[PATCH] In some platforms, "connect", "bind", "accept", "sendto", "recvfrom", "sendfile" arenot audit directly.
by zhangxiliang
Hello Steve,
When I use "autrace -r" or "auditctl -a exit,always -S connect" on "ia32" machine, it report some error.
I found in some platforms, "connect", "bind", "accept", "sendto", "recvfrom", "sendfile" isnot supported to call directly.
They are used by syscall "socketcall".
I think when the socket calls are supported, we should insert "socketcall" instead of them.
Do you agree with me?
Signed-off-by: Zhang Xiliang <zhangxiliang(a)cn.fujitsu.com>
---
lib/deprecated.c | 7 +++++++
lib/libaudit.c | 6 ++++++
2 files changed, 13 insertions(+), 0 deletions(-)
diff --git a/lib/deprecated.c b/lib/deprecated.c
index 4f0c14e..ced4c62 100644
--- a/lib/deprecated.c
+++ b/lib/deprecated.c
@@ -160,6 +160,13 @@ int audit_rule_syscallbyname(struct audit_rule *rule,
if (nr < 0) {
if (isdigit(scall[0]))
nr = strtol(scall, NULL, 0);
+ if(strcmp(scall, "connect") || strcmp(scall, "bind")
+ || strcmp(scall, "accept") || strcmp(scall, "sendto")
+ || strcmp(scall, "recvfrom") || strcmp(scall, "sendfile")) {
+ scall = "socketcall";
+ nr = audit_name_to_syscall(scall, machine);
+ }
+
}
if (nr >= 0)
return audit_rule_syscall(rule, nr);
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 0588537..36baff1 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -761,6 +761,12 @@ int audit_rule_syscallbyname_data(struct audit_rule_data *rule,
if (nr < 0) {
if (isdigit(scall[0]))
nr = strtol(scall, NULL, 0);
+ if(strcmp(scall, "connect") || strcmp(scall, "bind")
+ || strcmp(scall, "accept") || strcmp(scall, "sendto")
+ || strcmp(scall, "recvfrom") || strcmp(scall, "sendfile")) {
+ scall = "socketcall";
+ nr = audit_name_to_syscall(scall, machine);
+ }
}
if (nr >= 0)
return audit_rule_syscall_data(rule, nr);
--
1.5.4.2
--
Regards
Zhang Xiliang
16 years, 5 months
Re: ausearch / policy question
by Cai Xianchao
On Wednesday 23 July 2008 18:30:45 LC Bruzenak wrote:
> 2: why is ausearch producing the AVCs?
>
Low level is the minimum access needed to read files created by that
user.If the low level of a process is lower than the file's, it's
not permitted.
> type=AVC msg=audit(07/23/2008 17:18:44.292:1622) : avc: denied
> { read } for pid=4033 comm=ausearch name=audit.log dev=dm-0 ino=24698
> scontext=root:staff_r:staff_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=file
>
>
In the message, the level of audit.log is s15:c0.c1023, while the current
process is s0. So the process can't read audit.log and AVSs are producted.
Regards
Cai Xianchao
16 years, 5 months
the method to get nlmsg_len in audit_send() is error
by Yu Zhiguo
Hello Steve,
I think micro NLMSG_ALIGN is needless for nlmsg_len, NLMSG_SPACE is sufficient.
because NLMSG_SPACE includes the rounded netlink header size.
Now no errors occurred because struct req has been set to all 0.
Signed-off-by: Yu Zhiguo<yuzg(a)cn.fujitsu.com>
---
lib/netlink.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/lib/netlink.c b/lib/netlink.c
index 2f78a96..2e2e6be 100644
--- a/lib/netlink.c
+++ b/lib/netlink.c
@@ -220,7 +220,7 @@ int audit_send(int fd, int type, const void *data, unsigned
int size)
sequence = 1;
memset(&req, 0, sizeof(req));
- req.nlh.nlmsg_len = NLMSG_ALIGN(req.nlh.nlmsg_len) + NLMSG_SPACE(size);
+ req.nlh.nlmsg_len = NLMSG_SPACE(size);
req.nlh.nlmsg_type = type;
req.nlh.nlmsg_flags = NLM_F_REQUEST|NLM_F_ACK;
req.nlh.nlmsg_seq = sequence;
16 years, 5 months
[PATCH] the exit field should not be used in entry list
by zhangxiliang
Hello Steve,
The entry list is applied to match fields before excuting syscall. When matching, the exit code of syscall is unknown.
