[PATCH] audit: always enable syscall auditing when supported and audit is enabled
by Paul Moore
To the best of our knowledge, everyone who enables audit at compile
time also enables syscall auditing; this patch simplifies the Kconfig
menus by removing the option to disable syscall auditing when audit
is selected and the target arch supports it.
Signed-off-by: Paul Moore <pmoore(a)redhat.com>
---
init/Kconfig | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/init/Kconfig b/init/Kconfig
index c24b6f7..d4663b1 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -299,20 +299,15 @@ config AUDIT
help
Enable auditing infrastructure that can be used with another
kernel subsystem, such as SELinux (which requires this for
- logging of avc messages output). Does not do system-call
- auditing without CONFIG_AUDITSYSCALL.
+ logging of avc messages output). System call auditing is included
+ on architectures which support it.
config HAVE_ARCH_AUDITSYSCALL
bool
config AUDITSYSCALL
- bool "Enable system-call auditing support"
+ def_bool y
depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
- default y if SECURITY_SELINUX
- help
- Enable low-overhead system-call auditing infrastructure that
- can be used independently or with another kernel subsystem,
- such as SELinux.
config AUDIT_WATCH
def_bool y
[PATCH V3] filter: add filesystem filter with fstype
by Richard Guy Briggs
Tracefs or debugfs were causing hundreds to thousands of PATH records to
be associated with the init_module and finit_module SYSCALL records on a
few modules when the following rule was in place for startup:
-a always,exit -F arch=x86_64 -S init_module -F key=mod-load
Add the new "filesystem" filter list anchored in __audit_inode_child() to
filter out PATH records from uninteresting filesystem types, "fstype",
keying on their kernel hexadecimal 4-octet magic identifier.
An example rule would look like:
-a never,filesystem -F fstype=0x74726163 -F key=ignore_tracefs
-a never,filesystem -F fstype=0x64626720 -F key=ignore_debugfs
Note: "always,filesystem" will log the PATH record anyways and add latency.
See: https://github.com/linux-audit/audit-kernel/issues/8
See: https://github.com/linux-audit/audit-userspace/issues/15
Test case: https://github.com/linux-audit/audit-testsuite/issues/42
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
v3:
Update feature bitmap macros to reflect filter name change.
v2:
Change filter name from "path" to "filesystem".
Rebase onto other patches accepted upstream.
docs/audit_add_rule_data.3 | 3 +++
lib/errormsg.h | 5 +++++
lib/fieldtab.h | 2 ++
lib/flagtab.h | 10 ++++++----
lib/libaudit.c | 26 ++++++++++++++++++++++++--
lib/libaudit.h | 10 ++++++++++
lib/private.h | 1 +
src/auditctl-listing.c | 6 ++++--
src/auditctl.c | 16 ++++++++++++++--
9 files changed, 69 insertions(+), 10 deletions(-)
diff --git a/docs/audit_add_rule_data.3 b/docs/audit_add_rule_data.3
index a0802c0..1e7540c 100644
--- a/docs/audit_add_rule_data.3
+++ b/docs/audit_add_rule_data.3
@@ -22,6 +22,9 @@ AUDIT_FILTER_EXIT - Apply rule at syscall exit. This is the main filter that is
.TP
\(bu
AUDIT_FILTER_TYPE - Apply rule at audit_log_start. This is the exclude filter which discards any records that match.
+.TP
+\(bu
+AUDIT_FILTER_FS - Apply rule when adding PATH auxiliary records to SYSCALL events. This is the filesystem filter. This is used to ignore PATH records that are not of interest.
.LP
.PP
diff --git a/lib/errormsg.h b/lib/errormsg.h
index 91d8252..ef54589 100644
--- a/lib/errormsg.h
+++ b/lib/errormsg.h
@@ -20,6 +20,7 @@
* Authors:
* Zhang Xiliang <zhangxiliang(a)cn.fujitsu.com>
* Steve Grubb <sgrubb(a)redhat.com>
+ * Richard Guy Briggs <rgb(a)redhat.com>
*/
struct msg_tab {
@@ -66,6 +67,8 @@ struct msg_tab {
#define EAU_FIELDNOFILTER 31
#define EAU_FILTERMISSING 32
#define EAU_COMPINCOMPAT 33
+#define EAU_FIELDUNAVAIL 34
+#define EAU_FILTERNOSUPPORT 35
static const struct msg_tab err_msgtab[] = {
{ -EAU_OPMISSING, 2, "-F missing operation for" },
{ -EAU_FIELDUNKNOWN, 2, "-F unknown field:" },
@@ -100,5 +103,7 @@ static const struct msg_tab err_msgtab[] = {
{ -EAU_FIELDNOFILTER, 1, "must be used with exclude, user, or exit filter" },
{ -EAU_FILTERMISSING, 0, "filter is missing from rule" },
{ -EAU_COMPINCOMPAT, 2, "-C incompatible comparison" },
+ { -EAU_FIELDUNAVAIL, 1, "field is not valid for the filter" },
+ { -EAU_FILTERNOSUPPORT, 1, "filter is not supported ty kernel" },
};
#endif
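Review bot: The new message table entry `{ -EAU_FILTERNOSUPPORT, 1, "filter is not supported ty kernel" }` has a typo in a user-visible string; it should read `"filter is not supported by kernel"`, since auditctl prints this text when an fstype rule is rejected on an older kernel. The companion entry for EAU_FIELDUNAVAIL reads fine.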
diff --git a/lib/fieldtab.h b/lib/fieldtab.h
index 0c5e39d..c425d5b 100644
--- a/lib/fieldtab.h
+++ b/lib/fieldtab.h
@@ -18,6 +18,7 @@
*
* Authors:
* Steve Grubb <sgrubb(a)redhat.com>
+ * Richard Guy Briggs <rgb(a)redhat.com>
*/
_S(AUDIT_PID, "pid" )
@@ -56,6 +57,7 @@ _S(AUDIT_WATCH, "path" )
_S(AUDIT_PERM, "perm" )
_S(AUDIT_DIR, "dir" )
_S(AUDIT_FILETYPE, "filetype" )
+_S(AUDIT_FSTYPE, "fstype" )
_S(AUDIT_OBJ_UID, "obj_uid" )
_S(AUDIT_OBJ_GID, "obj_gid" )
_S(AUDIT_FIELD_COMPARE, "field_compare" )
diff --git a/lib/flagtab.h b/lib/flagtab.h
index 4b04692..7a618e0 100644
--- a/lib/flagtab.h
+++ b/lib/flagtab.h
@@ -18,8 +18,10 @@
*
* Authors:
* Steve Grubb <sgrubb(a)redhat.com>
+ * Richard Guy Briggs <rgb(a)redhat.com>
*/
-_S(AUDIT_FILTER_TASK, "task" )
-_S(AUDIT_FILTER_EXIT, "exit" )
-_S(AUDIT_FILTER_USER, "user" )
-_S(AUDIT_FILTER_EXCLUDE, "exclude" )
+_S(AUDIT_FILTER_TASK, "task" )
+_S(AUDIT_FILTER_EXIT, "exit" )
+_S(AUDIT_FILTER_USER, "user" )
+_S(AUDIT_FILTER_EXCLUDE, "exclude" )
+_S(AUDIT_FILTER_FS, "filesystem")
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 18cd384..58134a2 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -19,6 +19,7 @@
* Authors:
* Steve Grubb <sgrubb(a)redhat.com>
* Rickard E. (Rik) Faith <faith(a)redhat.com>
+ * Richard Guy Briggs <rgb(a)redhat.com>
*/
#include "config.h"
@@ -85,6 +86,7 @@ int _audit_permadded = 0;
int _audit_archadded = 0;
int _audit_syscalladded = 0;
int _audit_exeadded = 0;
+int _audit_filterfsadded = 0;
unsigned int _audit_elf = 0U;
static struct libaudit_conf config;
@@ -1466,6 +1468,23 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
}
}
+ /* FS filter can be used only with FSTYPE field */
+ if (flags == AUDIT_FILTER_FS) {
+ uint32_t features = audit_get_features();
+ if ((features & AUDIT_FEATURE_BITMAP_FILTER_FS) == 0) {
+ return -EAU_FILTERNOSUPPORT;
+ } else {
+ switch(field) {
+ case AUDIT_FSTYPE:
+ _audit_filterfsadded = 1;
+ case AUDIT_FILTERKEY:
+ break;
+ default:
+ return -EAU_FIELDUNAVAIL;
+ }
+ }
+ }
+
rule->fields[rule->field_count] = field;
rule->fieldflags[rule->field_count] = op;
switch (field)
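Review bot: The `case AUDIT_FSTYPE:` arm at `_audit_filterfsadded = 1;` drops straight into `case AUDIT_FILTERKEY:` without the `/* fallthrough */` marker this file uses elsewhere (the `default:` arm later in this same function carries one), so it reads like a missing `break`; add `/* fallthrough */` after the assignment. The `else` wrapping the switch is redundant because the preceding branch returns, and dropping it removes one indentation level. The check also treats whatever `audit_get_features()` returns as a bitmap; if that helper can signal failure (for example on a kernel without the feature query), the rule is rejected as EAU_FILTERNOSUPPORT rather than with a clearer error, which is worth confirming against its contract. audit_rule_fieldpair_data begins and ends outside this hunk.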
@@ -1580,7 +1599,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
}
if (field == AUDIT_FILTERKEY &&
!(_audit_syscalladded || _audit_permadded ||
- _audit_exeadded))
+ _audit_exeadded ||
+ _audit_filterfsadded))
return -EAU_KEYDEP;
vlen = strlen(v);
if (field == AUDIT_FILTERKEY &&
@@ -1715,7 +1735,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
return -EAU_EXITONLY;
/* fallthrough */
default:
- if (field == AUDIT_INODE) {
+ if (field == AUDIT_INODE || field == AUDIT_FSTYPE) {
if (!(op == AUDIT_NOT_EQUAL ||
op == AUDIT_EQUAL))
return -EAU_OPEQNOTEQ;
@@ -1727,6 +1747,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
if (!isdigit((char)*(v)))
return -EAU_FIELDVALNUM;
+ if (field == AUDIT_FSTYPE && flags != AUDIT_FILTER_FS)
+ return -EAU_FIELDUNAVAIL;
if (field == AUDIT_INODE)
rule->values[rule->field_count] =
strtoul(v, NULL, 0);
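Review bot: The added `if (field == AUDIT_FSTYPE && flags != AUDIT_FILTER_FS)` check sits after the `isdigit` test, so an fstype given on the wrong filter with a non-numeric value is reported as EAU_FIELDVALNUM instead of EAU_FIELDUNAVAIL; moving the two added lines above the `isdigit` check lets the filter mismatch take precedence. The assignment that follows still parses only `AUDIT_INODE` with `strtoul(v, NULL, 0)`; the example fstype values in the description are hex magic numbers (`0x74726163`), so whatever stores the FSTYPE value below this hunk must also parse with base 0 — that code is outside the hunk. The enclosing function continues past this hunk.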
diff --git a/lib/libaudit.h b/lib/libaudit.h
index e5c7a4d..70646cd 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -277,6 +277,9 @@ extern "C" {
#define AUDIT_KEY_SEPARATOR 0x01
/* These are used in filter control */
+#ifndef AUDIT_FILTER_FS
+#define AUDIT_FILTER_FS 0x06 /* FS record filter in __audit_inode_child */
+#endif
#define AUDIT_FILTER_EXCLUDE AUDIT_FILTER_TYPE
#define AUDIT_FILTER_MASK 0x07 /* Mask to get actual filter */
#define AUDIT_FILTER_UNSET 0x80 /* This value means filter is unset */
@@ -305,6 +308,9 @@ extern "C" {
#ifndef AUDIT_FEATURE_BITMAP_LOST_RESET
#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
#endif
+#ifndef AUDIT_FEATURE_BITMAP_FILTER_FS
+#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
+#endif
/* Defines for interfield comparison update */
#ifndef AUDIT_OBJ_UID
@@ -324,6 +330,10 @@ extern "C" {
#define AUDIT_SESSIONID 25
#endif
+#ifndef AUDIT_FSTYPE
+#define AUDIT_FSTYPE 26
+#endif
+
#ifndef AUDIT_COMPARE_UID_TO_OBJ_UID
#define AUDIT_COMPARE_UID_TO_OBJ_UID 1
#endif
diff --git a/lib/private.h b/lib/private.h
index cde1906..bd5e8b3 100644
--- a/lib/private.h
+++ b/lib/private.h
@@ -139,6 +139,7 @@ extern int _audit_permadded;
extern int _audit_archadded;
extern int _audit_syscalladded;
extern int _audit_exeadded;
+extern int _audit_filterfsadded;
extern unsigned int _audit_elf;
#ifdef __cplusplus
diff --git a/src/auditctl-listing.c b/src/auditctl-listing.c
index 3bc8e71..50bc0b8 100644
--- a/src/auditctl-listing.c
+++ b/src/auditctl-listing.c
@@ -91,7 +91,8 @@ static int is_watch(const struct audit_rule_data *r)
if (((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_USER) &&
((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_TASK) &&
- ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_EXCLUDE)) {
+ ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_EXCLUDE) &&
+ ((r->flags & AUDIT_FILTER_MASK) != AUDIT_FILTER_FS)) {
for (i = 0; i < (AUDIT_BITMASK_SIZE-1); i++) {
if (r->mask[i] != (uint32_t)~0) {
all = 0;
@@ -139,7 +140,8 @@ static int print_syscall(const struct audit_rule_data *r, unsigned int *sc)
/* Rules on the following filters do not take a syscall */
if (((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_USER) ||
((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_TASK) ||
- ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE))
+ ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE) ||
+ ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_FS))
return 0;
/* See if its all or specific syscalls */
diff --git a/src/auditctl.c b/src/auditctl.c
index 04765f4..b99c957 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -19,6 +19,7 @@
* Authors:
* Steve Grubb <sgrubb(a)redhat.com>
* Rickard E. (Rik) Faith <faith(a)redhat.com>
+ * Richard Guy Briggs <rgb(a)redhat.com>
*/
#include "config.h"
@@ -74,6 +75,7 @@ static int reset_vars(void)
_audit_permadded = 0;
_audit_archadded = 0;
_audit_exeadded = 0;
+ _audit_filterfsadded = 0;
_audit_elf = 0;
add = AUDIT_FILTER_UNSET;
del = AUDIT_FILTER_UNSET;
@@ -151,6 +153,8 @@ static int lookup_filter(const char *str, int *filter)
*filter = AUDIT_FILTER_EXIT;
else if (strcmp(str, "user") == 0)
*filter = AUDIT_FILTER_USER;
+ else if (strcmp(str, "filesystem") == 0)
+ *filter = AUDIT_FILTER_FS;
else if (strcmp(str, "exclude") == 0) {
*filter = AUDIT_FILTER_EXCLUDE;
exclude = 1;
@@ -760,6 +764,13 @@ static int setopt(int count, int lineno, char *vars[])
audit_msg(LOG_ERR,
"Error: syscall auditing being added to user list");
return -1;
+ } else if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+ AUDIT_FILTER_FS || (del &
+ (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) ==
+ AUDIT_FILTER_FS)) {
+ audit_msg(LOG_ERR,
+ "Error: syscall auditing being added to filesystem list");
+ return -1;
} else if (exclude) {
audit_msg(LOG_ERR,
"Error: syscall auditing cannot be put on exclude list");
@@ -936,8 +947,9 @@ static int setopt(int count, int lineno, char *vars[])
break;
case 'k':
if (!(_audit_syscalladded || _audit_permadded ||
- _audit_exeadded) || (add==AUDIT_FILTER_UNSET &&
- del==AUDIT_FILTER_UNSET)) {
+ _audit_exeadded ||
+ _audit_filterfsadded) ||
+ (add==AUDIT_FILTER_UNSET && del==AUDIT_FILTER_UNSET)) {
audit_msg(LOG_ERR,
"key option needs a watch or syscall given prior to it");
retval = -1;
--
1.7.1
[PATCH] capabilities: add field names for ambient capabilities
by Richard Guy Briggs
Linux kernel capabilities were augmented to include ambient capabilities in
v4.3 commit 58319057b784 ("capabilities: ambient capabilities").
Add interpretation types for cap_pa, old_pa, pa.
The record contains fields "old_pp", "old_pi", "old_pe", "new_pp",
"new_pi", "new_pe" so in keeping with the previous record
normalizations, change the "new_p*" variants to simply drop the "new_"
prefix.
A sample of the replaced BPRM_FCAPS record:
RAW: type=BPRM_FCAPS msg=audit(1491468034.252:237): fver=2 fp=0000000000200000 fi=0000000000000000 fe=1 old_pp=0000000000000000 old_pi=0000000000000000 old_pe=0000000000000000 old_pa=0000000000000000 pp=0000000000200000 pi=0000000000000000 pe=0000000000200000 pa=0000000000000000
INTERPRET: type=BPRM_FCAPS msg=audit(04/06/2017 04:40:34.252:237) : fver=2 fp=sys_admin fi=none fe=chown old_pp=none old_pi=none old_pe=none old_pa=none pp=sys_admin pi=none pe=sys_admin pa=none
A sample of the replaced CAPSET record:
RAW: type=CAPSET msg=audit(1491469502.371:242): pid=833 cap_pi=0000003fffffffff cap_pp=0000003fffffffff cap_pe=0000003fffffffff cap_pa=0000000000000000
INTERPRET: type=CAPSET msg=audit(04/06/2017 05:05:02.371:242) : pid=833 \
cap_pi=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read \
cap_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read \
cap_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read \
cap_pa=none
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
auparse/typetab.h | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/auparse/typetab.h b/auparse/typetab.h
index be82796..42f3e82 100644
--- a/auparse/typetab.h
+++ b/auparse/typetab.h
@@ -89,6 +89,7 @@ _S(AUPARSE_TYPE_SESSION, "ses" )
_S(AUPARSE_TYPE_CAP_BITMAP, "cap_pi" )
_S(AUPARSE_TYPE_CAP_BITMAP, "cap_pe" )
_S(AUPARSE_TYPE_CAP_BITMAP, "cap_pp" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "cap_pa" )
_S(AUPARSE_TYPE_CAP_BITMAP, "cap_fi" )
_S(AUPARSE_TYPE_CAP_BITMAP, "cap_fp" )
_S(AUPARSE_TYPE_CAP_BITMAP, "fp" )
@@ -97,9 +98,14 @@ _S(AUPARSE_TYPE_CAP_BITMAP, "fe" )
_S(AUPARSE_TYPE_CAP_BITMAP, "old_pp" )
_S(AUPARSE_TYPE_CAP_BITMAP, "old_pi" )
_S(AUPARSE_TYPE_CAP_BITMAP, "old_pe" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "old_pa" )
_S(AUPARSE_TYPE_CAP_BITMAP, "new_pp" )
_S(AUPARSE_TYPE_CAP_BITMAP, "new_pi" )
_S(AUPARSE_TYPE_CAP_BITMAP, "new_pe" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "pp" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "pi" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "pe" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "pa" )
_S(AUPARSE_TYPE_NFPROTO, "family" )
_S(AUPARSE_TYPE_ICMPTYPE, "icmptype" )
_S(AUPARSE_TYPE_PROTOCOL, "proto" )
--
1.7.1
[PATCH] selinux: remove AVC init audit log message
by Richard Guy Briggs
In the process of normalizing audit log messages, it was noticed that the AVC
initialization code registered an audit log KERNEL record that didn't fit the
standard format. In the process of attempting to normalize it, it was
determined that this record was not even necessary. Remove it.
Ref: http://marc.info/?l=selinux&m=149614868525826&w=2
See: https://github.com/linux-audit/audit-kernel/issues/48
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
security/selinux/avc.c | 2 --
1 files changed, 0 insertions(+), 2 deletions(-)
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index e60c79d..4b42931 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -197,8 +197,6 @@ void __init avc_init(void)
avc_xperms_data_cachep = kmem_cache_create("avc_xperms_data",
sizeof(struct extended_perms_data),
0, SLAB_PANIC, NULL);
-
- audit_log(current->audit_context, GFP_KERNEL, AUDIT_KERNEL, "AVC INITIALIZED\n");
}
int avc_get_hash_stats(char *page)
--
1.7.1
[PATCH ALT4 V2 1/2] audit: show fstype:pathname for entries with anonymous parents
by Richard Guy Briggs
Tracefs or debugfs were causing hundreds to thousands of null PATH
records to be associated with the init_module and finit_module SYSCALL
records on a few modules when the following rule was in place for
startup:
-a always,exit -F arch=x86_64 -S init_module -F key=mod-load
This happens because the parent inode is not found in the task's
audit_names list and hence treats it as anonymous. This gives us no
information other than a numerical device number that may no longer be
visible upon log inspeciton, and an inode number.
Fill in the filesystem type, filesystem magic number and full pathname
from the filesystem mount point on previously null PATH records from
entries that have an anonymous parent from the child dentry using
dentry_path_raw().
Make the dentry argument of __audit_inode_child() non-const so that we
can take a reference to it in the case of an anonymous parent with
dget() and dget_parent() to be able to later print a partial path from
the host filesystem rather than null.
Since all we are given is an inode of the parent and the dentry of the
child, finding the path from the mount point to the root of the
filesystem is more challenging, as it would involve searching all
vfsmounts from "/" until a matching dentry is found for that
filesystem's root dentry. Even if one is found, there may be more than
one mount point. At this point the gain seems marginal since
knowing the filesystem type and path is a significant help in tracking
down the source of the PATH records and being able to address them.
Sample output:
type=PROCTITLE msg=audit(1488317694.446:143): proctitle=2F7362696E2F6D6F6470726F6265002D71002D2D006E66737634
type=PATH msg=audit(1488317694.446:143): item=797 name=tracefs(74726163):/events/nfs4/nfs4_setclientid/format inode=15969 dev=00:09 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE
type=PATH msg=audit(1488317694.446:143): item=796 name=tracefs(74726163):/events/nfs4/nfs4_setclientid inode=15964 dev=00:09 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT
...
type=PATH msg=audit(1488317694.446:143): item=1 name=tracefs(74726163):/events/nfs4 inode=15571 dev=00:09 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=CREATE
type=PATH msg=audit(1488317694.446:143): item=0 name=tracefs(74726163):/events inode=119 dev=00:09 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tracefs_t:s0 nametype=PARENT
type=UNKNOWN[1330] msg=audit(1488317694.446:143): name="nfsv4"
type=SYSCALL msg=audit(1488317694.446:143): arch=c000003e syscall=313 success=yes exit=0 a0=1 a1=55d5a35ce106 a2=0 a3=1 items=798 ppid=6 pid=528 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:insmod_t:s0 key="mod-load"
See: https://github.com/linux-audit/audit-kernel/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
include/linux/audit.h | 8 ++++----
kernel/audit.c | 16 ++++++++++++++++
kernel/audit.h | 1 +
kernel/auditsc.c | 8 +++++++-
4 files changed, 28 insertions(+), 5 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index aba3a26..367a03a 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -241,7 +241,7 @@ extern void __audit_inode(struct filename *name, const struct dentry *dentry,
unsigned int flags);
extern void __audit_file(const struct file *);
extern void __audit_inode_child(struct inode *parent,
- const struct dentry *dentry,
+ struct dentry *dentry,
const unsigned char type);
extern void __audit_seccomp(unsigned long syscall, long signr, int code);
extern void __audit_ptrace(struct task_struct *t);
@@ -306,7 +306,7 @@ static inline void audit_inode_parent_hidden(struct filename *name,
AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN);
}
static inline void audit_inode_child(struct inode *parent,
- const struct dentry *dentry,
+ struct dentry *dentry,
const unsigned char type) {
if (unlikely(!audit_dummy_context()))
__audit_inode_child(parent, dentry, type);
@@ -487,7 +487,7 @@ static inline void __audit_inode(struct filename *name,
unsigned int flags)
{ }
static inline void __audit_inode_child(struct inode *parent,
- const struct dentry *dentry,
+ struct dentry *dentry,
const unsigned char type)
{ }
static inline void audit_inode(struct filename *name,
@@ -501,7 +501,7 @@ static inline void audit_inode_parent_hidden(struct filename *name,
const struct dentry *dentry)
{ }
static inline void audit_inode_child(struct inode *parent,
- const struct dentry *dentry,
+ struct dentry *dentry,
const unsigned char type)
{ }
static inline void audit_core_dumps(long signr)
diff --git a/kernel/audit.c b/kernel/audit.c
index 25dd70a..7d83c5a 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -66,6 +66,7 @@
#include <linux/freezer.h>
#include <linux/pid_namespace.h>
#include <net/netns/generic.h>
+#include <linux/dcache.h>
#include "audit.h"
@@ -1884,6 +1885,10 @@ void audit_copy_inode(struct audit_names *name, const struct dentry *dentry,
name->gid = inode->i_gid;
name->rdev = inode->i_rdev;
security_inode_getsecid(inode, &name->osid);
+ if (name->dentry) {
+ dput(name->dentry);
+ name->dentry = NULL;
+ }
audit_copy_fcaps(name, dentry);
}
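Review bot: The added `if (name->dentry) { dput(name->dentry); name->dentry = NULL; }` in audit_copy_inode() assumes `name->dentry` is NULL for a freshly allocated audit_names entry; if the allocation path does not zero the struct, this dput()s an uninitialized pointer. Confirm that the allocator zeroes the entry, or set the field to NULL explicitly where entries are created (that code is not in this patch). audit_copy_inode starts outside this hunk.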
@@ -1925,6 +1930,17 @@ void audit_log_name(struct audit_context *context, struct audit_names *n,
audit_log_n_untrustedstring(ab, n->name->name,
n->name_len);
}
+ } else if (n->dentry) {
+ char *fullpath;
+ const char *fullpathp;
+
+ fullpath = kmalloc(PATH_MAX, GFP_KERNEL);
+ if (!fullpath)
+ return;
+ fullpathp = dentry_path_raw(n->dentry, fullpath, PATH_MAX);
+ audit_log_format(ab, " name=%s(0x%lx):%s",
+ n->dentry->d_sb->s_type->name?:"?",
+ n->dentry->d_sb->s_magic, fullpathp?:"?");
} else
audit_log_format(ab, " name=(null)");
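Review bot: `fullpath` is allocated with `kmalloc(PATH_MAX, GFP_KERNEL)` and never freed, so every PATH record logged for an anonymous parent leaks PATH_MAX bytes. `dentry_path_raw()` reports an over-long path with an ERR_PTR rather than NULL, so the `fullpathp?:"?"` fallback does not cover that case and `%s` would dereference the error pointer; check it with `IS_ERR()`. The path is emitted with a bare `%s` while the branch just above runs `n->name->name` through `audit_log_n_untrustedstring()`; a dentry name containing spaces, quotes or control characters would break field parsing in userspace, and since the name is chosen by whoever created the file, it should go through `audit_log_untrustedstring()` as well. The early `return` on allocation failure also abandons the rest of the record and, if `ab` is opened in this function as it appears, skips its `audit_log_end()`; falling back to `?` for the path keeps the record intact. Note also that the sample output in the description shows `name=tracefs(74726163):` while the code prints the magic with a `0x` prefix.
```c
	} else if (n->dentry) {
		char *fullpath = kmalloc(PATH_MAX, GFP_KERNEL);
		const char *fullpathp = NULL;

		if (fullpath)
			fullpathp = dentry_path_raw(n->dentry, fullpath, PATH_MAX);
		/* allocation failure and ERR_PTR (path too long) both degrade to "?" */
		if (!fullpathp || IS_ERR(fullpathp))
			fullpathp = "?";
		audit_log_format(ab, " name=%s(0x%lx):",
				 n->dentry->d_sb->s_type->name ?: "?",
				 n->dentry->d_sb->s_magic);
		/* quote/escape like the n->name path above; dentry names are untrusted */
		audit_log_untrustedstring(ab, fullpathp);
		kfree(fullpath);
	} else
		/* … unchanged: name=(null) fallback … */
```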
diff --git a/kernel/audit.h b/kernel/audit.h
index 144b7eb..2a11583 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -84,6 +84,7 @@ struct audit_names {
unsigned long ino;
dev_t dev;
+ struct dentry *dentry;
umode_t mode;
kuid_t uid;
kgid_t gid;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4db32e8..b3797c7 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -74,6 +74,7 @@
#include <linux/string.h>
#include <linux/uaccess.h>
#include <uapi/linux/limits.h>
+#include <linux/dcache.h>
#include "audit.h"
@@ -881,6 +882,8 @@ static inline void audit_free_names(struct audit_context *context)
list_del(&n->list);
if (n->name)
putname(n->name);
+ if (n->dentry)
+ dput(n->dentry);
if (n->should_free)
kfree(n);
}
@@ -1858,7 +1861,7 @@ void __audit_file(const struct file *file)
* unsuccessful attempts.
*/
void __audit_inode_child(struct inode *parent,
- const struct dentry *dentry,
+ struct dentry *dentry,
const unsigned char type)
{
struct audit_context *context = current->audit_context;
@@ -1914,6 +1917,7 @@ void __audit_inode_child(struct inode *parent,
if (!n)
return;
audit_copy_inode(n, NULL, parent);
+ n->dentry = dget_parent(dentry);
}
if (!found_child) {
@@ -1935,6 +1939,8 @@ void __audit_inode_child(struct inode *parent,
audit_copy_inode(found_child, dentry, inode);
else
found_child->ino = AUDIT_INO_UNSET;
+ if (!found_parent)
+ found_child->dentry = dget(dentry);
}
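Review bot: `found_child->dentry = dget(dentry);` overwrites any dentry reference `found_child` may already hold, and only the `audit_copy_inode()` branch above releases the old one; on the `AUDIT_INO_UNSET` path a previously stored reference would be leaked. If a reused audit_names entry can already carry a dentry (this depends on how entries are matched earlier in the function, outside the hunk), release it first: `if (found_child->dentry) dput(found_child->dentry);` before the assignment. __audit_inode_child continues outside this hunk.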
EXPORT_SYMBOL_GPL(__audit_inode_child);
--
1.7.1
[PATCH v5 0/6] Improved seccomp logging
by Tyler Hicks
This is an update to the previous seccomp logging patch sets. The main
difference in this revision compared to the last is that the application now
has the ability to request that all actions in a filter, except for RET_ALLOW,
should be logged. This is done with a new filter flag. In support of that
change, the log_max_action sysctl was renamed to actions_logged as it now lists
the actions that an admin has allowed to be logged. The admin has the final say
in what actions get logged.
Please see the individual patches for summaries of changes since the last
revision.
Thanks!
Tyler
Re: [RESEND PATCH 2/6] ipc: mqueue: Replace timespec with timespec64
by Richard Guy Briggs
On 2017-07-28 11:52, Deepa Dinamani wrote:
> struct timespec is not y2038 safe. Replace
> all uses of timespec by y2038 safe struct timespec64.
>
> Even though timespec is used here to represent timeouts,
> replace these with timespec64 so that it facilitates
> in verification by creating a y2038 safe kernel image
> that is free of timespec.
>
> The syscall interfaces themselves are not changed as part
> of the patch. They will be part of a different series.
>
> Signed-off-by: Deepa Dinamani <deepa.kernel(a)gmail.com>
> Cc: Paul Moore <paul(a)paul-moore.com>
> Cc: Richard Guy Briggs <rgb(a)redhat.com>
Looks reasonable to me.
Reviewed-by: Richard Guy Briggs <rgb(a)redhat.com>
> ---
> include/linux/audit.h | 6 +++---
> ipc/mqueue.c | 28 ++++++++++++++--------------
> kernel/audit.h | 2 +-
> kernel/auditsc.c | 12 ++++++------
> 4 files changed, 24 insertions(+), 24 deletions(-)
>
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 2150bdccfbab..74d4d4e8e3db 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -351,7 +351,7 @@ extern int __audit_socketcall(int nargs, unsigned long *args);
> extern int __audit_sockaddr(int len, void *addr);
> extern void __audit_fd_pair(int fd1, int fd2);
> extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr);
> -extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout);
> +extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec64 *abs_timeout);
> extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification);
> extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat);
> extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
> @@ -412,7 +412,7 @@ static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
> if (unlikely(!audit_dummy_context()))
> __audit_mq_open(oflag, mode, attr);
> }
> -static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout)
> +static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec64 *abs_timeout)
> {
> if (unlikely(!audit_dummy_context()))
> __audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout);
> @@ -549,7 +549,7 @@ static inline void audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
> { }
> static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len,
> unsigned int msg_prio,
> - const struct timespec *abs_timeout)
> + const struct timespec64 *abs_timeout)
> { }
> static inline void audit_mq_notify(mqd_t mqdes,
> const struct sigevent *notification)
> diff --git a/ipc/mqueue.c b/ipc/mqueue.c
> index c9ff943f19ab..5be1346a9167 100644
> --- a/ipc/mqueue.c
> +++ b/ipc/mqueue.c
> @@ -668,11 +668,11 @@ static void __do_notify(struct mqueue_inode_info *info)
> }
>
> static int prepare_timeout(const struct timespec __user *u_abs_timeout,
> - struct timespec *ts)
> + struct timespec64 *ts)
> {
> - if (copy_from_user(ts, u_abs_timeout, sizeof(struct timespec)))
> + if (get_timespec64(ts, u_abs_timeout))
> return -EFAULT;
> - if (!timespec_valid(ts))
> + if (!timespec64_valid(ts))
> return -EINVAL;
> return 0;
> }
> @@ -962,7 +962,7 @@ static inline void pipelined_receive(struct wake_q_head *wake_q,
>
> static int do_mq_timedsend(mqd_t mqdes, const char __user *u_msg_ptr,
> size_t msg_len, unsigned int msg_prio,
> - struct timespec *ts)
> + struct timespec64 *ts)
> {
> struct fd f;
> struct inode *inode;
> @@ -979,7 +979,7 @@ static int do_mq_timedsend(mqd_t mqdes, const char __user *u_msg_ptr,
> return -EINVAL;
>
> if (ts) {
> - expires = timespec_to_ktime(*ts);
> + expires = timespec64_to_ktime(*ts);
> timeout = &expires;
> }
>
> @@ -1080,7 +1080,7 @@ static int do_mq_timedsend(mqd_t mqdes, const char __user *u_msg_ptr,
>
> static int do_mq_timedreceive(mqd_t mqdes, char __user *u_msg_ptr,
> size_t msg_len, unsigned int __user *u_msg_prio,
> - struct timespec *ts)
> + struct timespec64 *ts)
> {
> ssize_t ret;
> struct msg_msg *msg_ptr;
> @@ -1092,7 +1092,7 @@ static int do_mq_timedreceive(mqd_t mqdes, char __user *u_msg_ptr,
> struct posix_msg_tree_node *new_leaf = NULL;
>
> if (ts) {
> - expires = timespec_to_ktime(*ts);
> + expires = timespec64_to_ktime(*ts);
> timeout = &expires;
> }
>
> @@ -1184,7 +1184,7 @@ SYSCALL_DEFINE5(mq_timedsend, mqd_t, mqdes, const char __user *, u_msg_ptr,
> size_t, msg_len, unsigned int, msg_prio,
> const struct timespec __user *, u_abs_timeout)
> {
> - struct timespec ts, *p = NULL;
> + struct timespec64 ts, *p = NULL;
> if (u_abs_timeout) {
> int res = prepare_timeout(u_abs_timeout, &ts);
> if (res)
> @@ -1198,7 +1198,7 @@ SYSCALL_DEFINE5(mq_timedreceive, mqd_t, mqdes, char __user *, u_msg_ptr,
> size_t, msg_len, unsigned int __user *, u_msg_prio,
> const struct timespec __user *, u_abs_timeout)
> {
> - struct timespec ts, *p = NULL;
> + struct timespec64 ts, *p = NULL;
> if (u_abs_timeout) {
> int res = prepare_timeout(u_abs_timeout, &ts);
> if (res)
> @@ -1473,11 +1473,11 @@ COMPAT_SYSCALL_DEFINE4(mq_open, const char __user *, u_name,
> }
>
> static int compat_prepare_timeout(const struct compat_timespec __user *p,
> - struct timespec *ts)
> + struct timespec64 *ts)
> {
> - if (compat_get_timespec(ts, p))
> + if (compat_get_timespec64(ts, p))
> return -EFAULT;
> - if (!timespec_valid(ts))
> + if (!timespec64_valid(ts))
> return -EINVAL;
> return 0;
> }
> @@ -1487,7 +1487,7 @@ COMPAT_SYSCALL_DEFINE5(mq_timedsend, mqd_t, mqdes,
> compat_size_t, msg_len, unsigned int, msg_prio,
> const struct compat_timespec __user *, u_abs_timeout)
> {
> - struct timespec ts, *p = NULL;
> + struct timespec64 ts, *p = NULL;
> if (u_abs_timeout) {
> int res = compat_prepare_timeout(u_abs_timeout, &ts);
> if (res)
> @@ -1502,7 +1502,7 @@ COMPAT_SYSCALL_DEFINE5(mq_timedreceive, mqd_t, mqdes,
> compat_size_t, msg_len, unsigned int __user *, u_msg_prio,
> const struct compat_timespec __user *, u_abs_timeout)
> {
> - struct timespec ts, *p = NULL;
> + struct timespec64 ts, *p = NULL;
> if (u_abs_timeout) {
> int res = compat_prepare_timeout(u_abs_timeout, &ts);
> if (res)
> diff --git a/kernel/audit.h b/kernel/audit.h
> index b331d9b83f63..9b110ae17ee3 100644
> --- a/kernel/audit.h
> +++ b/kernel/audit.h
> @@ -182,7 +182,7 @@ struct audit_context {
> mqd_t mqdes;
> size_t msg_len;
> unsigned int msg_prio;
> - struct timespec abs_timeout;
> + struct timespec64 abs_timeout;
> } mq_sendrecv;
> struct {
> int oflag;
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 3260ba2312a9..d0870f8e3656 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -1235,11 +1235,11 @@ static void show_special(struct audit_context *context, int *call_panic)
> case AUDIT_MQ_SENDRECV:
> audit_log_format(ab,
> "mqdes=%d msg_len=%zd msg_prio=%u "
> - "abs_timeout_sec=%ld abs_timeout_nsec=%ld",
> + "abs_timeout_sec=%lld abs_timeout_nsec=%ld",
> context->mq_sendrecv.mqdes,
> context->mq_sendrecv.msg_len,
> context->mq_sendrecv.msg_prio,
> - context->mq_sendrecv.abs_timeout.tv_sec,
> + (long long) context->mq_sendrecv.abs_timeout.tv_sec,
> context->mq_sendrecv.abs_timeout.tv_nsec);
> break;
> case AUDIT_MQ_NOTIFY:
> @@ -2083,15 +2083,15 @@ void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr)
> *
> */
> void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio,
> - const struct timespec *abs_timeout)
> + const struct timespec64 *abs_timeout)
> {
> struct audit_context *context = current->audit_context;
> - struct timespec *p = &context->mq_sendrecv.abs_timeout;
> + struct timespec64 *p = &context->mq_sendrecv.abs_timeout;
>
> if (abs_timeout)
> - memcpy(p, abs_timeout, sizeof(struct timespec));
> + memcpy(p, abs_timeout, sizeof(struct timespec64));
> else
> - memset(p, 0, sizeof(struct timespec));
> + memset(p, 0, sizeof(struct timespec64));
>
> context->mq_sendrecv.mqdes = mqdes;
> context->mq_sendrecv.msg_len = msg_len;
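Review bot: The converted `memcpy(p, abs_timeout, sizeof(struct timespec64))` and `memset(p, 0, sizeof(struct timespec64))` still spell the type out twice; `sizeof(*p)` ties the size to `p`'s declaration, and now that both sides share a type a plain struct assignment `*p = *abs_timeout;` states the copy more directly. This is a point of style only; the type conversion itself looks correct. __audit_mq_sendrecv continues outside the quoted hunk.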
> --
> 2.11.0
>
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
[RFC PATCH] specs: update message dictionary with source column
by Richard Guy Briggs
Add a column to indicate the source of the message, including indicating
whether or not it is related to syscalls.
Column name: SOURCE
Key:
CTL Control messages, usually initiated by audit daemon.
DEP Deprecated message types
IND Independent kernel message
USR User message
SC System-call related kernel message
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
specs/messages/message-dictionary.csv | 393 +++++++++++++++++----------------
1 files changed, 197 insertions(+), 196 deletions(-)
diff --git a/specs/messages/message-dictionary.csv b/specs/messages/message-dictionary.csv
index 9831236..a0f8983 100644
--- a/specs/messages/message-dictionary.csv
+++ b/specs/messages/message-dictionary.csv
@@ -1,196 +1,197 @@
-MACRO NAME,VALUE,DESCRIPITON
-AUDIT_GET,1000,Get status
-AUDIT_SET,1001,Set status (enable/disable/auditd)
-AUDIT_LIST,1002,List syscall rules -- deprecated
-AUDIT_ADD,1003,Add syscall rule -- deprecated
-AUDIT_DEL,1004,Delete syscall rule -- deprecated
-AUDIT_USER,1005,Message from userspace -- deprecated
-AUDIT_LOGIN,1006,Define the login ID and information
-AUDIT_WATCH_INS,1007,Insert file/dir watch entry
-AUDIT_WATCH_REM,1008,Remove file/dir watch entry
-AUDIT_WATCH_LIST,1009,List all file/dir watches
-AUDIT_SIGNAL_INFO,1010,Get info about sender of signal to auditd
-AUDIT_ADD_RULE,1011,Add syscall filtering rule
-AUDIT_DEL_RULE,1012,Delete syscall filtering rule
-AUDIT_LIST_RULES,1013,List syscall filtering rules
-AUDIT_TRIM,1014,Trim junk from watched tree
-AUDIT_MAKE_EQUIV,1015,Append to watched tree
-AUDIT_TTY_GET,1016,Get TTY auditing status
-AUDIT_TTY_SET,1017,Set TTY auditing status
-AUDIT_SET_FEATURE,1018,Turn an audit feature on or off
-AUDIT_GET_FEATURE,1019,Get which features are enabled
-AUDIT_USER_AUTH,1100,User system access authentication
-AUDIT_USER_ACCT,1101,User system access authorization
-AUDIT_USER_MGMT,1102,User account attribute change
-AUDIT_CRED_ACQ,1103,User credential acquired
-AUDIT_CRED_DISP,1104,User credential disposed
-AUDIT_USER_START,1105,User session start
-AUDIT_USER_END,1106,User session end
-AUDIT_USER_AVC,1107,User space AVC (Access Vector Cache) message
-AUDIT_USER_CHAUTHTOK,1108,User account password or PIN changed
-AUDIT_USER_ERR,1109,User account state error
-AUDIT_CRED_REFR,1110,User credential refreshed
-AUDIT_USYS_CONFIG,1111,User space system config change
-AUDIT_USER_LOGIN,1112,User has logged in
-AUDIT_USER_LOGOUT,1113,User has logged out
-AUDIT_ADD_USER,1114,User account added
-AUDIT_DEL_USER,1115,User account deleted
-AUDIT_ADD_GROUP,1116,Group account added
-AUDIT_DEL_GROUP,1117,Group account deleted
-AUDIT_DAC_CHECK,1118,User space DAC check results
-AUDIT_CHGRP_ID,1119,User space group ID changed
-AUDIT_TEST,1120,Used for test success messages
-AUDIT_TRUSTED_APP,1121,Trusted app msg - freestyle text
-AUDIT_USER_SELINUX_ERR,1122,SELinux user space error
-AUDIT_USER_CMD,1123,User shell command and args
-AUDIT_USER_TTY,1124,Non-ICANON TTY input meaning
-AUDIT_CHUSER_ID,1125,Changed user ID supplemental data
-AUDIT_GRP_AUTH,1126,Authentication for group password
-AUDIT_SYSTEM_BOOT,1127,System boot
-AUDIT_SYSTEM_SHUTDOWN,1128,System shutdown
-AUDIT_SYSTEM_RUNLEVEL,1129,System runlevel change
-AUDIT_SERVICE_START,1130,Service (daemon) start
-AUDIT_SERVICE_STOP,1131,Service (daemon) stop
-AUDIT_GRP_MGMT,1132,Group account attribute was modified
-AUDIT_GRP_CHAUTHTOK,1133,Group account password or PIN changed
-AUDIT_MAC_CHECK,1134,User space MAC (Mandatory Access Control) decision results
-AUDIT_ACCT_LOCK,1135,User's account locked by admin
-AUDIT_ACCT_UNLOCK,1136,User's account unlocked by admin
-AUDIT_DAEMON_START,1200,Daemon startup record
-AUDIT_DAEMON_END,1201,Daemon normal stop record
-AUDIT_DAEMON_ABORT,1202,Daemon error stop record
-AUDIT_DAEMON_CONFIG,1203,Daemon config change
-AUDIT_DAEMON_RECONFIG,1204,Auditd should reconfigure
-AUDIT_DAEMON_ROTATE,1205,Auditd should rotate logs
-AUDIT_DAEMON_RESUME,1206,Auditd should resume logging
-AUDIT_DAEMON_ACCEPT,1207,Auditd accepted remote connection
-AUDIT_DAEMON_CLOSE,1208,Auditd closed remote connection
-AUDIT_DAEMON_ERR,1209,Auditd internal error
-AUDIT_SYSCALL,1300,System call event information
-AUDIT_FS_WATCH,1301,Deprecated
-AUDIT_PATH,1302,Filename path information
-AUDIT_IPC,1303,System call IPC (Inter-Process Communication) object
-AUDIT_SOCKETCALL,1304,System call socketcall arguments
-AUDIT_CONFIG_CHANGE,1305,Audit system configuration change
-AUDIT_SOCKADDR,1306,System call socket address argument information
-AUDIT_CWD,1307,Current working directory
-AUDIT_EXECVE,1309,Arguments supplied to the execve system call
-AUDIT_IPC_SET_PERM,1311,IPC new permissions record type
-AUDIT_MQ_OPEN,1312,POSIX MQ open record type
-AUDIT_MQ_SENDRECV,1313,POSIX MQ send/receive record type
-AUDIT_MQ_NOTIFY,1314,POSIX MQ notify record type
-AUDIT_MQ_GETSETATTR,1315,POSIX MQ get/set attribute record type
-AUDIT_KERNEL_OTHER,1316,For use by 3rd party modules
-AUDIT_FD_PAIR,1317,Information for pipe and socketpair system calls
-AUDIT_OBJ_PID,1318,ptrace target
-AUDIT_TTY,1319,Input on an administrative TTY
-AUDIT_EOE,1320,End of multi-record event
-AUDIT_BPRM_FCAPS,1321,Information about file system capabilities increasing permissions
-AUDIT_CAPSET,1322,Record showing argument to sys_capset setting process-based capabilities
-AUDIT_MMAP,1323,Mmap system call file descriptor and flags
-AUDIT_NETFILTER_PKT,1324,Packets traversing netfilter chains
-AUDIT_NETFILTER_CFG,1325,Netfilter chain modifications
-AUDIT_SECCOMP,1326,Secure Computing event
-AUDIT_PROCTITLE,1327,Process Title info
-AUDIT_FEATURE_CHANGE,1328,Audit feature changed value
-AUDIT_REPLACE,1329,Replace auditd if this probe unanswerd
-AUDIT_KERN_MODULE,1330,Kernel Module events
-AUDIT_AVC,1400,SELinux AVC (Access Vector Cache) denial or grant
-AUDIT_SELINUX_ERR,1401,Internal SELinux errors
-AUDIT_AVC_PATH,1402,"dentry, vfsmount pair from AVC"
-AUDIT_MAC_POLICY_LOAD,1403,SELinux Policy file load
-AUDIT_MAC_STATUS,1404,"SELinux mode (enforcing, permissive, off) changed"
-AUDIT_MAC_CONFIG_CHANGE,1405,SELinux Boolean value modification
-AUDIT_MAC_UNLBL_ALLOW,1406,NetLabel: allow unlabeled traffic
-AUDIT_MAC_CIPSOV4_ADD,1407,NetLabel: add CIPSOv4 (Commercial Internet Protocol Security Option) DOI (Domain of Interpretation) entry
-AUDIT_MAC_CIPSOV4_DEL,1408,NetLabel: del CIPSOv4 (Commercial Internet Protocol Security Option) DOI (Domain of Interpretation) entry
-AUDIT_MAC_MAP_ADD,1409,NetLabel: add LSM (Linux Security Module) domain mapping
-AUDIT_MAC_MAP_DEL,1410,NetLabel: del LSM (Linux Security Module) domain mapping
-AUDIT_MAC_IPSEC_ADDSA,1411,Not used
-AUDIT_MAC_IPSEC_DELSA,1412,Not used
-AUDIT_MAC_IPSEC_ADDSPD,1413,Not used
-AUDIT_MAC_IPSEC_DELSPD,1414,Not used
-AUDIT_MAC_IPSEC_EVENT,1415,Audit an IPsec event
-AUDIT_MAC_UNLBL_STCADD,1416,NetLabel: add a static label
-AUDIT_MAC_UNLBL_STCDEL,1417,NetLabel: del a static label
-AUDIT_MAC_CALIPSO_ADD,1418,NetLabel: add CALIPSO DOI (Domain of Interpretation) entry
-AUDIT_MAC_CALIPSO_DEL,1419,NetLabel: delete CALIPSO DOI (Domain of Interpretation) entry
-AUDIT_AA,1500,
-AUDIT_APPARMOR_AUDIT,1501,
-AUDIT_APPARMOR_ALLOWED,1502,
-AUDIT_APPARMOR_DENIED,1503,
-AUDIT_APPARMOR_HINT,1504,
-AUDIT_APPARMOR_STATUS,1505,
-AUDIT_APPARMOR_ERROR,1506,
-AUDIT_ANOM_PROMISCUOUS,1700,Device changed promiscuous mode
-AUDIT_ANOM_ABEND,1701,Process ended abnormally
-AUDIT_ANOM_LINK,1702,Suspicious use of file links
-AUDIT_INTEGRITY_DATA,1800,Data integrity verification
-AUDIT_INTEGRITY_METADATA,1801,Metadata integrity verification
-AUDIT_INTEGRITY_STATUS,1802,Integrity enable status
-AUDIT_INTEGRITY_HASH,1803,Integrity HASH type
-AUDIT_INTEGRITY_PCR,1804,PCR (Platform Configuration Register) invalidation messages
-AUDIT_INTEGRITY_RULE,1805,Policy rule
-AUDIT_KERNEL,2000,Kernel audit status
-AUDIT_ANOM_LOGIN_FAILURES,2100,Failed login limit reached
-AUDIT_ANOM_LOGIN_TIME,2101,Login attempted at bad time
-AUDIT_ANOM_LOGIN_SESSIONS,2102,Maximum concurrent sessions reached
-AUDIT_ANOM_LOGIN_ACCT,2103,Login attempted to watched account
-AUDIT_ANOM_LOGIN_LOCATION,2104,Login from forbidden location
-AUDIT_ANOM_MAX_DAC,2105,Max DAC (Discretionary Access Control) failures reached
-AUDIT_ANOM_MAX_MAC,2106,Max MAC (Mandatory Access Control) failures reached
-AUDIT_ANOM_AMTU_FAIL,2107,AMTU (Abstract Machine Test Utility) failure
-AUDIT_ANOM_RBAC_FAIL,2108,RBAC (Role-Based Access Control) self test failure
-AUDIT_ANOM_RBAC_INTEGRITY_FAIL,2109,RBAC (Role-Based Access Control) file integrity test failure
-AUDIT_ANOM_CRYPTO_FAIL,2110,Crypto system test failure
-AUDIT_ANOM_ACCESS_FS,2111,Access of file or directory ended abnormally
-AUDIT_ANOM_EXEC,2112,Execution of file ended abnormally
-AUDIT_ANOM_MK_EXEC,2113,Make an executable
-AUDIT_ANOM_ADD_ACCT,2114,Adding a user account ended abnormally
-AUDIT_ANOM_DEL_ACCT,2115,Deleting a user account ended abnormally
-AUDIT_ANOM_MOD_ACCT,2116,Changing an account ended abnormally
-AUDIT_ANOM_ROOT_TRANS,2117,User became root
-AUDIT_RESP_ANOMALY,2200,Anomaly not reacted to
-AUDIT_RESP_ALERT,2201,Alert email was sent
-AUDIT_RESP_KILL_PROC,2202,Kill program
-AUDIT_RESP_TERM_ACCESS,2203,Terminate session
-AUDIT_RESP_ACCT_REMOTE,2204,User account locked from remote access
-AUDIT_RESP_ACCT_LOCK_TIMED,2205,User account locked for time
-AUDIT_RESP_ACCT_UNLOCK_TIMED,2206,User account unlocked from time
-AUDIT_RESP_ACCT_LOCK,2207,User account was locked
-AUDIT_RESP_TERM_LOCK,2208,Terminal was locked
-AUDIT_RESP_SEBOOL,2209,Set an SELinux boolean
-AUDIT_RESP_EXEC,2210,Execute a script
-AUDIT_RESP_SINGLE,2211,Go to single user mode
-AUDIT_RESP_HALT,2212,Take the system down
-AUDIT_USER_ROLE_CHANGE,2300,User changed to a new SELinux role
-AUDIT_ROLE_ASSIGN,2301,Administrator assigned user to SELinux role
-AUDIT_ROLE_REMOVE,2302,Administrator removed user from SELinux role
-AUDIT_LABEL_OVERRIDE,2303,Administrator is overriding a SELinux label
-AUDIT_LABEL_LEVEL_CHANGE,2304,Object level SELinux label modified
-AUDIT_USER_LABELED_EXPORT,2305,Object exported with SELinux label
-AUDIT_USER_UNLABELED_EXPORT,2306,Object exported without SELinux label
-AUDIT_DEV_ALLOC,2307,Device was allocated
-AUDIT_DEV_DEALLOC,2308,Device was deallocated
-AUDIT_FS_RELABEL,2309,Filesystem relabeled
-AUDIT_USER_MAC_POLICY_LOAD,2310,Usersapce daemon loaded SELinux policy
-AUDIT_ROLE_MODIFY,2311,Administrator modified an SELinux role
-AUDIT_USER_MAC_CONFIG_CHANGE,2312,Change made to MAC (Mandatory Access Control) policy
-AUDIT_CRYPTO_TEST_USER,2400,Cryptographic test results
-AUDIT_CRYPTO_PARAM_CHANGE_USER,2401,Cryptographic attribute change
-AUDIT_CRYPTO_LOGIN,2402,Cryptographic officer login
-AUDIT_CRYPTO_LOGOUT,2403,Cryptographic officer logout
-AUDIT_CRYPTO_KEY_USER,2404,"Create, delete, negotiate cryptographic key identifier"
-AUDIT_CRYPTO_FAILURE_USER,2405,"Fail decrypt, encrypt or randomize operation"
-AUDIT_CRYPTO_REPLAY_USER,2406,Cryptographic replay attack detected
-AUDIT_CRYPTO_SESSION,2407,Parameters set during TLS session establishment
-AUDIT_CRYPTO_IKE_SA,2408,Parameters related to IKE SA
-AUDIT_CRYPTO_IPSEC_SA,2409,Parameters related to IPSEC SA
-AUDIT_VIRT_CONTROL,2500,"Start, Pause, Stop VM"
-AUDIT_VIRT_RESOURCE,2501,Resource assignment
-AUDIT_VIRT_MACHINE_ID,2502,Binding of label to VM
-AUDIT_VIRT_INTEGRITY_CHECK,2503,Guest integrity results
-AUDIT_VIRT_CREATE,2504,Creation of guest image
-AUDIT_VIRT_DESTROY,2505,Destruction of guest image
-AUDIT_VIRT_MIGRATE_IN,2506,Inbound guest migration info
-AUDIT_VIRT_MIGRATE_OUT,2507,Outbound guest migration info
+MACRO NAME,VALUE,SOURCE,DESCRIPITON
+AUDIT_GET,1000,CTL,Get status
+AUDIT_SET,1001,CTL,Set status (enable/disable/auditd)
+AUDIT_LIST,1002,DEP,List syscall rules -- deprecated
+AUDIT_ADD,1003,DEP,Add syscall rule -- deprecated
+AUDIT_DEL,1004,DEP,Delete syscall rule -- deprecated
+AUDIT_USER,1005,DEP,Message from userspace -- deprecated
+AUDIT_LOGIN,1006,IND,Define the login ID and information
+AUDIT_WATCH_INS,1007,DEP,Insert file/dir watch entry
+AUDIT_WATCH_REM,1008,DEP,Remove file/dir watch entry
+AUDIT_WATCH_LIST,1009,DEP,List all file/dir watches
+AUDIT_SIGNAL_INFO,1010,CTL,Get info about sender of signal to auditd
+AUDIT_ADD_RULE,1011,CTL,Add syscall filtering rule
+AUDIT_DEL_RULE,1012,CTL,Delete syscall filtering rule
+AUDIT_LIST_RULES,1013,CTL,List syscall filtering rules
+AUDIT_TRIM,1014,CTL,Trim junk from watched tree
+AUDIT_MAKE_EQUIV,1015,CTL,Append to watched tree
+AUDIT_TTY_GET,1016,CTL,Get TTY auditing status
+AUDIT_TTY_SET,1017,CTL,Set TTY auditing status
+AUDIT_SET_FEATURE,1018,CTL,Turn an audit feature on or off
+AUDIT_GET_FEATURE,1019,CTL,Get which features are enabled
+AUDIT_USER_AUTH,1100,USR,User system access authentication
+AUDIT_USER_ACCT,1101,USR,User system access authorization
+AUDIT_USER_MGMT,1102,USR,User account attribute change
+AUDIT_CRED_ACQ,1103,USR,User credential acquired
+AUDIT_CRED_DISP,1104,USR,User credential disposed
+AUDIT_USER_START,1105,USR,User session start
+AUDIT_USER_END,1106,USR,User session end
+AUDIT_USER_AVC,1107,USR,User space AVC (Access Vector Cache) message
+AUDIT_USER_CHAUTHTOK,1108,USR,User account password or PIN changed
+AUDIT_USER_ERR,1109,USR,User account state error
+AUDIT_CRED_REFR,1110,USR,User credential refreshed
+AUDIT_USYS_CONFIG,1111,USR,User space system config change
+AUDIT_USER_LOGIN,1112,USR,User has logged in
+AUDIT_USER_LOGOUT,1113,USR,User has logged out
+AUDIT_ADD_USER,1114,USR,User account added
+AUDIT_DEL_USER,1115,USR,User account deleted
+AUDIT_ADD_GROUP,1116,USR,Group account added
+AUDIT_DEL_GROUP,1117,USR,Group account deleted
+AUDIT_DAC_CHECK,1118,USR,User space DAC check results
+AUDIT_CHGRP_ID,1119,USR,User space group ID changed
+AUDIT_TEST,1120,USR,Used for test success messages
+AUDIT_TRUSTED_APP,1121,USR,Trusted app msg - freestyle text
+AUDIT_USER_SELINUX_ERR,1122,USR,SELinux user space error
+AUDIT_USER_CMD,1123,USR,User shell command and args
+AUDIT_USER_TTY,1124,USR,Non-ICANON TTY input meaning
+AUDIT_CHUSER_ID,1125,USR,Changed user ID supplemental data
+AUDIT_GRP_AUTH,1126,USR,Authentication for group password
+AUDIT_SYSTEM_BOOT,1127,USR,System boot
+AUDIT_SYSTEM_SHUTDOWN,1128,USR,System shutdown
+AUDIT_SYSTEM_RUNLEVEL,1129,USR,System runlevel change
+AUDIT_SERVICE_START,1130,USR,Service (daemon) start
+AUDIT_SERVICE_STOP,1131,USR,Service (daemon) stop
+AUDIT_GRP_MGMT,1132,USR,Group account attribute was modified
+AUDIT_GRP_CHAUTHTOK,1133,USR,Group account password or PIN changed
+AUDIT_MAC_CHECK,1134,USR,User space MAC (Mandatory Access Control) decision results
+AUDIT_ACCT_LOCK,1135,USR,User's account locked by admin
+AUDIT_ACCT_UNLOCK,1136,USR,User's account unlocked by admin
+AUDIT_DAEMON_START,1200,USR,Daemon startup record
+AUDIT_DAEMON_END,1201,USR,Daemon normal stop record
+AUDIT_DAEMON_ABORT,1202,USR,Daemon error stop record
+AUDIT_DAEMON_CONFIG,1203,USR,Daemon config change
+AUDIT_DAEMON_RECONFIG,1204,USR,Auditd should reconfigure
+AUDIT_DAEMON_ROTATE,1205,USR,Auditd should rotate logs
+AUDIT_DAEMON_RESUME,1206,USR,Auditd should resume logging
+AUDIT_DAEMON_ACCEPT,1207,USR,Auditd accepted remote connection
+AUDIT_DAEMON_CLOSE,1208,USR,Auditd closed remote connection
+AUDIT_DAEMON_ERR,1209,USR,Auditd internal error
+AUDIT_SYSCALL,1300,SC,System call event information
+AUDIT_FS_WATCH,1301,DEP,Deprecated
+AUDIT_PATH,1302,SC,Filename path information
+AUDIT_IPC,1303,SC,System call IPC (Inter-Process Communication) object
+AUDIT_SOCKETCALL,1304,SC,System call socketcall arguments
+AUDIT_CONFIG_CHANGE,1305,IND,Audit system configuration change
+AUDIT_SOCKADDR,1306,SC,System call socket address argument information
+AUDIT_CWD,1307,SC,Current working directory
+AUDIT_EXECVE,1309,SC,Arguments supplied to the execve system call
+AUDIT_IPC_SET_PERM,1311,SC,IPC new permissions record type
+AUDIT_MQ_OPEN,1312,SC,POSIX MQ open record type
+AUDIT_MQ_SENDRECV,1313,SC,POSIX MQ send/receive record type
+AUDIT_MQ_NOTIFY,1314,SC,POSIX MQ notify record type
+AUDIT_MQ_GETSETATTR,1315,SC,POSIX MQ get/set attribute record type
+AUDIT_KERNEL_OTHER,1316,IND,For use by 3rd party modules
+AUDIT_FD_PAIR,1317,SC,Information for pipe and socketpair system calls
+AUDIT_OBJ_PID,1318,SC,ptrace target
+AUDIT_TTY,1319,IND,Input on an administrative TTY
+AUDIT_EOE,1320,CTL,End of multi-record event
+AUDIT_BPRM_FCAPS,1321,SC,Information about file system capabilities increasing permissions
+AUDIT_CAPSET,1322,SC,Record showing argument to sys_capset setting process-based capabilities
+AUDIT_MMAP,1323,SC,Mmap system call file descriptor and flags
+AUDIT_NETFILTER_PKT,1324,IND,Packets traversing netfilter chains
+AUDIT_NETFILTER_CFG,1325,IND/SC,Netfilter chain modifications
+AUDIT_SECCOMP,1326,IND,Secure Computing event
+AUDIT_PROCTITLE,1327,SC,Process Title info
+AUDIT_FEATURE_CHANGE,1328,IND,Audit feature changed value
+AUDIT_REPLACE,1329,CTL,Replace auditd if this probe unanswerd
+AUDIT_KERN_MODULE,1330,SC,Kernel Module events
+AUDIT_AVC,1400,SC,SELinux AVC (Access Vector Cache) denial or grant
+AUDIT_SELINUX_ERR,1401,SC,Internal SELinux errors
+AUDIT_AVC_PATH,1402,SC,"dentry, vfsmount pair from AVC"
+AUDIT_MAC_POLICY_LOAD,1403,SC,SELinux Policy file load
+AUDIT_MAC_STATUS,1404,SC,"SELinux mode (enforcing, permissive, off) changed"
+AUDIT_MAC_CONFIG_CHANGE,1405,SC,SELinux Boolean value modification
+AUDIT_MAC_UNLBL_ALLOW,1406,SC,NetLabel: allow unlabeled traffic
+AUDIT_MAC_CIPSOV4_ADD,1407,SC,NetLabel: add CIPSOv4 (Commercial Internet Protocol Security Option) DOI (Domain of Interpretation) entry
+AUDIT_MAC_CIPSOV4_DEL,1408,SC,NetLabel: del CIPSOv4 (Commercial Internet Protocol Security Option) DOI (Domain of Interpretation) entry
+AUDIT_MAC_MAP_ADD,1409,SC,NetLabel: add LSM (Linux Security Module) domain mapping
+AUDIT_MAC_MAP_DEL,1410,SC,NetLabel: del LSM (Linux Security Module) domain mapping
+AUDIT_MAC_IPSEC_ADDSA,1411,DEP,Not used
+AUDIT_MAC_IPSEC_DELSA,1412,DEP,Not used
+AUDIT_MAC_IPSEC_ADDSPD,1413,DEP,Not used
+AUDIT_MAC_IPSEC_DELSPD,1414,DEP,Not used
+AUDIT_MAC_IPSEC_EVENT,1415,SC,Audit an IPsec event
+AUDIT_MAC_UNLBL_STCADD,1416,SC,NetLabel: add a static label
+AUDIT_MAC_UNLBL_STCDEL,1417,SC,NetLabel: del a static label
+AUDIT_MAC_CALIPSO_ADD,1418,SC,NetLabel: add CALIPSO DOI (Domain of Interpretation) entry
+AUDIT_MAC_CALIPSO_DEL,1419,SC,NetLabel: delete CALIPSO DOI (Domain of Interpretation) entry
+AUDIT_AA,1500,,
+AUDIT_APPARMOR_AUDIT,1501,SC,
+AUDIT_APPARMOR_ALLOWED,1502,SC,
+AUDIT_APPARMOR_DENIED,1503,SC,
+AUDIT_APPARMOR_HINT,1504,SC,
+AUDIT_APPARMOR_STATUS,1505,SC,
+AUDIT_APPARMOR_ERROR,1506,SC,
+AUDIT_APPARMOR_KILL,enum1507,SC,
+AUDIT_ANOM_PROMISCUOUS,1700,SC/IND,Device changed promiscuous mode
+AUDIT_ANOM_ABEND,1701,IND,Process ended abnormally
+AUDIT_ANOM_LINK,1702,SC?,Suspicious use of file links
+AUDIT_INTEGRITY_DATA,1800,SC,Data integrity verification
+AUDIT_INTEGRITY_METADATA,1801,SC,Metadata integrity verification
+AUDIT_INTEGRITY_STATUS,1802,SC,Integrity enable status
+AUDIT_INTEGRITY_HASH,1803,SC,Integrity HASH type
+AUDIT_INTEGRITY_PCR,1804,SC,PCR (Platform Configuration Register) invalidation messages
+AUDIT_INTEGRITY_RULE,1805,SC/IND,Policy rule
+AUDIT_KERNEL,2000,IND,Kernel audit status
+AUDIT_ANOM_LOGIN_FAILURES,2100,USR,Failed login limit reached
+AUDIT_ANOM_LOGIN_TIME,2101,USR,Login attempted at bad time
+AUDIT_ANOM_LOGIN_SESSIONS,2102,USR,Maximum concurrent sessions reached
+AUDIT_ANOM_LOGIN_ACCT,2103,USR,Login attempted to watched account
+AUDIT_ANOM_LOGIN_LOCATION,2104,USR,Login from forbidden location
+AUDIT_ANOM_MAX_DAC,2105,USR,Max DAC (Discretionary Access Control) failures reached
+AUDIT_ANOM_MAX_MAC,2106,USR,Max MAC (Mandatory Access Control) failures reached
+AUDIT_ANOM_AMTU_FAIL,2107,USR,AMTU (Abstract Machine Test Utility) failure
+AUDIT_ANOM_RBAC_FAIL,2108,USR,RBAC (Role-Based Access Control) self test failure
+AUDIT_ANOM_RBAC_INTEGRITY_FAIL,2109,USR,RBAC (Role-Based Access Control) file integrity test failure
+AUDIT_ANOM_CRYPTO_FAIL,2110,USR,Crypto system test failure
+AUDIT_ANOM_ACCESS_FS,2111,USR,Access of file or directory ended abnormally
+AUDIT_ANOM_EXEC,2112,USR,Execution of file ended abnormally
+AUDIT_ANOM_MK_EXEC,2113,USR,Make an executable
+AUDIT_ANOM_ADD_ACCT,2114,USR,Adding a user account ended abnormally
+AUDIT_ANOM_DEL_ACCT,2115,USR,Deleting a user account ended abnormally
+AUDIT_ANOM_MOD_ACCT,2116,USR,Changing an account ended abnormally
+AUDIT_ANOM_ROOT_TRANS,2117,USR,User became root
+AUDIT_RESP_ANOMALY,2200,USR,Anomaly not reacted to
+AUDIT_RESP_ALERT,2201,USR,Alert email was sent
+AUDIT_RESP_KILL_PROC,2202,USR,Kill program
+AUDIT_RESP_TERM_ACCESS,2203,USR,Terminate session
+AUDIT_RESP_ACCT_REMOTE,2204,USR,User account locked from remote access
+AUDIT_RESP_ACCT_LOCK_TIMED,2205,USR,User account locked for time
+AUDIT_RESP_ACCT_UNLOCK_TIMED,2206,USR,User account unlocked from time
+AUDIT_RESP_ACCT_LOCK,2207,USR,User account was locked
+AUDIT_RESP_TERM_LOCK,2208,USR,Terminal was locked
+AUDIT_RESP_SEBOOL,2209,USR,Set an SELinux boolean
+AUDIT_RESP_EXEC,2210,USR,Execute a script
+AUDIT_RESP_SINGLE,2211,USR,Go to single user mode
+AUDIT_RESP_HALT,2212,USR,Take the system down
+AUDIT_USER_ROLE_CHANGE,2300,USR,User changed to a new SELinux role
+AUDIT_ROLE_ASSIGN,2301,USR,Administrator assigned user to SELinux role
+AUDIT_ROLE_REMOVE,2302,USR,Administrator removed user from SELinux role
+AUDIT_LABEL_OVERRIDE,2303,USR,Administrator is overriding a SELinux label
+AUDIT_LABEL_LEVEL_CHANGE,2304,USR,Object level SELinux label modified
+AUDIT_USER_LABELED_EXPORT,2305,USR,Object exported with SELinux label
+AUDIT_USER_UNLABELED_EXPORT,2306,USR,Object exported without SELinux label
+AUDIT_DEV_ALLOC,2307,USR,Device was allocated
+AUDIT_DEV_DEALLOC,2308,USR,Device was deallocated
+AUDIT_FS_RELABEL,2309,USR,Filesystem relabeled
+AUDIT_USER_MAC_POLICY_LOAD,2310,USR,Usersapce daemon loaded SELinux policy
+AUDIT_ROLE_MODIFY,2311,USR,Administrator modified an SELinux role
+AUDIT_USER_MAC_CONFIG_CHANGE,2312,USR,Change made to MAC (Mandatory Access Control) policy
+AUDIT_CRYPTO_TEST_USER,2400,USR,Cryptographic test results
+AUDIT_CRYPTO_PARAM_CHANGE_USER,2401,USR,Cryptographic attribute change
+AUDIT_CRYPTO_LOGIN,2402,USR,Cryptographic officer login
+AUDIT_CRYPTO_LOGOUT,2403,USR,Cryptographic officer logout
+AUDIT_CRYPTO_KEY_USER,2404,USR,"Create, delete, negotiate cryptographic key identifier"
+AUDIT_CRYPTO_FAILURE_USER,2405,USR,"Fail decrypt, encrypt or randomize operation"
+AUDIT_CRYPTO_REPLAY_USER,2406,USR,Cryptographic replay attack detected
+AUDIT_CRYPTO_SESSION,2407,USR,Parameters set during TLS session establishment
+AUDIT_CRYPTO_IKE_SA,2408,USR,Parameters related to IKE SA
+AUDIT_CRYPTO_IPSEC_SA,2409,USR,Parameters related to IPSEC SA
+AUDIT_VIRT_CONTROL,2500,USR,"Start, Pause, Stop VM"
+AUDIT_VIRT_RESOURCE,2501,USR,Resource assignment
+AUDIT_VIRT_MACHINE_ID,2502,USR,Binding of label to VM
+AUDIT_VIRT_INTEGRITY_CHECK,2503,USR,Guest integrity results
+AUDIT_VIRT_CREATE,2504,USR,Creation of guest image
+AUDIT_VIRT_DESTROY,2505,USR,Destruction of guest image
+AUDIT_VIRT_MIGRATE_IN,2506,USR,Inbound guest migration info
+AUDIT_VIRT_MIGRATE_OUT,2507,USR,Outbound guest migration info
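Review bot: The new AUDIT_APPARMOR_KILL row has `enum1507` in the VALUE column rather than a number, which will break any consumer that parses VALUE as an integer; going by the surrounding sequence it should read `AUDIT_APPARMOR_KILL,1507,SC,`. The SOURCE column also leaves AUDIT_AA empty and marks AUDIT_ANOM_LINK as `SC?`, so either the key in the commit message needs an explicit "undetermined" value or those cells should be resolved before tooling depends on the column. Since every line of the file is rewritten by this patch, the pre-existing spellings `DESCRIPITON`, `unanswerd` and `Usersapce` could be corrected in the same change.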
--
1.7.1
7 years, 11 months
ANOM_ABEND events are missing
by Steve Grubb
Hello Richard & Paul,
I have been noticing something lately. I have applications that crash and I
get a notification from abrtd but when I go looking, there is no matching
ANOM_ABEND records. This is on a 4.11.11 kernel.
The purpose of the ANOM_ABEND record is to indicate that a program has crashed
and received a SIGSEGV or any other signal that results in termination. By
any chance has something changed where our hook is placed? I also can't tell
you when this started, I have a feeling this has been happening for over a
year.
-Steve
7 years, 11 months
[GIT PULL] Audit fix for v4.13 (#1)
by Paul Moore
Hi Linus,
A small audit fix, just a single line, to plug a memory leak in some
audit error handling code. Please merge for the next 4.13-rcX
release.
Thanks,
-Paul
---
The following changes since commit cd33f5f2cbfaadc21270f3ddac7c3c33e0a1a28c:
audit: make sure we never skip the multicast broadcast
(2017-06-16 11:51:00 -0400)
are available in the git repository at:
git://git.infradead.org/users/pcmoore/audit stable-4.13
for you to fetch changes up to b0659ae5e30074ede1dc08f2c6d64f0c11d64e0f:
audit: fix memleak in auditd_send_unicast_skb. (2017-07-19 10:28:54 -0400)
----------------------------------------------------------------
Shu Wang (1):
audit: fix memleak in auditd_send_unicast_skb.
kernel/audit.c | 1 +
1 file changed, 1 insertion(+)
--
paul moore
www.paul-moore.com
7 years, 12 months
ENRICHED log_format not encoding all parameters
by Peter KRIVANSKY
Hello together,
I am writing to this mailing list as I have not found any working solution online.
We use the audit with ENRICHED log_format, but we see lots of parameters not being decoded from HEX,
Here are the auditd settings:
log_file = /var/log/audit/audit.log
log_format = ENRICHED
log_group = root
priority_boost = 4
flush = incremental
freq = 6000
num_logs = 10
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = hostname
max_log_file = 30
max_log_file_action = ROTATE
space_left = 150
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 100
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
tcp_listen_queue = 5
tcp_max_per_addr = 1
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
Installed audit Version:
2.6.5-3.el7_3.1
Here are the problem parts of the audit log (parameter a2):
node=hostname.domain.tld type=EXECVE msg=audit(1500536092.301:232170298): argc=3 a0="/bin/sh" a1="-c" a2=2F7573722F6C6F63616C2F6E6167696F732F6C6962657865632F636865636B5F6E727065202D32202D482031302E3130302E3135302E313732202D702035363636202D6320436865636B46696C6573202D74203230202D6120706174683D463A2F636C656172696E672F6D6366742F706F736569646F6E2F206D61782D6469722D64657074683D30207061747465726E3D2A33335F303535305F4C5F2A2E434B38202266696C7465723D7772697474656E206C74202D33306D20414E442073697A652067742031306222204D6178437269743D31
not decoded parameter (a14) in the middle:
node= hostname.domain.tld type=EXECVE msg=audit(1500536092.303:232170300): argc=16 a0="/usr/local/nagios/libexec/check_nrpe" a1="-2" a2="-H" a3="10.100.0.0" a4="-p" a5="5666" a6="-c" a7="CheckFiles" a8="-t" a9="20" a10="-a" a11="path=F:/clearing/mcft/poseidon/" a12="max-dir-depth=0" a13="pattern=*33_0550_L_*.CK8" a14=66696C7465723D7772697474656E206C74202D33306D20414E442073697A6520677420313062 a15="MaxCrit=1"
We need the ENRICHED log_format so we can analyze audit logs on a central log server. I tried increasing the „priority_boost“ parameter to 6 and the „freq“ parameter to 6000 to give auditd more time for decoding. Neither helped.
What I don’t understand is that sometimes it is the last parameter that is not decoded, and sometimes one in the middle; see the examples above.
Any kind of advice is welcome
With kind regards
Peter
This email and its content belong to Ingenico Group. The enclosed information is confidential and may not be disclosed to any unauthorized person. If you have received it by mistake do not forward it and delete it from your system. Cet email et son contenu sont la propriété du Groupe Ingenico. L’information qu’il contient est confidentielle et ne peut être communiquée à des personnes non autorisées. Si vous l’avez reçu par erreur ne le transférez pas et supprimez-le.
7 years, 12 months
[PATCH] audit: fix memleak in auditd_send_unicast_skb.
by shuwang@redhat.com
From: Shu Wang <shuwang(a)redhat.com>
Found this issue by kmemleak report, auditd_send_unicast_skb
did not free skb if rcu_dereference(auditd_conn) returns null.
unreferenced object 0xffff88082568ce00 (size 256):
comm "auditd", pid 1119, jiffies 4294708499
backtrace:
[<ffffffff8176166a>] kmemleak_alloc+0x4a/0xa0
[<ffffffff8121820c>] kmem_cache_alloc_node+0xcc/0x210
[<ffffffff8161b99d>] __alloc_skb+0x5d/0x290
[<ffffffff8113c614>] audit_make_reply+0x54/0xd0
[<ffffffff8113dfa7>] audit_receive_msg+0x967/0xd70
----------------
(gdb) list *audit_receive_msg+0x967
0xffffffff8113dff7 is in audit_receive_msg (kernel/audit.c:1133).
1132 skb = audit_make_reply(0, AUDIT_REPLACE, 0,
0, &pvnr, sizeof(pvnr));
---------------
[<ffffffff8113e402>] audit_receive+0x52/0xa0
[<ffffffff8166c561>] netlink_unicast+0x181/0x240
[<ffffffff8166c8e2>] netlink_sendmsg+0x2c2/0x3b0
[<ffffffff816112e8>] sock_sendmsg+0x38/0x50
[<ffffffff816117a2>] SYSC_sendto+0x102/0x190
[<ffffffff81612f4e>] SyS_sendto+0xe/0x10
[<ffffffff8176d337>] entry_SYSCALL_64_fastpath+0x1a/0xa5
[<ffffffffffffffff>] 0xffffffffffffffff
Signed-off-by: Shu Wang <shuwang(a)redhat.com>
---
kernel/audit.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/kernel/audit.c b/kernel/audit.c
index 833267b..6dd5569 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -641,6 +641,7 @@ static int auditd_send_unicast_skb(struct sk_buff *skb)
ac = rcu_dereference(auditd_conn);
if (!ac) {
rcu_read_unlock();
+ kfree_skb(skb);
rc = -ECONNREFUSED;
goto err;
}
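Review bot: The added `kfree_skb(skb)` on the no-auditd path is the right fix, but nothing documents that auditd_send_unicast_skb() now disposes of skb on every return, which is exactly the ownership property the leak violated; a comment above the signature such as `/* Consumes skb: freed here when no auditd is registered, otherwise handed off on the send path */` would make the contract explicit to callers. The send path and the `err:` label are outside this hunk, so whether the remaining paths already dispose of skb should be confirmed against the full function before that comment is taken as complete.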
--
2.5.0
8 years
[PATCH] Free skb at error context in auditd_send_unicast_skb().
by Masami Ichikawa
I got following memory leak reports by kmemleak.
unreferenced object 0xffff965962fa0600 (size 256):
comm "auditd", pid 401, jiffies 4294671604 (age 62.331s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffffb8859baa>] kmemleak_alloc+0x4a/0xa0
[<ffffffffb8238a96>] kmem_cache_alloc_node+0x146/0x1f0
[<ffffffffb870e52b>] __alloc_skb+0x5b/0x1e0
[<ffffffffb814fc5c>] audit_make_reply+0x5c/0xd0
[<ffffffffb815160a>] audit_receive_msg+0xa1a/0xe60
[<ffffffffb8151aa3>] audit_receive+0x53/0xa0
[<ffffffffb875e95b>] netlink_unicast+0x18b/0x220
[<ffffffffb875ecb5>] netlink_sendmsg+0x2c5/0x3c0
[<ffffffffb8705008>] sock_sendmsg+0x38/0x50
[<ffffffffb870558f>] SYSC_sendto+0x13f/0x180
[<ffffffffb870608e>] SyS_sendto+0xe/0x10
[<ffffffffb8003a57>] do_syscall_64+0x67/0x140
[<ffffffffb8865ca7>] return_from_SYSCALL_64+0x0/0x6a
[<ffffffffffffffff>] 0xffffffffffffffff
unreferenced object 0xffff96595a9da600 (size 512):
comm "auditd", pid 401, jiffies 4294671604 (age 62.331s)
hex dump (first 32 bytes):
14 00 00 00 31 05 00 00 00 00 00 00 00 00 00 00 ....1...........
91 01 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffffb8859baa>] kmemleak_alloc+0x4a/0xa0
[<ffffffffb823c8a3>] __kmalloc_node_track_caller+0x233/0x2f0
[<ffffffffb870d9d1>] __kmalloc_reserve.isra.38+0x31/0x90
[<ffffffffb870e557>] __alloc_skb+0x87/0x1e0
[<ffffffffb814fc5c>] audit_make_reply+0x5c/0xd0
[<ffffffffb815160a>] audit_receive_msg+0xa1a/0xe60
[<ffffffffb8151aa3>] audit_receive+0x53/0xa0
[<ffffffffb875e95b>] netlink_unicast+0x18b/0x220
[<ffffffffb875ecb5>] netlink_sendmsg+0x2c5/0x3c0
[<ffffffffb8705008>] sock_sendmsg+0x38/0x50
[<ffffffffb870558f>] SYSC_sendto+0x13f/0x180
[<ffffffffb870608e>] SyS_sendto+0xe/0x10
[<ffffffffb8003a57>] do_syscall_64+0x67/0x140
[<ffffffffb8865ca7>] return_from_SYSCALL_64+0x0/0x6a
[<ffffffffffffffff>] 0xffffffffffffffff
These skb objects have been allocated in audit_replace().
If an error occurs in auditd_send_unicast_skb(), the skb needs
to be freed.
Signed-off-by: Masami Ichikawa <masami256(a)gmail.com>
---
kernel/audit.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/kernel/audit.c b/kernel/audit.c
index 833267bbd80b..789f4cc1f481 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -659,6 +659,7 @@ static int auditd_send_unicast_skb(struct sk_buff *skb)
err:
if (ac && rc == -ECONNREFUSED)
auditd_reset(ac);
+ kfree_skb(skb);
return rc;
}
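Review bot: The added `kfree_skb(skb);` at the shared `err:` label runs on every error path, but netlink_unicast() takes ownership of the skb and frees it itself when the send fails, so when `err:` is reached after a failed netlink_unicast() this becomes a double free; only the path that bails out before the send ever reaches this label with an unconsumed skb (the no-connection case, which is the one the kmemleak trace in the description points at via audit_make_reply()). The body of auditd_send_unicast_skb() starts outside the hunk, so which jumps land on `err:` is inferred from the visible label and the `ac && rc == -ECONNREFUSED` test rather than seen directly. The leak is better fixed by freeing only on the branch that never called the send, i.e. `kfree_skb(skb);` placed immediately before that branch's `goto err;`, leaving the post-send path untouched. A one-line ownership note next to the send call, `/* netlink_unicast() consumes skb on both success and failure */`, would keep the next reader from reintroducing the unconditional free.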
--
2.13.0
[PATCH 00/15] v3 kernel core pieces refcount conversions
by Elena Reshetova
Changes in v3:
* SoB chain corrected
* minor corrections based on v2 feedback
* rebase on linux-next/master as of today
Changes in v2:
* dropped already merged patches
* rebase on top of linux-next/master
* Now by default refcount_t = atomic_t (*) and uses all atomic
standard operations unless CONFIG_REFCOUNT_FULL is enabled.
This is a compromise for the systems that are critical on
performance (such as net) and cannot accept even slight delay
on the refcounter operations.
This series, for core kernel components, replaces atomic_t reference
counters with the new refcount_t type and API (see include/linux/refcount.h).
By doing this we prevent intentional or accidental
underflows or overflows that can lead to use-after-free vulnerabilities.
The patches are fully independent and can be cherry-picked separately.
If there are no objections to the patches, please merge them via respective trees.
If you want to test with refcount_t protection enabled, CONFIG_REFCOUNT_FULL
must be enabled.
* The respective change is currently merged into -next as
"locking/refcount: Create unchecked atomic_t implementation".
Elena Reshetova (15):
kernel: convert sighand_struct.count from atomic_t to refcount_t
kernel: convert signal_struct.sigcnt from atomic_t to refcount_t
kernel: convert user_struct.__count from atomic_t to refcount_t
kernel: convert task_struct.usage from atomic_t to refcount_t
kernel: convert task_struct.stack_refcount from atomic_t to refcount_t
kernel: convert perf_event_context.refcount from atomic_t to
refcount_t
kernel: convert ring_buffer.refcount from atomic_t to refcount_t
kernel: convert ring_buffer.aux_refcount from atomic_t to refcount_t
kernel: convert uprobe.ref from atomic_t to refcount_t
kernel: convert nsproxy.count from atomic_t to refcount_t
kernel: convert group_info.usage from atomic_t to refcount_t
kernel: convert cred.usage from atomic_t to refcount_t
sched: convert numa_group.refcount from atomic_t to refcount_t
kernel: convert futex_pi_state.refcount from atomic_t to refcount_t
kernel: convert kcov.refcount from atomic_t to refcount_t
fs/exec.c | 4 ++--
fs/proc/task_nommu.c | 2 +-
include/linux/cred.h | 13 ++++++------
include/linux/init_task.h | 7 +++---
include/linux/nsproxy.h | 6 +++---
include/linux/perf_event.h | 3 ++-
include/linux/sched.h | 5 +++--
include/linux/sched/signal.h | 5 +++--
include/linux/sched/task.h | 4 ++--
include/linux/sched/task_stack.h | 2 +-
include/linux/sched/user.h | 5 +++--
kernel/cred.c | 46 ++++++++++++++++++++--------------------
kernel/events/core.c | 18 ++++++++--------
kernel/events/internal.h | 5 +++--
kernel/events/ring_buffer.c | 8 +++----
kernel/events/uprobes.c | 8 +++----
kernel/fork.c | 24 ++++++++++-----------
kernel/futex.c | 13 ++++++------
kernel/groups.c | 2 +-
kernel/kcov.c | 9 ++++----
kernel/nsproxy.c | 6 +++---
kernel/sched/fair.c | 8 +++----
kernel/user.c | 8 +++----
23 files changed, 110 insertions(+), 101 deletions(-)
--
2.7.4
AUDITs needed
by warron.french
This may be faster and also a better way to summarize and share with others.
I will list the AUDIT(test#letter) and then below it place *Method of
implementation:* and if the field is marked in green, it is validated by
someone
from linux-audit(a)redhat.com (Steve Grubb for example) and the text provided
will answer the question for other sysadmins with similar requirements (on
a per test#letter basis).
I am presenting what I need to know how to audit, in hopes of eliciting a
response of "BUILTIN" or a link or some text that clarifies what to do:
*AUDIT(A): Logons/Logoffs (success/failure)*
Method of implementation: Builtin to AUDITD (enable auditd)
*AUDIT(B): User {additions, deletions, modifications, suspensions and
lockings}*
Method of implementation: Builtin to AUDITD (enable auditd)
*AUDIT(C): Group and Role {additions, deletions and modifications}*
Method of implementation: Builtin to AUDITD (enable auditd)
*AUDITD(D): Security or Audit Policies*
Method of implementation:
*AUDIT(E): Configuration Changes* (please be patient with me, as I believe
this is way too broad a definition from my security people; however, there
is a field from aureport called "*Number of changes in configuration:*" too.
Method of implementation:
can this be done by; *-w /etc/ -p raw -k config_changes* even
this seems too broad a solution and I don't believe it will capture the
essence of
*AUDIT(E).*
*AUDIT(F): Admin/Root-level accesses*
Method of implementation:
can this be done by; *-w /bin/su -p x -k running_as_root -w /bin/sudo
-p x -k running_as_root -w /sbin/runuser -p x -k running_as_root*
*AUDIT(G): Privilege/Role Escalation *(I need to ask how this differs from
AUDIT(F) from my management/security people)
Method of implementation:
*AUDIT(H): System reboot/shutdown/change run-state*
Method of implementation:
can this be done by; *-w /sbin/init -p x -k run_state -w
/sbin/telinit -p x -k run_state*
*-w /sbin/shutdown -p x -k run_state -w /sbin/reboot -p x -k run_state
etc.. etc.. etc..*
*AUDIT(I): Application Initialization* (seems way too vague to me, don't
you all agree?)
Method of implementation:
*AUDIT(J): Writes/Downloads to external devices (thumb drives, media *(like
DvDs/CD), etc..
*)*Method of implementation:
can this be done by -a .... -F arch=b64 -S mount -S umount2 -F auid>=1000
-F auid!=4294967295 -k mount_datawrite_operations? No, what do I use?
*AUDIT(K): Print to a device or file*
Method of implementation:
*AUDIT(L): Audit data and log data access *(never mind, this would kill a
system - correct, unless I limit monitoring to audit.log.*)
Method of implementation:
*AUDIT(M): Device attach/detach mount/dismount *(Perhaps this would catch 1
or more than 1 individual doing something devious as a team in conjunction
with *AUDIT(J)*?)
Method of implementation:
Thank you for your vast patience and cooperation.
--------------------------
Warron French
Re: Auditing Logons/Logoffs
by Steve Grubb
On Friday, July 14, 2017 5:18:13 PM EDT warron.french wrote:
> OK, so no rules to be found specifically/explicitly in audit.rules (for
> RHEL6 nor RHEL7) because it is hardwired/embedded in the code of auditd
> already?
Not auditd. In whatever observes the event. Pam observes the login for sshd
and it creates/sends the event.
> Looks like if I run an aureport and see the summary it might imply what is
> tracked by default and then I can deduce beyond that reasonably that:
It would be a fraction of what is hardwired since it's based on system
activity. If you never run newgrp, then you will never see that event.
> 1. I either have a rule for something in audit.rules that is being
> summarized by aureport, and
> 2. can then attempt an ausearch of some appropriate context against the
> "test" that I need to validate.
>
> For example, User account modification, creation, deletion, suspensions and
> lockings might be covered as summarized by aureport under the category
> of - *Number of changes to accounts, groups, or roles:*
Locking would be under the anomaly category. Please see the explanation in
"User Login Lifecycle Events"
> Is that an appropriate assessment?
>
> If not, what do I need to do to address AUDIT(B) and AUDIT(C) tests?
They are generated automatically. You don't need to do anything for them.
> Thank you again, in advance. If you have something definitive I will read
> it, I just don't know how to look for these concepts apparently.
I already pointed you to the reading material. The specifications are written
to explain when certain hardwired events should be sent and what they mean.
Hardwired events mostly come from user space and never have a syscall record
attached. They also never have a key field.
-Steve
> On Fri, Jul 14, 2017 at 4:46 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
> > On Friday, July 14, 2017 3:51:16 PM EDT warron.french wrote:
> > > Back to this again, as I thought my coworker had addressed it months
> > > ago,
> > > but he did not as I cannot find anything.
> > >
> > > *THE_SUBJECT*: Auditing Logons and Logoffs (success/failures)
> > >
> > > I am aware of the following files:
> > > /var/log/faillog, and
> > > /var/log/lastlog
> > >
> > > The following link is relevant to RHEL5 (maybe 6 and 7??):
> > > https://www.stigviewer.com/stig/oracle_linux_5/2015-12-07/finding/V-818
> > >
> > > Is there an appropriate syscall for handling *THE_SUBJECT*?
> >
> > Nope. This is hardwired into the applications. There is a specification
> > here:
> >
> > https://github.com/linux-audit/audit-documentation/wiki/SPEC-User-Login-Lifecycle-Events
> >
> > That explains each event that is part of the login and logout and its
> > meaning.
> >
> > > Do I use the syntax as advised in the link provided at stigviewer.com?
> >
> > Nope. It's hardwired. As long as audit is enabled, you'll get them.
> >
> > -Steve
> >
> > > We are dealing with systems that do tie into IPA, but have to ensure
> > > *THE_SUBJECT* is being addressed and forwarded.
> > >
> > > I have to support both RHEL6 and RHEL7.
> > >
> > >
> > > Thanks in advance,
> > > --------------------------
> > > Warron French
AUDIT(C) - Group/Role addition, deletion modification
by warron.french
Same as AUDIT(B) only for roles and groups?
Simply put a watch rule on /etc/group and /etc/gshadow?
Is that really enough? Do I also monitor the executables for /bin/passwd,
/sbin/{groupadd, groupdel, groupmod, usermod}?
Usermod, because technically, you can affect memberships of a user with
this command and also useradd?
Is *that *suitable?
Is there an appropriate syscall for AUDIT(C)?
--------------------------
Warron French
AUDIT(B) - USER add, delete, modify, suspend and lock
by warron.french
Similar idea to the prior email:
I need to monitor local user account
*creation, modification, deletion, suspension and locking.*
I know that I can monitor: */etc/passwd, /etc/group, /etc/shadow* and
*/etc/gshadow*, but how do I monitor who modified wfrench inside
/etc/passwd?
Is:
*-w /etc/passwd -k monitor_account_manipulations*
Good enough?
--------------------------
Warron French
Auditing Logons/Logoffs
by warron.french
Back to this again, as I thought my coworker had addressed it months ago,
but he did not as I cannot find anything.
*THE_SUBJECT*: Auditing Logons and Logoffs (success/failures)
I am aware of the following files:
/var/log/faillog, and
/var/log/lastlog
The following link is relevant to RHEL5 (maybe 6 and 7??):
https://www.stigviewer.com/stig/oracle_linux_5/2015-12-07/finding/V-818
Is there an appropriate syscall for handling *THE_SUBJECT*?
Do I use the syntax as advised in the link provided at stigviewer.com?
We are dealing with systems that do tie into IPA, but have to ensure
*THE_SUBJECT* is being addressed and forwarded.
I have to support both RHEL6 and RHEL7.
Thanks in advance,
--------------------------
Warron French
message type dictionary clarifications
by Richard Guy Briggs
Hi,
In the process of updating the audit message type dictionary, I came
across a couple of differences I wanted to clear up.
The descriptions in the userspace header file don't obviously line up
with another source. Can I get a clarification on these two messages:
AUDIT_USER_ACCT 1101 User system access authorization
Alt: User account modification
AUDIT_USER_MGMT 1102 User account attribute change
Alt: Userspace management data
Similarly, these weren't clear to me as to whether they were active or
passive reports. Do these records say that the RESPonse happened, or
that the RESPonse should happen?
AUDIT_RESP_ALERT 2201 Alert email was sent
AUDIT_RESP_ANOMALY 2200 Anomaly not reacted to
AUDIT_RESP_EXEC 2210 Execute a script
AUDIT_RESP_HALT 2212 take the system down
AUDIT_RESP_KILL_PROC 2202 Kill program
AUDIT_RESP_SEBOOL 2209 Set an SELinux boolean
AUDIT_RESP_SINGLE 2211 Go to single user mode
AUDIT_RESP_TERM_ACCESS 2203 Terminate session
AUDIT_RESP_TERM_LOCK 2208 Terminal was locked
In particular, does AUDIT_RESP_EXEC mean something as simple as a script
was executed in response to some detected event, or intrusion detection
program responds to a threat originating from the execution of a
program? I suspect they are all active and this EXEC one means a script
was executed in response.
Thanks!
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
ausearch message type omissions
by Richard Guy Briggs
Hi,
In the process of creating/updating the audit message/record type
dictionary, I stumbled on the following two message types missing from
ausearch -m text:
This one is in the userspace header file. What is its meaning and is it
a printable record?
AUDIT_DAEMON_RECONFIG,1204,Auditd should reconfigure
This was added to test if a daemon was still listening and should be
logged that an attempt was made to replace it.
AUDIT_REPLACE,1329,Replace auditd if this probe unanswerd
Thanks!
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
Audit message dictionary
by Richard Guy Briggs
Hi,
I've created an audit message dictionary along the lines of the existing
audit field dictionary to add to the github audit documentation
repository.
It is checked in to:
https://github.com/linux-audit/audit-documentation/blob/master/specs/mess...
related to issue:
https://github.com/linux-audit/audit-documentation/issues/21
This is a preliminary commit that was created from userspace's
lib/libaudit.h and kernel's include/uapi/linux/audit.h, merging, sorting
and removing duplicates and verifying I've not missed anything obvious
from ausearch.
It might be useful to find a way to add the message range descriptions
to this CSV file, or to add them to another file in the same directory.
Comments, fixes and additions welcome.
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
Re: [PATCH] audit: Reduce overhead using a coarse clock
by Paul Moore
On Tue, Jul 4, 2017 at 3:41 PM, Deepa Dinamani <deepa.kernel(a)gmail.com> wrote:
> On Tue, Jul 4, 2017 at 12:20 PM, Arnd Bergmann <arnd(a)arndb.de> wrote:
>> On Tue, Jul 4, 2017 at 2:11 PM, Mel Gorman <mgorman(a)techsingularity.net> wrote:
>>>
>>> Signed-off-by: Mel Gorman <mgorman(a)techsingularity.net>
>>
>> Acked-by: Arnd Bergmann <arnd(a)arndb.de>
>
> Acked-by: Deepa Dinamani <deepa.kernel(a)gmail.com>
>
> As already Arnd pointed out, your patch should be fine as that is how
> it was before my patch. Since nobody saw any problems before my patch,
> lower granularity should be fine.
Agreed. Mel's patch basically restores the previous behavior while
keeping the 64-bit timestamp size.
Considering where we are at with the merge window, I'm going to merge
this into the audit/next branch and not send this up to Linus during
the current window; while the patch is small, I like to give things
some time in linux-next before sending them up.
--
paul moore
www.paul-moore.com
[PATCH 00/15] v2 kernel core refcount conversions
by Elena Reshetova
Changes in v2:
* dropped already merged patches
* rebase on top of linux-next/master
* Now by default refcount_t = atomic_t (*) and uses all atomic
standard operations unless CONFIG_REFCOUNT_FULL is enabled.
This is a compromise for the systems that are critical on
performance (such as net) and cannot accept even slight delay
on the refcounter operations.
This series, for core kernel components, replaces atomic_t reference
counters with the new refcount_t type and API (see include/linux/refcount.h).
By doing this we prevent intentional or accidental
underflows or overflows that can lead to use-after-free vulnerabilities.
The patches are fully independent and can be cherry-picked separately.
If there are no objections to the patches, please merge them via respective trees.
If you want to test with refcount_t protection enabled, CONFIG_REFCOUNT_FULL
must be enabled.
* The respective change is currently merged into -next as
"locking/refcount: Create unchecked atomic_t implementation".
Elena Reshetova (15):
kernel: convert sighand_struct.count from atomic_t to refcount_t
kernel: convert signal_struct.sigcnt from atomic_t to refcount_t
kernel: convert user_struct.__count from atomic_t to refcount_t
kernel: convert task_struct.usage from atomic_t to refcount_t
kernel: convert task_struct.stack_refcount from atomic_t to refcount_t
kernel: convert perf_event_context.refcount from atomic_t to
refcount_t
kernel: convert ring_buffer.refcount from atomic_t to refcount_t
kernel: convert ring_buffer.aux_refcount from atomic_t to refcount_t
kernel: convert uprobe.ref from atomic_t to refcount_t
kernel: convert nsproxy.count from atomic_t to refcount_t
kernel: convert group_info.usage from atomic_t to refcount_t
kernel: convert cred.usage from atomic_t to refcount_t
kernel: convert numa_group.refcount from atomic_t to refcount_t
kernel: convert futex_pi_state.refcount from atomic_t to refcount_t
kernel: convert kcov.refcount from atomic_t to refcount_t
fs/exec.c | 4 ++--
fs/proc/task_nommu.c | 2 +-
include/linux/cred.h | 13 ++++++------
include/linux/init_task.h | 7 +++---
include/linux/nsproxy.h | 6 +++---
include/linux/perf_event.h | 3 ++-
include/linux/sched.h | 5 +++--
include/linux/sched/signal.h | 5 +++--
include/linux/sched/task.h | 4 ++--
include/linux/sched/task_stack.h | 2 +-
include/linux/sched/user.h | 5 +++--
kernel/cred.c | 46 ++++++++++++++++++++--------------------
kernel/events/core.c | 18 ++++++++--------
kernel/events/internal.h | 5 +++--
kernel/events/ring_buffer.c | 8 +++----
kernel/events/uprobes.c | 8 +++----
kernel/fork.c | 24 ++++++++++-----------
kernel/futex.c | 13 ++++++------
kernel/groups.c | 2 +-
kernel/kcov.c | 9 ++++----
kernel/nsproxy.c | 6 +++---
kernel/sched/fair.c | 8 +++----
kernel/user.c | 8 +++----
23 files changed, 110 insertions(+), 101 deletions(-)
--
2.7.4
A note on the audit kernel next branch
by Paul Moore
Hello all,
Since I think there is a reasonable chance we are going to see more
capability auditing patches hit the audit/next branch during the
upcoming development cycle I'm going to refrain from the usual rebase
of the audit/next branch. Since the branch is currently based on
v4.11 I doubt this will have a significant impact, but if it does we
can reevaluate the base of the branch at a later date.
--
paul moore
www.paul-moore.com
[GIT PULL] Audit patches for v4.13
by Paul Moore
Hi Linus,
Things are relatively quiet on the audit front for v4.13, just five
patches for a total diffstat of 102 lines. There are two patches from
Richard to consistently record the POSIX capabilities and add the
ambient capability information as well. I also chipped in two patches
to fix a race condition with the auditd tracking code and ensure we
don't skip sending any records to the audit multicast group. Finally
a single style fix that I accepted because I must have been in a good
mood that day.
Everything passes our test suite, and should be relatively harmless,
please merge for v4.13.
Thanks,
-Paul
---
The following changes since commit 48d0e023af9799cd7220335baf8e3ba61eeafbeb:
audit: fix the RCU locking for the auditd_connection structure (2017-05-02 10:
16:05 -0400)
are available in the git repository at:
git://git.infradead.org/users/pcmoore/audit stable-4.13
for you to fetch changes up to cd33f5f2cbfaadc21270f3ddac7c3c33e0a1a28c:
audit: make sure we never skip the multicast broadcast
(2017-06-16 11:51:00 -0400)
----------------------------------------------------------------
Derek Robson (1):
audit: style fix
Paul Moore (2):
audit: fix a race condition with the auditd tracking code
audit: make sure we never skip the multicast broadcast
Richard Guy Briggs (2):
audit: unswing cap_* fields in PATH records
audit: add ambient capabilities to CAPSET and BPRM_FCAPS records
kernel/audit.c | 61 +++++++++++++++++++++++++---------------------------
kernel/audit.h | 29 ++++++++++++++-------------
kernel/auditsc.c | 12 ++++++++---
3 files changed, 53 insertions(+), 49 deletions(-)
--
paul moore
www.paul-moore.com
AUDIT YUM
by warron.french
Is there an audit system call associated with the use of rpm or yum?
Or is it best to setup a watch rule for both executables?
--------------------------
Warron French