July 2016 - Linux-audit - Linux-Audit List Archives

[PATCH] audit: always enable syscall auditing when supported and audit is enabled

by Paul Moore

To the best of our knowledge, everyone who enables audit at compile time also enables syscall auditing; this patch simplifies the Kconfig menus by removing the option to disable syscall auditing when audit is selected and the target arch supports it. Signed-off-by: Paul Moore <pmoore(a)redhat.com> --- init/Kconfig | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/init/Kconfig b/init/Kconfig index c24b6f7..d4663b1 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -299,20 +299,15 @@ config AUDIT help Enable auditing infrastructure that can be used with another kernel subsystem, such as SELinux (which requires this for - logging of avc messages output). Does not do system-call - auditing without CONFIG_AUDITSYSCALL. + logging of avc messages output). System call auditing is included + on architectures which support it. config HAVE_ARCH_AUDITSYSCALL bool config AUDITSYSCALL - bool "Enable system-call auditing support" + def_bool y depends on AUDIT && HAVE_ARCH_AUDITSYSCALL - default y if SECURITY_SELINUX - help - Enable low-overhead system-call auditing infrastructure that - can be used independently or with another kernel subsystem, - such as SELinux. config AUDIT_WATCH def_bool y

5 years, 10 months

5
13
0 / 0

How do I get complete list of audit event types

by Satish Chandra Kilaru

Hi I want to understand the logs in /var/log/audit/audit.log. Where can I get complete list of audit event types and what they mean? --Satish Please Donate to www.wikipedia.org

7 years

4
5
0 / 0

[PATCH] security: lsm_audit: print pid and tid

by Jeff Vander Stoep

dump_common_audit_data() currently contains a field for pid, but the value printed is actually the thread ID, tid. Update this value to return the task group ID. Add a new field for tid. With this change the values printed by audit now match the values returned by the getpid() and gettid() syscalls. Signed-off-by: Jeff Vander Stoep <jeffv(a)google.com> --- security/lsm_audit.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/security/lsm_audit.c b/security/lsm_audit.c index cccbf30..57f26c1 100644 --- a/security/lsm_audit.c +++ b/security/lsm_audit.c @@ -220,7 +220,8 @@ static void dump_common_audit_data(struct audit_buffer *ab, */ BUILD_BUG_ON(sizeof(a->u) > sizeof(void *)*2); - audit_log_format(ab, " pid=%d comm=", task_pid_nr(current)); + audit_log_format(ab, " pid=%d tid=%d comm=", task_tgid_vnr(tsk), + task_pid_vnr(tsk)); audit_log_untrustedstring(ab, memcpy(comm, current->comm, sizeof(comm))); switch (a->type) { @@ -294,10 +295,12 @@ static void dump_common_audit_data(struct audit_buffer *ab, case LSM_AUDIT_DATA_TASK: { struct task_struct *tsk = a->u.tsk; if (tsk) { - pid_t pid = task_pid_nr(tsk); + pid_t pid = task_tgid_vnr(tsk); if (pid) { char comm[sizeof(tsk->comm)]; audit_log_format(ab, " opid=%d ocomm=", pid); + audit_log_format(ab, " opid=%d otid=%d ocomm=", + pid, task_pid_vnr(tsk)); audit_log_untrustedstring(ab, memcpy(comm, tsk->comm, sizeof(comm))); } -- 2.8.0.rc3.226.g39d4020

