Re: namespaces todo list?
by Paul Moore
On Wed, May 31, 2017 at 8:45 AM, Michał Zegan
<webczat_200(a)poczta.onet.pl> wrote:
> Hello.
>
> Trying to track progress with linux containers, however I am quite lost.
> So, what is left to be done? I mean namespace security holes, things you
> cannot do but should be able to, etc.
> I know about those:
...
> 2 - autofs, audit, whatever...?
Proper support for namespaces/containers is a high priority item for
those of us working in the audit space, if you are interested I would
suggest joining the linux-audit mailing list (CC'd).
--
paul moore
www.paul-moore.com
[RFC][PATCH] audit: add ambient capabilities to CAPSET and BPRM_FCAPS records
by Richard Guy Briggs
Capabilities were augmented to include ambient capabilities in v4.3
commit 58319057b784 ("capabilities: ambient capabilities").
Add ambient capabilities to the audit BPRM_FCAPS and CAPSET records.
The record contains fields "old_pp", "old_pi", "old_pe", "new_pp",
"new_pi", "new_pe" so in keeping with the previous record
normalizations, change the "new_*" variants to simply drop the "new_"
prefix.
A sample of the replaced BPRM_FCAPS record:
RAW: type=BPRM_FCAPS msg=audit(1491468034.252:237): fver=2 fp=0000000000200000 fi=0000000000000000 fe=1 old_pp=0000000000000000 old_pi=0000000000000000 old_pe=0000000000000000 old_pa=0000000000000000 pp=0000000000200000 pi=0000000000000000 pe=0000000000200000 pa=0000000000000000
INTERPRET: type=BPRM_FCAPS msg=audit(04/06/2017 04:40:34.252:237) : fver=2 fp=sys_admin fi=none fe=chown old_pp=none old_pi=none old_pe=none old_pa=none pp=sys_admin pi=none pe=sys_admin pa=none
A sample of the replaced CAPSET record:
RAW: type=CAPSET msg=audit(1491469502.371:242): pid=833 cap_pi=0000003fffffffff cap_pp=0000003fffffffff cap_pe=0000003fffffffff cap_pa=0000000000000000
INTERPRET: type=CAPSET msg=audit(04/06/2017 05:05:02.371:242) : pid=833
cap_pi=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
cap_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
cap_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
cap_pa=none
See: https://github.com/linux-audit/audit-kernel/issues/40
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/audit.h | 1 +
kernel/auditsc.c | 12 +++++++++---
2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/kernel/audit.h b/kernel/audit.h
index 144b7eb..364b155 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -68,6 +68,7 @@ struct audit_cap_data {
unsigned int fE; /* effective bit of file cap */
kernel_cap_t effective; /* effective set of process */
};
+ kernel_cap_t ambient;
};
/* When fs/namei.c:getname() is called, we store the pointer in name and bump
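Review bot: the added `kernel_cap_t ambient;` is the only member of `struct audit_cap_data` in this hunk without a trailing comment; its neighbours carry `/* effective set of process */`, so give this one `/* ambient set of process */` to match.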
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4db32e8..ebfa93d 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1260,6 +1260,7 @@ static void show_special(struct audit_context *context, int *call_panic)
audit_log_cap(ab, "cap_pi", &context->capset.cap.inheritable);
audit_log_cap(ab, "cap_pp", &context->capset.cap.permitted);
audit_log_cap(ab, "cap_pe", &context->capset.cap.effective);
+ audit_log_cap(ab, "cap_pa", &context->capset.cap.ambient);
break;
case AUDIT_MMAP:
audit_log_format(ab, "fd=%d flags=0x%x", context->mmap.fd,
@@ -1381,9 +1382,11 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
audit_log_cap(ab, "old_pp", &axs->old_pcap.permitted);
audit_log_cap(ab, "old_pi", &axs->old_pcap.inheritable);
audit_log_cap(ab, "old_pe", &axs->old_pcap.effective);
- audit_log_cap(ab, "new_pp", &axs->new_pcap.permitted);
- audit_log_cap(ab, "new_pi", &axs->new_pcap.inheritable);
- audit_log_cap(ab, "new_pe", &axs->new_pcap.effective);
+ audit_log_cap(ab, "old_pa", &axs->old_pcap.ambient);
+ audit_log_cap(ab, "pp", &axs->new_pcap.permitted);
+ audit_log_cap(ab, "pi", &axs->new_pcap.inheritable);
+ audit_log_cap(ab, "pe", &axs->new_pcap.effective);
+ audit_log_cap(ab, "pa", &axs->new_pcap.ambient);
break; }
}
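Review bot: renaming `new_pp`/`new_pi`/`new_pe` to `pp`/`pi`/`pe` changes the field names of an existing record type, so any consumer keyed on the old names stops matching silently; the commit message should say that the userspace interpreter is updated alongside this (the linked audit-kernel issue is the place to reference) rather than describe it only as a normalization.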
@@ -2340,10 +2343,12 @@ int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
ax->old_pcap.permitted = old->cap_permitted;
ax->old_pcap.inheritable = old->cap_inheritable;
ax->old_pcap.effective = old->cap_effective;
+ ax->old_pcap.ambient = old->cap_ambient;
ax->new_pcap.permitted = new->cap_permitted;
ax->new_pcap.inheritable = new->cap_inheritable;
ax->new_pcap.effective = new->cap_effective;
+ ax->new_pcap.ambient = new->cap_ambient;
return 0;
}
@@ -2362,6 +2367,7 @@ void __audit_log_capset(const struct cred *new, const struct cred *old)
context->capset.cap.effective = new->cap_effective;
context->capset.cap.inheritable = new->cap_effective;
context->capset.cap.permitted = new->cap_permitted;
+ context->capset.cap.ambient = new->cap_ambient;
context->type = AUDIT_CAPSET;
}
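Review bot: the unchanged context line `context->capset.cap.inheritable = new->cap_effective;` copies the effective set into the inheritable field, so the `cap_pi` value logged by show_special() is wrong whenever the two sets differ; that is a pre-existing bug rather than part of this change, but it deserves its own fix, and the sample CAPSET record cannot reveal it because all three sets are identical there.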
--
1.7.1
BIG performance hit with auditd on large systems (>64 CPUs)
by Klaus Lichtenwalder
Hi,
we have a few SAP systems on RHEV (so virtualized on KVM) with >= 74
CPUs and >= 400G RAM.
When the system is busy with large SAP jobs, it goes onto its knees with
cpu %system up to 80%, thus making the SAP jobs run twice as long. As
soon as you stop auditd everything returns to normal...
Facts:
RHEL6 instances on RHEL7 hosts.
the rule set (see below) runs fine on any other system with fewer CPUs
(<64, maybe this is the cutoff?). We have smaller systems with this
rule set that rotate the audit file nearly every minute without any
noticeable performance hit; these SAP systems rotate once every
20-24 hours....
Does anyone have an idea?
Here's an excerpt from "perf top":
with auditd running:
> Samples: 28M of event 'cpu-clock', Event count (approx.): 236747914918
> Overhead Shared Object Symbol
> 23.13% [kernel] [k] get_task_cred
> 10.05% [kernel] [k] audit_filter_rules
> 4.21% [kernel] [k] _spin_unlock_irqrestore
> 3.30% libdb2e.so.1 [.] sqlbfix
> 2.92% [kernel] [k] finish_task_switch
> 1.69% disp+work [.] rrol_in
> 1.69% disp+work [.] rrol_out
> 0.98% [kernel] [k] run_timer_softirq
> 0.96% [kernel] [k] rcu_process_gp_end
>
auditd stopped:
> Samples: 3M of event 'cpu-clock', Event count (approx.): 526535382557
> Overhead Shared Object Symbol
> 2.41% disp+work [.] memcmpU16
> 2.32% disp+work [.] MmxMalloc2
> 2.25% disp+work [.] ab_Rudi
> 2.07% disp+work [.] rrol_out
> 1.98% disp+work [.] rrol_in
> 1.95% disp+work [.] ab_CompByCmpCntx
> 1.88% libdb2e.so.1 [.] sqlbfix
> 1.73% disp+work [.] MmxFree2
> 1.62% [kernel] [k] run_timer_softirq
> 1.56% [kernel] [k] __do_softirq
> 1.39% disp+work [.] ab_InitRcDecompress
>
> These are the audit rules:
> auditctl -l
> -a always,exit -S all -F path=/etc/environment -F perm=wa -F auid>=400 -F key=CRIT_CONF
> -a always,exit -S all -F path=/etc/login.defs -F perm=wa -F auid>=400 -F key=CRIT_CONF
> -a always,exit -S all -F path=/etc/rsyslog.conf -F perm=wa -F auid>=400 -F key=CRIT_CONF
> -a always,exit -S all -F path=/etc/ssh/sshd_config -F perm=wa -F auid>=400 -F key=CRIT_CONF
> -a always,exit -S all -F path=/etc/cron.allow -F perm=wa -F auid>=400 -F key=CRIT_CONF
> -a always,exit -S all -F path=/etc/cron.deny -F perm=wa -F auid>=400 -F key=CRIT_CONF
> -a always,exit -S all -F dir=/etc/cron.d -F perm=wa -F auid>=400 -F key=CRIT_CONF
> -a always,exit -S all -F dir=/etc/cron.daily -F perm=wa -F auid>=400 -F key=CRIT_CONF
> -a always,exit -S all -F dir=/etc/cron.hourly -F perm=wa -F auid>=400 -F key=CRIT_CONF
> -a always,exit -S all -F dir=/etc/cron.monthly -F perm=wa -F auid>=400 -F key=CRIT_CONF
> -a always,exit -S all -F dir=/etc/cron.weekly -F perm=wa -F auid>=400 -F key=CRIT_CONF
> -a always,exit -S all -F path=/etc/aliases -F perm=wa -F auid>=400 -F key=CRIT_CONF
> -a always,exit -S all -F dir=/etc/alternatives -F perm=wa -F auid>=400 -F key=CRIT_CONF
> -a always,exit -S all -F path=/etc/at.allow -F perm=wa -F auid>=400 -F key=CRIT_CONF
> -a always,exit -S all -F path=/etc/at.deny -F perm=wa -F auid>=400 -F key=CRIT_CONF
> -a always,exit -S all -F path=/etc/audisp/plugins.d/syslog.conf -F perm=wa -F auid>=400 -F key=CRIT_AUDIT
> -a always,exit -S all -F path=/etc/audisp/audispd.conf -F perm=wa -F auid>=400 -F key=CRIT_AUDIT
> -a always,exit -S all -F path=/etc/audit/auditd.conf -F perm=wa -F auid>=400 -F key=CRIT_AUDIT
> -a always,exit -S all -F path=/etc/bashrc -F perm=wa -F auid>=400 -F key=CRIT_CONF
> -a always,exit -S all -F path=/etc/crontab -F perm=wa -F auid>=400 -F key=CRIT_CONF
> -a always,exit -S all -F path=/etc/shells -F perm=wa -F auid>=400 -F key=CRIT_CONF
> -a always,exit -S all -F dir=/etc/default -F perm=wa -F auid>=400 -F key=CRIT_CONF
> -a always,exit -S all -F path=/etc/depmod.conf -F perm=wa -F auid>=400 -F key=CRIT_CONF
> -a always,exit -S all -F dir=/etc/depmod.d -F perm=wa -F auid>=400 -F key=CRIT_CONF
> -a always,exit -S all -F path=/etc/exports -F perm=wa -F auid>=400 -F key=CRIT_CONF
> -a always,exit -S all -F path=/etc/group -F perm=wa -F auid>=400 -F key=USER_MGMT
> -a always,exit -S all -F path=/etc/passwd -F perm=wa -F auid>=400 -F key=USER_MGMT
> -a always,exit -S all -F path=/etc/shadow -F perm=wa -F auid>=400 -F key=USER_MGMT
> -a always,exit -S all -F path=/etc/inittab -F perm=wa -F auid>=400 -F key=CRIT_CONF
> -a always,exit -S all -F dir=/bin -F perm=wa -F auid>=400 -F key=CRIT_PROG
> -a always,exit -S all -F dir=/sbin -F perm=wa -F auid>=400 -F key=CRIT_PROG
> -a always,exit -S all -F dir=/usr/bin -F perm=wa -F auid>=400 -F key=CRIT_PROG
> -a always,exit -S all -F dir=/usr/sbin -F perm=wa -F auid>=400 -F key=CRIT_PROG
> -a always,exit -S all -F dir=/etc/init.d -F perm=wa -F auid>=400 -F key=CRIT_PROG
> -a always,exit -S all -F path=/etc/nsswitch.conf -F perm=wa -F auid>=400 -F key=CRIT_CONF
> -a always,exit -S all -F path=/etc/ldap.conf -F perm=wa -F auid>=400 -F key=USER_MGMT
> -a always,exit -S all -F path=/etc/sssd/sssd.conf -F perm=wa -F auid>=400 -F key=USER_MGMT
> -a always,exit -S all -F dir=/var/spool/cron -F perm=wa -F auid>=400 -F key=CRIT_CONF
> -a always,exit -S all -F path=/var/spool/atjobs -F perm=wa -F auid>=400 -F key=CRIT_CONF
> -a always,exit -S all -F path=/usr/bin/sudo -F perm=x -F auid>=400 -F key=USER_MGMT
> -a always,exit -S all -F path=/etc/sudoers -F perm=wa -F auid>=400 -F key=USER_MGMT
> -a always,exit -S all -F dir=/etc/sudoers.d -F perm=wa -F auid>=400 -F key=USER_MGMT
> -a always,exit -F arch=b64 -S execve -F auid>=500 -F auid<10000 -F key=USER_EXEC
> -a always,exit -F arch=b64 -S execve -F auid>=5000000 -F auid!=-1 -F key=USER_EXEC
> -a always,exit -S all -F dir=/etc/pam.d -F perm=wa -F auid>=400 -F key=CRIT_PAM
> -a always,exit -S all -F dir=/etc/security -F perm=wa -F auid>=400 -F key=CRIT_CONF
> -a always,exit -S all -F path=/etc/libaudit.conf -F perm=wa -F auid>=400 -F key=CRIT_AUDIT
> -a always,exit -S all -F path=/etc/init.d/auditd -F perm=wa -F auid>=400 -F key=CRIT_AUDIT
> -a always,exit -S all -F dir=/appdata/daten/S3_audit -F perm=rwa -F auid>=400 -F auid<10000 -F auid!=-1 -F key=S3DATA
> -a always,exit -S all -F dir=/appdata/daten/S3_audit -F perm=rwa -F auid>=5000000 -F auid!=-1 -F key=S3DATA
>
--
------------------------------------------------------------------------
Klaus Lichtenwalder, Dipl. Inform., http://www.lichtenwalder.name/
PGP Key fingerprint: 3AE6 044D 1161 1ABF AC2D 23B3 4C15 7232 FDCA 0980
libaudit vsn 1/2 changes
by Frederick House
Does anyone know the specific changes to libaudit v1 that warranted a major version upgrade to v2 (i.e., libaudit.so.0 -> libaudit.so.1)? I'd like to understand the major differences without having to diff the source code of audit-1.8 and audit-2.0!
Thanks,
Fred
[PATCH] audit: fix the RCU locking for the auditd_connection structure
by Paul Moore
From: Paul Moore <paul(a)paul-moore.com>
This patch is the stable-4.11.y backport of commit 48d0e023af97 (same
subject) in Linus' master branch. Unfortunately the commit in Linus'
tree doesn't merge cleanly in the v4.11.y tree due to the auditd PID
conversion from an int/pid_t to the pid structure; almost all of the
merge fuzzing in this patch is due to that difference.
Original patch description:
"Cong Wang correctly pointed out that the RCU read locking of the
auditd_connection struct was wrong, this patch corrects this by
adopting a more traditional, and correct RCU locking model.
This patch is heavily based on an earlier prototype by Cong Wang."
Cc: <stable(a)vger.kernel.org> # 4.11.x-
Reported-by: Cong Wang <xiyou.wangcong(a)gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong(a)gmail.com>
Signed-off-by: Paul Moore <paul(a)paul-moore.com>
---
kernel/audit.c | 167 +++++++++++++++++++++++++++++++++++++++-----------------
1 file changed, 115 insertions(+), 52 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index a871bf80fde1..dd2c339c8eb9 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -110,18 +110,19 @@ struct audit_net {
* @pid: auditd PID
* @portid: netlink portid
* @net: the associated network namespace
- * @lock: spinlock to protect write access
+ * @rcu: RCU head
*
* Description:
* This struct is RCU protected; you must either hold the RCU lock for reading
- * or the included spinlock for writing.
+ * or the associated spinlock for writing.
*/
static struct auditd_connection {
int pid;
u32 portid;
struct net *net;
- spinlock_t lock;
-} auditd_conn;
+ struct rcu_head rcu;
+} *auditd_conn = NULL;
+static DEFINE_SPINLOCK(auditd_conn_lock);
/* If audit_rate_limit is non-zero, limit the rate of sending audit records
* to that number per second. This prevents DoS attacks, but results in
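Review bot: the kerneldoc now refers to "the associated spinlock" without naming it; name `auditd_conn_lock` there, since it is the lock every `rcu_dereference_protected(auditd_conn, lockdep_is_held(...))` caller must hold and this comment is the only place that states the rule.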
@@ -223,15 +224,39 @@ struct audit_reply {
int auditd_test_task(const struct task_struct *task)
{
int rc;
+ struct auditd_connection *ac;
rcu_read_lock();
- rc = (auditd_conn.pid && task->tgid == auditd_conn.pid ? 1 : 0);
+ ac = rcu_dereference(auditd_conn);
+ rc = (ac && ac->pid == task->tgid ? 1 : 0);
rcu_read_unlock();
return rc;
}
/**
+ * auditd_pid_vnr - Return the auditd PID relative to the namespace
+ *
+ * Description:
+ * Returns the PID in relation to the namespace, 0 on failure.
+ */
+static pid_t auditd_pid_vnr(void)
+{
+ pid_t pid;
+ const struct auditd_connection *ac;
+
+ rcu_read_lock();
+ ac = rcu_dereference(auditd_conn);
+ if (!ac)
+ pid = 0;
+ else
+ pid = ac->pid;
+ rcu_read_unlock();
+
+ return pid;
+}
+
+/**
* audit_get_sk - Return the audit socket for the given network namespace
* @net: the destination network namespace
*
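Review bot: `auditd_pid_vnr()` promises, by its name and its "relative to the namespace" kerneldoc, a namespace-translated PID, but it just returns the stored `ac->pid`; in this 4.11.y backport the field is still a plain `int` (the cover text says the pid-struct conversion came later), so either word the comment as "returns the registered PID" or note that the value is only meaningful as seen from the registering namespace.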
@@ -427,6 +452,23 @@ static int audit_set_failure(u32 state)
}
/**
+ * auditd_conn_free - RCU helper to release an auditd connection struct
+ * @rcu: RCU head
+ *
+ * Description:
+ * Drop any references inside the auditd connection tracking struct and free
+ * the memory.
+ */
+static void auditd_conn_free(struct rcu_head *rcu)
+{
+ struct auditd_connection *ac;
+
+ ac = container_of(rcu, struct auditd_connection, rcu);
+ put_net(ac->net);
+ kfree(ac);
+}
+
+/**
* auditd_set - Set/Reset the auditd connection state
* @pid: auditd PID
* @portid: auditd netlink portid
@@ -434,22 +476,33 @@ static int audit_set_failure(u32 state)
*
* Description:
* This function will obtain and drop network namespace references as
- * necessary.
+ * necessary. Returns zero on success, negative values on failure.
*/
-static void auditd_set(int pid, u32 portid, struct net *net)
+static int auditd_set(int pid, u32 portid, struct net *net)
{
unsigned long flags;
+ struct auditd_connection *ac_old, *ac_new;
- spin_lock_irqsave(&auditd_conn.lock, flags);
- auditd_conn.pid = pid;
- auditd_conn.portid = portid;
- if (auditd_conn.net)
- put_net(auditd_conn.net);
- if (net)
- auditd_conn.net = get_net(net);
- else
- auditd_conn.net = NULL;
- spin_unlock_irqrestore(&auditd_conn.lock, flags);
+ if (!pid || !net)
+ return -EINVAL;
+
+ ac_new = kzalloc(sizeof(*ac_new), GFP_KERNEL);
+ if (!ac_new)
+ return -ENOMEM;
+ ac_new->pid = pid;
+ ac_new->portid = portid;
+ ac_new->net = get_net(net);
+
+ spin_lock_irqsave(&auditd_conn_lock, flags);
+ ac_old = rcu_dereference_protected(auditd_conn,
+ lockdep_is_held(&auditd_conn_lock));
+ rcu_assign_pointer(auditd_conn, ac_new);
+ spin_unlock_irqrestore(&auditd_conn_lock, flags);
+
+ if (ac_old)
+ call_rcu(&ac_old->rcu, auditd_conn_free);
+
+ return 0;
}
/**
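Review bot: `auditd_set()` now returns `-EINVAL` for `pid == 0` or `net == NULL`, so the old "pass 0 to reset" usage no longer works; `auditd_reset()` in this series does its own pointer swap, but check for any other caller that relied on `auditd_set(0, 0, NULL)`. A one-line comment that the `GFP_KERNEL` allocation is deliberately done before `spin_lock_irqsave()` is taken would also help the next reader.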
@@ -544,13 +597,19 @@ static void kauditd_retry_skb(struct sk_buff *skb)
*/
static void auditd_reset(void)
{
+ unsigned long flags;
struct sk_buff *skb;
+ struct auditd_connection *ac_old;
/* if it isn't already broken, break the connection */
- rcu_read_lock();
- if (auditd_conn.pid)
- auditd_set(0, 0, NULL);
- rcu_read_unlock();
+ spin_lock_irqsave(&auditd_conn_lock, flags);
+ ac_old = rcu_dereference_protected(auditd_conn,
+ lockdep_is_held(&auditd_conn_lock));
+ rcu_assign_pointer(auditd_conn, NULL);
+ spin_unlock_irqrestore(&auditd_conn_lock, flags);
+
+ if (ac_old)
+ call_rcu(&ac_old->rcu, auditd_conn_free);
/* flush all of the main and retry queues to the hold queue */
while ((skb = skb_dequeue(&audit_retry_queue)))
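Review bot: the lock / `rcu_dereference_protected()` / `rcu_assign_pointer()` / `call_rcu()` sequence here is a copy of the one in `auditd_set()` with `NULL` in place of `ac_new`; a small static helper that swaps in a new pointer and schedules the old one for `auditd_conn_free()` would keep the two paths from drifting apart.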
@@ -576,6 +635,7 @@ static int auditd_send_unicast_skb(struct sk_buff *skb)
u32 portid;
struct net *net;
struct sock *sk;
+ struct auditd_connection *ac;
/* NOTE: we can't call netlink_unicast while in the RCU section so
* take a reference to the network namespace and grab local
@@ -585,15 +645,15 @@ static int auditd_send_unicast_skb(struct sk_buff *skb)
* section netlink_unicast() should safely return an error */
rcu_read_lock();
- if (!auditd_conn.pid) {
+ ac = rcu_dereference(auditd_conn);
+ if (!ac) {
rcu_read_unlock();
rc = -ECONNREFUSED;
goto err;
}
- net = auditd_conn.net;
- get_net(net);
+ net = get_net(ac->net);
sk = audit_get_sk(net);
- portid = auditd_conn.portid;
+ portid = ac->portid;
rcu_read_unlock();
rc = netlink_unicast(sk, skb, portid, 0);
@@ -728,6 +788,7 @@ static int kauditd_thread(void *dummy)
u32 portid = 0;
struct net *net = NULL;
struct sock *sk = NULL;
+ struct auditd_connection *ac;
#define UNICAST_RETRIES 5
@@ -735,14 +796,14 @@ static int kauditd_thread(void *dummy)
while (!kthread_should_stop()) {
/* NOTE: see the lock comments in auditd_send_unicast_skb() */
rcu_read_lock();
- if (!auditd_conn.pid) {
+ ac = rcu_dereference(auditd_conn);
+ if (!ac) {
rcu_read_unlock();
goto main_queue;
}
- net = auditd_conn.net;
- get_net(net);
+ net = get_net(ac->net);
sk = audit_get_sk(net);
- portid = auditd_conn.portid;
+ portid = ac->portid;
rcu_read_unlock();
/* attempt to flush the hold queue */
@@ -1102,9 +1163,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
memset(&s, 0, sizeof(s));
s.enabled = audit_enabled;
s.failure = audit_failure;
- rcu_read_lock();
- s.pid = auditd_conn.pid;
- rcu_read_unlock();
+ s.pid = auditd_pid_vnr();
s.rate_limit = audit_rate_limit;
s.backlog_limit = audit_backlog_limit;
s.lost = atomic_read(&audit_lost);
@@ -1143,38 +1202,44 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
/* test the auditd connection */
audit_replace(requesting_pid);
- rcu_read_lock();
- auditd_pid = auditd_conn.pid;
+ auditd_pid = auditd_pid_vnr();
/* only the current auditd can unregister itself */
if ((!new_pid) && (requesting_pid != auditd_pid)) {
- rcu_read_unlock();
audit_log_config_change("audit_pid", new_pid,
auditd_pid, 0);
return -EACCES;
}
/* replacing a healthy auditd is not allowed */
if (auditd_pid && new_pid) {
- rcu_read_unlock();
audit_log_config_change("audit_pid", new_pid,
auditd_pid, 0);
return -EEXIST;
}
- rcu_read_unlock();
-
- if (audit_enabled != AUDIT_OFF)
- audit_log_config_change("audit_pid", new_pid,
- auditd_pid, 1);
if (new_pid) {
/* register a new auditd connection */
- auditd_set(new_pid,
- NETLINK_CB(skb).portid,
- sock_net(NETLINK_CB(skb).sk));
+ err = auditd_set(new_pid,
+ NETLINK_CB(skb).portid,
+ sock_net(NETLINK_CB(skb).sk));
+ if (audit_enabled != AUDIT_OFF)
+ audit_log_config_change("audit_pid",
+ new_pid,
+ auditd_pid,
+ err ? 0 : 1);
+ if (err)
+ return err;
+
/* try to process any backlog */
wake_up_interruptible(&kauditd_wait);
- } else
+ } else {
+ if (audit_enabled != AUDIT_OFF)
+ audit_log_config_change("audit_pid",
+ new_pid,
+ auditd_pid, 1);
+
/* unregister the auditd connection */
auditd_reset();
+ }
}
if (s.mask & AUDIT_STATUS_RATE_LIMIT) {
err = audit_set_rate_limit(s.rate_limit);
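Review bot: the `auditd_pid = auditd_pid_vnr()` snapshot and the later `auditd_set()` are separate critical sections, so the "replacing a healthy auditd is not allowed" check is only sound if AUDIT_SET handling is serialized by a higher-level lock; that is not visible in this hunk (and the old `rcu_read_lock()` never serialized writers either), so a short comment at the snapshot naming what provides that serialization would help. The new error path is otherwise correct: the config change is logged with `res=0` before `err` is returned.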
@@ -1447,10 +1512,11 @@ static void __net_exit audit_net_exit(struct net *net)
{
struct audit_net *aunet = net_generic(net, audit_net_id);
- rcu_read_lock();
- if (net == auditd_conn.net)
- auditd_reset();
- rcu_read_unlock();
+ /* NOTE: you would think that we would want to check the auditd
+ * connection and potentially reset it here if it lives in this
+ * namespace, but since the auditd connection tracking struct holds a
+ * reference to this namespace (see auditd_set()) we are only ever
+ * going to get here after that connection has been released */
netlink_kernel_release(aunet->sk);
}
@@ -1470,9 +1536,6 @@ static int __init audit_init(void)
if (audit_initialized == AUDIT_DISABLED)
return 0;
- memset(&auditd_conn, 0, sizeof(auditd_conn));
- spin_lock_init(&auditd_conn.lock);
-
skb_queue_head_init(&audit_queue);
skb_queue_head_init(&audit_retry_queue);
skb_queue_head_init(&audit_hold_queue);
[PATCH] errormsg: add descriptive macros to replace overloaded error codes
by Richard Guy Briggs
Several return codes were overloaded and no longer giving helpful error
return messages from the field and comparison functions
audit_rule_fieldpair_data() and audit_rule_interfield_comp_data().
Introduce 2 new macros with more helpful error descriptions for filter
missing, incompatible comparison data.
See: https://github.com/linux-audit/audit-userspace/issues/12
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
lib/errormsg.h | 4 ++++
lib/libaudit.c | 28 ++++++++++++++--------------
2 files changed, 18 insertions(+), 14 deletions(-)
diff --git a/lib/errormsg.h b/lib/errormsg.h
index 35b7f95..159d8f6 100644
--- a/lib/errormsg.h
+++ b/lib/errormsg.h
@@ -67,6 +67,8 @@ static const struct msg_tab err_msgtab[] = {
{ -29, 1, "only takes = operator" },
{ -30, 2, "Field option not supported by kernel:" },
{ -31, 1, "must be used with exclude, user, or exit filter" },
+ { -32, 0, "filter is missing from rule" },
+ { -33, 2, "-C incompatible comparison" },
};
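Review bot: the other entries with a type of 2 (`"-F unknown message type -"`, `"Field option not supported by kernel:"`) end in a separator because the offending text is appended to them; `"-C incompatible comparison"` has no trailing `:` or `-`, so the appended field will run straight into the message. Either end it the same way or use type 0 if nothing is appended.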
#define EAU_OPMISSING 1
#define EAU_FIELDUNKNOWN 2
@@ -97,4 +99,6 @@ static const struct msg_tab err_msgtab[] = {
#define EAU_OPEQ 29
#define EAU_FIELDNOSUPPORT 30
#define EAU_FIELDNOFILTER 31
+#define EAU_FILTERMISSING 32
+#define EAU_COMPINCOMPAT 33
#endif
diff --git a/lib/libaudit.c b/lib/libaudit.c
index b481f52..18cd384 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -976,7 +976,7 @@ int audit_rule_interfield_comp_data(struct audit_rule_data **rulep,
struct audit_rule_data *rule = *rulep;
if (f == NULL)
- return -1;
+ return -EAU_FILTERMISSING;
if (rule->field_count >= (AUDIT_MAX_FIELDS - 1))
return -EAU_FIELDTOOMANY;
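Review bot: the `f == NULL` guard now reports "filter is missing from rule", but nothing in this hunk shows that `f` is the filter rather than the field/value pair being parsed; confirm what `f` holds at this point in `audit_rule_interfield_comp_data()` (and at the matching check in `audit_rule_fieldpair_data()` below) so the new message names the thing that is actually missing.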
@@ -1043,7 +1043,7 @@ int audit_rule_interfield_comp_data(struct audit_rule_data **rulep,
AUDIT_COMPARE_UID_TO_EUID;
break;
default:
- return -1;
+ return -EAU_COMPINCOMPAT;
}
break;
case AUDIT_FSUID:
@@ -1069,7 +1069,7 @@ int audit_rule_interfield_comp_data(struct audit_rule_data **rulep,
AUDIT_COMPARE_UID_TO_FSUID;
break;
default:
- return -1;
+ return -EAU_COMPINCOMPAT;
}
break;
case AUDIT_LOGINUID:
@@ -1095,7 +1095,7 @@ int audit_rule_interfield_comp_data(struct audit_rule_data **rulep,
AUDIT_COMPARE_UID_TO_AUID;
break;
default:
- return -1;
+ return -EAU_COMPINCOMPAT;
}
break;
case AUDIT_SUID:
@@ -1121,7 +1121,7 @@ int audit_rule_interfield_comp_data(struct audit_rule_data **rulep,
AUDIT_COMPARE_UID_TO_SUID;
break;
default:
- return -1;
+ return -EAU_COMPINCOMPAT;
}
break;
case AUDIT_OBJ_UID:
@@ -1147,7 +1147,7 @@ int audit_rule_interfield_comp_data(struct audit_rule_data **rulep,
AUDIT_COMPARE_SUID_TO_OBJ_UID;
break;
default:
- return -1;
+ return -EAU_COMPINCOMPAT;
}
break;
case AUDIT_UID:
@@ -1173,7 +1173,7 @@ int audit_rule_interfield_comp_data(struct audit_rule_data **rulep,
AUDIT_COMPARE_UID_TO_SUID;
break;
default:
- return -1;
+ return -EAU_COMPINCOMPAT;
}
break;
@@ -1197,7 +1197,7 @@ int audit_rule_interfield_comp_data(struct audit_rule_data **rulep,
AUDIT_COMPARE_EGID_TO_SGID;
break;
default:
- return -1;
+ return -EAU_COMPINCOMPAT;
}
break;
case AUDIT_FSGID:
@@ -1219,7 +1219,7 @@ int audit_rule_interfield_comp_data(struct audit_rule_data **rulep,
AUDIT_COMPARE_EGID_TO_FSGID;
break;
default:
- return -1;
+ return -EAU_COMPINCOMPAT;
}
break;
case AUDIT_GID:
@@ -1241,7 +1241,7 @@ int audit_rule_interfield_comp_data(struct audit_rule_data **rulep,
AUDIT_COMPARE_GID_TO_SGID;
break;
default:
- return -1;
+ return -EAU_COMPINCOMPAT;
}
break;
case AUDIT_OBJ_GID:
@@ -1263,7 +1263,7 @@ int audit_rule_interfield_comp_data(struct audit_rule_data **rulep,
AUDIT_COMPARE_SGID_TO_OBJ_GID;
break;
default:
- return -1;
+ return -EAU_COMPINCOMPAT;
}
break;
case AUDIT_SGID:
@@ -1285,11 +1285,11 @@ int audit_rule_interfield_comp_data(struct audit_rule_data **rulep,
AUDIT_COMPARE_EGID_TO_SGID;
break;
default:
- return -1;
+ return -EAU_COMPINCOMPAT;
}
break;
default:
- return -1;
+ return -EAU_COMPINCOMPAT;
break;
}
rule->field_count++;
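Review bot: the outer `default:` now reads `return -EAU_COMPINCOMPAT;` followed by an unreachable `break;`; since the line is being touched anyway, drop the dead `break` so this case matches the inner ones.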
@@ -1389,7 +1389,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
struct audit_rule_data *rule = *rulep;
if (f == NULL)
- return -1;
+ return -EAU_FILTERMISSING;
if (rule->field_count >= (AUDIT_MAX_FIELDS - 1))
return -EAU_FIELDTOOMANY;
--
1.7.1
[PATCH 1/2] errormsg: correct a number of messages that have drifted
by Richard Guy Briggs
A number of error message descriptions have drifted from the conditions that
caused them in audit_rule_fieldpair_data() including expansion of fields to be
used by the user filter list, restriction to the exit list only and changing an
operator to "equals" only. Correct these, using the new errormsg macros.
See: https://github.com/linux-audit/audit-userspace/issues/12
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
lib/errormsg.h | 4 ++--
lib/libaudit.c | 10 +++++-----
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/lib/errormsg.h b/lib/errormsg.h
index 17ff767..35b7f95 100644
--- a/lib/errormsg.h
+++ b/lib/errormsg.h
@@ -44,7 +44,7 @@ static const struct msg_tab err_msgtab[] = {
{ -6, 1, "requested bit level not supported by machine" },
{ -7, 1, "can only be used with exit filter list" },
{ -8, 2, "-F unknown message type -" },
- { -9, 0, "msgtype field can only be used with exclude filter list" },
+ { -9, 0, "msgtype field can only be used with exclude or user filter list" },
{ -10, 0, "Failed upgrading rule" },
{ -11, 0, "String value too long" },
{ -12, 0, "Only msgtype, *uid, *gid, pid, and subj* fields can be used with exclude filter" },
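Review bot: entry -9 is widened to "exclude or user filter list", but the unchanged entry -12 in the same context still says "... can be used with exclude filter"; if the user filter accepts those same fields, -12 has drifted in the same way and should be corrected in this patch too.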
@@ -76,7 +76,7 @@ static const struct msg_tab err_msgtab[] = {
#define EAU_ARCHNOBIT 6
#define EAU_EXITONLY 7
#define EAU_MSGTYPEUNKNOWN 8
-#define EAU_MSGTYPEEXCLUDE 9
+#define EAU_MSGTYPEEXCLUDEUSER 9
#define EAU_UPGRADEFAIL 10
#define EAU_STRTOOLONG 11
#define EAU_MSGTYPECREDEXCLUDE 12
diff --git a/lib/libaudit.c b/lib/libaudit.c
index a3b4261..b481f52 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -1516,7 +1516,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
break;
case AUDIT_EXIT:
if (flags != AUDIT_FILTER_EXIT)
- return -7;
+ return -EAU_EXITONLY;
vlen = strlen(v);
if (isdigit((char)*(v)))
rule->values[rule->field_count] =
@@ -1535,7 +1535,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
case AUDIT_MSGTYPE:
if (flags != AUDIT_FILTER_EXCLUDE &&
flags != AUDIT_FILTER_USER)
- return -EAU_MSGTYPEEXCLUDE;
+ return -EAU_MSGTYPEEXCLUDEUSER;
if (isdigit((char)*(v)))
rule->values[rule->field_count] =
@@ -1639,7 +1639,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
if (flags != AUDIT_FILTER_EXIT)
return -EAU_EXITONLY;
else if (op != AUDIT_EQUAL)
- return -EAU_OPEQNOTEQ;
+ return -EAU_OPEQ;
else {
unsigned int i, len, val = 0;
@@ -1670,7 +1670,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
break;
case AUDIT_FILETYPE:
if (!(flags == AUDIT_FILTER_EXIT))
- return -EAU_EXITENTRYONLY;
+ return -EAU_EXITONLY;
rule->values[rule->field_count] =
audit_name_to_ftype(v);
if ((int)rule->values[rule->field_count] < 0) {
@@ -1722,7 +1722,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
}
if (field == AUDIT_PPID && !(flags==AUDIT_FILTER_EXIT))
- return -EAU_EXITENTRYONLY;
+ return -EAU_EXITONLY;
if (!isdigit((char)*(v)))
return -EAU_FIELDVALNUM;
--
1.7.1
[PATCH] audit: unswing cap_* fields in PATH records
by Richard Guy Briggs
The cap_* fields swing in and out of PATH records.
If no capabilities are set, the cap_* fields are completely missing and when
one of the cap_fi or cap_fp values is empty, that field is omitted.
Original:
type=PATH msg=audit(04/20/2017 12:17:11.222:193) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=787694 dev=08:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
type=PATH msg=audit(04/20/2017 12:17:11.222:193) : item=0 name=/home/sleep inode=1319469 dev=08:03 mode=file,suid,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=sys_admin cap_fe=1 cap_fver=2
Normalize the PATH record by always printing all 4 cap_* fields.
Fixed:
type=PATH msg=audit(04/20/2017 13:01:31.679:201) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=787694 dev=08:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/20/2017 13:01:31.679:201) : item=0 name=/home/sleep inode=1319469 dev=08:03 mode=file,suid,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=sys_admin cap_fi=none cap_fe=1 cap_fver=2
See: https://github.com/linux-audit/audit-kernel/issues/42
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/audit.c | 20 ++++----------------
1 files changed, 4 insertions(+), 16 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 10bc2ba..de264d1 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1956,22 +1956,10 @@ void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
{
- kernel_cap_t *perm = &name->fcap.permitted;
- kernel_cap_t *inh = &name->fcap.inheritable;
- int log = 0;
-
- if (!cap_isclear(*perm)) {
- audit_log_cap(ab, "cap_fp", perm);
- log = 1;
- }
- if (!cap_isclear(*inh)) {
- audit_log_cap(ab, "cap_fi", inh);
- log = 1;
- }
-
- if (log)
- audit_log_format(ab, " cap_fe=%d cap_fver=%x",
- name->fcap.fE, name->fcap_ver);
+ audit_log_cap(ab, "cap_fp", &name->fcap.permitted);
+ audit_log_cap(ab, "cap_fi", &name->fcap.inheritable);
+ audit_log_format(ab, " cap_fe=%d cap_fver=%x",
+ name->fcap.fE, name->fcap_ver);
}
static inline int audit_copy_fcaps(struct audit_names *name,
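Review bot: the "Fixed" samples in the commit message show cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 for a file with no file capabilities, so a zero cap_fver is now the marker consumers must use to tell "no security.capability xattr" from "xattr present with these values"; nothing in the new four-line audit_log_fcaps() says so, and a one-line comment there would stop a future reader from treating the zero as a real version number. The commit message should also say explicitly that every PATH record grows by four fields and that anything keyed on the mere presence of cap_fp to detect file capabilities has to switch to testing cap_fver (or cap_fe) instead.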
--
1.7.1
7 years, 7 months
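A consumer of these records has to cope with both layouts for as long as old kernels are in the fleet. The following is an added example, not code from the patch or from the kernel: it parses the key=value body of a PATH record as `ausearch -i` prints it, fills in the four cap_* fields with exactly the values the patched kernel emits when they are absent, and decodes both the interpreted name lists and the raw 64-bit hex form of cap_fp/cap_fi. The sample records are the four lines from the commit message above; the capability bit numbering is the kernel's (bit 0 = chown ... bit 37 = audit_read).

```python
"""Normalise the cap_* fields of audit PATH records across the old and new layouts.

Added example, not code from the patch or the kernel.  Pre-patch kernels omit
cap_* entirely when a file has no capabilities and drop cap_fp or cap_fi
individually when that set is empty; the patched kernel always prints all four.
This module returns the same view for both, so a consumer written against one
layout keeps working on the other.
"""
import re

# key=value tokens.  The interpreted msg=audit(...) field contains a space and
# raw records quote file names, so those two shapes are matched explicitly.
_TOKEN = re.compile(r'(\w+)=(audit\([^)]*\)|"[^"]*"|\S+)')

# Linux capability numbers in bit order, used to decode the raw hex form.
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap "
    "linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock "
    "ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin "
    "sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write "
    "audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend "
    "audit_read"
).split()

# What the patched kernel prints for a file without a security.capability xattr.
FCAP_DEFAULTS = {"cap_fp": "none", "cap_fi": "none", "cap_fe": "0", "cap_fver": "0"}

# Sample records taken from the commit message above (old layout, then fixed layout).
OLD_NO_CAPS = ("type=PATH msg=audit(04/20/2017 12:17:11.222:193) : item=1 "
               "name=/lib64/ld-linux-x86-64.so.2 inode=787694 dev=08:03 mode=file,755 "
               "ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL")
OLD_WITH_CAPS = ("type=PATH msg=audit(04/20/2017 12:17:11.222:193) : item=0 name=/home/sleep "
                 "inode=1319469 dev=08:03 mode=file,suid,755 ouid=root ogid=root rdev=00:00 "
                 "obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=sys_admin cap_fe=1 cap_fver=2")
NEW_NO_CAPS = ("type=PATH msg=audit(04/20/2017 13:01:31.679:201) : item=1 "
               "name=/lib64/ld-linux-x86-64.so.2 inode=787694 dev=08:03 mode=file,755 "
               "ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL "
               "cap_fp=none cap_fi=none cap_fe=0 cap_fver=0")
NEW_WITH_CAPS = ("type=PATH msg=audit(04/20/2017 13:01:31.679:201) : item=0 name=/home/sleep "
                 "inode=1319469 dev=08:03 mode=file,suid,755 ouid=root ogid=root rdev=00:00 "
                 "obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=sys_admin cap_fi=none "
                 "cap_fe=1 cap_fver=2")


def parse_record(line):
    """Return the key=value pairs of one audit record as a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in _TOKEN.findall(line)}


def cap_set(value):
    """Turn a cap_fp/cap_fi value (interpreted name list or raw 16-digit hex) into a set."""
    if value == "none":
        return set()
    if re.fullmatch(r"[0-9a-fA-F]{16}", value):
        bits = int(value, 16)
        return {name for i, name in enumerate(CAP_NAMES) if bits >> i & 1}
    return set(value.split(","))


def normalize_fcaps(rec):
    """Return rec with all four cap_* fields present and decoded.

    Missing fields get the values the patched kernel would have printed, so an
    old-layout record and a new-layout record for the same file become identical.
    """
    if rec.get("type") != "PATH":
        raise ValueError("not a PATH record")
    out = dict(rec)
    for key, default in FCAP_DEFAULTS.items():
        out.setdefault(key, default)
    out["cap_fp"] = cap_set(out["cap_fp"])
    out["cap_fi"] = cap_set(out["cap_fi"])
    out["cap_fe"] = int(out["cap_fe"])
    out["cap_fver"] = int(out["cap_fver"], 16)  # the kernel prints fver with %x
    return out


def fcaps_view(line):
    """(name, permitted, inheritable, effective bit, xattr version) for one PATH line."""
    r = normalize_fcaps(parse_record(line))
    return (r["name"], frozenset(r["cap_fp"]), frozenset(r["cap_fi"]), r["cap_fe"], r["cap_fver"])


def has_file_caps(line):
    """True when the file carried a security.capability xattr.

    cap_fver is the portable test: in the old layout it only exists when a set is
    non-empty, in the new layout it is printed as 0 when there is no xattr.
    """
    return normalize_fcaps(parse_record(line))["cap_fver"] != 0


if __name__ == "__main__":
    for line in (OLD_NO_CAPS, OLD_WITH_CAPS, NEW_NO_CAPS, NEW_WITH_CAPS):
        print(fcaps_view(line), "fcaps" if has_file_caps(line) else "no fcaps")
```

Feeding the interpreted and the raw form of the same record through `cap_set()` yields the same set, which is what makes a detection rule such as "setuid binary that also carries cap_sys_admin in cap_fp" portable across `ausearch -i` output and raw `audit.log` lines.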
From where ANOM_MK_EXEC , ANOM_ROOT_TRANS ,comes ?
by Lev Olshvang
Hello list
There are events particularly interesting for IDS, like ANOM_MK_EXEC, ANOM_ROOT_TRANS.
These audit events are listed in the RHEL7 Security Guide.
On my Ubuntu distro they are absent at the user space level in /usr/include/linux/audit.h.
I have the RHEL7 kernel source linux-3.10.0-514.16.1.el7, which I downloaded from CentOS.
ANOM_MK_EXEC, ANOM_ROOT_TRANS do not appear there, neither in
linux-3.10.0-514.16.1.el7/include/uapi/linux/audit.h nor in the C files.
Please help me to understand who sends these events?
ThanX,
Lev
7 years, 7 months
BIG performance hit with auditd on large cpus (>64 cpus)
by Klaus Lichtenwalder
(note to moderator: i sent this before from the wrong address, hope it doesn't get duplicated)
Hi,
we have a few SAP systems on RHEV (so virtualized on KVM) with >= 74
CPUs and >= 400G RAM.
When the system is busy with large SAP jobs, it goes to its knees with
CPU %system up to 80%, making the SAP jobs run twice as long. As
soon as you stop auditd everything returns to normal...
Facts:
RHEL6 instances on RHEL7 hosts.
the rule set (see below) runs fine on any other system with fewer CPUs
(<64, maybe this is the cutoff?). We have smaller systems with this
rule set that rotate the audit file nearly every minute without any
noticeable performance hit; these SAP systems rotate once every
20-24 hours....
Does anyone have an idea?
Here's an excerpt from "perf top":
with auditd running:
Samples: 28M of event 'cpu-clock', Event count (approx.): 236747914918
Overhead Shared Object Symbol
23.13% [kernel] [k] get_task_cred
10.05% [kernel] [k] audit_filter_rules
4.21% [kernel] [k] _spin_unlock_irqrestore
3.30% libdb2e.so.1 [.] sqlbfix
2.92% [kernel] [k] finish_task_switch
1.69% disp+work [.] rrol_in
1.69% disp+work [.] rrol_out
0.98% [kernel] [k] run_timer_softirq
0.96% [kernel] [k] rcu_process_gp_end
auditd stopped:
Samples: 3M of event 'cpu-clock', Event count (approx.): 526535382557
Overhead Shared Object Symbol
2.41% disp+work [.] memcmpU16
2.32% disp+work [.] MmxMalloc2
2.25% disp+work [.] ab_Rudi
2.07% disp+work [.] rrol_out
1.98% disp+work [.] rrol_in
1.95% disp+work [.] ab_CompByCmpCntx
1.88% libdb2e.so.1 [.] sqlbfix
1.73% disp+work [.] MmxFree2
1.62% [kernel] [k] run_timer_softirq
1.56% [kernel] [k] __do_softirq
1.39% disp+work [.] ab_InitRcDecompress
These are the audit rules:
auditctl -l
-a always,exit -S all -F path=/etc/environment -F perm=wa -F auid>=400 -F key=CRIT_CONF
-a always,exit -S all -F path=/etc/login.defs -F perm=wa -F auid>=400 -F key=CRIT_CONF
-a always,exit -S all -F path=/etc/rsyslog.conf -F perm=wa -F auid>=400 -F key=CRIT_CONF
-a always,exit -S all -F path=/etc/ssh/sshd_config -F perm=wa -F auid>=400 -F key=CRIT_CONF
-a always,exit -S all -F path=/etc/cron.allow -F perm=wa -F auid>=400 -F key=CRIT_CONF
-a always,exit -S all -F path=/etc/cron.deny -F perm=wa -F auid>=400 -F key=CRIT_CONF
-a always,exit -S all -F dir=/etc/cron.d -F perm=wa -F auid>=400 -F key=CRIT_CONF
-a always,exit -S all -F dir=/etc/cron.daily -F perm=wa -F auid>=400 -F key=CRIT_CONF
-a always,exit -S all -F dir=/etc/cron.hourly -F perm=wa -F auid>=400 -F key=CRIT_CONF
-a always,exit -S all -F dir=/etc/cron.monthly -F perm=wa -F auid>=400 -F key=CRIT_CONF
-a always,exit -S all -F dir=/etc/cron.weekly -F perm=wa -F auid>=400 -F key=CRIT_CONF
-a always,exit -S all -F path=/etc/aliases -F perm=wa -F auid>=400 -F key=CRIT_CONF
-a always,exit -S all -F dir=/etc/alternatives -F perm=wa -F auid>=400 -F key=CRIT_CONF
-a always,exit -S all -F path=/etc/at.allow -F perm=wa -F auid>=400 -F key=CRIT_CONF
-a always,exit -S all -F path=/etc/at.deny -F perm=wa -F auid>=400 -F key=CRIT_CONF
-a always,exit -S all -F path=/etc/audisp/plugins.d/syslog.conf -F perm=wa -F auid>=400 -F key=CRIT_AUDIT
-a always,exit -S all -F path=/etc/audisp/audispd.conf -F perm=wa -F auid>=400 -F key=CRIT_AUDIT
-a always,exit -S all -F path=/etc/audit/auditd.conf -F perm=wa -F auid>=400 -F key=CRIT_AUDIT
-a always,exit -S all -F path=/etc/bashrc -F perm=wa -F auid>=400 -F key=CRIT_CONF
-a always,exit -S all -F path=/etc/crontab -F perm=wa -F auid>=400 -F key=CRIT_CONF
-a always,exit -S all -F path=/etc/shells -F perm=wa -F auid>=400 -F key=CRIT_CONF
-a always,exit -S all -F dir=/etc/default -F perm=wa -F auid>=400 -F key=CRIT_CONF
-a always,exit -S all -F path=/etc/depmod.conf -F perm=wa -F auid>=400 -F key=CRIT_CONF
-a always,exit -S all -F dir=/etc/depmod.d -F perm=wa -F auid>=400 -F key=CRIT_CONF
-a always,exit -S all -F path=/etc/exports -F perm=wa -F auid>=400 -F key=CRIT_CONF
-a always,exit -S all -F path=/etc/group -F perm=wa -F auid>=400 -F key=USER_MGMT
-a always,exit -S all -F path=/etc/passwd -F perm=wa -F auid>=400 -F key=USER_MGMT
-a always,exit -S all -F path=/etc/shadow -F perm=wa -F auid>=400 -F key=USER_MGMT
-a always,exit -S all -F path=/etc/inittab -F perm=wa -F auid>=400 -F key=CRIT_CONF
-a always,exit -S all -F dir=/bin -F perm=wa -F auid>=400 -F key=CRIT_PROG
-a always,exit -S all -F dir=/sbin -F perm=wa -F auid>=400 -F key=CRIT_PROG
-a always,exit -S all -F dir=/usr/bin -F perm=wa -F auid>=400 -F key=CRIT_PROG
-a always,exit -S all -F dir=/usr/sbin -F perm=wa -F auid>=400 -F key=CRIT_PROG
-a always,exit -S all -F dir=/etc/init.d -F perm=wa -F auid>=400 -F key=CRIT_PROG
-a always,exit -S all -F path=/etc/nsswitch.conf -F perm=wa -F auid>=400 -F key=CRIT_CONF
-a always,exit -S all -F path=/etc/ldap.conf -F perm=wa -F auid>=400 -F key=USER_MGMT
-a always,exit -S all -F path=/etc/sssd/sssd.conf -F perm=wa -F auid>=400 -F key=USER_MGMT
-a always,exit -S all -F dir=/var/spool/cron -F perm=wa -F auid>=400 -F key=CRIT_CONF
-a always,exit -S all -F path=/var/spool/atjobs -F perm=wa -F auid>=400 -F key=CRIT_CONF
-a always,exit -S all -F path=/usr/bin/sudo -F perm=x -F auid>=400 -F key=USER_MGMT
-a always,exit -S all -F path=/etc/sudoers -F perm=wa -F auid>=400 -F key=USER_MGMT
-a always,exit -S all -F dir=/etc/sudoers.d -F perm=wa -F auid>=400 -F key=USER_MGMT
-a always,exit -F arch=b64 -S execve -F auid>=500 -F auid<10000 -F key=USER_EXEC
-a always,exit -F arch=b64 -S execve -F auid>=5000000 -F auid!=-1 -F key=USER_EXEC
-a always,exit -S all -F dir=/etc/pam.d -F perm=wa -F auid>=400 -F key=CRIT_PAM
-a always,exit -S all -F dir=/etc/security -F perm=wa -F auid>=400 -F key=CRIT_CONF
-a always,exit -S all -F path=/etc/libaudit.conf -F perm=wa -F auid>=400 -F key=CRIT_AUDIT
-a always,exit -S all -F path=/etc/init.d/auditd -F perm=wa -F auid>=400 -F key=CRIT_AUDIT
-a always,exit -S all -F dir=/appdata/daten/S3_audit -F perm=rwa -F auid>=400 -F auid<10000 -F auid!=-1 -F key=S3DATA
-a always,exit -S all -F dir=/appdata/daten/S3_audit -F perm=rwa -F auid>=5000000 -F auid!=-1 -F key=S3DATA
Klaus
--
This message was sent from my Android phone with K-9 Mail.
7 years, 7 months
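Before arguing about the kernel side, it helps to know what a rule set like the one above costs per syscall. The kernel walks the exit filter list at every syscall exit and hands each rule whose syscall mask covers the current syscall to audit_filter_rules(), so every `-S all` rule is evaluated on every syscall of every process before any path comparison happens. The script below is an added example, not from the post or from the audit project: it parses `auditctl -l` output in the `-a/-S/-F/-k` form shown above (it does not handle the `-w/-p` shorthand), counts the rules that fire for every syscall, and flags a second, unrelated problem visible in the same rules: an `auid>=N` lower bound with no upper bound and no `auid!=-1` clause also matches the unset loginuid (-1, i.e. 4294967295), so system daemons are audited along with the interactive users the rule was meant for. The embedded sample is a six-line subset of the rules in the post.

```python
"""Size up an audit rule set the way the kernel will evaluate it.

Added example, not from the post or the audit project.  Parses `auditctl -l`
output (-a/-S/-F/-k form only), reports how many exit-list rules apply to every
syscall, and flags auid filters that also match the unset loginuid.
"""
import re
from collections import Counter
import shlex

# name, operator, value as auditctl prints them; longer operators listed first.
_FIELD = re.compile(r"^(\w+)(>=|<=|!=|&=|=|>|<|&)(.*)$")

# Any one of these clauses keeps the unset loginuid (4294967295) out of a rule.
_UNSET_GUARDS = {("<", None), ("<=", None), ("!=", "-1"),
                 ("!=", "4294967295"), ("!=", "unset")}

# Constructed sample: six of the rules from the post above, verbatim.
SAMPLE_RULES = """\
-a always,exit -S all -F path=/etc/passwd -F perm=wa -F auid>=400 -F key=USER_MGMT
-a always,exit -S all -F path=/etc/shadow -F perm=wa -F auid>=400 -F key=USER_MGMT
-a always,exit -S all -F dir=/usr/bin -F perm=wa -F auid>=400 -F key=CRIT_PROG
-a always,exit -F arch=b64 -S execve -F auid>=500 -F auid<10000 -F key=USER_EXEC
-a always,exit -F arch=b64 -S execve -F auid>=5000000 -F auid!=-1 -F key=USER_EXEC
-a always,exit -S all -F dir=/appdata/daten/S3_audit -F perm=rwa -F auid>=400 -F auid<10000 -F auid!=-1 -F key=S3DATA
"""


def parse_rule(line):
    """Parse one `auditctl -l` line into action, list, syscall set, fields and key."""
    argv = shlex.split(line)
    rule = {"action": None, "list": None, "syscalls": set(), "fields": [], "key": None}
    for opt, arg in zip(argv[0::2], argv[1::2]):
        if opt in ("-a", "-A"):
            first, _, second = arg.partition(",")
            # auditctl accepts and prints both "always,exit" and "exit,always".
            if first in ("always", "never"):
                rule["action"], rule["list"] = first, second
            else:
                rule["list"], rule["action"] = first, second
        elif opt == "-S":
            rule["syscalls"].update(arg.split(","))
        elif opt == "-F":
            m = _FIELD.match(arg)
            if not m:
                raise ValueError("unparseable field: %s" % arg)
            name, op, value = m.groups()
            if name == "key":
                rule["key"] = value
            else:
                rule["fields"].append((name, op, value))
        elif opt == "-k":
            rule["key"] = arg
        else:
            raise ValueError("unsupported option: %s" % opt)
    return rule


def parse_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


def summarize(text):
    """Counts a practitioner wants before touching the kernel: how many rules run per syscall."""
    rules = parse_rules(text)
    exit_rules = [r for r in rules if r["list"] == "exit"]
    every_syscall = [r for r in exit_rules if "all" in r["syscalls"]]
    return {
        "rules": len(rules),
        "exit_rules": len(exit_rules),
        "every_syscall_rules": len(every_syscall),   # evaluated on every syscall exit
        "narrow_rules": len(exit_rules) - len(every_syscall),
        "keys": Counter(r["key"] for r in rules),
    }


def lint_auid(text):
    """(key, watched path) of rules whose auid lower bound also matches the unset loginuid."""
    findings = []
    for rule in parse_rules(text):
        auid = [(op, val) for name, op, val in rule["fields"] if name == "auid"]
        if not any(op in (">", ">=") for op, _ in auid):
            continue  # no lower bound, nothing to widen
        guarded = any((op, None) in _UNSET_GUARDS or (op, val) in _UNSET_GUARDS
                      for op, val in auid)
        if not guarded:
            target = next((v for n, _, v in rule["fields"] if n in ("path", "dir")), "<no path>")
            findings.append((rule["key"], target))
    return findings


if __name__ == "__main__":
    print(summarize(SAMPLE_RULES))
    for key, target in lint_auid(SAMPLE_RULES):
        print("auid filter also matches unset loginuid:", key, target)
```

Run against the full list in the post, the summary shows that almost every rule is a `-S all` watch and only the two execve rules narrow their syscall mask, which is the shape the `audit_filter_rules` line in the perf output would be expected to reflect. The lint output is independent of the performance question but worth fixing at the same time, since every `-F auid>=400` rule without a guard also records daemon activity under the keys meant for interactive users.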