[PATCH] audit: always enable syscall auditing when supported and audit is enabled
by Paul Moore
To the best of our knowledge, everyone who enables audit at compile
time also enables syscall auditing; this patch simplifies the Kconfig
menus by removing the option to disable syscall auditing when audit
is selected and the target arch supports it.
Signed-off-by: Paul Moore <pmoore(a)redhat.com>
---
init/Kconfig | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/init/Kconfig b/init/Kconfig
index c24b6f7..d4663b1 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -299,20 +299,15 @@ config AUDIT
help
Enable auditing infrastructure that can be used with another
kernel subsystem, such as SELinux (which requires this for
- logging of avc messages output). Does not do system-call
- auditing without CONFIG_AUDITSYSCALL.
+ logging of avc messages output). System call auditing is included
+ on architectures which support it.
config HAVE_ARCH_AUDITSYSCALL
bool
config AUDITSYSCALL
- bool "Enable system-call auditing support"
+ def_bool y
depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
- default y if SECURITY_SELINUX
- help
- Enable low-overhead system-call auditing infrastructure that
- can be used independently or with another kernel subsystem,
- such as SELinux.
config AUDIT_WATCH
def_bool y
5 years, 9 months
[RFC PATCH 0/7] audit: clean up audit queue handling
by Richard Guy Briggs
This set of patches cleans up a number of corner cases in the management
of the audit queue.
Richard Guy Briggs (7):
audit: don't needlessly reset valid wait time
audit: include auditd's threads in audit_log_start() wait exception
audit: allow systemd to use queue reserves
audit: wake up threads if queue switched from limited to unlimited
audit: allow audit_cmd_mutex holders to use reserves
audit: wake up audit_backlog_wait queue when auditd goes away.
audit: wake up kauditd_thread after auditd registers
kernel/audit.c | 20 +++++++++++++++-----
1 files changed, 15 insertions(+), 5 deletions(-)
8 years, 4 months
auditd and redhat cluster
by Maupertuis Philippe
Hi list,
One clusters fenced the passive node around two hours after auditd was started.
We have found that iowait has increased since auditd was started and was unusually high.
Auditd wasn't generating many messages and there were no noticeable added activity on the disk were the audit and syslog files were written.
Besides watches, the only general rules were :
# creation
-a exit,always -F arch=b32 -S creat -S mkdir -S mknod -S link -S symlink -S mkdirat -S mknodat -S linkat -S symlinkat -F uid=root -F success=1 -k creation
-a exit,always -F arch=b64 -S creat -S mkdir -S mknod -S link -S symlink -S mkdirat -S mknodat -S linkat -S symlinkat -F uid=root -F success=1 -k creation
# deletion
-a exit,always -F arch=b32 -S rmdir -S unlink -S unlinkat -F uid=root -F success=1 -k deletion
-a exit,always -F arch=b64 -S rmdir -S unlink -S unlinkat -F uid=root -F success=1 -k deletion
After the rebot we deleted all rules and didn't notice extra iowait anymore.
Could these rules be the cause of additional iowait even if not generating many events (around 20 in two hours) ?
Is there any other auditd mechanism that could explain this phenomenon ?
I would appreciate any hints.
Regards
Philippe
!!!*************************************************************************************
"Ce message et les pi?ces jointes sont confidentiels et r?serv?s ? l'usage exclusif de ses destinataires. Il peut ?galement ?tre prot?g? par le secret professionnel. Si vous recevez ce message par erreur, merci d'en avertir imm?diatement l'exp?diteur et de le d?truire. L'int?grit? du message ne pouvant ?tre assur?e sur Internet, la responsabilit? de Worldline ne pourra ?tre recherch?e quant au contenu de ce message. Bien que les meilleurs efforts soient faits pour maintenir cette transmission exempte de tout virus, l'exp?diteur ne donne aucune garantie ? cet ?gard et sa responsabilit? ne saurait ?tre recherch?e pour tout dommage r?sultant d'un virus transmis.
This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Worldline liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.!!!"
