[GIT PULL] audit fixes for 2.6.31
by Eric Paris
Al,
Please consider pulling audit fixes for 2.6.31. There are plenty
more changes but they depend on the notification work to be pushed to
Linus first. I'll send another pull request once that is done.
-Eric
The following changes since commit c9059598ea8981d02356eead3188bf7fa4d717b8:
Linus Torvalds (1):
Merge branch 'for-2.6.31' of git://git.kernel.dk/linux-2.6-block
are available in the git repository at:
git://git.infradead.org/users/eparis/audit.git for-next
Eric Paris (11):
Audit: fix audit watch use after free
Audit: better estimation of execve record length
Audit: dereferencing krule as if it were an audit_watch
Audit: unify the printk of an skb when auditd not around
Audit: cleanup netlink mesg handling
Audit: clean up audit_receive_skb
audit: seperate audit inode watches into a subfile
Audit: move audit_get_nd completely into audit_watch
audit: use kern_path rather than namei for watch creation
Audit: clean up the audit_watch split
Audit: clean up all op= output to include string quoting
include/linux/audit.h | 3 +
kernel/Makefile | 2 +-
kernel/audit.c | 130 ++++++------
kernel/audit.h | 31 +--
kernel/audit_tree.c | 10 +-
kernel/audit_watch.c | 541 ++++++++++++++++++++++++++++++++++++++++++++++++
kernel/auditfilter.c | 543 +++----------------------------------------------
kernel/auditsc.c | 17 +-
8 files changed, 660 insertions(+), 617 deletions(-)
create mode 100644 kernel/audit_watch.c
ausearch issue?
by LC Bruzenak
# auditctl -m "`cat e-1-s`"
# ausearch -ts recent -i -m USER
<no matches>
# ausearch -ts this-week -a 22476
<no matches>
in the raw log:
node=slim type=USER msg=audit(1244730722.536:22476): user pid=16700
uid=0 auid=500 ses=1 subj=user_u:user_r:user_t:s0 msg='node=jim
type=PATH msg=audit(06/08/2009 13:33:50.101:19267) : item=4
name=/var/lib/ntp/drift inode=115581 dev=fd:00 mode=file,644 ouid=ntp
ogid=ntp rdev=00:00 obj=system_u:object_r:ntp_drift_t:s0 :
exe="/usr/local/sbin/auditctl" (hostname=?, addr=?, terminal=pts/13
res=success)'
file "e-1-s" (1 line):
node=jim type=PATH msg=audit(06/08/2009 13:33:50.101:19267) : item=4
name=/var/lib/ntp/drift inode=115581 dev=fd:00 mode=file,644 ouid=ntp
ogid=ntp rdev=00:00 obj=system_u:object_r:ntp_drift_t:s0
Any clues?
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
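The record above carries two msg=audit(...) stamps: the event's own (serial 22476) and a second one inside the quoted msg='...' text that auditctl -m relayed verbatim. As an added illustration, not code from the post or from audit-userspace, here is a C extractor that takes the outermost stamp and refuses to look past the quoted payload, beside a naive last-match scan that returns the embedded serial; that ausearch mis-parses the record in exactly this way is an assumption, not something the post establishes.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed copy of the raw USER record from the post above, split across
 * string literals for readability; the real log line is one record. */
static const char *RAW_RECORD =
    "node=slim type=USER msg=audit(1244730722.536:22476): user pid=16700 "
    "uid=0 auid=500 ses=1 subj=user_u:user_r:user_t:s0 msg='node=jim "
    "type=PATH msg=audit(06/08/2009 13:33:50.101:19267) : item=4 "
    "name=/var/lib/ntp/drift inode=115581 dev=fd:00 mode=file,644 ouid=ntp "
    "ogid=ntp rdev=00:00 obj=system_u:object_r:ntp_drift_t:s0 : "
    "exe=\"/usr/local/sbin/auditctl\" (hostname=?, addr=?, terminal=pts/13 "
    "res=success)'";

/* Parse "msg=audit(<time>:<serial>)" at p. The serial follows the LAST colon
 * before ')', because interpreted timestamps contain colons themselves.
 * Returns the serial, or -1 if p does not start a well-formed stamp. */
static long parse_stamp(const char *p)
{
    const char *close, *colon;
    if (strncmp(p, "msg=audit(", 10) != 0)
        return -1;
    p += 10;
    close = strchr(p, ')');
    if (close == NULL)
        return -1;
    for (colon = close; colon > p && *colon != ':'; colon--)
        ;
    if (*colon != ':')
        return -1;
    return strtol(colon + 1, NULL, 10);
}

/* Event serial of a raw record: the first stamp, and only if it precedes the
 * quoted msg='...' payload, which may itself contain a stamp verbatim. */
long outer_serial(const char *rec)
{
    const char *quote = strstr(rec, "msg='");
    const char *stamp = strstr(rec, "msg=audit(");
    if (stamp == NULL || (quote != NULL && stamp > quote))
        return -1;
    return parse_stamp(stamp);
}

/* Naive scan that keeps the last stamp found anywhere in the record; on the
 * record above it reports the embedded serial, not the event's own. */
long naive_last_serial(const char *rec)
{
    long serial = -1;
    const char *p = rec;
    while ((p = strstr(p, "msg=audit(")) != NULL) {
        long s = parse_stamp(p);
        if (s != -1)
            serial = s;
        p += 10;
    }
    return serial;
}
```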
[PATCH] multiple nodes patch
by LC Bruzenak
Steve,
This seems to work fine with multiple nodes allowed.
Signed-off-by: Lenny Bruzenak <lenny(a)magitekltd.com>
diff -up ./docs/aureport.8.orig ./docs/aureport.8
--- ./docs/aureport.8.orig 2009-06-05 16:15:58.000000000 -0500
+++ ./docs/aureport.8 2009-06-05 16:16:31.000000000 -0500
@@ -55,7 +55,7 @@ Report about account modifications
Report about Mandatory Access Control (MAC) events
.TP
.BR \-\-node \ \fInode-name\fP
-Only select events originating from \fInode name\fP string for processing in the reports. The default is to include all nodes.
+Only select events originating from \fInode name\fP string for processing in the reports. The default is to include all nodes. Multiple nodes are allowed.
.TP
.BR \-p ,\ \-\-pid
Report about processes
diff -up ./docs/ausearch.8.orig ./docs/ausearch.8
--- ./docs/ausearch.8.orig 2009-06-05 16:14:29.000000000 -0500
+++ ./docs/ausearch.8 2009-06-05 16:40:51.000000000 -0500
@@ -5,7 +5,7 @@ ausearch \- a tool to query audit daemon
.B ausearch
.RI [ options ]
.SH DESCRIPTION
-\fBausearch\fP is a tool that can query the audit daemon logs based for events based on different search criteria. The ausearch utility can also take input from stdin as long as the input is the raw log data. Each commandline option given forms an "and" statement. For example, searching with \fB\-m\fP and \fB\-ui\fP means return events that have both the requested type and match the user id given.
+\fBausearch\fP is a tool that can query the audit daemon logs based for events based on different search criteria. The ausearch utility can also take input from stdin as long as the input is the raw log data. Each commandline option given forms an "and" statement. For example, searching with \fB\-m\fP and \fB\-ui\fP means return events that have both the requested type and match the user id given. An exception is the \fB\-n\fP option; multiple nodes are allowed in a search which will return any matching node.
It should also be noted that each syscall excursion from user space into the kernel and back into user space has one event ID that is unique. Any auditable event that is triggered during this trip share this ID so that they may be correlated.
@@ -64,7 +64,7 @@ Flush output on every line. Most useful
Search for an event matching the given \fImessage type\fP. You may also enter a \fIcomma separated list of message types\fP. There is an \fBALL\fP message type that doesn't exist in the actual logs. It allows you to get all messages in the system. The list of valid messages types is long. The program will display the list whenever no message type is passed with this parameter. The message type can be either text or numeric. If you enter a list, there can be only commas and no spaces separating the list.
.TP
.BR \-n ,\ \-\-node \ \fInode-name\fP
-Search for events originating from \fInode name\fP string.
+Search for events originating from \fInode name\fP string. Multiple nodes are allowed, and if any nodes match, the event is matched.
.TP
.BR \-o ,\ \-\-object \ \fISE-Linux-context-string\fP
Search for event with \fItcontext\fP (object) matching the string.
diff -up ./src/aureport-options.c.orig ./src/aureport-options.c
--- ./src/aureport-options.c.orig 2009-02-24 15:11:36.000000000 -0600
+++ ./src/aureport-options.c 2009-06-05 16:06:23.000000000 -0500
@@ -40,7 +40,9 @@ int force_logs = 0;
/* These are for compatibility with parser */
unsigned int event_id = -1;
-const char *event_node = NULL;
+int event_nodename_count=0;
+const char **event_node_array=NULL;
+
const char *event_key = NULL;
const char *event_filename = NULL;
const char *event_exe = NULL;
@@ -573,10 +575,20 @@ int check_params(int count, char *vars[]
vars[c]);
retval = -1;
} else {
- event_node = strdup(optarg);
- if (event_node == NULL)
- retval = -1;
c++;
+ event_nodename_count++;
+
+ event_node_array =
+ realloc (event_node_array, sizeof (char *) * event_nodename_count);
+ if (event_node_array== NULL) {
+ retval = -1;
+ break;
+ }
+ event_node_array[event_nodename_count-1] = strdup(optarg);
+ if (event_node_array[event_nodename_count-1] == NULL) {
+ retval = -1;
+ break;
+ }
}
break;
case R_SUMMARY_DET:
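Review bot: the line `event_node_array = realloc (event_node_array, sizeof (char *) * event_nodename_count);` assigns the result straight back to the only pointer to the array, so when realloc returns NULL every node name collected so far is leaked, and `event_nodename_count` has already been incremented past what the array holds. Assign to a temporary first, store it only after the NULL check, and bump the count only once strdup has succeeded; as written, a strdup failure leaves a NULL slot that the count already includes, which any later walk of the array would dereference.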
diff -up ./src/aureport-scan.c.orig ./src/aureport-scan.c
--- ./src/aureport-scan.c.orig 2009-02-24 15:11:36.000000000 -0600
+++ ./src/aureport-scan.c 2009-06-05 16:21:10.000000000 -0500
@@ -193,18 +193,24 @@ int classify_conf(const llist *l)
*/
int scan(llist *l)
{
+ int i, found=0;
+
// Are we within time range?
if (start_time == 0 || l->e.sec >= start_time) {
if (end_time == 0 || l->e.sec <= end_time) {
// OK - do the heavier checking
int rc = extract_search_items(l);
if (rc == 0) {
- if (event_node) {
- if (l->e.node == NULL)
- return 0;
- if (strcasecmp(event_node, l->e.node))
- return 0;
- }
+ if (event_nodename_count && event_node_array) {
+ if (l->e.node == NULL)
+ return 0;
+ for (i=0; i < event_nodename_count && !found; i++) {
+ if (!strcasecmp(event_node_array[i], l->e.node))
+ found++;
+ }
+ if (!found)
+ return 0;
+ }
if (classify_success(l) && classify_conf(l))
return 1;
return 0;
diff -up ./src/ausearch-common.h.orig ./src/ausearch-common.h
--- ./src/ausearch-common.h.orig 2009-02-24 15:11:36.000000000 -0600
+++ ./src/ausearch-common.h 2009-06-05 16:03:23.000000000 -0500
@@ -31,7 +31,8 @@ extern gid_t event_gid, event_egid;
extern pid_t event_pid;
extern int event_exact_match;
extern uid_t event_uid, event_euid, event_loginuid;
-extern const char *event_node;
+extern int event_nodename_count;
+extern const char **event_node_array;
extern const char *event_comm;
extern const char *event_filename;
extern const char *event_hostname;
diff -up ./src/ausearch-match.c.orig ./src/ausearch-match.c
--- ./src/ausearch-match.c.orig 2009-02-24 15:11:36.000000000 -0600
+++ ./src/ausearch-match.c 2009-06-05 16:22:28.000000000 -0500
@@ -43,6 +43,7 @@ static int context_match(llist *l);
#include <stdio.h>
int match(llist *l)
{
+ int i, found=0;
// Are we within time range?
if (start_time == 0 || l->e.sec >= start_time) {
if (end_time == 0 || l->e.sec <= end_time) {
@@ -53,12 +54,14 @@ int match(llist *l)
}
// perform additional tests for the field
- if (event_node) {
+ if (event_nodename_count && event_node_array) {
if (l->e.node == NULL)
+ return 0;
+ for (i=0; i < event_nodename_count && !found; i++)
+ if (strmatch(event_node_array[i], l->e.node))
+ found++;
+ if (!found)
return 0;
- if (strmatch(event_node,
- l->e.node) == 0)
- return 0;
}
if (user_match(l) == 0)
return 0;
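Review bot: the `for (i=0; i < event_nodename_count && !found; i++)` loop has no braces around a body that is itself an `if`; it works, but the aureport-scan.c version of the same loop uses braces, and the two copies already differ (strmatch here, strcasecmp there, each matching the original single-node code). Consider moving the node-list loop into one shared helper in ausearch-common so the two matchers cannot drift further apart, and keep the braces either way.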
diff -up ./src/ausearch-options.c.orig ./src/ausearch-options.c
--- ./src/ausearch-options.c.orig 2009-02-24 15:11:36.000000000 -0600
+++ ./src/ausearch-options.c 2009-06-05 16:05:18.000000000 -0500
@@ -53,7 +53,6 @@ int event_session_id = -1;
int event_exit = 0, event_exit_is_set = 0;
int line_buffered = 0;
const char *event_key = NULL;
-const char *event_node = NULL;
const char *event_filename = NULL;
const char *event_exe = NULL;
const char *event_comm = NULL;
@@ -63,6 +62,9 @@ const char *event_subject = NULL;
const char *event_object = NULL;
report_t report_format = RPT_DEFAULT;
+int event_nodename_count=0;
+const char **event_node_array=NULL;
+
struct nv_pair {
int value;
const char *name;
@@ -591,10 +593,19 @@ int check_params(int count, char *vars[]
vars[c]);
retval = -1;
} else {
- event_node = strdup(optarg);
- if (event_node == NULL)
- retval = -1;
c++;
+ event_nodename_count++;
+
+ event_node_array = realloc (event_node_array, sizeof (char *) * event_nodename_count);
+ if (event_node_array== NULL) {
+ retval = -1;
+ break;
+ }
+ event_node_array[event_nodename_count-1] = strdup(optarg);
+ if (event_node_array[event_nodename_count-1] == NULL) {
+ retval = -1;
+ break;
+ }
}
break;
case S_SYSCALL:
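Review bot: same realloc pattern as in aureport-options.c: `event_node_array = realloc (event_node_array, ...)` overwrites the sole pointer to the array, so on a NULL return the previously stored names leak, and `event_nodename_count++` has already run before either the realloc or the strdup is known to have succeeded. Use a temporary for the realloc result and increment the count after the strdup check, so that `event_nodename_count` never exceeds the number of valid entries in `event_node_array`.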
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
ausearch discrepancies?
by LC Bruzenak
F10, audit-1.7.12
[root@slim ~]# ausearch -i -ts yesterday -te yesterday | grep "node=" | tail
...
node=slim type=PATH msg=audit(06/03/2009 19:11:29.348:2884) : item=0
name=/home/lcb/.mozilla/firefox/c9hijbr8.default/ inode=542803 dev=fd:00
mode=dir,700 ouid=lcb ogid=lcb rdev=00:00
obj=system_u:object_r:mozilla_home_t:s0
node=slim type=CWD msg=audit(06/03/2009 19:11:29.348:2884) :
cwd=/home/lcb
node=slim type=SYSCALL msg=audit(06/03/2009 19:11:29.348:2884) :
arch=x86_64 syscall=unlink success=yes exit=0 a0=2bb999c a1=2bb999c a2=0
a3=7feb3f6db550 items=2 ppid=7641 pid=7673 auid=lcb uid=lcb gid=lcb
euid=lcb suid=lcb fsuid=lcb egid=lcb sgid=lcb fsgid=lcb tty=(none) ses=1
comm=firefox exe=/usr/lib64/firefox-3.0.10/firefox
subj=user_u:user_r:user_t:s0 key=delete
The results end with the above record.
Then:
[root@slim ~]# ausearch -i -ts yesterday | grep "node=" | less
...
node=slim type=PATH msg=audit(06/03/2009 23:47:48.715:3006) : item=0
name=/home/lcb/.mozilla/firefox/c9hijbr8.default/ inode=542803 dev=fd:00
mode=dir,700 ouid=lcb ogid=lcb rdev=00:00
obj=system_u:object_r:mozilla_home_t:s0
node=slim type=CWD msg=audit(06/03/2009 23:47:48.715:3006) :
cwd=/home/lcb
node=slim type=SYSCALL msg=audit(06/03/2009 23:47:48.715:3006) :
arch=x86_64 syscall=unlink success=yes exit=0 a0=36763bc a1=36763bc a2=0
a3=7feb3f6db550 items=2 ppid=7641 pid=7673 auid=lcb uid=lcb gid=lcb
euid=lcb suid=lcb fsuid=lcb egid=lcb sgid=lcb fsgid=lcb tty=(none) ses=1
comm=firefox exe=/usr/lib64/firefox-3.0.10/firefox
subj=user_u:user_r:user_t:s0 key=delete
node=slim type=SYSCALL msg=audit(06/03/2009 23:52:13.141:3007) :
arch=x86_64 syscall=adjtimex success=yes exit=0 a0=7fe1c7acbb60 a1=5
a2=7fe1c7acbb40 a3=14 items=0 ppid=1 pid=1519 auid=unset uid=ntp gid=ntp
euid=ntp suid=ntp fsuid=ntp egid=ntp sgid=ntp fsgid=ntp tty=(none)
ses=4294967295 comm=ntpd exe=/usr/sbin/ntpd
subj=system_u:system_r:ntpd_t:s0-s15:c0.c1023 key=time-change
node=slim type=USER_ACCT msg=audit(06/04/2009 00:01:01.716:3013) : user
pid=14269 uid=root auid=unset ses=4294967295
subj=system_u:system_r:crond_t:s0-s15:c0.c1023 msg='op=PAM:accounting acct=root
exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron res=success)'
This shows plenty of events after the 19:11 event shown.
Any ideas?
# date
Thu Jun 4 19:29:10 CDT 2009
Reading the manpage is a little confusing on the -ts and -te meanings.
I'm not sure I agree with the way it is stated; regardless, the behavior
above appears wrong ... but this appears to work correctly:
ausearch -ts 06/03/2009 00:00:00 -te 06/03/2009 23:59:59 -i | grep "node=" | tail
...
node=slim type=PATH msg=audit(06/03/2009 23:47:48.715:3006) : item=0
name=/home/lcb/.mozilla/firefox/c9hijbr8.default/ inode=542803 dev=fd:00
mode=dir,700 ouid=lcb ogid=lcb rdev=00:00
obj=system_u:object_r:mozilla_home_t:s0
node=slim type=CWD msg=audit(06/03/2009 23:47:48.715:3006) :
cwd=/home/lcb
node=slim type=SYSCALL msg=audit(06/03/2009 23:47:48.715:3006) :
arch=x86_64 syscall=unlink success=yes exit=0 a0=36763bc a1=36763bc a2=0
a3=7feb3f6db550 items=2 ppid=7641 pid=7673 auid=lcb uid=lcb gid=lcb
euid=lcb suid=lcb fsuid=lcb egid=lcb sgid=lcb fsgid=lcb tty=(none) ses=1
comm=firefox exe=/usr/lib64/firefox-3.0.10/firefox
subj=user_u:user_r:user_t:s0 key=delete
node=slim type=SYSCALL msg=audit(06/03/2009 23:52:13.141:3007) :
arch=x86_64 syscall=adjtimex success=yes exit=0 a0=7fe1c7acbb60 a1=5
a2=7fe1c7acbb40 a3=14 items=0 ppid=1 pid=1519 auid=unset uid=ntp gid=ntp
euid=ntp suid=ntp fsuid=ntp egid=ntp sgid=ntp fsgid=ntp tty=(none)
ses=4294967295 comm=ntpd exe=/usr/sbin/ntpd
subj=system_u:system_r:ntpd_t:s0-s15:c0.c1023 key=time-change
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
ausearch nodes option
by LC Bruzenak
On an audit collector machine, I (obviously) have data from different
hosts.
In an ausearch I would like to look for events from multiple hosts.
Ideally I would have multiple "-n <HOSTNAME>" entries which would return
events for any of the hosts.
The man page says that the options form an "and" statement. I find this
isn't the case with multiple hosts specified, but the result is the
"last host listed wins":
[root@audit audit]# ausearch -i -n client3 -n client12 | grep client3 | wc
0 0 0
[root@audit audit]# ausearch -i -n client12 -n client3 | grep client3 | wc
2035 35292 529086
[root@audit audit]# ausearch -i -n client12 -n client3 | grep client12 | wc
0 0 0
[root@audit audit]# ausearch -i -n client3 -n client12 | grep client12 | wc
1709 29481 445211
I may patch my own ausearch to behave differently. I could just extract
them independently, however then I'd need to weave them back together
because I need the events to be sequential.
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
[PATCH] Audit: dereferencing krule as if it were an audit_watch
by Eric Paris
audit_update_watch() runs all of the rules for a given watch and duplicates
them, attaches a new watch to them, and then when it finishes that process
and has called free on all of the old rules (ok maybe still inside the rcu
grace period) it proceeds to use the last element from list_for_each_entry_safe()
as if it were a krule rather than being the audit_watch which was anchoring
the list to output a message about audit rules changing.
This patch unifies the audit message from two different places into a helper
function and calls it from the correct location in audit_update_rules(). We
will now get an audit message about the config changing for each rule (with
each rule's filterkey) rather than the previous garbage.
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
kernel/auditfilter.c | 58 +++++++++++++++++++++-----------------------------
1 files changed, 24 insertions(+), 34 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 19c0a0a..55d6bef 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -977,6 +977,27 @@ static struct audit_entry *audit_dupe_rule(struct audit_krule *old,
return entry;
}
+static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watch *w, char *op)
+{
+ if (audit_enabled) {
+ struct audit_buffer *ab;
+ ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
+ audit_log_format(ab, "auid=%u ses=%u op=",
+ audit_get_loginuid(current),
+ audit_get_sessionid(current));
+ audit_log_string(ab, op);
+ audit_log_format(ab, "=");
+ audit_log_untrustedstring(ab, w->path);
+ if (r->filterkey) {
+ audit_log_format(ab, " key=");
+ audit_log_untrustedstring(ab, r->filterkey);
+ } else
+ audit_log_format(ab, " key=(null)");
+ audit_log_format(ab, " list=%d res=1", r->listnr);
+ audit_log_end(ab);
+ }
+}
+
/* Update inode info in audit rules based on filesystem event. */
static void audit_update_watch(struct audit_parent *parent,
const char *dname, dev_t dev,
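Review bot: `char *op` in `audit_watch_log_rule_change()` should be `const char *op`, since both callers pass string literals and the helper only reads it. Also check the field layout: `op=` followed by `audit_log_string(ab, op)` (which emits the value quoted) and then a bare `"="` before the path produces `op="updated rules specifying path"=/some/path`, which is no longer a clean key=value pair; emitting `" path="` instead of `"="` after the quoted op would keep the record parseable.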
@@ -1023,24 +1044,11 @@ static void audit_update_watch(struct audit_parent *parent,
&nentry->rule.list);
}
+ audit_watch_log_rule_change(r, owatch, "updated rules specifying path");
+
call_rcu(&oentry->rcu, audit_free_rule_rcu);
}
- if (audit_enabled) {
- struct audit_buffer *ab;
- ab = audit_log_start(NULL, GFP_NOFS,
- AUDIT_CONFIG_CHANGE);
- audit_log_format(ab, "auid=%u ses=%u",
- audit_get_loginuid(current),
- audit_get_sessionid(current));
- audit_log_format(ab,
- " op=updated rules specifying path=");
- audit_log_untrustedstring(ab, owatch->path);
- audit_log_format(ab, " with dev=%u ino=%lu\n",
- dev, ino);
- audit_log_format(ab, " list=%d res=1", r->listnr);
- audit_log_end(ab);
- }
audit_remove_watch(owatch);
goto add_watch_to_parent; /* event applies to a single watch */
}
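Review bot: the removed message logged `" with dev=%u ino=%lu\n"` for the updated watch, but the helper has no way to emit dev and ino, so that information silently disappears from the CONFIG_CHANGE record; either extend the helper with an optional dev/ino pair or state the dropped fields in the commit message. Moving the call inside the per-rule loop does fix the bug described above, since `r` is still the live krule there rather than the loop's anchoring audit_watch, and the log is written before `call_rcu(&oentry->rcu, audit_free_rule_rcu)` queues the rule for freeing.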
@@ -1065,25 +1073,7 @@ static void audit_remove_parent_watches(struct audit_parent *parent)
list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
e = container_of(r, struct audit_entry, rule);
- if (audit_enabled) {
- struct audit_buffer *ab;
- ab = audit_log_start(NULL, GFP_NOFS,
- AUDIT_CONFIG_CHANGE);
- audit_log_format(ab, "auid=%u ses=%u",
- audit_get_loginuid(current),
- audit_get_sessionid(current));
- audit_log_format(ab, " op=remove rule path=");
- audit_log_untrustedstring(ab, w->path);
- if (r->filterkey) {
- audit_log_format(ab, " key=");
- audit_log_untrustedstring(ab,
- r->filterkey);
- } else
- audit_log_format(ab, " key=(null)");
- audit_log_format(ab, " list=%d res=1",
- r->listnr);
- audit_log_end(ab);
- }
+ audit_watch_log_rule_change(r, w, "remove rule path");
list_del(&r->rlist);
list_del(&r->list);
list_del_rcu(&e->list);
[PATCH] SELinux: define audit permissions for audit tree netlink messages
by Eric Paris
Audit trees defined 2 new netlink messages but the netlink mapping tables for
selinux permissions were not set up. This patch maps these 2 new operations
to AUDIT_WRITE.
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
security/selinux/nlmsgtab.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index c6875fd..dd7cc6d 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -112,6 +112,8 @@ static struct nlmsg_perm nlmsg_audit_perms[] =
{ AUDIT_DEL_RULE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
{ AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
{ AUDIT_SIGNAL_INFO, NETLINK_AUDIT_SOCKET__NLMSG_READ },
+ { AUDIT_TRIM, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
+ { AUDIT_MAKE_EQUIV, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
{ AUDIT_TTY_GET, NETLINK_AUDIT_SOCKET__NLMSG_READ },
{ AUDIT_TTY_SET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT },
};
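Review bot: the commit message says "these 2 new operations" without naming them; spell out AUDIT_TRIM and AUDIT_MAKE_EQUIV there so the change is searchable. Classifying both as NETLINK_AUDIT_SOCKET__NLMSG_WRITE is consistent with the AUDIT_DEL_RULE entry visible in context, since both modify the audit tree configuration rather than read it.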