user message limits
by LC Bruzenak
I know I can go look at the code, however I figured I'd ask here first
about the limits on the user message in both audit_log_user_message and
ausearch.
With audit_log_user_message the maximum length allowed appears to be
around MAX_AUDIT_MESSAGE_LENGTH-100. I think it may depend on the
executable name length (and other stuff auto-pushed into the string)
which is why I say "around".
Even when I get a successful return value (from audit_log_user_message),
I don't get my string back out in "ausearch" unless it is WAY smaller -
~1K or less I think.
Any ideas/thoughts?
This is the latest (1.7.11-2) audit package.
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
10 years, 8 months
[PATCH] Add auditd listener and remote audit protocol
by DJ Delorie
Second in a series, a bit bigger than the first one.
(http://www.redhat.com/archives/linux-audit/2008-August/msg00070.html)
The goal of this patch is to add the server side of the remote logging
feature. To this end, a new auditd-listener.c is added which listens
on a TCP port for connections from other systems' audisp-remote
plugins. A new (private) protocol is added which prepends each
message with a header, giving length, status, version, and sequence
information. Each message begets a reply from the server, so we can
pass along status like "disk full" or "ok". Currently, these call a
set of stub functions, as the details of performing appropriate
actions from the plugin are yet to be decided.
The remote plugin has a new option "format" for "ascii" or "managed"
to choose between the old protocol (ascii strings) and the new one
(the header with ACK, default).
The listener will accept either format. It has new options for the
listen port, accept queue size, and acceptable client-side ports.
Comments?
DJ
Proposed ChangeLog entry:
- Add TCP listener and managed remote protocol features.
diff -N -U 3 -x .svn -r pristine/audisp/plugins/remote/audisp-remote.c trunk/audisp/plugins/remote/audisp-remote.c
--- pristine/audisp/plugins/remote/audisp-remote.c 2008-08-04 12:47:28.000000000 -0400
+++ trunk/audisp/plugins/remote/audisp-remote.c 2008-08-14 14:10:48.000000000 -0400
@@ -30,7 +30,11 @@
#include <unistd.h>
#include <stdlib.h>
#include <errno.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netinet/tcp.h>
#include "libaudit.h"
+#include "private.h"
#include "remote-config.h"
#define CONFIG_FILE "/etc/audisp/audisp-remote.conf"
@@ -68,6 +72,56 @@
hup = 0;
}
+/*
+ * Handlers for various events coming back from the remote server.
+ * Return -1 if the remote dispatcher should exit.
+ */
+
+/* Loss of sync - got an invalid response. */
+static int sync_error_handler (const char *why)
+{
+ /* "why" has human-readable details on why we've lost (or will
+ be losing) sync. */
+ syslog (LOG_ERR, "lost/losing sync, %s", why);
+ return -1;
+}
+
+static int remote_disk_low_handler (const char *message)
+{
+ syslog (LOG_WARNING, "remote disk low, %s", message);
+ return 0;
+}
+
+static int remote_disk_full_handler (const char *message)
+{
+ syslog (LOG_ERR, "remote disk full, %s", message);
+ return -1;
+}
+
+static int remote_disk_error_handler (const char *message)
+{
+ syslog (LOG_ERR, "remote disk error, %s", message);
+ return -1;
+}
+
+static int remote_server_ending_handler (const char *message)
+{
+ syslog (LOG_INFO, "remote server ending, %s", message);
+ return -1;
+}
+
+static int generic_remote_error_handler (const char *message)
+{
+ stop = 1;
+ syslog(LOG_INFO, "audisp-remote: remote error: %s", message);
+ return -1;
+}
+static int generic_remote_warning_handler (const char *message)
+{
+ syslog(LOG_INFO, "audisp-remote: remote warning: %s", message);
+ return 0;
+}
+
int main(int argc, char *argv[])
{
@@ -122,6 +176,7 @@
struct addrinfo *ai;
struct addrinfo hints;
char remote[BUF_SIZE];
+ int one=1;
memset(&hints, '\0', sizeof(hints));
hints.ai_flags = AI_ADDRCONFIG|AI_NUMERICSERV;
@@ -140,12 +195,35 @@
freeaddrinfo(ai);
return -1;
}
+
+ setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (char *)&one, sizeof (int));
+
+ if (config.local_port != 0) {
+ struct sockaddr_in address;
+
+ memset (&address, 0, sizeof(address));
+ address.sin_family = htons(AF_INET);
+ address.sin_port = htons(config.local_port);
+ address.sin_addr.s_addr = htonl(INADDR_ANY);
+
+ if ( bind ( sock, (struct sockaddr *)&address, sizeof(address)) ) {
+ syslog(LOG_ERR, "Cannot bind local socket to port %d - exiting",
+ config.local_port);
+ close(sock);
+ return -1;
+ }
+
+ }
if (connect(sock, ai->ai_addr, ai->ai_addrlen)) {
syslog(LOG_ERR, "Error connecting to %s: %s - exiting",
config.remote_server, strerror(errno));
freeaddrinfo(ai);
return -1;
}
+
+ setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, (char *)&one, sizeof (int));
+ setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (char *)&one, sizeof (int));
+
freeaddrinfo(ai);
return 0;
}
@@ -166,16 +244,143 @@
return rc;
}
-static int relay_sock(const char *s, size_t len)
+static int ar_write (int sock, const void *buf, int len)
{
int rc;
-
do {
- rc = write(sock, s, len);
+ rc = write(sock, buf, len);
} while (rc < 0 && errno == EINTR);
- if (rc > 0)
- return 0;
- return -1;
+ return rc;
+}
+
+static int ar_read (int sock, void *buf, int len)
+{
+ unsigned char *obuf = buf;
+ int rc = 0, r;
+ while (len > 0) {
+ do {
+ r = read(sock, buf, len);
+ } while (r < 0 && errno == EINTR);
+ if (r < 0)
+ return r;
+ if (r == 0)
+ break;
+ rc += r;
+ buf = (void *)((char *)buf + r);
+ len -= r;
+ }
+ return rc;
+}
+
+static int relay_sock_ascii(const char *s, size_t len)
+{
+ int rc;
+
+ rc = ar_write(sock, s, len);
+ if (rc <= 0) {
+ stop = 1;
+ syslog(LOG_ERR, "connection to %s closed unexpectedly - exiting",
+ config.remote_server);
+ return -1;
+ }
+
+ return 0;
+}
+
+static int relay_sock_managed(const char *s, size_t len)
+{
+ static int sequence_id = 1;
+ int rc;
+ unsigned char header[AUDIT_RMW_HEADER_SIZE];
+ int hver, mver;
+ uint32_t magic, type, rlen, seq;
+ char msg[MAX_AUDIT_MESSAGE_LENGTH+1];
+
+ sequence_id ++;
+ AUDIT_RMW_PACK_HEADER (header, 0, 0, len, sequence_id);
+ rc = ar_write(sock, header, AUDIT_RMW_HEADER_SIZE);
+ if (rc <= 0) {
+ stop = 1;
+ syslog(LOG_ERR, "connection to %s closed unexpectedly - exiting",
+ config.remote_server);
+ return -1;
+ }
+
+ rc = ar_write(sock, s, len);
+ if (rc <= 0) {
+ stop = 1;
+ syslog(LOG_ERR, "connection to %s closed unexpectedly - exiting",
+ config.remote_server);
+ return -1;
+ }
+
+ rc = ar_read (sock, header, AUDIT_RMW_HEADER_SIZE);
+ if (rc < 16) {
+ stop = 1;
+ syslog(LOG_ERR, "connection to %s closed unexpectedly - exiting",
+ config.remote_server);
+ return -1;
+ }
+
+
+ if (! AUDIT_RMW_IS_MAGIC (header, AUDIT_RMW_HEADER_SIZE))
+ /* FIXME: the right thing to do here is close the socket and start a new one. */
+ return sync_error_handler ("bad magic number");
+
+ AUDIT_RMW_UNPACK_HEADER (header, hver, mver, type, rlen, seq);
+
+ if (rlen > MAX_AUDIT_MESSAGE_LENGTH)
+ return sync_error_handler ("message too long");
+
+ if (rlen > 0
+ && ar_read (sock, msg, rlen) < rlen)
+ return sync_error_handler ("ran out of data reading reply");
+ msg[rlen] = 0;
+
+ if (seq != sequence_id)
+ /* FIXME: should we read another header and
+ see if it matches? If so, we need to deal
+ with timeouts. */
+ return sync_error_handler ("mismatched response");
+
+ /* Specific errors we know how to deal with. */
