[PATCH 0/5] Audit Cross Compile Fixes
by Clayton Shotwell
The following are 5 patches that I have been working on for a while to
allow the audit package to cross compile correctly for various targets.
This work is all being done to add audit along with SELinux to the
Buildroot build system. Most of the changes are minor and only relate
to compile time issues with toolchains, such as uClibc, and missing
dependencies. See the link below for the Buildroot patch submission.
http://buildroot-busybox.2317881.n4.nabble.com/PATCH-v6-00-22-SELinux-Bui...
The one major patch enables cross compiling support for the gen_tables.c
functionality. Since gen_tables needs to be run on the host rather than
the target, I had to add Automake support for handling the host compiler.
I based these changes off of a patch set done a couple of years ago (See
link below), a similar patch set I and done, while incorporating the
feedback received from the community.
https://www.redhat.com/archives/linux-audit/2012-November/msg00000.html
Any feedback would be greatly appreciated.
Clayton Shotwell (5):
Enable cross compiling
Make zos-remote plugin optional
Default ADDR_NO_RANDOMIZE if not found
Do not call posix_fallocate() if unavailable
Fix header detection when cross compiling
audisp/plugins/Makefile.am | 6 +-
audisp/plugins/remote/queue.c | 2 +
auparse/Makefile.am | 276 ++++++++++++++++++++++++++++--------------
auparse/interpret.c | 4 +
configure.ac | 14 ++-
lib/Makefile.am | 133 ++++++++++++--------
lib/gen_tables.c | 2 +-
m4/ax_prog_cc_for_build.m4 | 125 +++++++++++++++++++
8 files changed, 420 insertions(+), 142 deletions(-)
create mode 100644 m4/ax_prog_cc_for_build.m4
--
1.9.1
9 years, 3 months
[PATCH 1/1] Added exe field to audit core dump signal log
by Paul Davies C
Currently when the coredump signals are logged by the audit system , the
actual path to the executable is not logged. Without details of exe , the
system admin may not have an exact idea on what program failed.
This patch changes the audit_log_task() so that the path to the exe is also
logged.
Signed-off-by: Paul Davies C <pauldaviesc(a)gmail.com>
---
kernel/auditsc.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9845cb3..988de72 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab)
kuid_t auid, uid;
kgid_t gid;
unsigned int sessionid;
+ struct mm_struct *mm = current->mm;
auid = audit_get_loginuid(current);
sessionid = audit_get_sessionid(current);
@@ -2366,6 +2367,12 @@ static void audit_log_task(struct audit_buffer *ab)
audit_log_task_context(ab);
audit_log_format(ab, " pid=%d comm=", current->pid);
audit_log_untrustedstring(ab, current->comm);
+ if (mm) {
+ down_read(&mm->mmap_sem);
+ if (mm->exe_file)
+ audit_log_d_path(ab, " exe=", &mm->exe_file->f_path);
+ up_read(&mm->mmap_sem);
+ }
}
static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
--
1.7.9.5
9 years, 3 months
ausearch with message types does not return what I think it would return. (0 matches when adding a user)
by Alarie, Maxime
Good day,
I am new with auditd, and got some issues..
For example, When I add or delete a user, I cannot see the entry with ausearch -m ADD_USER, it returns 0 match, BUT its logging it under USER_AUTH. If I do a ausearch -x adduser, ill thee se event audit.log with the EXECVE Type:
# ausearch -x useradd | grep titi
type=EXECVE msg=audit(1435677075.900:49410): argc=2 a0="useradd" a1="titi"
I also tried to find a full description of all message types returned by ausearch -m but could not find any.. Any help on this would be appreciated as well.
Many thanks.
9 years, 4 months
[GIT PULL] Audit patches for 4.2
by Paul Moore
Hi Linus,
Four small audit patches for v4.2, all bug fixes. Only 10 lines of change
this time so very unremarkable, the patch subject lines pretty much tell the
whole story. Please pull.
