[SOLVED] Re: Completely disable audit.log, only pass logs through dispatcher
by Aaron Lewis
Hi Peter,
Thanks!
On Thu, Dec 26, 2013 at 3:53 AM, Peter Moody <pmoody(a)google.com> wrote:
>
> I asked this same question a couple of months ago.
>
> https://www.redhat.com/archives/linux-audit/2013-October/msg00083.html
>
> On Wed, Dec 25 2013 at 03:21, Aaron Lewis wrote:
>> Hi,
>>
>> is it possible to completely disable audit log?
>>
>> I use a dispatcher to handle everything and doens't want anything on disk.
>> (And I don't care for a trivial data loss)
>>
>> I tried to set the log to /dev/null, but auditd doesn't accept that
--
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E
11 years
Completely disable audit.log, only pass logs through dispatcher
by Aaron Lewis
Hi,
is it possible to completely disable audit log?
I use a dispatcher to handle everything and doens't want anything on disk.
(And I don't care for a trivial data loss)
I tried to set the log to /dev/null, but auditd doesn't accept that
--
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E
11 years
need help interpreting ausearch results
by Stefano Schiavi
Hello,
Thank you Steve and all for keeping up the great work here.
Some time ago I setup some audit rules to monitor what would change the
permissions of the public_html directory since we found that once in a
while it would change to 777 out of the blue.
It happened again yesterday and I believe these parts of the log
represent when the issue happened:
type=PATH msg=audit(1386933561.795:7958476): item=2 name="./www"
inode=4980752 dev=08:08 mode=0120777 ouid=501 ogid=501 rdev=00:00
type=PATH msg=audit(1386933561.795:7958476): item=1 name="./"
inode=4980737 dev=08:08 mode=040711 ouid=501 ogid=501 rdev=00:00
type=PATH msg=audit(1386933561.795:7958476): item=0 name="public_html"
type=CWD msg=audit(1386933561.795:7958476): cwd="/home/lanogbar"
type=SYSCALL msg=audit(1386933561.795:7958476): arch=c000003e syscall=88
success=yes exit=0 a0=1306d160 a1=1306d200 a2=11 a3=0 items=3 ppid=18728
pid=18731 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501
sgid=501 fsgid=501 tty=(none) ses=117304 comm="gtar" exe="/bin/tar"
key="lanogbar-www"
This is just a guess though and I can not be sure as I have no
experience parsing the logs. Looking through with the I flag we can see
the following::
type=PATH msg=audit(12/13/2013 15:00:03.759:7970202) : item=0
name=/home/lanogbar/public_html/ inode=4980744 dev=08:08 mode=dir,750
ouid=lanogbar ogid=nobody rdev=00:00
type=CWD msg=audit(12/13/2013 15:00:03.759:7970202) :
cwd=/home/lanogbar/public_html
type=SYSCALL msg=audit(12/13/2013 15:00:03.759:7970202) : arch=x86_64
syscall=chmod success=yes exit=0 a0=1585e520 a1=1ff a2=2f a3=146c1d40
items=1 ppid=27717 pid=8804 auid=root uid=lanogbar gid=lanogbar
euid=lanogbar suid=lanogbar fsuid=lanogbar egid=lanogbar sgid=lanogbar
fsgid=lanogbar tty=(none) ses=117304 comm=php exe=/usr/bin/php
key=lanogbar-public_html
Do you think this is relevant?
If so it would seem a php script was responsible.
Would you have any suggestion on how to identify the script?
Thank you very much for the very valuable help.
Kind regards,
Stefano
11 years
[RFC Part1 PATCH 00/20 v2] Add namespace support for audit
by Gao feng
Here is the v1 patchset: http://lwn.net/Articles/549546/
The main target of this patchset is allowing user in audit
namespace to generate the USER_MSG type of audit message,
some userspace tools need to generate audit message, or
these tools will broken.
And the login process in container may want to setup
/proc/<pid>/loginuid, right now this value is unalterable
once it being set. this will also broke the login problem
in container. After this patchset, we can reset this loginuid
to zero if task is running in a new audit namespace.
