Beginner question
by Bryan Harris
Hello all,
I joined the mailing list but have not received the confirmation email
yet. Please include me in the reply if you don't mind.
Okay here goes. I must have a simple misunderstanding or I may be
doing something wrong.
When I do the below three commands the auid shown back to me is not
the same from all the commands, but it's the same event. In the first
aureport I'm getting back an auid of zero for root. In the second
aureport I get back my teammate's auid. Also in the ausearch for the
specific event I get my teammate's auid. I would expect my teammate's
auid across all but that's not what I see.
It seems the first aureport replaces the auid with uid.
Can anyone point me in the right direction to get my expected results
working? I'm happy to share audit.rules and/or PAM configuration,
although they appear to be the result of someone following the
standard security guidelines.
The Red Hat support people have pointed me to "Chapter 7. System
Auditing" which I am happy to read. However, I already stumbled upon
"7.8. Creating Audit Reports" and I didn't see anything that helped me
out.
Here are the commands.
$ sudo aureport -l -ts 04/13/2016 17:02:06 -te 04/13/2016 17:02:06
Login Report
============================================
# date time auid host term exe success event
============================================
1. 04/13/2016 17:02:06 0 10.120.1.235 /dev/pts/2 /usr/sbin/sshd yes 1972315
$ sudo aureport -l --summary -ts 04/13/2016 17:02:06 -te 04/13/2016 17:02:06
Login Summary Report
============================
total auid
============================
1 849603
$ sudo ausearch --message USER_LOGIN -ts 04/13/2016 17:02:06 -te
04/13/2016 17:02:06
----
time->Wed Apr 13 17:02:06 2016
type=USER_LOGIN msg=audit(1460581326.375:1972315): user pid=29792
uid=0 auid=849603 ses=4572
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=849603
exe="/usr/sbin/sshd" hostname=10.120.1.235 addr=10.120.1.235
terminal=/dev/pts/2 res=success'
V/r,
Bryan
8 years, 8 months
PID's Mapping
by sowndarya kumar
Hi
Is there any way to map the PID's seen in the namespace application with
the PID's seen in global?
If it can be done please provide the documentation or idea on how it can be
done.
-Krithika
8 years, 8 months
audit 2.5.1 released
by Steve Grubb
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Updated and added audit rules
- Updated errno table for 4.4 kernel
- Change interpretation of exit to use errno define rather than a number
- Add distribute_network configuration option to auditd
- New aggregate only mode for auditd
- Cleanup tmp file left by augenrules --check
- Fix initial build from svn without golang support installed
- Update auparse interpretations for hook, action, macproto, chardev, and net
- Update interpretations for the 4.5 kernel
- Fix DST bug in ausearch/report time handling
- Add optional ExecStopPost to auditd.service to clear rules on service exit
- Update ausearch/report buffer size for locales with large time formats
- Add auparse_feed_age_events function to auparse library
- Use auparse_feed_age_events in zos & prelude plugins
This update includes more rules to compose into a policy. There is a new pci-
dss set of rules, for example.
Interpretations have been updated and improved.
Auditd gained a new configuration options, distribute_network, which determines
if events read from the network should be distributed to audispd for plugin
analysis. This would allow for whole datacenter realtime analysis. The other
configuration option, There is also a new option in the auditd.service file,
ExecStopPost, which clears audit rules on shutdown. This allows makes shutdown
more quiet like the sysVinit systems.
There is a new function in auparse library to age pending events. This is
necessary when an event has accumulated but no new events are arriving which
would cause aging and processing of events that time out. The example plugin
code has been updated to show its proper use.
Please let me know if you run across any problems with this release.
-Steve
8 years, 8 months
Re: [PATCH] Don't audit SECCOMP_KILL/RET_ERRNO when syscall auditing is disabled
by Paul Moore
On Sat, Apr 9, 2016 at 10:41 PM, Andi Kleen <andi(a)firstfloor.org> wrote:
>> What kernel version are you using? I believe we fixed that in Linux
>> 4.5 with the following:
>
> This is 4.6-rc2.
