3:38 p.m.
Using syslog it seems straight forward to insert a new message , 'syslog (LOG_NOTICE,
"Hello This is just a notice")' for instance.
Does this capability exist already in linux audit and I'm just not seeing it???
Is it a bad idea to build and then to insert a custom audit/message, or any standard
audit, into the audit.log file?
If so are there any problems to look out for , e.g event id/sequence number collisions,
auparse or ausearch problems, formatting issues to adhere to???
Thanks
________________________________
This e-mail and any files transmitted with it may be proprietary and are intended solely
for the use of the individual or entity to whom they are addressed. If you have received
this e-mail in error please notify the sender.
Please note that any views or opinions presented in this e-mail are solely those of the
author and do not necessarily represent those of ITT Corporation. The recipient should
check this e-mail and any attachments for the presence of viruses. ITT accepts no
liability for any damage caused by any virus transmitted by this e-mail.
4 p.m.
On Tuesday, September 07, 2010 04:38:29 pm Nestler, Roger - IS wrote:
Using syslog it seems straight forward to insert a new message ,
'syslog
(LOG_NOTICE, "Hello This is just a notice")' for instance.
Does this capability exist already in linux audit and I'm just not seeing
it???
The Linux audit system is protected by virtue of apps needing CAP_AUDIT_WRITE
in order to send an event. Assuming that your app has this, you will want to
use one of the functions here:
https://fedorahosted.org/audit/browser/trunk/lib/libaudit.h#L375
Is it a bad idea to build and then to insert a custom audit/message,
or any
standard audit, into the audit.log file?
Yes. Do not do it. It has to be sent to the kernel for timestamping and
correlation. Not to mention the kernel will collect a few things about the
sender to be put in the audit trail.
If so are there any problems to look out for , e.g event id/sequence
number
collisions, auparse or ausearch problems, formatting issues to adhere
to???
You must send to the kernel. Aside from that, events must have a type. If you
do not see a type that matches what you are doing, then use the
AUDIT_TRUSTED_APP type which you may do (nearly) anything to. The audit system
wants name=value fields. You should use the same field name as an existing one
any time you find one. If you are not using AUDIT_TRUSTED_APP, then you must
fill in the same fields in the same order as the original source does. The value
part may not have a space or certain control characters in it. If it does you
must encode the contents of the value with the audit_encode_value() function.
-Steve
4:02 p.m.
On Tue, 2010-09-07 at 16:38 -0400, Nestler, Roger - IS wrote:
Does this capability exist already in linux audit and I’m just not
seeing it???
man audit_log_user_message
Is it a bad idea to build and then to insert a custom audit/message,
or any standard audit, into the audit.log file?
Nope.
If so are there any problems to look out for , e.g event id/sequence
number collisions, auparse or ausearch problems, formatting issues to
adhere to???
The text in the audit_log_user_message is not really freeform-safe, and
it is practically limited to somewhere around 900+ bytes (from a kernel
setting, unless it has been updated since).
The parser will throw away some of your records if the text matches what
it is looking for elsewhere. Maybe Steve can point out the specs. For
example, I had this one:
> # ausearch -ts this-week -a 22476
> <no matches>
>
> in the raw log:
> node=slim type=USER msg=audit(1244730722.536:22476): user pid=16700
> uid=0 auid=500 ses=1 subj=user_u:user_r:user_t:s0 msg='node=jim
> type=PATH msg=audit(06/08/2009 13:33:50.101:19267) : item=4
> name=/var/lib/ntp/drift inode=115581 dev=fd:00 mode=file,644
ouid=ntp
> ogid=ntp rdev=00:00 obj=system_u:object_r:ntp_drift_t:s0 :
> exe="/usr/local/sbin/auditctl" (hostname=?, addr=?, terminal=pts/13
> res=success)'
>
> Any clues?
When ausearch finds a malformed record, it discards it as a safety
measure.
-Steve
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
4:17 p.m.
