[PATCH] audit=0 appears not to completely disable auditing
by Steve Grubb
Hi,
There was a bz, 231371, reporting that current upstream kernels do not completely
disable auditing when boot with audit=0 and the audit daemon not configured to
run. You can reproduce the problem by:
service auditd stop
auditctl -e 0
auditctl -w /etc/passwd
and you'd get an event in syslog:
Mar 9 15:43:04 localhost kernel: audit(1173472984.321:982): auid=4294967295
subj=user_u:system_r:auditctl_t:s0 op=add rule key=(null) list=4 res=1
The patch below solves this problem by checking audit_enabled before creating
an audit event.
Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>
diff -urp linux-2.6.18.x86_64.orig/kernel/audit.c linux-2.6.18.x86_64/kernel/audit.c
--- linux-2.6.18.x86_64.orig/kernel/audit.c 2007-03-09 14:08:18.000000000 -0500
+++ linux-2.6.18.x86_64/kernel/audit.c 2007-03-09 14:06:59.000000000 -0500
@@ -238,46 +238,50 @@ void audit_log_lost(const char *message)
static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
{
- int old = audit_rate_limit;
+ if (audit_enabled) {
+ int old = audit_rate_limit;
- if (sid) {
- char *ctx = NULL;
- u32 len;
- int rc;
- if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
- return rc;
- else
- audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+ if (sid) {
+ char *ctx = NULL;
+ u32 len;
+ int rc;
+ if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
+ return rc;
+ else
+ audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_rate_limit=%d old=%d by auid=%u subj=%s",
- limit, old, loginuid, ctx);
- kfree(ctx);
- } else
- audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
- "audit_rate_limit=%d old=%d by auid=%u",
- limit, old, loginuid);
+ limit, old, loginuid, ctx);
+ kfree(ctx);
+ } else
+ audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+ "audit_rate_limit=%d old=%d by auid=%u",
+ limit, old, loginuid);
+ }
audit_rate_limit = limit;
return 0;
}
static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)
{
- int old = audit_backlog_limit;
+ if (audit_enabled) {
+ int old = audit_backlog_limit;
- if (sid) {
- char *ctx = NULL;
- u32 len;
- int rc;
- if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
- return rc;
- else
- audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+ if (sid) {
+ char *ctx = NULL;
+ u32 len;
+ int rc;
+ if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
+ return rc;
+ else
+ audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_backlog_limit=%d old=%d by auid=%u subj=%s",
- limit, old, loginuid, ctx);
- kfree(ctx);
- } else
- audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
- "audit_backlog_limit=%d old=%d by auid=%u",
- limit, old, loginuid);
+ limit, old, loginuid, ctx);
+ kfree(ctx);
+ } else
+ audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+ "audit_backlog_limit=%d old=%d by auid=%u",
+ limit, old, loginuid);
+ }
audit_backlog_limit = limit;
return 0;
}
@@ -289,21 +293,23 @@ static int audit_set_enabled(int state,
if (state != 0 && state != 1)
return -EINVAL;
- if (sid) {
- char *ctx = NULL;
- u32 len;
- int rc;
- if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
- return rc;
- else
- audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+ if (audit_enabled || state) {
+ if (sid) {
+ char *ctx = NULL;
+ u32 len;
+ int rc;
+ if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
+ return rc;
+ else
+ audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_enabled=%d old=%d by auid=%u subj=%s",
- state, old, loginuid, ctx);
- kfree(ctx);
- } else
- audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
- "audit_enabled=%d old=%d by auid=%u",
- state, old, loginuid);
+ state, old, loginuid, ctx);
+ kfree(ctx);
+ } else
+ audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+ "audit_enabled=%d old=%d by auid=%u",
+ state, old, loginuid);
+ }
audit_enabled = state;
return 0;
}
@@ -317,21 +323,23 @@ static int audit_set_failure(int state,
&& state != AUDIT_FAIL_PANIC)
return -EINVAL;
- if (sid) {
- char *ctx = NULL;
- u32 len;
- int rc;
- if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
- return rc;
- else
- audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+ if (audit_enabled) {
+ if (sid) {
+ char *ctx = NULL;
+ u32 len;
+ int rc;
+ if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
+ return rc;
+ else
+ audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_failure=%d old=%d by auid=%u subj=%s",
- state, old, loginuid, ctx);
- kfree(ctx);
- } else
- audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
- "audit_failure=%d old=%d by auid=%u",
- state, old, loginuid);
+ state, old, loginuid, ctx);
+ kfree(ctx);
+ } else
+ audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+ "audit_failure=%d old=%d by auid=%u",
+ state, old, loginuid);
+ }
audit_failure = state;
return 0;
}
@@ -536,22 +544,26 @@ static int audit_receive_msg(struct sk_b
if (err < 0) return err;
}
if (status_get->mask & AUDIT_STATUS_PID) {
- int old = audit_pid;
- if (sid) {
- if ((err = selinux_ctxid_to_string(
- sid, &ctx, &len)))
- return err;
- else
+ if (audit_enabled) {
+ int old = audit_pid;
+ if (sid) {
+ if ((err = selinux_ctxid_to_string(
+ sid, &ctx, &len)))
+ return err;
+ else
+ audit_log(NULL, GFP_KERNEL,
+ AUDIT_CONFIG_CHANGE,
+ "audit_pid=%d old=%d by auid=%u subj=%s",
+ status_get->pid, old,
+ loginuid, ctx);
+ kfree(ctx);
+ } else
audit_log(NULL, GFP_KERNEL,
AUDIT_CONFIG_CHANGE,
- "audit_pid=%d old=%d by auid=%u subj=%s",
- status_get->pid, old,
- loginuid, ctx);
- kfree(ctx);
- } else
- audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_pid=%d old=%d by auid=%u",
- status_get->pid, old, loginuid);
+ status_get->pid, old,
+ loginuid);
+ }
audit_pid = status_get->pid;
}
if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
diff -urp linux-2.6.18.x86_64.orig/kernel/auditfilter.c linux-2.6.18.x86_64/kernel/auditfilter.c
--- linux-2.6.18.x86_64.orig/kernel/auditfilter.c 2007-03-09 14:08:18.000000000 -0500
+++ linux-2.6.18.x86_64/kernel/auditfilter.c 2007-03-09 14:05:54.000000000 -0500
