12:08 p.m.
Hi,
This patch set adds a restricted capability read-only netlink multicast socket
to kaudit to enable userspace clients such as systemd to consume audit logs, in
addition to the existing bidirectional auditd userspace client.
Currently, auditd has the CAP_AUDIT_CONTROL and CAP_AUDIT_WRITE capabilities
(both use CAP_NET_ADMIN). The CAP_AUDIT_READ capability will be added for use
by read-only AUDIT_NLGRP_READLOG multicast group clients to the kaudit
subsystem.
This is accomplished by modifying the optional netlink per-protocol bind
function to return an error code.
https://bugzilla.redhat.com/show_bug.cgi?id=887992
It needs a bit of massage to get past checkpatch.pl...
First posted: https://www.redhat.com/archives/linux-audit/2013-January/msg00008.html
https://lkml.org/lkml/2013/1/27/279
Richard Guy Briggs (5):
audit: move kaudit thread start from auditd registration to kaudit
init
netlink: have netlink per-protocol bind function return an error
code.
audit: add netlink audit protocol bind to check capabilities on
multicast join
audit: add netlink multicast group for log read
audit: send multicast messages only if there are listeners
include/linux/netlink.h | 2 +-
include/uapi/linux/audit.h | 8 ++++
include/uapi/linux/capability.h | 7 +++-
kernel/audit.c | 66 +++++++++++++++++++++++++++++-----
net/netfilter/nfnetlink.c | 6 ++-
net/netlink/af_netlink.c | 30 +++++++++-------
net/netlink/af_netlink.h | 4 +-
security/selinux/include/classmap.h | 2 +-
8 files changed, 95 insertions(+), 30 deletions(-)
12:08 p.m.
New subject: [PATCH 1/5] audit: move kaudit thread start from auditd registration to kaudit init
The kauditd_thread() task was started only after the auditd userspace daemon
registers itself with kaudit. This was fine when only auditd consumed messages
from the kaudit netlink unicast socket. With the addition of a multicast group
to that socket it is more convenient to have the thread start on init of the
kaudit kernel subsystem.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/audit.c | 15 +++++----------
1 files changed, 5 insertions(+), 10 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 34c5a23..b5b2f72 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -768,16 +768,6 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr
*nlh)
if (err)
return err;
- /* As soon as there's any sign of userspace auditd,
- * start kauditd to talk to it */
- if (!kauditd_task) {
- kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd");
- if (IS_ERR(kauditd_task)) {
- err = PTR_ERR(kauditd_task);
- kauditd_task = NULL;
- return err;
- }
- }
seq = nlh->nlmsg_seq;
data = nlmsg_data(nlh);
@@ -1116,6 +1106,11 @@ static int __init audit_init(void)
audit_enabled = audit_default;
audit_ever_enabled |= !!audit_default;
+ kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd");
+ if (IS_ERR(kauditd_task))
+ printk(KERN_ERR "audit: error starting kauditd_thread (%ld)\n",
+ PTR_ERR(kauditd_task));
+
audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized");
for (i = 0; i < AUDIT_INODE_BUCKETS; i++)
--
1.7.1
12:08 p.m.
New subject: [PATCH 2/5] netlink: have netlink per-protocol bind function return an error code.
Have the netlink per-protocol optional bind function return an error code
rather than void to signal a failure.