8 years, 7 months
Regarding log_file_parser
by 张晨峰
|
Hi,
I have some doubt about the bold code below, at audit-2.5/src/auditd-config.c
static int log_file_parser(struct nv_pair *nv, int line,
struct daemon_conf *config)
{
char *dir = NULL, *tdir;
DIR *d;
int fd, mode;
struct stat buf;
audit_msg(LOG_DEBUG, "log_file_parser called with: %s", nv->value);
/* get dir from name. */
tdir = strdup(nv->value);
if (tdir)
dir = dirname(tdir);
if (dir == NULL || strlen(dir) < 4) { // '/var' is shortest dirname
audit_msg(LOG_ERR,
"The directory name: %s is too short - line %d",
dir, line);
free((void *)tdir);
return 1;
}
/* verify the directory path exists */
d = opendir(dir);
if (d == NULL) {
audit_msg(LOG_ERR, "Could not open dir %s (%s)", dir,
strerror(errno));
free((void *)tdir);
return 1;
}
when parsing the field "log_file", If the dir is examined nonexistent, why don't create it ?
what are the reasons for the design?
Thanks.
--
frank
|
8 years, 8 months
RE: Regarding Auditing on RHEL7.1
by Sarthak Jain
Hi,
There has been one issue I am facing with auditing on RHEL 7.1. It is the same one as described here -
https://www.redhat.com/archives/linux-audit/2015-January/msg00045.html
https://bugzilla.redhat.com/show_bug.cgi?id=1155208
Can you please comment on this whether it has been fixed or not?
Thanks
-----Original Message-----
From: Richard Guy Briggs [mailto:rgb@redhat.com]
Sent: Wednesday, February 24, 2016 7:59 PM
To: Sarthak Jain <Sarthak.Jain(a)microfocus.com>
Subject: Re: Regarding Auditing on RHEL7.1
On 16/02/24, Sarthak Jain wrote:
> Thank you Richard for replying and giving the proper contact. But you
> know in meanwhile, I came across this known bug -
>
> https://www.redhat.com/archives/linux-audit/2015-January/msg00045.html
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1155208
>
> Can you tell me whether it is under progress or it has been fixed?
You are welcome to ask on the list and Cc: me if you want my attention.
Please keep this public unless you have a service contract.
> Thanks
> -----Original Message-----
> From: Richard Guy Briggs [mailto:rgb@redhat.com]
> Sent: Wednesday, February 24, 2016 1:13 PM
> To: Sarthak Jain <Sarthak.Jain(a)microfocus.com>
> Subject: Re: Regarding Auditing on RHEL7.1
>
> On 16/02/24, Sarthak Jain wrote:
> > Hi Richard,
>
> Hi Sarthak,
>
> > I am Sarthak Jain working in MicroFocus. I want your small help to
> > clarify one of my doubt regarding the kernel auditing on RHEL 7.1. I
> > hope you are the right person to contact. It will just 2 min (max
> > :P) to go through the problem.
>
> For general audit-related questions, please use the linux-audit(a)redhat.com mailing list. For RHEL support questions, please contact your Red Hat service contract manager.
>
> > Assumption: Ideally, if we change the configuration file (for ex- /etc/hosts), we should be getting audit events for it.
> >
> > Scenario: By default, the permissions for '/etc/hosts' is (rw-r-r--). If we modify this file, then audit events are coming as attached in file - 'file1.txt'.
> >
> > Problem: Let say if we change the permissions of the '/etc/hosts' to (rw-rw-rw), then audit system is not recording the "CONFIG_CHANGE" event at all. I have attached the file - 'file2.txt' for your reference. Can you please clarify this ? Is it a kernel level bug?
> >
> > I would be greatly thankful to you if you could please comment on this.
> >
> > Thanks.
