user message limits
by LC Bruzenak
I know I can go look at the code, however I figured I'd ask here first
about the limits on the user message in both audit_log_user_message and
ausearch.
With audit_log_user_message the maximum length allowed appears to be
around MAX_AUDIT_MESSAGE_LENGTH-100. I think it may depend on the
executable name length (and other stuff auto-pushed into the string)
which is why I say "around".
Even when I get a successful return value (from audit_log_user_message),
I don't get my string back out in "ausearch" unless it is WAY smaller -
~1K or less I think.
Any ideas/thoughts?
This is the latest (1.7.11-2) audit package.
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
11 years, 3 months
linux-audit: reconstruct path names from syscall events?
by John Feuerstein
Hi,
I would like to audit all changes to a directory tree using the linux
auditing system[1].
# auditctl -a exit,always -F dir=/etc/ -F perm=wa
It seems like the GNU coreutils are enough to break the audit trail.
The resulting SYSCALL events provide CWD and multiple PATH records,
depending on the syscall. If one of the PATH records is relative, I can
reconstruct the absolute path using the CWD record.
However, that does not work for the whole *at syscall family
(unlinkat(2), renameat(2), linkat(2), ...); accepting paths relative to
a given directory file descriptor. GNU coreutils are prominent users,
for example "rm -r" making use of unlinkat(2) to prevent races.
Things like dup(2) and fd passing via unix domain sockets come to mind.
It's the same old story again: mapping fds to path names is ambiguous at
best, if not impossible.
I wonder why such incomplete file system auditing rules are considered
sufficient in the CAPP/LSPP/NISPOM/STIG rulesets?
Here's a simplified example:
$ cd /tmp
$ mkdir dir
$ touch dir/file
$ ls -ldi /tmp /tmp/dir /tmp/dir/file
2057 drwxrwxrwt 9 root root 380 Sep 17 00:02 /tmp
58781 drwxr-xr-x 2 john john 40 Sep 17 00:02 /tmp/dir
56228 -rw-r--r-- 1 john john 0 Sep 17 00:02 /tmp/dir/file
$ cat > unlinkat.c
#include <unistd.h>
#include <fcntl.h>
int main(int argc, char **argv)
{
int dirfd = open("dir", O_RDONLY);
unlinkat(dirfd, "file", 0);
return 0;
}
^D
$ make unlinkat
cc unlinkat.c -o unlinkat
$ sudo autrace ./unlinkat
Waiting to execute: ./unlinkat
Cleaning up...
Trace complete. You can locate the records with 'ausearch -i -p 32121'
$ ls -li dir
total 0
Now, looking at the resulting raw SYSCALL event for unlinkat(2):
type=SYSCALL msg=audit(1316210542.899:779): arch=c000003e syscall=263 success=yes exit=0 a0=3 a1=400690 a2=0 a3=0 items=2 ppid=32106 pid=32121 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts12 ses=36 comm="unlinkat" exe="/tmp/unlinkat" key=(null)
type=CWD msg=audit(1316210542.899:779): cwd="/tmp"
type=PATH msg=audit(1316210542.899:779): item=0 name="/tmp" inode=58781 dev=00:0e mode=040755 ouid=1000 ogid=1000 rdev=00:00
type=PATH msg=audit(1316210542.899:779): item=1 name="file" inode=56228 dev=00:0e mode=0100644 ouid=1000 ogid=1000 rdev=00:00
type=EOE msg=audit(1316210542.899:779):
- From this event alone, there's no way to answer "Who unlinked
/tmp/dir/file?". For what it's worth, the provided path names would be
exactly the same if we had unlinked "/tmp/dir/dir/dir/dir/dir/file".
- PATH item 0 reports the inode of "/tmp/dir" (58781, see ls output
above), however, the reported path name is "/tmp" (bug?).
In this example I've used autrace, which traces everything, so I could
possibly search for a previous open(2) of inode 58781. And indeed, there
it is:
type=SYSCALL msg=audit(1316210542.899:778): arch=c000003e syscall=2 success=yes exit=3 a0=40068c a1=0 a2=7fff22724fc8 a3=0 items=1 ppid=32106 pid=32121 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts12 ses=36 comm="unlinkat" exe="/tmp/unlinkat" key=(null)
type=CWD msg=audit(1316210542.899:778): cwd="/tmp"
type=PATH msg=audit(1316210542.899:778): item=0 name="dir" inode=58781 dev=00:0e mode=040755 ouid=1000 ogid=1000 rdev=00:00
type=EOE msg=audit(1316210542.899:778):
Great, so inode 58781 was opened using "/tmp/dir", and therefore, the relative
path "file" given to unlinkat(2) above could possibly translate to
"/tmp/dir/path"... not really feeling confident here.
