prelude events
by LC Bruzenak
I don't think file watch events are reported to prelude...right?
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
16 years, 1 month
audit 1.7.5 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
soon. The Changelog is:
- Update system-config-audit to 0.4.8 (Miloslav Trmac)
- Don't free const fcntl strings in auparse (Miloslav Trmac)
- Fix priority_boost_parse and freq_parse functions INT_MAX compares (Chu Li)
- Fix parsing in ausearch user records for acct field (Peng Haitao)
- Allow only 1 add or delete operation per auditctl rule (Yu Zhiguo)
- Delay freeing file path in auditd-config.c and audispd-pconfig.c (wangf)
- Update IDMEF node classifications
- Apply cleanup of auditctl.c main(). (Yu Zhiguo)
- Fix parsing of exec options to some auditd actions (Chu Li)
- Correct permission test on dispatcher and exe name (Chu Li)
- Disallow using exit field on the entry filter (Zhang Xiliang)
- Correct the calculation of nlmsg_len (Yu Zhiguo)
- Fix parsing of CONFIG_CHANGE events so that search on keys work (Peng Haitao)
- Fix parsing of filter,action in auditctl
- Fix format string of audit status in auditctl (Yu Zhiguo)
- Better checking of field & filter combinations (Zhang Xiliang)
- Call prelude_deinit when shutting down prelude plugin
- Make sure value is given after the operator in auditctl rules (Zhang Xiliang)
- Error when rule require numeric value and one is not given (Zhang Xiliang)
- Remove unnecessary base name code (Chu Li)
- Cleanup checking of field name & operator (Zhang Xiliang)
- Add audit_number_to_errmsg() function for error strings (Zhang Xiliang)
- Reimplement auditd main loop using libev (DJ Delorie)
- Update unknown uid/gid messages in audit rule parsing (Cai Xianchao)
- Don't allow negative uid/gid in auditctl rules (Cai Xianchao)
- Add TCP listener and managed remote protocol features (DJ Delorie)
- Allow config_change audit records with no auid to parse in ausearch/report
- Attempt to solve scheduler issue where queues overflow
- Strip the newline off events converted to string in audispd
This is a huge changelog and is probably one of the more significant code
cleanups in a very long time. Thanks to the Fujitsu people for submitting all
the patches!
The other significant item in this release is the receive code for the remote
audit logging. See this email thread for details:
https://www.redhat.com/archives/linux-audit/2008-August/msg00118.html
I will probably follow this release up with another release in about 2-3 weeks
that finishes the remote logging and updates the syscall tables for the
2.6.27 kernel.
Please let me know if you run across any problems with this release.
-Steve
Audit for live supervision
by Kay Hayen
Hello,
I would like to present our plan for using audit briefly. We have made a
prototype implementation, and discovered some things along the way.
We are making a middleware for ATC systems. We are writing it in Ada and
partially in Python. In Python we do mostly the prototypes, so the prototype
code is in Python.
For that, we have one problem, to uniquely identify a process that
communicated with the outside world. We have settled with the process start
date. That date can be determined in a way so that it is stable
(using /proc/stat btime field, elf note for Hertz value, and then translate
ticks from /proc/pid/stat into a date) and reproducible outside of the
process. Given the pid and start_date, we can check if a process is still
alive, reliably. The method is notably different from what ps does, which may
(or so I propose after looking at the source) output different start times in
different runs.
We have a daemon running that may or may not fork processes that it monitors,
for the communicating ones, we want to be able to tell everybody in the
system (spanning several nodes) that a communication partner is no more, for
non-communicating ones we simply want to observe and report that e.g. ntpd or
some monitoring/working shell script is running or not.
The identifier hostname/pid/start_date is therefore what we call a "life"
of a process. It may restart, but the pid won't wrap around within one tick,
that is at least the limiting restriction.
Now one issue, I see is that the times that we get from auditd through the
socket from its child daemon may not match the start_date exactly. I think
they could. Actually we would prefer to receive the tick at which a process
started, instead of an absolute time dated fork event, because then we could
apply our code to calculate the stable time. Alternatively it would be nice
to know how the time value from auditd comes into existence. In principle
it's true, that for every event we should actually get the tick over a date,
at least both. Ticks are the real kernel time, aren't they?
Currently we feel we should apply a delta around the times to match them, and
that's somehow unstable methinks. We would prefer delta to be 0. Otherwise we
may e.g. run into pid number overruns much easier.
The other thing is sequence numbers. We see in the output sequence numbers for
each audit event. Very nice. But can you confirm where these sequence numbers
are created? Are they done in the kernel, in auditd or in its child daemon?
The underlying question is, how safe can we be that we didn't miss anything
when sequence numbers don't suggest so. We would like to use the lossless
mode of auditd. Does that simply mean that auditd may get behind in worst
case?
Then, we have first looked at auditd 1.2 (RHEL3), auditd 1.6 (RHEL5/Ubuntu)
and auditd 1.7 (Debian and self-compiled for RHEL 5.2). The format did
undergo important changes and it seems that 1.7 is much more friendly to
parse. Can you confirm that a type=EOE delimits every event (is that even the
correct term to use, audit trace, how is it called).
We can't build the rpm due to dependency problems, so I was using the hard
way, ./configure --prefix=/opt/auditd-1.7 and that works fine on our RHEL 5.2
it seems. What's not so clear to (me) is which kernel dependency there really
is. Were there interface changes at all? The changelog didn't suggest so.
BTW: Release-wise, will RHEL 5.3 include the latest auditd? That is our target
platform for a release next year, and it sure would be nice not to have to
fix up the audit installation.
One thing I observed with 1.7.4-1 from Debian Testing amd64 that we won't ever
see any clone events on the socket (and no forks, but we only know of cron
doing these anyway), but all execs and exit_groups.
The rules we use are:
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320
# Feel free to add below this line. See auditctl man page
-a entry,always -S clone -S fork -S vfork
-a entry,always -S execve
-a entry,always -S exit_group -S exit
Very strange. Works fine with self-compiled RHEL 5.2, I understand that you are
not Debian guys, I just wanted to ask you briefly if you were aware of
anything that could cause that. I am going to report that as a bug (to them)
otherwise.
With our rules file, we have grouped only similar purpose syscalls that we
care about. The goal we have is to track all newly created processes, their
exits and the code they run. If you are aware of anything we miss, please
point it out.
Also, is it true (I read that yesterday) that every syscall is slowed down for
every new rule? That means, we are making a mistake by not having only one
line? And is open() performance really affected by this? Does audit not
(yet?) use other tracing interface like SystemTap, etc. where people try to
have 0 cost for inactive traces.
Also on a general basis. Do you recommend using the sub-daemon for the job or
should we rather use libaudit for the task instead? Any insight is welcome
here.
What we would like to achieve is:
1. Monitor every created process if it (was) relevant to something. We don't
want to miss a process however briefly it ran.
2. We don't want to poll periodically, but rather only wake up (and then with
minimal latency) when something interesting happened. We would want to poll a
periodic check that forks are still reported, so we would detect a loss of
service from audit.
3. We don't want to possibly lose or miss anything, even if load gets higher,
although we don't require to survive a fork bomb.
Sorry for the overlong email. We just hope you can help us identify how to
make best use of audit for our project.
Best regards,
Kay Hayen
some files are missing
by Yu Zhiguo
Hello steve,
I download trunk-r52.zip from SVN webpage. It seems that some files are missing.
In src/Makefile.am, auditd-listen.h and auditd-listen.c are used, but they are nonexistent.
So an error occurred when running make:
#make
...
Making all in src
make[2]: Entering directory `/home/yuzg/audit/trunk/src'
make[2]: *** No rule to make target `auditd-listen.c', needed by `auditd-auditd-listen.o'. Stop.
make[2]: Leaving directory `/home/yuzg/audit/trunk/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/yuzg/audit/trunk'
make: *** [all] Error 2
Can you provide these files?
no logging of successful events?
by Brian LaMere
With the following auditd.conf and audit.rules, we generate MASSIVE logs
very quickly. I don't care about successful audit events; I'm not
required to log them, and there's no way I could have the space for a
year's worth anyway. So...why is it that "LIST_RULES: exit,always
success!=0 syscall=open" doesn't disregard the successful calls? I can
still see them if I do an aureport.
The logs are simply too massive to keep; if I set the max_log_file to
much higher than 50 with 99 logs, an aureport takes eons.
Unfortunately, it needs to be that high to save even a day's worth of
logs when they're running certain programs. Any suggestions?
----------------------
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 3
flush = INCREMENTAL
freq = 20
num_logs = 50
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 20
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
--------------------------
LIST_RULES: exit,always success!=0 syscall=open
LIST_RULES: exit,always syscall=rmdir,unlink
LIST_RULES: exit,always syscall=acct,swapon,reboot
LIST_RULES: exit,always syscall=setrlimit,settimeofday,setdomainname
LIST_RULES: exit,always syscall=sched_setparam,sched_setscheduler
LIST_RULES: exit,always syscall=chmod,fchmod,chown,fchown
LIST_RULES: exit,always syscall=lchown
LIST_RULES: exit,always watch=/etc/auditd.conf perm=rwxa
LIST_RULES: exit,always watch=/etc/audit.rules perm=rwxa
------------------------------------------
audit-viewer error
by LC Bruzenak
My audit-viewer (audit-viewer-0.3-1) crashes at startup with the
following:
Traceback (most recent call last):
File "/usr/share/audit-viewer/main.py", line 71, in <module>
if w.setup_initial_window(args):
File "/usr/share/audit-viewer/main_window.py", line 158, in
setup_initial_window
self.new_list_tab([])
File "/usr/share/audit-viewer/main_window.py", line 176, in
new_list_tab
tab = ListTab(filters, self)
File "/usr/share/audit-viewer/list_tab.py", line 161, in __init__
self.refresh()
File "/usr/share/audit-viewer/list_tab.py", line 195, in refresh
event_sequence = self.__refresh_get_event_sequence()
File "/usr/share/audit-viewer/list_tab.py", line 483, in
__refresh_get_event_sequence
want_other_fields, True)
File "/usr/share/audit-viewer/main_window.py", line 265, in
read_events
keep_raw_records)
File "/usr/share/audit-viewer/event_source.py", line 135, in
read_events
e = events[(ts.serial, ts.sec, ts.milli)]
AttributeError: 'NoneType' object has no attribute 'serial'
I looked back through all the event IDs from today (I assume
ts.serial==auid) and didn't see any missing yet.
I did see some ordering inconsistency (probably normal) - from "ausearch
-ts today -i" (note the second event set - the time and auid are not
consecutive as with the others). Surrounding events concatenated for
brevity:
----
type=PATH msg=audit(08/13/2008 10:35:11.661:2406) : item=1...
type=PATH msg=audit(08/13/2008 10:35:11.661:2406) : item=0...
type=CWD msg=audit(08/13/2008 10:35:11.661:2406) : cwd=/
type=SYSCALL msg=audit(08/13/2008 10:35:11.661:2406) : ...
----
type=SYSCALL msg=audit(08/13/2008 09:47:47.411:1015) : arch=x86_64
syscall=read success=no exit=-4(Interrupted system call) a0=3
a1=7f0807344010 a2=21000 a3=3597f67a58 items=0 ppid=1 pid=5239
auid=lenny uid=lenny gid=lenny euid=lenny suid=lenny fsuid=lenny
egid=lenny sgid=lenny fsgid=lenny tty=(none) ses=2 comm=gvfs-fuse-daemo
exe=/usr/libexec/gvfs-fuse-daemon
subj=user_u:user_r:user_t:s0-s15:c0.c1023 key=(null)
----
type=PATH msg=audit(08/13/2008 10:35:11.663:2407) : item=0...
type=CWD msg=audit(08/13/2008 10:35:11.663:2407) : cwd=/
type=SYSCALL msg=audit(08/13/2008 10:35:11.663:2407) : arch=x86_64...
----
Any thoughts as to what I can do?
I guess I can selectively move audit.log files out of the directory
until I can see which one has data causing the problem...
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
[PATCH 1/2] fix a bug where using option '-r' cannot output all unformatted logs
by Peng Haitao
Hello Steve,
Executing command "echo 'type=CONFIG_CHANGE msg=audit(1214114026.152:1641): op=updated rules specifying path="/home/pht/source/sys_temp" with dev=4294967295 ino=4294967295 list=-672208416 res=1' | ausearch -r", the output is NULL.
The log is from /var/log/audit/audit.log and not modified.
Signed-off-by: Peng Haitao <penght(a)cn.fujitsu.com>
---
src/ausearch-parse.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index 141fdee..0c38be1 100755
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -1403,7 +1403,7 @@ static int parse_simple_message(const lnode *n, search_items *s)
// get loginuid
str = strstr(n->message, "auid=");
if (str == NULL)
- return 1;
+ return 0;
ptr = str + 5;
term = strchr(ptr, ' ');
if (term)
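Review bot: Returning 0 when `auid=` is absent turns a missing loginuid into a success, which is what a CONFIG_CHANGE record without an auid needs, but nothing in the hunk resets the loginuid slot in `s`; confirm that the caller initialises it to the "unset" value before `parse_simple_message()` runs, otherwise a `--loginuid` search could match on whatever was left there. If other early `return 1` paths in the same function guard fields that are likewise optional in some record types, they should get the same treatment, and the commit message should say which record types legitimately lack `auid=` so the relaxation is understood.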
--
1.5.4.2
--
Regards
Peng Haitao
get_field_str() and interpret_field() bug with multi-word fields
by Jonathan Kelly
Hello,
When using the python auparse library to call AuParser.interpret_field()
on a multi-word field, only the first word in the field is returned.
Using get_field_str() instead of interpret_field() yields the same
output. I have verified that this issue exists in the C library, as
well as the Python. I suspect that this may be an issue for multi-word
fields in general, but have not noticed any other than 'op'.
Here is some sample code and input/output:
---
#!/usr/bin/python
from auparse import *

parser = AuParser(AUSOURCE_LOGS)
# The fourth argument is the rule-combining mode; the stop position is set separately.
parser.search_add_item("type", "=", "USER_CHAUTHTOK", AUSEARCH_RULE_CLEAR)
parser.search_set_stop(AUSEARCH_STOP_EVENT)
account_changes = []
while parser.search_next_event() == True:
    for record in range(parser.get_num_records()):
        event = {}
        event['timestamp'] = parser.get_timestamp().sec
        for field in range(parser.get_num_fields()):
            key = parser.get_field_name()
            value = parser.interpret_field()
            event[key] = value
            parser.next_field()
        if event['type'] == 'USER_CHAUTHTOK':
            account_changes.append(event)
        parser.next_record()
    # Step past the matched event so the next search does not return it again.
    parser.parse_next_event()
print(account_changes)
---
#include <auparse.h>
#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <libaudit.h>

int main(void)
{
    auparse_state_t *au = auparse_init(AUSOURCE_LOGS, NULL);
    if (au == NULL)
        exit(1);
    if (ausearch_add_item(au, "type", "=", "USER_CHAUTHTOK",
                          AUSEARCH_RULE_CLEAR))
        exit(1);
    if (ausearch_set_stop(au, AUSEARCH_STOP_EVENT))
        exit(1);
    while (ausearch_next_event(au) > 0) {
        if (auparse_find_field(au, "op")) {
            printf("interpret: op=%s\n",
                   auparse_interpret_field(au));
            printf("str: op=%s\n",
                   auparse_get_field_str(au));
        }
        /* step past the match so the search resumes after it */
        auparse_next_event(au);
    }
    auparse_destroy(au);
    return 0;
}
---
(audit.log)
type=USER_CHAUTHTOK msg=audit(1218562665.856:1103638): user pid=13396
uid=0 auid=502 msg='op=adding user acct=testuser exe="/usr/sbin/useradd"
(hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_CHAUTHTOK msg=audit(1218562665.895:1103662): user pid=13396
uid=0 auid=502 msg='op=adding home directory acct=testuser
exe="/usr/sbin/useradd" (hostname=?, addr=?, terminal=pts/0
res=success)'
type=USER_CHAUTHTOK msg=audit(1218562670.415:1103686): user pid=13401
uid=0 auid=502 msg='op=deleting user entries acct=testuser
exe="/usr/sbin/userdel" (hostname=?, addr=?, terminal=pts/0
res=success)'
type=USER_CHAUTHTOK msg=audit(1218562670.416:1103687): user pid=13401
uid=0 auid=502 msg='op=deleting group acct=testuser
exe="/usr/sbin/userdel" (hostname=?, addr=?, terminal=pts/0 res=failed)'
(python with full event)
{'auid': '502', 'exe': '"/usr/sbin/useradd"', 'uid': '0', 'timestamp':
1218562665, 'hostname': '?', 'pid': '13396', 'terminal': 'pts/0', 'res':
'success', 'addr': '?', 'acct': 'testuser', 'type': 'USER_CHAUTHTOK',
'op': 'adding'},
{'auid': '502', 'exe': '"/usr/sbin/useradd"', 'uid': '0', 'timestamp':
1218562665, 'hostname': '?', 'pid': '13396', 'terminal': 'pts/0', 'res':
'success', 'addr': '?', 'acct': 'testuser', 'type': 'USER_CHAUTHTOK',
'op': 'adding'},
{'auid': '502', 'exe': '"/usr/sbin/userdel"', 'uid': '0', 'timestamp':
1218562670, 'hostname': '?', 'pid': '13401', 'terminal': 'pts/0', 'res':
'success', 'addr': '?', 'acct': 'testuser', 'type': 'USER_CHAUTHTOK',
'op': 'deleting'},
{'auid': '502', 'exe': '"/usr/sbin/userdel"', 'uid': '0', 'timestamp':
1218562670, 'hostname': '?', 'pid': '13401', 'terminal': 'pts/0', 'res':
'failed', 'addr': '?', 'acct': 'testuser', 'type': 'USER_CHAUTHTOK',
'op': 'deleting'}]
(c with just op field)
interpret: op=adding
str: op=adding
interpret: op=adding
str: op=adding
interpret: op=deleting
str: op=deleting
interpret: op=deleting
str: op=deleting
---
Unfortunately, my C is a little too rusty for me to attempt a patch
myself, but I hope this gives you everything you need to get this fixed!
Best regards,
Jonathan Kelly
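Two questions from the list are illustrated by the following added example, which is not code from the thread or from auparse: Jonathan's multi-word `op=` values, and Kay Hayen's earlier question about whether the per-event serial lets a consumer tell that nothing was dropped. The parser is a tokenizer in which a value runs until the next `key=` token, so `op=adding home directory` survives intact; records are then grouped by serial and the serials absent between the first and last seen are listed. The log lines are constructed to match the shape of those Jonathan quoted (with changed serials), and the gap at serial 1103639 is deliberate.

```python
# Added example (not from the thread or from auparse): parse raw audit
# records, keep multi-word values whole, group records into events by
# serial and report serials that never arrived.
import re

# Constructed sample lines; serial 1103639 is intentionally missing.
SAMPLE_LOG = """type=USER_CHAUTHTOK msg=audit(1218562665.856:1103638): user pid=13396 uid=0 auid=502 msg='op=adding user acct=testuser exe="/usr/sbin/useradd" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_CHAUTHTOK msg=audit(1218562665.895:1103640): user pid=13396 uid=0 auid=502 msg='op=adding home directory acct=testuser exe="/usr/sbin/useradd" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=SYSCALL msg=audit(1218562670.415:1103641): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=5239 auid=502 comm="useradd" exe="/usr/sbin/useradd" key=(null)
type=EOE msg=audit(1218562670.415:1103641):
"""

STAMP_RE = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")
KEY_TOKEN = re.compile(r"^(\w+)=(.*)$")
PAYLOAD_RE = re.compile(r"msg='(.*)'\s*$")   # the quoted user-space payload


def _clean(tok):
    """Drop the separators audit puts around the '(hostname=?, addr=?, ...)' group."""
    tok = tok.rstrip(",")
    if tok.endswith(")") and "(" not in tok:
        tok = tok[:-1]
    return tok


def parse_fields(text):
    """Turn 'k=v k2=v v v ...' into a dict.

    A value runs until the next token of the form key=, so 'op=adding home
    directory' yields 'adding home directory'.  A double-quoted value that
    contains spaces is also kept whole.
    """
    fields = {}
    key = None
    in_quote = False
    for tok in text.split():
        m = None if in_quote else KEY_TOKEN.match(tok.lstrip("("))
        if m:
            key = m.group(1)
            fields[key] = _clean(m.group(2))
        elif key is not None:
            fields[key] += " " + _clean(tok)   # continuation of a multi-word value
        else:
            continue                            # leading words such as 'user' carry no key
        v = fields[key]
        in_quote = v.startswith('"') and not (len(v) > 1 and v.endswith('"'))
    return fields


def parse_record(line):
    """Split one raw audit line into its stamp and fields (msg='...' payload merged in)."""
    m = STAMP_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, sec, milli, serial, rest = m.groups()
    payload = PAYLOAD_RE.search(rest)
    fields = parse_fields(rest[:payload.start()] if payload else rest)
    if payload:
        fields.update(parse_fields(payload.group(1)))
    fields["type"] = rtype
    return {"serial": int(serial), "sec": int(sec), "milli": int(milli), "fields": fields}


def group_events(lines):
    """Records sharing a serial form one event; a type=EOE record, when present, is its last."""
    events = {}
    for line in lines:
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec["serial"], []).append(rec)
    return events


def missing_serials(events):
    """Serials absent between the lowest and highest seen: candidates for dropped events."""
    seen = sorted(events)
    return [s for s in range(seen[0], seen[-1] + 1) if s not in events]


if __name__ == "__main__":
    evs = group_events(SAMPLE_LOG.splitlines())
    for serial in sorted(evs):
        print(serial, [r["fields"].get("op", r["fields"]["type"]) for r in evs[serial]])
    print("missing:", missing_serials(evs))
```

A gap in the serials is only evidence of loss when the consumer reads every record the daemon emitted; a filtered search (like the USER_CHAUTHTOK one above) will naturally show gaps, so run the gap check over the unfiltered stream.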
Re: Linux-audit Digest, Vol 47, Issue 12
by Randy Zagar
On Wednesday 13 August 2008 13:02:05 Steve Grubb wrote:
> On Wednesday 13 August 2008 12:25:09 Klaus Heinrich Kiwi wrote:
>> > I like Mathew's idea of having a binary format though. Maybe it's
>> > possible to carry the legacy format for some time while we have a more
>> > robust (and extensible) binary format in parallel? And then having a
>> > binary format version tag within each record?
>>
>
> Yes, there would have to be a migration path. I think we talked about XDR as a
> possibility 4 years ago because it's already inside the kernel. The kernel
> guys at the time wanted to re-use something already inside or something that
> was compact in its representation.
>
> What I believe led to text based was the general feeling that logs should be
> human readable with less, tail, or vi if need be.
>
> A problem with binary representations will be what happens with aggregated
> big-endian and little-endian system logs?
>
Aggregated logs from big-endian and little-endian systems should not be
a problem if you use XDR... the endian-ness of the cpu is completely
irrelevant.
IMHO, text would be preferable, but I don't have a dog in this fight...
-RZ
--
Randy Zagar
Sr. Unix Systems Administrator
Applied Research Laboratories, Univ. of Texas at Austin
E-mail: zagar(a)arlut.utexas.edu
Phone: 512 835-3131
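As an added illustration of Randy's point, not code from the thread or from the audit project: XDR fixes every item at big-endian, 4-byte-aligned units, so an encoder produces identical bytes whatever the producing CPU's byte order. The record layout used here (serial, seconds, milliseconds, type name) is an assumed toy, not any audit wire format; native_uint() shows the host-order packing that would differ between producers.

```python
# Added example (not from the thread): a minimal XDR encoder/decoder built on
# struct, showing why endianness drops out of an XDR byte stream.
import struct
import sys


def xdr_uint(n):
    """XDR unsigned int: 4 bytes, big-endian, regardless of sys.byteorder."""
    return struct.pack(">I", n)


def xdr_string(s):
    """XDR string: length word, the bytes, then zero padding to a 4-byte boundary."""
    data = s.encode("ascii")
    pad = (-len(data)) % 4
    return xdr_uint(len(data)) + data + b"\0" * pad


def encode_record(serial, sec, milli, rtype):
    """Toy record layout (assumed, not an audit format): serial, sec, milli, type."""
    return xdr_uint(serial) + xdr_uint(sec) + xdr_uint(milli) + xdr_string(rtype)


def decode_record(buf):
    """Return ((serial, sec, milli, rtype), remaining_bytes)."""
    serial, sec, milli, length = struct.unpack_from(">IIII", buf, 0)
    start = 16
    rtype = buf[start:start + length].decode("ascii")
    consumed = start + length + (-length) % 4   # skip the padding too
    return (serial, sec, milli, rtype), buf[consumed:]


def native_uint(n):
    """For contrast: host byte order, which differs between big- and little-endian hosts."""
    return struct.pack("=I", n)


if __name__ == "__main__":
    rec = encode_record(2406, 1218630911, 661, "SYSCALL")
    print("host is", sys.byteorder, "endian")
    print("xdr   :", xdr_uint(2406).hex())
    print("native:", native_uint(2406).hex())
    print(decode_record(rec))
```

The decoder never consults the host's byte order either, which is what makes aggregated logs from mixed architectures a non-issue with XDR; the version tag proposed in the thread would simply be another leading XDR int.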
[RFC][PATCH] audit: get inode pathname patch
by Mimi Zohar
We are interested in using auditing's context pathname information.
Is this the best way of accessing it?
Add support for accessing auditing's inode full pathname.
Signed-off-by: Mimi Zohar <zohar(a)us.ibm.com>
Index: security-testing-2.6/include/linux/audit.h
===================================================================
--- security-testing-2.6.orig/include/linux/audit.h
+++ security-testing-2.6/include/linux/audit.h
@@ -403,6 +403,8 @@ extern void audit_syscall_entry(int arch
unsigned long a2, unsigned long a3);
extern void audit_syscall_exit(int failed, long return_code);
extern void __audit_getname(const char *name);
+extern const char *audit_get_inode_pathname(struct task_struct *tsk,
+ struct inode *inode);
extern void audit_putname(const char *name);
extern void __audit_inode(const char *name, const struct dentry *dentry);
extern void __audit_inode_child(const char *dname, const struct dentry *dentry,
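Review bot: The new prototype is placed next to `__audit_getname()` and `audit_putname()`; if those declarations sit under `#ifdef CONFIG_AUDITSYSCALL` (outside the visible context), the `#else` branch needs a matching `static inline` stub returning NULL, otherwise a caller built without syscall auditing fails to compile. The signature also takes a `struct inode *`; make sure the header already has a forward declaration of `struct inode` at this point, since none is added here.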
Index: security-testing-2.6/kernel/auditsc.c
===================================================================
--- security-testing-2.6.orig/kernel/auditsc.c
+++ security-testing-2.6/kernel/auditsc.c
@@ -1677,6 +1677,28 @@ retry:
#endif
}
+const char *audit_get_inode_pathname(struct task_struct *tsk,
+ struct inode *inode)
+{
+ struct audit_context *context;
+ int idx;
+
+ context = tsk->audit_context;
+ if (!context)
+ return NULL;
+ for (idx = 0; idx < context->name_count; idx++) {
+ struct audit_names *n = &context->names[idx];
+
+ if (!n->name)
+ continue;
+
+ if (n->ino == inode->i_ino)
+ return n->name;
+ }
+ return NULL;
+}
+EXPORT_SYMBOL_GPL(audit_get_inode_pathname);
+
/**
* audit_getname - add a name to the list
* @name: name to add
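Review bot: Matching on `n->ino == inode->i_ino` alone is ambiguous, because inode numbers are only unique per filesystem; compare the device as well (for example `n->dev == inode->i_sb->s_dev`, using the `dev` that `struct audit_names` records beside `ino`), and note that the loop returns the first entry whose inode matches even when `names[]` holds several for the same inode. The returned pointer aliases `context->names[idx].name`, which the audit core frees when the syscall context is cleaned up, so the lifetime contract (valid only while the current syscall is in progress, effectively only for `tsk == current`) belongs in a kerneldoc comment like the one `audit_getname` carries directly below; walking another task's `audit_context` with no synchronisation is otherwise a use-after-free waiting to happen.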