RE: Audit log compression
by Wyatt, Curtis R
Our audit.rules file is governed by requirements, so we cannot reduce the amount of log data being generated.
>logrotate can be configured nicely. First big step is looking at
>what's going into the logs though. Are you logging at INFO level and
>do you need that. I've seen that be 90% or more of the log entries.
6 years, 5 months
[PATCH -next v3] cred: conditionally declare groups-related functions
by Ondrej Mosnacek
The groups-related functions declared in include/linux/cred.h are
defined in kernel/groups.c, which is compiled only when
CONFIG_MULTIUSER=y. Move all these function declarations under #ifdef
CONFIG_MULTIUSER to help avoid accidental usage in contexts where
CONFIG_MULTIUSER might be disabled.
This patch also adds a fallback for groups_search(). Currently this
function is only called from kernel/groups.c itself and
security/keys/permissions.c, where the call is (by coincidence)
optimized away in case CONFIG_MULTIUSER=n. However, the audit subsystem
(which does not depend on CONFIG_MULTIUSER) calls this function in
-next, so the fallback will be needed to avoid compilation errors or
ugly workarounds.
See also:
https://lkml.org/lkml/2018/6/20/670
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git/commit/...
Reported-by: Randy Dunlap <rdunlap(a)infradead.org>
Tested-by: Randy Dunlap <rdunlap(a)infradead.org>
Signed-off-by: Ondrej Mosnacek <omosnace(a)redhat.com>
---
Changes:
v2->v3: commit message corrections
v1->v2: change default return value of groups_search() to 1
include/linux/cred.h | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/include/linux/cred.h b/include/linux/cred.h
index 631286535d0f..7eed6101c791 100644
--- a/include/linux/cred.h
+++ b/include/linux/cred.h
@@ -65,6 +65,12 @@ extern void groups_free(struct group_info *);
extern int in_group_p(kgid_t);
extern int in_egroup_p(kgid_t);
+extern int groups_search(const struct group_info *, kgid_t);
+
+extern int set_current_groups(struct group_info *);
+extern void set_groups(struct cred *, struct group_info *);
+extern bool may_setgroups(void);
+extern void groups_sort(struct group_info *);
#else
static inline void groups_free(struct group_info *group_info)
{
@@ -78,12 +84,11 @@ static inline int in_egroup_p(kgid_t grp)
{
return 1;
}
+static inline int groups_search(const struct group_info *group_info, kgid_t grp)
+{
+ return 1;
+}
#endif
-extern int set_current_groups(struct group_info *);
-extern void set_groups(struct cred *, struct group_info *);
-extern int groups_search(const struct group_info *, kgid_t);
-extern bool may_setgroups(void);
-extern void groups_sort(struct group_info *);
/*
* The security context of a task
--
2.17.1
6 years, 5 months
Audit log compression
by Wyatt, Curtis R
What is the best/preferred method for compressing audit logs?
I was thinking logrotate wouldn't work because auditd usually rotates it's own logs and is smarter about rotating logs (I.e., based on log size as opposed to having to wait before log rotate is kicked off).
Thanks
6 years, 5 months
[RFC PATCH ghak10 v2 0/5] audit: Log modifying adjtimex(2) calls
by Ondrej Mosnacek
This patchset adds a new AUDIT_TIME_ADJUSTED record type, which is
associated to the adjtimex(2) syscall record whenever it is invoked in
non-read-only mode.
Changes in v2:
- The audit_adjtime() function has been modified to only log those fields that contain values that are actually used, resulting in more compact records.
- The audit_adjtime() call has been moved to do_adjtimex() in timekeeping.c
- Added an additional patch (for review) that simplifies the detection if the syscall is read-only.
6 years, 5 months
[PATCH -next v2] cred: conditionally declare groups-related functions
by Ondrej Mosnacek
The groups-related functions declared in include/linux/cred.h are
defined in kernel/groups.c, which is compiled only when
CONFIG_MULTIUSER=y. Move all these function declarations under #ifdef
CONFIG_MULTIUSER to help avoid accidental usage in contexts where
CONFIG_MULTIUSER might be disabled.