+
+ if (type == AUDIT_RMW_TYPE_ENDING)
+ return remote_server_ending_handler (msg);
+ if (type == AUDIT_RMW_TYPE_DISKLOW)
+ return remote_disk_low_handler (msg);
+ if (type == AUDIT_RMW_TYPE_DISKFULL)
+ return remote_disk_full_handler (msg);
+ if (type == AUDIT_RMW_TYPE_DISKERROR)
+ return remote_disk_error_handler (msg);
+
+ /* Generic errors. */
+ if (type & AUDIT_RMW_TYPE_FATALMASK)
+ return generic_remote_error_handler (msg);
+ if (type & AUDIT_RMW_TYPE_WARNMASK)
+ return generic_remote_warning_handler (msg);
+
+ return 0;
+}
+
+static int relay_sock(const char *s, size_t len)
+{
+ int rc;
+
+ switch (config.format)
+ {
+ case F_MANAGED:
+ rc = relay_sock_managed (s, len);
+ break;
+ case F_ASCII:
+ rc = relay_sock_ascii (s, len);
+ break;
+ default:
+ rc = -1;
+ break;
+ }
+
+ return rc;
}
static int relay_event(const char *s, size_t len)
diff -N -U 3 -x .svn -r pristine/audisp/plugins/remote/audisp-remote.conf trunk/audisp/plugins/remote/audisp-remote.conf
--- pristine/audisp/plugins/remote/audisp-remote.conf 2008-08-04 12:47:28.000000000 -0400
+++ trunk/audisp/plugins/remote/audisp-remote.conf 2008-08-14 15:11:23.000000000 -0400
@@ -5,8 +5,9 @@
remote_server =
port = 60
+#local_port =
transport = tcp
mode = immediate
queue_depth = 20
fail_action = SYSLOG
-
+format = managed
diff -N -U 3 -x .svn -r pristine/audisp/plugins/remote/audisp-remote.conf.5 trunk/audisp/plugins/remote/audisp-remote.conf.5
--- pristine/audisp/plugins/remote/audisp-remote.conf.5 2008-08-04 12:47:28.000000000 -0400
+++ trunk/audisp/plugins/remote/audisp-remote.conf.5 2008-08-14 15:36:53.000000000 -0400
@@ -11,6 +11,13 @@
.I port
This option is an unsigned integer that indicates what port to connect to on the remote machine.
.TP
+.I local_port
+This option is an unsigned integer that indicates what local port to
+connect from on the local machine. If unspecified (the default) or
+set to the word
+.I any
+then any available unpriviledged port is used.
+.TP
.I transport
This parameter tells the remote logging app how to send events to the remote system. Valid values are
.IR tcp ", and " ssl ".
@@ -55,7 +62,22 @@
option will cause the remote logging app to put the computer system in single user mode.
.I halt
option will cause the remote logging app to shutdown the computer system.
+.TP
+.I format
+This parameter tells the remote logging app what data format will be
+used for the messages sent over the network. The default is
+.I managed
+which adds some overhead to ensure each message is properly handled on
+the remote end, and to receive status messages from the remote server.
+If
+.I ascii
+is given instead, each message is a simple ASCII text line with no
+overhead at all.
+.SH "NOTES"
+Specifying a local port may make it difficult to restart the audit
+subsystem due to the previous connection being in a TIME_WAIT state,
+if you're reconnecting to and from the same hosts and ports as before.
.SH "SEE ALSO"
.BR audispd (8),
.BR audisp-remote(8).
diff -N -U 3 -x .svn -r pristine/audisp/plugins/remote/remote-config.c trunk/audisp/plugins/remote/remote-config.c
--- pristine/audisp/plugins/remote/remote-config.c 2008-08-04 12:47:28.000000000 -0400
+++ trunk/audisp/plugins/remote/remote-config.c 2008-08-13 22:19:31.000000000 -0400
@@ -62,6 +62,8 @@
remote_conf_t *config);
static int port_parser(struct nv_pair *nv, int line,
remote_conf_t *config);
+static int local_port_parser(struct nv_pair *nv, int line,
+ remote_conf_t *config);
static int transport_parser(struct nv_pair *nv, int line,
remote_conf_t *config);
static int mode_parser(struct nv_pair *nv, int line,
@@ -70,16 +72,20 @@
remote_conf_t *config);
static int fail_action_parser(struct nv_pair *nv, int line,
remote_conf_t *config);
+static int format_parser(struct nv_pair *nv, int line,
+ remote_conf_t *config);
static int sanity_check(remote_conf_t *config, const char *file);
static const struct kw_pair keywords[] =
{
{"remote_server", server_parser, 0 },
{"port", port_parser, 0 },
+ {"local_port", local_port_parser, 0 },
{"transport", transport_parser, 0 },
{"mode", mode_parser, 0 },
{"queue_depth", depth_parser, 0 },
{"fail_action", fail_action_parser, 0 },
+ {"format", format_parser, 0 },
{ NULL, NULL }
};
@@ -107,6 +113,13 @@
{ NULL, 0 }
};
+static const struct nv_list format_words[] =
+{
+ {"ascii", F_ASCII },
+ {"managed", F_MANAGED },
+ { NULL, 0 }
+};
+
/*
* Set everything to its default value
*/
@@ -114,11 +127,13 @@
{
config->remote_server = NULL;
config->port = 60;
+ config->local_port = 0;
config->port = T_TCP;
config->mode = M_IMMEDIATE;
config->queue_depth = 20;
config->fail_action = F_SYSLOG;
config->fail_exe = NULL;
+ config->format = F_MANAGED;
}
int load_config(remote_conf_t *config, const char *file)
@@ -392,6 +407,46 @@
return 0;
}
+static int local_port_parser(struct nv_pair *nv, int line, remote_conf_t *config)
+{
+ const char *ptr = nv->value;
+ int i;
+
+ if (strcasecmp (ptr, "any") == 0) {
+ config->local_port = 0;
+ return 0;
+ }
+
+ /* check that all chars are numbers */
+ for (i=0; ptr[i]; i++) {
+ if (!isdigit(ptr[i])) {
+ syslog(LOG_ERR,
+ "Value %s should only be numbers - line %d",
+ nv->value, line);
+ return 1;
+ }
+ }
+
+ /* convert to unsigned int */
+ errno = 0;
+ i = strtoul(nv->value, NULL, 10);
+ if (errno) {
+ syslog(LOG_ERR,
+ "Error converting string to a number (%s) - line %d",
+ strerror(errno), line);
+ return 1;
+ }
+ /* Check its range */
+ if (i > INT_MAX) {
+ syslog(LOG_ERR,
+ "Error - converted number (%s) is too large - line %d",
+ nv->value, line);
+ return 1;
+ }
+ config->local_port = (unsigned int)i;
+ return 0;
+}
+
static int transport_parser(struct nv_pair *nv, int line, remote_conf_t *config)
{
int i;
@@ -477,6 +532,20 @@
return 1;
}
+static int format_parser(struct nv_pair *nv, int line,
+ remote_conf_t *config)
+{
+ int i;
+ for (i=0; format_words[i].name != NULL; i++) {
+ if (strcasecmp(nv->value, format_words[i].name) == 0) {
+ config->format = format_words[i].option;
+ return 0;
+ }
+ }
+ syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
+ return 1;
+}
+
/*
* This function is where we do the integrated check of the audispd config
* options. At this point, all fields have been read. Returns 0 if no
diff -N -U 3 -x .svn -r pristine/audisp/plugins/remote/remote-config.h trunk/audisp/plugins/remote/remote-config.h
--- pristine/audisp/plugins/remote/remote-config.h 2008-08-04 12:47:28.000000000 -0400
+++ trunk/audisp/plugins/remote/remote-config.h 2008-08-13 22:17:19.000000000 -0400
@@ -27,16 +27,19 @@
typedef enum { M_IMMEDIATE, M_STORE_AND_FORWARD } mode_t;
typedef enum { T_TCP, T_SSL, T_GSSAPI, T_LABELED } transport_t;
typedef enum { F_IGNORE, F_SYSLOG, F_EXEC, F_SUSPEND, F_SINGLE, F_HALT } fail_t;
+typedef enum { F_ASCII, F_MANAGED } format_t;
typedef struct remote_conf
{
const char *remote_server;
unsigned int port;
+ unsigned int local_port;
transport_t transport;
mode_t mode;
unsigned int queue_depth;
fail_t fail_action;
const char *fail_exe;
+ format_t format;
} remote_conf_t;
void clear_config(remote_conf_t *config);
diff -N -U 3 -x .svn -r pristine/docs/auditd.conf.5 trunk/docs/auditd.conf.5
--- pristine/docs/auditd.conf.5 2008-08-04 12:47:31.000000000 -0400
+++ trunk/docs/auditd.conf.5 2008-08-14 15:35:29.000000000 -0400
@@ -212,6 +212,26 @@
option will cause the audit daemon to put the computer system in single user mode.