8 years, 3 months

4
7
0 / 0

Re: [PATCH] prctl: remove one-shot limitation for changing exe link

by Eric W. Biederman

Mateusz Guzik <mguzik(a)redhat.com> writes: > On Sat, Jul 30, 2016 at 12:31:40PM -0500, Eric W. Biederman wrote: >> So what I am requesting is very simple. That the checks in >> prctl_set_mm_exe_file be tightened up to more closely approach what >> execve requires. Thus preserving the value of the /proc/[pid]/exe for >> the applications that want to use the exe link. >> >> Once the checks in prctl_set_mm_exe_file are tightened up please feel >> free to remove the one shot test. >> > > This is more fishy. > > First of all exe_file is used by the audit subsystem. So someone has to > ask audit people what is the significance (if any) of the field. > > All exe_file users but one use get_mm_exe_file and handle NULL > gracefully. > > Even with the current limit of changing the field once, the user can > cause a transient failure of get_mm_exe_file which can fail to increment > the refcount before it drops to 0. > > This transient failure can be used to get a NULL value stored in > ->exe_file during fork (in dup_mmap): > RCU_INIT_POINTER(mm->exe_file, get_mm_exe_file(oldmm)); > > The one place which is not using get_mm_exe_file to get to the pointer > is audit_exe_compare: > rcu_read_lock(); > exe_file = rcu_dereference(tsk->mm->exe_file); > ino = exe_file->f_inode->i_ino; > dev = exe_file->f_inode->i_sb->s_dev; > rcu_read_unlock(); > > This is buggy on 2 accounts: > 1. exe_file can be NULL > 2. rcu does not protect f_inode > > The issue is made worse with allowing arbitrary number changes. > > Modifying get_mm_exe_file to retry is trivial and in effect never return > NULL is trivial. With arbitrary number of changes allowed this may > require some cond_resched() or something. > > For comments I cc'ed Richard Guy Briggs, who is both an audit person and > the author of audit_exe_compare. That is fair. Keeping the existing users working is what needs to happen. At the same time we have an arbitrary number of possible changes with exec, but I guess that works differently because the mm is changed as well. So yes let's bug fix this piece of code and then we can see about relaxing constraints. Eric

