user message limits
by LC Bruzenak
I know I can go look at the code, however I figured I'd ask here first
about the limits on the user message in both audit_log_user_message and
ausearch.
With audit_log_user_message the maximum length allowed appears to be
around MAX_AUDIT_MESSAGE_LENGTH-100. I think it may depend on the
executable name length (and other stuff auto-pushed into the string)
which is why I say "around".
Even when I get a successful return value (from audit_log_user_message),
I don't get my string back out in "ausearch" unless it is WAY smaller -
~1K or less I think.
Any ideas/thoughts?
This is the latest (1.7.11-2) audit package.
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
11 years, 1 month
AUDIT_SIGNAL_INFO
by Matthew Booth
Under what circumstances will the RHEL 4 kernel generate a message of
type AUDIT_SIGNAL_INFO? My understanding is that it should be sent when
a process sends a signal to the audit daemon, however I have not
observed that. Any ideas?
Thanks,
Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
12 years, 4 months
Near Term Audit Road Map
by Steve Grubb
Hi,
With the proposals sent to the list, I wanted to talk about how this might
play out code-wise. With regard to the current code base, I am working on a
1.8 release. This would represent finishing the remote logging app and
nothing more. The 1.8 series would become just an update series just like the
1.0.x series did.
In parallel with finishing remote logging, I would release a 2.0 version.
Patches applied to 1.8 would also be applied to 2.0. A 2.1 release would
signify the completion of remote logging that branch. I would recommend this
branch for all distributions pulling new code in.
The 2.0 branch will also have a couple more changes. I want to split up the
audit source code a little bit. I want to drop the system-config-audit code
and let it become standalone package updated and distributed separately.
I also want to drop all audispd-plugins in the 2.0 branch and have them
released separately. They cause unnecessary build dependencies for the audit
package.
During the work for a 2.2 release, I would also like to pull the audispd
program inside auditd. In the past, I tried to keep auditd lean and single
purpose, but with adding remote logging and kerberos support, we already have
something that is hard to analyze. So, to improve performance and decrease
system load, the audit daemon will also do event dispatching.
Would this proposal impact anyone in a Bad Way?
Thanks,
-Steve
12 years, 4 months
[PATCH] Fix a bug of "autrace -r /bin/ls" in i386
by Peng Haitao
Hello Steve,
When execute "autrace -r /bin/ls" in i386, The error message
"Error inserting audit rule for pid=349" will be outputed.
When execute "ausyscall i386 connect", The error message
"Unknown syscall connect using i386 lookup table" will be outputed.
After apply the patch,
The output of "ausyscall i386 connect" is "socketcall 102".
The output of "autrace -r /bin/ls" should be OK.
Signed-off-by: Peng Haitao <penght(a)cn.fujitsu.com>
---
lib/lookup_table.c | 36 ++++++++++++++++++++++++++++++++++++
tools/ausyscall/ausyscall.c | 36 ++++++++++++++++++++++++++++++++++++
2 files changed, 72 insertions(+), 0 deletions(-)
diff --git a/lib/lookup_table.c b/lib/lookup_table.c
index b0abe07..c6f892f 100755
--- a/lib/lookup_table.c
+++ b/lib/lookup_table.c
@@ -29,6 +29,7 @@
#include <stdlib.h>
#include <ctype.h>
#include <errno.h>
