10:23 a.m.
Hello,
I wanted to start a discussion about an old topic that we last discussed back
in December. The problem basically centers around the audit message type
being too coarse to be of any real use. Right now, we have 3 message types
that the kernel sends to the audit daemon: AUDIT_KERNEL, AUDIT_USER, and
AUDIT_LOGIN.
AUDIT_LOGIN is fine. Its a very specific message. AUDIT_USER can be used for
anything from userspace. Anything means pam going through its various phases
- authentication, account management, session start, credentials set, session
closed, credentials destroyed. It also means any error message that may come
out of pam. Various trusted applications use it to note any kind of change to
user account attributes and any error therein.
We are trying to create an audit system that meets CAPP requirements (Section
FAU_SAR.3). We need to allow the administrator to create searches that, for
example, let them find any failed attempt to change a user's password. What
this means is that we have to search for any record that is of type
AUDIT_USER, then examine each one of those looking for the one that comes
from passwd. (Or maybe they were logging in and login made them change their
passwd since it expired. Two potential message sources for the same action.)
That's way too many messages to parse to find one specific kind of event.
I also feel that the kernel needs to break its packets down a little better
for searching. For example, both of these are KERNEL types:
type=KERNEL msg=audit(1113856292.392:10258978): item=0 name="/usr/bin/kompare"
inode=589078 dev=03:02 mode=0100755 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1113856292.392:10258978): syscall=11 arch=40000003
success=yes exit=0 a0=86629c0 a1=865f280 a2=85a6870 a3=805264c items=2
pid=4078 loginuid=525 uid=525 gid=525 euid=525 suid=525 fsuid=525
egid=525 sgid=525 fsgid=525 comm="kompare" exe=/usr/bin/kompare
But the first is a helper (or supplementary info) for the second. It would be
so much easier if the first one was a different message type. For example,
suppose we have to do a search for a specific uid. which one of the above
should we "hit" on? The seocnd one obviously, but it would be better if it
was a different type so the ausearch program has a spot to key on for data
about the event.
Then to top it off, we have SE Linux avc messages in the mix.
I think it would be a tremendous help to add some new message types that can
be filtered on. For example, if we had more kernel message types so SE Linux
avc denials were a differnt message type from syscall auditing, I could
easily add a filter to auditd so that a user can specify what kind of message
types they want logged. This will let them save disk space and improve
performance.
For example, someone writing SE Linux policy may want AUDIT_SELINUX_AVC_DENIAL
messages only. Everything else could be thrown away as far as they are
concerned. Or maybe people want to log only AUDIT_LOGIN messages. Some people
may want to log only failures to log in. Without finer grained message types,
this is not even a possibility.
In addition, if a user has 10 gigabytes of audit messages and they are all
AUDIT_KERNEL and they want to do a search on failed login attempts,
performance is going to suck. The reason, is because we will have to parse
many of the wrong kind of messages just to find the ones we are looking for.
To solve the problem, I would like to propose that AUDIT_KERNEL be used only
for things like adding & deleting rules, changing backlog, failure flag,
enabled/disabled, and message rate limit. We should introduce new message
types that partition the messages into: event, supplementary information
(for example - look at the log snippet above, the first chunk is this type),
SE Linux, authentication, account attribute change, account management,
credentials, session start, session close.
Of these, supplementary information should be subdivided into various types,
AUDIT_FILE_INFO for example. The SE Linux messages should be subdivided into
various message types, too. The rest would have a success and failure
subtype.
The benefits to doing this is: ausearch can better search for the right
information, users can filter what goes to disk, audit records are easier for
people to read, test cases are easier to construct.
Thoughts?
-Steve Grubb
8:47 a.m.
On Tuesday 19 April 2005 11:23, Steve Grubb wrote:
I wanted to start a discussion about an old topic that we last
discussed
back in December. The problem basically centers around the audit message
type being too coarse to be of any real use.
Attached is my current working patch for people to review and comment on. It
is not a final patch. I still need to review all messages to ensure we have
everything that its supposed to be. The patch is against the .31 kernel will
all my previous patches applied.
If there are no objections or concerns, I will finalize this patch and release
matching user space tools.
-Steve
9:07 a.m.
+define AUDIT_SYSCALL 1300 /* Syscall event */
+define AUDIT_IPC 1303 /* IPC record */
Does this mean that on X86_64 a record for semget shows up as a record of
type AUDIT_SYSCALL, but on all platforms, it comes out as AUDIT_IPC record?
Also true for other syscalls including: msgctl, msgget, msgrecv, msgsend,
semctl, semop, semtimedop, shmat, shmctl, shmdt, shmget.
+define AUDIT_SOCKET 1304 /* Socket record */
Would this make the bind syscall generate records of type AUDIT_SOCKET?