@@ -95,6 +95,8 @@ extern struct inotify_handle *audit_ih;
/* Inotify events we care about. */
#define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF
+extern int audit_enabled;
+
void audit_free_parent(struct inotify_watch *i_watch)
{
struct audit_parent *parent;
@@ -897,7 +899,6 @@ static void audit_update_watch(struct au
struct audit_watch *owatch, *nwatch, *nextw;
struct audit_krule *r, *nextr;
struct audit_entry *oentry, *nentry;
- struct audit_buffer *ab;
mutex_lock(&audit_filter_mutex);
list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) {
@@ -937,13 +938,18 @@ static void audit_update_watch(struct au
call_rcu(&oentry->rcu, audit_free_rule_rcu);
}
- ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
- audit_log_format(ab, "op=updated rules specifying path=");
- audit_log_untrustedstring(ab, owatch->path);
- audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino);
- audit_log_format(ab, " list=%d res=1", r->listnr);
- audit_log_end(ab);
-
+ if (audit_enabled) {
+ struct audit_buffer *ab;
+ ab = audit_log_start(NULL, GFP_KERNEL,
+ AUDIT_CONFIG_CHANGE);
+ audit_log_format(ab,
+ "op=updated rules specifying path=");
+ audit_log_untrustedstring(ab, owatch->path);
+ audit_log_format(ab, " with dev=%u ino=%lu\n",
+ dev, ino);
+ audit_log_format(ab, " list=%d res=1", r->listnr);
+ audit_log_end(ab);
+ }
audit_remove_watch(owatch);
goto add_watch_to_parent; /* event applies to a single watch */
}
@@ -962,25 +968,28 @@ static void audit_remove_parent_watches(
struct audit_watch *w, *nextw;
struct audit_krule *r, *nextr;
struct audit_entry *e;
- struct audit_buffer *ab;
mutex_lock(&audit_filter_mutex);
parent->flags |= AUDIT_PARENT_INVALID;
list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
e = container_of(r, struct audit_entry, rule);
-
- ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
- audit_log_format(ab, "op=remove rule path=");
- audit_log_untrustedstring(ab, w->path);
- if (r->filterkey) {
- audit_log_format(ab, " key=");
- audit_log_untrustedstring(ab, r->filterkey);
- } else
- audit_log_format(ab, " key=(null)");
- audit_log_format(ab, " list=%d res=1", r->listnr);
- audit_log_end(ab);
-
+ if (audit_enabled) {
+ struct audit_buffer *ab;
+ ab = audit_log_start(NULL, GFP_KERNEL,
+ AUDIT_CONFIG_CHANGE);
+ audit_log_format(ab, "op=remove rule path=");
+ audit_log_untrustedstring(ab, w->path);
+ if (r->filterkey) {
+ audit_log_format(ab, " key=");
+ audit_log_untrustedstring(ab,
+ r->filterkey);
+ } else
+ audit_log_format(ab, " key=(null)");
+ audit_log_format(ab, " list=%d res=1",
+ r->listnr);
+ audit_log_end(ab);
+ }
list_del(&r->rlist);
list_del_rcu(&e->list);
call_rcu(&e->rcu, audit_free_rule_rcu);
@@ -1409,6 +1418,9 @@ static void audit_log_rule_change(uid_t
{
struct audit_buffer *ab;
+ if (!audit_enabled)
+ return;
+
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
if (!ab)
return;
17 years, 3 months
[PATCH] dist target fixes
by John D. Ramsdell
Steve,
I discovered a few more files that are being mistakenly omitted when
using the dist target.
John
Only in b/audit-1.5.6: ab.diff
Only in b/audit-1.5.6: ac.diff
Only in b/audit-1.5.6: aclocal.m4
Only in b/audit-1.5.6/audisp: Makefile
Only in b/audit-1.5.6/audisp: Makefile.in
Only in b/audit-1.5.6: audit-1.5.6.tar.gz
Only in b/audit-1.5.6/auparse: .deps
Only in b/audit-1.5.6/auparse: Makefile
Only in b/audit-1.5.6/auparse: Makefile.in
Only in b/audit-1.5.6/auparse/test: .deps
Only in b/audit-1.5.6/auparse/test: Makefile
diff -ur a/audit-1.5.6/auparse/test/Makefile.am b/audit-1.5.6/auparse/test/Makefile.am
--- a/audit-1.5.6/auparse/test/Makefile.am 2007-05-17 15:26:49.000000000 -0400
+++ b/audit-1.5.6/auparse/test/Makefile.am 2007-07-30 07:20:28.000000000 -0400
@@ -50,6 +50,4 @@
../../bindings/python/build/*/auparse.so: ../../bindings/python/auparse_python.c
cd ../../bindings/python && make
-
-
-
+EXTRA_DIST = auparse_test.py auparse_test.ref
diff -ur a/audit-1.5.6/auparse/test/Makefile.in b/audit-1.5.6/auparse/test/Makefile.in
--- a/audit-1.5.6/auparse/test/Makefile.in 2007-07-25 14:23:12.000000000 -0400
+++ b/audit-1.5.6/auparse/test/Makefile.in 2007-07-30 07:54:28.000000000 -0400
@@ -213,6 +213,7 @@
auparse_test_LDFLAGS = -static
auparse_test_LDADD = -L../.libs/ -L../../lib/.libs -lauparse -laudit
auparse_test_DEPENDENCIES = ../.libs/libauparse.a ../*.c ../*.h
+EXTRA_DIST = auparse_test.py auparse_test.ref
all: all-am
.SUFFIXES:
Only in b/audit-1.5.6: autom4te.cache
Only in b/audit-1.5.6/bindings: Makefile
Only in b/audit-1.5.6/bindings: Makefile.in
Only in b/audit-1.5.6/bindings/python: Makefile
Only in b/audit-1.5.6/bindings/python: Makefile.in
Only in b/audit-1.5.6: b.txt
Only in b/audit-1.5.6: config.h
Only in b/audit-1.5.6: config.h.in
Only in b/audit-1.5.6: config.log
Only in b/audit-1.5.6: config.status
Only in b/audit-1.5.6: configure
Only in b/audit-1.5.6: c.txt
Only in b/audit-1.5.6/docs: Makefile
Only in b/audit-1.5.6/docs: Makefile.in
Only in b/audit-1.5.6/init.d: Makefile
diff -ur a/audit-1.5.6/init.d/Makefile.am b/audit-1.5.6/init.d/Makefile.am
--- a/audit-1.5.6/init.d/Makefile.am 2007-07-25 14:10:53.000000000 -0400
+++ b/audit-1.5.6/init.d/Makefile.am 2007-07-30 07:25:54.000000000 -0400
@@ -22,7 +22,7 @@
CONFIG_CLEAN_FILES = Makefile.in *.rej *.orig
EXTRA_DIST = auditd.init auditd.sysconfig auditd.conf audit.rules \
- auditd.cron libaudit.conf
+ auditd.cron libaudit.conf audispd.conf
libconfig = libaudit.conf
dispconfig = audispd.conf
dispconfigdir = $(sysconfdir)/audisp
Only in b/audit-1.5.6/init.d: Makefile.am~
Only in b/audit-1.5.6/init.d: Makefile.in
Only in b/audit-1.5.6/lib: .deps
Only in b/audit-1.5.6/lib: Makefile
Only in b/audit-1.5.6/lib: Makefile.in
Only in b/audit-1.5.6: libtool
Only in b/audit-1.5.6: Makefile
diff -ur a/audit-1.5.6/Makefile.am b/audit-1.5.6/Makefile.am
--- a/audit-1.5.6/Makefile.am 2007-06-27 06:19:18.000000000 -0400
+++ b/audit-1.5.6/Makefile.am 2007-07-30 07:53:45.000000000 -0400
@@ -21,9 +21,14 @@
# Rickard E. (Rik) Faith <faith(a)redhat.com>
#
-SUBDIRS = lib auparse src/mt src audisp swig bindings init.d docs system-config-audit
