1:49 p.m.
Hey all,
I'm not sure if anyone else has seen this, or if its been brought up before
(though I think
not), but I've discovered a problem with trying to have audit filter on
fields with negative
values. I suspect this is due to a difference in kernel space and user
space, given the
results I've seen below, but here are the particulars:
On zSeries and on xSeries, we have noticed that we are incapable (in some
situations) of
filtering messages when the filter value is negative. On zSeries, this
seems to be true for all
fields, while on xSeries, its true if the field is a1,a2,a3.
We have explicity tested -9 and -1, but I believe this code will extend to
all manner of
negative values because seems to be related to the representation of these
values in
the different architectures (32 v 64). I have not tested it on a 32-bit
only platform, if someone
has the ability to that (should take all of 3minutes) that would probably
be useful :)
Below is all of my test information.
Thanks,
Mike
Here are the records we not are seeing (you can trap them without an
special filters):
zSeries:
type=SYSCALL msg=audit(1137516317.334:8619): arch=80000016 syscall=180
success=no exit=-22 a0=ffffffffffffffff a1=ffffffffffffffff
a2=ffffffffffffffff a3=ffffffffffffffff items=0 pid=17427 auid=500 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="pread_attempt"
exe="/rhcc/lspp/tests/LTP/ltp-merged/testcases/audit/filters/pread_attempt"
xSeries:
type=SYSCALL msg=audit(1137489462.885:205387): arch=c000003e syscall=17
success=no exit=-22 a0=ffffffff a1=ffffffffffffffff a2=ffffffffffffffff
a3=ffffffffffffffff items=0 pid=8121 auid=500 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 comm="a.out"
exe="/tests/LTP/ltp-merged/testcases/audit/syscalls/a.out"
Here are the auditctl commands we are using:
auditctl -a exit,always -S pread -- works always
auditctl -a exit,always -S pread -F a0=-1 -- works only on xSeries, no
message on zSeries
auditctl -a exit,always -S pread -F a1->a3=-1 -- no record on either
auditctl -a exit,always -S pread -F exit=-22 -- no record on zSeries or
xSeries
Here is the code we are running:
#define _XOPEN_SOURCE 500
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
int main(int argc, char **argv)
{
int fd;
ssize_t read;
size_t size = 5;
char buff[size+1];
off_t offset = 1;
memset(buff,0,size+1);
fd = open("test_file",O_RDONLY);
read = pread(-1, -1, -1, -1);
printf("read: %d from fd: %d\n",read,fd);
printf("Contents: %s\n",buff);
close(fd);
}
2:18 p.m.
Hey Mike,
On Wed, 2006-01-18 at 13:49 -0600, Michael C Thompson wrote:
Hey all,
I'm not sure if anyone else has seen this, or if its been brought up
before (though I think
not), but I've discovered a problem with trying to have audit filter
on fields with negative
values. I suspect this is due to a difference in kernel space and user
space, given the
results I've seen below, but here are the particulars:
On zSeries and on xSeries, we have noticed that we are incapable (in
some situations) of
filtering messages when the filter value is negative. On zSeries, this
seems to be true for all
fields, while on xSeries, its true if the field is a1,a2,a3.
We have explicity tested -9 and -1, but I believe this code will
extend to all manner of
negative values because seems to be related to the representation of
these values in
the different architectures (32 v 64). I have not tested it on a
32-bit only platform, if someone
has the ability to that (should take all of 3minutes) that would
probably be useful :)
Below is all of my test information.
Thanks,
Mike
What kernel are you testing on? I just checked the latest kernel
(lspp.6) and this does look like a problem:
struct audit_field {
u32 type;
u32 val;
u32 op;
};
We only allow unsigned val(ues). Eek
-tim
2:21 p.m.
On Wednesday 18 January 2006 15:18, Timothy R. Chavez wrote:
What kernel are you testing on? I just checked the latest kernel
(lspp.6) and this does look like a problem:
struct audit_field {
u32 type;
u32 val;
u32 op;
};
We only allow unsigned val(ues). Eek
Right and that's because this is what the context stores:
129 struct audit_context {
136 unsigned long argv[4]; /* syscall arguments */
-Steve
2:28 p.m.
linux-audit-bounces(a)redhat.com wrote on 01/18/2006 02:21:56 PM:
On Wednesday 18 January 2006 15:18, Timothy R. Chavez wrote:
> What kernel are you testing on? I just checked the latest kernel
> (lspp.6) and this does look like a problem:
>
> struct audit_field {
> u32 type;
> u32 val;
> u32 op;
> };
>
>
> We only allow unsigned val(ues). Eek
Right and that's because this is what the context stores:
129 struct audit_context {
136 unsigned long argv[4]; /* syscall arguments */
So... are we supposed to be able to filter on negative values?
Mike
2:36 p.m.
On Wed, 2006-01-18 at 15:21 -0500, Steve Grubb wrote:
On Wednesday 18 January 2006 15:18, Timothy R. Chavez wrote:
> What kernel are you testing on? I just checked the latest kernel
> (lspp.6) and this does look like a problem:
>
> struct audit_field {
> u32 type;
> u32 val;
> u32 op;
> };
>
>
> We only allow unsigned val(ues). Eek
Right and that's because this is what the context stores:
129 struct audit_context {
136 unsigned long argv[4]; /* syscall arguments */
-Steve
Sorry if I seem a little dense, but I'm not sure what you're getting at.
The context stores:
long return_code;/* syscall return code */
Which is signed and logged as "exit=". This would be a problem when
comparing the u32 audut_field val(ue) against it, right?
-tim
2:49 p.m.
On Wednesday 18 January 2006 15:36, Timothy R. Chavez wrote:
Sorry if I seem a little dense, but I'm not sure what you're
getting at.
His example was for a0:
auditctl -a exit,always -S pread -F a0=-1 -- works only on xSeries,
no
message on zSeries
auditctl -a exit,always -S pread -F a1->a3=-1 -- no record on either
So negative number gets converted to unsigned number. All syscall args are
unsigned.
auditctl -a exit,always -S pread -F exit=-22 -- no record on zSeries
or
xSeries
The context stores:
long return_code;/* syscall return code */
Which is signed and logged as "exit=". This would be a problem when
comparing the u32 audit_field val(ue) against it, right?
Probably. The might need to be a signed comparator function that knows how to
handle those for attributes that are signed in nature.
int audit_comparator(const u32 left, const u32 op, const u32 right)
Which brings up the point that const should be taken off anything passed by
value.
-Steve
6912
days inactive
6912
days old
linux-audit@lists.linux-audit.osci.io
5 comments
3 participants
participants (3)
-
Michael C Thompson -
Steve Grubb -
Timothy R. Chavez