user message limits
by LC Bruzenak
I know I can go look at the code, however I figured I'd ask here first
about the limits on the user message in both audit_log_user_message and
ausearch.
With audit_log_user_message the maximum length allowed appears to be
around MAX_AUDIT_MESSAGE_LENGTH-100. I think it may depend on the
executable name length (and other stuff auto-pushed into the string)
which is why I say "around".
Even when I get a successful return value (from audit_log_user_message),
I don't get my string back out in "ausearch" unless it is WAY smaller -
~1K or less I think.
Any ideas/thoughts?
This is the latest (1.7.11-2) audit package.
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
11 years, 1 month
linux-audit: reconstruct path names from syscall events?
by John Feuerstein
Hi,
I would like to audit all changes to a directory tree using the linux
auditing system[1].
# auditctl -a exit,always -F dir=/etc/ -F perm=wa
It seems like the GNU coreutils are enough to break the audit trail.
The resulting SYSCALL events provide CWD and multiple PATH records,
depending on the syscall. If one of the PATH records is relative, I can
reconstruct the absolute path using the CWD record.
However, that does not work for the whole *at syscall family
(unlinkat(2), renameat(2), linkat(2), ...); accepting paths relative to
a given directory file descriptor. GNU coreutils are prominent users,
for example "rm -r" making use of unlinkat(2) to prevent races.
Things like dup(2) and fd passing via unix domain sockets come to mind.
It's the same old story again: mapping fds to path names is ambiguous at
best, if not impossible.
I wonder why such incomplete file system auditing rules are considered
sufficient in the CAPP/LSPP/NISPOM/STIG rulesets?
Here's a simplified example:
$ cd /tmp
$ mkdir dir
$ touch dir/file
$ ls -ldi /tmp /tmp/dir /tmp/dir/file
2057 drwxrwxrwt 9 root root 380 Sep 17 00:02 /tmp
58781 drwxr-xr-x 2 john john 40 Sep 17 00:02 /tmp/dir
56228 -rw-r--r-- 1 john john 0 Sep 17 00:02 /tmp/dir/file
$ cat > unlinkat.c
#include <unistd.h>
#include <fcntl.h>
int main(int argc, char **argv)
{
int dirfd = open("dir", O_RDONLY);
unlinkat(dirfd, "file", 0);
return 0;
}
^D
$ make unlinkat
cc unlinkat.c -o unlinkat
$ sudo autrace ./unlinkat
Waiting to execute: ./unlinkat
Cleaning up...
Trace complete. You can locate the records with 'ausearch -i -p 32121'
$ ls -li dir
total 0
Now, looking at the resulting raw SYSCALL event for unlinkat(2):
type=SYSCALL msg=audit(1316210542.899:779): arch=c000003e syscall=263 success=yes exit=0 a0=3 a1=400690 a2=0 a3=0 items=2 ppid=32106 pid=32121 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts12 ses=36 comm="unlinkat" exe="/tmp/unlinkat" key=(null)
type=CWD msg=audit(1316210542.899:779): cwd="/tmp"
type=PATH msg=audit(1316210542.899:779): item=0 name="/tmp" inode=58781 dev=00:0e mode=040755 ouid=1000 ogid=1000 rdev=00:00
type=PATH msg=audit(1316210542.899:779): item=1 name="file" inode=56228 dev=00:0e mode=0100644 ouid=1000 ogid=1000 rdev=00:00
type=EOE msg=audit(1316210542.899:779):
- From this event alone, there's no way to answer "Who unlinked
/tmp/dir/file?". For what it's worth, the provided path names would be
exactly the same if we had unlinked "/tmp/dir/dir/dir/dir/dir/file".
- PATH item 0 reports the inode of "/tmp/dir" (58781, see ls output
above), however, the reported path name is "/tmp" (bug?).