This patch also adds a fallback for groups_search(). Currently this
function is only called from kernel/groups.c itself and
keys/permissions.c, which depends on CONFIG_MULTIUSER. However, the
audit subsystem (which does not depend on CONFIG_MULTIUSER) calls this
function in -next, so the fallback will be needed to avoid compilation
errors or ugly workarounds.
See also:
https://lkml.org/lkml/2018/6/20/670
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git/commit/...
Reported-by: Randy Dunlap <rdunlap(a)infradead.org>
Signed-off-by: Ondrej Mosnacek <omosnace(a)redhat.com>
---
include/linux/cred.h | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/include/linux/cred.h b/include/linux/cred.h
index 631286535d0f..7eed6101c791 100644
--- a/include/linux/cred.h
+++ b/include/linux/cred.h
@@ -65,6 +65,12 @@ extern void groups_free(struct group_info *);
extern int in_group_p(kgid_t);
extern int in_egroup_p(kgid_t);
+extern int groups_search(const struct group_info *, kgid_t);
+
+extern int set_current_groups(struct group_info *);
+extern void set_groups(struct cred *, struct group_info *);
+extern bool may_setgroups(void);
+extern void groups_sort(struct group_info *);
#else
static inline void groups_free(struct group_info *group_info)
{
@@ -78,12 +84,11 @@ static inline int in_egroup_p(kgid_t grp)
{
return 1;
}
+static inline int groups_search(const struct group_info *group_info, kgid_t grp)
+{
+ return 1;
+}
#endif
-extern int set_current_groups(struct group_info *);
-extern void set_groups(struct cred *, struct group_info *);
-extern int groups_search(const struct group_info *, kgid_t);
-extern bool may_setgroups(void);
-extern void groups_sort(struct group_info *);
/*
* The security context of a task
--
2.17.1
6 years, 5 months
unlimit retries for remote plugin restart
by Levin Stanislav
Hello All!
I have a question.
Let's assume we have client's audit service and audit gatherer placed on
a remote host.
Using au-remote plugin client sends logs to remote.
Let's stop (do not start then) remote's audit service and restart
client's one.
After that overcome max_restarts limit (e.g. default 10) from
/etc/audisp/audispd.conf by audit's events.
Then start remote's audit service and trigger any audit event on client.
But audisp-remote process is dead ("plugin /sbin/audisp-remote has
exceeded max_restarts").
How can i solve this issue without client's audit service
restart? Is it possible by any settings/configs?
Any help would be appreciated.
Thank you in advance.
6 years, 5 months
[PATCH] kernel: audit_tree: Fix a sleep-in-atomic-context bug
by Jia-Ju Bai
The kernel may sleep with holding a spinlock.
The function call paths (from bottom to top) in Linux-4.16.7 are:
[FUNC] kmem_cache_alloc(GFP_KERNEL)
fs/notify/mark.c, 439:
kmem_cache_alloc in fsnotify_attach_connector_to_object
fs/notify/mark.c, 520:
fsnotify_attach_connector_to_object in fsnotify_add_mark_list
fs/notify/mark.c, 590:
fsnotify_add_mark_list in fsnotify_add_mark_locked
kernel/audit_tree.c, 437:
fsnotify_add_mark_locked in tag_chunk
kernel/audit_tree.c, 423:
spin_lock in tag_chunk
[FUNC] kmem_cache_alloc(GFP_KERNEL)
fs/notify/mark.c, 439:
kmem_cache_alloc in fsnotify_attach_connector_to_object
fs/notify/mark.c, 520:
fsnotify_attach_connector_to_object in fsnotify_add_mark_list
fs/notify/mark.c, 590:
fsnotify_add_mark_list in fsnotify_add_mark_locked
kernel/audit_tree.c, 291:
fsnotify_add_mark_locked in untag_chunk
kernel/audit_tree.c, 258:
spin_lock in untag_chunk
To fix this bug, GFP_KERNEL is replaced with GFP_ATOMIC.