-EXTRA_DIST = ChangeLog AUTHORS NEWS README sample.rules contrib/capp.rules contrib/nispom.rules contrib/lspp.rules contrib/skeleton.c README-install audit.spec
-CONFIG_CLEAN_FILES = Makefile.in aclocal.m4* config.h.* configure debug*.list config/*
+SUBDIRS = lib auparse src/mt src audisp swig bindings init.d docs \
+system-config-audit
+EXTRA_DIST = ChangeLog AUTHORS NEWS README sample.rules \
+contrib/capp.rules contrib/nispom.rules contrib/lspp.rules \
+contrib/skeleton.c contrib/avc_snap contrib/avc_syslog \
+system-config-audit.lang README-install audit.spec
+CONFIG_CLEAN_FILES = Makefile.in aclocal.m4* config.h.* configure \
+debug*.list config/*
clean-generic:
rm -rf autom4te*.cache
Only in b/audit-1.5.6: Makefile.am~
Only in b/audit-1.5.6: Makefile.in
Only in b/audit-1.5.6: oaudit-1.5.6.tar.gz
Only in b/audit-1.5.6/src: Makefile
Only in b/audit-1.5.6/src: Makefile.in
Only in b/audit-1.5.6/src/mt: audit_logging.c
Only in b/audit-1.5.6/src/mt: deprecated.c
Only in b/audit-1.5.6/src/mt: libaudit.c
Only in b/audit-1.5.6/src/mt: libaudit.h
Only in b/audit-1.5.6/src/mt: lookup_table.c
Only in b/audit-1.5.6/src/mt: Makefile
Only in b/audit-1.5.6/src/mt: Makefile.in
Only in b/audit-1.5.6/src/mt: message.c
Only in b/audit-1.5.6/src/mt: netlink.c
Only in b/audit-1.5.6/src/mt: private.h
Only in b/audit-1.5.6: stamp-h1
Only in b/audit-1.5.6/swig: audit.py
Only in b/audit-1.5.6/swig: audit_wrap.c
Only in b/audit-1.5.6/swig: .deps
Only in b/audit-1.5.6/swig: Makefile
Only in b/audit-1.5.6/swig: Makefile.in
Only in b/audit-1.5.6/system-config-audit: config.log
Only in b/audit-1.5.6/system-config-audit: config.status
Only in b/audit-1.5.6/system-config-audit: intltool-extract
Only in b/audit-1.5.6/system-config-audit: intltool-merge
Only in b/audit-1.5.6/system-config-audit: intltool-update
Only in b/audit-1.5.6/system-config-audit: libtool
Only in b/audit-1.5.6/system-config-audit: m4.txt
Only in b/audit-1.5.6/system-config-audit: Makefile
diff -ur a/audit-1.5.6/system-config-audit/Makefile.am b/audit-1.5.6/system-config-audit/Makefile.am
--- a/audit-1.5.6/system-config-audit/Makefile.am 2007-07-25 14:25:05.000000000 -0400
+++ b/audit-1.5.6/system-config-audit/Makefile.am 2007-07-30 07:49:09.000000000 -0400
@@ -58,11 +58,21 @@
CLEANFILES = $(applications_DATA) $(bin_SCRIPTS) $(nodist_pkgdata_PYTHON) \
admin/system-config-audit-server.console
DISTCLEANFILES = intltool-extract intltool-merge intltool-update
-EXTRA_DIST = admin/intltool-extract.in admin/intltool-merge.in \
- admin/intltool-update.in admin/system-config-audit-server.console.in \
- admin/system-config-audit-server.pam \
- src/settings.py.in src/system-config-audit.in \
- system-config-audit.desktop.in
+EXTRA_DIST = admin/intltool-extract.in admin/intltool-merge.in \
+ admin/intltool-update.in \
+ admin/system-config-audit-server.console.in \
+ admin/system-config-audit-server.pam src/settings.py.in \
+ src/system-config-audit.in system-config-audit.desktop.in \
+ m4/codeset.m4 m4/gettext.m4 m4/glibc21.m4 m4/glibc2.m4 \
+ m4/iconv.m4 m4/intdiv0.m4 m4/intldir.m4 m4/intl.m4 \
+ m4/intmax.m4 m4/inttypes_h.m4 m4/inttypes.m4 \
+ m4/inttypes-pri.m4 m4/isc-posix.m4 m4/lcmessage.m4 \
+ m4/lib-ld.m4 m4/lib-link.m4 m4/lib-prefix.m4 m4/lock.m4 \
+ m4/longdouble.m4 m4/longlong.m4 m4/nls.m4 m4/po.m4 \
+ m4/printf-posix.m4 m4/progtest.m4 m4/signed.m4 m4/size_max.m4 \
+ m4/stdint_h.m4 m4/uintmax_t.m4 m4/ulonglong.m4 \
+ m4/visibility.m4 m4/wchar_t.m4 m4/wint_t.m4 m4/xsize.m4
+
src_system_config_audit_server_SOURCES = src/server.c src/server.h
src_system_config_audit_server_CPPFLAGS = $(AM_CPPFLAGS) \
Only in b/audit-1.5.6/system-config-audit: Makefile.am~
diff -ur a/audit-1.5.6/system-config-audit/Makefile.in b/audit-1.5.6/system-config-audit/Makefile.in
--- a/audit-1.5.6/system-config-audit/Makefile.in 2007-07-25 14:23:56.000000000 -0400
+++ b/audit-1.5.6/system-config-audit/Makefile.in 2007-07-30 07:50:07.000000000 -0400
@@ -314,12 +314,21 @@
CLEANFILES = $(applications_DATA) $(bin_SCRIPTS) $(nodist_pkgdata_PYTHON) \
admin/system-config-audit-server.console
-DISTCLEANFILES = intltool-extract intltool-merge intltool-update src/.libs
-EXTRA_DIST = admin/intltool-extract.in admin/intltool-merge.in \
- admin/intltool-update.in admin/system-config-audit-server.console.in \
- admin/system-config-audit-server.pam \
- src/settings.py.in src/system-config-audit.in \
- system-config-audit.desktop.in
+DISTCLEANFILES = intltool-extract intltool-merge intltool-update
+EXTRA_DIST = admin/intltool-extract.in admin/intltool-merge.in \
+ admin/intltool-update.in \
+ admin/system-config-audit-server.console.in \
+ admin/system-config-audit-server.pam src/settings.py.in \
+ src/system-config-audit.in system-config-audit.desktop.in \
+ m4/codeset.m4 m4/gettext.m4 m4/glibc21.m4 m4/glibc2.m4 \
+ m4/iconv.m4 m4/intdiv0.m4 m4/intldir.m4 m4/intl.m4 \
+ m4/intmax.m4 m4/inttypes_h.m4 m4/inttypes.m4 \
+ m4/inttypes-pri.m4 m4/isc-posix.m4 m4/lcmessage.m4 \
+ m4/lib-ld.m4 m4/lib-link.m4 m4/lib-prefix.m4 m4/lock.m4 \
+ m4/longdouble.m4 m4/longlong.m4 m4/nls.m4 m4/po.m4 \
+ m4/printf-posix.m4 m4/progtest.m4 m4/signed.m4 m4/size_max.m4 \
+ m4/stdint_h.m4 m4/uintmax_t.m4 m4/ulonglong.m4 \
+ m4/visibility.m4 m4/wchar_t.m4 m4/wint_t.m4 m4/xsize.m4
src_system_config_audit_server_SOURCES = src/server.c src/server.h
src_system_config_audit_server_CPPFLAGS = $(AM_CPPFLAGS) \
Only in b/audit-1.5.6/system-config-audit/po: Makefile
Only in b/audit-1.5.6/system-config-audit/po: Makefile.in
Only in b/audit-1.5.6/system-config-audit/po: POTFILES
Only in b/audit-1.5.6/system-config-audit/po: stamp-it
Only in b/audit-1.5.6/system-config-audit/src: config.h
Only in b/audit-1.5.6/system-config-audit/src: .deps
Only in b/audit-1.5.6/system-config-audit/src: stamp-h1
17 years, 4 months
Audit with path exception rule
by Ameel Kamboh
I would like to audit the file system for anyone creating new files
However I would like to exclude a directory from the watch list.
