, + pol->selector.daddr, 0, 0, + pol->security, "SPD-delete"); xfrm_policy_kill(pol); killed++; @@ -933,8 +944,11 @@ int xfrm_policy_flush(u8 type, struct xf xfrm_audit_log(audit_info->loginuid, audit_info->secid, - AUDIT_MAC_IPSEC_DELSPD, 1, - pol, NULL); + AUDIT_MAC_IPSEC_EVENT, 1, + pol->selector.family, + pol->selector.saddr, + pol->selector.daddr, 0, 0, + pol->security, "SPD-delete"); xfrm_policy_kill(pol); killed++; @@ -2154,44 +2168,23 @@ EXPORT_SYMBOL(xfrm_bundle_ok); /* Audit addition and deletion of SAs and ipsec policy */ void xfrm_audit_log(uid_t auid, u32 sid, int type, int result, - struct xfrm_policy *xp, struct xfrm_state *x) + u16 family, xfrm_address_t saddr, xfrm_address_t daddr, + __be32 spi, __be32 flowlabel, struct xfrm_sec_ctx *sctx, + char *buf) { - char *secctx; u32 secctx_len; - struct xfrm_sec_ctx *sctx = NULL; struct audit_buffer *audit_buf; - int family; extern int audit_enabled; if (audit_enabled == 0) return; - BUG_ON((type == AUDIT_MAC_IPSEC_ADDSA || - type == AUDIT_MAC_IPSEC_DELSA) && !x); - BUG_ON((type == AUDIT_MAC_IPSEC_ADDSPD || - type == AUDIT_MAC_IPSEC_DELSPD) && !xp); - audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type); if (audit_buf == NULL) return; - switch(type) { - case AUDIT_MAC_IPSEC_ADDSA: - audit_log_format(audit_buf, "SAD add: auid=%u", auid); - break; - case AUDIT_MAC_IPSEC_DELSA: - audit_log_format(audit_buf, "SAD delete: auid=%u", auid); - break; - case AUDIT_MAC_IPSEC_ADDSPD: - audit_log_format(audit_buf, "SPD add: auid=%u", auid); - break; - case AUDIT_MAC_IPSEC_DELSPD: - audit_log_format(audit_buf, "SPD delete: auid=%u", auid); - break; - default: - return; - } + audit_log_format(audit_buf, "op=%s: auid=%u", buf, auid); if (sid != 0 && security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) @@ -2199,16 +2192,6 @@ void xfrm_audit_log(uid_t auid, u32 sid, else audit_log_task_context(audit_buf); - if (xp) { - family = xp->selector.family; - if (xp->security) - sctx = xp->security; - } else { - family = x->props.family; - if (x->security) - sctx = x->security; - } - if (sctx) audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s", @@ -2216,48 +2199,24 @@ void xfrm_audit_log(uid_t auid, u32 sid, switch(family) { case AF_INET: - { - struct in_addr saddr, daddr; - if (xp) { - saddr.s_addr = xp->selector.saddr.a4; - daddr.s_addr = xp->selector.daddr.a4; - } else { - saddr.s_addr = x->props.saddr.a4; - daddr.s_addr = x->id.daddr.a4; - } - audit_log_format(audit_buf, - " src=%u.%u.%u.%u dst=%u.%u.%u.%u", - NIPQUAD(saddr), NIPQUAD(daddr)); - } - break; + audit_log_format(audit_buf, + " src=" NIPQUAD_FMT " dst=" NIPQUAD_FMT, + NIPQUAD(saddr.a4), NIPQUAD(daddr.a4)); + break; case AF_INET6: - { - struct in6_addr saddr6, daddr6; - if (xp) { - memcpy(&saddr6, xp->selector.saddr.a6, - sizeof(struct in6_addr)); - memcpy(&daddr6, xp->selector.daddr.a6, - sizeof(struct in6_addr)); - } else { - memcpy(&saddr6, x->props.saddr.a6, - sizeof(struct in6_addr)); - memcpy(&daddr6, x->id.daddr.a6, - sizeof(struct in6_addr)); - } - audit_log_format(audit_buf, - " src=" NIP6_FMT " dst=" NIP6_FMT, - NIP6(saddr6), NIP6(daddr6)); - } + audit_log_format(audit_buf, " src=" NIP6_FMT " dst=" NIP6_FMT, + NIP6(*((struct in6_addr *)&saddr.a6)), + NIP6(*((struct in6_addr *)&daddr.a6))); break; } - if (x) - audit_log_format(audit_buf, " spi=%lu(0x%lx) protocol=%s", - (unsigned long)ntohl(x->id.spi), - (unsigned long)ntohl(x->id.spi), - x->id.proto == IPPROTO_AH ? "AH" : - (x->id.proto == IPPROTO_ESP ? - "ESP" : "IPCOMP")); + if (flowlabel) + audit_log_format(audit_buf, " flowlabel=%u", flowlabel); + + if (spi) + audit_log_format(audit_buf, " spi=%lu(0x%lx)", + (unsigned long)ntohl(spi), + (unsigned long)ntohl(spi)); audit_log_format(audit_buf, " res=%u", result); audit_log_end(audit_buf); diff -urpN linux-2.6.22/net/xfrm/xfrm_state.c linux-2.6.22.patch/net/xfrm/xfrm_state.c --- linux-2.6.22/net/xfrm/xfrm_state.c 2007-07-23 14:35:29.000000000 -0500 +++ linux-2.6.22.patch/net/xfrm/xfrm_state.c 2007-07-24 11:48:27.000000000 -0500 @@ -303,7 +303,9 @@ expired: km_state_expired(x, 1, 0); xfrm_audit_log(audit_get_loginuid(current->audit_context), 0, - AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); + AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, + x->props.family, x->props.saddr, x->id.daddr, x->id.spi, + 0, x->security, "SAD-delete"); out: spin_unlock(&x->lock); @@ -406,9 +408,10 @@ xfrm_state_flush_secctx_check(u8 proto, (err = security_xfrm_state_delete(x)) != 0) { xfrm_audit_log(audit_info->loginuid, audit_info->secid, - AUDIT_MAC_IPSEC_DELSA, - 0, NULL, x); - + AUDIT_MAC_IPSEC_EVENT, 0, + x->props.family, x->props.saddr, + x->id.daddr, x->id.spi, 0, + x->security, "SAD-delete"); return err; } } @@ -446,8 +449,11 @@ restart: err = xfrm_state_delete(x); xfrm_audit_log(audit_info->loginuid, audit_info->secid, - AUDIT_MAC_IPSEC_DELSA, - err ? 0 : 1, NULL, x); + AUDIT_MAC_IPSEC_EVENT, + err ? 0 : 1, x->props.family, + x->props.saddr, x->id.daddr, + x->id.spi, 0, x->security, + "SAD-delete"); xfrm_state_put(x); spin_lock_bh(&xfrm_state_lock); diff -urpN linux-2.6.22/net/xfrm/xfrm_user.c linux-2.6.22.patch/net/xfrm/xfrm_user.c --- linux-2.6.22/net/xfrm/xfrm_user.c 2007-07-08 18:32:17.000000000 -0500 +++ linux-2.6.22.patch/net/xfrm/xfrm_user.c 2007-07-24 11:49:33.000000000 -0500 @@ -456,7 +456,9 @@ static int xfrm_add_sa(struct sk_buff *s err = xfrm_state_update(x); xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, - AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x); + AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, + x->props.family, x->props.saddr, x->id.daddr, + x->id.spi, 0, x->security, "SAD-add"); if (err < 0) { x->km.state = XFRM_STATE_DEAD; @@ -539,7 +541,9 @@ static int xfrm_del_sa(struct sk_buff *s out: xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, - AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x); + AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, + x->props.family, x->props.saddr, x->id.daddr, + x->id.spi, 0, x->security, "SAD-delete"); xfrm_state_put(x); return err; } @@ -1149,7 +1153,9 @@ static int xfrm_add_policy(struct sk_buf excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY; err = xfrm_policy_insert(p->dir, xp, excl); xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, - AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); + AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, + xp->selector.family, xp->selector.saddr, + xp->selector.daddr, 0, 0, xp->security, "SPD-delete"); if (err) { security_xfrm_policy_free(xp); @@ -1395,7 +1401,10 @@ static int xfrm_get_policy(struct sk_buf } } else { xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, - AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL); + AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, + xp->selector.family, xp->selector.saddr, + xp->selector.daddr, 0, 0, xp->security, + "SPD-delete"); if (err != 0) goto out; @@ -1644,8 +1653,9 @@ static int xfrm_add_pol_expire(struct sk if (up->hard) { xfrm_policy_delete(xp, p->dir); xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, - AUDIT_MAC_IPSEC_DELSPD, 1, xp, NULL); - + AUDIT_MAC_IPSEC_EVENT, 1, xp->selector.family, + xp->selector.saddr, xp->selector.daddr, 0, 0, + xp->security, "SPD-delete"); } else { // reset the timers here? printk("Dont know what to do with soft policy expire\n"); @@ -1680,7 +1690,9 @@ static int xfrm_add_sa_expire(struct sk_ if (ue->hard) { __xfrm_state_delete(x); xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid, - AUDIT_MAC_IPSEC_DELSA, 1, NULL, x); + AUDIT_MAC_IPSEC_EVENT, 1, x->props.family, + x->props.saddr, x->id.daddr, x->id.spi, 0, + x->security, "SAD-delete"); } err = 0; out:

16 years, 9 months

2
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit July 2007