>>
>> commit 96368701e1c89057bbf39222e965161c68a85b4b
>> From: Paul Moore <pmoore(a)redhat.com>
>> Date: Wed, 13 Jan 2016 10:18:55 -0400 (09:18 -0500)
>>
>> audit: force seccomp event logging to honor the audit_enabled flag
>
> No you didn't fix it because audit_enabled is always enabled by systemd
> for user space auditing, see the original description of my patch.
[NOTE: adding the audit list to the CC line]
Sorry, I read your email too quickly; you are correct, that commit
fixed a different problem.
Let me think on this a bit more. Technically I don't see this as a
bug with the kernel, userspace is enabling audit and you are getting
audit messages as a result; from my opinion this is the expected
behavior. However, we've talked in the past about providing better
control over seccomp's auditing/logging and that work would allow you
to quiet all seccomp messages if you desired.
If you are interested, I started tracking this issue at the link below:
* https://github.com/linux-audit/audit-kernel/issues/13
--
paul moore
www.paul-moore.com
8 years, 8 months
Re: [PATCH] audit: Don't spam logs with SECCOMP_KILL/RET_ERRNO by default
by Paul Moore
On Mon, Apr 11, 2016 at 12:13 AM, Andi Kleen <andi(a)firstfloor.org> wrote:
> From: Andi Kleen <ak(a)linux.intel.com>
>
> When I run chrome on my opensuse system every time I open
> a new tab the system log is spammed with:
>
> audit[16857]: SECCOMP auid=1000 uid=1000 gid=100 ses=1 pid=16857
> comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e
> syscall=273 compat=0 ip=0x7fe27c11a444 code=0x50000
>
> This happens because chrome uses SECCOMP for its sandbox,
> and for some reason always reaches a SECCOMP_KILL or more likely
> SECCOMP_RET_ERRNO in the rule set.
>
> The seccomp auditing was originally added by Eric with
>
> commit 85e7bac33b8d5edafc4e219c7dfdb3d48e0b4e31
> Author: Eric Paris <eparis(a)redhat.com>
> Date: Tue Jan 3 14:23:05 2012 -0500
>
> seccomp: audit abnormal end to a process due to seccomp
>
> The audit system likes to collect information about processes that end
> abnormally (SIGSEGV) as this may me useful intrusion detection information.
> This patch adds audit support to collect information when seccomp
> forces a task to exit because of misbehavior in a similar way.
>
> I don't have any other syscall auditing enabled,
> just the standard user space auditing used by the systemd
> and PAM userland. So basic auditing is alwas enabled,
> but no other kernel auditing.
>
> Add a sysctl to enable this unconditional behavior with default
> to off. This replaces an earlier patch that simply checked
> whether syscall auditing was on, but Paul Moore preferred
> this more elaborate approach.
>
> Signed-off-by: Andi Kleen <ak(a)linux.intel.com>
> ---
> Documentation/sysctl/kernel.txt | 9 +++++++++
> include/linux/audit.h | 4 +++-
> kernel/seccomp.c | 4 ++++
> kernel/sysctl.c | 11 +++++++++++
> 4 files changed, 27 insertions(+), 1 deletion(-)
Quick response as I'm traveling the next few days and
time/connectivity will be spotty ... thanks for sending an updated
patch, some initial thoughts:
* My thinking was that the sysctl knob could be a threshold value such
that setting it to 0x00030000 would only log TRAP and KILL.
* With the sysctl tunable defaulting to no-logging there is no need to
check for audit_enabled, further, checking for audit_enabled would
prevent logging to dmesg/syslog which I believe is valuable (you may
not).
* A bit nitpicky, but considering the possibility of logging to
dmesg/syslog when auditing is disabled, I think
"seccomp-log-threshold" or similar would be a better sysctl name.
> diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
> index 57653a4..abc6ef9 100644
> --- a/Documentation/sysctl/kernel.txt
> +++ b/Documentation/sysctl/kernel.txt
> @@ -21,6 +21,7 @@ show up in /proc/sys/kernel:
> - acct
> - acpi_video_flags
> - auto_msgmni
> +- audit_log_seccomp
> - bootloader_type [ X86 only ]
> - bootloader_version [ X86 only ]
> - callhome [ S390 only ]
> @@ -129,6 +130,14 @@ upon memory add/remove or upon ipc namespace creation/removal.
> Echoing "1" into this file enabled msgmni automatic recomputing.
> Echoing "0" turned it off. auto_msgmni default value was 1.
>
> +==============================================================
> +
> +audit_log_seccomp
> +
> +When this variable is set to 1 every SECCOMP_KILL/SECCOMP_RET_ERRNO
> +results in an audit log. This is generally a bad idea because
> +it leads to a audit message every time Chrome opens a new tab.
> +Defaults to 0.
>
> ==============================================================
>
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index e38e3fc..c7787ba 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -315,9 +315,11 @@ static inline void audit_inode_child(struct inode *parent,
> }
> void audit_core_dumps(long signr);
>
> +extern int audit_log_seccomp;
> +
> static inline void audit_seccomp(unsigned long syscall, long signr, int code)
> {
> - if (!audit_enabled)
> + if (!audit_enabled || !audit_log_seccomp)
> return;
>
> /* Force a record to be reported if a signal was delivered. */
> diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> index e1e5a35..09a8b03 100644
> --- a/kernel/seccomp.c
> +++ b/kernel/seccomp.c
> @@ -25,6 +25,10 @@
> #include <asm/syscall.h>
> #endif
>
> +#ifdef CONFIG_AUDIT
> +int audit_log_seccomp __read_mostly = 0;
> +#endif
> +
> #ifdef CONFIG_SECCOMP_FILTER
> #include <linux/filter.h>
> #include <linux/pid.h>
> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
> index 725587f..0c7611e 100644
> --- a/kernel/sysctl.c
> +++ b/kernel/sysctl.c
> @@ -65,6 +65,7 @@
> #include <linux/sched/sysctl.h>
> #include <linux/kexec.h>
> #include <linux/bpf.h>
> +#include <linux/audit.h>
>
> #include <asm/uaccess.h>
> #include <asm/processor.h>
> @@ -529,6 +530,16 @@ static struct ctl_table kern_table[] = {
> .proc_handler = proc_dointvec,
> },
> #endif
> +#ifdef CONFIG_AUDIT
> + {
> + .procname = "audit-log-seccomp",
> + .data = &audit_log_seccomp,
> + .maxlen = sizeof(int),
> + .mode = 0644,
> + .proc_handler = proc_dointvec,
> + },
> +
> +#endif
> {
> .procname = "print-fatal-signals",
> .data = &print_fatal_signals,
> --
> 2.7.4
>
--
paul moore
www.paul-moore.com
8 years, 8 months
Re: [PATCH] Don't audit SECCOMP_KILL/RET_ERRNO when syscall auditing is disabled
by Paul Moore
On Mon, Apr 11, 2016 at 12:07 AM, Andi Kleen <andi(a)firstfloor.org> wrote:
> On Sun, Apr 10, 2016 at 10:30:10PM -0400, Paul Moore wrote:
>> On Sun, Apr 10, 2016 at 6:31 PM, Andi Kleen <ak(a)linux.intel.com> wrote:
>> > On Sun, Apr 10, 2016 at 06:17:53PM -0400, Paul Moore wrote:
>> >> On Sat, Apr 9, 2016 at 10:41 PM, Andi Kleen <andi(a)firstfloor.org> wrote:
>> >> >> What kernel version are you using? I believe we fixed that in Linux
>> >> >> 4.5 with the following:
>> >> >
>> >> > This is 4.6-rc2.