This will enable netlink protocols to perform extra checks including
capabilities and permissions verifications when updating memberships in
multicast groups.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
include/linux/netlink.h | 2 +-
net/netfilter/nfnetlink.c | 6 ++++--
net/netlink/af_netlink.c | 30 +++++++++++++++++-------------
net/netlink/af_netlink.h | 4 ++--
4 files changed, 24 insertions(+), 18 deletions(-)
diff --git a/include/linux/netlink.h b/include/linux/netlink.h
index 7a6c396..4402653 100644
--- a/include/linux/netlink.h
+++ b/include/linux/netlink.h
@@ -45,7 +45,7 @@ struct netlink_kernel_cfg {
unsigned int flags;
void (*input)(struct sk_buff *skb);
struct mutex *cb_mutex;
- void (*bind)(int group);
+ int (*bind)(int group);
bool (*compare)(struct net *net, struct sock *sk);
};
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 046aa13..0edc4d6 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -392,7 +392,7 @@ static void nfnetlink_rcv(struct sk_buff *skb)
}
#ifdef CONFIG_MODULES
-static void nfnetlink_bind(int group)
+static int nfnetlink_bind(int group)
{
const struct nfnetlink_subsystem *ss;
int type = nfnl_group2type[group];
@@ -402,9 +402,11 @@ static void nfnetlink_bind(int group)
if (!ss) {
rcu_read_unlock();
request_module("nfnetlink-subsys-%d", type);
- return;
+ return 0;
}
rcu_read_unlock();
+
+ return 0;
}
#endif
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index bca50b9..755912f 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1198,7 +1198,7 @@ static int netlink_create(struct net *net, struct socket *sock, int
protocol,
struct module *module = NULL;
struct mutex *cb_mutex;
struct netlink_sock *nlk;
- void (*bind)(int group);
+ int (*bind)(int group);
int err = 0;
sock->state = SS_UNCONNECTED;
@@ -1441,6 +1441,17 @@ static int netlink_bind(struct socket *sock, struct sockaddr
*addr,
if (!nladdr->nl_groups && (nlk->groups == NULL ||
!(u32)nlk->groups[0]))
return 0;
+ if (nlk->netlink_bind && nladdr->nl_groups) {
+ int i;
+
+ for (i=0; i<nlk->ngroups; i++)
+ if (test_bit(i, (long unsigned int *)&nladdr->nl_groups)) {
+ err = nlk->netlink_bind(i);
+ if (err)
+ return err;
+ }
+ }
+
netlink_table_grab();
netlink_update_subscriptions(sk, nlk->subscriptions +
hweight32(nladdr->nl_groups) -
@@ -1449,15 +1460,6 @@ static int netlink_bind(struct socket *sock, struct sockaddr
*addr,
netlink_update_listeners(sk);
netlink_table_ungrab();
- if (nlk->netlink_bind && nlk->groups[0]) {
- int i;
-
- for (i=0; i<nlk->ngroups; i++) {
- if (test_bit(i, nlk->groups))
- nlk->netlink_bind(i);
- }
- }
-
return 0;
}
@@ -2095,14 +2097,16 @@ static int netlink_setsockopt(struct socket *sock, int level, int
optname,
return err;
if (!val || val - 1 >= nlk->ngroups)
return -EINVAL;
+ if (nlk->netlink_bind) {
+ err = nlk->netlink_bind(val);
+ if (err)
+ return err;
+ }
netlink_table_grab();
netlink_update_socket_mc(nlk, val,
optname == NETLINK_ADD_MEMBERSHIP);
netlink_table_ungrab();
- if (nlk->netlink_bind)
- nlk->netlink_bind(val);
-
err = 0;
break;
}
diff --git a/net/netlink/af_netlink.h b/net/netlink/af_netlink.h
index acbd774..0edb8d5 100644
--- a/net/netlink/af_netlink.h
+++ b/net/netlink/af_netlink.h
@@ -37,7 +37,7 @@ struct netlink_sock {
struct mutex *cb_mutex;
struct mutex cb_def_mutex;
void (*netlink_rcv)(struct sk_buff *skb);
- void (*netlink_bind)(int group);
+ int (*netlink_bind)(int group);
struct module *module;
#ifdef CONFIG_NETLINK_MMAP
struct mutex pg_vec_lock;
@@ -73,7 +73,7 @@ struct netlink_table {
unsigned int groups;
struct mutex *cb_mutex;
struct module *module;
- void (*bind)(int group);
+ int (*bind)(int group);
bool (*compare)(struct net *net, struct sock *sock);
int registered;
};
--
1.7.1
12:08 p.m.