Same with v1 patchset, in this patchset, only the privileged
user in init_audit_ns and init_user_ns has rights to
add/del audit rules. and these rules are gloabl. all
audit namespace will comply with the rules.
Compared with v1, v2 patch has some big changes.
1, the audit namespace is not assigned to user namespace.
since there is no available bit of flags for clone, we
create audit namespace through netlink, patch[18/20]
introduces a new audit netlink type AUDIT_CREATE_NS.
the privileged user in userns has rights to create a
audit namespace, it means the unprivileged user can
create auditns through create userns first. In order
to prevent them from doing harm to host, the default
audit_backlog_limit of un-init-audit-ns is zero(means
audit is unavailable in audit namespace). and it can't
be changed in auditns through netlink.
2, introduce /proc/<pid>/audit_log_limit
this interface is used to setup log_limit of audit
namespace. we need this interface to make audit
available in un-init-audit-ns. Only the privileged user
has right to set this value, it means only the root user
of host can change it.
3, make audit namespace don't depend on net namespace.
patch[1/20] add a compare function audit_compare for
audit netlink, it always return true, it means the
netlink subsystem will find out the netlink socket
only through portid and netlink type. So we needn't
to create kernel side audit netlink socket for per
net namespace, all userspace audit netlink socket
can find out the audit_sock, and audit_sock can
communicate with them through the proper portid.
it's just like the behavior we don't have net
namespace before.
This patchset still need some work, such as allow changing
audit_enabled in audit namespace, auditd wants this feature.
I send this patchset now in order to get more comments, so
I can keep on improving namespace support for audit.
Gao feng (20):
Audit: make audit netlink socket net namespace unaware
audit: introduce configure option CONFIG_AUDIT_NS
audit: make audit_skb_queue per audit namespace
audit: make audit_skb_hold_queue per audit namespace
audit: make audit_pid per audit namespace
audit: make kauditd_task per audit namespace
aduit: make audit_nlk_portid per audit namespace
audit: make kaudit_wait queue per audit namespace
audit: make audit_backlog_wait per audit namespace
audit: allow un-init audit ns to change pid and portid only
audit: use proper audit namespace in audit_receive_msg
audit: use proper audit_namespace in kauditd_thread
audit: introduce new audit logging interface for audit namespace
audit: pass proper audit namespace to audit_log_common_recv_msg
audit: Log audit pid config change in audit namespace
audit: allow GET,SET,USER MSG operations in audit namespace
nsproxy: don't make create_new_namespaces static
audit: add new message type AUDIT_CREATE_NS
audit: make audit_backlog_limit per audit namespace
audit: introduce /proc/<pid>/audit_backlog_limit
fs/proc/base.c | 53 ++++++
include/linux/audit.h | 26 ++-
include/linux/audit_namespace.h | 92 ++++++++++
include/linux/nsproxy.h | 15 +-
include/uapi/linux/audit.h | 1 +
init/Kconfig | 10 ++
kernel/Makefile | 2 +-
kernel/audit.c | 364 +++++++++++++++++++++++++---------------
kernel/audit.h | 5 +-
kernel/audit_namespace.c | 123 ++++++++++++++
kernel/auditsc.c | 6 +-
kernel/nsproxy.c | 18 +-
12 files changed, 561 insertions(+), 154 deletions(-)
create mode 100644 include/linux/audit_namespace.h
create mode 100644 kernel/audit_namespace.c
--
1.8.3.1
11 years
[RFC][PATCH 1/3] mm: Create utility function for accessing a tasks commandline value
by William Roberts
introduce get_cmdline() for retreiving the value of a processes
proc/self/cmdline value.