>> >> >>
>> >> >> commit 96368701e1c89057bbf39222e965161c68a85b4b
>> >> >> From: Paul Moore <pmoore(a)redhat.com>
>> >> >> Date: Wed, 13 Jan 2016 10:18:55 -0400 (09:18 -0500)
>> >> >>
>> >> >> audit: force seccomp event logging to honor the audit_enabled flag
>> >> >
>> >> > No you didn't fix it because audit_enabled is always enabled by systemd
>> >> > for user space auditing, see the original description of my patch.
>> >>
>> >> [NOTE: adding the audit list to the CC line]
>> >
>> > This mailing list is marked subscriber only in MAINTAINERS so I
>> > intentionally didn't add it. It's unlikely that my emails
>> > will make it through.
>>
>> Steve Grubb checks it on a regular basis and approves anything
>> remotely audit related. Please make use of it in the future; it's
>> listed in MAINTAINERS for a reason.
>
> Nothing has appeared by now. A mailing list that does not allow
> real time discussion is fairly useless.
>
> Dropped again.
Re-added.
There is always value in having the conversation archived.
--
paul moore
www.paul-moore.com
8 years, 8 months
[PATCH] audit: we don't need to __set_current_state(TASK_RUNNING)
by Paul Moore
From: Paul Moore <paul(a)paul-moore.com>
Remove the calls to __set_current_state() to mark the task as running
and do some related cleanup in wait_for_auditd() to limit the amount
of work we do when we aren't going to reschedule the current task.
Signed-off-by: Paul Moore <paul(a)paul-moore.com>
---
kernel/audit.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 3a3e5de..f52fbef 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -430,7 +430,6 @@ restart:
attempts, audit_pid);
set_current_state(TASK_INTERRUPTIBLE);
schedule();
- __set_current_state(TASK_RUNNING);
goto restart;
}
}
@@ -1324,15 +1323,14 @@ static inline void audit_get_stamp(struct audit_context *ctx,
static long wait_for_auditd(long sleep_time)
{
DECLARE_WAITQUEUE(wait, current);
- set_current_state(TASK_UNINTERRUPTIBLE);
- add_wait_queue_exclusive(&audit_backlog_wait, &wait);
if (audit_backlog_limit &&
- skb_queue_len(&audit_skb_queue) > audit_backlog_limit)
+ skb_queue_len(&audit_skb_queue) > audit_backlog_limit) {
+ add_wait_queue_exclusive(&audit_backlog_wait, &wait);
+ set_current_state(TASK_UNINTERRUPTIBLE);
sleep_time = schedule_timeout(sleep_time);
-
- __set_current_state(TASK_RUNNING);
- remove_wait_queue(&audit_backlog_wait, &wait);
+ remove_wait_queue(&audit_backlog_wait, &wait);
+ }
return sleep_time;
}
8 years, 8 months
syscall - "comm" field truncated
by Lev Stipakov
Hello,
Sometimes audit of "execve" syscall generates events with truncated
"comm" values, for example:
type=SYSCALL msg=audit(1459950426.152:1097081): arch=c000003e syscall=59
success=yes exit=0 a0=35bae3e a1=1bc0cf0 a2=2b09280 a3=58c items=2
ppid=2183 pid=26566 auid=4294967295 uid=1001 gid=1001 euid=1001
suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none)
ses=4294967295 comm="gnome-calculato" exe="/usr/bin/gnome-calculator"
Why "comm" is "gnome-calculato" and not "/usr/bin/gnome-calculator" ?
Same for Firefiox:
type=SYSCALL msg=audit(1459950158.667:1092149): arch=c000003e syscall=59
success=yes exit=0 a0=7f913ed1ddf0 a1=7f9144819be0 a2=7f9173f14400
a3=786f666572696600 items=2 ppid=26165 pid=26247 auid=4294967295
uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001
fsgid=1001 tty=(none) ses=4294967295 comm="plugin-containe"
exe="/usr/lib/firefox/plugin-container"
comm is "plugin-containe" and not "plugin-container".