New subject: [PATCH 3/5] audit: add netlink audit protocol bind to check capabilities on multicast join
Register a netlink per-protocol bind fuction for audit to check userspace
process capabilities before allowing a multicast group connection.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/audit.c | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index b5b2f72..f2d2d61 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1050,10 +1050,20 @@ static void audit_receive(struct sk_buff *skb)
mutex_unlock(&audit_cmd_mutex);
}
+/* Run custom bind function on netlink socket group connect or bind requests. */
+static int audit_bind(int group)
+{
+ if (!capable(CAP_AUDIT_READ))
+ return -EPERM;
+
+ return 0;
+}
+
static int __net_init audit_net_init(struct net *net)
{
struct netlink_kernel_cfg cfg = {
.input = audit_receive,
+ .bind = audit_bind,
};
struct audit_net *aunet = net_generic(net, audit_net_id);
--
1.7.1
1:15 p.m.
New subject: [PATCH 3/5] audit: add netlink audit protocol bind to check capabilities on multicast join
On Wed, 2014-02-19 at 13:08 -0500, Richard Guy Briggs wrote:
Register a netlink per-protocol bind fuction for audit to check
userspace
process capabilities before allowing a multicast group connection.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/audit.c | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index b5b2f72..f2d2d61 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1050,10 +1050,20 @@ static void audit_receive(struct sk_buff *skb)
mutex_unlock(&audit_cmd_mutex);
}
+/* Run custom bind function on netlink socket group connect or bind requests. */
+static int audit_bind(int group)
+{
+ if (!capable(CAP_AUDIT_READ))
Not a great idea to use CAP_AUDIT_READ before you define it in patch4
+ return -EPERM;
+
+ return 0;
+}
+
static int __net_init audit_net_init(struct net *net)
{
struct netlink_kernel_cfg cfg = {
.input = audit_receive,
+ .bind = audit_bind,
};
struct audit_net *aunet = net_generic(net, audit_net_id);
1:41 p.m.
New subject: [PATCH 3/5] audit: add netlink audit protocol bind to check capabilities on multicast join
On 14/02/19, Eric Paris wrote:
On Wed, 2014-02-19 at 13:08 -0500, Richard Guy Briggs wrote:
> Register a netlink per-protocol bind fuction for audit to check userspace
> process capabilities before allowing a multicast group connection.
>
> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
> ---
> kernel/audit.c | 10 ++++++++++
> 1 files changed, 10 insertions(+), 0 deletions(-)
>
> diff --git a/kernel/audit.c b/kernel/audit.c
> index b5b2f72..f2d2d61 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1050,10 +1050,20 @@ static void audit_receive(struct sk_buff *skb)
> mutex_unlock(&audit_cmd_mutex);
> }
>
> +/* Run custom bind function on netlink socket group connect or bind requests. */
> +static int audit_bind(int group)
> +{
> + if (!capable(CAP_AUDIT_READ))
Not a great idea to use CAP_AUDIT_READ before you define it in patch4
<blush>
> + return -EPERM;
> +
> + return 0;
> +}
> +
> static int __net_init audit_net_init(struct net *net)
> {
> struct netlink_kernel_cfg cfg = {
> .input = audit_receive,
> + .bind = audit_bind,
> };
>
> struct audit_net *aunet = net_generic(net, audit_net_id);
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
12:08 p.m.
New subject: [PATCH 4/5] audit: add netlink multicast group for log read
Add a netlink multicast socket with one group to kaudit for "best-effort"
delivery to read-only userspace clients such as systemd, in addition to the
existing bidirectional unicast auditd userspace client.
Currently, auditd is intended to use the CAP_AUDIT_CONTROL and CAP_AUDIT_WRITE
capabilities, but actually uses CAP_NET_ADMIN. The CAP_AUDIT_READ capability
is added for use by read-only AUDIT_NLGRP_READLOG netlink multicast group
clients to the kaudit subsystem.
