[PATCH] Have auditctl check the capability rather than the uid if we were compiled with cap-ng support. Check the euid rather than uid if we were compiled without cap-ng support
2:11 p.m.
This is against the 2.2 release. I wasn't able to get HEAD to compile
(issues with mounttab.h that didn't want to run down because this is
such a small patch).
Signed-off-by: Peter Moody <pmoody(a)google.com>
---
trunk/src/Makefile.am | 2 +-
trunk/src/auditctl.c | 11 +++++++++--
2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/trunk/src/Makefile.am b/trunk/src/Makefile.am
index d321233..e36bc9f 100644
--- a/trunk/src/Makefile.am
+++ b/trunk/src/Makefile.am
@@ -25,7 +25,7 @@ AUTOMAKE_OPTIONS = no-dependencies
SUBDIRS = test
INCLUDES = -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/src/libev
sbin_PROGRAMS = auditd auditctl aureport ausearch autrace
-LIBS = -Lmt -lauditmt -lpthread
+LIBS = -Lmt -lauditmt -lpthread $(CAPNG_LDADD)
AM_LDFLAGS = -pthread
AM_CFLAGS = -D_REENTRANT -D_GNU_SOURCE -pthread
noinst_HEADERS = auditd-config.h auditd-event.h auditd-listen.h
ausearch-llist.h ausearch-options.h auditctl-llist.h
aureport-options.h ausearch-parse.h aureport-scan.h ausearch-lookup.h
ausearch-int.h auditd-dispatch.h ausearch-string.h ausearch-nvpair.h
ausearch-common.h ausearch-avc.h ausearch-time.h ausearch-lol.h
diff --git a/trunk/src/auditctl.c b/trunk/src/auditctl.c
index d3643fb..936a1a0 100644
--- a/trunk/src/auditctl.c
+++ b/trunk/src/auditctl.c
@@ -36,6 +36,9 @@
#include <errno.h>
#include <libgen.h> /* For basename */
#include <limits.h> /* PATH_MAX */
+#ifdef HAVE_LIBCAP_NG
+#include <cap-ng.h>
+#endif
#include "libaudit.h"
#include "private.h"
@@ -1160,9 +1163,13 @@ int main(int argc, char *argv[])
return 1;
}
#ifndef DEBUG
+#ifdef HAVE_LIBCAP_NG
+ /* Make sure we have the approprirate capabilities */
+ if (capng_have_capability(CAPNG_PERMITTED, CAP_AUDIT_CONTROL) != 1) {
+#else
/* Make sure we are root */
- if (getuid() != 0) {
+ if (geteuid() != 0) {
+#endif
fprintf(stderr, "You must be root to run this program.\n");
return 4;
}
--
1.7.7.3
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
4:36 p.m.
New subject: Please check svn was Re: [PATCH] Have auditctl check the capability...<snip>
On Wednesday, March 21, 2012 03:11:49 PM Peter Moody wrote:
This is against the 2.2 release.
Thanks. I will apply this with probably a small change or two.
I wasn't able to get HEAD to compile (issues with mounttab.h that
didn't want
to run down because this is such a small patch).
For anyone not on Fedora, I would appreciate if you test what's in svn even if
its just a quick build check. I am planning to release a new audit package soon.
The changelog may look small, but there are thousands of lines of code added or
modified. Its better to fix the headers before the release than after.
The next audit release has a new feature that I hope everyone will appreciate.
