[PATCH, RFC] Add expression support to libauparse
by Miloslav Trmac
Hello,
this patch extends libauparse to support arbitrary boolean expressions
and searching for record type ranges.
It seems best to define expression syntax and add a single
ausearch_add_expression() call, rather than build the expression from
atomic subexpressions. The defined syntax could be shared by all tools
that link to libauparse, and programs would be able to run (and display
meaningful error messages, as opposed to crashing when a relocation can
not be resloved) even if the installed libauparse version does not
support the used filter.
Attached is a description of the expression syntax. Please check
whether the design is reasonably future-proof. A nicer alternative to
using three different sets of comparison operators would be welcome.
Mirek
LEXICAL STRUCTURE
White space (ASCII space, tab and new-line characters) between tokens
is ignored. The following tokens are recognized:
Punctuation
( ) \
Logical operators
! && ||
Comparison operators
< <= == > >= !== i= i!= r= r!=
Unquoted strings
Any non-empty sequence of ASCII letters, digits, and the _ sym-
bol.
Quoted strings
A sequence of characters surrounded by the " quotes. The \
character starts an escape sequence. The only defined escape
sequences are \\ and \". The semantics of other escape
sequences is undefined.
Anywhere an unquoted string is valid, a quoted string is valid as well,
and vice versa. In particular, field names may be specified using
quoted strings, and field values may be specified using unquoted
strings.
EXPRESSION SYNTAX
The primary expression has the following form:
field comparison-operator value
field is either a string, which specifies the first field with that
name within the current audit record, or the \ escape character fol-
lowed by a string, which specifies a virtual field with the specified
name (virtual fields are defined in a later section).
field is a string. operator specifies the comparison to perform
r= r!= Get the "raw" string of field, and compare it to value. For
fields in audit records, the "raw" string is the exact string
stored in the audit record (with all escaping and unprintable
character encoding left alone); applications can read the "raw"
string using auparse get field str(3). Each virtual field may
define a "raw" string. If field is not present or does not
define a "raw" string, the result of the comparison is false
(regardless of the operator).
i= i!= Get the "interpreted" string of field, and compare it to value.
For fields in audit records, the "interpreted" string is an
"user-readable" interpretation of the field value; applications
can read the "interpreted" string using auparse inter-
pret field(3). Each virtual field may define an "interpreted"
string. If field is not present or does not define an "inter-
preted" string, the result of the comparison is false (regard-
less of the operator).
< <= == > >= !==
Evaluate the "value" of field, and compare it to value. A
"value" may be defined for any field or virtual field, but no
"value" is currently defined for any audit record field. The
rules of parsing value for comparing it with the "value" of
field are specific for each field. If field is not present, the
result of the comparison is false (regardless of the operator).
If field does not define a "value", an error is reported when
parsing the expression.
If E1 and E2 are valid expressions, then ! E1, E1 && E2, and E1 || E2
are valid expressions as well, with the usual C semantics and evalua-
tion priorities. Note that ! field op value is interpreted as !(field
op value), not as (!field) op value.
VIRTUAL FIELDS
The following virtual fields are defined:
\timestamp
The value is the timestamp of the current event. value must
have the ts:seconds.milli format, where seconds and milli are
decimal numbers specifying the seconds and milliseconds part of
the timestamp, respectively.
\record_type
The value is the type of the current record. value is either
the record type name, or a decimal number specifying the type.
SEMANTICS
The expression as a whole applies to a single record. The expression
is true for a specified event if it is true for any record associated
with the event.
EXAMPLES
As a demonstration of the semantics of handling missing fields, the
following expression is true if field is present:
(field r= "") || (field r!= "")
and the same expression surrounded by !( and ) is true if field is not
present.
FUTURE DIRECTIONS
New escape sequences for quoted strings may be defined.
For currently defined virtual fields that do not define a "raw" or
"interpreted" string, the definition may be added. Therefore, don’t
rely on the fact that comparing the "raw" or "interpreted" string of
the field with any value is false.
New formats of value constants for the \timestamp virtual field may be
added.
16 years, 9 months
auditing nfs
by Bob Kryger
So, I'm looking to audit file access (via syscalls
create,open,unlink,etc. because I want every file in the filesystem and
do not want to have to specify an audit rule for each dir/file) that are
accessed via nfs from the nfs server. It seems, I assume because nfs is
in the kernel, that I am not getting any audit messages for those nfs
files access.