This will safely give access to services such as systemd to consume audit logs
while ensuring write access remains restricted for integrity.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
include/uapi/linux/audit.h | 8 +++++++
include/uapi/linux/capability.h | 7 +++++-
kernel/audit.c | 39 +++++++++++++++++++++++++++++++++++
security/selinux/include/classmap.h | 2 +-
4 files changed, 54 insertions(+), 2 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 2d48fe1..8aba976 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -372,6 +372,14 @@ enum {
*/
#define AUDIT_MESSAGE_TEXT_MAX 8560
+/* Multicast Netlink socket groups (default up to 32) */
+enum audit_nlgrps {
+ AUDIT_NLGRP_NONE, /* Group 0 not used */
+ AUDIT_NLGRP_READLOG, /* "best effort" read only socket */
+ __AUDIT_NLGRP_MAX
+};
+#define AUDIT_NLGRP_MAX (__AUDIT_NLGRP_MAX - 1)
+
struct audit_status {
__u32 mask; /* Bit mask for valid entries */
__u32 enabled; /* 1 = enabled, 0 = disabled */
diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
index 154dd6d..12c37a1 100644
--- a/include/uapi/linux/capability.h
+++ b/include/uapi/linux/capability.h
@@ -347,7 +347,12 @@ struct vfs_cap_data {
#define CAP_BLOCK_SUSPEND 36
-#define CAP_LAST_CAP CAP_BLOCK_SUSPEND
+/* Allow reading the audit log via multicast netlink socket */
+
+#define CAP_AUDIT_READ 37
+
+
+#define CAP_LAST_CAP CAP_AUDIT_READ
#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
diff --git a/kernel/audit.c b/kernel/audit.c
index f2d2d61..0da57b6 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -424,6 +424,37 @@ static void kauditd_send_skb(struct sk_buff *skb)
}
/*
+ * kauditd_send_multicast_skb - send the skb to multicast userspace listeners
+ *
+ * This function doesn't consume an skb as might be expected since it has to
+ * copy it anyways.
+ */
+static void kauditd_send_multicast_skb(struct sk_buff *skb)
+{
+ struct sk_buff *copy;
+ struct nlmsghdr *nlh;
+
+ /*
+ * The seemingly wasteful skb_copy() is necessary because the original
+ * kaudit unicast socket sends up messages with nlmsg_len set to the
+ * payload length rather than the entire message length. This breaks
+ * the standard set by netlink. The existing auditd daemon assumes
+ * this breakage. Fixing this would require co-ordinating a change in
+ * the established protocol between the kaudit kernel subsystem and
+ * the auditd userspace code. There is no reason for new multicast
+ * clients to continue with this non-compliance.
+ */
+ copy = skb_copy(skb, GFP_KERNEL);
+ if (!copy)
+ return;
+
+ nlh = nlmsg_hdr(copy);
+ nlh->nlmsg_len = copy->len;
+
+ nlmsg_multicast(audit_sock, copy, 0, AUDIT_NLGRP_READLOG, GFP_KERNEL);
+}
+
+/*
* flush_hold_queue - empty the hold queue if auditd appears
*
* If auditd just started, drain the queue of messages already
@@ -474,6 +505,12 @@ static int kauditd_thread(void *dummy)
skb = skb_dequeue(&audit_skb_queue);
if (skb) {
+ /* Don't bump skb refcount for multicast send since
+ * kauditd_send_multicast_skb() copies the skb anyway
+ * due to audit unicast netlink protocol
+ * non-compliance.
