3:53 p.m.
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
tomorrow. The Changelog is:
- Add some syslog messages for a couple exits
- Add some unlinks of the pid file in a couple error exits
- Make some options of auditctl not expect a reply
- Update support for user and watch filter lists
This is another bug fix update. Notable in this release is a change to a
couple options that were trying to get a netlink response when clearly they
shouldn't. Some examples were -v & -D. This version also corrects user &
watch list filtering.
Please let me know if there are any problems.
-Steve
8:51 p.m.
Steve Grubb wrote:
This version also corrects user &
watch list filtering.
Please let me know if there are any problems.
when adding auid filters on watches .. and executing "auditclt -l" I
don't see a list of the newly added filter rules ... Is that the
behavior you intended?
(I am on kernel.65 on i386 system)
example
# auditctl watch,always -F auid=something
# auditctl watch,never -F auid=something
# auditctl -l
No rules
No watches
Also .. the above commands don't seem to be actually filtering .. so I
don't know if that is because the mechanism might not be working, or
maybe the filters aren't getting inserted since I don't see them in the
listing ..
Thanks,
- Loulwa
6:19 a.m.
On Wednesday 22 June 2005 21:51, Loulwa Salem wrote:
Steve Grubb wrote:
> This version also corrects user &
> watch list filtering.
>
> Please let me know if there are any problems.
when adding auid filters on watches .. and executing "auditclt -l" I
don't see a list of the newly added filter rules ... Is that the
behavior you intended?
[root@endeavor ~]# auditctl -a watch,never -F loginuid=500
[root@endeavor ~]# auditctl -l
AUDIT_LIST: watch,never auid=500 (0x1f4) syscall=
No watches
[root@endeavor ~]# auditctl -D
No rules
No watches
Works for me. ??
Also .. the above commands don't seem to be actually filtering ..
so I
don't know if that is because the mechanism might not be working, or
maybe the filters aren't getting inserted since I don't see them in the
listing ..
Not sure. David, have you played with the latest auditctl and checked
everything out? For example, I just tried this and hung the machine:
auditctl -a watch,never -F loginuid=-1
auditctl -a entry,always -S all
It locked up the machine solid. No flashing disk lights and caps lock key
didn't toggle light.
-Steve
8:49 a.m.
On Thu, 2005-06-23 at 07:19 -0400, Steve Grubb wrote:
Not sure. David, have you played with the latest auditctl and checked
everything out? For example, I just tried this and hung the machine:
auditctl -a watch,never -F loginuid=-1
auditctl -a entry,always -S all
It locked up the machine solid. No flashing disk lights and caps lock
key didn't toggle light.
I've reproduced something similar, although the machine is far from
'hung'. It seems there was still a case where auditd could still be
audited. So all userspace processes will be waiting a minute for every
syscall they make, because the backlog timeout happens.
If you're running X, that would explain the lack of caps lock. Don't
test with X running unless you have a serial console.
I'm testing a fix for this now...
--
dwmw2
12:38 p.m.
On Thu, 2005-06-23 at 14:49 +0100, David Woodhouse wrote:
--
dwmw2
I'm testing a fix for this now...
Appears to work. Building audit.67 now...
--- kernel/auditsc.c~ 2005-06-21 16:30:59.000000000 +0100
+++ kernel/auditsc.c 2005-06-23 14:45:43.000000000 +0100
@@ -573,7 +584,7 @@ static inline struct audit_context *audi
context->return_valid = return_valid;
context->return_code = return_code;
- if (context->in_syscall && !context->auditable) {
+ if (context->in_syscall && !context->auditable && tsk->pid !=
audit_pid) {
enum audit_state state;
state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
if (state == AUDIT_RECORD_CONTEXT)
12:47 p.m.
I don't seem to get the filtering on auid to work ...
I am attaching a test case so you can see how I am testing this ..
I am on kernel.65 and audit 0.9.12
Test strategy:
1- add filter rules for a user
2- add a watch on a file
3- create two temp users (my users have to be in Wheel trusted group in
4- order to ssh into the system .. may not apply to everybody).
