On 14/04/04, Burn Alting wrote:
All,
I finally submitted a bug report to the Linux kernel with respect to
invalid audit 'op' values.
The bug is listed as
https://bugzilla.kernel.org/show_bug.cgi?id=73511
and is described as ...
Various audit events dealing with adding, removing and updating
rules result in invalid values set for the op keys which result
in embedded spaces in op= values.
The invalid values are
op="add rule" set in kernel/auditfilter.c
op="remove rule" set in kernel/auditfilter.c
op="remove rule" set in kernel/audit_tree.c
op="updated rules" set in kernel/audit_watch.c
op="remove rule" set in kernel/audit_watch.c
The attached patch replaces the space in the above values with
an underscore character ('_').
A patch was also provided.
One assumes the similar issues (cause keys having values with embedded
spaces) pointed out by Steve in the ima code in
https://www.redhat.com/archives/linux-audit/2014-April/msg00014.html
will also get fixed.
Yes, I have a patch for that.
For those interested, I have attached the patch.
Thanks Burn! I'll add these to my tree and watch for issues raised by
log consumers.
Rgds
diff -Npru linux/kernel/auditfilter.c
linux_burn/kernel/auditfilter.c
--- linux/kernel/auditfilter.c 2014-04-04 10:34:25.378979727 +1100
+++ linux_burn/kernel/auditfilter.c 2014-04-04 10:42:24.782022509 +1100
@@ -1045,7 +1045,7 @@ int audit_rule_change(int type, __u32 po
return PTR_ERR(entry);
err = audit_add_rule(entry);
- audit_log_rule_change("add rule", &entry->rule, !err);
+ audit_log_rule_change("add_rule", &entry->rule, !err);
if (err)
audit_free_rule(entry);
break;
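Review bot: The commit message (and the bugzilla text quoted above) should state explicitly that this changes a value already present in shipped logs: switching `audit_log_rule_change("add rule", ...)` to `"add_rule"` in audit_rule_change() means any consumer matching on op="add rule" silently stops matching on a patched kernel. Suggest listing the old and new spellings of all five values in the changelog so userspace filters can be updated in step, as the reply's "watch for issues raised by log consumers" anticipates.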
@@ -1055,7 +1055,7 @@ int audit_rule_change(int type, __u32 po
return PTR_ERR(entry);
err = audit_del_rule(entry);
- audit_log_rule_change("remove rule", &entry->rule, !err);
+ audit_log_rule_change("remove_rule", &entry->rule, !err);
audit_free_rule(entry);
break;
default:
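Review bot: The literal "remove_rule" introduced in the audit_del_rule() branch here is repeated verbatim in audit_tree.c and audit_watch.c later in this patch. Suggest defining each op string once in a shared audit header and using that macro at all three sites, so a future edit cannot leave the remove paths emitting different spellings for the same operation.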
diff -Npru linux/kernel/audit_tree.c linux_burn/kernel/audit_tree.c
--- linux/kernel/audit_tree.c 2014-04-04 10:34:25.378979727 +1100
+++ linux_burn/kernel/audit_tree.c 2014-04-04 10:42:47.462777736 +1100
@@ -457,7 +457,7 @@ static void audit_log_remove_rule(struct
if (unlikely(!ab))
return;
audit_log_format(ab, "op=");
- audit_log_string(ab, "remove rule");
+ audit_log_string(ab, "remove_rule");
audit_log_format(ab, " dir=");
audit_log_untrustedstring(ab, rule->tree->pathname);
audit_log_key(ab, rule->filterkey);
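Review bot: In audit_log_remove_rule() the value is written as `audit_log_format(ab, "op=");` followed by `audit_log_string(ab, "remove_rule");`, so whether the field appears as op="remove_rule" (quoted) or op=remove_rule (bare) is decided by audit_log_string's quoting behaviour, not by this hunk. Suggest stating the resulting on-wire form in the commit message; parsers written against the quoted form otherwise have to guess, and the form should match what the audit_watch.c sites produce.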
diff -Npru linux/kernel/audit_watch.c linux_burn/kernel/audit_watch.c
--- linux/kernel/audit_watch.c 2014-04-04 10:34:25.378979727 +1100
+++ linux_burn/kernel/audit_watch.c 2014-04-04 10:43:24.475304414 +1100
@@ -314,7 +314,7 @@ static void audit_update_watch(struct au
&nentry->rule.list);
}
- audit_watch_log_rule_change(r, owatch, "updated rules");
+ audit_watch_log_rule_change(r, owatch, "updated_rules");
call_rcu(&oentry->rcu, audit_free_rule_rcu);
}
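Review bot: The value chosen in audit_update_watch(), "updated_rules", is past tense and plural while the other four sites use imperative singular ("add_rule", "remove_rule"). If the op vocabulary is being touched anyway, consider "update_rule" here so the three rule-lifecycle operations read as one consistent set; if the existing wording is kept deliberately for compatibility with current consumers, a short changelog note saying so would avoid the question being re-raised.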
@@ -342,7 +342,7 @@ static void audit_remove_parent_watches(
list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
e = container_of(r, struct audit_entry, rule);
- audit_watch_log_rule_change(r, w, "remove rule");
+ audit_watch_log_rule_change(r, w, "remove_rule");
list_del(&r->rlist);
list_del(&r->list);
list_del_rcu(&e->list);
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
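Added illustration, not part of the thread or of the kernel patch: why the embedded space matters to a log consumer. A whitespace-splitting parser mangles op="add rule", a quote-aware parser handles both the old and the patched spelling, and normalising the value lets one filter work on either kernel. The two CONFIG_CHANGE lines are constructed samples; only the op= value is taken from the bug report.

```python
import re

# Constructed sample records (field layout illustrative); the first carries the
# pre-patch value with an embedded space, the second the patched underscore form.
OLD_RECORD = ('type=CONFIG_CHANGE msg=audit(1396579200.123:42): auid=1000 ses=2 '
              'op="add rule" key=(null) list=4 res=1')
NEW_RECORD = ('type=CONFIG_CHANGE msg=audit(1396579200.123:43): auid=1000 ses=2 '
              'op="add_rule" key=(null) list=4 res=1')


def parse_naive(record):
    """Split on whitespace, then on the first '='. This is what breaks on
    op="add rule": the value is cut into '"add' and a stray 'rule"' token."""
    fields = {}
    for tok in record.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


# key=value where value is either a double-quoted run (may contain spaces)
# or a bare run of non-whitespace characters.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_quoted(record):
    """Quote-aware field extraction; returns values with surrounding quotes stripped."""
    fields = {}
    for key, value in FIELD_RE.findall(record):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def normalize_op(op):
    """Map the pre-patch spelling onto the patched one so a single filter
    matches records from both unpatched and patched kernels."""
    return op.replace(" ", "_")


def rule_change_ops(records):
    """Return the normalised op of every CONFIG_CHANGE record that carries one."""
    ops = []
    for rec in records:
        fields = parse_quoted(rec)
        if fields.get("type") == "CONFIG_CHANGE" and "op" in fields:
            ops.append(normalize_op(fields["op"]))
    return ops
```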