Here is the sample I have:
#3. create/Remove any files
-a exit,always -S creat -F path!=/var/myApp <--- line 21
-a exit,always -S unlink -F path!=/var/myApp
This is giving me the following error:
auditctl -R test.rules
No rules
AUDIT_STATUS: enabled=1 flag=1 pid=3413 rate_limit=0 backlog_limit=1024
lost=0 backlog=0
Error sending add rule data request (Invalid argument)
There was an error in line 21 of test.rules
Ameel Kamboh
SIP Core Network and Security
Phone: 972.685.4922 (esn 445-4922)
Mobile: 978-590-2280
SIP: akamboh(a)techtrial.com
email: akamboh(a)nortel.com
17 years, 4 months
High-level audit parser module
by John D. Ramsdell
John,
I'm working on a high-level audit reading Python library built on top
of the auparse module. I suspect it could be made to be useful to
others besides myself. I have enclosed the generated documentation
for the relevant classes in my module.
If you think it could be generally useful, the key question is what
methods should be defined in the AuditEvent and AuditRecord classes.
Some of the current ones are too specific to my needs.
CLASSES
class AuditEvent(__builtin__.list)
| AuditEvent(AuEvent)
|
| An audit event is represented as a list of AuditRecord's. Each
| AuditRecord is a dictionary that represents one of the records
| that make up the event.
|
| Method resolution order:
| AuditEvent
| __builtin__.list
| __builtin__.object
|
| Methods defined here:
|
| __init__(self, timestamp)
|
| find_record_of_type(self, typ)
| Find record of type
|
| Returns a record in the event that has the given type.
| Returns None when there is no such record.
|
| find_value(self, name)
| Find a value
|
| Returns a value associated with the given name in some record
| in the event. Raises KeyError if no field has the given name.
|
| get_timestamp(self)
| Get the timestamp associated with this event.
|
| path_name(self, item)
| Find name and security context in PATH record
|
| Return the name and the security context in a PATH record that
| matches the given item number. Raises KeyError if PATH record
| cannot be found.
|
| ----------------------------------------------------------------------
| Data descriptors defined here:
|
| __dict__
| dictionary for instance variables (if defined)
|
| __weakref__
| list of weak references to the object (if defined)
|
| ----------------------------------------------------------------------
| Methods inherited from __builtin__.list:
!!! inherited methods omitted !!!
class AuditLog(__builtin__.object)
| AuditLog(AuParser or file, bool)
|
| Encapsulates a log accessed by the auparse module. It provides an
| interator to the log's events. Each call to the next method of
| the interator returns an AuditEvent. The boolean determines if
| numeric entities in fields are interpreted.
|
| Methods defined here:
|
| __init__(self, au, interpret=False)
|
| __iter__(self)
|
| ----------------------------------------------------------------------
| Data descriptors defined here:
|
| __dict__
| dictionary for instance variables (if defined)
|
| __weakref__
| list of weak references to the object (if defined)
class AuditLogIter(__builtin__.object)
| AuditLogIter(AuditLog)
|
| An iterator for an audit log.
|
| Methods defined here:
|
| __init__(self, aulog)
|
| next(self)
| Returns an AuditEvent
|
| ----------------------------------------------------------------------
| Data descriptors defined here:
|
| __dict__
| dictionary for instance variables (if defined)
|
| __weakref__
| list of weak references to the object (if defined)
class AuditRecord(__builtin__.dict)
| AuditRecord(AuditEvent)
|
| An audit record is a dictionary.
|
| Method resolution order:
| AuditRecord
| __builtin__.dict
| __builtin__.object
|
| Methods defined here:
|
| __init__(self, event)
|
| get_event(self)
| Get the event associated with this record.
|
| path_name_record(self, item)
| Find name and security context in PATH record
|
| Return the name and the security context in a PATH record that
| matches the given item number. Raises KeyError if PATH record
| cannot be found.
|
| ----------------------------------------------------------------------
| Data descriptors defined here:
|
| __dict__
| dictionary for instance variables (if defined)
|
| __weakref__
| list of weak references to the object (if defined)
|
| ----------------------------------------------------------------------
| Methods inherited from __builtin__.dict:
!!! inherited methods omitted !!!
17 years, 4 months
New audit record types for static network labels
by Paul Moore
I am currently working on a series of patches to add support for static
external network labels to NetLabel/SELinux. The idea is that a user could
define a physical interface, IP address, address mask, and context which
would be applied as an external label to the packet when an explicit label
was not present. This is similar to other trusted OSs which allow
administrators to assign labels to single level, unlabeled networks. For
those of you following the SELinux list it was discussed a month or two ago.
This is relevant to the audit subsystem because adding/removing these
address/context entries should most likely be audited for the same reasons we
audit other NetLabel or XFRM labeling related configuration changes. To
accomplish this I would like to suggest the addition of the following record
types, comments?
#define AUDIT_MAC_UNLBL_STATICADD 14XX /* NetLabel: add a static label */
#define AUDIT_MAC_UNLBL_STATICDEL 14XX /* NetLabel: del a static label */
--
paul moore
linux security @ hp
17 years, 5 months
selinux_audit_set_callback
by Casey Schaufler
What is the rationale behind the selinux_audit_set_callback()
mechanism? It looks for all the world as if the selinux code
ought to be able to call the registered function directly.