So the exit field should not be used in entry list.
This is a patch for latest audit-1.7.4.
Signed-off-by: Zhang Xiliang <zhangxiliang(a)cn.fujitsu.com>
---
lib/deprecated.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/lib/deprecated.c b/lib/deprecated.c
index 7c7c808..4f0c14e 100644
--- a/lib/deprecated.c
+++ b/lib/deprecated.c
@@ -281,6 +281,8 @@ int audit_rule_fieldpair(struct audit_rule *rule, const char *pair, int flags)
}
break;
case AUDIT_EXIT:
+ if (flags == AUDIT_FILTER_ENTRY)
+ return -7;
vlen = strlen(v);
if (isdigit((char)*(v)))
rule->values[rule->field_count] =
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
16 years, 5 months
[Patch]Fix the bug of comparing the file's mode in dispatch_parser() and check_exe_name()
by chuli
Hi Mr. Grubby,
When I set "dispatcher = /mydir/audispd" in /etc/audit/auditd.conf and make
the mode of /mydir/audispd to 0755, auditd can be started successfully. But I
found in the codes that such file like "/mydir/audispd" is hoped as 0750.
There
is a little error in comparing the file's mode, "S_IRWXO" should be used not
just
"S_IWOTH", otherwise the file is allowed to be readable or executable by
others.
There is the same bug in check_exe_name(). This bug will allow the script of
"exec /path-to-script" to be readable or executable by others.
Here is my patch for audit-1.7.4. Hope for your opinion about such
modification.
Signed-off-by: Chu Li<chul(a)cn.fujitsu.com>
---
diff --git a/src/auditd-config.c b/src/auditd-config.c
index a7a939e..fc2fd48 100644
--- a/src/auditd-config.c
+++ b/src/auditd-config.c
@@ -629,7 +629,7 @@ static int dispatch_parser(struct nv_pair *nv, int line,
audit_msg(LOG_ERR, "%s is not owned by root", nv->value);
return 1;
}
- if ((buf.st_mode & (S_IRWXU|S_IRWXG|S_IWOTH)) !=
+ if ((buf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) !=
(S_IRWXU|S_IRGRP|S_IXGRP)) {
audit_msg(LOG_ERR, "%s permissions should be 0750", nv->value);
return 1;
@@ -869,7 +869,7 @@ static int check_exe_name(const char *val)
audit_msg(LOG_ERR, "%s is not owned by root", val);
return -1;
}
- if ((buf.st_mode & (S_IRWXU|S_IRWXG|S_IWOTH)) !=
+ if ((buf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) !=
(S_IRWXU|S_IRGRP|S_IXGRP)) {
audit_msg(LOG_ERR, "%s permissions should be 0750", val);
return -1;
Regards
Chu Li
16 years, 5 months
[PATCH] fix a bug that option '-i' cannot be used
by Yu Zhiguo
Hello Steve,
CC Miloslav,
Option '-i' cannot be used, because the check about option '-R'
in main() is wrong.
When check option '-R', we should consider whether option '-i'
is specified.
Using option '-i' with '-R' should ignore errors when reading
rules from file rather than reporting error message
"Error - nested rule files not supported".
This is a patch to fix the bug of audit-1.7.4.
