May 2016 - Linux-audit - Linux-Audit List Archives

[PATCH] audit: always enable syscall auditing when supported and audit is enabled

by Paul Moore

To the best of our knowledge, everyone who enables audit at compile time also enables syscall auditing; this patch simplifies the Kconfig menus by removing the option to disable syscall auditing when audit is selected and the target arch supports it. Signed-off-by: Paul Moore <pmoore(a)redhat.com> --- init/Kconfig | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/init/Kconfig b/init/Kconfig index c24b6f7..d4663b1 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -299,20 +299,15 @@ config AUDIT help Enable auditing infrastructure that can be used with another kernel subsystem, such as SELinux (which requires this for - logging of avc messages output). Does not do system-call - auditing without CONFIG_AUDITSYSCALL. + logging of avc messages output). System call auditing is included + on architectures which support it. config HAVE_ARCH_AUDITSYSCALL bool config AUDITSYSCALL - bool "Enable system-call auditing support" + def_bool y depends on AUDIT && HAVE_ARCH_AUDITSYSCALL - default y if SECURITY_SELINUX - help - Enable low-overhead system-call auditing infrastructure that - can be used independently or with another kernel subsystem, - such as SELinux. config AUDIT_WATCH def_bool y

5 years, 10 months

5
13
0 / 0

How do I get complete list of audit event types

by Satish Chandra Kilaru

Hi I want to understand the logs in /var/log/audit/audit.log. Where can I get complete list of audit event types and what they mean? --Satish Please Donate to www.wikipedia.org

7 years

4
5
0 / 0

[RFC PATCH 0/7] audit: clean up audit queue handling

by Richard Guy Briggs

This set of patches cleans up a number of corner cases in the management of the audit queue. Richard Guy Briggs (7): audit: don't needlessly reset valid wait time audit: include auditd's threads in audit_log_start() wait exception audit: allow systemd to use queue reserves audit: wake up threads if queue switched from limited to unlimited audit: allow audit_cmd_mutex holders to use reserves audit: wake up audit_backlog_wait queue when auditd goes away. audit: wake up kauditd_thread after auditd registers kernel/audit.c | 20 +++++++++++++++----- 1 files changed, 15 insertions(+), 5 deletions(-)

8 years, 6 months

4
22
0 / 0

Audit reporting Invalid argument

by Bhagwat, Shriniketan Manjunath

Hello, I am trying to monitor multiple files using Linux audit. In order to get better performance, I am trying to reduce number of rules. If I specify more than one path field as in below example I am getting "Invalid argument". Examle1: # auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c -F path=/home/secpack/test -S open Error sending add rule data request (Invalid argument) # auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c -F dir=/tmp/ -S open Error sending add rule data request (Invalid argument) However, I am able to create a single rule to monitor multiple PIDs or UIDs as below. Examle2: # auditctl -a always,exit -F arch=x86_64 -F pid=3526 -F pid=3537 # auditctl -a always,exit -F arch=x86_64 -F auid=0 -F auid=512 -F auid=1002 As per the auditctl man page, Build a rule field takes up to 64 fields on a single command line. Each one must start with -F. Each field equation is anded with each other to trigger an audit record. My question is, 1. specify more than one path field as in example1 is valid? 2. If not valid than how do I create single audit rule to monitor multiple files/directory? 3. If valid, then why "Invalid argument" is reported? 4. To monitor 10 files, should 10 audit rules required? 5. if 10 rules are required, how to I optimize the rule for performance? My next question is does Linux audit support regular expressions? How do I create audit rule to monitor /var/log/*.log? # auditctl -a always,exit -F arch=x86_64 -F path=^/var/log/*.log$ -S open Error sending add rule data request (Invalid argument) If my questions are already documented, please guide me to the documentation. Regards, Ketan

8 years, 6 months

3
10
0 / 0

krb5 issues

by Ken Bass

Hello, I enabled krb5 in my audisp-remote and audispd-remote reports "GSS-API error sending token length" and fails to log remotely. If I reboot the destination auditd server AFTER the clients are running it appears to work. But if I reboot any clients machine, logging from that rebooted machine fails. I created my service principals using freeipa - all systems are clean installs of Centos 7.2. For now, I disabled krb5, but that is not a good solution. Thank you, Ken

8 years, 7 months

2
4
0 / 0

audit.log with logrotate on CentOS

by Warron S French

Hello, I am using CentOS-6.7 and I have implemented the audispatch configurations and they are working pretty nicely. One of the requirements I have to satisfy, somehow, is 7 years retention of logdata. That is an enormous amount of data to store on /var/log/audit filesystem - even for a single server and 6 workstations combined. I have a 2.0TB sized filesystem in place already - but it won't be enough to satisfy the retention of 7 years of data. So, my plan is a tiered approach to managing the log files if someone could please advise on how best to implement the following: Rotate log files every single Monday morning at 12:01am. When I rotate them place the dateext extension (for example 20160523) to indicate all date is up to that date extension. When I rotate them, I also want to bzip2 compress them (I have the binaries on the server). Only keep at most 15 of those rotated (date-string extension applied) compressed files so that I can once a month take over a DVD burner and burn the files to DvD; however, I want to ensure that the files never grow any larger than the size of a normal (not dual-layer) DvD media which is typically 4.70GB (so I am estimating a 4.0GB limitation) that is after rotation and compression. Can someone help me figure out how to most appropriately (and more importantly) and successfully implement this configuration? Warron French, MBA, SCSA

