On Thursday, October 02, 2014 11:06:51 PM Richard Guy Briggs wrote:
 This is a part of Peter Moody, my and Eric Paris' work to implement
 audit by executable name.
Does this patch set define an AUDIT_VERSION_SOMETHING and then set
AUDIT_VERSION_LATEST to it? If not, I need one to tell if the kernel supports
it when issuing commands. Also, if it's conceivable that kernels may pick and
choose what features could be backported to a curated kernel, should
AUDIT_VERSION_ be a number that is incremented or a bit mask?
-Steve
 Please see the accompanying userspace patch:
     https://www.redhat.com/archives/linux-audit/2014-May/msg00019.html
 The userspace interface is not expected to change appreciably unless
 something important has been overlooked.  Setting and deleting rules works
 as expected.
 
 If the path does not exist at rule creation time, it will be re-evaluated
 every time there is a change to the parent directory at which point the
 change in device and inode will be noted.
 
 
 Here's a sample run:
 
 # /usr/local/sbin/auditctl -a always,exit -F dir=/tmp -F exe=/bin/touch -F key=touch_tmp
 # /usr/local/sbin/ausearch --start recent -k touch_tmp
 time->Mon Jun 30 14:15:06 2014
 type=CONFIG_CHANGE msg=audit(1404152106.683:149): auid=0 ses=1 subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 op="add_rule" key="touch_tmp" list=4 res=1
 
 # /usr/local/sbin/auditctl -l
 -a always,exit -S all -F dir=/tmp -F exe=/bin/touch -F key=touch_tmp
 
 # touch /tmp/test
 
 # /usr/local/sbin/ausearch --start recent -k touch_tmp
 time->Wed Jul  2 12:18:47 2014
 type=UNKNOWN[1327] msg=audit(1404317927.319:132): proctitle=746F756368002F746D702F74657374
 type=PATH msg=audit(1404317927.319:132): item=1 name="/tmp/test" inode=25997 dev=00:20 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE
 type=PATH msg=audit(1404317927.319:132): item=0 name="/tmp/" inode=11144 dev=00:20 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT
 type=CWD msg=audit(1404317927.319:132):  cwd="/root"
 type=SYSCALL msg=audit(1404317927.319:132): arch=c000003e syscall=2 success=yes exit=3 a0=7ffffa403dd5 a1=941 a2=1b6 a3=34b65b2c6c items=2 ppid=4321 pid=6436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="touch_tmp"
 
 
 Revision history:
 v5: Revert patch "Let audit_free_rule() take care of calling
     audit_remove_mark()." since it caused a group mark deadlock.
 
 v4: Re-order and squash down fixups
     Fix audit_dup_exe() to copy pathname string before calling
     audit_alloc_mark().
 
 v3: Rationalize and rename some function names and clean up get/put and free
     code. Rename several "watch" references to "mark".
     Rename audit_remove_rule() to audit_remove_mark_rule().
     Let audit_free_rule() take care of calling audit_remove_mark().
     Put audit_alloc_mark() arguments in same order as watch, tree and inode.
     Move the access to the entry for audit_match_signal() to the beginning of
     the function in case the entry found is the same one passed in. This will
     enable it to be used by audit_remove_mark_rule().
     https://www.redhat.com/archives/linux-audit/2014-July/msg00000.html
 
 v2: Misguided attempt to add in audit_exe similar to watches
     https://www.redhat.com/archives/linux-audit/2014-June/msg00066.html
 
 v1.5: eparis' switch to fsnotify
     https://www.redhat.com/archives/linux-audit/2014-May/msg00046.html
     https://www.redhat.com/archives/linux-audit/2014-May/msg00066.html
 
 v1: Change to path interface instead of inode
     https://www.redhat.com/archives/linux-audit/2014-May/msg00017.html
 
 v0: Peter Moody's original patches
     https://www.redhat.com/archives/linux-audit/2012-August/msg00033.html
 
 
 Next step:
 Get full-path notify working.
 
 
 Eric Paris (3):
   audit: implement audit by executable
   audit: clean simple fsnotify implementation
   audit: convert audit_exe to audit_fsnotify
 
 Richard Guy Briggs (2):
   audit: avoid double copying the audit_exe path string
   Revert "fixup! audit: clean simple fsnotify implementation"
 
  include/linux/audit.h      |    1 +
  include/uapi/linux/audit.h |    2 +
  kernel/Makefile            |    2 +-
  kernel/audit.h             |   39 +++++++
  kernel/audit_exe.c         |   49 +++++++++
  kernel/audit_fsnotify.c    |  237 ++++++++++++++++++++++++++++++++++++++++++++
  kernel/auditfilter.c       |   52 +++++++++-
  kernel/auditsc.c           |   16 +++
  8 files changed, 395 insertions(+), 3 deletions(-)
  create mode 100644 kernel/audit_exe.c
  create mode 100644 kernel/audit_fsnotify.c
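As an added example for this page (not code from the thread, from the patch set, or from the audit userspace tools): a small Python parser for the ausearch output quoted above. It groups records by audit serial and pulls out the fields a detection rule would key on (exe, comm, syscall, the PATH items in order, the decoded command line). SAMPLE_LOG is the thread's own sample run, reflowed to one record per line; every function name is my own. Two details of that output matter when reading it: record type 1327, printed as UNKNOWN[1327] because the userspace of the time had no name for it, is the PROCTITLE record (hex-encoded argv with NUL separators), and the SYSCALL record's exe= field carries the path the kernel resolved for the running binary (/usr/bin/touch here), not the string the rule was written with (/bin/touch), so comparing rule text against log text is not the same test the kernel applied.

```python
"""Parse audit records (the ausearch output format shown in the thread) into
per-serial events and select those produced by a keyed rule.

Added example for this page; not part of the patch set or of audit userspace.
SAMPLE_LOG is the thread's sample run, reflowed to one record per line."""
import re
from collections import defaultdict

# One record: type=<TYPE> msg=audit(<secs>.<msecs>:<serial>): <key=value ...>
HEADER_RE = re.compile(r'^type=(\S+)\s+msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# Fields are key=value pairs; a value is either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

SAMPLE_LOG = """\
time->Mon Jun 30 14:15:06 2014
type=CONFIG_CHANGE msg=audit(1404152106.683:149): auid=0 ses=1 subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 op="add_rule" key="touch_tmp" list=4 res=1
time->Wed Jul  2 12:18:47 2014
type=UNKNOWN[1327] msg=audit(1404317927.319:132): proctitle=746F756368002F746D702F74657374
type=PATH msg=audit(1404317927.319:132): item=1 name="/tmp/test" inode=25997 dev=00:20 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE
type=PATH msg=audit(1404317927.319:132): item=0 name="/tmp/" inode=11144 dev=00:20 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT
type=CWD msg=audit(1404317927.319:132):  cwd="/root"
type=SYSCALL msg=audit(1404317927.319:132): arch=c000003e syscall=2 success=yes exit=3 a0=7ffffa403dd5 a1=941 a2=1b6 a3=34b65b2c6c items=2 ppid=4321 pid=6436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="touch_tmp"
"""


def parse_record(line):
    """Split one record line into (type, timestamp, serial, {field: value}).
    Returns None for 'time->' headers, separators and blank lines."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {}
    for key, val in FIELD_RE.findall(rest):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]      # quoted value: strip the quotes
        fields[key] = val
    return rtype, float(ts), int(serial), fields


def decode_proctitle(hexstr):
    """PROCTITLE (type 1327) carries argv hex-encoded, NUL between arguments."""
    try:
        return bytes.fromhex(hexstr).decode('utf-8', 'replace').split('\0')
    except ValueError:
        return [hexstr]          # already printable (the kernel then quotes it)


def group_events(text):
    """Group all records sharing one audit serial into a single event."""
    events = {}
    for line in text.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue
        rtype, ts, serial, fields = parsed
        ev = events.setdefault(serial, {'timestamp': ts, 'records': defaultdict(list)})
        ev['records'][rtype].append(fields)
    return events


def events_for_key(events, key):
    """Serials of events in which any record carries the given rule key.
    CONFIG_CHANGE records from auditctl carry the key too, so they match."""
    return sorted(serial for serial, ev in events.items()
                  if any(f.get('key') == key
                         for recs in ev['records'].values() for f in recs))


def summarize_syscall(event):
    """Condense a syscall event into the fields a detection rule cares about.
    Returns None for events without a SYSCALL record (e.g. CONFIG_CHANGE)."""
    recs = event['records']
    if not recs.get('SYSCALL'):
        return None
    sc = recs['SYSCALL'][0]
    # PATH items arrive in reverse order; sort by item= to get parent first.
    paths = sorted(recs.get('PATH', []), key=lambda f: int(f.get('item', 0)))
    # Search every record for proctitle= rather than trusting the type name,
    # since older userspace prints the type as UNKNOWN[1327].
    titles = [f['proctitle'] for rs in recs.values() for f in rs if 'proctitle' in f]
    return {
        'exe': sc.get('exe'),            # resolved path, e.g. /usr/bin/touch
        'comm': sc.get('comm'),
        'auid': sc.get('auid'),
        'syscall': int(sc['syscall']),   # 2 == open on x86_64 (arch=c000003e)
        'success': sc.get('success') == 'yes',
        'cwd': recs['CWD'][0]['cwd'] if recs.get('CWD') else None,
        'paths': [(p.get('nametype'), p.get('name')) for p in paths],
        'argv': decode_proctitle(titles[0]) if titles else [],
    }


if __name__ == '__main__':
    evs = group_events(SAMPLE_LOG)
    for serial in events_for_key(evs, 'touch_tmp'):
        print(serial, summarize_syscall(evs[serial]))
```

Feed it `ausearch -k <key>` output (or the raw audit.log) and filter on the summary rather than grepping for exe=: the rule key tells you which rule fired, the PATH items tell you what was touched, and the decoded argv is what the process was actually invoked as.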