On Tuesday, September 07, 2010 05:02:21 pm LC Bruzenak wrote:
> Is it a bad idea to build and then to insert a custom
audit/message,
> or any standard audit, into the audit.log file?
Nope.
To make sure we don't give conflicting advice, I was thinking he meant writing
directly to the file (which you should not do). Events must be sent to the
kernel. But you are free to make your own audit events as long as you mimic
the existing events.
-Steve
8:48 a.m.
Thanks,
The below sequence of functions seems to do the trick...
int audit_fd = audit_open();
audit_log_user_message(audit_fd, AUDIT_USER, "MY Message" NULL, NULL, NULL, 1);
audit_close(audit_fd);
Also the executable that I created, then copied to a root area and then ran as root,
seemed to have the CAP_AUDIT_WRITE permission by default... how did my app get that
permission, is it just because it’s a root app... I didnt explicitly assign it to the app,
did I?
Just out of curiosity if I wanted to add a new type, say 'MY_CUSTOM_AUDIT' that
would appear as say 'type=HELLOWORLD' in the audit file. Is that possible with a
config file or function call?... It looks as if I'd have to modify stuff in maybe
libaudit.h and msg_typetab.h, recompile.. etc... in order to add a custom type?
Thanks
Roger
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Tuesday, September 07, 2010 5:17 PM
To: linux-audit(a)redhat.com
Cc: LC Bruzenak; Nestler, Roger - IS
Subject: Re: creating and inserting audits
On Tuesday, September 07, 2010 05:02:21 pm LC Bruzenak wrote:
> Is it a bad idea to build and then to insert a custom
audit/message,
> or any standard audit, into the audit.log file?
Nope.
To make sure we don't give conflicting advice, I was thinking he meant writing
directly to the file (which you should not do). Events must be sent to the
kernel. But you are free to make your own audit events as long as you mimic
the existing events.
-Steve
This e-mail and any files transmitted with it may be proprietary and are intended solely
for the use of the individual or entity to whom they are addressed. If you have received
this e-mail in error please notify the sender.
Please note that any views or opinions presented in this e-mail are solely those of the
author and do not necessarily represent those of ITT Corporation. The recipient should
check this e-mail and any attachments for the presence of viruses. ITT accepts no
liability for any damage caused by any virus transmitted by this e-mail.
9:25 a.m.
On Wednesday, September 08, 2010 09:48:44 am Nestler, Roger - IS wrote:
The below sequence of functions seems to do the trick...
int audit_fd = audit_open();
audit_log_user_message(audit_fd, AUDIT_USER, "MY Message" NULL, NULL, NULL,
1); audit_close(audit_fd);
Yes. There are a couple other log functions that may be better suited
depending on your needs. If you want the program name to show up, use
audit_log_user_comm_message(). Also, please note this:
#define AUDIT_USER 1005 /* Message from userspace -- deprecated */
That type is deprecated, please do not use it.
Also the executable that I created, then copied to a root area and
then ran
as root, seemed to have the CAP_AUDIT_WRITE permission by default... how
did my app get that permission, is it just because it’s a root app... I
didnt explicitly assign it to the app, did I?
If your app runs as root, it inherits that capability by virtue of being under
the root account. If your app ran as a normal user, then you would have a
problem because normal users do not have CAP_AUDIT_WRITE. You would either
have to make your app setuid or a helper that is to do the logging. If you
have a helper, then you have to worry if it can be abused to flood the log. If
don't go this route, you have to ask if a normal user can do anything that is
security critical in the first place.
Just out of curiosity if I wanted to add a new type, say
'MY_CUSTOM_AUDIT'
that would appear as say 'type=HELLOWORLD' in the audit file. Is that
possible with a config file or function call?...
No. We create types as they are needed for other projects. We have patched
everything that needs auditing to create audit events. We also created the
generic AUDIT_TRUSTED_APP type for private use. You can do anything with that
type you want. If you have types that you think other projects might need, let
me know and I'll see how we can fit them in.
