[PATCH] audit: always enable syscall auditing when supported and audit is enabled
by Paul Moore
To the best of our knowledge, everyone who enables audit at compile
time also enables syscall auditing; this patch simplifies the Kconfig
menus by removing the option to disable syscall auditing when audit
is selected and the target arch supports it.
Signed-off-by: Paul Moore <pmoore(a)redhat.com>
---
init/Kconfig | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/init/Kconfig b/init/Kconfig
index c24b6f7..d4663b1 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -299,20 +299,15 @@ config AUDIT
help
Enable auditing infrastructure that can be used with another
kernel subsystem, such as SELinux (which requires this for
- logging of avc messages output). Does not do system-call
- auditing without CONFIG_AUDITSYSCALL.
+ logging of avc messages output). System call auditing is included
+ on architectures which support it.
config HAVE_ARCH_AUDITSYSCALL
bool
config AUDITSYSCALL
- bool "Enable system-call auditing support"
+ def_bool y
depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
- default y if SECURITY_SELINUX
- help
- Enable low-overhead system-call auditing infrastructure that
- can be used independently or with another kernel subsystem,
- such as SELinux.
config AUDIT_WATCH
def_bool y
5 years, 3 months
[RFC PATCH 0/7] audit: clean up audit queue handling
by Richard Guy Briggs
This set of patches cleans up a number of corner cases in the management
of the audit queue.
Richard Guy Briggs (7):
audit: don't needlessly reset valid wait time
audit: include auditd's threads in audit_log_start() wait exception
audit: allow systemd to use queue reserves
audit: wake up threads if queue switched from limited to unlimited
audit: allow audit_cmd_mutex holders to use reserves
audit: wake up audit_backlog_wait queue when auditd goes away.
audit: wake up kauditd_thread after auditd registers
kernel/audit.c | 20 +++++++++++++++-----
1 files changed, 15 insertions(+), 5 deletions(-)
7 years, 11 months
auditd reports port number '0' for connect() system call
by Kangkook Jee
Hi all,
I'm developing custom audit client to monitor Linux system activities.
I'm testing my client from Ubuntu 14.04 (64-bit) system with the following auditctl rules.
sudo auditctl -l
LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=open,close,dup,dup2,socket,connect,accept,listen,socketpair,clone,fork,vfork,execve,exit,creat,unlink,exit_group,openat,unlinkat,accept4,dup3
And I captured the raw system messages with the following command.
sudo auditd -f > /tmp/log.txt
While /tmp/log.txt contains a considerable amount of raw audit messages, I grep'ed only connect() system calls with its associated saddr entries.
grep -A1 -e "syscall=42 success=yes" /tmp/log.txt
--
type=SYSCALL msg=audit(1459302277.538:35891018): arch=c000003e syscall=42 success=yes exit=0 a0=61 a1=7f2ec75a1ed0 a2=10 a3=1 items=0 ppid=2779 pid=21581 auid=4294967295 uid=8271 gid=5001 euid=8271 suid=8271 fsuid=8271 egid=5001 sgid=5001 fsgid=5001 tty=(none) ses=4294967295 comm="Chrome_IOThread" exe="/opt/google/chrome/chrome" key=(null)
type=SOCKADDR msg=audit(1459302277.538:35891018): saddr=020000358A0F6C0B0000000000000000
--
type=SYSCALL msg=audit(1459302309.098:35898719): arch=c000003e syscall=42 success=yes exit=0 a0=6 a1=7fffe9a24980 a2=10 a3=7fffe9a246d0 items=0 ppid=20312 pid=2991 auid=4294967295 uid=8271 gid=5001 euid=0 suid=0 fsuid=0 egid=0 sgid=5001 fsgid=0 tty=pts23 ses=4294967295 comm="sudo" exe="/usr/bin/sudo" key=(null)
type=SOCKADDR msg=audit(1459302309.098:35898719): saddr=0200006F8A0FA5090000000000000000
--
type=SYSCALL msg=audit(1459302309.098:35898722): arch=c000003e syscall=42 success=yes exit=0 a0=6 a1=7fffe9a24980 a2=10 a3=7fffe9a246d0 items=0 ppid=20312 pid=2991 auid=4294967295 uid=8271 gid=5001 euid=0 suid=0 fsuid=0 egid=0 sgid=5001 fsgid=0 tty=pts23 ses=4294967295 comm="sudo" exe="/usr/bin/sudo" key=(null)
type=SOCKADDR msg=audit(1459302309.098:35898722): saddr=0200030B8A0FA5090000000000000000
...
