[PATCH] audit: always enable syscall auditing when supported and audit is enabled
by Paul Moore
To the best of our knowledge, everyone who enables audit at compile
time also enables syscall auditing; this patch simplifies the Kconfig
menus by removing the option to disable syscall auditing when audit
is selected and the target arch supports it.
Signed-off-by: Paul Moore <pmoore(a)redhat.com>
---
init/Kconfig | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/init/Kconfig b/init/Kconfig
index c24b6f7..d4663b1 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -299,20 +299,15 @@ config AUDIT
help
Enable auditing infrastructure that can be used with another
kernel subsystem, such as SELinux (which requires this for
- logging of avc messages output). Does not do system-call
- auditing without CONFIG_AUDITSYSCALL.
+ logging of avc messages output). System call auditing is included
+ on architectures which support it.
config HAVE_ARCH_AUDITSYSCALL
bool
config AUDITSYSCALL
- bool "Enable system-call auditing support"
+ def_bool y
depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
- default y if SECURITY_SELINUX
- help
- Enable low-overhead system-call auditing infrastructure that
- can be used independently or with another kernel subsystem,
- such as SELinux.
config AUDIT_WATCH
def_bool y
5 years, 11 months
[RFC PATCH 0/7] audit: clean up audit queue handling
by Richard Guy Briggs
This set of patches cleans up a number of corner cases in the management
of the audit queue.
Richard Guy Briggs (7):
audit: don't needlessly reset valid wait time
audit: include auditd's threads in audit_log_start() wait exception
audit: allow systemd to use queue reserves
audit: wake up threads if queue switched from limited to unlimited
audit: allow audit_cmd_mutex holders to use reserves
audit: wake up audit_backlog_wait queue when auditd goes away.
audit: wake up kauditd_thread after auditd registers
kernel/audit.c | 20 +++++++++++++++-----
1 files changed, 15 insertions(+), 5 deletions(-)
8 years, 6 months
Use case not covered by the audit library?
by Gulland, Scott A
Hi,
I have a fairly common use case that I'm not sure is covered by the audit library and I need some advice on how best to handle it. I have a daemon running as root that services REST API calls (or a web UI from a browser). An external application first establishes a session by authenticating a user which returns a token/session ID to the caller. All future REST API calls, supplies the token/session ID which allows them authenticated access to the requested resource. The token/session ID indicates what user the request is associated with. Obviously, there can be many users simultaneously issuing requests.
What I need to do is specify the user on each audit log call. For example, I need to have a way to specify which user is issuing the request when I call audit_log_user_message(). Is this possible? This is a very common use case and really needs to be handled.
Scott Gulland
916.785.1497
HPE Networking, CEB R&D
8000 Foothills Blvd; MS - 5505
Roseville, CA 95747
USA
8 years, 11 months
[PATCH 00/15] Rework tty audit
by Peter Hurley
Hi Greg,
This patch series overhauls tty audit support. The goal was to simplify
and speed up tty auditing, which was a significant performance hit even
when disabled.
The main features of this series are:
* Remove reference counting; the purpose of reference counting the per-
process tty_audit_buf was to prevent premature deletion if the
buffer was in-use when tty auditing was exited for the process.
However, since the process is single-threaded at tty_audit_exit(),
the buffer cannot be in-use by another thread. Patch 11/15.
* Remove functionally dead code, such as tty_put_user(). Patch 2/15.
* Atomically modify tty audit enable/disable flags to support lockless
read. Patch 9/15.
Cc: Ingo Molnar <mingo(a)redhat.com>
Cc: Peter Zijlstra <peterz(a)infradead.org>
for patch 9/15 which removes an audit field from the signal_struct.
Cc: Oleg Nesterov <oleg(a)redhat.com>
to confirm my understanding of the single-threadedness of
if (group_dead) tty_audit_exit(), called from do_exit(). Patch 11/15
Requires: "tty: audit: Fix audit source"
Regards,
Peter Hurley (15):
tty: audit: Early-out pty master reads earlier
tty: audit: Never audit packet mode
tty: audit: Remove icanon mode from call chain
tty: audit: Defer audit buffer association
tty: audit: Take siglock directly
tty: audit: Ignore current association for audit push
tty: audit: Combine push functions
tty: audit: Track tty association with dev_t
tty: audit: Handle tty audit enable atomically
tty: audit: Remove false memory optimization
tty: audit: Remove tty_audit_buf reference counting
tty: audit: Simplify first-use allocation
tty: audit: Check audit enable first
tty: audit: Always push audit buffer before TIOCSTI
tty: audit: Poison tty_audit_buf while process exits
drivers/tty/n_tty.c | 25 ++----
drivers/tty/tty_audit.c | 231 ++++++++++++++----------------------------------
include/linux/audit.h | 4 +
include/linux/sched.h | 1 -
include/linux/tty.h | 12 +--
kernel/audit.c | 27 +++---
6 files changed, 97 insertions(+), 203 deletions(-)
--
2.6.3
8 years, 11 months
audit 2.4.5 released
by Steve Grubb
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Fix auditd disk flushing for data and sync modes
- Fix auditctl to not show options not supported on older OS
- Add audit.m4 file to aid adding support to other projects
- Fix C99 inline function build issue
- Add account lock and unlock event types
- Change logging loophole check to geteuid()
- Fix ausearch to not consider AUDIT_PROCTITLE events malformed (Burn Alting)
- Fix ausearch to parse FEATURE_CHANGE events
This release fixes disk flushing to work as it was intended. If you use either
the data or sync mode, you might notice a performance change.