5- spawn ssh session user1@localhost and touch the watched file
6- Remove the file(so other user can touch it again)
7- spawn ssh session user2@localhost and touch the watched file
8- stop auditd and copy the audit.log to a temp file (/tmp/loginuid_logs)
For Step 1 above, I tried the following scenarios:
auditctl -a watch,always -F auid=uid1
auditctl -a watch,never -F auid!=uid1
or
auditctl -a watch,always -F auid=uid1
auditctl -a watch,never -F auid=uid2
Neither seems to work .. in the log I still see watch records for open
on the watched file generated by both users!!
- Loulwa
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/utsname.h>
int uid1=580;
int uid2=650;
char user1[] = "tmp-user1";
char user2[] = "tmp-user2";
char* password = "eal";
char* encryptedpassword = "42VmxaOByKwlA";
static const char* tempname = "/tmp/testXXXXXX\0";
int rc;
int fd1, fd2; /* file descriptor */
char script_cmd1[1000], script_cmd2[1000], exec_cmd[1000];
char *filename1, *filename2;
int main(int ac, char **av)
{
char command[256];
system("/etc/rc.d/init.d/auditd stop");
system("rm -f /var/log/audit/audit.log");
system("rm /tmp/loginuid_logs -f");
system("/etc/rc.d/init.d/auditd start");
/* Create expect script file to execute ftp session */
filename1 = (char *) malloc(strlen(tempname));
strcpy(filename1, tempname);
if ((fd1 = mkstemp(filename1)) == -1) {
printf("File creation error\n");
}
filename2 = (char *) malloc(strlen(tempname));
strcpy(filename2, tempname);
if ((fd2 = mkstemp(filename2)) == -1) {
printf("File creation error\n");
}
/* create test users */
sprintf(command, "/usr/sbin/useradd -u %d -m -G wheel -p %s
%s",uid1,encryptedpassword,user1);
system(command);
sprintf(command, "/usr/sbin/useradd -u %d -m -G wheel -p %s
%s",uid2,encryptedpassword,user2);
system(command);
/* insert watches and filters on loginuid "uid1" */
system("auditctl -w /tmp/file1 -k loginuid-key");
sprintf(command, "auditctl -a watch,always -F auid=%d", uid1);
system(command);
sprintf(command, "auditctl -a watch,never -F auid!=%d", uid1);
//sprintf(command, "auditctl -a watch,never -F auid=%d", uid2);
system(command);
sprintf(script_cmd1, "expect -c \"spawn /usr/bin/ssh %s@localhost
\nsleep 1 \nexpect -re \\\"password: \\\" \nsleep 1 \nsend
\\\"%s\\r\\n\\\" \nsleep 1 \nexpect -re \\\"> \\\" \nsleep 1 \nsend
\\\"touch /tmp/file1\\r\\n\\\" \nsleep 1 \nsend \\\"exit\\\"
\nsend_user \\\"exit\\n\\\"\"", user1, password);
sprintf(script_cmd2, "expect -c \"spawn /usr/bin/ssh %s@localhost
\nsleep 1 \nexpect -re \\\"password: \\\" \nsleep 1 \nsend
\\\"%s\\r\\n\\\" \nsleep 1 \nexpect -re \\\"> \\\" \nsleep 1 \nsend
\\\"touch /tmp/file1\\r\\n\\\" \nsleep 1 \nsend \\\"exit\\\"
\nsend_user \\\"exit\\n\\\"\"", user2, password);
write(fd1, script_cmd1, strlen(script_cmd1));
fchmod(fd1, S_IRWXU | S_IRWXG | S_IRWXO);
close(fd1);
sprintf(exec_cmd, "/bin/sh -f %s", filename1);
system(exec_cmd);
system("rm -f /tmp/file1");
sleep(1);
write(fd2, script_cmd2, strlen(script_cmd2));
fchmod(fd2, S_IRWXU | S_IRWXG | S_IRWXO);
close(fd2);
sprintf(exec_cmd, "/bin/sh -f %s", filename2);
system(exec_cmd);
/* Stop auditd to prevent more log entries. */
sleep(2);
system("auditctl -W /tmp/file1");
system("/etc/rc.d/init.d/auditd stop");
system("cat /var/log/audit/audit.log >> /tmp/loginuid_logs");
system("rm -f /tmp/file1");
/* cleanup users and files */
if (filename1 != NULL) {
unlink(filename1);
free(filename1);
}
if (filename2 != NULL) {
unlink(filename2);
free(filename2);
}
sprintf(command, "/usr/sbin/userdel -r %s", user1);
system(command);
sprintf(command, "/usr/sbin/userdel -r %s", user2);
system(command);
}
1:09 p.m.