.I halt
option will cause the audit daemon to shutdown the computer system.
+.TP
+.I tcp_listen_port
+This is a numeric value in the range 1..65535 which, if specified,
+causes auditd to listen on the corresponding TCP port for audit
+records from remote systems.
+.TP
+.I tcp_listen_queue
+This is a numeric value which indicates how many pending (requested
+but unaccepted) connections are allowed. The default is 5. Setting
+this too small may cause connections to be rejected if too many hosts
+start up at exactly the same time, such as after a power failure.
+.TP
+.I tcp_client_ports
+This parameter may be a single numeric value or two values separated
+by a dash (no spaces allowed). It indicates which client ports are
+allowed for incoming connections. If not specified, any port is
+allowed. Allowed values are 1..65535. For example, to require the
+client use a priviledged port, specify
+.I 1-1023
+for this parameter.
.SH NOTES
In a CAPP environment, the audit trail is considered so important that access to system resources must be denied if an audit trail cannot be created. In this environment, it would be suggested that /var/log/audit be on its own partition. This is to ensure that space detection is accurate and that no other process comes along and consumes part of it.
@@ -227,6 +247,11 @@
The disk_full_action is triggered when no more room exists on the partition. All access should be terminated since no more audit capability exists. This can be set to either single or halt.
.PP
The disk_error_action should be set to syslog, single, or halt depending on your local policies regarding handling of hardware malfunctions.
+.PP
+Specifying a single allowed client port may make it difficult for the
+client to restart their audit subsystem, as it will be unable to
+recreate a connection with the same host addresses and ports until the
+connection closure TIME_WAIT state times out.
.SH FILES
.TP
diff -N -U 3 -x .svn -r pristine/init.d/auditd.conf trunk/init.d/auditd.conf
--- pristine/init.d/auditd.conf 2008-08-04 12:47:28.000000000 -0400
+++ trunk/init.d/auditd.conf 2008-08-14 15:22:08.000000000 -0400
@@ -22,4 +22,6 @@
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
-
+#tcp_listen_port =
+#tcp_listen_queue = 5
+#tcp_client_ports = 1024-65535
diff -N -U 3 -x .svn -r pristine/lib/libaudit.h trunk/lib/libaudit.h
--- pristine/lib/libaudit.h 2008-08-04 12:47:34.000000000 -0400
+++ trunk/lib/libaudit.h 2008-08-14 10:58:46.000000000 -0400
@@ -413,10 +413,6 @@
};
};
-struct auditd_reply_list {
- struct audit_reply reply;
- struct auditd_reply_list *next;
-};
//
// End of ABI control
//////////////////////////////////////////////////////
diff -N -U 3 -x .svn -r pristine/lib/private.h trunk/lib/private.h
--- pristine/lib/private.h 2008-08-04 12:47:34.000000000 -0400
+++ trunk/lib/private.h 2008-08-14 10:58:46.000000000 -0400
@@ -55,6 +55,83 @@
;
#endif
+/* This structure is for protocol reference only. All fields are
+ packed and in network order (LSB first). */
+struct auditd_remote_message_wrapper {
+ /* The magic number shall never have LF (0x0a) as one of its bytes. */
+ uint32_t magic;
+ /* Bumped when the layout of this structure changes. */
+ uint8_t header_version;
+ /* The minimum support needed to understand this message type.
+ * Normally zero. */
+ uint8_t message_version;
+ /* Upper 8 bits are generic type, see below. */
+ uint32_t type;
+ /* Number of bytes that follow this header Must be 0..MAX_AUDIT_MESSAGE_LENGTH. */
+ uint16_t length;
+ /* Copied from message to its reply. */
+ uint32_t sequence_id;
+ /* The message follows for LENGTH bytes. */
+};
+
+#define AUDIT_RMW_HEADER_SIZE 16
+/* The magic number shall never have LF (0x0a) as one of its bytes. */
+#define AUDIT_RMW_MAGIC 0xff0000feUL
+
+#define AUDIT_RMW_HEADER_VERSION 0
+
+/* If set, this is a reply. */
+#define AUDIT_RMW_TYPE_REPLYMASK 0x40000000
+/* If set, this reply indicates a fatal error of some sort. */
+#define AUDIT_RMW_TYPE_FATALMASK 0x20000000
+/* If set, this reply indicates success but with some warnings. */
+#define AUDIT_RMW_TYPE_WARNMASK 0x10000000
+/* This part of the message type is the details for the above. */
+#define AUDIT_RMW_TYPE_DETAILMASK 0x0fffffff
+
+/* Version 0 messages. */
+#define AUDIT_RMW_TYPE_MESSAGE 0x00000000
+#define AUDIT_RMW_TYPE_ACK 0x40000000
+#define AUDIT_RMW_TYPE_ENDING 0x40000001
+#define AUDIT_RMW_TYPE_DISKLOW 0x50000001
+#define AUDIT_RMW_TYPE_DISKFULL 0x60000001
+#define AUDIT_RMW_TYPE_DISKERROR 0x60000002
+
+/* These next four should not be called directly. */
+#define _AUDIT_RMW_PUTN32(header,i,v) \
+ header[i] = v & 0xff; \
+ header[i+1] = (v>>8) & 0xff; \
+ header[i+2] = (v>>16) & 0xff; \
+ header[i+3] = (v>>24) & 0xff;
+#define _AUDIT_RMW_PUTN16(header,i,v) \
+ header[i] = v & 0xff; \
+ header[i+1] = (v>>8) & 0xff;
+#define _AUDIT_RMW_GETN32(header,i) \
+ (header[i] | (header[i+1]<<8) | (header[i+2]<<16) | (header[i+3]<<24))
+#define _AUDIT_RMW_GETN16(header,i) \
+ (header[i] | (header[i+1]<<8))
+
+/* For these, HEADER must by of type "unsigned char *" or "unsigned
+ char []" */
+
+#define AUDIT_RMW_PACK_HEADER(header,mver,type,len,seq) \
+ _AUDIT_RMW_PUTN32 (header,0, AUDIT_RMW_MAGIC); \
+ header[4] = AUDIT_RMW_HEADER_VERSION; \
+ header[5] = mver; \
+ _AUDIT_RMW_PUTN32 (header,6, type); \
+ _AUDIT_RMW_PUTN16 (header,10, len); \
+ _AUDIT_RMW_PUTN32 (header,12, seq);
+
+#define AUDIT_RMW_IS_MAGIC(header,length) \
+ (length >= 4 && _AUDIT_RMW_GETN32 (header,0) == AUDIT_RMW_MAGIC)
+
+#define AUDIT_RMW_UNPACK_HEADER(header,hver,mver,type,len,seq) \
+ hver = header[4]; \
+ mver = header[5]; \
+ type = _AUDIT_RMW_GETN32 (header,6); \
+ len = _AUDIT_RMW_GETN16 (header,10); \
+ seq = _AUDIT_RMW_GETN32 (header,12);
+
/* General */
extern int audit_send(int fd, int type, const void *data, unsigned int size)
hidden;
diff -N -U 3 -x .svn -r pristine/src/Makefile.am trunk/src/Makefile.am
--- pristine/src/Makefile.am 2008-08-07 21:18:16.000000000 -0400
+++ trunk/src/Makefile.am 2008-08-08 16:41:07.000000000 -0400
@@ -27,9 +27,9 @@
LIBS = -Lmt -lauditmt -Llibev -lev -lrt -lm
LDADD = -lpthread