This release also fixes a build issue when using a new compiler.
The loophole that we allow for a process to continue when it should fail was
changed to use the euid rather than the uid. This should be more correct based
on the capabilities man page.
Ausearch was having problems parsing AUDIT_PROCTITLE and FEATURE_CHANGE
events. This was cleaned up and now passed the ausearch-test test suite.
This release will also be the beginning point of a new branch, audit-2.4, that
will be lightly maintained for a while. At this point I don't think there will
be a 2.4.6 release, but you never know.
Going forward to the 2.5 release, I would like to make a lot of changes to the
rules and break them up into small ones that can be assembled by augenrules. I
will also restructure a few of the directories and get things ready to start
doing more with the data format. The audit by process name patch will be
applied real soon since a kernel with that work should be landing soon.
Please let me know if you run across any problems with this release.
-Steve
8 years, 12 months
New draft standards
by Steve Grubb
Hello,
I would like to point out 2 new standards that have been posted to the linux
audit web page. The first establishes the events around system start up and
shutdown. This is important because it sets the session boundaries for when a
system is up or down or crashed.
http://people.redhat.com/sgrubb/audit/system-lifecycle.txt
The second standard is more of a forward looking standard. It explains how the
audit daemon and utilities will perform event enrichment before being stored
long term in an aggregator. The target for implementation is the 2.5 release
of the audit daemon.
http://people.redhat.com/sgrubb/audit/event-enrichment
Let me know if anyone has feedback on these standards, especially the second
one.
-Steve
9 years
auditd performance
by Steve Grubb
Hello,
I've been looking into auditd's performance. The first thing I did was to
measure the rate at which it could log things with various settings. To do
this test, I had 2 windows open. One to start auditd from the command line
without systemd interference and one to run a script as follows:
auditctl -D
auditctl -b 16440
auditctl -f 0
auditctl --backlog_wait_time 100
auditctl -a always,exit -F arch=x86_64 -S all
sleep 3
service auditd stop
auditctl -D
The results of various settings are as follows:
FLUSH FREQ Events/sec
------------------------------------------------------
SYNC 45
DATA 105
INCREMENTAL 20 400
50 1000
100 1815
200 3080
400 5800
1000 10100
2000 15275
4000 18650
8000 24075
NONE 38300
In looking further, I found that there was a lot of lock contention and
scheduling issues because of pthreads. I mapped out the paths in the code to
get a picture of where events come from and where they go:
http://people.readhat.com/sgrubb/audit/auditd-data-flow.pdf
The blue boxes are where events come from, the red boxes are where we have
contention. The gray is the path on the logging thread. The white boxes are
the main thread.
What I found is that if I make enqueue_event call write_to_log directly, it
doubles the throughput of the audit daemon. IOW, going from multi-threaded to
singly threaded makes a huge difference. The audit daemon was multi-threaded
from the very first public release back in 2004 before I started working on it.
So, what I think I am going to do is fix it to be singly threaded, fix the
signal handlers to set a variable on error so that the main thread picks it up
to serialize it with other events, move size check and rotate code, and remove
the pthreads code.
That leaves an issue with dispatching events to other programs. What I have
been thinking about is perhaps using libevfibers to manage switching between
logging and dispatching.
One other tidbit that I found out during testing, if I generate so many events
that it overflows the kernel queue, the default settings for backlog_wait_time
makes the system unusable. It acts like its live-locked. So, I would recommend
that the default setting in the kernel be changed to something more livable
and anyone concerned about this to explicitly set the value to something low.
-Steve
9 years
[PATCH V3 1/2] audit: stop an old auditd being starved out by a new auditd
by Richard Guy Briggs
Nothing prevents a new auditd starting up and replacing a valid
audit_pid when an old auditd is still running, effectively starving out
the old auditd since audit_pid no longer points to the old valid auditd.
If no message to auditd has been attempted since auditd died unnaturally
or got killed, audit_pid will still indicate it is alive. There isn't
an easy way to detect if an old auditd is still running on the existing
audit_pid other than attempting to send a message to see if it fails.
An -ECONNREFUSED almost certainly means it disappeared and can be
replaced. Other errors are not so straightforward and may indicate
transient problems that will resolve themselves and the old auditd will
recover. Yet others will likely need manual intervention for which a
new auditd will not solve the problem.
Send a new message type (AUDIT_REPLACE) to the old auditd containing a
u32 with the PID of the new auditd. If the audit replace message
succeeds (or doesn't fail with certainty), fail to register the new
auditd and return an error (-EEXIST).