8 years, 4 months

2
1
0 / 0

[PATCH] semanage: add auditing of changes in records

by Miroslav Vadkerti

Common Criteria requirement FMT_MSA.1 needs any configuration change that affect enforcement of policy to be audited. This patch adds auditing of changes in security context mappings for network ports, interfaces, nodes and file contexts. A new function log_change is introduced that audits additions, modification and removal of the mappings via the USER_MAC_CONFIG_CHANGE audit event. The format of the audit events was discussed with the audit userspace maintainer. This patch resolves: https://bugzilla.redhat.com/show_bug.cgi?id=829175 Signed-off-by: Miroslav Vadkerti <mvadkert(a)redhat.com> --- policycoreutils/semanage/seobject.py | 75 ++++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py index 3b0b108..7d6caa3 100644 --- a/policycoreutils/semanage/seobject.py +++ b/policycoreutils/semanage/seobject.py @@ -82,6 +82,21 @@ file_type_str_to_option = {"all files": "a", "socket file": "s", "symbolic link": "l", "named pipe": "p"} + +proto_to_audit = {"tcp": 17, + "udp": 6, + "ipv4": 4, + "ipv6": 41} + +ftype_to_audit = {"": "any", + "b": "block", + "c": "char", + "d": "dir", + "f": "file", + "l": "symlink", + "p": "pipe", + "s": "socket"} + try: import audit @@ -90,6 +105,7 @@ try: def __init__(self): self.audit_fd = audit.audit_open() self.log_list = [] + self.log_change_list = [] def log(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""): @@ -109,10 +125,17 @@ try: def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""): self.log_list.append([self.audit_fd, audit.AUDIT_ROLE_REMOVE, sys.argv[0], str(msg), name, 0, sename, serole, serange, oldsename, oldserole, oldserange, "", "", ""]) + def log_change(self, msg): + self.log_change_list.append([self.audit_fd, audit.AUDIT_USER_MAC_CONFIG_CHANGE, str(msg), "semanage", "", "", ""]) + def commit(self, success): for l in self.log_list: audit.audit_log_semanage_message(*(l + [success])) + for l in self.log_change_list: + audit.audit_log_user_comm_message(*(l + [success])) + self.log_list = [] + self.log_change_list = [] except: class logger: @@ -138,6 +161,9 @@ except: def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""): self.log(msg, name, sename, serole, serange, oldsename, oldserole, oldserange) + def log_change(self, msg): + self.log_list.append(" %s" % msg) + def commit(self, success): if success == 1: message = "Successful: " @@ -155,6 +181,9 @@ class nulllogger: def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""): pass + def log_change(self, msg): + pass + def commit(self, success): pass @@ -1109,6 +1138,8 @@ class portRecords(semanageRecords): semanage_port_key_free(k) semanage_port_free(p) + self.mylog.log_change("resrc=port op=add lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u", "object_r", type, serange)) + def add(self, port, proto, serange, type): self.begin() self.__add(port, proto, serange, type) @@ -1150,6 +1181,8 @@ class portRecords(semanageRecords): semanage_port_key_free(k) semanage_port_free(p) + self.mylog.log_change("resrc=port op=modify lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u", "object_r", setype, serange)) + def modify(self, port, proto, serange, setype): self.begin() self.__modify(port, proto, serange, setype) @@ -1168,6 +1201,7 @@ class portRecords(semanageRecords): low = semanage_port_get_low(port) high = semanage_port_get_high(port) port_str = "%s-%s" % (low, high) + (k, proto_d, low, high) = self.__genkey(port_str, proto_str) if rc < 0: raise ValueError(_("Could not create a key for %s") % port_str) @@ -1177,6 +1211,11 @@ class portRecords(semanageRecords): raise ValueError(_("Could not delete the port %s") % port_str) semanage_port_key_free(k) + if low == high: + port_str = low + + self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port_str, proto_to_audit[proto_str])) + self.commit() def __delete(self, port, proto): @@ -1199,6 +1238,8 @@ class portRecords(semanageRecords): semanage_port_key_free(k) + self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port, proto_to_audit[proto])) + def delete(self, port, proto): self.begin() self.