Ausearch and libauparse now has the ability to interpret the arguments being
passed to certain syscalls. I did this for a little over 40 syscalls:
*chmod
*chown
clock_settime
clone
creat
epoll_ctl
getrlimit
setrlimit
fchmod
fchmodat
fcntl
ipc
kill
mkdir
mkdirat
mknod
mmap
mount
mprotect
open
openat
personality
ptrace
recv
recvfrom
recvmmsg
recvmsg
rt_sigaction
setfsgid
setfsuid
setgid
setregid
setresgid
setresuid
setreuid
setuid
socket
socketcall
tgkill
tkill
So, now you get output like this:
type=SYSCALL msg=audit(04/14/2011 20:18:28.953:3) : arch=x86_64 syscall=mmap
success=yes exit=61440 a0=0xf000 a1=0x502 a2=PROT_READ|PROT_WRITE|PROT_EXEC
a3=MAP_SHARED|MAP_FIXED items=0 ppid=603 pid=618 auid=unset uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
ses=unset comm=vbetool exe=/usr/sbin/vbetool
subj=system_u:system_r:vbetool_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(04/14/2011 20:13:34.658:3118) : arch=x86_64 syscall=mount
success=yes exit=0 a0=0x405b22 a1=0x405469 a2=0x405b22 a3=MS_REC|MS_PRIVATE
items=1 ppid=3467 pid=3468 auid=sgrubb uid=sgrubb gid=sgrubb euid=root suid=root
fsuid=root egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=(none) ses=1 comm=fusermount
exe=/bin/fusermount subj=unconfined_u:unconfined_r:unconfined_t:s0 key=export
type=SYSCALL msg=audit(05/05/2011 19:01:46.559:205) : arch=x86_64 syscall=openat
success=no exit=-13(Permission denied) a0=0x5 a1=0xd93660 a2=O_RDONLY|O_NOCTTY|
O_NONBLOCK|O_DIRECTORY a3=0x0 items=1 ppid=3831 pid=3832 auid=sgrubb uid=sgrubb
gid=sgrubb euid=sgrubb suid=sgrubb fsuid=sgrubb egid=sgrubb sgid=sgrubb
fsgid=sgrubb tty=pts2 ses=1 comm=find exe=/bin/find
subj=unconfined_u:unconfined_r:unconfined_t:s0 key=access
The idea is to reduce the need to go digging through header files to see what
arguments were being passed to some common and/or security related syscalls. In
the case where a uid/gid was being passed to the syscall, its now interpretted
to the account name/group name.
-Steve
5:12 p.m.
New subject: Please check svn was Re: [PATCH] Have auditctl check the capability...<snip>
On Wed, Mar 21, 2012 at 2:36 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
On Wednesday, March 21, 2012 03:11:49 PM Peter Moody wrote:
> This is against the 2.2 release.
Thanks. I will apply this with probably a small change or two.
> I wasn't able to get HEAD to compile (issues with mounttab.h that didn't
want
> to run down because this is such a small patch).
For anyone not on Fedora, I would appreciate if you test what's in svn even if
its just a quick build check. I am planning to release a new audit package soon.
The changelog may look small, but there are thousands of lines of code added or
modified. Its better to fix the headers before the release than after.
ubuntu lucid (10.04, admittedly a little old):
lib/gen_tables.c is missing an include for linux/fs.h
src/ausearch-report.c is missing includes for linux/fs.h and limits.h
refuses to build w/o these includes. builds and appears to work
correctly when they're added.
The next audit release has a new feature that I hope everyone will
appreciate.
Ausearch and libauparse now has the ability to interpret the arguments being
passed to certain syscalls. I did this for a little over 40 syscalls:
So, now you get output like this:
type=SYSCALL msg=audit(04/14/2011 20:18:28.953:3) : arch=x86_64 syscall=mmap
success=yes exit=61440 a0=0xf000 a1=0x502 a2=PROT_READ|PROT_WRITE|PROT_EXEC
a3=MAP_SHARED|MAP_FIXED items=0 ppid=603 pid=618 auid=unset uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
ses=unset comm=vbetool exe=/usr/sbin/vbetool
subj=system_u:system_r:vbetool_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(04/14/2011 20:13:34.658:3118) : arch=x86_64 syscall=mount
success=yes exit=0 a0=0x405b22 a1=0x405469 a2=0x405b22 a3=MS_REC|MS_PRIVATE
items=1 ppid=3467 pid=3468 auid=sgrubb uid=sgrubb gid=sgrubb euid=root suid=root
fsuid=root egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=(none) ses=1 comm=fusermount
exe=/bin/fusermount subj=unconfined_u:unconfined_r:unconfined_t:s0 key=export
type=SYSCALL msg=audit(05/05/2011 19:01:46.559:205) : arch=x86_64 syscall=openat
success=no exit=-13(Permission denied) a0=0x5 a1=0xd93660 a2=O_RDONLY|O_NOCTTY|
O_NONBLOCK|O_DIRECTORY a3=0x0 items=1 ppid=3831 pid=3832 auid=sgrubb uid=sgrubb
gid=sgrubb euid=sgrubb suid=sgrubb fsuid=sgrubb egid=sgrubb sgid=sgrubb
fsgid=sgrubb tty=pts2 ses=1 comm=find exe=/bin/find
subj=unconfined_u:unconfined_r:unconfined_t:s0 key=access
The idea is to reduce the need to go digging through header files to see what
arguments were being passed to some common and/or security related syscalls. In
the case where a uid/gid was being passed to the syscall, its now interpretted
to the account name/group name.