-debbie
linux-audit-bounces(a)redhat.com wrote on 05/10/2005 08:47:35 AM:
On Tuesday 19 April 2005 11:23, Steve Grubb wrote:
> I wanted to start a discussion about an old topic that we last
discussed
> back in December. The problem basically centers around the audit
message
> type being too coarse to be of any real use.
Attached is my current working patch for people to review and comment
on.
It
is not a final patch. I still need to review all messages to ensure
we
have
everything that its supposed to be. The patch is against the .31
kernel
will
all my previous patches applied.
If there are no objections or concerns, I will finalize this patch
and
release
matching user space tools.
-Steve
[attachment "linux-2.6.9-audit-types.patch" deleted by Debora
Velarde/Austin/IBM]
--
Linux-audit mailing list
Linux-audit(a)redhat.com
http://www.redhat.com/mailman/listinfo/linux-audit
9:26 a.m.
On Tuesday 10 May 2005 10:07, Debora Velarde wrote:
Does this mean that on X86_64 a record for semget shows up as a
record of
type AUDIT_SYSCALL, but on all platforms, it comes out as AUDIT_IPC record?
Also true for other syscalls including: msgctl, msgget, msgrecv, msgsend,
semctl, semop, semtimedop, shmat, shmctl, shmdt, shmget.
No. They will be the same as they are now - 2 records with same serial number.
One piece will be labelled SYSCALL and include all the normal info for
syscalls. The other piece will have an IPC label. Currently, they both have
KERNEL label.
Incidentally here's a sample from my logs for ipc:
auditctl -a entry,always -S ipc
type=SYSCALL msg=audit(1115734892.933:11104482): syscall=117 arch=40000003
success=yes exit=0 a0=18 a1=9000e a2=100 a3=0 items=0 pid=22636 loginuid=525
uid=525 gid=525 euid=525 suid=525 fsuid=525 egid=525 sgid=525 fsgid=525
comm="firefox-bin" exe=/usr/lib/firefox-1.0.3/firefox-bin
There doesn't seem to be any supplemental records. I'll investigate.
+define AUDIT_SOCKET 1304 /* Socket record */
Would this make the bind syscall generate records of type AUDIT_SOCKET?
That is the plan. bind and connect. Before anyone says connect is not a
security related function...we know. We want to provide extra information for
that call.
Incidentally, I've found one bug in the patch. Wherever AUDIT_USER is, I
needed to add the new user types.
-Steve Grubb
9:36 a.m.
Incidentally here's a sample from my logs for ipc:
auditctl -a entry,always -S ipc
type=SYSCALL msg=audit(1115734892.933:11104482): syscall=117
arch=40000003
success=yes exit=0 a0=18 a1=9000e a2=100 a3=0 items=0 pid=22636
loginuid=525
uid=525 gid=525 euid=525 suid=525 fsuid=525 egid=525 sgid=525
fsgid=525
comm="firefox-bin" exe=/usr/lib/firefox-1.0.3/firefox-bin
There doesn't seem to be any supplemental records. I'll
investigate.
shmctl normally does have at least one supplemental record, is that
what
you
ran to generate this record?
9:57 a.m.
On Tue, 2005-05-10 at 10:26 -0400, Steve Grubb wrote:
type=SYSCALL msg=audit(1115734892.933:11104482): syscall=117
arch=40000003
success=yes exit=0 a0=18 a1=9000e a2=100 a3=0 items=0 pid=22636 loginuid=525
uid=525 gid=525 euid=525 suid=525 fsuid=525 egid=525 sgid=525 fsgid=525
comm="firefox-bin" exe=/usr/lib/firefox-1.0.3/firefox-bin
There doesn't seem to be any supplemental records. I'll investigate.
Decoding the above...
a0 is the real IPC call -- 0x18 is shmctl().
a1 is the shmid (0x9000e).
a2 is the command (IPC_64|IPC_RMID).
That isn't one of the IPC subfunctions which has auxiliary information
to log. Try the attached 'ipcstuff.c', which makes IPC_SET calls.
--
dwmw2
10:12 a.m.
On Tuesday 10 May 2005 08:47, Steve Grubb wrote:
On Tuesday 19 April 2005 11:23, Steve Grubb wrote:
> I wanted to start a discussion about an old topic that we last discussed
> back in December. The problem basically centers around the audit message
> type being too coarse to be of any real use.
Attached is my current working patch for people to review and comment on.
It'd be helpful if you include the "p" flag ("Show which C function
each
change is in") when you RFC a patch.
-tim
7164
days inactive
7186
days old
linux-audit@lists.linux-audit.osci.io
6 comments
4 participants
participants (4)
-
David Woodhouse -
Debora Velarde -
Steve Grubb -
Timothy R. Chavez