This is expected to make the patch preventing an old auditd orphaning a
new auditd redundant.
V3: Switch audit message type from 1000 to 1300 block.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
include/uapi/linux/audit.h | 1 +
kernel/audit.c | 16 +++++++++++++++-
2 files changed, 16 insertions(+), 1 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 843540c..d820aa9 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -110,6 +110,7 @@
#define AUDIT_SECCOMP 1326 /* Secure Computing event */
#define AUDIT_PROCTITLE 1327 /* Proctitle emit event */
#define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes */
+#define AUDIT_REPLACE 1329 /* Replace auditd if this packet unanswerd */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
diff --git a/kernel/audit.c b/kernel/audit.c
index 36989a1..0368be2 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -809,6 +809,16 @@ static int audit_set_feature(struct sk_buff *skb)
return 0;
}
+static int audit_replace(pid_t pid)
+{
+ struct sk_buff *skb = audit_make_reply(0, 0, AUDIT_REPLACE, 0, 0,
+ &pid, sizeof(pid));
+
+ if (!skb)
+ return -ENOMEM;
+ return netlink_unicast(audit_sock, skb, audit_nlk_portid, 0);
+}
+
static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
{
u32 seq;
@@ -870,9 +880,13 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
}
if (s.mask & AUDIT_STATUS_PID) {
int new_pid = s.pid;
+ pid_t requesting_pid = task_tgid_vnr(current);
- if ((!new_pid) && (task_tgid_vnr(current) != audit_pid))
+ if ((!new_pid) && (requesting_pid != audit_pid))
return -EACCES;
+ if (audit_pid && new_pid &&
+ audit_replace(requesting_pid) != -ECONNREFUSED)
+ return -EEXIST;
if (audit_enabled != AUDIT_OFF)
audit_log_config_change("audit_pid", new_pid, audit_pid, 1);
audit_pid = new_pid;
--
1.7.1
9 years
[PATCH V2 1/2] audit: stop an old auditd being starved out by a new auditd
by Richard Guy Briggs
Nothing prevents a new auditd starting up and replacing a valid
audit_pid when an old auditd is still running, effectively starving out
the old auditd since audit_pid no longer points to the old valid auditd.
If no message to auditd has been attempted since auditd died unnaturally
or got killed, audit_pid will still indicate it is alive. There isn't
an easy way to detect if an old auditd is still running on the existing
audit_pid other than attempting to send a message to see if it fails.
An -ECONNREFUSED almost certainly means it disappeared and can be
replaced. Other errors are not so straightforward and may indicate
transient problems that will resolve themselves and the old auditd will
recover. Yet others will likely need manual intervention for which a
new auditd will not solve the problem.
Send a new message type (AUDIT_REPLACE) to the old auditd containing a
u32 with the PID of the new auditd. If the audit replace message
succeeds (or doesn't fail with certainty), fail to register the new
auditd and return an error (-EEXIST).
This is expected to make the patch preventing an old auditd orphaning a
new auditd redundant.
V2: Rename audit_ping to audit_replace, set seq and portid to 0 in
the call to audit_make_reply().
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
include/uapi/linux/audit.h | 1 +
kernel/audit.c | 16 +++++++++++++++-
2 files changed, 16 insertions(+), 1 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 843540c..cf84991 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -70,6 +70,7 @@
#define AUDIT_TTY_SET 1017 /* Set TTY auditing status */
#define AUDIT_SET_FEATURE 1018 /* Turn an audit feature on or off */
#define AUDIT_GET_FEATURE 1019 /* Get which features are enabled */
+#define AUDIT_REPLACE 1020 /* Replace auditd if this packet unanswerd */
#define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages mostly uninteresting to kernel */
#define AUDIT_USER_AVC 1107 /* We filter this differently */
diff --git a/kernel/audit.c b/kernel/audit.c
index 36989a1..0368be2 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -809,6 +809,16 @@ static int audit_set_feature(struct sk_buff *skb)
return 0;
}
+static int audit_replace(pid_t pid)
+{
+ struct sk_buff *skb = audit_make_reply(0, 0, AUDIT_REPLACE, 0, 0,
+ &pid, sizeof(pid));
+
+ if (!skb)
+ return -ENOMEM;
+ return netlink_unicast(audit_sock, skb, audit_nlk_portid, 0);
+}
+
static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
{
u32 seq;
@@ -870,9 +880,13 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
}
if (s.mask & AUDIT_STATUS_PID) {
int new_pid = s.pid;
+ pid_t requesting_pid = task_tgid_vnr(current);
- if ((!new_pid) && (task_tgid_vnr(current) != audit_pid))
+ if ((!new_pid) && (requesting_pid != audit_pid))
return -EACCES;
+ if (audit_pid && new_pid &&
+ audit_replace(requesting_pid) != -ECONNREFUSED)
+ return -EEXIST;
if (audit_enabled != AUDIT_OFF)
audit_log_config_change("audit_pid", new_pid, audit_pid, 1);
audit_pid = new_pid;
--
1.7.1
9 years