- All file system auditing rules in various rulesets and the examples in
the documentation add the "-F perm=wa" (or similar) filter, so the
open(2) wouldn't even make it into the audit trail.
- If you can handle the volume and log all open(2), what happens if the
open(2) was done hours, days, weeks, ... ago?
- What if the open(2) was done by another process which passed the fd
on a unix domain socket?
It looks like the kernel auditing code should provide
... item=0 name="/tmp/dir" inode=58781 ...
in the unlinkat(2) syscall event above. Looking up the unlinkat(2)
documentation:
int unlinkat(int dirfd, const char *pathname, int flags);
If the pathname given in pathname is relative, then it is
interpreted relative to the directory referred to by the file
descriptor dirfd (rather than relative to the current working
directory of the calling process, as is done by unlink(2) and
rmdir(2) for a relative pathname).
If the pathname given in pathname is relative and dirfd is the
special value AT_FDCWD, then pathname is interpreted relative
to the current working directory of the calling process (like
unlink(2) and rmdir(2)).
As you might see, there's not only the fd->pathname problem, but
also the special case for AT_FDCWD. In this case the kernel side should
probably just duplicate CWD's path name into item 0's path name. But
that's just unlinkat(2), there are a lot more.
What am I missing here? Is there no way to audit a directory tree?
I've looked at alternatives: Inotify watches won't scale to big trees
and events lack so much detail that they can't be used for auditing.
Fanotify, while providing the pid, still lacks a lot of events and
passes fds; the example code relies on readlink("/proc/self/fd/...").
Thanks,
John
[1] http://people.redhat.com/sgrubb/audit/
--
John Feuerstein <john(a)feurix.com>
12 years, 1 month
AUDIT_SIGNAL_INFO
by Matthew Booth
Under what circumstances will the RHEL 4 kernel generate a message of
type AUDIT_SIGNAL_INFO? My understanding is that it should be sent when
a process sends a signal to the audit daemon, however I have not
observed that. Any ideas?
Thanks,
Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
12 years, 6 months
Near Term Audit Road Map
by Steve Grubb
Hi,
With the proposals sent to the list, I wanted to talk about how this might
play out code-wise. With regard to the current code base, I am working on a
1.8 release. This would represent finishing the remote logging app and
nothing more. The 1.8 series would become just an update series just like the
1.0.x series did.
In parallel with finishing remote logging, I would release a 2.0 version.
Patches applied to 1.8 would also be applied to 2.0. A 2.1 release would
signify the completion of remote logging that branch. I would recommend this
branch for all distributions pulling new code in.
The 2.0 branch will also have a couple more changes. I want to split up the
audit source code a little bit. I want to drop the system-config-audit code
and let it become standalone package updated and distributed separately.
I also want to drop all audispd-plugins in the 2.0 branch and have them
released separately. They cause unnecessary build dependencies for the audit
package.
During the work for a 2.2 release, I would also like to pull the audispd
program inside auditd. In the past, I tried to keep auditd lean and single
purpose, but with adding remote logging and kerberos support, we already have
something that is hard to analyze. So, to improve performance and decrease
system load, the audit daemon will also do event dispatching.
Would this proposal impact anyone in a Bad Way?
Thanks,
-Steve
12 years, 6 months
Kernel oops+crash on repeated auditd restarts
by Valentin Avram
Hello.
Did anybody ever experience kernel oopses and even kernel crashes (after a
while), by just restarting repeatedly the auditd daemon?
I ask this because i had this problem on Dell R610 servers running Gentoo
Linux kernels gentoo-sources-3.0.6 and gentoo-sources-2.6.37-r4 (see this
bug: https://bugs.gentoo.org/show_bug.cgi?id=389405 ).
The kernels are nothing special, just the vanilla 2.6.37 and 3.0.6 with a
few gentoo patches (see https://lkml.org/lkml/2011/11/28/330 ).
The auditd version is 2.1.3 (latest). The audit.rules file contains
basically the following rules:
-D
-w /etc -p wa -k etc-directory
[snip: same for /sbin, /bin, /usr/sbin, /usr/bin]
-a exit,never -F dir=/lib/rc -k skip-lib-rc
-w /lib -p wa -k lib-directory
-w /usr/lib -p wa -k usr-lib-directory
-a exit,never -F arch=b32 -S read [snip: -S for write,open,fstat,mmap etc.]