Casey Schaufler
casey(a)schaufler-ca.com
17 years, 5 months
[2.6 patch] kernel/audit.c: change the exports to EXPORT_SYMBOL_GPL
by Adrian Bunk
This patch changes some completely unused audit exports from
EXPORT_SYMBOL to EXPORT_SYMBOL_GPL.
They are still completely unused, but hopefully some of the theoretical
code that might use it will appear in the kernel in the near future...
Signed-off-by: Adrian Bunk <bunk(a)stusta.de>
Acked-by: Steve Grubb <sgrubb(a)redhat.com>
---
This patch has been sent on:
- 11 Dec 2006
--- linux-2.6.19-mm1/kernel/audit.c.old 2006-12-11 20:13:54.000000000 +0100
+++ linux-2.6.19-mm1/kernel/audit.c 2006-12-11 20:14:19.000000000 +0100
@@ -1209,7 +1209,7 @@
}
}
-EXPORT_SYMBOL(audit_log_start);
-EXPORT_SYMBOL(audit_log_end);
-EXPORT_SYMBOL(audit_log_format);
-EXPORT_SYMBOL(audit_log);
+EXPORT_SYMBOL_GPL(audit_log_start);
+EXPORT_SYMBOL_GPL(audit_log_end);
+EXPORT_SYMBOL_GPL(audit_log_format);
+EXPORT_SYMBOL_GPL(audit_log);
17 years, 5 months
[patch 058/209] audit: rework execve audit
by akpm@linux-foundation.org
From: Peter Zijlstra <a.p.zijlstra(a)chello.nl>
The purpose of audit_bprm() is to log the argv array to a userspace daemon at
the end of the execve system call. Since user-space hasn't had time to run,
this array is still in pristine state on the process' stack; so no need to
copy it, we can just grab it from there.
In order to minimize the damage to audit_log_*() copy each string into a
temporary kernel buffer first.
Currently the audit code requires that the full argument vector fits in a
single packet. So currently it does clip the argv size to a (sysctl) limit,
but only when execve auditing is enabled.
If the audit protocol gets extended to allow for multiple packets this check
can be removed.
Signed-off-by: Peter Zijlstra <a.p.zijlstra(a)chello.nl>
Signed-off-by: Ollie Wild <aaw(a)google.com>
Cc: <linux-audit(a)redhat.com>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---
Documentation/filesystems/proc.txt | 7 ++
fs/exec.c | 3
include/linux/binfmts.h | 1
kernel/auditsc.c | 84 ++++++++++++++++++++-------
kernel/sysctl.c | 11 +++
5 files changed, 85 insertions(+), 21 deletions(-)
diff -puN Documentation/filesystems/proc.txt~audit-rework-execve-audit Documentation/filesystems/proc.txt
--- a/Documentation/filesystems/proc.txt~audit-rework-execve-audit
+++ a/Documentation/filesystems/proc.txt
@@ -1065,6 +1065,13 @@ check the amount of free space (value is
resume it if we have a value of 3 or more percent; consider information about
the amount of free space valid for 30 seconds
+audit_argv_kb
+-------------
+
+The file contains a single value denoting the limit on the argv array size
+for execve (in KiB). This limit is only applied when system call auditing for
+execve is enabled, otherwise the value is ignored.
+
ctrl-alt-del
------------
diff -puN fs/exec.c~audit-rework-execve-audit fs/exec.c
--- a/fs/exec.c~audit-rework-execve-audit
+++ a/fs/exec.c
@@ -1154,6 +1154,7 @@ int do_execve(char * filename,
{
struct linux_binprm *bprm;
struct file *file;
+ unsigned long env_p;
int retval;
int i;
@@ -1208,9 +1209,11 @@ int do_execve(char * filename,
if (retval < 0)
goto out;
+ env_p = bprm->p;
retval = copy_strings(bprm->argc, argv, bprm);
if (retval < 0)
goto out;
+ bprm->argv_len = env_p - bprm->p;
retval = search_binary_handler(bprm,regs);
if (retval >= 0) {
diff -puN include/linux/binfmts.h~audit-rework-execve-audit include/linux/binfmts.h
--- a/include/linux/binfmts.h~audit-rework-execve-audit
+++ a/include/linux/binfmts.h
@@ -40,6 +40,7 @@ struct linux_binprm{
unsigned interp_flags;
unsigned interp_data;
unsigned long loader, exec;
+ unsigned long argv_len;
};
#define BINPRM_FLAGS_ENFORCE_NONDUMP_BIT 0
diff -puN kernel/auditsc.c~audit-rework-execve-audit kernel/auditsc.c
--- a/kernel/auditsc.c~audit-rework-execve-audit
+++ a/kernel/auditsc.c
@@ -153,7 +153,7 @@ struct audit_aux_data_execve {
struct audit_aux_data d;
int argc;
int envc;
- char mem[0];
+ struct mm_struct *mm;
};
struct audit_aux_data_socketcall {
@@ -831,6 +831,55 @@ static int audit_log_pid_context(struct
return rc;
}
+static void audit_log_execve_info(struct audit_buffer *ab,
+ struct audit_aux_data_execve *axi)
+{
+ int i;
+ long len, ret;
+ const char __user *p = (const char __user *)axi->mm->arg_start;
+ char *buf;
+
+ if (axi->mm != current->mm)
+ return; /* execve failed, no additional info */
+
+ for (i = 0; i < axi->argc; i++, p += len) {
+ len = strnlen_user(p, MAX_ARG_PAGES*PAGE_SIZE);
+ /*
+ * We just created this mm, if we can't find the strings
+ * we just copied into it something is _very_ wrong. Similar
+ * for strings that are too long, we should not have created
+ * any.
+ */
+ if (!len || len > MAX_ARG_STRLEN) {
+ WARN_ON(1);
+ send_sig(SIGKILL, current, 0);
+ }
+
+ buf = kmalloc(len, GFP_KERNEL);
+ if (!buf) {
+ audit_panic("out of memory for argv string\n");
+ break;
+ }
+
+ ret = copy_from_user(buf, p, len);
+ /*
+ * There is no reason for this copy to be short. We just
+ * copied them here, and the mm hasn't been exposed to user-
+ * space yet.