Signed-off-by: William Roberts <wroberts(a)tresys.com>
---
include/linux/mm.h | 1 +
mm/util.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 49 insertions(+)
diff --git a/include/linux/mm.h b/include/linux/mm.h
index 3552717..01e7970 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -1134,6 +1134,7 @@ void account_page_writeback(struct page *page);
int set_page_dirty(struct page *page);
int set_page_dirty_lock(struct page *page);
int clear_page_dirty_for_io(struct page *page);
+int get_cmdline(struct task_struct *task, char *buffer, int buflen);
/* Is the vma a continuation of the stack vma above it? */
static inline int vma_growsdown(struct vm_area_struct *vma, unsigned long addr)
diff --git a/mm/util.c b/mm/util.c
index f7bc209..5285ff0 100644
--- a/mm/util.c
+++ b/mm/util.c
@@ -410,6 +410,54 @@ unsigned long vm_commit_limit(void)
* sysctl_overcommit_ratio / 100) + total_swap_pages;
}
+/**
+ * get_cmdline() - copy the cmdline value to a buffer.
+ * @task: the task whose cmdline value to copy.
+ * @buffer: the buffer to copy to.
+ * @buflen: the length of the buffer. Larger cmdline values are truncated
+ * to this length.
+ * Returns the size of the cmdline field copied. Note that the copy does
+ * not guarantee an ending NULL byte.
+ */
+int get_cmdline(struct task_struct *task, char *buffer, int buflen)
+{
+ int res = 0;
+ unsigned int len;
+ struct mm_struct *mm = get_task_mm(task);
+ if (!mm)
+ goto out;
+ if (!mm->arg_end)
+ goto out_mm; /* Shh! No looking before we're done */
+
+ len = mm->arg_end - mm->arg_start;
+
+ if (len > buflen)
+ len = buflen;
+
+ res = access_process_vm(task, mm->arg_start, buffer, len, 0);
+
+ /*
+ * If the nul at the end of args has been overwritten, then
+ * assume application is using setproctitle(3).
+ */
+ if (res > 0 && buffer[res-1] != '\0' && len < buflen) {
+ len = strnlen(buffer, res);
+ if (len < res) {
+ res = len;
+ } else {
+ len = mm->env_end - mm->env_start;
+ if (len > buflen - res)
+ len = buflen - res;
+ res += access_process_vm(task, mm->env_start,
+ buffer+res, len, 0);
+ res = strnlen(buffer, res);
+ }
+ }
+out_mm:
+ mmput(mm);
+out:
+ return res;
+}
/* Tracepoints definitions. */
EXPORT_TRACEPOINT_SYMBOL(kmalloc);
--
1.7.9.5
11 years
[PATCH] audit: listen in all network namespaces
by Richard Guy Briggs
Convert audit from only listening in init_net to use register_pernet_subsys()
to dynamically manage the netlink socket list.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/audit.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++---------
kernel/audit.h | 4 +++
2 files changed, 57 insertions(+), 11 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 91e53d0..06e2676 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -64,6 +64,7 @@
#include <linux/freezer.h>
#include <linux/tty.h>
#include <linux/pid_namespace.h>
+#include <net/netns/generic.h>
#include "audit.h"
@@ -122,6 +123,7 @@ static atomic_t audit_lost = ATOMIC_INIT(0);
/* The netlink socket. */
static struct sock *audit_sock;
+int audit_net_id;
/* Hash for inode-based rules */
struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];
@@ -391,6 +393,7 @@ static void kauditd_send_skb(struct sk_buff *skb)
printk(KERN_ERR "audit: *NO* daemon at audit_pid=%d\n", audit_pid);
audit_log_lost("auditd disappeared\n");
audit_pid = 0;
+ audit_sock = NULL;
/* we might get lucky and get this in the next auditd */
audit_hold_skb(skb);
} else
@@ -474,13 +477,15 @@ int audit_send_list(void *_dest)
struct audit_netlink_list *dest = _dest;
int pid = dest->pid;
struct sk_buff *skb;
+ struct net *net = get_net_ns_by_pid(pid);
+ struct audit_net *aunet = net_generic(net, audit_net_id);
/* wait for parent to finish and send an ACK */