+#include <linux/net.h>
#include "libaudit.h"
#include "gen_tables.h"
@@ -96,6 +97,33 @@ const char *audit_field_to_name(int field)
return field_i2s(field);
}
+/* This is the name/value pair used by search tables */
+struct nv_pair {
+ int value;
+ const char *name;
+};
+
+static struct nv_pair socktab[] = {
+ {SYS_SOCKET, "socket"},
+ {SYS_BIND, "bind"},
+ {SYS_CONNECT, "connect"},
+ {SYS_LISTEN, "listen"},
+ {SYS_ACCEPT, "accept"},
+ {SYS_GETSOCKNAME, "getsockname"},
+ {SYS_GETPEERNAME, "getpeername"},
+ {SYS_SOCKETPAIR, "socketpair"},
+ {SYS_SEND, "send"},
+ {SYS_RECV, "recv"},
+ {SYS_SENDTO, "sendto"},
+ {SYS_RECVFROM, "recvfrom"},
+ {SYS_SHUTDOWN, "shutdown"},
+ {SYS_SETSOCKOPT, "setsockopt"},
+ {SYS_GETSOCKOPT, "getsockopt"},
+ {SYS_SENDMSG, "sendmsg"},
+ {SYS_RECVMSG, "recvmsg"}
+};
+#define SOCK_NAMES (sizeof(socktab)/sizeof(socktab[0]))
+
int audit_name_to_syscall(const char *sc, int machine)
{
int res, found;
@@ -104,6 +132,14 @@ int audit_name_to_syscall(const char *sc, int machine)
{
case MACH_X86:
found = i386_syscall_s2i(sc, &res);
+ if (!found) {
+ int i;
+ for(i = 0; i < SOCK_NAMES; i++)
+ if (strcmp(socktab[i].name, sc) == 0) {
+ sc = "socketcall";
+ found = i386_syscall_s2i(sc, &res);
+ }
+ }
break;
case MACH_86_64:
found = x86_64_syscall_s2i(sc, &res);
diff --git a/tools/ausyscall/ausyscall.c b/tools/ausyscall/ausyscall.c
index 565336f..772aa00 100755
--- a/tools/ausyscall/ausyscall.c
+++ b/tools/ausyscall/ausyscall.c
@@ -25,10 +25,38 @@
#include <string.h>
#include <stdlib.h>
#include <ctype.h>
+#include <linux/net.h>
#include "libaudit.h"
#define LAST_SYSCALL 1400 // IA64 is in the 1300's right now
+/* This is the name/value pair used by search tables */
+struct nv_pair {
+ int value;
+ const char *name;
+};
+
+static struct nv_pair socktab[] = {
+ {SYS_SOCKET, "socket"},
+ {SYS_BIND, "bind"},
+ {SYS_CONNECT, "connect"},
+ {SYS_LISTEN, "listen"},
+ {SYS_ACCEPT, "accept"},
+ {SYS_GETSOCKNAME, "getsockname"},
+ {SYS_GETPEERNAME, "getpeername"},
+ {SYS_SOCKETPAIR, "socketpair"},
+ {SYS_SEND, "send"},
+ {SYS_RECV, "recv"},
+ {SYS_SENDTO, "sendto"},
+ {SYS_RECVFROM, "recvfrom"},
+ {SYS_SHUTDOWN, "shutdown"},
+ {SYS_SETSOCKOPT, "setsockopt"},
+ {SYS_GETSOCKOPT, "getsockopt"},
+ {SYS_SENDMSG, "sendmsg"},
+ {SYS_RECVMSG, "recvmsg"}
+};
+#define SOCK_NAMES (sizeof(socktab)/sizeof(socktab[0]))
+
void usage(void)
{
fprintf(stderr, "usage: ausyscall [arch] name | number | --dump | --exact\n");
@@ -119,6 +147,14 @@ int main(int argc, char *argv[])
if (n && strcasestr(n, name)) {
found = 1;
printf("%-18s %d\n", n, i);
+ } else if (n && strcmp(n, "socketcall") == 0) {
+ int j = 0;
+ for (j = 0; j < SOCK_NAMES; j++)
+ if (strcmp(socktab[j].name, name) == 0) {
+ found = 1;
+ printf("%-18s %d\n", n, i);
+ break;
+ }
}
}
if (!found) {
--
1.7.0.1
--
Best Regards,
Peng Haitao
13 years, 10 months
Audit Uid and login uid
by Ashok Kumar J
Dear ALL,
I want to know the difference between login uid and audit uid. If it is
same, then how i can show that this two things are same. I saw about the
function setauid and setlogin also. Please tell me the difference in between
this.
--
with regards
Ashok Kumar J
13 years, 10 months
Memory Leak Update
by Jim Richard
All:
I wanted to update you on the memory leak I experienced in the audisp-remote plugin. I have been running the patched test packages (1.7.18-2) that RedHat provided to me, for a month now and have not had any more memory leaks.