Audit version is 2.4.2-1ubuntu1.
-Lev
8 years, 8 months
Auditing User Additions - Critical Oversight?
by Blackwell, Joseph M
Steve / et all,
I am working on scripting a report that can be run to filter and display the audits on a weekly basis, and I am having issues pulling specific events that indicate when users are added through the User Manager GUI (GNOME 2.28.2). I have nispom.rules file running on kernel "2.6.32-220.el6.x86_64 (RHEL 6.2)". The following are the only events that show up in the audit.log for this activity.
type=USER_ACCT msg=audit(04/05/2016 14:21:42.854:36615) : user pid=15667 uid=root auid=root ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct=root exe=/usr/sbin/userhelper hostname=? addr=? terminal=? res=success'
----
type=USER_START msg=audit(04/05/2016 14:21:42.870:36616) : user pid=15667 uid=root auid=root ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct=root exe=/usr/sbin/userhelper hostname=? addr=? terminal=? res=success'
These events are followed by other SYSCALL events showing root writing to shadow, gshadow, and passwd, but no indication of the actual account that was created/modified. Unless I am not configured correctly, these seems like a critical oversight. Perhaps I am missing something?
I know that we can gather other events, such as when the useradd command is used, but there are many admins that prefer to use the GUI. I suppose I could copy the passwd file on a weekly basis and perform a diff, but it seems to me that this type of information should be baked in already, especially in cases where we are using indexers such as splunk.
-Joe Blackwell
8 years, 8 months
[RFC] Create an audit record of USB specific details
by wmealing
From: Wade Mealing <wmealing(a)redhat.com>
Gday,
I'm looking to create an audit trail for when devices are added or removed
from the system.
The audit subsystem is a logging subsystem in kernel space that can be
used to create advanced filters on generated events. It has partnered userspace
utilities ausearch, auditd, aureport, auditctl which work exclusively on audit
records.
These tools are able to set filters to "trigger" on specific in-kernel events
specified by privileged users. While the userspace tools can create audit
events these are not able to be handled intelligently (decoded,filtered or
ignored) as kernel generated audit events are.
I have this working at the moment with the USB subsystem (as an example).
Its been suggested that I use systemd-udev however this means that the audit
tools (ausearch) will not be able to index these records.
Here is an example of picking out the AUDIT_DEVICE record type for example.
> # ausearch -l -i -ts today -m AUDIT_DEVICE
> ----
> type=AUDIT_DEVICE msg=audit(31/03/16 16:37:15.642:2) : action=add
> manufacturer=Linux 4.4.0-ktest ehci_hcd product=EHCI Host Controller
> serial=0000:00:06.7 major=189 minor=0 bus="usb"
Admittedly this is only the USB device type at the moment, but I'd like to break
this
out into other bus types at some time in the future, gotta start somewhere.
Thanks,
Wade Mealing
---
include/uapi/linux/audit.h | 1 +
init/Kconfig | 10 ++++++
kernel/Makefile | 1 +
kernel/audit_device.c | 90 ++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 102 insertions(+)
create mode 100644 kernel/audit_device.c
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 843540c..344c97b 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -110,6 +110,7 @@
#define AUDIT_SECCOMP 1326 /* Secure Computing event */
#define AUDIT_PROCTITLE 1327 /* Proctitle emit event */
#define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes */
+#define AUDIT_DEVICE_CHANGE 1330 /* Device added/removed to the system */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
diff --git a/init/Kconfig b/init/Kconfig
index 2232080..e171f74 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -309,6 +309,16 @@ config AUDITSYSCALL
def_bool y
depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
+config DEVICE_AUDIT
+ bool "Create audit records for devices added to the systems"
+ depends on AUDIT && USB
+ default y
+ help
+ Generate audit events in the system for USB devices that
+ are added or removed from the system from boot time onwards.