Thanks,
-Paul
---
The following changes since commit 39a8804455fb23f09157341d3ba7db6d7ae6ee76:
Linux 4.0 (2015-04-12 15:12:50 -0700)
are available in the git repository at:
git://git.infradead.org/users/pcmoore/audit upstream
for you to fetch changes up to 0b08c5e59441d08ab4b5e72afefd5cd98a4d83df:
audit: Fix check of return value of strnlen_user()
(2015-06-11 15:49:54 -0400)
----------------------------------------------------------------
Jan Kara (1):
audit: Fix check of return value of strnlen_user()
Mikhail Klementyev (1):
audit: obsolete audit_context check is removed in audit_filter_rules()
Richard Guy Briggs (1):
lsm: rename duplicate labels in LSM_AUDIT_DATA_TASK audit message type
Shailendra Verma (1):
audit: fix for typo in comment to function audit_log_link_denied()
kernel/audit.c | 2 +-
kernel/auditsc.c | 6 ++----
security/lsm_audit.c | 2 +-
3 files changed, 4 insertions(+), 6 deletions(-)
--
paul moore
security @ redhat
9 years, 4 months
[PATCH] audit: Fix check of return value of strnlen_user()
by Jan Kara
strnlen_user() returns 0 when it hits fault, not -1. Fix the test in
audit_log_single_execve_arg(). Luckily this shouldn't ever happen unless
there's a kernel bug so it's mostly a cosmetic fix.
CC: Paul Moore <pmoore(a)redhat.com>
Signed-off-by: Jan Kara <jack(a)suse.cz>
---
kernel/auditsc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9fb9d1cb83ce..bb947ceeee4d 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1023,7 +1023,7 @@ static int audit_log_single_execve_arg(struct audit_context *context,
* for strings that are too long, we should not have created
* any.
*/
- if (unlikely((len == -1) || len > MAX_ARG_STRLEN - 1)) {
+ if (unlikely((len == 0) || len > MAX_ARG_STRLEN - 1)) {
WARN_ON(1);
send_sig(SIGKILL, current, 0);
return -1;
--
2.1.4
9 years, 4 months
[PATCH] Fix a typo in comment of parse_avc()
by Masatake YAMATO
Index: src/ausearch-parse.c
===================================================================
--- src/ausearch-parse.c (revision 1083)
+++ src/ausearch-parse.c (working copy)
@@ -1652,7 +1652,7 @@
/* FIXME: If they are in permissive mode or hit an auditallow, there can
- * be more that 1 avc in the same syscall. For now, we pickup just the first.
+ * be more than 1 avc in the same syscall. For now, we pickup just the first.
*/
static int parse_avc(const lnode *n, search_items *s)
{
9 years, 4 months
Audit rules and practices for docker on RHEL7
by Maupertuis Philippe
Hi list,
Can somebody point me to resources for starting using docker with best auditing practices.
I am looking for guidance both on audit rules and on the exploitation of the log.
We run PCI DSS systems and need to use docker with the same level of trace.
Any help would be greatly appreciated.
Philippe
________________________________
Ce message et les pi?ces jointes sont confidentiels et r?serv?s ? l'usage exclusif de ses destinataires. Il peut ?galement ?tre prot?g? par le secret professionnel. Si vous recevez ce message par erreur, merci d'en avertir imm?diatement l'exp?diteur et de le d?truire. L'int?grit? du message ne pouvant ?tre assur?e sur Internet, la responsabilit? de Worldline ne pourra ?tre recherch?e quant au contenu de ce message. Bien que les meilleurs efforts soient faits pour maintenir cette transmission exempte de tout virus, l'exp?diteur ne donne aucune garantie ? cet ?gard et sa responsabilit? ne saurait ?tre recherch?e pour tout dommage r?sultant d'un virus transmis.
This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Worldline liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.
9 years, 5 months