[PATCH] audit: always enable syscall auditing when supported and audit is enabled
by Paul Moore
To the best of our knowledge, everyone who enables audit at compile
time also enables syscall auditing; this patch simplifies the Kconfig
menus by removing the option to disable syscall auditing when audit
is selected and the target arch supports it.
Signed-off-by: Paul Moore <pmoore(a)redhat.com>
---
init/Kconfig | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/init/Kconfig b/init/Kconfig
index c24b6f7..d4663b1 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -299,20 +299,15 @@ config AUDIT
help
Enable auditing infrastructure that can be used with another
kernel subsystem, such as SELinux (which requires this for
- logging of avc messages output). Does not do system-call
- auditing without CONFIG_AUDITSYSCALL.
+ logging of avc messages output). System call auditing is included
+ on architectures which support it.
config HAVE_ARCH_AUDITSYSCALL
bool
config AUDITSYSCALL
- bool "Enable system-call auditing support"
+ def_bool y
depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
- default y if SECURITY_SELINUX
- help
- Enable low-overhead system-call auditing infrastructure that
- can be used independently or with another kernel subsystem,
- such as SELinux.
config AUDIT_WATCH
def_bool y
5 years, 9 months
[PATCH] audit: less stack usage for /proc/*/loginuid
by Alexey Dobriyan
%u requires 10 characters at most not 20.
Signed-off-by: Alexey Dobriyan <adobriyan(a)gmail.com>
---
fs/proc/base.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -1243,7 +1243,7 @@ static const struct file_operations proc_oom_score_adj_operations = {
};
#ifdef CONFIG_AUDITSYSCALL
-#define TMPBUFLEN 21
+#define TMPBUFLEN 11
static ssize_t proc_loginuid_read(struct file * file, char __user * buf,
size_t count, loff_t *ppos)
{
7 years, 12 months
ausearch message types
by LC Bruzenak
I'm on the 2.4.5 version of the audit code.
Has anyone thought about or implemented a exclusionary message list,
such as:
ausearch -m ALL-avc,user_avc -ts today
I'd like to be able to search in this manner, where I exclude certain
message types.
I could write a patch, but if anyone has already done this I'd happily
use theirs.
The message type list is so long that it would be painful to have the
comma-delimited list of all but a couple.
Thx,
LCB
--
LC Bruzenak
magitekltd.com
8 years
Syscalls to use
by warron.french
I apologize, but I am not sure how to go about determining the appropriate
syscalls to use for various audit goals.
I know that recently I learned to use the ausyscall --dump command to list
the ausyscalls; but apparently I mis-understood/interpreted the purpose of
1 or 2 of the syscalls and had to be corrected (thanks Steve).
Anyway, my organization has a goal to audit several things; of which I know
how to manage most, for examples:
1. File & Object
- Creation (Success/Failure) | w
- Access (Success/Failure) | r
- Deletion (Success/Failure) | w
- Content Modification (Success/Failure) | a
- Permission Modification (Success/Failure) | a
- Ownership Modification (Success/Failure) | a
For these I would have used a watch (*-w*) rule and set the -p flags to *r,
w* or *a* as shown above. From what I understand though, correct me if I
am wrong Steve, we should be getting away from the watch rules and move
towards Syscalls and using *-F path=/path/to/file*, or
*-F path=/path/to/several_files/* -- is this correct, both for RHEL6 and
RHEL7?
Also, I need to audit (Success/Failure) for the following sort of things:
*Authentications*
Logons
Logoffs
*Writes/downloads to external devices/media*
*Uploads from external devices/media *(
*such as DvD, thumbdrive, etc)*
*User & Group* *events*
User: Creation, deletion, Modification, suspending/locking
Group/Role: Creation, deletion, modification
*Use of Privileged/Special Rights events* (
*such as sudo, su, etc..)*
*Printing to a print-device*
*Printing to a file*
Thanks in advance for any steering someone could provide to get me moving
in the correct direction.
--------------------------
Warron French
8 years
auditd not triggering ANOM_ROOT_TRANS record
by teroz
I used one of the dirtycow root exploits on Fedora24 configured
with 30-pci-dss-v31.rules. I was expecting an ANOM_ROOT_TRANS record but
didn't get one. What triggers an ANOM_ROOT_TRANS record? What then is the
best way to trivially audit for a successful privilege escalation?
8 years
Audit watches on NFS mounts
by Vaughn, Chad M
I noticed a weird behavior. I NFS mount /usr/local on my Redhat machines.
If I put a watch for a directory in that NFS mount:
-w /usr/local/mywatchdir/ -p rwxa -F exit!=-ENODATA -F success!=1 -k watch
On Redhat 6.4, I don't see audit events when trying to remove or change files in that dir.
On Redhat 6.8, I do see the audit events when trying to remove or changes files in that dir.
Any ideas of possible features added to auditd between those releases? I would like to be able to speak to it for security audits.
8 years