Signed-off-by: Yu Zhiguo<yuzg(a)cn.fujitsu.com>
---
src/auditctl.c | 45 +++++++++++++++++++++++++--------------------
1 files changed, 25 insertions(+), 20 deletions(-)
diff --git a/src/auditctl.c b/src/auditctl.c
index 2c136ea..ac20fdc 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -1089,39 +1089,44 @@ int main(int argc, char *argv[])
set_aumessage_mode(MSG_STDERR, DBG_NO);
- /* Check where the rules are coming from: commandline or file */
- if ((argc == 3) && (strcmp(argv[1], "-R") == 0)) {
+ if (argc == 1) {
+ usage();
+ return 1;
+ }
#ifndef DEBUG
- /* Make sure we are root */
- if (getuid() != 0) {
- fprintf(stderr,
- "You must be root to run this program.\n");
- return 4;
- }
+ /* Make sure we are root */
+ if (getuid()) {
+ fprintf(stderr,
+ "You must be root to run this program.\n");
+ return 4;
+ }
#endif
+
+ /* Check where the rules are coming from: commandline or file */
+ if ((argc == 3) && (!strcmp(argv[1], "-R"))) {
if (fileopt(argv[2]))
return 1;
else
return 0;
- } else {
- if (argc == 1) {
- usage();
+ } else if ((argc == 4) &&
+ ((!strcmp(argv[1], "-R") && !strcmp(argv[3], "-i")) ||
+ (!strcmp(argv[2], "-R") && !strcmp(argv[1], "-i")))) {
+ ignore = 1;
+ if (!strcmp(argv[1], "-R"))
+ retval = fileopt(argv[2]);
+ else retval = fileopt(argv[3]);
+ if (retval)
return 1;
- }
-#ifndef DEBUG
- /* Make sure we are root */
- if (getuid() != 0) {
- fprintf(stderr,
- "You must be root to run this program.\n");
- return 4;
- }
-#endif
+ else
+ return 0;
+ } else {
if (reset_vars())
return 1;
retval = setopt(argc, argv);
if (retval == -3)
return 0;
}
+
return handle_request(retval);
}
16 years, 5 months
linux-audit project SVN
by Steve Grubb
Hello,
I wanted to announce that we have an SVN project allocated for the linux-audit
source code. You can browse the source code at:
https://fedorahosted.org/audit/browser/trunk
and you can get an anonymous copy with:
svn co http://svn.fedorahosted.org/svn/audit
I believe all patches sent to the mail list are applied at this point. If not,
please point me to the missing patch and I'll see what needs to be done. I'd
like to thank Miloslav Trmač for helping out with the bureaucracy and getting
it setup.
Have fun...
-Steve
16 years, 5 months
[Patch] Fix the bug of action "exec /path-to-script" can never be taken
by chuli
Hi Mr. Steve,
I set "space_left_action = exec /script" in /etc/audit/auditd.conf.
It is said that this parameter tells the system what action to take when
the system has detected that it is starting to get low on disk space (The
limitation of disk space size is set by space_left.) in the manual. But I
found the action "exec /script" will never be taken.
I found an error message "Audit daemon failed to exec null" in
/var/log/messages. The filename "/script" does not be gotten by auditd,
so though the disk space size is less than the value of "space_left",
/script does not be executed.
It has the same bug with admin_space_left_action, disk_full_action,
disk_error_action.
Here is my patch for audit-1.7.4. What's your opinion about such
modification?
Signed-off-by: Chu Li<chul(a)cn.fujitsu.com>
---
diff --git a/src/auditd-config.c b/src/auditd-config.c
index 8a81b46..a7a939e 100644
--- a/src/auditd-config.c
+++ b/src/auditd-config.c
@@ -892,17 +892,13 @@ static int space_action_parser(struct nv_pair *nv, int
line,
email_command);
}
}
- config->space_left_action = failure_actions[i].option;
- return 0;
- } else if (i == FA_EXEC) {
- if (strncasecmp(failure_actions[i].name,
- nv->value, 4) == 0){
+ if (failure_actions[i].option == FA_EXEC) {
if (check_exe_name(nv->option))
return 1;
config->space_left_exe = strdup(nv->option);
- config->space_left_action = FA_EXEC;
- return 0;
}
+ config->space_left_action = failure_actions[i].option;