AM_CFLAGS = -D_REENTRANT -D_GNU_SOURCE
-noinst_HEADERS = auditd-config.h auditd-event.h ausearch-llist.h ausearch-options.h auditctl-llist.h aureport-options.h ausearch-parse.h aureport-scan.h ausearch-lookup.h ausearch-int.h auditd-dispatch.h ausearch-string.h ausearch-nvpair.h ausearch-common.h ausearch-avc.h ausearch-time.h
+noinst_HEADERS = auditd-config.h auditd-event.h auditd-listen.h ausearch-llist.h ausearch-options.h auditctl-llist.h aureport-options.h ausearch-parse.h aureport-scan.h ausearch-lookup.h ausearch-int.h auditd-dispatch.h ausearch-string.h ausearch-nvpair.h ausearch-common.h ausearch-avc.h ausearch-time.h
-auditd_SOURCES = auditd.c auditd-event.c auditd-config.c auditd-reconfig.c auditd-sendmail.c auditd-dispatch.c
+auditd_SOURCES = auditd.c auditd-event.c auditd-config.c auditd-reconfig.c auditd-sendmail.c auditd-dispatch.c auditd-listen.c
auditd_CFLAGS = -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE
auditd_LDFLAGS = -pie -Wl,-z,relro
auditd_DEPENDENCIES = mt/libauditmt.a libev/libev.a
diff -N -U 3 -x .svn -r pristine/src/auditd-config.c trunk/src/auditd-config.c
--- pristine/src/auditd-config.c 2008-08-07 17:32:20.000000000 -0400
+++ trunk/src/auditd-config.c 2008-08-08 15:56:13.000000000 -0400
@@ -39,6 +39,8 @@
#include "libaudit.h"
#include "private.h"
+#define TCP_PORT_MAX 65535
+
/* Local prototypes */
struct nv_pair
{
@@ -103,6 +105,12 @@
struct daemon_conf *config);
static int priority_boost_parser(struct nv_pair *nv, int line,
struct daemon_conf *config);
+static int tcp_listen_port_parser(struct nv_pair *nv, int line,
+ struct daemon_conf *config);
+static int tcp_listen_queue_parser(struct nv_pair *nv, int line,
+ struct daemon_conf *config);
+static int tcp_client_ports_parser(struct nv_pair *nv, int line,
+ struct daemon_conf *config);
static int sanity_check(struct daemon_conf *config);
static const struct kw_pair keywords[] =
@@ -127,6 +135,9 @@
{"disk_full_action", disk_full_action_parser, 1 },
{"disk_error_action", disk_error_action_parser, 1 },
{"priority_boost", priority_boost_parser, 0 },
+ {"tcp_listen_port", tcp_listen_port_parser, 0 },
+ {"tcp_listen_queue", tcp_listen_queue_parser, 0 },
+ {"tcp_client_ports", tcp_client_ports_parser, 0 },
{ NULL, NULL }
};
@@ -227,6 +238,10 @@
config->disk_full_exe = NULL;
config->disk_error_action = FA_SYSLOG;
config->disk_error_exe = NULL;
+ config->tcp_listen_port = 0;
+ config->tcp_listen_queue = 5;
+ config->tcp_client_min_port = 0;
+ config->tcp_client_max_port = TCP_PORT_MAX;
}
static log_test_t log_test = TEST_AUDITD;
@@ -1109,6 +1124,172 @@
return 0;
}
+static int tcp_listen_port_parser(struct nv_pair *nv, int line,
+ struct daemon_conf *config)
+{
+ const char *ptr = nv->value;
+ unsigned long i;
+
+ audit_msg(LOG_DEBUG, "tcp_listen_port_parser called with: %s",
+ nv->value);
+
+ /* check that all chars are numbers */
+ for (i=0; ptr[i]; i++) {
+ if (!isdigit(ptr[i])) {
+ audit_msg(LOG_ERR,
+ "Value %s should only be numbers - line %d",
+ nv->value, line);
+ return 1;
+ }
+ }
+
+ /* convert to unsigned int */
+ errno = 0;
+ i = strtoul(nv->value, NULL, 10);
+ if (errno) {
+ audit_msg(LOG_ERR,
+ "Error converting string to a number (%s) - line %d",
+ strerror(errno), line);
+ return 1;
+ }
+ /* Check its range */
+ if (i > TCP_PORT_MAX) {
+ audit_msg(LOG_ERR,
+ "Error - converted number (%s) is too large - line %d",
+ nv->value, line);
+ return 1;
+ }
+ if (i < 1) {
+ audit_msg(LOG_ERR,
+ "Error - converted number (%s) is too small - line %d",
+ nv->value, line);
+ return 1;
+ }
+ config->tcp_listen_port = (unsigned int)i;
+ return 0;
+}
+
+static int tcp_listen_queue_parser(struct nv_pair *nv, int line,
+ struct daemon_conf *config)
+{
+ const char *ptr = nv->value;
+ unsigned long i;
+
+ audit_msg(LOG_DEBUG, "tcp_listen_queue_parser called with: %s",
+ nv->value);
+
+ /* check that all chars are numbers */
+ for (i=0; ptr[i]; i++) {
+ if (!isdigit(ptr[i])) {
+ audit_msg(LOG_ERR,
+ "Value %s should only be numbers - line %d",
+ nv->value, line);
+ return 1;
+ }
+ }
+
+ /* convert to unsigned int */
+ errno = 0;
+ i = strtoul(nv->value, NULL, 10);
+ if (errno) {
+ audit_msg(LOG_ERR,
+ "Error converting string to a number (%s) - line %d",
+ strerror(errno), line);
+ return 1;
+ }
+ /* Check its range. While this value is technically
+ unlimited, it's limited by the kernel, and we limit it here
+ for sanity. */
+ if (i > TCP_PORT_MAX) {
+ audit_msg(LOG_ERR,
+ "Error - converted number (%s) is too large - line %d",
+ nv->value, line);
+ return 1;
+ }
+ if (i < 1) {
+ audit_msg(LOG_ERR,
+ "Error - converted number (%s) is too small - line %d",
+ nv->value, line);
+ return 1;
+ }
+ config->tcp_listen_queue = (unsigned int)i;
+ return 0;
+}
+
+static int tcp_client_ports_parser(struct nv_pair *nv, int line,
+ struct daemon_conf *config)
+{
+ const char *ptr = nv->value;
+ unsigned long i, minv, maxv;
+ const char *saw_dash = NULL;
+
+ audit_msg(LOG_DEBUG, "tcp_listen_queue_parser called with: %s",
+ nv->value);
+
+ /* check that all chars are numbers, with an optional inclusive '-'. */
+ for (i=0; ptr[i]; i++) {
+ if (i > 0 && ptr[i] == '-' && ptr[i+1] != '\0') {
+ saw_dash = ptr + i;
+ continue;
+ }
+ if (!isdigit(ptr[i])) {
+ audit_msg(LOG_ERR,
+ "Value %s should only be numbers, or two numbers separated by a dash - line %d",
+ nv->value, line);
+ return 1;
+ }
+ }
+ for (; ptr[i]; i++) {
+ if (!isdigit(ptr[i])) {
+ audit_msg(LOG_ERR,
+ "Value %s should only be numbers, or two numbers separated by a dash - line %d",
+ nv->value, line);
+ return 1;
+ }
+ }
+
+ /* convert to unsigned int */
+ errno = 0;
+ maxv = minv = strtoul(nv->value, NULL, 10);
+ if (errno) {
+ audit_msg(LOG_ERR,
+ "Error converting string to a number (%s) - line %d",
+ strerror(errno), line);
+ return 1;
+ }
+ if (saw_dash) {
+ maxv = strtoul(saw_dash + 1, NULL, 10);
+ if (errno) {
+ audit_msg(LOG_ERR,
+ "Error converting string to a number (%s) - line %d",
+ strerror(errno), line);
+ return 1;
+ }
+ }
+ /* Check their ranges. */
+ if (minv > TCP_PORT_MAX) {
+ audit_msg(LOG_ERR,
+ "Error - converted number (%d) is too large - line %d",
+ minv, line);
+ return 1;