__delete(port, proto) @@ -1380,6 +1421,8 @@ class nodeRecords(semanageRecords): semanage_node_key_free(k) semanage_node_free(node) + self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, proto_to_audit[self.protocol[proto]], "system_u", "object_r", ctype, serange)) + def add(self, addr, mask, proto, serange, ctype): self.begin() self.__add(addr, mask, proto, serange, ctype) @@ -1421,6 +1464,8 @@ class nodeRecords(semanageRecords): semanage_node_key_free(k) semanage_node_free(node) + self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, proto_to_audit[self.protocol[proto]], "system_u", "object_r", setype, serange)) + def modify(self, addr, mask, proto, serange, setype): self.begin() self.__modify(addr, mask, proto, serange, setype) @@ -1452,6 +1497,8 @@ class nodeRecords(semanageRecords): semanage_node_key_free(k) + self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, proto_to_audit[self.protocol[proto]])) + def delete(self, addr, mask, proto): self.begin() self.__delete(addr, mask, proto) @@ -1581,6 +1628,8 @@ class interfaceRecords(semanageRecords): semanage_iface_key_free(k) semanage_iface_free(iface) + self.mylog.log_change("resrc=interface op=add netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", ctype, serange)) + def add(self, interface, serange, ctype): self.begin() self.__add(interface, serange, ctype) @@ -1618,6 +1667,8 @@ class interfaceRecords(semanageRecords): semanage_iface_key_free(k) semanage_iface_free(iface) + self.mylog.log_change("resrc=interface op=modify netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", setype, serange)) + def modify(self, interface, serange, setype): self.begin() self.__modify(interface, serange, setype) @@ -1646,6 +1697,8 @@ class interfaceRecords(semanageRecords): semanage_iface_key_free(k) + self.mylog.log_change("resrc=interface op=delete netif=%s" % interface) + def delete(self, interface): self.begin() self.__delete(interface) @@ -1775,6 +1828,8 @@ class fcontextRecords(semanageRecords): if i.startswith(target + "/"): raise ValueError(_("File spec %s conflicts with equivalency rule '%s %s'") % (target, i, fdict[i])) + self.mylog.log_change("resrc=fcontext op=add-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0))) + self.equiv[target] = substitute self.equal_ind = True self.commit() @@ -1785,6 +1840,9 @@ class fcontextRecords(semanageRecords): raise ValueError(_("Equivalence class for %s does not exists") % target) self.equiv[target] = substitute self.equal_ind = True + + self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0))) + self.commit() def createcon(self, target, seuser="system_u"): @@ -1879,6 +1937,11 @@ class fcontextRecords(semanageRecords): semanage_fcontext_key_free(k) semanage_fcontext_free(fcontext) + if not seuser: + seuser = "system_u" + + self.mylog.log_change("resrc=fcontext op=add %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange)) + def add(self, target, type, ftype="", serange="", seuser="system_u"): self.begin() self.__add(target, type, ftype, serange, seuser) @@ -1939,6 +2002,11 @@ class fcontextRecords(semanageRecords): semanage_fcontext_key_free(k) semanage_fcontext_free(fcontext) + if not seuser: + seuser = "system_u" + + self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange)) + def modify(self, target, setype, ftype, serange, seuser): self.begin() self.__modify(target, setype, ftype, serange, seuser) @@ -1964,6 +2032,8 @@ class fcontextRecords(semanageRecords): raise ValueError(_("Could not delete the file context %s") % target) semanage_fcontext_key_free(k) + self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype_str])) + self.equiv = {} self.equal_ind = True self.commit() @@ -1972,6 +2042,9 @@ class fcontextRecords(semanageRecords): if target in self.equiv.keys(): self.equiv.pop(target) self.equal_ind = True + + self.mylog.log_change("resrc=fcontext op=delete-equal %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype])) + return (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) @@ -1996,6 +2069,8 @@ class fcontextRecords(semanageRecords): semanage_fcontext_key_free(k) + self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype])) + def delete(self, target, ftype): self.begin() self.__delete(target, ftype) -- 1.8.3.1