8 years, 7 months

2
2
0 / 0

Better error message in auditd wanted

by Christian Boltz

Hello, I'd like to ask for a more useful error message in auditd ;-) If audit.log is world-readable (chmod 644 [1]), auditd refuses to start. The problem is that it gives a completely useless error message when doing that: # systemctl status auditd.service ● auditd.service - Security Auditing Service Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) Active: failed (Result: exit-code) since Sa 2016-05-21 12:43:55 CEST; 4min 14s ago Process: 8656 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS) Process: 8654 ExecStart=/sbin/auditd -n (code=exited, status=6) Main PID: 8654 (code=exited, status=6) Mai 21 12:43:55 tux systemd[1]: Starting Security Auditing Service... Mai 21 12:43:55 tux systemd[1]: auditd.service: Main process exited, code=exited, status=6/NOTCONFIGURED Mai 21 12:43:55 tux augenrules[8656]: /sbin/augenrules: No change Mai 21 12:43:55 tux augenrules[8656]: No rules Mai 21 12:43:55 tux systemd[1]: Failed to start Security Auditing Service. Mai 21 12:43:55 tux systemd[1]: auditd.service: Unit entered failed state. Mai 21 12:43:55 tux systemd[1]: auditd.service: Failed with result 'exit-code'. Exit status 6/NOTCONFIGURED is not really helpful and not even a correct) information :-( After searching around, reading the manpage etc. I tried to start auditd manually in debug mode: # auditd -f Config file /etc/audit/auditd.conf opened for parsing log_file_parser called with: /var/log/audit/audit.log /var/log/audit/audit.log permissions should be 0600 or 0640 The audit daemon is exiting. Now _that_ is a useful message and clearly states what the problem is. Can you please change auditd so that it prints or logs this useful message independent of the given parameters? In case it matters: I'm using openSUSE Tumbleweed with audit 2.5. Regards, Christian Boltz [1] I did that chmod to make testing of aa-logprof (part of the AppArmor userspace tools) easier. -- > I see no "do" in your script, so this will give you a "syntax error > near unexpected token `done'" after shutdown ;-)) I've been hearing funny noises after shutdown, that must be it :-) [> Christian Boltz and Chris Maaskant in opensuse]

8 years, 7 months

2
2
0 / 0

[PATCH] audit: fixup: log on errors from filter user rules

by Richard Guy Briggs

In commit 724e4fcc the intention was to pass any errors back from audit_filter_user_rules() to audit_filter_user(). Add that code. Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com> --- kernel/auditfilter.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index b8ff9e1..96c9a1b 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1339,8 +1339,8 @@ static int audit_filter_user_rules(struct audit_krule *rule, int type, break; } - if (!result) - return 0; + if (result <= 0) + return result; } switch (rule->action) { case AUDIT_NEVER: *state = AUDIT_DISABLED; break; -- 1.7.1

8 years, 7 months

2
1
0 / 0

[PATCH] audit: add support for session ID user filter

by Richard Guy Briggs

Define AUDIT_SESSIONID in the uapi and add support for specifying user filters based on the session ID. https://github.com/linux-audit/audit-kernel/issues/4 RFE: add a session ID filter to the kernel's user filter Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com> --- Like loginuid (auid), should this have a seperate field type (AUDIT_SESSIONID_UNDEFINED maybe?) to explicitly indicate that this value should be undefined rather than depending on an in-band value of -1 (or 4294967295)? If so, now would be the time to fix it. --- include/uapi/linux/audit.h | 1 + kernel/auditfilter.c | 2 ++ kernel/auditsc.c | 5 +++++ 3 files changed, 8 insertions(+), 0 deletions(-) diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 843540c..b6feaa7 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -251,6 +251,7 @@ #define AUDIT_OBJ_LEV_LOW 22 #define AUDIT_OBJ_LEV_HIGH 23 #define AUDIT_LOGINUID_SET 24 +#define AUDIT_SESSIONID 25 /* Session ID */ /* These are ONLY useful when checking * at syscall exit time (AUDIT_AT_EXIT). */ diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index b8ff9e1..23d076c 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -363,6 +363,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f) case AUDIT_EXIT: case AUDIT_SUCCESS: case AUDIT_INODE: + case AUDIT_SESSIONID: /* bit ops are only useful on syscall args */ if (f->op == Audit_bitmask || f->op == Audit_bittest) return -EINVAL; @@ -476,6 +477,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, if (!gid_valid(f->gid)) goto exit_free; break; + case AUDIT_SESSIONID: case AUDIT_ARCH: entry->rule.arch_f = f; break; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index b5daaa0..a82b1d9 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -445,6 +445,7 @@ static int audit_filter_rules(struct task_struct *tsk, const struct cred *cred; int i, need_sid = 1; u32 sid; + unsigned int sessionid; cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation); @@ -507,6 +508,10 @@ static int audit_filter_rules(struct task_struct *tsk, case AUDIT_FSGID: result = audit_gid_comparator(cred->fsgid, f->op, f->gid); break; + case AUDIT_SESSIONID: + sessionid = audit_get_sessionid(current); + result = audit_comparator(sessionid, f->op, f->val); + break; case AUDIT_PERS: result = audit_comparator(tsk->personality, f->op, f->val); break; -- 1.7.1

8 years, 7 months

2
1
0 / 0

Monitoring "root-level" commands

by Warron S French

My Special Security Team, not being UNIX/Linux savvy asked me if I could put into place audit rules that monitor "Root-Level" commands. I don't know of any specific identifier for such a term, and the closest thing I could come up with was monitoring those files that fall under /usr/sbin/ and /sbin/; does anyone else have any thoughts about how to approach this task? I figured I would use a rule such as: -w /sbin/ -p rawx -k watch_root_commands (I used rawx, to account for replacement by a hacker) Thank you in advance, Warron French, MBA, SCSA

8 years, 7 months

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit May 2016