On Thu, 2005-06-23 at 12:47 -0500, Loulwa Salem wrote:
auditctl -a watch,always -F auid=uid1
auditctl -a watch,never -F auid=uid2
Neither seems to work .. in the log I still see watch records for open
on the watched file generated by both users!!
Watch filters should have a syscall. If you didn't specify any, then I'd
guess that neither of those rules are matching, so you're getting the
default behaviour.
--
dwmw2
2:16 p.m.
On Thursday 23 June 2005 14:09, David Woodhouse wrote:
Watch filters should have a syscall. If you didn't specify any,
then I'd
guess that neither of those rules are matching, so you're getting the
default behaviour.
I fixed auditctl so that if you do not specify a syscall, it will default to
all. I use the following and confirmed that it works (will be in 0.9.13):
auditctl -a watch,never -F auid=500
auditctl -w /etc/passwd -k test -p rwxa
cat /etc/passwd >/dev/null
However...I looked at the user filtering and it is not working. I think I know
why. netlink is an async interface. This means that the task may not be alive
when the user message is processed. It currently detects the and returns
-ESRCH, but the sender is long gone.
This means that the generic audit_filter_rules() cannot be used. You can only
filter based on the credentials that netlink gathered from the caller at
reception of message, or move the filtering to the message entry point after
permission checks.
-Steve
4:08 p.m.
On Thu, 2005-06-23 at 15:16 -0400, Steve Grubb wrote:
However...I looked at the user filtering and it is not working. I
think I know
why. netlink is an async interface. This means that the task may not be alive
when the user message is processed. It currently detects the and returns
-ESRCH, but the sender is long gone.
The sender isn't long gone; if it has disappeared without waiting for
the ack (as libaudit does) then the -ESRCH will mean that the message
isn't logged.
If you send a message and disappear without waiting for the ack, then
your message may or may not get logged. If it _is_ logged, then it'll be
logged with the correct credentials.
I think it's OK to declare that sending a message without waiting for
the ack is not guaranteed to work.
I'm more interested in finding the real reason why it didn't work. Were
you setting the syscall bitmask to all ones in auditctl?
--
dwmw2
4:25 p.m.
On Thursday 23 June 2005 17:08, David Woodhouse wrote:
If you send a message and disappear without waiting for the ack,
then
your message may or may not get logged. If it _is_ logged, then it'll be
logged with the correct credentials.
uid, pid, and loginuid are the only things collected by netlink for the
sender's credentials. Another app could reuse the pid by the time the netlink
message is processed. The lookup will succeed, but the check is against the
wrong process.
I think it's OK to declare that sending a message without waiting
for
the ack is not guaranteed to work.
We make no requirements for this anywhere else. We just need to filter against
the netlink credentials since that is all we know to be true.
I'm more interested in finding the real reason why it didn't
work. Were
you setting the syscall bitmask to all ones in auditctl?
Yes.
-Steve
2:19 a.m.
On Thu, 2005-06-23 at 17:25 -0400, Steve Grubb wrote:
> I'm more interested in finding the real reason why it
didn't work. Were
> you setting the syscall bitmask to all ones in auditctl?
Yes.