+ Records the manufacturer, product serial number, device major
+ and minor number and bus which the device was added to.
+
config AUDIT_WATCH
def_bool y
depends on AUDITSYSCALL
diff --git a/kernel/Makefile b/kernel/Makefile
index 53abf00..909c869 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -68,6 +68,7 @@ obj-$(CONFIG_AUDIT) += audit.o auditfilter.o
obj-$(CONFIG_AUDITSYSCALL) += auditsc.o
obj-$(CONFIG_AUDIT_WATCH) += audit_watch.o audit_fsnotify.o
obj-$(CONFIG_AUDIT_TREE) += audit_tree.o
+obj-$(CONFIG_DEVICE_AUDIT) += audit_device.o
obj-$(CONFIG_GCOV_KERNEL) += gcov/
obj-$(CONFIG_KPROBES) += kprobes.o
obj-$(CONFIG_KGDB) += debug/
diff --git a/kernel/audit_device.c b/kernel/audit_device.c
new file mode 100644
index 0000000..8dfdf04
--- /dev/null
+++ b/kernel/audit_device.c
@@ -0,0 +1,90 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/usb.h>
+#include <linux/usb/hcd.h>
+#include <linux/slab.h>
+#include <linux/notifier.h>
+#include <linux/mutex.h>
+#include <linux/device.h>
+#include <linux/usb.h>
+#include <linux/audit.h>
+#include <linux/kdev_t.h>
+
+static void log_string(struct audit_buffer *ab, char *key, char *val)
+{
+ if (val) {
+ audit_log_format(ab, " %s=", key);
+ audit_log_untrustedstring(ab, val);
+ }
+ else {
+ audit_log_format(ab, " %s=%s", key, "?");
+ }
+
+}
+
+static void log_major_minor(struct audit_buffer *ab, struct device *dev)
+{
+ if (dev && dev->devt) {
+ audit_log_format(ab, " major=%d", MAJOR(dev->devt));
+ audit_log_format(ab, " minor=%d", MINOR(dev->devt));
+ }
+}
+
+/* Blocking call when device has reference and will keep reference until
+ * all notifiers are done, no usb_dev_get/ usb_dev_put required.
+ */
+static int audit_notify(struct notifier_block *self,
+ unsigned long action, void *d)
+{
+ struct usb_device *usbdev = (struct usb_device *)d;
+ char *op;
+ struct audit_buffer *ab;
+
+ switch (action) {
+ case USB_DEVICE_ADD:
+ op = "add";
+ break;
+ case USB_DEVICE_REMOVE:
+ op = "remove";
+ break;
+ default: /* ignore any other USB events */
+ return NOTIFY_DONE;
+ }
+
+ ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_DEVICE_CHANGE);
+
+ if (ab) {
+ audit_log_format(ab, "action=%s", op);
+ log_string(ab, "manufacturer", usbdev->manufacturer);
+ log_string(ab, "product", usbdev->product);
+ log_string(ab, "serial", usbdev->serial);
+ log_major_minor(ab, &usbdev->dev);
+ log_string(ab, "bus", "usb");
+ audit_log_end(ab);
+ }
+
+ return NOTIFY_DONE;
+}
+
+static struct notifier_block audit_nb = {
+ .notifier_call = audit_notify,
+ .priority = INT_MIN
+};
+
+static int __init audit_device_init(void)
+{
+ pr_info("Registering usb audit notification callback\n");
+ usb_register_notify(&audit_nb);
+ return 0;
+}
+
+static void __exit audit_device_exit(void)
+{
+ pr_info("Unregistering usb audit notification callback\n");
+ usb_unregister_notify(&audit_nb);
+}
+
+module_init(audit_device_init);
+module_exit(audit_device_exit);
+
+MODULE_LICENSE("GPL");
--
1.8.3.1
8 years, 8 months
