On 2023-06-06 18:01, Paul Moore wrote:
On Tue, Jun 6, 2023 at 3:09 PM Steve Grubb <sgrubb(a)redhat.com> wrote:
> On Tuesday, June 6, 2023 6:31:55 PM EDT Vincent Abraham wrote:
> > Thanks. Could you also point to portions in the codebase where these
> > functions are called for monitoring file access?
>
> I'll let Richard or Paul point to the place in the kernel if that's
> necessary. I think there's a fundamental mismatch and it might not matter.
The audit subsystem in the Linux Kernel is currently found in the core
kernel/ directory:
% ls -1 kernel/audit*
kernel/audit.c
kernel/auditfilter.c
kernel/audit_fsnotify.c
kernel/audit.h
kernel/auditsc.c
kernel/audit_tree.c
kernel/audit_watch.c
I could have sworn I'd sent a reply yesterday afternoon with pointers to
three functions to start with, but it didn't make it to the list and I
have no record of it...
Directives from userspace come in here:
https://github.com/linux-audit/audit-kernel/blob/main/kernel/audit.c#L1542
and are processed here:
https://github.com/linux-audit/audit-kernel/blob/main/kernel/audit.c#L1204
For file access rules, see
https://github.com/linux-audit/audit-kernel/blob/main/kernel/audit_watch.c
For directory access rules, if you dare to tread, see
https://github.com/linux-audit/audit-kernel/blob/main/kernel/audit_tree.c
Once rules are in place, there are hooks all over the kernel to monitor
activity in various subsystems.
Have a look at audit_log_start() that generates the log messages:
https://github.com/linux-audit/audit-kernel/blob/main/kernel/audit.c#L1829
and kauditd_send_queue() which manages the queues:
https://github.com/linux-audit/audit-kernel/blob/main/kernel/audit.c#L718
> ... would be path, kind of access, who is accessing it, program accessing
> it, portions of se linux labeling, and a few other things.
FYI for everyone on the thread, the generally accepted way to write to
"SELinux" is as one word (no space between the "SE" and "Linux") and
with the first three letters capitalized. I know we can be a little
lazy with capitalization, I definitely am, but writing it as one word
is the important part.
--
paul-moore.com
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
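The thread above points at where audit rules enter the kernel and where audit_log_start() emits records, and Steve lists the fields a consumer cares about (path, kind of access, who, which program, SELinux labels). The script below is an added example, not code from the thread or from the audit project: it parses constructed SYSCALL/CWD/PATH records shaped like the ones a file watch rule produces in audit.log, joins them by their audit(ts:serial) event id, and reports exactly those fields. The sample records, the rule key "shadow_watch", and the small x86_64 syscall table are assumptions made for the example.

```python
"""Parse Linux audit records and summarize file-access events.

Added example (not from the mailing-list thread): the sample records below
are constructed to resemble the SYSCALL/CWD/PATH records that a watch rule on
/etc/shadow produces in /var/log/audit/audit.log. The field names used
(uid, auid, exe, comm, subj, obj, name, key) are standard audit field
names; the syscall numbers in X86_64_SYSCALLS are an x86_64 assumption.
"""
import re
from collections import defaultdict

# Constructed sample: one event (serial 4567) made of SYSCALL, CWD and PATH records.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1686074400.123:4567): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c3e1a2b0 a2=80000 a3=0 items=1 ppid=1234 pid=5678 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="shadow_watch"
type=CWD msg=audit(1686074400.123:4567): cwd="/home/alice"
type=PATH msg=audit(1686074400.123:4567): item=0 name="/etc/shadow" inode=1234567 dev=fd:01 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
"""

# key=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
HEADER_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')

# Assumption: x86_64 syscall numbers for the few file-access calls handled here.
X86_64_SYSCALLS = {2: "open", 257: "openat", 82: "rename", 87: "unlink", 263: "unlinkat"}
O_ACCMODE = 0o3  # low two bits of open(2) flags select read/write mode


def parse_record(line):
    """Return (type, event_id, fields) for one audit.log line, or None if malformed."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {}
    for key, value in FIELD_RE.findall(rest):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return rtype, f"{ts}:{serial}", fields


def group_events(text):
    """Group records sharing the same audit(ts:serial) id into one event."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec[1]].append((rec[0], rec[2]))
    return events


def access_kind(fields):
    """Describe the access from the syscall number and, for open/openat, its flags."""
    nr = int(fields.get("syscall", -1))
    name = X86_64_SYSCALLS.get(nr, f"syscall#{nr}")
    if name in ("open", "openat"):
        # open(2) flags are argument a1 for open and a2 for openat; audit logs them in hex
        flags = int(fields["a2" if name == "openat" else "a1"], 16)
        mode = {0: "read", 1: "write", 2: "read/write"}[flags & O_ACCMODE]
        return f"{name} ({mode})"
    return name


def summarize(text):
    """Produce one summary dict per PATH item: path, access, actor, program, labels."""
    out = []
    for event_id, records in group_events(text).items():
        sc = next((f for t, f in records if t == "SYSCALL"), None)
        if sc is None:
            continue  # PATH records without their SYSCALL record cannot be attributed
        for t, path in records:
            if t != "PATH":
                continue
            out.append({
                "event": event_id,
                "path": path.get("name"),
                "access": access_kind(sc),
                "success": sc.get("success") == "yes",
                "uid": sc.get("uid"),
                "auid": sc.get("auid"),  # login uid, survives su/sudo
                "exe": sc.get("exe"),
                "subject_label": sc.get("subj"),
                "object_label": path.get("obj"),
                "key": sc.get("key"),
            })
    return out


if __name__ == "__main__":
    for ev in summarize(SAMPLE_LOG):
        print(ev)
```

Joining on the audit(ts:serial) id matters because the kernel emits the SYSCALL record (who and how) and the PATH record (what, with its SELinux object label) separately; only together do they answer the questions in the thread. On a real system the same logic runs over `ausearch -k shadow_watch --raw` output, which preserves this record format.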