+ }
+ if (maxv > TCP_PORT_MAX) {
+ audit_msg(LOG_ERR,
+ "Error - converted number (%d) is too large - line %d",
+ maxv, line);
+ return 1;
+ }
+ if (minv > maxv) {
+ audit_msg(LOG_ERR,
+ "Error - converted range (%d-%d) is reversed - line %d",
+ minv, maxv, line);
+ return 1;
+ }
+ config->tcp_client_min_port = (unsigned int)minv;
+ config->tcp_client_max_port = (unsigned int)maxv;
+ return 0;
+}
+
/*
* This function is where we do the integrated check of the audit config
* options. At this point, all fields have been read. Returns 0 if no
diff -N -U 3 -x .svn -r pristine/src/auditd-config.h trunk/src/auditd-config.h
--- pristine/src/auditd-config.h 2008-08-04 12:47:30.000000000 -0400
+++ trunk/src/auditd-config.h 2008-08-14 15:33:28.000000000 -0400
@@ -70,6 +70,10 @@
const char *disk_full_exe;
failure_action_t disk_error_action;
const char *disk_error_exe;
+ unsigned long tcp_listen_port;
+ unsigned long tcp_listen_queue;
+ unsigned long tcp_client_min_port;
+ unsigned long tcp_client_max_port;
};
void set_allow_links(int allow);
@@ -80,7 +84,9 @@
int resolve_node(struct daemon_conf *config);
void init_config_manager(void);
+#ifdef AUDITD_EVENT_H
int start_config_manager(struct auditd_reply_list *rep);
+#endif
void shutdown_config(void);
void free_config(struct daemon_conf *config);
diff -N -U 3 -x .svn -r pristine/src/auditd-event.c trunk/src/auditd-event.c
--- pristine/src/auditd-event.c 2008-08-04 12:47:30.000000000 -0400
+++ trunk/src/auditd-event.c 2008-08-13 21:56:24.000000000 -0400
@@ -148,6 +148,36 @@
dequeue'r is responsible for freeing the memory. */
void enqueue_event(struct auditd_reply_list *rep)
{
+ char *buf;
+ int len;
+
+ rep->ack_socket = 0;
+ rep->sequence_id = 0;
+
+ switch (consumer_data.config->log_format)
+ {
+ case LF_RAW:
+ buf = format_raw(&rep->reply, consumer_data.config);
+ break;
+ case LF_NOLOG:
+ return;
+ default:
+ audit_msg(LOG_ERR,
+ "Illegal log format detected %d",
+ consumer_data.config->log_format);
+ return;
+ }
+
+ len = strlen (buf);
+ if (len < MAX_AUDIT_MESSAGE_LENGTH - 1)
+ memcpy (rep->reply.msg.data, buf, len+1);
+ else
+ {
+ /* FIXME: is truncation the right thing to do? */
+ memcpy (rep->reply.msg.data, buf, MAX_AUDIT_MESSAGE_LENGTH-1);
+ rep->reply.msg.data[MAX_AUDIT_MESSAGE_LENGTH-1] = 0;
+ }
+
rep->next = NULL; /* new packet goes at end - so zero this */
pthread_mutex_lock(&consumer_data.queue_lock);
@@ -164,6 +194,45 @@
pthread_mutex_unlock(&consumer_data.queue_lock);
}
+/* This function takes a preformatted message and places it on the
+ queue. The dequeue'r is responsible for freeing the memory. */
+void enqueue_formatted_event(char *msg, int ack_socket, uint32_t sequence_id)
+{
+ int len;
+ struct auditd_reply_list *rep;
+
+ rep = (struct auditd_reply_list *) calloc (1, sizeof (*rep));
+ if (rep == NULL) {
+ audit_msg(LOG_ERR, "Cannot allocate audit reply");
+ return;
+ }
+
+ rep->ack_socket = ack_socket;
+ rep->sequence_id = sequence_id;
+
+ len = strlen (msg);
+ if (len < MAX_AUDIT_MESSAGE_LENGTH - 1)
+ memcpy (rep->reply.msg.data, msg, len+1);
+ else {
+ /* FIXME: is truncation the right thing to do? */
+ memcpy (rep->reply.msg.data, msg, MAX_AUDIT_MESSAGE_LENGTH-1);
+ rep->reply.msg.data[MAX_AUDIT_MESSAGE_LENGTH-1] = 0;
+ }
+
+ pthread_mutex_lock(&consumer_data.queue_lock);
+ if (consumer_data.head == NULL) {
+ consumer_data.head = consumer_data.tail = rep;
+ pthread_cond_signal(&consumer_data.queue_nonempty);
+ } else {
+ /* FIXME: wait for room on the queue */
+
+ /* OK there's room...add it in */
+ consumer_data.tail->next = rep; /* link in at end */
+ consumer_data.tail = rep; /* move end to newest */
+ }
+ pthread_mutex_unlock(&consumer_data.queue_lock);
+}
+
void resume_logging(void)
{
logging_suspended = 0;
@@ -233,30 +302,8 @@
rotate_logs_now(data);
}
if (!logging_suspended) {
- char *buf = NULL;
-
- switch (data->config->log_format)
- {
- case LF_RAW:
- buf = format_raw(&data->head->reply,
- data->config);
- break;
- case LF_NOLOG:
- return;
- default:
- audit_msg(LOG_ERR,
- "Illegal log format detected %d",
- data->config->log_format);
- break;
- }
- /* The only way buf is NULL is if there is an
- * unidentified format...which is impossible since
- * start up would have failed. */
- if (buf) {
- write_to_log(buf, data);
- buf[0] = 0;
- }
+ write_to_log(data->head->reply.msg.data, data);
/* See if we need to flush to disk manually */
if (data->config->flush == FT_INCREMENTAL) {
@@ -289,12 +336,32 @@
}
}
+static int ar_write (int sock, const void *buf, int len)
+{
+ int rc = 0, w;
+ while (len > 0) {
+ do {
+ w = write(sock, buf, len);
+ } while (w < 0 && errno == EINTR);
+ if (w < 0)
+ return w;
+ if (w == 0)
+ break;
+ rc += w;
+ len -= w;
+ buf = (const void *)((const char *)buf + w);
+ }
+ return rc;
+}
+
/* This function writes the given buf to the current log file */
static void write_to_log(const char *buf, struct auditd_consumer_data *data)
{
int rc;
FILE *f = data->log_file;
struct daemon_conf *config = data->config;
+ int ack_type = AUDIT_RMW_TYPE_ACK;
+ const char *msg = "";
/* write it to disk */
rc = fprintf(f, "%s\n", buf);
@@ -307,20 +374,35 @@
if (saved_errno == ENOSPC && fs_space_left == 1) {
fs_space_left = 0;
do_disk_full_action(config);
- } else
+ ack_type = AUDIT_RMW_TYPE_DISKFULL;
+ msg = "disk full";
+ } else {
do_disk_error_action("write", config);
+ ack_type = AUDIT_RMW_TYPE_DISKERROR;
+ msg = "disk write error";
+ }
+
+ } else {
- return;
+ /* check log file size & space left on partition */
+ if (config->daemonize == D_BACKGROUND) {
+ // If either of these fail, I consider it an inconvenience
+ // as opposed to something that is actionable. There may be
+ // some temporary condition that the system recovers from.
+ // The real error occurs on write.
+ check_log_file_size(data->log_fd, data);
+ check_space_left(data->log_fd, config);
+ }
}
- /* check log file size & space left on partition */
- if (config->daemonize == D_BACKGROUND) {
- // If either of these fail, I consider it an inconvenience
- // as opposed to something that is actionable. There may be
- // some temporary condition that the system recovers from.