+ return 0;
}
}
audit_msg(LOG_ERR, "Option %s not found - line %d", nv->value, line);
@@ -1021,19 +1017,15 @@ static int admin_space_left_action_parser(struct
nv_pair *nv, int line,
email_command);
}
}
- config->admin_space_left_action =
- failure_actions[i].option;
- return 0;
- } else if (i == FA_EXEC) {
- if (strncasecmp(failure_actions[i].name,
- nv->value, 4) == 0){
+ if (failure_actions[i].option == FA_EXEC) {
if (check_exe_name(nv->option))
return 1;
config->admin_space_left_exe =
strdup(nv->option);
- config->admin_space_left_action = FA_EXEC;
- return 0;
}
+ config->admin_space_left_action =
+ failure_actions[i].option;
+ return 0;
}
}
audit_msg(LOG_ERR, "Option %s not found - line %d", nv->value, line);
@@ -1049,25 +1041,20 @@ static int disk_full_action_parser(struct nv_pair *nv,
int line,
nv->value);
for (i=0; failure_actions[i].name != NULL; i++) {
if (strcasecmp(nv->value, failure_actions[i].name) == 0) {
- if (failure_actions[i].option != FA_EMAIL) {
- config->disk_full_action =
- failure_actions[i].option;
- return 0;
- } else {
+ if (failure_actions[i].option == FA_EMAIL ) {
audit_msg(LOG_ERR,
"Illegal option %s for disk_full_action - line %d",
nv->value, line);
return 1;
}
- } else if (i == FA_EXEC) {
- if (strncasecmp(failure_actions[i].name,
- nv->value, 4) == 0){
+ if (failure_actions[i].option == FA_EXEC) {
if (check_exe_name(nv->option))
return 1;
config->disk_full_exe = strdup(nv->option);
- config->disk_full_action = FA_EXEC;
- return 0;
}
+ config->disk_full_action =
+ failure_actions[i].option;
+ return 0;
}
}
audit_msg(LOG_ERR, "Option %s not found - line %d", nv->value, line);
@@ -1083,25 +1070,20 @@ static int disk_error_action_parser(struct nv_pair
*nv, int line,
nv->value);
for (i=0; failure_actions[i].name != NULL; i++) {
if (strcasecmp(nv->value, failure_actions[i].name) == 0) {
- if (failure_actions[i].option != FA_EMAIL) {
- config->disk_error_action =
- failure_actions[i].option;
- return 0;
- } else {
- audit_msg(LOG_ERR,
- "Illegal option %s for disk_error_action - line %d",
+ if (failure_actions[i].option == FA_EMAIL ) {
+ audit_msg(LOG_ERR,
+ "Illegal option %s for disk_error_action - line %d",
nv->value, line);
return 1;
}
- } else if (i == FA_EXEC) {
- if (strncasecmp(failure_actions[i].name,
- nv->value, 4) == 0){
+ if (failure_actions[i].option == FA_EXEC) {
if (check_exe_name(nv->option))
return 1;
config->disk_error_exe = strdup(nv->option);
- config->disk_error_action = FA_EXEC;
- return 0;
}
+ config->disk_error_action =
+ failure_actions[i].option;
+ return 0;
}
}
audit_msg(LOG_ERR, "Option %s not found - line %d", nv->value, line);
Regards
Chu Li
16 years, 5 months
[PATCH]fix the bug of using strtoul in priority_boost_parse() and freq_parse()
by chuli
Hello Mr. Steve£¬
In src/auditd-config.c and audisp/audispd-config.c, the function
priority_boost_parser() and freq_parse() use strtoul to convert the numeric
and
then compare it with INT_MAX. It meant that the value of priority_boost and
freq
in /etc/audit/auditd.conf should not be larger than INT_MAX.
But there is a little error in the codes: it uses an int variable to store
the
result of strtoul() and then compare the variable with INT_MAX. So the result
of comparison is always "not larger than".
I think it's better to modify the codes to implement its intention.
The attached patch fixes the problem in src/auditd-config.c and
audisp/audispd-config.c of audit-1.7.4.
What's your opinion about such modification?
PS:
priority_boost: a non-negative number that tells the audit daemon how much of
a priority boost it should take.
freq: a non-negative number that tells the audit damon how many records to
write
before issuing an explicit flush to disk command.