Best Regards,
Jim Richard
13 years, 10 months
[PATCH 1/3] From Neil Horman <nhorman@tuxdriver.com>
by Eric Paris
audit: add additional audit info (read/write length & rng name) for RNG devices
Add /dev/[u]random auditing
Patch to enhance auditing of user visible random number generators. Allows us to
determine how many bytes of random data were obtained on each read from an RNG
device
Signed-off-by: Neil Horman <nhorman(a)tuxdriver.com>
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
drivers/char/random.c | 18 +++++++++++++++---
include/linux/audit.h | 11 +++++++++++
kernel/auditsc.c | 29 +++++++++++++++++++++++++++++
3 files changed, 55 insertions(+), 3 deletions(-)
diff --git a/drivers/char/random.c b/drivers/char/random.c
index 5a1aa64..94ee4a6 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -241,6 +241,7 @@
#include <linux/percpu.h>
#include <linux/cryptohash.h>
#include <linux/fips.h>
+#include <linux/audit.h>
#ifdef CONFIG_GENERIC_HARDIRQS
# include <linux/irq.h>
@@ -1000,7 +1001,7 @@ random_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
ssize_t n, retval = 0, count = 0;
if (nbytes == 0)
- return 0;
+ goto out;
while (nbytes > 0) {
n = nbytes;
@@ -1047,13 +1048,22 @@ random_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
/* like a named pipe */
}
+out:
+ audit_rng("random", count);
return (count ? count : retval);
}
static ssize_t
urandom_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
{
- return extract_entropy_user(&nonblocking_pool, buf, nbytes);
+ ssize_t count;
+
+ count = extract_entropy_user(&nonblocking_pool, buf, nbytes);
+
+ if (count >= 0)
+ audit_rng("urandom", count);
+
+ return count;
}
static unsigned int
@@ -1101,10 +1111,12 @@ static ssize_t random_write(struct file *file, const char __user *buffer,
ret = write_pool(&blocking_pool, buffer, count);
if (ret)
return ret;
+ audit_rng("random", count);
+
ret = write_pool(&nonblocking_pool, buffer, count);
if (ret)
return ret;
-
+ audit_rng("urandom", count);
return (ssize_t)count;
}
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 8b5c062..2f90d9e 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -123,6 +123,8 @@
#define AUDIT_MAC_UNLBL_STCADD 1416 /* NetLabel: add a static label */
#define AUDIT_MAC_UNLBL_STCDEL 1417 /* NetLabel: del a static label */
+#define AUDIT_RNG 1601 /* usage of /dev/random and /dev/urandom */
+
#define AUDIT_FIRST_KERN_ANOM_MSG 1700
#define AUDIT_LAST_KERN_ANOM_MSG 1799
#define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
@@ -428,6 +430,7 @@ extern void __audit_inode(const char *name, const struct dentry *dentry);
extern void __audit_inode_child(const struct dentry *dentry,
const struct inode *parent);
extern void __audit_ptrace(struct task_struct *t);
+extern int __audit_rng(const char *name, size_t len);
static inline int audit_dummy_context(void)
{
@@ -456,6 +459,13 @@ static inline void audit_ptrace(struct task_struct *t)
__audit_ptrace(t);
}
+static inline int audit_rng(const char *name, size_t len)
+{
+ if (likely(audit_dummy_context()))
+ return 0;
+ return __audit_rng(name, len);
+}
+
/* Private API (for audit.c only) */
extern unsigned int audit_serial(void);
extern int auditsc_get_stamp(struct audit_context *ctx,
@@ -574,6 +584,7 @@ extern int audit_signals;
#define audit_log_capset(pid, ncr, ocr) ((void)0)
#define audit_mmap_fd(fd, flags) ((void)0)
#define audit_ptrace(t) ((void)0)
+#define audit_rng(c, l) (0)
#define audit_n_rules 0
#define audit_signals 0
#endif
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index e96c30e..5500adf 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -165,6 +165,12 @@ struct audit_aux_data_capset {
struct audit_cap_data cap;
};
+struct audit_aux_data_rng {
+ struct audit_aux_data d;
+ const char *name;
+ size_t len;
+};
+
struct audit_tree_refs {
struct audit_tree_refs *next;
struct audit_chunk *c[31];
@@ -1507,6 +1513,13 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
audit_log_cap(ab, "new_pe", &axs->new_pcap.effective);
break; }
+ case AUDIT_RNG: {
+ struct audit_aux_data_rng *axr = (void *)aux;
+ audit_log_format(ab, "name=");
+ audit_log_string(ab, axr->name);
+ audit_log_format(ab, " len=%zu", axr->len);
+ break; }
+
}
audit_log_end(ab);
}
@@ -2312,6 +2325,22 @@ int audit_bprm(struct linux_binprm *bprm)
return 0;
}
+int __audit_rng(const char *name, size_t len)
+{
+ struct audit_aux_data_rng *ax;
+ struct audit_context *context = current->audit_context;
+
+ ax = kmalloc(sizeof(*ax), GFP_KERNEL);
+ if (!ax)
+ return -ENOMEM;
+
+ ax->name = name;
+ ax->len = len;
+ ax->d.type = AUDIT_RNG;
+ ax->d.next = context->aux;
+ context->aux = (void *)ax;
+ return 0;
+}
/**
* audit_socketcall - record audit data for sys_socketcall
13 years, 10 months
How to reconstruct file path from PATH records?