This bug is found by my static analysis tool (DSAC-2) and checked by my
code review.
Signed-off-by: Jia-Ju Bai <baijiaju1990(a)gmail.com>
---
fs/notify/mark.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/notify/mark.c b/fs/notify/mark.c
index e9191b416434..c664853b8585 100644
--- a/fs/notify/mark.c
+++ b/fs/notify/mark.c
@@ -436,7 +436,7 @@ static int fsnotify_attach_connector_to_object(
{
struct fsnotify_mark_connector *conn;
- conn = kmem_cache_alloc(fsnotify_mark_connector_cachep, GFP_KERNEL);
+ conn = kmem_cache_alloc(fsnotify_mark_connector_cachep, GFP_ATOMIC);
if (!conn)
return -ENOMEM;
spin_lock_init(&conn->lock);
--
2.17.0
6 years, 6 months
Re: linux-next: Tree for Jun 20 (kernel/auditsc.c)
by Randy Dunlap
On 06/19/2018 09:42 PM, Stephen Rothwell wrote:
> Hi all,
>
> Changes since 20180619:
>
on x86_64:
kernel/auditsc.o: In function `audit_filter_rules.isra.20':
auditsc.c:(.text+0x8c5): undefined reference to `groups_search'
auditsc.c:(.text+0x909): undefined reference to `groups_search'
Reported-by: Randy Dunlap <rdunlap(a)infradead.org>
Full randconfig file is attached.
--
~Randy
6 years, 6 months
[RFC PATCH ghak10 1/3] audit: Add AUDIT_TIME_ADJUSTED record type
by Ondrej Mosnacek
This auxiliary record type will be used to annotate the adjtimex SYSCALL
records with the information that the clock has been adjusted. This
record shall be emitted only when the clock is modified (including
changes that have no effect, e.g. adjust by zero offset, etc.).
Signed-off-by: Ondrej Mosnacek <omosnace(a)redhat.com>
---
include/uapi/linux/audit.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 04f9bd249094..d7dab9e94932 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -114,6 +114,7 @@
#define AUDIT_REPLACE 1329 /* Replace auditd if this packet unanswerd */
#define AUDIT_KERN_MODULE 1330 /* Kernel Module events */
#define AUDIT_FANOTIFY 1331 /* Fanotify access decision */
+#define AUDIT_TIME_ADJUSTED 1332 /* Clock adjustment event (aux for SYSCALL) */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
--
2.17.1
6 years, 6 months
audit 2.8.4 released
by Steve Grubb
Hello,
I've just released a new version of the audit daemon. It can be
downloaded from http://people.redhat.com/sgrubb/audit. It will also be
in rawhide soon. The ChangeLog is:
- Generate checkpoint file even when not results are returned (Burn Alting)
- Fix log file creation when file logging is disabled entirely (Vlad
Glagolev)
- Use SIGCONT to dump auditd internal state (#1504251)
- Fix parsing of virtual timestamp fields in ausearch_expression (#1515903)
- Fix parsing of uid & success for ausearch
- Hide lru symbols in auparse
- Fix aureport summary time range reporting
- Allow unlimited retries on startup for remote logging
- Add queue_depth to remote logging stats and increase default queue_depth
size
This is a bugfix release from the audit-2.8 maintenance branch. It is
entirely cherry picked bugfixes from the audit master branch. This might be
the last release for the 2.8 code base. We'll just have to see. Work on the
audit-3.0 release is moving along and is due for release around late summer.
SHA256: a410694d09fc5708d980a61a5abcb9633a591364f1ecc7e97ad5daef9c898c38
Please let me know if you run across any problems with this release.
-Steve
6 years, 6 months