You pointed out the problem on IRC -- well spotted. Once I'd added the
task refcounting to audit_filter_user() it became more of a problem that
the function was violating the "only one return from each function"
rule. I fixed it to use a variable for the return code and always reach
the end, but in a fit of stupidity I left the 'return 1' at the end :)
audit.68 building now...
Index: kernel/auditsc.c
===================================================================
--- b75da428ad7067959b24a0e2e6b64094750025b9/kernel/auditsc.c (mode:100644)
+++ uncommitted/kernel/auditsc.c (mode:100644)
@@ -557,7 +557,7 @@
rcu_read_unlock();
put_task_struct(tsk);
- return 1; /* Audit by default */
+ return ret; /* Audit by default */
}
--
dwmw2
8:09 a.m.
On Thu, 2005-06-23 at 15:16 -0400, Steve Grubb wrote:
However...I looked at the user filtering and it is not working. I
think I know
why. netlink is an async interface. This means that the task may not be alive
when the user message is processed. It currently detects the and returns
-ESRCH, but the sender is long gone.
This means that the generic audit_filter_rules() cannot be used. You can only
filter based on the credentials that netlink gathered from the caller at
reception of message, or move the filtering to the message entry point after
permission checks.
Although this is never actually a problem in practice, it turns out that
to 'fix' it is actually also a cleanup of the code, because it means we
don't have to find the task by its pid. I was concerned about
duplicating audit_filter_rules() but in fact we don't have to copy much
of it because there are so few criteria we can filter on. So here
goes...
--- linux-2.6.9/include/linux/audit.h.p20054 2005-06-24 14:04:23.000000000 +0100
+++ linux-2.6.9/include/linux/audit.h 2005-06-24 14:05:17.000000000 +0100
@@ -205,6 +205,7 @@ struct audit_sig_info {
struct audit_buffer;
struct audit_context;
struct inode;
+struct netlink_skb_parms;
#define AUDITSC_INVALID 0
#define AUDITSC_SUCCESS 1
@@ -236,7 +237,7 @@ extern int audit_socketcall(int nargs, u
extern int audit_sockaddr(int len, void *addr);
extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt);
extern void audit_signal_info(int sig, struct task_struct *t);
-extern int audit_filter_user(int pid, int type);
+extern int audit_filter_user(struct netlink_skb_parms *cb, int type);
#else
#define audit_alloc(t) ({ 0; })
#define audit_free(t) do { ; } while (0)
@@ -252,7 +253,7 @@ extern int audit_filter_user(int pid, in
#define audit_sockaddr(len, addr) ({ 0; })
#define audit_avc_path(dentry, mnt) ({ 0; })
#define audit_signal_info(s,t) do { ; } while (0)
-#define audit_filter_user(p,t) ({ 1; })
+#define audit_filter_user(cb,t) ({ 1; })
#endif
#ifdef CONFIG_AUDIT
--- linux-2.6.9/kernel/audit.c 2005-06-24 12:41:15.000000000 +0100
+++ linux-2.6.9/kernel/audit.c 2005-06-24 12:31:13.000000000 +0100
@@ -465,7 +465,7 @@ static int audit_receive_msg(struct sk_b
if (!audit_enabled && msg_type != AUDIT_USER_AVC)
return 0;
- err = audit_filter_user(pid, msg_type);
+ err = audit_filter_user(&NETLINK_CB(skb), msg_type);
if (err == 1) {
err = 0;
ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
--- linux-2.6.9/kernel/auditsc.c 2005-06-24 12:41:15.000000000 +0100
+++ linux-2.6.9/kernel/auditsc.c 2005-06-24 12:41:59.000000000 +0100
@@ -40,6 +40,7 @@
#include <linux/personality.h>
#include <linux/time.h>
#include <linux/kthread.h>
+#include <linux/netlink.h>
#include <asm/unistd.h>
/* 0 = no checking
@@ -541,35 +542,62 @@ static enum audit_state audit_filter_sys
return AUDIT_BUILD_CONTEXT;
}
-int audit_filter_user(int pid, int type)
