[PATCH 0/5] Audit Cross Compile Fixes
by Clayton Shotwell
The following are 5 patches that I have been working on for a while to
allow the audit package to cross compile correctly for various targets.
This work is all being done to add audit along with SELinux to the
Buildroot build system. Most of the changes are minor and only relate
to compile time issues with toolchains, such as uClibc, and missing
dependencies. See the link below for the Buildroot patch submission.
http://buildroot-busybox.2317881.n4.nabble.com/PATCH-v6-00-22-SELinux-Bui...
The one major patch enables cross compiling support for the gen_tables.c
functionality. Since gen_tables needs to be run on the host rather than
the target, I had to add Automake support for handling the host compiler.
I based these changes off of a patch set done a couple of years ago (see
link below) and a similar patch set I had done, while incorporating the
feedback received from the community.
https://www.redhat.com/archives/linux-audit/2012-November/msg00000.html
Any feedback would be greatly appreciated.
Clayton Shotwell (5):
Enable cross compiling
Make zos-remote plugin optional
Default ADDR_NO_RANDOMIZE if not found
Do not call posix_fallocate() if unavailable
Fix header detection when cross compiling
audisp/plugins/Makefile.am | 6 +-
audisp/plugins/remote/queue.c | 2 +
auparse/Makefile.am | 276 ++++++++++++++++++++++++++++--------------
auparse/interpret.c | 4 +
configure.ac | 14 ++-
lib/Makefile.am | 133 ++++++++++++--------
lib/gen_tables.c | 2 +-
m4/ax_prog_cc_for_build.m4 | 125 +++++++++++++++++++
8 files changed, 420 insertions(+), 142 deletions(-)
create mode 100644 m4/ax_prog_cc_for_build.m4
--
1.9.1
[PATCH 1/1] Added exe field to audit core dump signal log
by Paul Davies C
Currently when the coredump signals are logged by the audit system, the
actual path to the executable is not logged. Without details of exe, the
system admin may not have an exact idea on what program failed.
This patch changes the audit_log_task() so that the path to the exe is also
logged.
Signed-off-by: Paul Davies C <pauldaviesc(a)gmail.com>
---
kernel/auditsc.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9845cb3..988de72 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab)
kuid_t auid, uid;
kgid_t gid;
unsigned int sessionid;
+ struct mm_struct *mm = current->mm;
auid = audit_get_loginuid(current);
sessionid = audit_get_sessionid(current);
@@ -2366,6 +2367,12 @@ static void audit_log_task(struct audit_buffer *ab)
audit_log_task_context(ab);
audit_log_format(ab, " pid=%d comm=", current->pid);
audit_log_untrustedstring(ab, current->comm);
+ if (mm) {
+ down_read(&mm->mmap_sem);
+ if (mm->exe_file)
+ audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
+ up_read(&mm->mmap_sem);
+ }
}
static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
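Review bot: the locking in this hunk looks sound (mm->exe_file is only dereferenced while mmap_sem is held for read and is NULL-checked, with up_read() on both branches), but the commit message should state that the record built by audit_log_abend() gains a new exe= field placed after comm=, so that userspace consumers of that record are aware of the layout change; a short note on why current->mm is cached in a local at the top of the function rather than read here would also help a reader of the final code.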
--
1.7.9.5
[PATCH 1/1] Obsolete check is now removed.
by Mikhail Klementyev
- From a2e33ce7c9b5ceff2a8b570b570ddd0023ce077f Mon Sep 17 00:00:00 2001
From: Mikhail Klementyev<jollheef(a)riseup.net>
Date: Mon, 25 May 2015 23:20:38 +0300
Subject: [PATCH 1/1] Obsolete check is now removed.
Signed-off-by: Mikhail Klementyev<jollheef(a)riseup.net>
- ---
kernel/auditsc.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9fb9d1c..ee09794 100644
- --- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -599,9 +599,7 @@ static int audit_filter_rules(struct task_struct *tsk,
result = match_tree_refs(ctx, rule->tree);
break;
case AUDIT_LOGINUID:
- - result = 0;
- - if (ctx)
- - result = audit_uid_comparator(tsk->loginuid, f->op, f->uid);
+ result = audit_uid_comparator(tsk->loginuid, f->op, f->uid);
break;
case AUDIT_LOGINUID_SET:
result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
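Review bot: the subject "Obsolete check is now removed" does not say why the ctx guard is obsolete; the replacement line shows that audit_uid_comparator(tsk->loginuid, f->op, f->uid) depends only on tsk and f, never on ctx, and the adjacent AUDIT_LOGINUID_SET case already compares without such a guard, so the commit message should spell that out and should also name the behavioural change: an AUDIT_LOGINUID rule is now evaluated even when ctx is NULL, where it previously yielded result = 0.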
- --
2.0.5
[PATCH] kernel:audit - Fix for typo in comment to function audit_log_link_denied().
by Shailendra Verma
Signed-off-by: Shailendra Verma <shailendra.capricorn(a)gmail.com>
---
kernel/audit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 1c13e42..f9e6065 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1904,7 +1904,7 @@ EXPORT_SYMBOL(audit_log_task_info);
/**
* audit_log_link_denied - report a link restriction denial
- * @operation: specific link opreation
+ * @operation: specific link operation
* @link: the path that triggered the restriction
*/
void audit_log_link_denied(const char *operation, struct path *link)
--
1.7.9.5
[PATCH] lsm: rename duplicate labels in LSM_AUDIT_DATA_TASK audit message type
by Richard Guy Briggs
The LSM_AUDIT_DATA_TASK pid= and comm= labels are duplicates of those at the
start of this function with different values. Rename them to their object
counterparts opid= and ocomm= to disambiguate.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
security/lsm_audit.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index b526ddc..3323144 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -282,7 +282,7 @@ static void dump_common_audit_data(struct audit_buffer *ab,
pid_t pid = task_pid_nr(tsk);
if (pid) {
char comm[sizeof(tsk->comm)];
- audit_log_format(ab, " pid=%d comm=", pid);
+ audit_log_format(ab, " opid=%d ocomm=", pid);
audit_log_untrustedstring(ab,
memcpy(comm, tsk->comm, sizeof(comm)));
}
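Review bot: renaming the emitted labels from pid=/comm= to opid=/ocomm= changes a userspace-visible record format, so the commit message should say whether ausearch/auparse already recognise opid= and ocomm= or need a matching update, and that any consumer which keyed on the second pid=/comm= pair in this record will have to adjust; the rename itself resolves a real ambiguity since the same record carries the subject's pid= and comm= earlier.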
--
1.7.1
Excluding files from auditing
by Xavier Lashmar
Hi there,
I've configured audit.rules on a server that I administer, to log all file-system activity matching permissions "wa". A few files under these directories are to be excluded. In particular, I am attempting to exclude the logging of actions on files which may not yet exist.
For example:
A user like "Apache" might try to read and write to a file called "thisfileexists.php" which exists on the FS. I consider this action perfectly valid and do not require it to be logged; instead I create a rule to exclude it, using the system call matching rule "exit,never -F path=..."
On the other hand, a user like "Apache" might try to write to a file called "thisfilesdoesnotyetexist.php" which does not yet exist, which I also consider to be a perfectly valid action, and require no log of. This action however, is on a specific file that I know Apache will try to write to, but has not yet been created and may never exist.
An example configuration of /etc/audit/audit.rules
#### EXCLUDE FALSE POSITIVES ####
-a exit,never -F path=/var/www/html/somepath/thisfilesdoesnotexist.php
-a exit,never -F path=/var/www/html/somepath/thisfileexists.php
#### LOG EVERYTHING ELSE ####
-w /var/www/html -p wa -k webserver-writes
Essentially the above rules should log all activity, except for the excluded items:
/var/www/html/somepath/thisfilesdoesnotexist.php
/var/www/html/somepath/thisfileexists.php
However, since "thisfiledoesnotexist.php" does not actually exist, it seems that the audit rule does not apply and if the "Apache" user tries to create it, the action gets logged. This is not what I want or expected.
The "thisfileexists.php" on the other hand, does exist and the audit rule seems to function and does NOT log write actions. This is what I want and expected.
From the above experiment I deduce that an audit rule to exclude from logging a system-call using "exit,never", will not function if the file it refers to does not exist. Is this correct or did I simply make a mistake?
Thank you for any clarification provided,
Xavier Lashmar
Analyste de Systèmes | Systems Analyst
Service étudiants | Student Web Services
Service de l'informatique et des communications | Computing and Communications Services.
Tél. | Tel. 613-562-5800 (2120)
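An added check for the pitfall described in the post above (example code, not from the list or the audit project): it parses an audit.rules file and reports every "-a exit,never -F path=" exclusion whose target does not exist at load time, which is the case the poster found was not honoured when the file was later created. The helper names and the scratch paths built in demo() are this example's own, not the poster's server paths.

```python
import os
import shlex
import tempfile

def parse_rule(line):
    """Return (action, [(key, value), ...]) for an '-a list,action -F k=v ...'
    line; None for blanks, comments and other rule forms such as -w watches."""
    toks = shlex.split(line, comments=True)
    if len(toks) < 2 or toks[0] != "-a":
        return None
    parts = toks[1].split(",")
    action = parts[1] if len(parts) == 2 else None
    filters, i = [], 2
    while i + 1 < len(toks):
        if toks[i] == "-F" and "=" in toks[i + 1]:
            filters.append(tuple(toks[i + 1].split("=", 1)))
            i += 2
        else:
            i += 1
    return action, filters

def missing_never_paths(rules_text):
    """Paths named by 'never' rules via -F path= that do not exist right now."""
    missing = []
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed and parsed[0] == "never":
            for key, val in parsed[1]:
                if key == "path" and not os.path.exists(val):
                    missing.append(val)
    return missing

def demo():
    """Constructed input mirroring the post: one existing and one absent target
    under a scratch directory (hypothetical paths, not the poster's server)."""
    tmp = tempfile.mkdtemp()
    existing = os.path.join(tmp, "thisfileexists.php")
    open(existing, "w").close()
    ghost = os.path.join(tmp, "thisfilesdoesnotexist.php")
    rules = "\n".join([
        "#### EXCLUDE FALSE POSITIVES ####",
        "-a exit,never -F path=" + ghost,
        "-a exit,never -F path=" + existing,
        "#### LOG EVERYTHING ELSE ####",
        "-w " + tmp + " -p wa -k webserver-writes",
    ])
    return missing_never_paths(rules), ghost

if __name__ == "__main__":
    missing, _ = demo()
    print("never-rules whose path does not exist yet:", missing)
```

Run it against the real /etc/audit/audit.rules before `augenrules --load` to see which exclusions will not cover a file that is still to be created.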
auditd and SSHD exported variables
by Guillaume L.
Hello,
Is there a way to log with auditd exported variables through sshd?
My servers are used by many users but with the same account. So, I export
the SSH_USER variable from our "bastion" (where each user has a specific
account). With this configuration I can retrieve the remote login.
I use this script in /etc/profile.d/:
logger -p local0.notice "$(date): Connection from $SSH_USER@$(echo "$SSH_CONNECTION" | cut -d ' ' -f1):$(echo "$SSH_CONNECTION" | cut -d ' ' -f2) for $USER"
($SSH_USER is the variable exported via SSHD)
The ultimate goal is to match the following log with the "remote user"
(because all users use the uid 1000 to connect to the server):
type=SYSCALL msg=audit(1431694892.457:37824): arch=c000003e syscall=59
success=yes exit=0 a0=14cea68 a1=1423a48 a2=1553008 a3=0 items=2 ppid=30894
pid=30947 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts3 ses=17 comm="ls" exe="/bin/ls" key="auditcmd"
type=EXECVE msg=audit(1431694892.457:37824): argc=1 a0="ls"
type=CWD msg=audit(1431694892.457:37824): cwd="/root"
type=PATH msg=audit(1431694892.457:37824): item=0 name="/bin/ls" inode=157
dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1431694892.457:37824): item=1 name=(null) inode=4212
dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1431694892.457:37824): proctitle="ls"
Thank you in advance.
Regards,
--
Guillaume
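As an added example (not from the list or the audit project), a small parser for the record format quoted above: it groups the SYSCALL/EXECVE/CWD/PATH/PROCTITLE lines of one event by their audit(timestamp:serial) id and pulls out the fields a correlation with the bastion's login record would key on. The sample event is the one from the post, re-joined onto one line per record; the function names are this example's own, and the actual join against the bastion log is left as an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the execve event quoted in the post, with each record
# re-joined onto one line (the mail client had wrapped them).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1431694892.457:37824): arch=c000003e syscall=59 success=yes exit=0 a0=14cea68 a1=1423a48 a2=1553008 a3=0 items=2 ppid=30894 pid=30947 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=17 comm="ls" exe="/bin/ls" key="auditcmd"
type=EXECVE msg=audit(1431694892.457:37824): argc=1 a0="ls"
type=CWD msg=audit(1431694892.457:37824): cwd="/root"
type=PATH msg=audit(1431694892.457:37824): item=0 name="/bin/ls" inode=157 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1431694892.457:37824): item=1 name=(null) inode=4212 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1431694892.457:37824): proctitle="ls"
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one record into type, timestamp, serial and a key/value dict."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: (v[1:-1] if v.startswith('"') else v) for k, v in FIELD_RE.findall(rest)}
    return {"type": rtype, "time": float(ts), "serial": int(serial), "fields": fields}

def group_events(text):
    """Group records by serial: every record of one event shares audit(ts:serial)."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return dict(events)

def summarize(records):
    """Pull out the identity handles of an event. auid/uid alone cannot name the
    human behind a shared account; ses, tty and ppid are what to join against
    the bastion's login record (that join is outside this example)."""
    sysc = next(r["fields"] for r in records if r["type"] == "SYSCALL")
    return {
        "auid": int(sysc["auid"]), "uid": int(sysc["uid"]), "ses": int(sysc["ses"]),
        "tty": sysc["tty"], "ppid": int(sysc["ppid"]), "pid": int(sysc["pid"]),
        "exe": sysc.get("exe"), "key": sysc.get("key"),
        "paths": [r["fields"].get("name") for r in records if r["type"] == "PATH"],
    }
```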