> >
> >
>
> > ----
> > time->Wed Feb 24 00:44:20 2016
> > type=CONFIG_CHANGE msg=audit(1456296260.392:3012733752): auid=0
> > ses=612921 op="updated rules" path="/etc/hosts" key=(null) list=4
> > res=1
> > ----
> > time->Wed Feb 24 00:44:20 2016
> > type=PATH msg=audit(1456296260.392:3012733753): item=3
> > name="/etc/hosts~" inode=133015 dev=fd:01 mode=0100700 ouid=0 ogid=0
> > rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=CREATE
> > type=PATH msg=audit(1456296260.392:3012733753): item=2
> > name="/etc/hosts" inode=133015 dev=fd:01 mode=0100700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=DELETE type=PATH msg=audit(1456296260.392:3012733753): item=1 name="/etc/" inode=130309 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT type=PATH msg=audit(1456296260.392:3012733753): item=0 name="/etc/" inode=130309 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT type=CWD msg=audit(1456296260.392:3012733753): cwd="/root"
> > type=SYSCALL msg=audit(1456296260.392:3012733753): arch=c000003e
> > syscall=82 success=yes exit=0 a0=1d5c730 a1=1d82ab0
> > a2=fffffffffffffea0 a3=7fffcc152380 items=4 ppid=7009 pid=7575
> > auid=0
> > uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1
> > ses=612921 comm="vi" exe="/usr/bin/vi"
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > key=(null)
> > ----
> > time->Wed Feb 24 00:44:20 2016
> > type=CONFIG_CHANGE msg=audit(1456296260.393:3012733754): auid=0
> > ses=612921 op="updated rules" path="/etc/hosts" key=(null) list=4
> > res=1
> > ----
> > time->Wed Feb 24 00:44:20 2016
> > type=PATH msg=audit(1456296260.393:3012733755): item=1
> > name="/etc/hosts" inode=133022 dev=fd:01 mode=0100700 ouid=0 ogid=0
> > rdev=00:00 obj=unconfined_u:object_r:net_conf_t:s0 objtype=CREATE type=PATH msg=audit(1456296260.393:3012733755): item=0 name="/etc/" inode=130309 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT type=CWD msg=audit(1456296260.393:3012733755): cwd="/root"
> > type=SYSCALL msg=audit(1456296260.393:3012733755): arch=c000003e
> > syscall=2 success=yes exit=3 a0=1d5c730 a1=241 a2=1c0 a3=0 items=2
> > ppid=7009 pid=7575 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> > sgid=0 fsgid=0 tty=pts1 ses=612921 comm="vi" exe="/usr/bin/vi"
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > key=(null)
> > ----
> > time->Wed Feb 24 00:44:20 2016
> > type=PATH msg=audit(1456296260.413:3012733759): item=0
> > name="/etc/hosts" inode=133022 dev=fd:01 mode=0100700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:net_conf_t:s0 objtype=NORMAL type=CWD msg=audit(1456296260.413:3012733759): cwd="/root"
> > type=SYSCALL msg=audit(1456296260.413:3012733759): arch=c000003e
> > syscall=188 success=yes exit=0 a0=1d5c730 a1=7fc4923b877e a2=1d81fd0
> > a3=20 items=1 ppid=7009 pid=7575 auid=0 uid=0 gid=0 euid=0 suid=0
> > fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=612921 comm="vi"
> > exe="/usr/bin/vi"
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > key=(null)
> > ----
> > time->Wed Feb 24 00:44:20 2016
> > type=PATH msg=audit(1456296260.413:3012733761): item=0
> > name="/etc/hosts" inode=133022 dev=fd:01 mode=0100700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL type=CWD msg=audit(1456296260.413:3012733761): cwd="/root"
> > type=SYSCALL msg=audit(1456296260.413:3012733761): arch=c000003e
> > syscall=90 success=yes exit=0 a0=1d5c730 a1=81c0 a2=0 a3=20 items=1
> > ppid=7009 pid=7575 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> > sgid=0 fsgid=0 tty=pts1 ses=612921 comm="vi" exe="/usr/bin/vi"
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > key=(null)
> > ----
> > time->Wed Feb 24 00:44:20 2016
> > type=PATH msg=audit(1456296260.414:3012733762): item=0
> > name="/etc/hosts" inode=133022 dev=fd:01 mode=0100700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL type=CWD msg=audit(1456296260.414:3012733762): cwd="/root"