by Dilin Mao
Hi,
We are developing a system to monitor file operations, the difficulties
is how to reconstruct file path from audit records. we have written some
testcases for system calls of file/dir operation, and found that the numbers
of path records differs when we try different combinations of absolute or
relative pathname. For rename/renameat function, we have seen four or five
path records per system call, for link/linkat function, the number of path
records is two or three. Is there any rule for how the path records is
generated?
We have also found that the file path can't be reconstruct correctly
sometimes. Taken linkat function as example:
olddirfd = open("/home/dlmao/test-syscall/tests/tmpdir",O_RDONLY);
newdirfd = open("/home/dlmao/test-syscall/tests/tmpdir",O_RDONLY);
linkat(olddirfd,"tmp.f1C3HgoJ1K",newdirfd,"tmpfile4",0)
but the audit record outputted is:
type=SYSCALL msg=audit(1291697940.405:66): arch=40000003 syscall=303
success=yes exit=0 a0=3 a1=bfe7ff2c a2=4 a3=bfe7feac items=3 ppid=3573
pid=3609 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts0 ses=4294967295 comm="test-linkat"
exe="/home/dlmao/test-syscall/tests/test-linkat" key=(null)
type=CWD msg=audit(1291697940.405:66): cwd="/home/dlmao/test-syscall/tests"
type=PATH msg=audit(1291697940.405:66): item=0 name="tmp.f1C3HgoJ1K"
inode=284275 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1291697940.405:66): item=1
name="/home/dlmao/test-syscall/tests" inode=287306 dev=08:01 mode=040755
ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1291697940.405:66): item=2 name="tmpfile4" inode=284275
dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
Thanks,
Mao
13 years, 11 months
[PATCH] Fix the bug that use option "--session Login-Session-ID" cannot search out all matched logs
by Peng Haitao
Hello Steve,
Use option '--session Login-Session-ID' cannot search out the log which
contains the given Login Session ID and message type is MAC_POLICY_LOAD.
For example:
# echo "type=MAC_POLICY_LOAD msg=audit(1290670949.711:413341): policy loaded auid=0 ses=218" | ausearch --session 218
<no matches>
Signed-off-by: Peng Haitao <penght(a)cn.fujitsu.com>
---
src/ausearch-parse.c | 18 +++++++++---------
1 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index 30a96a2..0ffea14 100755
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -1551,14 +1551,14 @@ static int parse_simple_message(const lnode *n, search_items *s)
if (str) {
ptr = str + 4;
term = strchr(ptr, ' ');
- if (term == NULL)
- return 3;
- *term = 0;
+ if (term)
+ *term = 0;
errno = 0;
s->session_id = strtoul(ptr, NULL, 10);
if (errno)
- return 4;
- *term = ' ';
+ return 3;
+ if (term)
+ *term = ' ';
}
}
@@ -1582,7 +1582,7 @@ static int parse_simple_message(const lnode *n, search_items *s)
else // Set it back to something sane
term = str;
} else
- return 5;
+ return 4;
}
}
@@ -1593,7 +1593,7 @@ static int parse_simple_message(const lnode *n, search_items *s)
//create
s->key = malloc(sizeof(slist));
if (s->key == NULL)
- return 6;
+ return 5;
slist_create(s->key);
}
ptr = str + 4;
@@ -1612,7 +1612,7 @@ static int parse_simple_message(const lnode *n, search_items *s)
}
*term = '"';
} else
- return 7;
+ return 6;
} else {
if (s->key) {
char *saved=NULL;
@@ -1652,7 +1652,7 @@ static int parse_simple_message(const lnode *n, search_items *s)
errno = 0;
s->success = strtoul(ptr, NULL, 10);
if (errno)
- return 8;
+ return 7;
if (term)
*term = ' ';
}
--
1.7.0.1
--
Best Regards,
Peng Haitao
13 years, 11 months