On 16/04/28, Deepika Sundar wrote:
> Thank you for all the replies and sorry, I am new to this audit subsystem
> field.
> I am facing the problem in the initial stage itself: where to add the
> new field in the source code? As per my understanding of the code below,
> is it possible to fine tune it by adding a new field, say "APPLICATION ID",
> in that structure?
> If not possible, what is the impact? OR
> Is it possible to add a new member without any impact?
> Please suggest me some idea where a new field in the audit structure can be
> added without breaking compatibility. Provide documentation where I
> can refer to do it.
> Once I am clear with the method I can share the code for review.
There is a list of technical resources at:
http://people.redhat.com/sgrubb/audit/
with a section on "Specs".
In particular, please see:
http://people.redhat.com/sgrubb/audit/audit-events.txt
http://people.redhat.com/sgrubb/audit/audit-parse.txt
I don't understand what this is below...
> Kernel/audit.c
>
> void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
> {
>         const struct cred *cred;
>         char comm[sizeof(tsk->comm)];
>         char *tty;
>
>         if (!ab)
>                 return;
>
>         /* tsk == current */
>         cred = current_cred();
>
>         spin_lock_irq(&tsk->sighand->siglock);
>         if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
>                 tty = tsk->signal->tty->name;
>         else
>                 tty = "(none)";
>         spin_unlock_irq(&tsk->sighand->siglock);
>
>         audit_log_format(ab,
>                          " ppid=%d pid=%d auid=%u uid=%u gid=%u"
>                          " euid=%u suid=%u fsuid=%u"
>                          " egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
>                          task_ppid_nr(tsk),
>                          task_pid_nr(tsk),
>                          from_kuid(&init_user_ns, audit_get_loginuid(tsk)),
>                          from_kuid(&init_user_ns, cred->uid),
>                          from_kgid(&init_user_ns, cred->gid),
>                          from_kuid(&init_user_ns, cred->euid),
>                          from_kuid(&init_user_ns, cred->suid),
>                          from_kuid(&init_user_ns, cred->fsuid),
>                          from_kgid(&init_user_ns, cred->egid),
>                          from_kgid(&init_user_ns, cred->sgid),
>                          from_kgid(&init_user_ns, cred->fsgid),
>                          tty,
>                          audit_get_sessionid(tsk),
>                          ApplicationID............);  /* proposed new argument, marked "+" in the original message */
>
>         audit_log_format(ab, " comm=");
>         audit_log_untrustedstring(ab, get_task_comm(comm, tsk));
>
>         audit_log_d_path_exe(ab, tsk->mm);
>         audit_log_task_context(ab);
> }
> On Tue, Apr 26, 2016 at 6:07 AM, Richard Guy Briggs <rgb(a)redhat.com> wrote:
> > On 16/04/25, Deepika Sundar wrote:
> > > I wanted to add the namespace information in the audit record, for example
> > > pid_ns, user_ns, net_ns. Is there any possibility to add this field inside the
> > > audit structure?
> >
> > We've been looking at this issue for several years now and don't have an
> > obvious solution yet. There has been discussion on this list. It is on
> > the radar:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1045666
> >
> > > On Thu, Apr 21, 2016 at 6:28 PM, Paul Moore <pmoore(a)redhat.com> wrote:
> > > > As we've already mentioned several times, we can make no guarantees
> > > > regarding functionality or compatibility without seeing your code.
> > > > While it may be frustrating, this is how Open Source development
> > > > works.
> > > >
> > > > If you are interested in our help you will need to describe, in
> > > > detail, what you are trying to do and ideally post your existing code
> > > > so it can be reviewed.
> > > >
> > > > On Thu, Apr 21, 2016 at 1:25 AM, Deepika Sundar
> > > > <sundar.deepika18(a)gmail.com> wrote:
> > > > > Okay, if I update ausearch/aureport in order to be aware of the new
> > > > > field in the audit log structure, can it be a feasible one?
> > > > >
> > > > > On Wed, Apr 20, 2016 at 6:00 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
> > > > >>
> > > > >> On Wednesday, April 20, 2016 10:05:42 AM Deepika Sundar wrote:
> > > > >> > In a general way, are there any compatibility issues if the audit log
> > > > >> > structure gets modified?
> > > > >>
> > > > >> Yes, there can be problems if the log structure gets modified.
> > > > >> Ausearch/report are highly optimized for an exact format.
> > > > >>
> > > > >> -Steve
> > > > >>
> > > > >> > On Wed, Apr 13, 2016 at 6:01 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
> > > > >> > > On Wednesday, April 13, 2016 11:03:43 AM Deepika Sundar wrote:
> > > > >> > > > As per my understanding the audit log structure can be extended
> > > > >> > > > based on requirements, and in my project I need to add the
> > > > >> > > > identifier field for the application; as of now I am not able to
> > > > >> > > > reveal what application I am trying to develop to update. So, is
> > > > >> > > > there any possibility that I can do it without breaking
> > > > >> > > > compatibility?
> > > > >> > >
> > > > >> > > I have no idea what you are doing so there is no guarantee that it
> > > > >> > > won't break something. If your project is going to be released as
> > > > >> > > open source it's generally best to collaborate with people so that
> > > > >> > > problems can be pointed out. Otherwise you risk spending a lot of
> > > > >> > > time on something only to have it rejected.
> > > > >> > >
> > > > >> > > -Steve
> > > > >> > >
> > > > >> > > > OR if there are any compatibility issues please specify.
> > > > >> > > >
> > > > >> > > > On Fri, Apr 8, 2016 at 12:12 AM, Paul Moore <paul(a)paul-moore.com>
> > > > >> > > > wrote:
> > > > >> > > > > On Thu, Apr 7, 2016 at 12:47 AM, Deepika Sundar
> > > > >> > > > > <sundar.deepika18(a)gmail.com> wrote:
> > > > >> > > > > > In the same way, on the kernel side, can I add one new field to
> > > > >> > > > > > the audit log structure without breaking compatibility? If so,
> > > > >> > > > > >
> > > > >> > > > > > 1. How can I add a new field without breaking compatibility?
> > > > >> > > > > >
> > > > >> > > > > > or
> > > > >> > > > > >
> > > > >> > > > > > 2. Is there any reserved field in the audit log structure that
> > > > >> > > > > > I can make use of?
> > > > >> > > > >
> > > > >> > > > > You need to be more specific about what you are trying to do.
> > > > >> > > > > Speaking generally, unless you work to get your changes merged
> > > > >> > > > > into the upstream kernel and userspace tools we cannot guarantee
> > > > >> > > > > present or future compatibility.
> > > > >> > > > >
> > > > >> > > > > www.paul-moore.com
> > > > >> > > > > paul moore
> >
> > - RGB
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
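Added example (not code from this thread, the kernel, or the audit userspace): a small Python parser for the key=value records that audit_log_task_info() emits, decoding the untrusted-string encoding used for comm= and exe=, and showing that a consumer keyed on field names reads the existing fields unchanged when an extra key is appended. The sample records, the appid= key and the UNTRUSTED_KEYS set are constructed for this example.

```python
import re

# Constructed sample records in the shape audit_log_task_info() emits; the
# "appid=" key on the second line is a hypothetical extra field, not kernel output.
SAMPLES = [
    'type=SYSCALL msg=audit(1461600000.123:42): arch=c000003e syscall=59 success=yes'
    ' exit=0 ppid=1000 pid=1001 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000'
    ' fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="bash"'
    ' exe="/usr/bin/bash"',
    'type=SYSCALL msg=audit(1461600001.456:43): arch=c000003e syscall=59 success=yes'
    ' exit=0 ppid=1001 pid=1002 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000'
    ' fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1'
    ' comm=6E6F7420736166652022 exe="/usr/bin/python3" appid=demo-42',
]

# Keys written via audit_log_untrustedstring(), hence possibly hex-encoded
# (a fixed set chosen for this example, not a table taken from the kernel).
UNTRUSTED_KEYS = {"comm", "exe", "proctitle", "cwd", "name"}
# The fields audit_log_task_info() contributes, in the order the thread shows.
TASK_INFO_KEYS = ("ppid", "pid", "auid", "uid", "gid", "euid", "suid", "fsuid",
                  "egid", "sgid", "fsgid", "tty", "ses", "comm", "exe")
MSG_RE = re.compile(r"^audit\((\d+\.\d+):(\d+)\):$")


def decode_untrusted(value):
    """Quoted text comes back unchanged; otherwise the kernel emitted the bytes as
    uppercase hex because the string held a control char, space or quote."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value  # e.g. "(null)": left as-is


def parse_record(line):
    """One record -> dict.  Values never contain spaces or quotes, so splitting on
    whitespace is exact; unknown keys are kept rather than rejected."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError("malformed token %r" % token)
        if key == "msg":  # msg=audit(<secs>.<ms>:<serial>):
            fields["time"], fields["serial"] = MSG_RE.match(value).groups()
            continue
        fields[key] = decode_untrusted(value) if key in UNTRUSTED_KEYS else value
    return fields


def task_info(line):
    """Only the audit_log_task_info() fields; any appended key is ignored."""
    rec = parse_record(line)
    return {k: rec[k] for k in TASK_INFO_KEYS if k in rec}
```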