- // The real error occurs on write.
- check_log_file_size(data->log_fd, data);
- check_space_left(data->log_fd, config);
+ if (data->head->ack_socket) {
+ unsigned char header[AUDIT_RMW_HEADER_SIZE];
+
+ AUDIT_RMW_PACK_HEADER (header, 0, ack_type, strlen(msg), data->head->sequence_id);
+
+ ar_write (data->head->ack_socket, header, AUDIT_RMW_HEADER_SIZE);
+ if (msg[0])
+ ar_write (data->head->ack_socket, msg, strlen(msg));
}
}
diff -N -U 3 -x .svn -r pristine/src/auditd-event.h trunk/src/auditd-event.h
--- pristine/src/auditd-event.h 2008-08-04 12:47:30.000000000 -0400
+++ trunk/src/auditd-event.h 2008-08-13 20:41:41.000000000 -0400
@@ -25,12 +25,21 @@
#define AUDITD_EVENT_H
#include "libaudit.h"
+
+struct auditd_reply_list {
+ struct audit_reply reply;
+ struct auditd_reply_list *next;
+ int ack_socket;
+ unsigned long sequence_id;
+};
+
#include "auditd-config.h"
void shutdown_events(void);
int init_event(struct daemon_conf *config);
void resume_logging(void);
void enqueue_event(struct auditd_reply_list *rep);
+void enqueue_formatted_event(char *msg, int ack_socket, uint32_t sequence_id);
void *consumer_thread_main(void *arg);
#endif
diff -N -U 3 -x .svn -r pristine/src/auditd-listen.c trunk/src/auditd-listen.c
--- pristine/src/auditd-listen.c 1969-12-31 19:00:00.000000000 -0500
+++ trunk/src/auditd-listen.c 2008-08-13 22:29:22.000000000 -0400
@@ -0,0 +1,335 @@
+/* auditd-listen.c --
+ * Copyright 2008 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * DJ Delorie <dj(a)redhat.com>
+ *
+ */
+
+#include "config.h"
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <errno.h>
+#include <string.h>
+#include <dirent.h>
+#include <ctype.h>
+#include <stdlib.h>
+#include <netdb.h>
+#include <fcntl.h> /* O_NOFOLLOW needs gnu defined */
+#include <libgen.h>
+#include <arpa/inet.h>
+#include <limits.h> /* INT_MAX */
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netinet/tcp.h>
+#include "libaudit.h"
+#include "auditd-event.h"
+#include "auditd-config.h"
+#include "private.h"
+
+#include "ev.h"
+
+extern volatile int stop;
+
+typedef struct ev_tcp {
+ struct ev_io io;
+ struct sockaddr_in addr;
+ struct ev_tcp *next, *prev;
+ int bufptr;
+ unsigned char buffer [MAX_AUDIT_MESSAGE_LENGTH + 17];
+} ev_tcp;
+
+static int listen_socket;
+static struct ev_io tcp_listen_watcher;
+static int min_port, max_port;
+
+static struct ev_tcp *client_chain = 0;
+
+static char *sockaddr_to_ip (struct sockaddr_in *addr)
+{
+ unsigned char *uaddr = (unsigned char *)&(addr->sin_addr);
+ static char buf[40];
+
+ sprintf (buf, "%d.%d.%d.%d:%d",
+ uaddr[0], uaddr[1], uaddr[2], uaddr[3], ntohs (addr->sin_port));
+ return buf;
+}
+
+static void set_close_on_exec (int fd)
+{
+ int flags = fcntl (fd, F_GETFD);
+ if (flags == -1)
+ flags = 0;
+ flags |= FD_CLOEXEC;
+ fcntl (fd, F_SETFD, flags);
+}
+
+static void close_client (struct ev_tcp *client)
+{
+ close (client->io.fd);
+ if (client_chain == client)
+ client_chain = client->next;
+ if (client->next)
+ client->next->prev = client->prev;
+ if (client->prev)
+ client->prev->next = client->next;
+ free (client);
+}
+
+static void client_message (struct ev_tcp *io, unsigned int length, unsigned char *header)
+{
+ unsigned char ch;
+ uint32_t magic, type, mlen, seq;
+ int hver, mver;
+ int i;
+
+ if (AUDIT_RMW_IS_MAGIC (header, length)) {
+ AUDIT_RMW_UNPACK_HEADER (header, hver, mver, type, mlen, seq)
+
+ ch = header[length];
+ header[length] = 0;
+ if (length > 1 && header[length-1] == '\n')
+ header[length-1] = 0;
+ enqueue_formatted_event (header+AUDIT_RMW_HEADER_SIZE, io->io.fd, seq);
+ header[length] = ch;
+ } else {
+ header[length] = 0;
+ if (length > 1 && header[length-1] == '\n')
+ header[length-1] = 0;
+ enqueue_formatted_event (header, 0, 0);
+ }
+}
+
+static void auditd_tcp_client_handler( struct ev_loop *loop, struct ev_io *_io, int revents )
+{
+ struct ev_tcp *io = (struct ev_tcp *) _io;
+ int i, r;
+ int total_this_call = 0;
+
+ /* The socket is non-blocking, but we have a limited buffer
+ size. In the event that we get a packet that's bigger than
+ our buffer, we need to read it in multiple parts. Thus, we
+ keep reading/parsing/processing until we run out of ready
+ data. */
+read_more:
+ r = read (io->io.fd,
+ io->buffer + io->bufptr,
+ MAX_AUDIT_MESSAGE_LENGTH - io->bufptr);
+
+ if (r < 0 && errno == EAGAIN)
+ r = 0;
+
+ /* We need to keep track of the difference between "no data
+ * because it's closed" and "no data because we've read it
+ * all". */
+ if (r == 0 && total_this_call > 0) {
+ return;
+ }
+
+ /* If the connection is gracefully closed, the first read we
+ try will return zero. If the connection times out or
+ otherwise fails, the read will return -1. */
+ if (r <= 0) {
+ if (r < 0)
+ audit_msg (LOG_WARNING, "client %s socket closed unexpectedly",
+ sockaddr_to_ip (&io->addr));
+
+ /* There may have been a final message without a LF. */
+ if (io->bufptr) {
+ client_message (io, io->bufptr, io->buffer);
+
+ }
+
+ ev_io_stop (loop, _io);
+ close_client (io);
+ return;
+ }
+
+ total_this_call += r;
+
+more_messages:
+ if (AUDIT_RMW_IS_MAGIC (io->buffer, io->bufptr+r)) {
+ uint32_t type, len, seq;
+ int hver, mver;
+ unsigned char *header = (unsigned char *)io->buffer;
+
+ io->bufptr += r;
+
+ if (io->bufptr < AUDIT_RMW_HEADER_SIZE)
+ return;
+
+ AUDIT_RMW_UNPACK_HEADER (header, hver, mver, type, len, seq);
+
+ i = len;
+ i += AUDIT_RMW_HEADER_SIZE;
+
+ /* See if we have enough bytes to extract the whole message. */
+ if (io->bufptr < i)
+ return;
+
+ } else {
+ /* At this point, the buffer has IO->BUFPTR+R bytes in it.