-k excluded-syscalls
-b 8192
The bug seems to be somewhere in the fsnotify kernel part, however Gentoo
kernel devs and ppl on lkml did not seem too interested, so.. did anybody
notice a similar behaviour? Or better yet, is anybody willing to run on one
of your servers this simple test: start the minimum server services, use a
similar audit.rules configuration, then start auditd and run in a shell the
following one-liner:
while :; do /etc/init.d/auditd stop ; sleep 5 ; /etc/init.d/auditd start ;
sleep 5 ; done
This was enough to oops and crash the kernel in less than one hour on the
servers where i did the tests. If any similar behavior happens, i'd be very
interested to know the the kernel version and distro.
Thank you for your time.
12 years, 8 months
audit-2.2.1 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Add more interpretations in auparse for syscall parameters
- Add some interpretations to ausearch for syscall parameters
- In ausearch/report and auparse, allocate extra space for node names
- Update syscall tables for the 3.3.0 kernel
- Update libev to 4.0.4
- Reduce the size of some applications
- In auditctl, check usage against euid rather than uid
As I mentioned in another email, one of the best features of this release is
that for ausearch a little over 40 common syscalls can now have some of their
arguments interpreted. This means that if you are doing an investigation and you
needed to know what flags was being passed, it will now tell you. If the
arguments to the syscall involve uid's or gid's, they are now resolves to the
account name. Also in the interpreted mode, a 0x is prefixed to all syscall
arguments that are not interpreted as a visual reminder that the numbers are in
hex.
This also contains an important bug fix where all records of a single event could
not be grouped if the records contained a node name that was modest or large in
size. All other changes in this release are self explanatory.
Please let me know if you run across any problems with this release.
-Steve
12 years, 9 months
[PATCH] Have auditctl check the capability rather than the uid if we were compiled with cap-ng support. Check the euid rather than uid if we were compiled without cap-ng support
by Peter Moody
This is against the 2.2 release. I wasn't able to get HEAD to compile
(issues with mounttab.h that didn't want to run down because this is
such a small patch).
Signed-off-by: Peter Moody <pmoody(a)google.com>
---
trunk/src/Makefile.am | 2 +-
trunk/src/auditctl.c | 11 +++++++++--
2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/trunk/src/Makefile.am b/trunk/src/Makefile.am
index d321233..e36bc9f 100644
--- a/trunk/src/Makefile.am
+++ b/trunk/src/Makefile.am
@@ -25,7 +25,7 @@ AUTOMAKE_OPTIONS = no-dependencies
SUBDIRS = test
INCLUDES = -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/src/libev
sbin_PROGRAMS = auditd auditctl aureport ausearch autrace
-LIBS = -Lmt -lauditmt -lpthread
+LIBS = -Lmt -lauditmt -lpthread $(CAPNG_LDADD)
AM_LDFLAGS = -pthread
AM_CFLAGS = -D_REENTRANT -D_GNU_SOURCE -pthread
noinst_HEADERS = auditd-config.h auditd-event.h auditd-listen.h
ausearch-llist.h ausearch-options.h auditctl-llist.h
aureport-options.h ausearch-parse.h aureport-scan.h ausearch-lookup.h
ausearch-int.h auditd-dispatch.h ausearch-string.h ausearch-nvpair.h
ausearch-common.h ausearch-avc.h ausearch-time.h ausearch-lol.h
diff --git a/trunk/src/auditctl.c b/trunk/src/auditctl.c
index d3643fb..936a1a0 100644
--- a/trunk/src/auditctl.c
+++ b/trunk/src/auditctl.c
@@ -36,6 +36,9 @@
#include <errno.h>
#include <libgen.h> /* For basename */
#include <limits.h> /* PATH_MAX */
+#ifdef HAVE_LIBCAP_NG
+#include <cap-ng.h>
+#endif
#include "libaudit.h"
#include "private.h"
@@ -1160,9 +1163,13 @@ int main(int argc, char *argv[])
return 1;
}
#ifndef DEBUG
+#ifdef HAVE_LIBCAP_NG
+ /* Make sure we have the approprirate capabilities */
+ if (capng_have_capability(CAPNG_PERMITTED, CAP_AUDIT_CONTROL) != 1) {
+#else
/* Make sure we are root */
- if (getuid() != 0) {
+ if (geteuid() != 0) {
+#endif
fprintf(stderr, "You must be root to run this program.\n");
return 4;
}
--
1.7.7.3
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
12 years, 9 months
getuid() vs. geteuid() in auditctl
by Peter Moody
line 1162 in auditctl.c has this:
#ifndef DEBUG
/* Make sure we are root */
if (getuid() != 0) {
fprintf(stderr, "You must be root to run this program.\n");
return 4;
}
#endif
Is there any particular reason to use getuid() there as opposed to
geteuid()? In my particular case, we have a setuid helper that allows
a normal user to run 'auditctl -l' (with a clean environment), and
this prevents the setuid helper from working.