+ */
+ if (!ret) {
+ WARN_ON(1);
+ send_sig(SIGKILL, current, 0);
+ }
+
+ audit_log_format(ab, "a%d=", i);
+ audit_log_untrustedstring(ab, buf);
+ audit_log_format(ab, "\n");
+
+ kfree(buf);
+ }
+}
+
static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
{
int i, call_panic = 0;
@@ -971,13 +1020,7 @@ static void audit_log_exit(struct audit_
case AUDIT_EXECVE: {
struct audit_aux_data_execve *axi = (void *)aux;
- int i;
- const char *p;
- for (i = 0, p = axi->mem; i < axi->argc; i++) {
- audit_log_format(ab, "a%d=", i);
- p = audit_log_untrustedstring(ab, p);
- audit_log_format(ab, "\n");
- }
+ audit_log_execve_info(ab, axi);
break; }
case AUDIT_SOCKETCALL: {
@@ -1821,32 +1864,31 @@ int __audit_ipc_set_perm(unsigned long q
return 0;
}
+int audit_argv_kb = 32;
+
int audit_bprm(struct linux_binprm *bprm)
{
struct audit_aux_data_execve *ax;
struct audit_context *context = current->audit_context;
- unsigned long p, next;
- void *to;
if (likely(!audit_enabled || !context || context->dummy))
return 0;
- ax = kmalloc(sizeof(*ax) + PAGE_SIZE * MAX_ARG_PAGES - bprm->p,
- GFP_KERNEL);
+ /*
+ * Even though the stack code doesn't limit the arg+env size any more,
+ * the audit code requires that _all_ arguments be logged in a single
+ * netlink skb. Hence cap it :-(
+ */
+ if (bprm->argv_len > (audit_argv_kb << 10))
+ return -E2BIG;
+
+ ax = kmalloc(sizeof(*ax), GFP_KERNEL);
if (!ax)
return -ENOMEM;
ax->argc = bprm->argc;
ax->envc = bprm->envc;
- for (p = bprm->p, to = ax->mem; p < MAX_ARG_PAGES*PAGE_SIZE; p = next) {
- struct page *page = bprm->page[p / PAGE_SIZE];
- void *kaddr = kmap(page);
- next = (p + PAGE_SIZE) & ~(PAGE_SIZE - 1);
- memcpy(to, kaddr + (p & (PAGE_SIZE - 1)), next - p);
- to += next - p;
- kunmap(page);
- }
-
+ ax->mm = bprm->mm;
ax->d.type = AUDIT_EXECVE;
ax->d.next = context->aux;
context->aux = (void *)ax;
diff -puN kernel/sysctl.c~audit-rework-execve-audit kernel/sysctl.c
--- a/kernel/sysctl.c~audit-rework-execve-audit
+++ a/kernel/sysctl.c
@@ -78,6 +78,7 @@ extern int percpu_pagelist_fraction;
extern int compat_log;
extern int maps_protect;
extern int sysctl_stat_interval;
+extern int audit_argv_kb;
/* this is needed for the proc_dointvec_minmax for [fs_]overflow UID and GID */
static int maxolduid = 65535;
@@ -306,6 +307,16 @@ static ctl_table kern_table[] = {
.mode = 0644,
.proc_handler = &proc_dointvec,
},
+#ifdef CONFIG_AUDITSYSCALL
+ {
+ .ctl_name = CTL_UNNUMBERED,
+ .procname = "audit_argv_kb",
+ .data = &audit_argv_kb,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec,
+ },
+#endif
{
.ctl_name = KERN_CORE_PATTERN,
.procname = "core_pattern",
_
17 years, 5 months
audit 1.5.6 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
soon. The Changelog is:
- Fix potential buffer overflow in print clone flags of auparse
- Add new App Armor types (John Johansen)
- Adjust Menu Location for system-config-audit (Miloslav Trmac)
- Fix python traceback parsing watches without perm statement (Miloslav Trmac)
- Added databuf_strcat function to auparse (John Dennis)
- Update auditctl to handle legacy kernels when putting a watch on a dir
- Fix invalid free and memory leak on reload in auditd (Miloslav Trmac)
- Fix clone flags in auparse (John Ramsdell)
- Add interpretation for F_SETFL of fcntl (John Ramsdell)
- Fix acct interpretation in auparse
- Makefile cleanups (John Ramsdell)
This is nothing but a bugfix release. Anyone using 1.5.5 is advised to
upgrade.
Please note that the audit event dispatcher will be changing again in the next
release. This is the current area of work and this one is considered
temporary. This release is primarily to get some other needed fixes out for
people to use. I should have a new release soon.
Please let me know if there are any problems with this release.
-Steve
17 years, 5 months
[PATCH]: 2nd revision of make xfrm_audit_log more generic
by Joy Latten
This is 2nd revision of patch to modify xfrm_audit_log() such
that it can accomodate auditing other ipsec events
besides add/delete of an SA or SPD entry.
2nd revision includes new define for all IPsec
events in audit.h and introduces "op=" entry
in logfile as well as add a hyphen in description
for report parsing.
This is a small change to accomodate updating
ipsec protocol to RFCs 4301, 4302 and 4303 which
require auditing some ipsec events if auditing
is available. Please let me know if ok.
Regards,
Joy
Signed-off-by: Joy Latten <latten(a)austin.ibm.com>
diff -urpN linux-2.6.22/include/linux/audit.h linux-2.6.22.patch/include/linux/audit.h
--- linux-2.6.22/include/linux/audit.h 2007-07-23 14:35:28.000000000 -0500
+++ linux-2.6.22.patch/include/linux/audit.h 2007-07-23 14:38:51.000000000 -0500
@@ -112,6 +112,7 @@
#define AUDIT_MAC_IPSEC_DELSA 1412 /* Delete a XFRM state */
#define AUDIT_MAC_IPSEC_ADDSPD 1413 /* Add a XFRM policy */
#define AUDIT_MAC_IPSEC_DELSPD 1414 /* Delete a XFRM policy */
+#define AUDIT_MAC_IPSEC_EVENT 1415 /* Audit IPSec events */
#define AUDIT_FIRST_KERN_ANOM_MSG 1700
#define AUDIT_LAST_KERN_ANOM_MSG 1799
diff -urpN linux-2.6.22/include/net/xfrm.h linux-2.6.22.patch/include/net/xfrm.h
--- linux-2.6.22/include/net/xfrm.h 2007-07-23 14:35:28.000000000 -0500
+++ linux-2.6.22.patch/include/net/xfrm.h 2007-07-23 14:38:51.000000000 -0500
@@ -427,9 +427,11 @@ struct xfrm_audit
#ifdef CONFIG_AUDITSYSCALL
extern void xfrm_audit_log(uid_t auid, u32 secid, int type, int result,
- struct xfrm_policy *xp, struct xfrm_state *x);
+ u16 family, xfrm_address_t saddr,
+ xfrm_address_t daddr, __be32 spi, __be32 flowid,
+ struct xfrm_sec_ctx *sctx, char *buf);
#else
-#define xfrm_audit_log(a,s,t,r,p,x) do { ; } while (0)
+#define xfrm_audit_log(a,i,t,r,f,s,d,p,l,c,b) do { ; } while (0)
#endif /* CONFIG_AUDITSYSCALL */
static inline void xfrm_pol_hold(struct xfrm_policy *policy)
diff -urpN linux-2.6.22/net/key/af_key.c linux-2.6.22.patch/net/key/af_key.c
--- linux-2.6.22/net/key/af_key.c 2007-07-08 18:32:17.000000000 -0500
+++ linux-2.6.22.patch/net/key/af_key.c 2007-07-24 11:50:35.000000000 -0500
