On Mon, 2014-09-08 at 14:53 -0400, Steve Grubb wrote:
Hell Richard,
On Sunday, August 24, 2014 06:34:04 PM Richard Guy Briggs wrote:
> This is a part of Peter Moody, my and Eric Paris' work to implement
> audit by executable name.
So, what's the status on this? Is it scheduled for the next upstream kernel?
This is a feature that's been missing for a long time. Many people will find
this useful.
Also, has anyone beside Richard been testing this?
I tested it when I wrote it. But don't know about this patch series.
Is that worth anything? :)
Thanks,
-Steve
> Please see the accompanying userspace patch:
>
https://www.redhat.com/archives/linux-audit/2014-May/msg00019.html
> The userspace interface is not expected to change appreciably unless
> something important has been overlooked. Setting and deleting rules works
> as expected.
>
> If the path does not exist at rule creation time, it will be re-evaluated
> every time there is a change to the parent directory at which point the
> change in device and inode will be noted.
>
>
> Here's a test run:
>
> # /usr/local/sbin/auditctl -a always,exit -F dir=/tmp -F exe=/bin/touch -F
> key=touch_tmp # /usr/local/sbin/ausearch --start recent -k touch_tmp
> time->Mon Jun 30 14:15:06 2014
> type=CONFIG_CHANGE msg=audit(1404152106.683:149): auid=0 ses=1
> subj=unconfined_u :unconfined_r:auditctl_t:s0-s0:c0.c1023 op="add rule"
> key="touch_tmp" list=4 res =1
>
> # /usr/local/sbin/auditctl -l
> -a always,exit -S all -F dir=/tmp -F exe=/bin/touch -F key=touch_tmp
>
> # touch /tmp/test
>
> # /usr/local/sbin/ausearch --start recent -k touch_tmp
> time->Wed Jul 2 12:18:47 2014
> type=UNKNOWN[1327] msg=audit(1404317927.319:132):
> proctitle=746F756368002F746D702F74657374 type=PATH
> msg=audit(1404317927.319:132): item=1 name="/tmp/test" inode=25997
> dev=00:20 mode=0100644 ouid=0 ogid=0 rdev=00:00
> obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE type=PATH
> msg=audit(1404317927.319:132): item=0 name="/tmp/" inode=11144 dev=00:20
> mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0
> nametype=PARENT type=CWD msg=audit(1404317927.319:132): cwd="/root"
> type=SYSCALL msg=audit(1404317927.319:132): arch=c000003e syscall=2
> success=yes exit=3 a0=7ffffa403dd5 a1=941 a2=1b6 a3=34b65b2c6c items=2
> ppid=4321 pid=6436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/touch"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key="touch_tmp"
>
>
> Revision history:
> v4: Re-order and squash down fixups
> Fix audit_dup_exe() to copy pathname string before calling
> audit_alloc_mark().
>
> v3: Rationalize and rename some function names and clean up get/put and free
> code. Rename several "watch" references to "mark".
> Rename audit_remove_rule() to audit_remove_mark_rule().
> Let audit_free_rule() take care of calling audit_remove_mark().
> Put audit_alloc_mark() arguments in same order as watch, tree and inode.
> Move the access to the entry for audit_match_signal() to the beginning of
> the function in case the entry found is the same one passed in. This will
> enable it to be used by audit_remove_mark_rule().
>
https://www.redhat.com/archives/linux-audit/2014-July/msg00000.html
>
> v2: Misguided attempt to add in audit_exe similar to watches
>
https://www.redhat.com/archives/linux-audit/2014-June/msg00066.html
>
> v1.5: eparis' switch to fsnotify
>
https://www.redhat.com/archives/linux-audit/2014-May/msg00046.html
>
https://www.redhat.com/archives/linux-audit/2014-May/msg00066.html
>
> v1: Change to path interface instead of inode
>
https://www.redhat.com/archives/linux-audit/2014-May/msg00017.html
>
> v0: Peter Moodie's original patches
>
https://www.redhat.com/archives/linux-audit/2012-August/msg00033.html
>
>
> Next step:
> Get full-path notify working.
>
>
> Eric Paris (3):
> audit: implement audit by executable
> audit: clean simple fsnotify implementation
> audit: convert audit_exe to audit_fsnotify
>
> Richard Guy Briggs (1):
> audit: avoid double copying the audit_exe path string
>
> include/linux/audit.h | 1 +
> include/uapi/linux/audit.h | 2 +
> kernel/Makefile | 2 +-
> kernel/audit.h | 39 +++++++
> kernel/audit_exe.c | 49 +++++++++
> kernel/audit_fsnotify.c | 237
> ++++++++++++++++++++++++++++++++++++++++++++ kernel/auditfilter.c |
> 51 +++++++++-
> kernel/auditsc.c | 16 +++
> 8 files changed, 394 insertions(+), 3 deletions(-)
> create mode 100644 kernel/audit_exe.c
> create mode 100644 kernel/audit_fsnotify.c