> > type=SYSCALL msg=audit(1456296260.414:3012733762): arch=c000003e
> > syscall=188 success=yes exit=0 a0=1d5c730 a1=7fc491f71ddf a2=1d81c30
> > a3=1c items=1 ppid=7009 pid=7575 auid=0 uid=0 gid=0 euid=0 suid=0
> > fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=612921 comm="vi"
> > exe="/usr/bin/vi"
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > key=(null)
>
> > ----
> > time->Wed Feb 24 00:45:55 2016
> > type=PATH msg=audit(1456296355.292:3012759691): item=0
> > name="/etc/hosts~" inode=133015 dev=fd:01 mode=0100666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL type=CWD msg=audit(1456296355.292:3012759691): cwd="/root"
> > type=SYSCALL msg=audit(1456296355.292:3012759691): arch=c000003e syscall=132 success=yes exit=0 a0=2245a70 a1=7fffdf2b4390 a2=2000 a3=7fffdf2b4050 items=1 ppid=7009 pid=7704 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=612921 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="9980284E037547A8A9364B62ACB360C6"
> > ----
> > time->Wed Feb 24 00:45:55 2016
> > type=PATH msg=audit(1456296355.303:3012759696): item=0
> > name="/etc/hosts" inode=133022 dev=fd:01 mode=0100666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL type=CWD msg=audit(1456296355.303:3012759696): cwd="/root"
> > type=SYSCALL msg=audit(1456296355.303:3012759696): arch=c000003e
> > syscall=90 success=yes exit=0 a0=221f730 a1=81b6 a2=0
> > a3=7fffdf2b4050
> > items=1 ppid=7009 pid=7704 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > egid=0 sgid=0 fsgid=0 tty=pts1 ses=612921 comm="vi" exe="/usr/bin/vi"
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > key=(null)
>
>
> - RGB
>
> --
> Richard Guy Briggs <rbriggs(a)redhat.com> Senior Software Engineer,
> Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote,
> Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt:
> +1.613.693.0684x3545
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
8 years, 8 months
Regarding Auditing on RHEL 7.1
by Sarthak Jain
Hi,
I am Sarthak Jain working in MicroFocus. I want your small help to clarify one of my doubt regarding the kernel auditing on RHEL 7.1. I hope you are the right person to contact. It will just 2 min (max :P) to go through the problem.
Assumption: Ideally, if we change the configuration file (for ex- /etc/hosts), we should be getting audit events for it.
Scenario: By default, the permissions for '/etc/hosts' is (rw-r-r--). If we modify this file, then audit events are coming as attached in file - 'file1.txt'.
Problem: Let say if we change the permissions of the '/etc/hosts' to (rw-rw-rw), then audit system is not recording the "CONFIG_CHANGE" event at all. I have attached the file - 'file2.txt' for your reference. Can you please clarify this ? Is it a kernel level bug?
I would be greatly thankful to you if you could please comment on this.
Thanks.
8 years, 8 months
Audisp plugin and SELinux
by Lev Stipakov
Hello,
My audisp plugin has a file-based database in /var/lib/xxx directory. I
noticed that on systems with SELinux enabled plugin cannot read/write
that file.
According to ps, plugin is run under audisp_t domain:
-bash-4.1$ ps axZ | grep plugin
unconfined_u:system_r:audisp_t:s0 1845 ? S< 0:00 /usr/sbin/plugin 1
Obviously I don't want to disable SELinux. What would be the recommended
way to allow plugin read/write file(s) under /var/run/xxx ?
-Lev
8 years, 8 months
space_left_action syslog
by Maupertuis Philippe
Hi list,
The man page reads space_left_action : syslog means that it will issue a warning to syslog.
Please tell me where can I find an example of such a message to look for it in the syslog ?
Would the message be different for admin_space_left_action and disk_full_action ?
When audispd is configured to send audit events to syslog would these messages follow the same path.
I would like to be able to separate these messages for an easy notice should something go wrong.
Regards.