+ */
+ kauditd_send_multicast_skb(skb);
if (skb_queue_len(&audit_skb_queue) <= audit_backlog_limit)
wake_up(&audit_backlog_wait);
if (audit_pid)
@@ -1064,6 +1101,8 @@ static int __net_init audit_net_init(struct net *net)
struct netlink_kernel_cfg cfg = {
.input = audit_receive,
.bind = audit_bind,
+ .flags = NL_CFG_F_NONROOT_RECV,
+ .groups = AUDIT_NLGRP_MAX,
};
struct audit_net *aunet = net_generic(net, audit_net_id);
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 14d04e6..be491a7 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -147,7 +147,7 @@ struct security_class_mapping secclass_map[] = {
{ "peer", { "recv", NULL } },
{ "capability2",
{ "mac_override", "mac_admin", "syslog",
"wake_alarm", "block_suspend",
- NULL } },
+ "audit_read", NULL } },
{ "kernel_service", { "use_as_override",
"create_files_as", NULL } },
{ "tun_socket",
{ COMMON_SOCK_PERMS, "attach_queue", NULL } },
--
1.7.1
7:55 a.m.
New subject: [PATCH 4/5] audit: add netlink multicast group for log read
On Wednesday, February 19, 2014 01:08:22 PM Richard Guy Briggs wrote:
Add a netlink multicast socket with one group to kaudit for
"best-effort"
delivery to read-only userspace clients such as systemd, in addition to the
existing bidirectional unicast auditd userspace client.
One question...we do have to have the ability to separate of secadm_r and
sysadm_r. By allowing this we will leak to a sysadmin that he is being audited
by the security officer. In a lot of cases, they are one in the same person. But
for others, they are not. I have a feeling this will cause problems for MLS
systems.
-Steve
Currently, auditd is intended to use the CAP_AUDIT_CONTROL and
CAP_AUDIT_WRITE capabilities, but actually uses CAP_NET_ADMIN. The
CAP_AUDIT_READ capability is added for use by read-only AUDIT_NLGRP_READLOG
netlink multicast group clients to the kaudit subsystem.
This will safely give access to services such as systemd to consume audit
logs while ensuring write access remains restricted for integrity.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
include/uapi/linux/audit.h | 8 +++++++
include/uapi/linux/capability.h | 7 +++++-
kernel/audit.c | 39
+++++++++++++++++++++++++++++++++++ security/selinux/include/classmap.h |
2 +-
4 files changed, 54 insertions(+), 2 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 2d48fe1..8aba976 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -372,6 +372,14 @@ enum {
*/
#define AUDIT_MESSAGE_TEXT_MAX 8560
+/* Multicast Netlink socket groups (default up to 32) */
+enum audit_nlgrps {
+ AUDIT_NLGRP_NONE, /* Group 0 not used */
+ AUDIT_NLGRP_READLOG, /* "best effort" read only socket */
+ __AUDIT_NLGRP_MAX
+};
+#define AUDIT_NLGRP_MAX (__AUDIT_NLGRP_MAX - 1)
+
struct audit_status {
__u32 mask; /* Bit mask for valid entries */
__u32 enabled; /* 1 = enabled, 0 = disabled */
diff --git a/include/uapi/linux/capability.h
b/include/uapi/linux/capability.h index 154dd6d..12c37a1 100644
--- a/include/uapi/linux/capability.h
+++ b/include/uapi/linux/capability.h
@@ -347,7 +347,12 @@ struct vfs_cap_data {
#define CAP_BLOCK_SUSPEND 36
-#define CAP_LAST_CAP CAP_BLOCK_SUSPEND
+/* Allow reading the audit log via multicast netlink socket */
+
+#define CAP_AUDIT_READ 37
+
+
+#define CAP_LAST_CAP CAP_AUDIT_READ
#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
diff --git a/kernel/audit.c b/kernel/audit.c
index f2d2d61..0da57b6 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -424,6 +424,37 @@ static void kauditd_send_skb(struct sk_buff *skb)
}
/*
+ * kauditd_send_multicast_skb - send the skb to multicast userspace
listeners + *
+ * This function doesn't consume an skb as might be expected since it has
to + * copy it anyways.