Is my assumption correct?
Any suggestions for auditing from the nfs server side?
BTW: not a list subscriber, please reply directly.
Thanks
Bob
--
Bob Kryger Office: 212-813-8677
Systems/Network Administrator Cell: 917-913-6670
SAC Capital, Synapse Group email: bobk(a)sac.com
540 Madison Ave AIM: sacbobk
New York, NY 10022
DISCLAIMER: This e-mail message and any attachments are intended solely for the use of the individual or entity to which it is addressed and may contain information that is confidential or legally privileged. If you are not the intended recipient, you are hereby notified that any dissemination, distribution, copying or other use of this message or its attachments is strictly prohibited. If you have received this message in error, please notify the sender immediately and permanently delete this message and any attachments.
16 years, 9 months
[PATCH] Fix __attribute__((hidden)) use
by Miloslav Trmac
Hello,
this patch fixes __attribute__ ((hidden)) use. The
hidden_def(SYM)/hidden_proto(SYM) pair should be used for symbols that
are a part of the public API; it creates hidden aliases (SYM_internal)
for use within the shared library, which speeds up both dynamic linking
and code execution. Symbols that are not in the public API should use
"hidden" in the function declaration.
This patch replaces all incorrect uses of hidden_def/hidden_proto by
"hidden" (some uses in lib/private.h are left because these symbols used
to be declared in libaudit.h). It also adds hidden_def/hidden_proto
macros to those public symbols that are referenced from within the
libraries.
Mirek
16 years, 9 months
[PATCH] Audit: Fix the format type for size_t variables
by Paul Moore
Fix the following compiler warning by using "%zu" as defined in C99.
CC kernel/auditsc.o
kernel/auditsc.c: In function 'audit_log_single_execve_arg':
kernel/auditsc.c:1074: warning: format '%ld' expects type 'long int', but
argument 4 has type 'size_t'
Signed-off-by: Paul Moore <paul.moore(a)hp.com>
---
kernel/auditsc.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 2087d6d..782262e 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1070,7 +1070,7 @@ static int audit_log_single_execve_arg(struct audit_context *context,
* so we can be sure nothing was lost.
*/
if ((i == 0) && (too_long))
- audit_log_format(*ab, "a%d_len=%ld ", arg_num,
+ audit_log_format(*ab, "a%d_len=%zu ", arg_num,
has_cntl ? 2*len : len);
/*
16 years, 10 months
Audit Dispatcher
by Kevin Boyce
All,
Is there any recommended audit dispatcher for the the RHEL audit daemon?
Thanks,
Kevin Boyce
Northrop Grumman Corp.
16 years, 10 months
[PATCH] drop EOE records from printk
by Steve Grubb
Hi,
While we are looking at the printk issue, I see that its printk'ing the EOE
(end of event) records which is really not something that we need in syslog.
Its really intended for the realtime audit event stream handled by the audit
daemon. So, lets avoid printk'ing that record type.
Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>
diff -urp linux-2.6.24.x86_64.orig/kernel/audit.c linux-2.6.24.x86_64/kernel/audit.c
--- linux-2.6.24.x86_64.orig/kernel/audit.c 2008-02-21 16:44:01.000000000 -0500
+++ linux-2.6.24.x86_64/kernel/audit.c 2008-02-21 16:52:28.000000000 -0500
@@ -1350,17 +1350,19 @@ void audit_log_end(struct audit_buffer *
if (!audit_rate_check()) {
audit_log_lost("rate limit exceeded");
} else {
+ struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
if (audit_pid) {
- struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
nlh->nlmsg_len = ab->skb->len - NLMSG_SPACE(0);
skb_queue_tail(&audit_skb_queue, ab->skb);
ab->skb = NULL;
wake_up_interruptible(&kauditd_wait);
- } else if (printk_ratelimit()) {
- struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
- printk(KERN_NOTICE "type=%d %s\n", nlh->nlmsg_type, ab->skb->data + NLMSG_SPACE(0));
- } else {
- audit_log_lost("printk limit exceeded\n");
+ } else if (nlh->nlmsg_type != AUDIT_EOE) {
+ if (printk_ratelimit()) {
+ printk(KERN_NOTICE "type=%d %s\n",
+ nlh->nlmsg_type,
+ ab->skb->data + NLMSG_SPACE(0));
+ } else
+ audit_log_lost("printk limit exceeded\n");
}
}
audit_buffer_free(ab);
16 years, 10 months
[RFC] AUDIT: do not panic when printk loses messages
by Eric Paris
On the latest kernels if one was to load about 15 rules, set the failure
state to panic, and then run service auditd stop the kernel will panic.