In this example I've used autrace, which traces everything, so I could
possibly search for a previous open(2) of inode 58781. And indeed, there
it is:
type=SYSCALL msg=audit(1316210542.899:778): arch=c000003e syscall=2 success=yes exit=3 a0=40068c a1=0 a2=7fff22724fc8 a3=0 items=1 ppid=32106 pid=32121 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts12 ses=36 comm="unlinkat" exe="/tmp/unlinkat" key=(null)
type=CWD msg=audit(1316210542.899:778): cwd="/tmp"
type=PATH msg=audit(1316210542.899:778): item=0 name="dir" inode=58781 dev=00:0e mode=040755 ouid=1000 ogid=1000 rdev=00:00
type=EOE msg=audit(1316210542.899:778):
Great, so inode 58781 was opened using "/tmp/dir", and therefore, the relative
path "file" given to unlinkat(2) above could possibly translate to
"/tmp/dir/path"... not really feeling confident here.
- All file system auditing rules in various rulesets and the examples in
the documentation add the "-F perm=wa" (or similar) filter, so the
open(2) wouldn't even make it into the audit trail.
- If you can handle the volume and log all open(2), what happens if the
open(2) was done hours, days, weeks, ... ago?
- What if the open(2) was done by another process which passed the fd
on a unix domain socket?
It looks like the kernel auditing code should provide
... item=0 name="/tmp/dir" inode=58781 ...
in the unlinkat(2) syscall event above. Looking up the unlinkat(2)
documentation:
int unlinkat(int dirfd, const char *pathname, int flags);
If the pathname given in pathname is relative, then it is
interpreted relative to the directory referred to by the file
descriptor dirfd (rather than relative to the current working
directory of the calling process, as is done by unlink(2) and
rmdir(2) for a relative pathname).
If the pathname given in pathname is relative and dirfd is the
special value AT_FDCWD, then pathname is interpreted relative
to the current working directory of the calling process (like
unlink(2) and rmdir(2)).
As you might see, there's not only the fd->pathname problem, but
also the special case for AT_FDCWD. In this case the kernel side should
probably just duplicate CWD's path name into item 0's path name. But
that's just unlinkat(2), there are a lot more.
What am I missing here? Is there no way to audit a directory tree?
I've looked at alternatives: Inotify watches won't scale to big trees
and events lack so much detail that they can't be used for auditing.
Fanotify, while providing the pid, still lacks a lot of events and
passes fds; the example code relies on readlink("/proc/self/fd/...").
Thanks,
John
[1] http://people.redhat.com/sgrubb/audit/
--
John Feuerstein <john(a)feurix.com>
12 years
AUDIT_SIGNAL_INFO
by Matthew Booth
Under what circumstances will the RHEL 4 kernel generate a message of
type AUDIT_SIGNAL_INFO? My understanding is that it should be sent when
a process sends a signal to the audit daemon, however I have not
observed that. Any ideas?
Thanks,
Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
12 years, 4 months
Near Term Audit Road Map
by Steve Grubb
Hi,
With the proposals sent to the list, I wanted to talk about how this might
play out code-wise. With regard to the current code base, I am working on a
1.8 release. This would represent finishing the remote logging app and
nothing more. The 1.8 series would become just an update series just like the
1.0.x series did.
In parallel with finishing remote logging, I would release a 2.0 version.
Patches applied to 1.8 would also be applied to 2.0. A 2.1 release would
signify the completion of remote logging that branch. I would recommend this
branch for all distributions pulling new code in.
The 2.0 branch will also have a couple more changes. I want to split up the
audit source code a little bit. I want to drop the system-config-audit code
and let it become standalone package updated and distributed separately.
I also want to drop all audispd-plugins in the 2.0 branch and have them
released separately. They cause unnecessary build dependencies for the audit
package.
During the work for a 2.2 release, I would also like to pull the audispd
program inside auditd. In the past, I tried to keep auditd lean and single
purpose, but with adding remote logging and kerberos support, we already have
something that is hard to analyze. So, to improve performance and decrease
system load, the audit daemon will also do event dispatching.
Would this proposal impact anyone in a Bad Way?
Thanks,
-Steve
12 years, 4 months
Audit logs rotation problem
by Nicolas GORALSKI
Hi all
I've a got a problem on my audit log rotation.
Because we've got a lot of logs on our server (a little bit of rules
and lot of activities), we've decided to rotate logs every hours to
compress, backup and delete them.
I'm using the command "/etc/init.d/auditd rotate" to rotate them, no
other commands.
