(no subject)
by Abhishek Gupta
msg=audit(1116360555.329:2401771).
How do I interpret the above message? What do 1116360555, 329 and 2401771 mean here?
By looking at this type of audit message, how can I interpret all the things
related to a particular process?
If I want to trace all syscalls called by a particular process, how do I do that
without using ausearch (i.e. by looking at the above type of messages)?
How can I obtain strace output from this auditing subsystem?
16 years, 11 months
[RFC] Obtaining PATH entry without audit userland
by Yuichi Nakamura
Hi.
When debugging SELinux policy, the PATH audit entry is useful.
In the current audit code,
context->dummy should be 0 to obtain a PATH entry,
but it is set to 1 if no audit rules are registered,
so some audit rule should be registered to obtain a PATH entry.
To register an audit rule, we need the audit userland.
However, in embedded devices
we want as little userland as possible,
because hardware resources are constrained and cross-compiling is tiresome.
We want the PATH entry to debug SELinux policy,
but we do not want to port the audit userland for this purpose,
so we want to do it in the kernel.
The following is a simple patch to obtain the PATH entry without the audit userland.
Does this sound reasonable?
Signed-off-by: Yuichi Nakamura<ynakam(a)hitachisoft.jp>
---
init/Kconfig | 10 ++++++++++
kernel/audit.h | 7 +++++++
kernel/auditsc.c | 9 ++++++++-
3 files changed, 25 insertions(+), 1 deletion(-)
diff -purN -X linux-2.6.22.1/Documentation/dontdiff linux-2.6.22.1.old/kernel/audit.h linux-2.6.22.1/kernel/audit.h
--- linux-2.6.22.1.old/kernel/audit.h 2007-12-19 10:00:19.000000000 +0900
+++ linux-2.6.22.1/kernel/audit.h 2008-01-09 09:04:28.000000000 +0900
@@ -143,6 +143,13 @@ static inline int audit_signal_info(int
extern enum audit_state audit_filter_inodes(struct task_struct *,
struct audit_context *);
extern void audit_set_auditable(struct audit_context *);
+
+#ifdef CONFIG_AUDIT_PATH
+#define DEFAULT_AUDIT_PATH_ENTRY 1
+#else
+#define DEFAULT_AUDIT_PATH_ENTRY 0
+#endif
+
#else
#define audit_signal_info(s,t) AUDIT_DISABLED
#define audit_filter_inodes(t,c) AUDIT_DISABLED
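Review bot: the header gains DEFAULT_AUDIT_PATH_ENTRY but no `extern int audit_path_entry;` declaration, so the variable that auditsc.c defines from it has external linkage yet is reachable from nowhere else; either declare it here (if it is meant to become a runtime switch) or keep the definition in auditsc.c `static`. Placing the macro in the arm above the visible `#else` (the one that stubs audit_signal_info/audit_filter_inodes to AUDIT_DISABLED) is the right arm, since CONFIG_AUDIT_PATH depends on AUDITSYSCALL, but a one-line comment saying the macro is consumed only by auditsc.c would help the next reader.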
diff -purN -X linux-2.6.22.1/Documentation/dontdiff linux-2.6.22.1.old/kernel/auditsc.c linux-2.6.22.1/kernel/auditsc.c
--- linux-2.6.22.1.old/kernel/auditsc.c 2007-12-19 10:00:19.000000000 +0900
+++ linux-2.6.22.1/kernel/auditsc.c 2008-01-09 08:57:44.000000000 +0900
@@ -227,6 +227,8 @@ struct audit_context {
#endif
};
+int audit_path_entry = DEFAULT_AUDIT_PATH_ENTRY;
+
#define ACC_MODE(x) ("\004\002\006\006"[(x)&O_ACCMODE])
static inline int open_arg(int flags, int mask)
{
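Review bot: `int audit_path_entry = DEFAULT_AUDIT_PATH_ENTRY;` is never assigned anywhere else in the series and is not declared in a header, so it is a constant with global linkage; mark it `static` (or drop the variable and test `#ifdef CONFIG_AUDIT_PATH` at the single use site). If a runtime toggle is the eventual intent, say so in the cover letter and plan how it is to be set, since there is no audit userland in the target environment to set it.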
@@ -1198,7 +1200,12 @@ void audit_syscall_entry(int arch, int m
context->argv[3] = a4;
state = context->state;
- context->dummy = !audit_n_rules;
+
+ if (audit_path_entry)
+ context->dummy = 0;
+ else
+ context->dummy = !audit_n_rules;
+
if (!context->dummy && (state == AUDIT_SETUP_CONTEXT || state == AUDIT_BUILD_CONTEXT))
state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
if (likely(state == AUDIT_DISABLED))
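Review bot: when audit_path_entry is set, `context->dummy` is forced to 0 for every syscall of every task, so the shortcut that `dummy` exists for (skipping context building when `audit_n_rules` is zero) is disabled system-wide: every syscall now goes through audit_filter_syscall() and collects names even though no rule can match. That is a per-syscall cost on exactly the constrained devices the cover letter describes, and it should at least be stated. The blank `+` lines on both sides of the new if/else are not needed; `context->dummy = audit_path_entry ? 0 : !audit_n_rules;` keeps the hunk to one line.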
--- linux-2.6.22.1.old/init/Kconfig 2008-01-08 13:49:30.000000000 +0900
+++ linux-2.6.22.1/init/Kconfig 2007-12-19 11:50:17.000000000 +0900
@@ -245,6 +245,16 @@ config AUDITSYSCALL
such as SELinux. To use audit's filesystem watch feature, please
ensure that INOTIFY is configured.
+config AUDIT_PATH
+ bool "Audit always PATH entry"
+ depends on AUDITSYSCALL
+ default n
+ help
+ By default, PATH entry is not audited unless
+ you register some audit rule.
+ With this option, PATH entry is always audited.
+ This is useful in debugging SELinux policy without audit userland.
+
config IKCONFIG
tristate "Kernel .config support"
---help---
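Review bot: the help text should mention the cost the option imposes (every syscall builds a full audit context even with no rules loaded), and the prompt "Audit always PATH entry" reads better as "Always emit PATH records". The file headers also show the new Kconfig (2007-12-19) dated earlier than the old one (2008-01-08), and this file lacks the `diff -purN` line that precedes the other two, which suggests the series was assembled by hand; regenerating it in one pass would avoid that.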
--
Yuichi Nakamura
Hitachi Software Engineering Co., Ltd.
Japan SELinux Users Group(JSELUG): http://www.selinux.gr.jp/
SELinux Policy Editor: http://seedit.sourceforge.net/
16 years, 11 months
"Error sending add rule request" using 1.5.4
by Brennan, William C
I'm attempting to use the auditd package (1.5.4) as supplied downstream
in the Ubuntu distribution. I'm encountering a problem (as a few others
are as well, Ubuntu bug #140784) in that we can't get auditctl to
successfully handle any new rules. For me, this version of auditd has
not worked at all. I'm only newly acquainted with auditd, so this has
been my only experience.
For example, entering at the command line (taken from the man page):
auditctl -a exit,always -S open -F success!=0
results in the response
Error sending add rule request (Invalid argument)
I tried adding other possible rules via auditctl, and all attempts cause
this response.
Apparently no one using Red Hat is having this problem (i.e., no
complaints on this list), which suggests that perhaps the problem is a
package dependency problem within Ubuntu, but that's just a guess.
Can someone offer any help or suggestions as to what may be causing this
problem for Ubuntu users, and what we might do to fix it? (I also tried
updating to version 1.6.4, which also failed the same way.)
Thanks for any light you can shed!
-- Bill Brennan
16 years, 11 months
[PATCH] [AUDIT] Fix ANOM_PROMISCUOUS message format
by Klaus Heinrich Kiwi
Steve, as we talked earlier through IRC, ausearch/aureport are expecting
the kernel anomaly messages to have auid= uid= gid= fields (in this
order). This quick patch changes the ANOM_PROMISCUOUS message to the
correct format (as already used by ANOM_ABEND).
Applies on 2.6.24-rc7 from the audit.git tree
--
Klaus Heinrich Kiwi
Security Development - IBM Linux Technology Center
--
Fix ANOM_PROMISCUOUS message to the format as expected by
audit userspace: auid=%u uid=%u gid=%u [...]
Signed-off-by: Klaus Heinrich Kiwi <klausk(a)br.ibm.com>
---
net/core/dev.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/core/dev.c b/net/core/dev.c
index 0848da3..cd49cd0 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2759,10 +2759,11 @@ static void __dev_set_promiscuity(struct net_device *dev, int inc)
"left");
audit_log(current->audit_context, GFP_ATOMIC,
AUDIT_ANOM_PROMISCUOUS,
- "dev=%s prom=%d old_prom=%d auid=%u ses=%u",
+ "auid=%u uid=%u gid=%u dev=%s prom=%d old_prom=%d ses=%u",
+ audit_get_loginuid(current->audit_context),
+ current->uid, current->gid,
dev->name, (dev->flags & IFF_PROMISC),
(old_flags & IFF_PROMISC),
- audit_get_loginuid(current->audit_context),
audit_get_sessionid(current->audit_context));
if (dev->change_rx_flags)
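Review bot: the reordered argument list now lines up with the new format string (auid, uid, gid, dev, prom, old_prom, ses), so the fix itself is correct. Since the line is being touched anyway, consider logging `!!(dev->flags & IFF_PROMISC)` and `!!(old_flags & IFF_PROMISC)` so prom= and old_prom= carry 0 or 1 rather than the raw flag bit, which is easier for ausearch/aureport consumers to match on. The commit message would also benefit from naming the userspace release that started requiring auid= uid= gid= first, so distributions know which kernel/userspace pairs are affected.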
--
1.5.3.7
16 years, 11 months
new git tree with audit development
by Eric Paris
I've spent the last couple days trying to get all of the latest audit
development pulled into one place so it can be sent upstream. Some of
my patches in this tree haven't been sent to the list and I plan to do
that tomorrow. But if anyone sent a patch to the list or has a patch
for the audit system they want to see in the next kernel release drop me
a note. This tree has all of the work I know about.
http://git.infradead.org/?p=users/eparis/audit.git
-Eric
16 years, 11 months
audit 1.6.5 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The Changelog is:
- Add more errno strings for use with rules
- Fix config parser to allow either 0640 or 0600 for audit logs (#427062)
- Check for audit log being writable by owner in auditd
- If auditd logging was suspended, it can be resumed with SIGUSR2 (#251639)
- Updated CAPP, LSPP, and NISPOM rules for new capabilities
- Added aulastlog utility
This release fixes up a bug where the config parser was not allowing either
0640 or 0600 for the log file permissions. This was also fixed in auparse.
A new capability was added. When the audit daemon suspends logging and the
admin has taken steps to free disk space again, logging can now be resumed
with SIGUSR2. If you are using the init scripts in the audit package, it
would be usable as "service auditd resume".
The CAPP, LSPP, and NISPOM sample rules have been updated to use the errno
capability for exit codes and to use directory auditing when needing to audit
many things in the same directory. For example, you do not need to watch each
individual audit log. You can just watch /var/log/audit and it will pick up
all changes to any audit log in that directory. This capability requires the
kernel to support directory watches (2.6.24 vanilla for example).
This release also adds a new tool, aulastlog. It displays login information
like lastlog does. It uses the auparse library and its source code can be
used to see how simple writing a new audit-based tool can be.
Please let me know if you run across any problems with this release.
-Steve
16 years, 11 months
event loss with dispatcher?
by Klaus Heinrich Kiwi
Hi,
I'm trying to debug a potential problem with the dispatcher mechanism
in version 1.6.2. Long story short, I saw that some records were being
missed in the remote system (using the audisp-racf plugin), couldn't
find anything wrong with the code, so I enabled the syslog plugin,
trying to match the syslog with the audit log output - At least in
my system, they are not matching.
In cases where there are more than one record per event, (eg. SYSCALL,
CWD, PATH), the majority of times only the syscall record is sent to the
syslog.. in rare cases I could see the path or the cwd record as well.
The impression that this would be a timing issue increased when I tried
to debug the daemon itself, placing a breakpoint in the
distribute_event() and/or dispatch_event() functions - in that case, I
could see all records going through, both in the execution path as in
the syslog.
Later also placed some debugging hooks in the process_inbound_event() in
the dispatcher code, and saw that records were already missing at that
point.
The lossy/lossless setting for the dispatcher queue doesn't appear to
affect this behavior. My tests involve a filesystem watch - when
triggered, only 3 records are generated (so not anywhere near the 128K
buffer size)
My env: RHEL 5 GA on s390x (sorry - no other box available for testing
at this time) with audit 1.6.2 (built from src.rpm as downloaded from
Steve's website).
Steve, btw, can you hold the audisp-racf merge a little bit? Found some
issues with selinux policy, the mapping to the remote system and believe
it or not, the plugin name itself :(
Thanks,
-Klaus Kiwi
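Two questions in this digest turn on the same record format: the first post asks what the three numbers in `msg=audit(1116360555.329:2401771)` are, and the event-loss post above compares a complete audit log against the copy a dispatcher plugin received. The following added example (not code from either poster or from the audit project) parses that field, groups records by event serial, lists a pid's syscalls without ausearch, and reports which records of an event never reached the plugin. The log lines are constructed for the example; `1116360555` is seconds since the epoch, `329` the millisecond part and `2401771` the serial the kernel stamps on every record of one syscall.

```python
import re
from collections import OrderedDict

# One audit record per line: "type=T msg=audit(SECS.MS:SERIAL): k=v k=v ..."
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+)\s+msg=audit\((?P<secs>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log (not from the thread): two open() calls by pid 1005, each
# producing a SYSCALL, a CWD and a PATH record that share one serial number.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1116360555.329:2401771): arch=c000003e syscall=2 success=yes exit=3 pid=1005 auid=500 uid=0 gid=0 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1116360555.329:2401771): cwd="/root"
type=PATH msg=audit(1116360555.329:2401771): item=0 name="/etc/shadow" inode=1234 mode=0100600
type=SYSCALL msg=audit(1116360556.001:2401772): arch=c000003e syscall=2 success=no exit=-13 pid=1005 auid=500 uid=500 gid=500 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1116360556.001:2401772): cwd="/home/user"
type=PATH msg=audit(1116360556.001:2401772): item=0 name="/etc/shadow" inode=1234 mode=0100600
"""

# The same stream as a dispatcher plugin (e.g. the syslog plugin) received it in this
# constructed scenario: the CWD and PATH records of the second event never arrived.
SYSLOG_COPY = "\n".join(AUDIT_LOG.splitlines()[:4]) + "\n"


def parse_record(line):
    """Split one record into type, timestamp parts, serial and its key=value fields.

    In msg=audit(1116360555.329:2401771): 1116360555 = seconds since the epoch,
    329 = milliseconds, 2401771 = serial shared by all records of one event.
    """
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = OrderedDict((k, v.strip('"')) for k, v in FIELD_RE.findall(m.group('rest')))
    return {
        'type': m.group('type'),
        'secs': int(m.group('secs')),
        'ms': int(m.group('ms')),
        'serial': int(m.group('serial')),
        'fields': fields,
    }


def group_events(text):
    """Group records by serial so the SYSCALL/CWD/PATH of one event sit together."""
    events = OrderedDict()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec['serial'], []).append(rec)
    return events


def syscalls_for_pid(text, pid):
    """strace-like view for one pid, read straight from the SYSCALL records:
    returns (serial, syscall number, success, exit) per call, no ausearch needed."""
    out = []
    for serial, recs in group_events(text).items():
        for rec in recs:
            f = rec['fields']
            if rec['type'] == 'SYSCALL' and f.get('pid') == str(pid):
                out.append((serial, f.get('syscall'), f.get('success'), f.get('exit')))
    return out


def missing_records(full_text, partial_text):
    """Compare the complete audit log with the copy a dispatcher plugin received;
    returns {serial: [record types lost]} for events that arrived incomplete."""
    full = group_events(full_text)
    partial = group_events(partial_text)
    lost = {}
    for serial, recs in full.items():
        # PATH records repeat per item, so key on (type, item) rather than on type alone
        have = {(r['type'], r['fields'].get('item')) for r in partial.get(serial, [])}
        gone = [r['type'] for r in recs if (r['type'], r['fields'].get('item')) not in have]
        if gone:
            lost[serial] = gone
    return lost


if __name__ == '__main__':
    for serial, recs in group_events(AUDIT_LOG).items():
        print(serial, [r['type'] for r in recs])
    print(syscalls_for_pid(AUDIT_LOG, 1005))
    print(missing_records(AUDIT_LOG, SYSLOG_COPY))
```

Run against a real `/var/log/audit/audit.log` and the plugin's output, `missing_records` gives the per-event list of dropped record types, which is the comparison the post above did by eye; because it keys on the serial rather than on timestamps, records that arrive late or out of order are still matched to their event.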
16 years, 11 months
audit 1.6.4 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The Changelog is:
- fchmod of log file was on wrong variable
- Allow use of errno strings for exit codes in audit rules
This release fixes a major bug that got introduced in the last release. The
code that fixes a permission problem was using the wrong variable. It happens
that the result was applied to /dev/null instead of the audit log. If you had
selinux in enforcing mode - nothing happened, for everyone else.../dev/null
probably got messed up. Oopsie.
This release also lets you express audit rules with slightly more readable
exit codes. This means you can now do things like:
auditctl -a always,exit -S open -F exit=-EPERM
Please let me know if you run across any problems with this release.
-Steve
16 years, 12 months
Is there a rule for auditing all processes' syscall info?
by Marius.bao
Hi all,
We can use a rule to audit all syscall info of one specific process,
e.g. auditctl -a entry,always -S all -F pid=1005, which will log process 1005's
syscall info. Is there a rule available to audit all processes' syscall
info?
Thanks in advance.
16 years, 12 months