Awesome! I had to implement something like this in post-processing for
signal generation.
Cheers,
peter
-Steve
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
7:55 a.m.
New subject: Please check svn was Re: [PATCH] Have auditctl check the capability...<snip>
On Wednesday, March 21, 2012 06:12:31 PM Peter Moody wrote:
lib/gen_tables.c is missing an include for linux/fs.h
src/ausearch-report.c is missing includes for linux/fs.h and limits.h
refuses to build w/o these includes. builds and appears to work
correctly when they're added.
I think I have these fixed in svn, do you mind pulling a fresh copy and checking
it? The limits.h include is fine. But I made the fs.h inclusion optional because
it sounds like broken headers. It should autodetect the problem, but its needs
checking.
If no one else has any issues to report we should be ready to do a release.
Thanks,
-Steve
10:47 a.m.
New subject: Please check svn was Re: [PATCH] Have auditctl check the capability...<snip>
On Thu, Mar 22, 2012 at 5:55 AM, Steve Grubb <sgrubb(a)redhat.com> wrote:
On Wednesday, March 21, 2012 06:12:31 PM Peter Moody wrote:
> lib/gen_tables.c is missing an include for linux/fs.h
> src/ausearch-report.c is missing includes for linux/fs.h and limits.h
>
> refuses to build w/o these includes. builds and appears to work
> correctly when they're added.
I think I have these fixed in svn, do you mind pulling a fresh copy and checking
it? The limits.h include is fine. But I made the fs.h inclusion optional because
it sounds like broken headers. It should autodetect the problem, but its needs
checking.
The build fails with the following error:
In file included from ../lib/gen_tables.c:80:
./mounttab.h:31: error: 'MS_DIRSYNC' undeclared here (not in a function)
./mounttab.h:35: error: 'MS_MOVE' undeclared here (not in a function)
./mounttab.h:36: error: 'MS_REC' undeclared here (not in a function)
./mounttab.h:37: error: 'MS_SILENT' undeclared here (not in a function)
./mounttab.h:38: error: 'MS_POSIXACL' undeclared here (not in a function)
./mounttab.h:39: error: 'MS_UNBINDABLE' undeclared here (not in a function)
./mounttab.h:40: error: 'MS_PRIVATE' undeclared here (not in a function)
./mounttab.h:41: error: 'MS_SLAVE' undeclared here (not in a function)
./mounttab.h:42: error: 'MS_SHARED' undeclared here (not in a function)
./mounttab.h:43: error: 'MS_RELATIME' undeclared here (not in a function)
./mounttab.h:44: error: 'MS_KERNMOUNT' undeclared here (not in a function)
./mounttab.h:45: error: 'MS_I_VERSION' undeclared here (not in a function)
./mounttab.h:49: error: 'MS_ACTIVE' undeclared here (not in a function)
./mounttab.h:50: error: 'MS_NOUSER' undeclared here (not in a function)
make[2]: *** [gen_mounttabs_h-gen_tables.o] Error 1
If no one else has any issues to report we should be ready to do a
release.
Thanks,
-Steve
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
4657
days inactive
4658
days old
linux-audit@lists.linux-audit.osci.io
4 comments
2 participants
participants (2)
-
Peter Moody -
Steve Grubb