+ */
+static void kauditd_send_multicast_skb(struct sk_buff *skb)
+{
+ struct sk_buff *copy;
+ struct nlmsghdr *nlh;
+
+ /*
+ * The seemingly wasteful skb_copy() is necessary because the original
+ * kaudit unicast socket sends up messages with nlmsg_len set to the
+ * payload length rather than the entire message length. This breaks
+ * the standard set by netlink. The existing auditd daemon assumes
+ * this breakage. Fixing this would require co-ordinating a change in
+ * the established protocol between the kaudit kernel subsystem and
+ * the auditd userspace code. There is no reason for new multicast
+ * clients to continue with this non-compliance.
+ */
+ copy = skb_copy(skb, GFP_KERNEL);
+ if (!copy)
+ return;
+
+ nlh = nlmsg_hdr(copy);
+ nlh->nlmsg_len = copy->len;
+
+ nlmsg_multicast(audit_sock, copy, 0, AUDIT_NLGRP_READLOG, GFP_KERNEL);
+}
+
+/*
* flush_hold_queue - empty the hold queue if auditd appears
*
* If auditd just started, drain the queue of messages already
@@ -474,6 +505,12 @@ static int kauditd_thread(void *dummy)
skb = skb_dequeue(&audit_skb_queue);
if (skb) {
+ /* Don't bump skb refcount for multicast send since
+ * kauditd_send_multicast_skb() copies the skb anyway
+ * due to audit unicast netlink protocol
+ * non-compliance.
+ */
+ kauditd_send_multicast_skb(skb);
if (skb_queue_len(&audit_skb_queue) <= audit_backlog_limit)
wake_up(&audit_backlog_wait);
if (audit_pid)
@@ -1064,6 +1101,8 @@ static int __net_init audit_net_init(struct net *net)
struct netlink_kernel_cfg cfg = {
.input = audit_receive,
.bind = audit_bind,
+ .flags = NL_CFG_F_NONROOT_RECV,
+ .groups = AUDIT_NLGRP_MAX,
};
struct audit_net *aunet = net_generic(net, audit_net_id);
diff --git a/security/selinux/include/classmap.h
b/security/selinux/include/classmap.h index 14d04e6..be491a7 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -147,7 +147,7 @@ struct security_class_mapping secclass_map[] = {
{ "peer", { "recv", NULL } },
{ "capability2",
{ "mac_override", "mac_admin", "syslog",
"wake_alarm", "block_suspend",
- NULL } },
+ "audit_read", NULL } },
{ "kernel_service", { "use_as_override",
"create_files_as", NULL } },
{ "tun_socket",
{ COMMON_SOCK_PERMS, "attach_queue", NULL } },
8:18 a.m.
New subject: [PATCH 4/5] audit: add netlink multicast group for log read
On Wed, 2014-03-12 at 08:55 -0400, Steve Grubb wrote:
On Wednesday, February 19, 2014 01:08:22 PM Richard Guy Briggs
wrote:
> Add a netlink multicast socket with one group to kaudit for "best-effort"
> delivery to read-only userspace clients such as systemd, in addition to the
> existing bidirectional unicast auditd userspace client.
One question...we do have to have the ability to separate of secadm_r and
sysadm_r. By allowing this we will leak to a sysadmin that he is being audited
by the security officer. In a lot of cases, they are one in the same person. But
for others, they are not. I have a feeling this will cause problems for MLS
systems.
A good question. But easily solved in policy. Don't give
CAP_AUDIT_READ to sysadm_t if you don't want sysadm_t to be able to read
from the multicast socket.
As to what others who read from the journal I guess we can just make
sure it is a config option whether to collect or not. Most everyone
would want to collect, but some configs might obviously not.
I'll roll around in the back of my head the ability for auditctl to
disable the multicasting, but CAP_AUDIT_READ takes care of that a whole
lot more nicely...
8:35 a.m.