This is because auditd stops, then the script deletes all of the rules.
These deletions are sent as audit messages out of the printk kernel
interface which is already known to be lossy. These will overun the
default kernel rate limiting (10 really fast messages) and will call
audit_panic(). The same effect can happen if a slew of avc's come
through while auditd is stopped.
This can be fixed a number of ways but this patch fixes the problem by
just not panicing if auditd is not running. We know printk is lossy and
if the user chooses to set the failure mode to panic and tries to use
printk we can't make any promises no matter how hard we try, so why try?
At least in this way we continue to get lost message accounting and will
eventually know that things went bad.
The other change is to add a new call to audit_log_lost() if auditd
disappears. We already pulled the skb off the queue and couldn't send
it so that message is lost. At least this way we will account for the
last message and panic if the machine is configured to panic. This code
path should only be run if auditd dies for unforeseen reasons. If
auditd closes correctly audit_pid will get set to 0 and we won't walk
this code path.
---
If anyone has a better solution please let us know what and how/why it
is better....
kernel/audit.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 2eeea9a..6d7175c 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -170,7 +170,9 @@ void audit_panic(const char *message)
printk(KERN_ERR "audit: %s\n", message);
break;
case AUDIT_FAIL_PANIC:
- panic("audit: %s\n", message);
+ /* test audit_pid since printk is always losey, why bother? */
+ if (audit_pid)
+ panic("audit: %s\n", message);
break;
}
}
@@ -352,6 +354,7 @@ static int kauditd_thread(void *dummy)
if (err < 0) {
BUG_ON(err != -ECONNREFUSED); /* Shoudn't happen */
printk(KERN_ERR "audit: *NO* daemon at audit_pid=%d\n", audit_pid);
+ audit_log_lost("auditd dissapeared\n");
audit_pid = 0;
}
} else {
16 years, 10 months
[PATCH] Audit: use == not = in if statements
by Eric Paris
Clearly this was supposed to be an == not an = in the if statement.
This patch also causes us to stop processing execve args once we have
failed rather than continuing to loop on failure over and over and over.
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
kernel/auditsc.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index ac6d9b2..2087d6d 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1000,9 +1000,10 @@ static int audit_log_single_execve_arg(struct audit_context *context,
* for strings that are too long, we should not have created
* any.
*/
- if (unlikely((len = -1) || len > MAX_ARG_STRLEN - 1)) {
+ if (unlikely((len == -1) || len > MAX_ARG_STRLEN - 1)) {
WARN_ON(1);
send_sig(SIGKILL, current, 0);
+ return -1;
}
/* walk the whole argument looking for non-ascii chars */
@@ -1020,6 +1021,7 @@ static int audit_log_single_execve_arg(struct audit_context *context,
if (ret) {
WARN_ON(1);
send_sig(SIGKILL, current, 0);
+ return -1;
}
buf[to_send] = '\0';
has_cntl = audit_string_contains_control(buf, to_send);
@@ -1083,6 +1085,7 @@ static int audit_log_single_execve_arg(struct audit_context *context,
if (ret) {
WARN_ON(1);
send_sig(SIGKILL, current, 0);
+ return -1;
}
buf[to_send] = '\0';
16 years, 10 months
problem in adding rule on the file having spaces in the name
by Abhishek Gupta
I want to add a rule in audit.rules file to watch a file named "jsp doc".
Note there is space between jsp and doc.
How to write the rule for that in the rule file?
Please suggest.
I tried writing the rule in the file as
-w /jsp\ doc/ -p rw
also
-w /jsp doc -p rw
Both gives error
16 years, 10 months
audit 1.6.8 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
soon. The Changelog is:
- Update for gcc 4.3
- Cleanup descriptors in audispd before running plugins
- Fix 'recent' keyword for aureport/search
- Fix SE Linux policy for zos_remote plugin
- Add event type for group password authentication attempts
- Couple of updates to the translation tables
- Add detection of failed group authentication to audisp-prelude
This release is mostly for people that need a fixed version that compiles
against gcc 4.3.
Please let me know if you run across any problems with this release.
-Steve
16 years, 10 months