It looks as if I'd have to modify stuff in maybe libaudit.h and
msg_typetab.h, recompile.. etc...in order to add a custom type?
And update aureport/ausearch and libauparse perhaps.
-Steve
9:56 a.m.
Ok sounds good.. thanks for pointing out the deprecated type... I think I grabbed that
from auditctrl.c (v1.7.17...).
Ok, so if we ever wanted to add some new types that would be unique/specific to our app we
would submit a request to you/redhat... and then in a future version of audit we'd
possible see our new types?
Thanks for all the help,
Roger
--
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Wednesday, September 08, 2010 10:25 AM
To: Nestler, Roger - IS
Cc: linux-audit(a)redhat.com; LC Bruzenak
Subject: Re: creating and inserting audits
On Wednesday, September 08, 2010 09:48:44 am Nestler, Roger - IS wrote:
The below sequence of functions seems to do the trick...
int audit_fd = audit_open();
audit_log_user_message(audit_fd, AUDIT_USER, "MY Message" NULL, NULL, NULL,
1); audit_close(audit_fd);
Yes. There are a couple other log functions that may be better suited
depending on your needs. If you want the program name to show up, use
audit_log_user_comm_message(). Also, please note this:
#define AUDIT_USER 1005 /* Message from userspace -- deprecated */
That type is deprecated, please do not use it.
Also the executable that I created, then copied to a root area and
then ran
as root, seemed to have the CAP_AUDIT_WRITE permission by default... how
did my app get that permission, is it just because it’s a root app... I
didnt explicitly assign it to the app, did I?
If your app runs as root, it inherits that capability by virtue of being under
the root account. If your app ran as a normal user, then you would have a
problem because normal users do not have CAP_AUDIT_WRITE. You would either
have to make your app setuid or a helper that is to do the logging. If you
have a helper, then you have to worry if it can be abused to flood the log. If
don't go this route, you have to ask if a normal user can do anything that is
security critical in the first place.
Just out of curiosity if I wanted to add a new type, say
'MY_CUSTOM_AUDIT'
that would appear as say 'type=HELLOWORLD' in the audit file. Is that
possible with a config file or function call?...
No. We create types as they are needed for other projects. We have patched
everything that needs auditing to create audit events. We also created the
generic AUDIT_TRUSTED_APP type for private use. You can do anything with that
type you want. If you have types that you think other projects might need, let
me know and I'll see how we can fit them in.
It looks as if I'd have to modify stuff in maybe libaudit.h and
msg_typetab.h, recompile.. etc...in order to add a custom type?
And update aureport/ausearch and libauparse perhaps.
-Steve
This e-mail and any files transmitted with it may be proprietary and are intended solely
for the use of the individual or entity to whom they are addressed. If you have received
this e-mail in error please notify the sender.
Please note that any views or opinions presented in this e-mail are solely those of the
author and do not necessarily represent those of ITT Corporation. The recipient should
check this e-mail and any attachments for the presence of viruses. ITT accepts no
liability for any damage caused by any virus transmitted by this e-mail.
3:34 p.m.
On Wednesday, September 08, 2010 10:56:50 am Nestler, Roger - IS wrote:
Ok, so if we ever wanted to add some new types that would be
unique/specific to our app we would submit a request to you/redhat... and
then in a future version of audit we'd possible see our new types?
Well, if its unique to your app and you don't think anyone else will use it,
then there is the TRUSTED_APP type. If you think its something that would be
used in other applications, then send it to this mail list. Currently I'm
adding event types for service start/stop, virtualization, and crypto. There
should be a release soon to get those out where apps can use them.
-Steve
5218
days inactive
5219
days old
linux-audit@lists.linux-audit.osci.io
7 comments
3 participants
participants (3)
-
LC Bruzenak -
Nestler, Roger - IS -
Steve Grubb