8 years, 4 months

3
2
0 / 0

[PATCH 1/2] semanage: add auditing of changes in records

by Miroslav Vadkerti

Common Criteria requirement FMT_MSA.1 needs any configuration change that affect enforcement of policy to be audited. This patch adds auditing of changes in security context mappings for network ports, interfaces, nodes and file contexts. A new function log_change is introduced that audits additions, modification and removal of the mappings via the USER_MAC_CONFIG_CHANGE audit event. The format of the audit events was discussed with the audit userspace maintainer. This patch resolves: https://bugzilla.redhat.com/show_bug.cgi?id=829175 Signed-off-by: Miroslav Vadkerti <mvadkert(a)redhat.com> --- policycoreutils/semanage/seobject.py | 75 ++++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py index 3b0b108..799ce24 100644 --- a/policycoreutils/semanage/seobject.py +++ b/policycoreutils/semanage/seobject.py @@ -82,6 +82,21 @@ file_type_str_to_option = {"all files": "a", "socket file": "s", "symbolic link": "l", "named pipe": "p"} + +proto_to_audit = {"tcp": 17, + "udp": 6, + "ipv4": 4, + "ipv6": 41} + +ftype_to_audit = {"": "any", + "b": "block", + "c": "char", + "d": "dir", + "f": "file", + "l": "symlink", + "p": "pipe", + "s": "socket"} + try: import audit @@ -90,6 +105,7 @@ try: def __init__(self): self.audit_fd = audit.audit_open() self.log_list = [] + self.log_change_list = [] def log(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""): @@ -109,10 +125,17 @@ try: def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""): self.log_list.append([self.audit_fd, audit.AUDIT_ROLE_REMOVE, sys.argv[0], str(msg), name, 0, sename, serole, serange, oldsename, oldserole, oldserange, "", "", ""]) + def log_change(self, msg, hostname="", addr="", tty=""): + self.log_change_list.append([self.audit_fd, audit.AUDIT_USER_MAC_CONFIG_CHANGE, str(msg), "semanage", hostname, addr, tty]) + def commit(self, success): for l in self.log_list: audit.audit_log_semanage_message(*(l + [success])) + for l in self.log_change_list: + audit.audit_log_user_comm_message(*(l + [success])) + self.log_list = [] + self.log_change_list = [] except: class logger: @@ -138,6 +161,9 @@ except: def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""): self.log(msg, name, sename, serole, serange, oldsename, oldserole, oldserange) + def log_change(self, msg, hostname="", addr="", tty=""): + self.log_list.append(" %s" % msg) + def commit(self, success): if success == 1: message = "Successful: " @@ -155,6 +181,9 @@ class nulllogger: def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""): pass + def log_change(self, msg, hostname="", addr="", tty=""): + pass + def commit(self, success): pass @@ -1109,6 +1138,8 @@ class portRecords(semanageRecords): semanage_port_key_free(k) semanage_port_free(p) + self.mylog.log_change("resrc=port op=add lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u", "object_r", type, serange)) + def add(self, port, proto, serange, type): self.begin() self.__add(port, proto, serange, type) @@ -1150,6 +1181,8 @@ class portRecords(semanageRecords): semanage_port_key_free(k) semanage_port_free(p) + self.mylog.log_change("resrc=port op=modify lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u", "object_r", setype, serange)) + def modify(self, port, proto, serange, setype): self.begin() self.__modify(port, proto, serange, setype) @@ -1168,6 +1201,7 @@ class portRecords(semanageRecords): low = semanage_port_get_low(port) high = semanage_port_get_high(port) port_str = "%s-%s" % (low, high) + (k, proto_d, low, high) = self.__genkey(port_str, proto_str) if rc < 0: raise ValueError(_("Could not create a key for %s") % port_str) @@ -1177,6 +1211,11 @@ class portRecords(semanageRecords): raise ValueError(_("Could not delete the port %s") % port_str) semanage_port_key_free(k) + if low == high: + port_str = low + + self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port_str, proto_to_audit[proto_str])) + self.commit() def __delete(self, port, proto): @@ -1199,6 +1238,8 @@ class portRecords(semanageRecords): semanage_port_key_free(k) + self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port, proto_to_audit[proto])) + def delete(self, port, proto): self.begin() self.