For these entries, I decoded saddr entries with the attached program and extracted entries port values '0'.
g++ -o sock_decode sock_decode.cpp
grep -A1 -e "syscall=42 success=yes" /tmp/log.txt |grep saddr | awk 'BEGIN{FS="="} {print “ ./sock_decode " $4}' |sh |grep "sa_family: 2.* port: 0" |more
0200000036447A640000000000000000: sa_family: 2 addr: 1685734454, port: 0 (0)
020000003644ECD00000000000000000: sa_family: 2 addr: 3505144886, port: 0 (0)
02000000369520250000000000000000: sa_family: 2 addr: 622892342, port: 0 (0)
....
If I understood correctly, connect() should return error when sin_port field is set with '0'.
Would anyone explain this to me or help me with fix this problem?
Thanks a lot for your help in advance!
8 years, 1 month
[PATCH] audit: cleanup prune_tree_thread
by Jiri Slaby
We can use kthread_run instead of kthread_create+wake_up_process for
creating the thread.
We do not need to set the task state to TASK_RUNNING after schedule(),
the process is in that state already.
And we do not need to set the state to TASK_INTERRUPTIBLE when not
doing schedule() as we set the state to TASK_RUNNING immediately
afterwards.
Signed-off-by: Jiri Slaby <jslaby(a)suse.cz>
Cc: Paul Moore <paul(a)paul-moore.com>
Cc: Eric Paris <eparis(a)redhat.com>
Cc: <linux-audit(a)redhat.com>
---
kernel/audit_tree.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
index 5efe9b299a12..25772476fa4a 100644
--- a/kernel/audit_tree.c
+++ b/kernel/audit_tree.c
@@ -661,10 +661,10 @@ static int tag_mount(struct vfsmount *mnt, void *arg)
static int prune_tree_thread(void *unused)
{
for (;;) {
- set_current_state(TASK_INTERRUPTIBLE);
- if (list_empty(&prune_list))
+ if (list_empty(&prune_list)) {
+ set_current_state(TASK_INTERRUPTIBLE);
schedule();
- __set_current_state(TASK_RUNNING);
+ }
mutex_lock(&audit_cmd_mutex);
mutex_lock(&audit_filter_mutex);
@@ -693,16 +693,14 @@ static int audit_launch_prune(void)
{
if (prune_thread)
return 0;
- prune_thread = kthread_create(prune_tree_thread, NULL,
+ prune_thread = kthread_run(prune_tree_thread, NULL,
"audit_prune_tree");
if (IS_ERR(prune_thread)) {
pr_err("cannot start thread audit_prune_tree");
prune_thread = NULL;
return -ENOMEM;
- } else {
- wake_up_process(prune_thread);
- return 0;
}
+ return 0;
}
/* called with audit_filter_mutex */
--
2.7.4
8 years, 1 month
audit.rules setting
by Warron S French
Does the "-e 2" have to be the last line of the audit.rules file?
Does it have to be listed prior to all of the syscalls and watches configured in the file?
Thank you in advance,
Warron French, MBA, SCSA
8 years, 1 month
Strings encoding
by Lev Stipakov
Hello,
The string values can be either enclosed in quotation marks or
hex-encoded. Is it safe to assume that sequence of bytes after hex
decoding is always utf-8 encoded string?
-Lev
8 years, 1 month
Adding New field into audit records
by Deepika Sundar
Hi All,
Audit log contains already defined <name>=<value> pair in each record.Is
there any possibility to add new field <name>=<value>? and Is there any
compatibility issues associated with it ? please specify if any.
8 years, 1 month
AUDIT changes - true sense of security
by Warron S French
Hello all,
I do work that requires me to configure auditing on my systems. I am a relative novice to the audit configurations in most operating systems.
I have an issue, I believe, and I am asking for help on how to properly address/assess it.
I have been given guidance in support of auditing on CentOS-6.x systems:
1. To place various watch (-w) and action (-a) rules into place.
2. Make certain the configurations are immutable.
Sometimes I have to add more rules, so I do that. However, I am not certain if the rules are working properly, and I do know that I have broken the auditd init-scripts on my systems a few times, and just commented out the offending audit controls to work around/fix this very type of problem.
What I need to know is, since the configurations have to be immutable ( with the -e 2) how can I properly start the audit service, and without any inkling of a doubt be certain that the rules are in place and are functioning properly?
Also, being a total novice, how can I test/trigger audit log actions on watch and action rules to see that the rules are configured properly?
Finally, is there a tool that will do a sanity check on the audit.rules file? Or is the only option to attempt to restart the auditd service, and think "It started, it worked!" is acceptable?
I just don't want a false sense of security, I also don't want a nagging sense of paranoia.
Thank you,
Warron French, MBA, SCSA
The Aerospace Corporation
8 years, 2 months