mutex_lock(&audit_cmd_mutex);
mutex_unlock(&audit_cmd_mutex);
while ((skb = __skb_dequeue(&dest->q)) != NULL)
- netlink_unicast(audit_sock, skb, pid, 0);
+ netlink_unicast(aunet->nlsk, skb, pid, 0);
kfree(dest);
@@ -515,13 +520,15 @@ out_kfree_skb:
static int audit_send_reply_thread(void *arg)
{
struct audit_reply *reply = (struct audit_reply *)arg;
+ struct net *net = get_net_ns_by_pid(reply->pid);
+ struct audit_net *aunet = net_generic(net, audit_net_id);
mutex_lock(&audit_cmd_mutex);
mutex_unlock(&audit_cmd_mutex);
/* Ignore failure. It'll only happen if the sender goes away,
because our timeout is set to infinite. */
- netlink_unicast(audit_sock, reply->skb, reply->pid, 0);
+ netlink_unicast(aunet->nlsk , reply->skb, reply->pid, 0);
kfree(reply);
return 0;
}
@@ -690,6 +697,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
audit_log_config_change("audit_pid", new_pid, audit_pid, 1);
audit_pid = new_pid;
audit_nlk_portid = NETLINK_CB(skb).portid;
+ audit_sock = NETLINK_CB(skb).sk;
}
if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) {
err = audit_set_rate_limit(status_get->rate_limit);
@@ -886,24 +894,58 @@ static void audit_receive(struct sk_buff *skb)
mutex_unlock(&audit_cmd_mutex);
}
-/* Initialize audit support at boot time. */
-static int __init audit_init(void)
+static int __net_init audit_net_init(struct net *net)
{
- int i;
struct netlink_kernel_cfg cfg = {
.input = audit_receive,
};
+ struct audit_net *aunet = net_generic(net, audit_net_id);
+
+ pr_info("audit: initializing netlink socket in namespace\n");
+
+ aunet->nlsk = netlink_kernel_create(net, NETLINK_AUDIT, &cfg);
+ if (aunet->nlsk == NULL)
+ return -ENOMEM;
+ if (!aunet->nlsk)
+ audit_panic("cannot initialize netlink socket in namespace");
+ else
+ aunet->nlsk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
+ return 0;
+}
+
+static void __net_exit audit_net_exit(struct net *net)
+{
+ struct audit_net *aunet = net_generic(net, audit_net_id);
+ struct sock *sock = aunet->nlsk;
+ if (sock == audit_sock) {
+ audit_pid = 0;
+ audit_sock = NULL;
+ }
+
+ rcu_assign_pointer(aunet->nlsk, NULL);
+ synchronize_net();
+ netlink_kernel_release(sock);
+}
+
+static struct pernet_operations __net_initdata audit_net_ops = {
+ .init = audit_net_init,
+ .exit = audit_net_exit,
+ .id = &audit_net_id,
+ .size = sizeof(struct audit_net),
+};
+
+/* Initialize audit support at boot time. */
+static int __init audit_init(void)
+{
+ int i;
+
if (audit_initialized == AUDIT_DISABLED)
return 0;
- printk(KERN_INFO "audit: initializing netlink socket (%s)\n",
+ pr_info("audit: initializing netlink subsys (%s)\n",
audit_default ? "enabled" : "disabled");
- audit_sock = netlink_kernel_create(&init_net, NETLINK_AUDIT, &cfg);
- if (!audit_sock)
- audit_panic("cannot initialize netlink socket");
- else
- audit_sock->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
+ register_pernet_subsys(&audit_net_ops);
skb_queue_head_init(&audit_skb_queue);
skb_queue_head_init(&audit_skb_hold_queue);
diff --git a/kernel/audit.h b/kernel/audit.h
index 123c9b7..b7cc537 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -249,6 +249,10 @@ struct audit_netlink_list {
int audit_send_list(void *);
+struct audit_net {
+ struct sock *nlsk;
+};
+
extern int selinux_audit_rule_update(void);
extern struct mutex audit_filter_mutex;
--
1.7.1
11 years
[PATCH] audit: fix build error when disable audit
by Gao feng
kernel/capability.c: In function ‘SYSC_capset’:
kernel/capability.c:280:2: warning: passing argument 1 of ‘audit_log_capset’ makes integer from pointer without a cast [enabled by default]
audit_log_capset(new, current_cred());
^
In file included from kernel/capability.c:10:0:
include/linux/audit.h:400:20: note: expected ‘pid_t’ but argument is of type ‘struct cred *’
static inline void audit_log_capset(pid_t pid, const struct cred *new,
^
kernel/capability.c:280:2: error: too few arguments to function ‘audit_log_capset’
audit_log_capset(new, current_cred());
^
In file included from kernel/capability.c:10:0:
include/linux/audit.h:400:20: note: declared here
static inline void audit_log_capset(pid_t pid, const struct cred *new,
^
make[1]: *** [kernel/capability.o] Error 1
Signed-off-by: Gao feng <gaofeng(a)cn.fujitsu.com>
---
include/linux/audit.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index b4d5160..6976219 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -397,8 +397,8 @@ static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm,
{
return 0;
}
-static inline void audit_log_capset(pid_t pid, const struct cred *new,
- const struct cred *old)
+static inline void audit_log_capset(const struct cred *new,
+ const struct cred *old)
{ }
static inline void audit_mmap_fd(int fd, int flags)
{ }
--
1.8.3.1
11 years
Rational behind RefuseManualStop=yes in auditd.service
by Laurent Bigonville
Hi,
I would like to know the rational behind RefuseManualStop=yes in
auditd.service file.
I'm currently looking at upgrading the audit package in debian and
RefuseManualStop=yes is preventing the daemon to be restarted during
upgrade.
Looking at systemd.unit(5) manpage, I don't have the feeling that it
should be used in this case.
As a side note, it seems that the *.spec file is stopping the daemon in
the %preun so this could fail I guess?
Any thoughts on this?
Laurent Bigonville
11 years
audisp-remote usage
by Maupertuis Philippe
Hello,
I am currently using syslog to send audit events to a central log server and I am wondering if it would not be better to use audisp-remote instead.
I didn't found any performance comparison between the two ways.
Is it safe to use audisp-remote to concentrate 400 servers ?
Another point that bother me is it seems that all events from all server go to the same file.
Is there a way to segregate the events by sources, either when receiving them or when rotating the file ?
I would very much appreciate any advice on this topic.
Best regards,
Philippe
________________________________
Ce message et les pi?ces jointes sont confidentiels et r?serv?s ? l'usage exclusif de ses destinataires. Il peut ?galement ?tre prot?g? par le secret professionnel. Si vous recevez ce message par erreur, merci d'en avertir imm?diatement l'exp?diteur et de le d?truire. L'int?grit? du message ne pouvant ?tre assur?e sur Internet, la responsabilit? de Worldline ne pourra ?tre recherch?e quant au contenu de ce message. Bien que les meilleurs efforts soient faits pour maintenir cette transmission exempte de tout virus, l'exp?diteur ne donne aucune garantie ? cet ?gard et sa responsabilit? ne saurait ?tre recherch?e pour tout dommage r?sultant d'un virus transmis.
This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Worldline liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.
11 years
[PATCH] - auditing cmdline
by William Roberts
This patch series relates to work started on the audit mailing list.
It eventually involved touching other modules, so I am trying to
pull in those owners as well. In a nutshell I add new utility
functions for accessing a processes cmdline value as displayed
in proc/<self>/cmdline, and then refactor procfs to use the
utility functions, and then add the ability to the audit subsystem
to record this value.
Thanks for any feedback and help.
[PATCH 1/3] mm: Create utility functions for accessing a tasks
[PATCH 2/3] proc: Update get proc_pid_cmdline() to use mm.h helpers
[PATCH 3/3] audit: Audit proc cmdline value
11 years