@@ -1459,7 +1459,9 @@ static int pfkey_add(struct sock *sk, st
err = xfrm_state_update(x);
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ x->props.family, x->props.saddr, x->id.daddr,
+ x->id.spi, 0, x->security, "SAD-add");
if (err < 0) {
x->km.state = XFRM_STATE_DEAD;
@@ -1513,7 +1515,10 @@ static int pfkey_delete(struct sock *sk,
km_state_notify(x, &c);
out:
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, x->props.family,
+ x->props.saddr, x->id.daddr, x->id.spi, 0,
+ x->security, "SAD-delete");
+
xfrm_state_put(x);
return err;
@@ -2266,7 +2271,9 @@ static int pfkey_spdadd(struct sock *sk,
hdr->sadb_msg_type != SADB_X_SPDUPDATE);
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_ADDSPD, err ? 0 : 1, xp, NULL);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ xp->selector.family, xp->selector.saddr,
+ xp->selector.daddr, 0, 0, xp->security, "SPD-add");
if (err)
goto out;
@@ -2350,7 +2357,9 @@ static int pfkey_spddelete(struct sock *
return -ENOENT;
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ xp->selector.family, xp->selector.saddr,
+ xp->selector.daddr, 0, 0, xp->security, "SPD-delete");
if (err)
goto out;
@@ -2611,7 +2620,10 @@ static int pfkey_spdget(struct sock *sk,
if (delete) {
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ xp->selector.family, xp->selector.saddr,
+ xp->selector.daddr, 0, 0, xp->security,
+ "SPD-delete");
if (err)
goto out;
diff -urpN linux-2.6.22/net/xfrm/xfrm_policy.c linux-2.6.22.patch/net/xfrm/xfrm_policy.c
--- linux-2.6.22/net/xfrm/xfrm_policy.c 2007-07-23 14:35:29.000000000 -0500
+++ linux-2.6.22.patch/net/xfrm/xfrm_policy.c 2007-07-24 11:46:24.000000000 -0500
@@ -853,8 +853,11 @@ xfrm_policy_flush_secctx_check(u8 type,
if (err) {
xfrm_audit_log(audit_info->loginuid,
audit_info->secid,
- AUDIT_MAC_IPSEC_DELSPD, 0,
- pol, NULL);
+ AUDIT_MAC_IPSEC_EVENT, 0,
+ pol->selector.family,
+ pol->selector.saddr,
+ pol->selector.daddr, 0, 0,
+ pol->security, "SPD-delete");
return err;
}
}
@@ -868,8 +871,12 @@ xfrm_policy_flush_secctx_check(u8 type,
if (err) {
xfrm_audit_log(audit_info->loginuid,
audit_info->secid,
- AUDIT_MAC_IPSEC_DELSPD,
- 0, pol, NULL);
+ AUDIT_MAC_IPSEC_EVENT,
+ 0, pol->selector.family,
+ pol->selector.saddr,
+ pol->selector.daddr,
+ 0, 0, pol->security,
+ "SPD-delete");
return err;
}
}
@@ -911,7 +918,11 @@ int xfrm_policy_flush(u8 type, struct xf
write_unlock_bh(&xfrm_policy_lock);
xfrm_audit_log(audit_info->loginuid, audit_info->secid,
- AUDIT_MAC_IPSEC_DELSPD, 1, pol, NULL);
+ AUDIT_MAC_IPSEC_EVENT, 1,
+ pol->selector.family,
+ pol->selector.saddr,
+ pol->selector.daddr, 0, 0,
+ pol->security, "SPD-delete");
xfrm_policy_kill(pol);
killed++;
@@ -933,8 +944,11 @@ int xfrm_policy_flush(u8 type, struct xf
xfrm_audit_log(audit_info->loginuid,
audit_info->secid,
- AUDIT_MAC_IPSEC_DELSPD, 1,
- pol, NULL);
+ AUDIT_MAC_IPSEC_EVENT, 1,
+ pol->selector.family,
+ pol->selector.saddr,
+ pol->selector.daddr, 0, 0,
+ pol->security, "SPD-delete");
xfrm_policy_kill(pol);
killed++;
@@ -2154,44 +2168,23 @@ EXPORT_SYMBOL(xfrm_bundle_ok);
/* Audit addition and deletion of SAs and ipsec policy */
void xfrm_audit_log(uid_t auid, u32 sid, int type, int result,
- struct xfrm_policy *xp, struct xfrm_state *x)
+ u16 family, xfrm_address_t saddr, xfrm_address_t daddr,
+ __be32 spi, __be32 flowlabel, struct xfrm_sec_ctx *sctx,
+ char *buf)
{
-
char *secctx;
u32 secctx_len;
- struct xfrm_sec_ctx *sctx = NULL;
struct audit_buffer *audit_buf;
- int family;
extern int audit_enabled;
if (audit_enabled == 0)
return;
- BUG_ON((type == AUDIT_MAC_IPSEC_ADDSA ||
- type == AUDIT_MAC_IPSEC_DELSA) && !x);
- BUG_ON((type == AUDIT_MAC_IPSEC_ADDSPD ||
- type == AUDIT_MAC_IPSEC_DELSPD) && !xp);
-
audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type);
if (audit_buf == NULL)
return;
- switch(type) {
- case AUDIT_MAC_IPSEC_ADDSA:
- audit_log_format(audit_buf, "SAD add: auid=%u", auid);
- break;
- case AUDIT_MAC_IPSEC_DELSA:
- audit_log_format(audit_buf, "SAD delete: auid=%u", auid);
- break;
- case AUDIT_MAC_IPSEC_ADDSPD:
- audit_log_format(audit_buf, "SPD add: auid=%u", auid);
- break;
- case AUDIT_MAC_IPSEC_DELSPD:
- audit_log_format(audit_buf, "SPD delete: auid=%u", auid);
- break;
- default:
- return;
- }
+ audit_log_format(audit_buf, "op=%s: auid=%u", buf, auid);
if (sid != 0 &&
security_secid_to_secctx(sid, &secctx, &secctx_len) == 0)
@@ -2199,16 +2192,6 @@ void xfrm_audit_log(uid_t auid, u32 sid,
else
audit_log_task_context(audit_buf);
- if (xp) {
- family = xp->selector.family;
- if (xp->security)
- sctx = xp->security;
- } else {
- family = x->props.family;
- if (x->security)
- sctx = x->security;
- }
-
if (sctx)
audit_log_format(audit_buf,
" sec_alg=%u sec_doi=%u sec_obj=%s",
@@ -2216,48 +2199,24 @@ void xfrm_audit_log(uid_t auid, u32 sid,
switch(family) {
case AF_INET:
- {
- struct in_addr saddr, daddr;
- if (xp) {
- saddr.s_addr = xp->selector.saddr.a4;
- daddr.s_addr = xp->selector.daddr.a4;
- } else {
- saddr.s_addr = x->props.saddr.a4;
- daddr.s_addr = x->id.daddr.a4;
- }
- audit_log_format(audit_buf,
- " src=%u.%u.%u.%u dst=%u.%u.%u.%u",
- NIPQUAD(saddr), NIPQUAD(daddr));
- }
- break;
+ audit_log_format(audit_buf,
+ " src=" NIPQUAD_FMT " dst=" NIPQUAD_FMT,
+ NIPQUAD(saddr.a4), NIPQUAD(daddr.a4));
+ break;
case AF_INET6:
- {
- struct in6_addr saddr6, daddr6;
- if (xp) {
- memcpy(&saddr6, xp->selector.saddr.a6,
- sizeof(struct in6_addr));
- memcpy(&daddr6, xp->selector.daddr.a6,
- sizeof(struct in6_addr));
- } else {
- memcpy(&saddr6, x->props.saddr.a6,
- sizeof(struct in6_addr));
- memcpy(&daddr6, x->id.daddr.a6,
- sizeof(struct in6_addr));
- }
- audit_log_format(audit_buf,
- " src=" NIP6_FMT " dst=" NIP6_FMT,
- NIP6(saddr6), NIP6(daddr6));
- }
+ audit_log_format(audit_buf, " src=" NIP6_FMT " dst=" NIP6_FMT,
+ NIP6(*((struct in6_addr *)&saddr.a6)),
+ NIP6(*((struct in6_addr *)&daddr.a6)));
break;
}
- if (x)
- audit_log_format(audit_buf, " spi=%lu(0x%lx) protocol=%s",
- (unsigned long)ntohl(x->id.spi),
- (unsigned long)ntohl(x->id.spi),
- x->id.proto == IPPROTO_AH ? "AH" :
- (x->id.proto == IPPROTO_ESP ?