+ The first IO->BUFPTR bytes do not have a LF in them (we've
+ already checked), we must check the R new bytes. */
+
+ for (i = io->bufptr; i < io->bufptr + r; i ++)
+ if (io->buffer [i] == '\n')
+ break;
+
+ io->bufptr += r;
+
+ /* Check for a partial message, with no LF yet. */
+ if (i == io->bufptr)
+ return;
+
+ i ++;
+ }
+
+ /* We have an I-byte message in buffer. */
+ client_message (io, i, io->buffer);
+
+ /* Now copy any remaining bytes to the beginning of the
+ buffer. */
+ memmove (io->buffer, io->buffer + i, io->bufptr);
+ io->bufptr -= i;
+
+ /* See if this packet had more than one message in it. */
+ if (io->bufptr > 0) {
+ r = io->bufptr;
+ io->bufptr = 0;
+ goto more_messages;
+ }
+
+ /* Go back and see if there's more data to read. */
+ goto read_more;
+}
+
+static void auditd_tcp_listen_handler( struct ev_loop *loop, struct ev_io *_io, int revents )
+{
+ int one=1;
+ int afd;
+ socklen_t aaddrlen;
+ struct sockaddr_in aaddr;
+ struct linger li;
+ struct ev_tcp *client;
+ unsigned char *uaddr;
+
+ /* Accept the connection and see where it's coming from. */
+ aaddrlen = sizeof(aaddr);
+ afd = accept (listen_socket, (struct sockaddr *)&aaddr, &aaddrlen);
+ if (afd == -1) {
+ audit_msg(LOG_ERR, "Unable to accept TCP connection");
+ return;
+ }
+
+ uaddr = (unsigned char *)&aaddr.sin_addr;
+
+ /* Verify it's coming from an authorized port. We assume the firewall will
+ block attempts from unauthorized machines. */
+ if (min_port > ntohs (aaddr.sin_port) || ntohs (aaddr.sin_port) > max_port) {
+ audit_msg(LOG_ERR, "TCP connection from %s rejected", sockaddr_to_ip (&aaddr));
+ close (afd);
+ return;
+ }
+
+ setsockopt(afd, SOL_SOCKET, SO_REUSEADDR, (char *)&one, sizeof (int));
+ setsockopt(afd, SOL_SOCKET, SO_KEEPALIVE, (char *)&one, sizeof (int));
+ setsockopt(afd, IPPROTO_TCP, TCP_NODELAY, (char *)&one, sizeof (int));
+ fcntl(afd, F_SETFL, O_NONBLOCK | O_NDELAY);
+ set_close_on_exec (afd);
+
+ client = (struct ev_tcp *) malloc (sizeof (struct ev_tcp));
+ if (client == NULL) {
+ audit_msg(LOG_CRIT, "Unable to allocate TCP client data");
+ close (afd);
+ return;
+ }
+
+ memset (client, 0, sizeof (struct ev_tcp));
+
+ ev_io_init (&(client->io), auditd_tcp_client_handler, afd, EV_READ | EV_ERROR);
+ ev_io_start (loop, &(client->io));
+
+ memcpy (&client->addr, &aaddr, sizeof (struct sockaddr_in));
+
+ /* Keep a linked list of active clients. */
+ client->next = client_chain;
+ if (client->next)
+ client->next->prev = client;
+ client_chain = client;
+}
+
+int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config )
+{
+ struct sockaddr_in address;
+ int one = 1;
+ int flags;
+
+ /* If the port is not set, that means we aren't going to
+ listen for connections. */
+ if (config->tcp_listen_port == 0)
+ return;
+
+ listen_socket = socket (AF_INET, SOCK_STREAM, 0);
+ if (listen_socket == 0) {
+ audit_msg(LOG_ERR, "Cannot create tcp listener socket");
+ return 1;
+ }
+
+ set_close_on_exec (listen_socket);
+ setsockopt(listen_socket, SOL_SOCKET, SO_REUSEADDR, (char *)&one, sizeof (int));
+
+ memset (&address, 0, sizeof(address));
+ address.sin_family = htons(AF_INET);
+ address.sin_port = htons(config->tcp_listen_port);
+ address.sin_addr.s_addr = htonl(INADDR_ANY);
+
+ /* This avoids problems if auditd needs to be restarted. */
+ setsockopt(listen_socket, SOL_SOCKET, SO_REUSEADDR, (char *)&one, sizeof (int));
+
+ if ( bind ( listen_socket, (struct sockaddr *)&address, sizeof(address)) ) {
+ audit_msg(LOG_ERR, "Cannot bind tcp listener socket to port %d",
+ config->tcp_listen_port);
+ close(listen_socket);
+ return 1;
+ }
+
+ listen(listen_socket, config->tcp_listen_queue);
+
+ audit_msg(LOG_DEBUG, "Listening on TCP port %d", config->tcp_listen_port);
+
+ ev_io_init (&tcp_listen_watcher, auditd_tcp_listen_handler, listen_socket, EV_READ);
+ ev_io_start (loop, &tcp_listen_watcher);
+
+ min_port = config->tcp_client_min_port;
+ max_port = config->tcp_client_max_port;
+
+ return 0;
+}
+
+void auditd_tcp_listen_uninit ( struct ev_loop *loop )
+{
+ ev_io_stop ( loop, &tcp_listen_watcher );
+ close ( listen_socket );
+
+ while (client_chain) {
+ close_client (client_chain);
+ }
+}
diff -N -U 3 -x .svn -r pristine/src/auditd-listen.h trunk/src/auditd-listen.h
--- pristine/src/auditd-listen.h 1969-12-31 19:00:00.000000000 -0500
+++ trunk/src/auditd-listen.h 2008-08-08 17:01:37.000000000 -0400
@@ -0,0 +1,30 @@
+/* auditd-config.h --
+ * Copyright 2004-2007 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * DJ Delorie <dj(a)redhat.com>
+ *
+ */
+
+#ifndef AUDITD_LISTEN_H
+#define AUDITD_LISTEN_H
+
+int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config );
+void auditd_tcp_listen_uninit ( struct ev_loop *loop );
+
+#endif
diff -N -U 3 -x .svn -r pristine/src/auditd-reconfig.c trunk/src/auditd-reconfig.c
--- pristine/src/auditd-reconfig.c 2008-08-04 12:47:30.000000000 -0400
+++ trunk/src/auditd-reconfig.c 2008-08-12 18:54:20.000000000 -0400
@@ -28,9 +28,9 @@
#include <unistd.h>
#include <string.h>
#include <stdio.h>
-#include "auditd-config.h"
-#include "auditd-event.h"
#include "libaudit.h"
+#include "auditd-event.h"
+#include "auditd-config.h"
#include "private.h"
/* This is the configuration manager code */
diff -N -U 3 -x .svn -r pristine/src/auditd.c trunk/src/auditd.c
--- pristine/src/auditd.c 2008-08-08 14:36:19.000000000 -0400
+++ trunk/src/auditd.c 2008-08-13 20:51:35.000000000 -0400
@@ -40,8 +40,8 @@
#include <getopt.h>
#include "libaudit.h"
-#include "auditd-config.h"
#include "auditd-event.h"
+#include "auditd-config.h"
#include "auditd-dispatch.h"
#include "private.h"
@@ -670,7 +670,15 @@
ev_signal_init (&sigchld_watcher, child_handler, SIGCHLD);
ev_signal_start (loop, &sigchld_watcher);
- ev_loop (loop, 0);
+ if (auditd_tcp_listen_init (loop, &config)) {
+ tell_parent (FAILURE);
+ stop = 1;
+ }
+
+ if (!stop)
+ ev_loop (loop, 0);
+
+ auditd_tcp_listen_uninit (loop);
/* Write message to log that we are going down */
14 years, 7 months
Watch in audit 1.6
by Ameel Kamboh
We are using audit 1.6 in our system.
When I add a watch rule for write and append to a directory, the log
will report any changes to the directory and all the sub directories as
well.
Is there a way to exclude watching sub directories as well.
Example:
Watch directory /var/mydir
The tree for mydir is as follows:
/var/mydir
|
---- runtime
|
---- dir1
|
---- dir2
I would like to watch /var/mydir + /var/mydir/dir1 + /var/mydir/dir2,
but exclude /var/mydir/runtime
Rule:
-w /var/mydir -p aw
Is there a way to do what I am asking?
Ameel Kamboh
SIP Core Network and Security
Phone: 972.685.4922 (esn 445-4922)
Mobile: 978-590-2280
SIP: akamboh(a)techtrial.com
email: akamboh(a)nortel.com
15 years, 4 months
Audit Logs and EventLog Analyzer
by Dan Gruhn
I'm currently using AdventNet's EventLog Analyzer for auditing of a
secure Windows machine and thought it would be nice to use for a secure
RHEL 5.2 cluster as well since people would only need to use one
interface. It seems to do well with the syslog entries, but I don't see
anything about getting the auditd/ audit.log entries into it. Can
anyone point me to some information on how to do this or should I give
up on this and go the Prewikka route?