+static int audit_filter_user_rules(struct netlink_skb_parms *cb,
+ struct audit_rule *rule,
+ enum audit_state *state)
+{
+ int i;
+
+ for (i = 0; i < rule->field_count; i++) {
+ u32 field = rule->fields[i] & ~AUDIT_NEGATE;
+ u32 value = rule->values[i];
+ int result = 0;
+
+ switch (field) {
+ case AUDIT_PID:
+ result = (cb->creds.pid == value);
+ break;
+ case AUDIT_UID:
+ result = (cb->creds.uid == value);
+ break;
+ case AUDIT_GID:
+ result = (cb->creds.gid == value);
+ break;
+ case AUDIT_LOGINUID:
+ result = (cb->loginuid == value);
+ break;
+ }
+
+ if (rule->fields[i] & AUDIT_NEGATE)
+ result = !result;
+ if (!result)
+ return 0;
+ }
+ switch (rule->action) {
+ case AUDIT_NEVER: *state = AUDIT_DISABLED; break;
+ case AUDIT_POSSIBLE: *state = AUDIT_BUILD_CONTEXT; break;
+ case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break;
+ }
+ return 1;
+}
+
+int audit_filter_user(struct netlink_skb_parms *cb, int type)
{
- struct task_struct *tsk;
struct audit_entry *e;
enum audit_state state;
int ret = 1;
- read_lock(&tasklist_lock);
- tsk = find_task_by_pid(pid);
- if (tsk)
- get_task_struct(tsk);
- read_unlock(&tasklist_lock);
-
- if (!tsk)
- return -ESRCH;
-
rcu_read_lock();
list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
- if (audit_filter_rules(tsk, &e->rule, NULL, &state)) {
+ if (audit_filter_user_rules(cb, &e->rule, &state)) {
if (state == AUDIT_DISABLED)
ret = 0;
break;
}
}
rcu_read_unlock();
- put_task_struct(tsk);
return ret; /* Audit by default */
-
}
/* This should be called with task_lock() held. */
--
dwmw2
8:19 a.m.
Thanks David!
+ switch (rule->action) {
+ case AUDIT_NEVER: *state = AUDIT_DISABLED; break;
+ case AUDIT_POSSIBLE: *state = AUDIT_BUILD_CONTEXT; break;
+ case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break;
+ }
I don't think we even need the state code. We just need a yes/no answer. This
reduces even more by deleting the above and not passing the state var.
-Steve
8:34 a.m.
On Fri, 2005-06-24 at 09:19 -0400, Steve Grubb wrote:
I don't think we even need the state code. We just need a yes/no
answer. This reduces even more by deleting the above and not passing
the state var.
Actually we need a 'yes/no/unmatched' answer. We could change it as you
suggest, and if we do that we should probably also change
audit_filter_rules() in the same fashion -- but let's not bother.
--
dwmw2
9:12 a.m.
On Friday 24 June 2005 09:34, David Woodhouse wrote:
Actually we need a 'yes/no/unmatched' answer.
I think unmatched means allow the message. I would err on the side of sending
messages and let the admin suppress them.
We could change it as you suggest, and if we do that we should
probably also
change audit_filter_rules() in the same fashion -- but let's not bother.
I think this one we leave alone. User message filtering is not related to
syscalls, so its different.
-Steve
9:50 a.m.
On Fri, 2005-06-24 at 10:12 -0400, Steve Grubb wrote:
I think unmatched means allow the message. I would err on the side
of
sending messages and let the admin suppress them.
That's already implemented. Each _rule_ gives yes/no/unmatched, and what
you're saying is that audit_filter_user() should return 1 if all calls
to audit_filter_user_rules() have returned 'unmatched'.
I think this one we leave alone. User message filtering is not
related
to syscalls, so its different.
It's not particularly different at the moment. Changing the prototype
for one but not the other would make it gratuitously so, which isn't
really an improvement.
--
dwmw2
7120
days inactive
7122
days old
linux-audit@lists.linux-audit.osci.io
15 comments
3 participants
participants (3)
-
David Woodhouse -
Loulwa Salem -
Steve Grubb