Cheers,
peter
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
12 years, 9 months
auparse, stdin, and AUPARSE_CB_EVENT_READY
by dump@tzib.net
Hi,
I made a audispd plugin, which reads from stdin and sends the strings to
auparse_feed() (auditd-2.1.3).
This works fine on the command line.
When called from audispd however, it gives AUPARSE_CB_EVENT_READY for
each single message, instead of after a complete event has been parsed.
So when you have 4 messages for one event:
- each of them appear as a single event when the plugin is started via
audispd.
- a single even for all 4 messages appear when the plugin is started on
the command line (and the log data fed via stdin, like cat test |
audispd-testplugin)
Looking at the write code it looks ok (audisp/audispd.c):
static int write_to_plugin(event_t *e, const char *string, size_t
string_len,
.. (note that i'm using string type so its the string code part)
if (conf->p->format == F_STRING) {
do {
rc = write(conf->p->plug_pipe[1], string, string_len);
} while (rc < 0 && errno == EINTR);
}
Do you know what causes this behavior, and/or how to "fix" it?
Thanks
12 years, 9 months
[PATCH] Fix output of configure.ac
by Marcelo Cerri
configure.ac doesn't show a "yes" when apparmor or some other features are
enabled. This patch fix it.
---
configure.ac | 14 ++++++--------
1 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/configure.ac b/configure.ac
index 9ac4719..b6d68ff 100644
--- a/configure.ac
+++ b/configure.ac
@@ -157,10 +157,9 @@ use_alpha=$withval,
use_alpha=no)
if test x$use_alpha != xno ; then
AC_DEFINE(WITH_ALPHA,1,[Define if you want to enable Alpha processor support.])
-else
- AC_MSG_RESULT(no)
fi
AM_CONDITIONAL(USE_ALPHA, test x$use_alpha = xyes)
+AC_MSG_RESULT($use_alpha)
AC_MSG_CHECKING(whether to include arm eabi processor support)
AC_ARG_WITH(armeb,
@@ -169,10 +168,9 @@ use_armeb=$withval,
use_armeb=no)
if test x$use_armeb != xno ; then
AC_DEFINE(WITH_ARMEB,1,[Define if you want to enable Arm eabi processor support.])
-else
- AC_MSG_RESULT(no)
fi
AM_CONDITIONAL(USE_ARMEB, test x$use_armeb = xyes)
+AC_MSG_RESULT($use_armeb)
AC_MSG_CHECKING(whether to use apparmor)
AC_ARG_WITH(apparmor,
@@ -181,17 +179,17 @@ use_apparmor=$withval,
use_apparmor=no)
if test x$use_apparmor != xno ; then
AC_DEFINE(WITH_APPARMOR,1,[Define if you want to enable AppArmor events.])
-else
- AC_MSG_RESULT(no)
fi
+AC_MSG_RESULT($use_apparmor)
+AC_MSG_CHECKING(whether to use prelude)
AC_ARG_WITH(prelude,
AS_HELP_STRING([--with-prelude],[enable prelude IDS support]),
use_prelude=$withval,
use_prelude=no)
+AC_MSG_RESULT($use_prelude)
if test x$use_prelude = xno ; then
have_prelude=no;
- AC_MSG_RESULT(no)
else
AC_CHECK_LIB(prelude, prelude_init,
have_prelude=yes, have_prelude=no)
@@ -200,7 +198,7 @@ else
else
LIBPRELUDE_CFLAGS=`libprelude-config --pthread-cflags 2>/dev/null`
LIBPRELUDE_LDFLAGS=`libprelude-config --ldflags 2>/dev/null`
-
+ AC_MSG_RESULT(yes)
fi
fi
AM_CONDITIONAL(HAVE_PRELUDE, test x$have_prelude = xyes)
--
1.7.1
12 years, 9 months