__delete(port, proto) @@ -1380,6 +1421,8 @@ class nodeRecords(semanageRecords): semanage_node_key_free(k) semanage_node_free(node) + self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, proto_to_audit[self.protocol[proto]], "system_u", "object_r", ctype, serange)) + def add(self, addr, mask, proto, serange, ctype): self.begin() self.__add(addr, mask, proto, serange, ctype) @@ -1421,6 +1464,8 @@ class nodeRecords(semanageRecords): semanage_node_key_free(k) semanage_node_free(node) + self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, proto_to_audit[self.protocol[proto]], "system_u", "object_r", setype, serange)) + def modify(self, addr, mask, proto, serange, setype): self.begin() self.__modify(addr, mask, proto, serange, setype) @@ -1452,6 +1497,8 @@ class nodeRecords(semanageRecords): semanage_node_key_free(k) + self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, proto_to_audit[self.protocol[proto]])) + def delete(self, addr, mask, proto): self.begin() self.__delete(addr, mask, proto) @@ -1581,6 +1628,8 @@ class interfaceRecords(semanageRecords): semanage_iface_key_free(k) semanage_iface_free(iface) + self.mylog.log_change("resrc=interface op=add netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", ctype, serange)) + def add(self, interface, serange, ctype): self.begin() self.__add(interface, serange, ctype) @@ -1618,6 +1667,8 @@ class interfaceRecords(semanageRecords): semanage_iface_key_free(k) semanage_iface_free(iface) + self.mylog.log_change("resrc=interface op=modify netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", setype, serange)) + def modify(self, interface, serange, setype): self.begin() self.__modify(interface, serange, setype) @@ -1646,6 +1697,8 @@ class interfaceRecords(semanageRecords): semanage_iface_key_free(k) + self.mylog.log_change("resrc=interface op=delete netif=%s" % interface) + def delete(self, interface): self.begin() self.__delete(interface) @@ -1775,6 +1828,8 @@ class fcontextRecords(semanageRecords): if i.startswith(target + "/"): raise ValueError(_("File spec %s conflicts with equivalency rule '%s %s'") % (target, i, fdict[i])) + self.mylog.log_change("resrc=fcontext op=add-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0))) + self.equiv[target] = substitute self.equal_ind = True self.commit() @@ -1785,6 +1840,9 @@ class fcontextRecords(semanageRecords): raise ValueError(_("Equivalence class for %s does not exists") % target) self.equiv[target] = substitute self.equal_ind = True + + self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0))) + self.commit() def createcon(self, target, seuser="system_u"): @@ -1879,6 +1937,11 @@ class fcontextRecords(semanageRecords): semanage_fcontext_key_free(k) semanage_fcontext_free(fcontext) + if not seuser: + seuser = "system_u" + + self.mylog.log_change("resrc=fcontext op=add %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange)) + def add(self, target, type, ftype="", serange="", seuser="system_u"): self.begin() self.__add(target, type, ftype, serange, seuser) @@ -1939,6 +2002,11 @@ class fcontextRecords(semanageRecords): semanage_fcontext_key_free(k) semanage_fcontext_free(fcontext) + if not seuser: + seuser = "system_u" + + self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange)) + def modify(self, target, setype, ftype, serange, seuser): self.begin() self.__modify(target, setype, ftype, serange, seuser) @@ -1964,6 +2032,8 @@ class fcontextRecords(semanageRecords): raise ValueError(_("Could not delete the file context %s") % target) semanage_fcontext_key_free(k) + self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype_str])) + self.equiv = {} self.equal_ind = True self.commit() @@ -1972,6 +2042,9 @@ class fcontextRecords(semanageRecords): if target in self.equiv.keys(): self.equiv.pop(target) self.equal_ind = True + + self.mylog.log_change("resrc=fcontext op=delete-equal %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype])) + return (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) @@ -1996,6 +2069,8 @@ class fcontextRecords(semanageRecords): semanage_fcontext_key_free(k) + self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype])) + def delete(self, target, ftype): self.begin() self.__delete(target, ftype) -- 1.8.3.1