Signed-off-by: Chu Li<chul(a)cn.fujitsu.com>
---
diff --git a/src/auditd-config.c b/src/auditd-config.c
index 8a81b46..e9111a4 100644
--- a/src/auditd-config.c
+++ b/src/auditd-config.c
@@ -782,7 +782,7 @@ static int freq_parser(struct nv_pair *nv, int line,
struct daemon_conf *config)
{
const char *ptr = nv->value;
- int i;
+ unsigned long i;
audit_msg(LOG_DEBUG, "freq_parser called with: %s", nv->value);
@@ -1112,7 +1112,7 @@ static int priority_boost_parser(struct nv_pair *nv, int
line,
struct daemon_conf *config)
{
const char *ptr = nv->value;
- int i;
+ unsigned long i;
audit_msg(LOG_DEBUG, "priority_boost_parser called with: %s",
nv->value);
diff --git a/audisp/audispd-config.c b/audisp/audispd-config.c
index b0bcaef..e9d254a 100644
--- a/audisp/audispd-config.c
+++ b/audisp/audispd-config.c
@@ -387,7 +387,7 @@ static int priority_boost_parser(struct nv_pair *nv, int
line,
struct daemon_conf *config)
{
const char *ptr = nv->value;
- int i;
+ unsigned long i;
audit_msg(LOG_DEBUG, "priority_boost_parser called with: %s",
nv->value);
Regards
Chu Li
16 years, 5 months
Re: There is a bug on parsing file path in auditd-config.c and audispd-pconfig.c
by wangf
Hi Steve,
What do think about this patch?
When user defines path's dirname's length < 4bit in
/etc/audit/auditd.conf or in plugin configure file,this error always
happens.
If you have other opinion, please tell me, thank you.
-----Original Message-----
From: wangf
Sent: 2008-7-1 14:43
> Hi Steve,
>
> There is a bug in function dispatch_parser() and path_parser().
>
> when we use dir = dirname (tdir), if tdir is not NULL, tdir and dir
> point to the same addr., so if we use free(tdir) before
> audit_msg(LOG_ERR, "The directory name: %s is too short - line %d",
> dir, line); we can not get the dir's correct value.
Because dir's space has been freed, so the space can be used by others.
when we get dir's value, it will be wrong.
Please look the two examples:
1)
define "dispatcher = /my/audispd" in /etc/audit/auditd.conf
This error message will be printed into syslog such as:
"Jul 11 10:39:04 localhost auditd: The directory name: /etc/localtime is
too short - line 12"
but in fact it should be such error message:
"Jul 11 10:39:04 localhost auditd: The directory name: /my is too short
- line 12"
2)
The same problem in plugin configure file:
define "path = /my/myplugin" in /etc/audisp/plugins.d/user.conf
This error message will be printed into syslog such as:
"Jul 11 10:38:39 localhost audispd: The directory name: 8óô·^C is too
short - line 3"
but in fact it should be such error message:
"Jul 11 10:38:39 localhost audispd: The directory name: /my is too short
- line 3"
>
> This patch can solve this problem.
>
> Signed-off-by: Wang Fang <wangf(a)cn.fujitsu.com>
> ---
> diff -Nrup audit-1.7.4/audisp/audispd-pconfig.c
> audit-1.7.4-new/audisp/audispd-pconfig.c
> --- audit-1.7.4/audisp/audispd-pconfig.c 2007-09-02
> 23:24:15.000000000 +0800
> +++ audit-1.7.4-new/audisp/audispd-pconfig.c 2008-06-21
> 18:33:14.000000000 +0800
> @@ -379,10 +379,10 @@ static int path_parser(struct nv_pair *n
> if (tdir)
> dir = dirname(tdir);
> if (dir == NULL || strlen(dir) < 4) { // '/var' is shortest dirname
> - free(tdir);
> audit_msg(LOG_ERR,
> "The directory name: %s is too short - line %d",
> dir, line);
> + free(tdir);
> return 1;
> }
>
> diff -Nrup audit-1.7.4/src/auditd-config.c
> audit-1.7.4-new/src/auditd-config.c
> --- audit-1.7.4/src/auditd-config.c 2008-05-09 22:44:38.000000000
> +0800
> +++ audit-1.7.4-new/src/auditd-config.c 2008-06-21
> 18:39:58.000000000 +0800
> @@ -592,10 +592,10 @@ static int dispatch_parser(struct nv_pai
> if (tdir)
> dir = dirname(tdir);
> if (dir == NULL || strlen(dir) < 4) { // '/var' is shortest dirname
> - free(tdir);
> audit_msg(LOG_ERR,
> "The directory name: %s is too short - line %d",
> dir, line);
> + free(tdir);
> return 1;
> }
>
> --
> Best Regards,
> Wang Fang
>
>
>
> --
> Linux-audit mailing list
> Linux-audit(a)redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>
>
16 years, 5 months