Thanks,
Dan
15 years, 4 months
Authentication Events
by Kevin Boyce
Does anyone know if the auditd on RHEL4 is capable of capturing
logon/logoff and failed authentication events? This seems to work
flawlessly without any additional changes on a RHEL5 system.
Would this just be a configuration change in the PAM stack to allow
auditd to get these events, rather than using syslog?
Any ideas would be helpful.
Thanks,
Kevin
15 years, 4 months
audit 1.7.11 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
soon. The Changelog is:
- Don't error out in auditd when calling setsid
- Reformat a couple auditd error messages (Oden Eriksson)
- If log rotate fails, leave the old log writable
- Fixed bug in setting up auditd event loop when listening
- Warn if on biarch machine and auditctl rules show a syscall mismatch
- Audisp-remote was not parsing some config options correctly
- In auparse, check for single key in addition to virtual keys
- When auditd shuts down, send AUDIT_RMW_TYPE_ENDING messages to clients
- Updated sample plugin code to use auparse
- Created reconnect option to remote ending setting of audisp-remote
This is mostly a bugfix release. When being started by init, auditd was dying
when trying to set its session id since init already does this. When logs
were rotated and failed for some reason, the original log was left in a
readonly state, this has been corrected. I found several problems with remote
logging and fixed them for the non-kerberos use case...I'll try to check the
work for kerberos in the next release. And the sample audispd plugin code was
updated to show how to use auparse library to make a plugin.
That leaves one item left to go over. People have discovered over time that 32
and 64 bit syscalls can have a different syscall number. Auditctl in this
version no issues a warning to stderr when it loads a syscall audit rules for
64 bit machines where the 32 bit version has a syscall number mismatch.
Hopefully, this will help educate people that they may not have all the
syscalls they intended covered. But at the same time, some people might just
consider this spamming the console. I would like feedback on this new warning
and if its obtrusive and how you would suggest making it better.
Please let me know if you run across any problems with this release.
-Steve
15 years, 4 months
Re: audit: EXECVE record - removed bogus newline
by Eric Paris
On Fri, 2009-01-09 at 13:21 +0100, Jiri Pirko wrote:
> On Thu, 08 Jan 2009 10:33:18 -0500
> Eric Paris <eparis(a)redhat.com> wrote:
>
> > On Thu, 2009-01-08 at 15:38 +0100, Jiri Pirko wrote:
> > > EXECVE records contain a newline after every argument. auditd converts
> > > "\n" to " " so you cannot see newlines even in raw logs, but they're
> > > there nevertheless. If you're not using auditd, you need to work round
> > > them. These '\n' chars are can be easily replaced by spaces when
> > > creating record in kernel. Note there is no need for trailing '\n' in
> > > an audit record.
> >
> > While I completely agree the \n was my mistake and should be
> > dropped/fixed can you fix one more thing and look at another? First
> > arg_num_len is being miscalculated since I included the \n in that
> > calculation (might be the only place....)
> I think that calculation is correct only the comment needs to be changed like this:
> - /* how many digits are in arg_num? 3 is the length of a=\n */
> + /* how many digits are in arg_num? 3 is the length of " a=" */
>
> the count is still 3 - with '\n' or with ' '.
You're right. Sorry, I'd like to see the comment fixed. That 3 does
matter and I don't want to see someone not realize how important getting
that len right is....
> > and I remember not wanting to
> > follow convention and put the space at the beginning of the aX= for some
> > reason. If you add thousands of arguments so this is larger than
> > MAX_EXECVE_AUDIT_LEN do you end up with an extra space somewhere in the
> > second EXECVE record?
> Is this a problem? We can do some workaround but is it necessary?
I'll go ahead and vote I don't care, even though I brought it up. My
code left an extra space at the end of the record. Yours puts it at the
beginning. From the point of view of auditd the spaces don't mean
anything, so I'm ok with your method. I guess it saves a call to
audit_log_format, and saving a call is benefit enough
Don't care if it's this window or the next, it's been like this for 3
weeks short of a year now :)
Acked-by: Eric Paris <eparis(a)redhat.com>
15 years, 4 months
Re: audit: EXECVE record - removed bogus newline
by Eric Paris
On Thu, 2009-01-08 at 15:38 +0100, Jiri Pirko wrote:
> EXECVE records contain a newline after every argument. auditd converts
> "\n" to " " so you cannot see newlines even in raw logs, but they're
> there nevertheless. If you're not using auditd, you need to work round
> them. These '\n' chars are can be easily replaced by spaces when
> creating record in kernel. Note there is no need for trailing '\n' in
> an audit record.
While I completely agree the \n was my mistake and should be
dropped/fixed can you fix one more thing and look at another? First
arg_num_len is being miscalculated since I included the \n in that
calculation (might be the only place....) and I remember not wanting to
follow convention and put the space at the beginning of the aX= for some
reason. If you add thousands of arguments so this is larger than
MAX_EXECVE_AUDIT_LEN do you end up with an extra space somewhere in the
second EXECVE record? Or maybe it was a single argument that was larger
than the max, can't remember which, but I do remember having a random
extra space (maybe we'd rather have that for consistency?)
-Eric
>
> record before this patch:
> "type=EXECVE msg=audit(1231421801.566:31): argc=4 a0=\"./test\"\na1=\"a\"\na2=\"b\"\na3=\"c\"\n"
>
> record after this patch:
> "type=EXECVE msg=audit(1231421801.566:31): argc=4 a0=\"./test\" a1=\"a\" a2=\"b\" a3=\"c\""
>
>
> Signed-off-by: Jiri Pirko <jpirko(a)redhat.com>
> ---
> kernel/auditsc.c | 7 +++----
> 1 files changed, 3 insertions(+), 4 deletions(-)
>
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 8cbddff..c7012e0 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -1109,7 +1109,7 @@ static int audit_log_single_execve_arg(struct audit_context *context,
> * so we can be sure nothing was lost.
> */
> if ((i == 0) && (too_long))
> - audit_log_format(*ab, "a%d_len=%zu ", arg_num,
> + audit_log_format(*ab, " a%d_len=%zu", arg_num,
> has_cntl ? 2*len : len);
>
> /*
> @@ -1129,7 +1129,7 @@ static int audit_log_single_execve_arg(struct audit_context *context,
> buf[to_send] = '\0';
>
> /* actually log it */
> - audit_log_format(*ab, "a%d", arg_num);
> + audit_log_format(*ab, " a%d", arg_num);
> if (too_long)
> audit_log_format(*ab, "[%d]", i);
> audit_log_format(*ab, "=");
> @@ -1137,7 +1137,6 @@ static int audit_log_single_execve_arg(struct audit_context *context,
> audit_log_n_hex(*ab, buf, to_send);
> else
> audit_log_format(*ab, "\"%s\"", buf);
> - audit_log_format(*ab, "\n");
>
> p += to_send;
> len_left -= to_send;
> @@ -1165,7 +1164,7 @@ static void audit_log_execve_info(struct audit_context *context,
>
> p = (const char __user *)axi->mm->arg_start;
>
> - audit_log_format(*ab, "argc=%d ", axi->argc);
> + audit_log_format(*ab, "argc=%d", axi->argc);
>
> /*
> * we need some kernel buffer to hold the userspace args. Just
15 years, 4 months
audit_pid with multiple userspace auditd processes
by Eric Paris
So I noticed today something strange, but maybe not wrong?
lets say userspace starts 2 copies of auditd. Then they kill the first
copy. The kernel at that point thinks there is no userspace auditd
running and will instead send things to dmesg
We could fix it by changing the handling in audit_receive_msg to reject
setting the audit_pid to 0 if the current audit_nlk_pid !=
NETLINK_CB(skb).pid.
It's not a big deal, maybe we just call results of audit with multiple
userspace auditd's running at the same time a undefined and not care.
Anyone think that's worth a patch?
-Eric
15 years, 4 months
crond
by Starr-Renee Corbin
Hello,
I would like to filter out audit log entries that are created from the
default cron.daily, hourly etc. However, I would like to still be
able to view cron jobs that are run by users.
Is there a way to run an auditctl command that will do both of the
above?
Thanks in advance.
Starr-Renee Corbin
Applied Research Lab
The University of Texas at Austin
512-835-3628
15 years, 4 months