8 years, 4 months

3
4
0 / 0

Question about the a[[:digit:]+]\[.*\] fields

by Mateusz Piotrowski

Hello, According to the field dictionary[1] there are fields which names are defined by the following regex: "a[[:digit:]+]\[.*\]". I was able to find examples of fields like "a4" and "a5" (see [2]) but it doesn't fit the regex which seems to require a pair of square brackets (so "a4" should be "a4[]" or "a4[foo]"). I couldn't find any reference in the Linux Audit source code. My questions are: 1. Is this regex valid and up-to-date? Or is it an outdated rule which doesn't apply anymore? 2. Could you suggest me where to look to see how those arguments to the execve syscall are handled? 3. Could you post an example of a record with a field which fits the regex (assuming the regex is valid)? Cheers! -Mateusz [1]: https://github.com/linux-audit/audit-documentation/blob/master/specs/fiel... [2]: https://www.redhat.com/archives/linux-audit/2012-October/msg00090.html

8 years, 4 months

3
5
0 / 0

How can I install the latest version of Linux Audit on CentOS 6.8?

by Mateusz Piotrowski

Hello, I’m trying to update the 2013 version of auditd on a just installed CentOS 6.8-i386. So far I’ve downloaded audit-userspace from GitHub[1] and I’ve faced a couple of problems: 1. README says that I should consult the README-install file. I cannot see this file. Where is it? 2. I consulted the INSTALL.tmp and since I’ve not got any ./configure file inside my clone I deducted I’ve got to run ./autogen.sh. I was missing some dependencies so I ran `yum install autoconf automake libtool`. Then I ran `./configure --sbindir=/sbin --with-python=yes --with-libwrap --enable-gssapi-krb5=yes --with-libcap-ng=yes` but the command failed at this is a part of the log I got (the full log file is available here[2]): configure: WARNING: unrecognized options: --with-libcap-ng ... Checking for programs ... ./configure: line 13130: AX_PROG_CC_FOR_BUILD: command not found ... Checking for header files ... checking for python... /usr/bin/python checking for python version... 2.6 checking for python platform... linux2 checking for python script directory... ${prefix}/lib/python2.6/site-packages checking for python extension module directory... ${exec_prefix}/lib/python2.6/site-packages configure: error: Python explicitly requested and python headers were not found Have you got any idea what the problem is? Is there an easier way to get the latest Linux Audit version on my system? Cheers! -m [1]: https://github.com/linux-audit/audit-userspace <https://github.com/linux-audit/audit-userspace> [2]: http://pastebin.com/jd7ZSmLV <http://pastebin.com/jd7ZSmLV> [Logs in a raw txt format]: http://pastebin.com/raw/Jd7ZSmLV <http://pastebin.com/raw/Jd7ZSmLV>

8 years, 4 months

2
3
0 / 0

[GIT PULL] Audit patches for 4.8

by Paul Moore

Hi Linus, Six audit patches for 4.8. There are a couple of style and minor whitespace tweaks for the logs, as well as a minor fixup to catch errors on user filter rules, however the major improvements are a fix to the s390 syscall argument masking code (reviewed by the nice s390 folks), some consolidation around the exclude filtering (less code, always a win), and a double-fetch fix for recording the execve arguments. Please pull for 4.8. Thanks, -Paul --- The following changes since commit 2dcd0af568b0cf583645c8a317dd12e344b1c72a: Linux 4.6 (2016-05-15 15:43:13 -0700) are available in the git repository at: git://git.infradead.org/users/pcmoore/audit stable-4.8 for you to fetch changes up to 43761473c254b45883a64441dd0bc85a42f3645c: audit: fix a double fetch in audit_log_single_execve_arg() (2016-07-20 14:15:46 -0400) ---------------------------------------------------------------- Paul Moore (3): audit: fix some horrible switch statement style crimes s390: ensure that syscall arguments are properly masked on s390 audit: fix a double fetch in audit_log_single_execve_arg() Richard Guy Briggs (2): audit: fixup: log on errors from filter user rules audit: add fields to exclude filter by reusing user filter Steve Grubb (1): audit: fix whitespace in CWD record arch/s390/kernel/ptrace.c | 10 +- include/linux/audit.h | 2 - kernel/audit.c | 4 +- kernel/audit.h | 2 + kernel/auditfilter.c | 147 +++++++------------- kernel/auditsc.c | 342 +++++++++++++++++++++--------------------- 6 files changed, 235 insertions(+), 272 deletions(-) -- paul moore security @ redhat

8 years, 4 months

1
0
0 / 0

[PATCH] alpha_table.h: Syscall 511 is getrandom, not renameat2

by James Clarke

--- This fixes gen_alpha_tables_h aborting due to renameat2 being duplicated. lib/alpha_table.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/alpha_table.h b/lib/alpha_table.h index 08171cc..c43744f 100644 --- a/lib/alpha_table.h +++ b/lib/alpha_table.h @@ -451,6 +451,6 @@ _S(507, "finit_module") _S(508, "sched_setattr") _S(509, "sched_getattr") _S(510, "renameat2") -_S(511, "renameat2") +_S(511, "getrandom") _S(512, "memfd_create") _S(513, "execveat") -- 2.9.1

8 years, 4 months

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit July 2016