Philippe
________________________________
Ce message et les pi?ces jointes sont confidentiels et r?serv?s ? l'usage exclusif de ses destinataires. Il peut ?galement ?tre prot?g? par le secret professionnel. Si vous recevez ce message par erreur, merci d'en avertir imm?diatement l'exp?diteur et de le d?truire. L'int?grit? du message ne pouvant ?tre assur?e sur Internet, la responsabilit? de Worldline ne pourra ?tre recherch?e quant au contenu de ce message. Bien que les meilleurs efforts soient faits pour maintenir cette transmission exempte de tout virus, l'exp?diteur ne donne aucune garantie ? cet ?gard et sa responsabilit? ne saurait ?tre recherch?e pour tout dommage r?sultant d'un virus transmis.
This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Worldline liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.
8 years, 8 months
[PATCH 2/2] vfs: don't always include audit-specific members of struct filename
by Rasmus Villemoes
The three members uptr, aname and refcnt are only used when
CONFIG_AUDITSYSCALL, a fact which is not obvious from the header file
or namei.c alone. So aside from eliminating a few useless instructions
in getname_flags and making EMBEDDED_NAME_MAX a little larger, this
patch also serves to document whoe the actual user of these members
is.
Signed-off-by: Rasmus Villemoes <linux(a)rasmusvillemoes.dk>
---
fs/namei.c | 10 ++++------
include/linux/audit.h | 9 +++++++++
include/linux/fs.h | 2 ++
3 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/fs/namei.c b/fs/namei.c
index bd150fa799a2..21410db25814 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -185,7 +185,6 @@ getname_flags(const char __user *filename, int flags, int *empty)
}
}
- result->refcnt = 1;
/* The empty path is special. */
if (unlikely(!len)) {
if (empty)
@@ -196,8 +195,7 @@ getname_flags(const char __user *filename, int flags, int *empty)
}
}
- result->uptr = filename;
- result->aname = NULL;
+ audit_init_filename(result, filename);
audit_getname(result);
return result;
}
@@ -235,9 +233,7 @@ getname_kernel(const char * filename)
return ERR_PTR(-ENAMETOOLONG);
}
memcpy((char *)result->name, filename, len);
- result->uptr = NULL;
- result->aname = NULL;
- result->refcnt = 1;
+ audit_init_filename(result, NULL);
audit_getname(result);
return result;
@@ -245,10 +241,12 @@ getname_kernel(const char * filename)
void putname(struct filename *name)
{
+#ifdef CONFIG_AUDITSYSCALL
BUG_ON(name->refcnt <= 0);
if (--name->refcnt > 0)
return;
+#endif
if (name->name != name->iname) {
__putname(name->name);
diff --git a/include/linux/audit.h b/include/linux/audit.h
index b40ed5df5542..7d7143674d85 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -232,6 +232,12 @@ extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1,
extern void __audit_syscall_exit(int ret_success, long ret_value);
extern struct filename *__audit_reusename(const __user char *uptr);
extern void __audit_getname(struct filename *name);
+static inline void audit_init_filename(struct filename *name, const __user char *uptr)
+{
+ name->refcnt = 1;
+ name->aname = NULL;
+ name->uptr = uptr;
+}
#define AUDIT_INODE_PARENT 1 /* dentry represents the parent */
#define AUDIT_INODE_HIDDEN 2 /* audit record should be hidden */
@@ -459,6 +465,9 @@ static inline struct filename *audit_reusename(const __user char *name)
}
static inline void audit_getname(struct filename *name)
{ }
+static inline void audit_init_filename(struct filename *name, const __user char *uptr)
+{ }
+
static inline void __audit_inode(struct filename *name,
const struct dentry *dentry,
unsigned int flags)
diff --git a/include/linux/fs.h b/include/linux/fs.h
index d522e6391855..df769f738695 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2243,12 +2243,14 @@ static inline int break_layout(struct inode *inode, bool wait)
struct audit_names;
struct filename {
const char *name; /* pointer to actual string */
+#ifdef CONFIG_AUDITSYSCALL
const __user char *uptr; /* original userland pointer */
struct audit_names *aname;
union {
int refcnt;
long __padding;
};
+#endif
const char iname[];
};
--
2.1.4
8 years, 8 months