New subject: [PATCH 4/5] audit: add netlink multicast group for log read
On Wednesday, March 12, 2014 09:18:14 AM Eric Paris wrote:
On Wed, 2014-03-12 at 08:55 -0400, Steve Grubb wrote:
> On Wednesday, February 19, 2014 01:08:22 PM Richard Guy Briggs wrote:
> > Add a netlink multicast socket with one group to kaudit for
> > "best-effort"
> > delivery to read-only userspace clients such as systemd, in addition to
> > the
> > existing bidirectional unicast auditd userspace client.
>
> One question...we do have to have the ability to separate of secadm_r and
> sysadm_r. By allowing this we will leak to a sysadmin that he is being
> audited by the security officer. In a lot of cases, they are one in the
> same person. But for others, they are not. I have a feeling this will
> cause problems for MLS systems.
A good question. But easily solved in policy. Don't give
CAP_AUDIT_READ to sysadm_t if you don't want sysadm_t to be able to read
from the multicast socket.
That also means that we probably want an audit event for any successful and
unsuccessful attempts to connect for _reading_ audit events.
-Steve
As to what others who read from the journal I guess we can just make
sure it is a config option whether to collect or not. Most everyone
would want to collect, but some configs might obviously not.
I'll roll around in the back of my head the ability for auditctl to
disable the multicasting, but CAP_AUDIT_READ takes care of that a whole
lot more nicely...
10:25 a.m.
New subject: [PATCH 4/5] audit: add netlink multicast group for log read
On 14/03/12, Steve Grubb wrote:
On Wednesday, March 12, 2014 09:18:14 AM Eric Paris wrote:
> On Wed, 2014-03-12 at 08:55 -0400, Steve Grubb wrote:
> > On Wednesday, February 19, 2014 01:08:22 PM Richard Guy Briggs wrote:
> > > Add a netlink multicast socket with one group to kaudit for
> > > "best-effort"
> > > delivery to read-only userspace clients such as systemd, in addition to
> > > the
> > > existing bidirectional unicast auditd userspace client.
> >
> > One question...we do have to have the ability to separate of secadm_r and
> > sysadm_r. By allowing this we will leak to a sysadmin that he is being
> > audited by the security officer. In a lot of cases, they are one in the
> > same person. But for others, they are not. I have a feeling this will
> > cause problems for MLS systems.
At first I had no idea what you were talking about but Eric's reply
helps to understand the context.
> A good question. But easily solved in policy. Don't give
> CAP_AUDIT_READ to sysadm_t if you don't want sysadm_t to be able to read
> from the multicast socket.
This seems like an easy one.
That also means that we probably want an audit event for any
successful and
unsuccessful attempts to connect for _reading_ audit events.
That could easily be added to the new custom netlink bind function.
-Steve
> As to what others who read from the journal I guess we can just make
> sure it is a config option whether to collect or not. Most everyone
> would want to collect, but some configs might obviously not.
This would be easy to add as a "feature", I'm guessing...
> I'll roll around in the back of my head the ability for
auditctl to
> disable the multicasting, but CAP_AUDIT_READ takes care of that a whole
> lot more nicely...
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
12:08 p.m.
New subject: [PATCH 5/5] audit: send multicast messages only if there are listeners
Test first to see if there are any userspace multicast listeners bound to the
socket before starting the multicast send work.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/audit.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 0da57b6..6e8d137 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -434,6 +434,8 @@ static void kauditd_send_multicast_skb(struct sk_buff *skb)
struct sk_buff *copy;
struct nlmsghdr *nlh;
+ if (!netlink_has_listeners(audit_sock, AUDIT_NLGRP_READLOG))
+ return;
/*
* The seemingly wasteful skb_copy() is necessary because the original
* kaudit unicast socket sends up messages with nlmsg_len set to the
--
1.7.1
3937
days inactive
3958
days old
linux-audit@lists.linux-audit.osci.io
11 comments
3 participants
participants (3)
-
Eric Paris -
Richard Guy Briggs -
Steve Grubb