By the way we have some errors, sometimes logs are rotated twice.
The rotation job was successful and we have as a result this
compressed file :
audit_20120507-0940--20120507-1040.log.gz
The file contain in the firts line this information about the previous
rotation at 9h40
type=DAEMON_ROTATE msg=audit(1336376401.094:8139): auditd sending
auid=0 pid=20084 subj=root:system_r:initrc_t:s0
But we have a second file created a few seconds after the previous one
named : audit_20120507-1040--20120507-1040.log.gz
The first line contain this text :
type=DAEMON_ROTATE msg=audit(1336380001.723:8140): auditd error
getting usr1 info - no change, sending auid=? pid=? subj=? res=failed
My search on the internet doesn't give me any clues about a solution.
Does anybody have any clues ?
I'm using RH ES 5.7 with auditd 1.7.18
Regards.
12 years, 5 months
auditctl exit code
by Stephen Quinney
I am using Linux Audit version 2.1.3 and I'm wondering if the
following behaviour of auditctl is intentional. When I do a complete
list of the current rules (with auditctl -l) I get an exit code of
zero, as expected. When I do a list which is restricted to a
particular key (auditctl -l -k foo) I get 255. It doesn't matter which
of my keys I use and there are no error messages sent to stderr to
indicate a problem. The auditctl manpage doesn't say what various exit
values mean so I'm not sure what type of error is occurring.
Stephen Quinney
--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
12 years, 5 months
Rule Compatibility Issues With Old Version of Audit
by Patrick Synor
I am struggling here quite a bit trying to implement a ruleset to help
us log PCI related events. I was able to get a good ruleset that I am
using successfully on RHEL5 which consists of the following rules:
-a exclude,always -F msgtype=CWD
-a exit,never -F arch=b32 -F path=/var/log/audit/audit.log
-a exit,never -F arch=b32 -F path=/var/log/messages
-a always,exit -F euid=0 -F perm=wxa -k ROOT_ACTION
-a exit,always -S all -F dir=/var/log -k LOG_ACCESS
-a exit,always -F arch=b32 -F dir=/var/log -S truncate -S unlink -S
rename -S unlinkat -k LOGS_INIT
-a exit,always -F arch=b64 -F dir=/var/log -S truncate -S unlink -S
rename -S unlinkat -k LOGS_INIT
-w /etc -p wa -k CONF_ACCESS
However, when I started deploying this I ran into some RHEL4 servers,
and it appears the version of audit on the RHEL4 servers is 1.0.16.
This version doesn't seem to like the rules above. For example, the
first rule results in the following:
Append rule - bad keyword exclude,always
Changing this rule to -a entry,never -F msgtype=CWD results in:
-F unknown field: msgtype=CWD
And -a always,exit -S all -F euid=0 -k ROOT_ACTION results in:
filterkey option needs a watch given prior to it
So clearly a lot has changed from this version to the version on the
RHEL5 box (1.7.18). Anyhow, since upgrading the RHEL4 boxes for this
isn't an option, I am trying to figure out what I can do to possibly
modify these rules to work with the older version, or replace the older
version with a newer version for the sake of this project. From what I
understand, the kernel on the RHEL4 box (2.6.9-103.EL) may not allow
this since I understand that the versions of audit are generally kernel
dependant. Additionally, just looking at some of the dependencies on
the audit-libs package on the RHEL4 box I am seeing that a lot of
critical things depend on it (e.g. PAM, passwd, shadow-utils,
openssh-server, etc.) so removing it and replacing it will likely be
quite a mess.
If anyone has any input or suggestions I would greatly appreciate it.
Ideally, we shouldn't have any RHEL4 boxes today, but the case is that
we do, and they cannot be upgraded for the sake of this project, so
creative solutions are welcomed, and encouraged.
Thanks!
-Pat
------------------
Patrick Synor
Web Hosting Engineer
RouteOne
CONFIDENTIALITY NOTE:
This message and any attachments are confidential, may contain information that is privileged and is intended only for the use of the addressee. If you are not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail and delete the message and any attachments from your system. This message is not meant to constitute an electronic signature or evidence intent to contract electronically.
12 years, 5 months