- "ESP" : "IPCOMP"));
+ if (flowlabel)
+ audit_log_format(audit_buf, " flowlabel=%u", flowlabel);
+
+ if (spi)
+ audit_log_format(audit_buf, " spi=%lu(0x%lx)",
+ (unsigned long)ntohl(spi),
+ (unsigned long)ntohl(spi));
audit_log_format(audit_buf, " res=%u", result);
audit_log_end(audit_buf);
diff -urpN linux-2.6.22/net/xfrm/xfrm_state.c linux-2.6.22.patch/net/xfrm/xfrm_state.c
--- linux-2.6.22/net/xfrm/xfrm_state.c 2007-07-23 14:35:29.000000000 -0500
+++ linux-2.6.22.patch/net/xfrm/xfrm_state.c 2007-07-24 11:48:27.000000000 -0500
@@ -303,7 +303,9 @@ expired:
km_state_expired(x, 1, 0);
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ x->props.family, x->props.saddr, x->id.daddr, x->id.spi,
+ 0, x->security, "SAD-delete");
out:
spin_unlock(&x->lock);
@@ -406,9 +408,10 @@ xfrm_state_flush_secctx_check(u8 proto,
(err = security_xfrm_state_delete(x)) != 0) {
xfrm_audit_log(audit_info->loginuid,
audit_info->secid,
- AUDIT_MAC_IPSEC_DELSA,
- 0, NULL, x);
-
+ AUDIT_MAC_IPSEC_EVENT, 0,
+ x->props.family, x->props.saddr,
+ x->id.daddr, x->id.spi, 0,
+ x->security, "SAD-delete");
return err;
}
}
@@ -446,8 +449,11 @@ restart:
err = xfrm_state_delete(x);
xfrm_audit_log(audit_info->loginuid,
audit_info->secid,
- AUDIT_MAC_IPSEC_DELSA,
- err ? 0 : 1, NULL, x);
+ AUDIT_MAC_IPSEC_EVENT,
+ err ? 0 : 1, x->props.family,
+ x->props.saddr, x->id.daddr,
+ x->id.spi, 0, x->security,
+ "SAD-delete");
xfrm_state_put(x);
spin_lock_bh(&xfrm_state_lock);
diff -urpN linux-2.6.22/net/xfrm/xfrm_user.c linux-2.6.22.patch/net/xfrm/xfrm_user.c
--- linux-2.6.22/net/xfrm/xfrm_user.c 2007-07-08 18:32:17.000000000 -0500
+++ linux-2.6.22.patch/net/xfrm/xfrm_user.c 2007-07-24 11:49:33.000000000 -0500
@@ -456,7 +456,9 @@ static int xfrm_add_sa(struct sk_buff *s
err = xfrm_state_update(x);
xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
- AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ x->props.family, x->props.saddr, x->id.daddr,
+ x->id.spi, 0, x->security, "SAD-add");
if (err < 0) {
x->km.state = XFRM_STATE_DEAD;
@@ -539,7 +541,9 @@ static int xfrm_del_sa(struct sk_buff *s
out:
xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
- AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ x->props.family, x->props.saddr, x->id.daddr,
+ x->id.spi, 0, x->security, "SAD-delete");
xfrm_state_put(x);
return err;
}
@@ -1149,7 +1153,9 @@ static int xfrm_add_policy(struct sk_buf
excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
err = xfrm_policy_insert(p->dir, xp, excl);
xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
- AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ xp->selector.family, xp->selector.saddr,
+ xp->selector.daddr, 0, 0, xp->security, "SPD-delete");
if (err) {
security_xfrm_policy_free(xp);
@@ -1395,7 +1401,10 @@ static int xfrm_get_policy(struct sk_buf
}
} else {
xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
- AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ xp->selector.family, xp->selector.saddr,
+ xp->selector.daddr, 0, 0, xp->security,
+ "SPD-delete");
if (err != 0)
goto out;
@@ -1644,8 +1653,9 @@ static int xfrm_add_pol_expire(struct sk
if (up->hard) {
xfrm_policy_delete(xp, p->dir);
xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
- AUDIT_MAC_IPSEC_DELSPD, 1, xp, NULL);
-
+ AUDIT_MAC_IPSEC_EVENT, 1, xp->selector.family,
+ xp->selector.saddr, xp->selector.daddr, 0, 0,
+ xp->security, "SPD-delete");
} else {
// reset the timers here?
printk("Dont know what to do with soft policy expire\n");
@@ -1680,7 +1690,9 @@ static int xfrm_add_sa_expire(struct sk_
if (ue->hard) {
__xfrm_state_delete(x);
xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
- AUDIT_MAC_IPSEC_DELSA, 1, NULL, x);
+ AUDIT_MAC_IPSEC_EVENT, 1, x->props.family,
+ x->props.saddr, x->id.daddr, x->id.spi, 0,
+ x->security, "SAD-delete");
}
err = 0;
out:
17 years, 5 months