public inbox for linux-audit@redhat.com
* audit 1.7.4 released
@ 2008-05-19 18:50 Steve Grubb
  2008-05-27 15:50 ` LC Bruzenak
  0 siblings, 1 reply; 10+ messages in thread
From: Steve Grubb @ 2008-05-19 18:50 UTC (permalink / raw)
  To: Linux Audit

Hi,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit  It will also be in rawhide  
tomorrow. The Changelog is:

- Fix interpreting of keys in syscall records
- Interpret audit rule config change list fields
- Don't error on name=(null) PATH records in ausearch/report
- Add key report to aureport
- Fix --end today to be now
- Added python bindings for auparse_goto_record_num
- Update system-config-audit to 0.4.7 (Miloslav Trmac)
- Add support for the filetype field option in auditctl
- In audispd boost priority after starting children

This release is a mix of bug fixes and new features. The bug fixes are what is 
driving the release earlier than what I'd like. I was doing some testing and 
found that a lot of keys were not being interpreted correctly. I think many 
were coming back as (null) which looks pretty normal if you don't use the 
keys. Anyways, this is fixed. 

I also found that ausearch/report were not processing some events correctly 
when the PATH record's name field was (null). The result of this was that the 
event was being discarded in search results.

With the new interest in keys, I added a key report to aureport. This presents 
a listing of what keys & quantities have been found in a given time frame. 
During testing of that, I found that "--end today" was not behaving as I 
expected. I really think that when you do aureport --start yesterday --end 
today, you should see events from yesterday at midnight until now.

I added an interpretation for the list in audit watch add/delete events. This 
will now print the list's name like exit, entry, user, etc.

This release also adds support for a new rule field in the 2.6.26 kernel. If 
you wanted to audit setting the execute bit via the chmod syscall, you would 
normally write a rule something like this:

-a always,exit -S chmod -F a1&0111

but the problem is that this will trigger on chmod 0755 of directories which 
is pretty common if you want the directory to be searchable. So we added a 
new option to let you specify what the object's type is, filetype. The new 
rule would look like this:

-a always,exit -S chmod -F a1&0111 -F filetype=file

filetype can be file, dir, socket, symlink, char, block, or fifo.

And the last item I wanted to comment on was the change in priority boost for 
audispd. I moved the call to nice() until after the child processes were 
started. This is because audispd should not have to fight with its children 
for time slices at the higher priority. It has an internal queue that can be 
extended by admin configurable parameters. The children are now started with 
the priority inherited from auditd.

Please let me know if you run across any problems with this release.

-Steve

^ permalink raw reply	[flat|nested] 10+ messages in thread
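The difference between the two rules in the announcement above is easiest to see by replaying them offline. The following is an added example, not code from the audit project: it emulates `-a always,exit -S chmod -F a1&0111` with and without `-F filetype=file` against constructed raw SYSCALL/PATH record pairs. It assumes x86_64 syscall numbers (chmod is 90), that the kernel logs `a1` as bare hex, and that the PATH record's `mode=` field carries the object's st_mode in octal, which is how the kernel's own filetype check classifies the object.

```python
import re
import stat

# Tokenize one raw audit record into field -> value (surrounding quotes stripped).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


# auditctl's filetype names mapped onto the st_mode type tests.
FILETYPES = (
    ("file", stat.S_ISREG), ("dir", stat.S_ISDIR), ("socket", stat.S_ISSOCK),
    ("symlink", stat.S_ISLNK), ("char", stat.S_ISCHR), ("block", stat.S_ISBLK),
    ("fifo", stat.S_ISFIFO),
)


def file_type(mode_octal):
    """Classify a PATH record's mode field (octal string such as 040755)."""
    m = int(mode_octal, 8)
    for name, test in FILETYPES:
        if test(m):
            return name
    return "unknown"


CHMOD_X86_64 = "90"  # syscall number for chmod when arch=c000003e (x86_64)


def rule_matches(syscall_rec, path_rec, filetype=None):
    """Emulate: -a always,exit -S chmod -F a1&0111 [-F filetype=<filetype>]

    a1 is chmod's mode argument; the kernel logs it as bare hex.
    """
    if syscall_rec.get("syscall") != CHMOD_X86_64:
        return False
    if int(syscall_rec["a1"], 16) & 0o111 == 0:
        return False
    if filetype is not None and file_type(path_rec["mode"]) != filetype:
        return False
    return True


def rule_hits(events, filetype=None):
    """Return the names of every object whose chmod the rule would record."""
    hits = []
    for syscall_line, path_line in events:
        s, p = parse_record(syscall_line), parse_record(path_line)
        if rule_matches(s, p, filetype):
            hits.append(p["name"])
    return hits


# Constructed sample events (not taken from the original post): one SYSCALL
# record plus its PATH record each. a1 values: 0755 = 0x1ed, 0644 = 0x1a4.
def _event(serial, a1_hex, name, mode_octal):
    return (
        f"type=SYSCALL msg=audit(1211223456.001:{serial}): arch=c000003e "
        f"syscall=90 success=yes exit=0 a0=7fff1000 a1={a1_hex} a2=0 a3=0 "
        f"items=1 ppid=1 pid=1234 auid=500 uid=0 gid=0 comm=\"chmod\" "
        f"exe=\"/bin/chmod\" key=(null)",
        f"type=PATH msg=audit(1211223456.001:{serial}): item=0 name=\"{name}\" "
        f"inode=42 dev=08:01 mode={mode_octal} ouid=0 ogid=0 rdev=00:00",
    )


SAMPLE_EVENTS = [
    _event(101, "1ed", "/srv/www", "040755"),               # chmod 0755 on a directory
    _event(102, "1ed", "/home/alice/run.sh", "0100755"),    # chmod 0755 on a regular file
    _event(103, "1a4", "/home/alice/notes.txt", "0100644"), # chmod 0644, no exec bit
    _event(104, "1ed", "/tmp/pipe", "010755"),              # chmod 0755 on a fifo
]

if __name__ == "__main__":
    print("a1&0111 only:      ", rule_hits(SAMPLE_EVENTS))
    print("plus filetype=file:", rule_hits(SAMPLE_EVENTS, "file"))
```

Without the filetype field the directory and the fifo are reported alongside the regular file; with `filetype=file` only `/home/alice/run.sh` survives. Two caveats a practitioner should keep in mind: the rule names only the `chmod` syscall, so `fchmod` and `fchmodat` are not covered unless added with further `-S` options, and the syscall number is architecture specific, so a 32-bit binary on the same box needs a separate `-F arch=b32` rule.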

* Re: audit 1.7.4 released
  2008-05-19 18:50 audit 1.7.4 released Steve Grubb
@ 2008-05-27 15:50 ` LC Bruzenak
  2008-05-27 15:59   ` Eric Paris
  2008-05-27 16:10   ` Steve Grubb
  0 siblings, 2 replies; 10+ messages in thread
From: LC Bruzenak @ 2008-05-27 15:50 UTC (permalink / raw)
  To: Steve Grubb; +Cc: Linux Audit

Steve,

I am testing 1.7.4 (with mls permissive policy):
audit-viewer-0.2-2.fc9.x86_64
audit-libs-python-1.7.4-1.fc9.x86_64
system-config-audit-0.4.7-1.fc9.x86_64
audit-1.7.4-1.fc9.x86_64
audit-libs-devel-1.7.4-1.fc9.x86_64
audit-debuginfo-1.7.3-1.fc9.x86_64
audit-libs-1.7.4-1.fc9.x86_64
audit-libs-1.7.4-1.fc9.i386

I moved all the old audit out of the way, so all records would be new,
and see this after reboot:

[root@hugo ~]# aureport -h -i --summary

Host Summary Report
===========================
total  host
===========================
223  ?
12  homeserver
8  127.0.0.1
6  0.0.0.0

The "?" entries are application audits - I am going to look, maybe they
have an error on the way we are sending those in.

The ones I don't understand are the "0.0.0.0" entries. Here is an
example of one of those:

[root@hugo ~]# ausearch -hn 0.0.0.0 -i --just-one
----
type=SOCKADDR msg=audit(05/27/2008 10:30:22.163:13193) : saddr=inet
host:0.0.0.0 serv:711 
type=SYSCALL msg=audit(05/27/2008 10:30:22.163:13193) : arch=x86_64
syscall=bind success=yes exit=0 a0=5 a1=7fff63dbb220 a2=10 a3=89ea70
items=0 ppid=1 pid=2647 auid=unset uid=root gid=root euid=root suid=root
fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4294967295
comm=rpc.rquotad exe=/usr/sbin/rpc.rquotad
subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(05/27/2008 10:30:22.163:13193) : avc:  denied
{ name_bind } for  pid=2647 comm=rpc.rquotad src=711
scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket 

Is the host "0.0.0.0" field here a bug? 
Once we aggregate these would be tough to separate. Also the localhost
ones I guess:

[root@hugo ~]# ausearch -hn 127.0.0.1 -i --just-one
----
type=SOCKADDR msg=audit(05/27/2008 10:30:22.022:13190) : saddr=inet
host:127.0.0.1 serv:750 
type=SYSCALL msg=audit(05/27/2008 10:30:22.022:13190) : arch=x86_64
syscall=sendto success=yes exit=28 a0=6 a1=7f56310606e0 a2=1c a3=0
items=0 ppid=1 pid=2189 auid=unset uid=rpc gid=root euid=rpc suid=rpc
fsuid=rpc egid=root sgid=root fsgid=root tty=(none) ses=4294967295
comm=rpcbind exe=/sbin/rpcbind
subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(05/27/2008 10:30:22.022:13190) : avc:  denied
{ recvfrom } for  pid=2189 comm=rpcbind saddr=127.0.0.1 src=111
daddr=127.0.0.1 dest=750 netif=lo
scontext=system_u:system_r:nfsd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=association 

Thx,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com


* Re: audit 1.7.4 released
  2008-05-27 15:50 ` LC Bruzenak
@ 2008-05-27 15:59   ` Eric Paris
  2008-05-27 16:09     ` LC Bruzenak
  2008-05-27 16:10   ` Steve Grubb
  1 sibling, 1 reply; 10+ messages in thread
From: Eric Paris @ 2008-05-27 15:59 UTC (permalink / raw)
  To: LC Bruzenak; +Cc: Linux Audit

On Tue, 2008-05-27 at 10:50 -0500, LC Bruzenak wrote:
> Steve,
> 
> I am testing 1.7.4 (with mls permissive policy):
> audit-viewer-0.2-2.fc9.x86_64
> audit-libs-python-1.7.4-1.fc9.x86_64
> system-config-audit-0.4.7-1.fc9.x86_64
> audit-1.7.4-1.fc9.x86_64
> audit-libs-devel-1.7.4-1.fc9.x86_64
> audit-debuginfo-1.7.3-1.fc9.x86_64
> audit-libs-1.7.4-1.fc9.x86_64
> audit-libs-1.7.4-1.fc9.i386
> 
> I moved all the old audit out of the way, so all records would be new,
> and see this after reboot:
> 
> [root@hugo ~]# aureport -h -i --summary
> 
> Host Summary Report
> ===========================
> total  host
> ===========================
> 223  ?
> 12  homeserver
> 8  127.0.0.1
> 6  0.0.0.0
> 
> The "?" entries are application audits - I am going to look, maybe they
> have an error on the way we are sending those in.
> 
> The ones I don't understand are the "0.0.0.0" entries. Here is an
> example of one of those:
> 
> [root@hugo ~]# ausearch -hn 0.0.0.0 -i --just-one
> ----
> type=SOCKADDR msg=audit(05/27/2008 10:30:22.163:13193) : saddr=inet
> host:0.0.0.0 serv:711 
> type=SYSCALL msg=audit(05/27/2008 10:30:22.163:13193) : arch=x86_64
> syscall=bind success=yes exit=0 a0=5 a1=7fff63dbb220 a2=10 a3=89ea70
> items=0 ppid=1 pid=2647 auid=unset uid=root gid=root euid=root suid=root
> fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4294967295
> comm=rpc.rquotad exe=/usr/sbin/rpc.rquotad
> subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) 
> type=AVC msg=audit(05/27/2008 10:30:22.163:13193) : avc:  denied
> { name_bind } for  pid=2647 comm=rpc.rquotad src=711
> scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket 
> 
> Is the host "0.0.0.0" field here a bug?

Isn't this telling us that they are calling bind on any interface, not a
specific address?

the const struct sockaddr *addr part of the bind(2) call is INADDR_ANY
or whatever the semantics are...

-Eric


* Re: audit 1.7.4 released
  2008-05-27 15:59   ` Eric Paris
@ 2008-05-27 16:09     ` LC Bruzenak
  0 siblings, 0 replies; 10+ messages in thread
From: LC Bruzenak @ 2008-05-27 16:09 UTC (permalink / raw)
  To: Eric Paris; +Cc: Linux Audit


On Tue, 2008-05-27 at 11:59 -0400, Eric Paris wrote:
...
> > ----
> > type=SOCKADDR msg=audit(05/27/2008 10:30:22.163:13193) : saddr=inet
> > host:0.0.0.0 serv:711 
> > type=SYSCALL msg=audit(05/27/2008 10:30:22.163:13193) : arch=x86_64
> > syscall=bind success=yes exit=0 a0=5 a1=7fff63dbb220 a2=10 a3=89ea70
> > items=0 ppid=1 pid=2647 auid=unset uid=root gid=root euid=root suid=root
> > fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4294967295
> > comm=rpc.rquotad exe=/usr/sbin/rpc.rquotad
> > subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) 
> > type=AVC msg=audit(05/27/2008 10:30:22.163:13193) : avc:  denied
> > { name_bind } for  pid=2647 comm=rpc.rquotad src=711
> > scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> > tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket 
> > 
> > Is the host "0.0.0.0" field here a bug?
> 
> Isn't this telling us that they are calling bind on any interface, not a
> specific address?
> 
> the const struct sockaddr *addr part of the bind(2) call is INADDR_ANY
> or whatever the semantics are...
> 
> -Eric
> 

I understand; thanks.
Semantically this is probably the intended use of the "host" field.

When audit data is examined on one host this isn't a problem. But when
aggregated with other host audit data, this record as standalone is
indistinguishable from a similar one on a different host ... unless I'm
missing something in the above record.

Or if we separate the aggregated data by filename/whatever which the
search tools can use to differentiate audit hosts.

Thx,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com


* Re: audit 1.7.4 released
  2008-05-27 15:50 ` LC Bruzenak
  2008-05-27 15:59   ` Eric Paris
@ 2008-05-27 16:10   ` Steve Grubb
  2008-05-27 16:16     ` LC Bruzenak
  1 sibling, 1 reply; 10+ messages in thread
From: Steve Grubb @ 2008-05-27 16:10 UTC (permalink / raw)
  To: LC Bruzenak; +Cc: Linux Audit

On Tuesday 27 May 2008 11:50:31 LC Bruzenak wrote:
> Is the host "0.0.0.0" field here a bug?

No, Eric's explanation sounds right.

> Once we aggregate these would be tough to separate.

That is why we added the node field. :)  You should probably enable it with 
the name_format option.

-Steve


* Re: audit 1.7.4 released
  2008-05-27 16:10   ` Steve Grubb
@ 2008-05-27 16:16     ` LC Bruzenak
  2008-05-27 16:25       ` Steve Grubb
  2008-05-27 16:57       ` Klaus Heinrich Kiwi
  0 siblings, 2 replies; 10+ messages in thread
From: LC Bruzenak @ 2008-05-27 16:16 UTC (permalink / raw)
  To: Steve Grubb; +Cc: Linux Audit

On Tue, 2008-05-27 at 12:10 -0400, Steve Grubb wrote:
...
> > Once we aggregate these would be tough to separate.
> 
> That is why we added the node field. :)  You should probably enable it with 
> the name_format option.

I think I do have it:

[root@hugo audit]# grep name_format /etc/audit/auditd.conf
name_format = hostname

LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com


* Re: audit 1.7.4 released
  2008-05-27 16:16     ` LC Bruzenak
@ 2008-05-27 16:25       ` Steve Grubb
  2008-05-27 17:20         ` LC Bruzenak
  2008-05-27 16:57       ` Klaus Heinrich Kiwi
  1 sibling, 1 reply; 10+ messages in thread
From: Steve Grubb @ 2008-05-27 16:25 UTC (permalink / raw)
  To: LC Bruzenak; +Cc: Linux Audit

On Tuesday 27 May 2008 12:16:18 LC Bruzenak wrote:
> > That is why we added the node field. :)  You should probably enable it
> > with the name_format option.
>
> I think I do have it:
>
> [root@hugo audit]# grep name_format /etc/audit/auditd.conf
> name_format = hostname

You may also need to make the same change in 
/etc/audisp/audispd.conf.

-Steve


* Re: audit 1.7.4 released
  2008-05-27 16:16     ` LC Bruzenak
  2008-05-27 16:25       ` Steve Grubb
@ 2008-05-27 16:57       ` Klaus Heinrich Kiwi
  2008-05-27 17:15         ` Steve Grubb
  1 sibling, 1 reply; 10+ messages in thread
From: Klaus Heinrich Kiwi @ 2008-05-27 16:57 UTC (permalink / raw)
  To: LC Bruzenak; +Cc: Linux Audit

On Tue, 2008-05-27 at 11:16 -0500, LC Bruzenak wrote:
> On Tue, 2008-05-27 at 12:10 -0400, Steve Grubb wrote:
> ...
> > > Once we aggregate these would be tough to separate.
> > 
> > That is why we added the node field. :)  You should probably enable it with 
> > the name_format option.
> 
> I think I do have it:
> 
> [root@hugo audit]# grep name_format /etc/audit/auditd.conf
> name_format = hostname

Isn't it the audit dispatcher's role to add the node name to the record?
If so, only records going through audispd would have this field.

 -K

-- 
Klaus Heinrich Kiwi
Security Development - IBM Linux Technology Center


* Re: audit 1.7.4 released
  2008-05-27 16:57       ` Klaus Heinrich Kiwi
@ 2008-05-27 17:15         ` Steve Grubb
  0 siblings, 0 replies; 10+ messages in thread
From: Steve Grubb @ 2008-05-27 17:15 UTC (permalink / raw)
  To: Klaus Heinrich Kiwi; +Cc: Linux Audit

On Tuesday 27 May 2008 12:57:28 Klaus Heinrich Kiwi wrote:
> On Tue, 2008-05-27 at 11:16 -0500, LC Bruzenak wrote:
> > On Tue, 2008-05-27 at 12:10 -0400, Steve Grubb wrote:
> > ...
> >
> > > > Once we aggregate these would be tough to separate.
> > >
> > > That is why we added the node field. :)  You should probably enable it
> > > with the name_format option.
> >
> > I think I do have it:
> >
> > [root@hugo audit]# grep name_format /etc/audit/auditd.conf
> > name_format = hostname
>
> Isn't it the audit dispatcher's role to add the node name to the record?
> If so, only records going through audispd would have this field.

People may want the node name on disk as well as associated with events in the 
real time stream. So, there are separate enablers.

-Steve


* Re: audit 1.7.4 released
  2008-05-27 16:25       ` Steve Grubb
@ 2008-05-27 17:20         ` LC Bruzenak
  0 siblings, 0 replies; 10+ messages in thread
From: LC Bruzenak @ 2008-05-27 17:20 UTC (permalink / raw)
  To: Steve Grubb; +Cc: Linux Audit

On Tue, 2008-05-27 at 12:25 -0400, Steve Grubb wrote:
> On Tuesday 27 May 2008 12:16:18 LC Bruzenak wrote:
> > > That is why we added the node field. :)  You should probably enable it
> > > with the name_format option.
> >
> > I think I do have it:
> >
> > [root@hugo audit]# grep name_format /etc/audit/auditd.conf
> > name_format = hostname
> 
> You may also need to make the same change in 
> /etc/audisp/audispd.conf.
> 
> -Steve

I thought this would solve it since for some reason I had "HOSTNAME"
vice "hostname". I thought I had copied your instructions in the HOWTO,
but when I checked, it is lower case. I rotated the logs, removed the
old one, restarted audit, rebooted and still see nothing unique:

[root@hugo ~]# grep name_format /etc/audi*/*.conf
/etc/audisp/audispd.conf:name_format = hostname
/etc/audit/auditd.conf:name_format = hostname

[root@hugo ~]# ausearch -hn 0.0.0.0 -i --just-one
----
type=SOCKADDR msg=audit(05/27/2008 12:05:12.483:1299) : saddr=inet
host:0.0.0.0 serv:708 
type=SYSCALL msg=audit(05/27/2008 12:05:12.483:1299) : arch=x86_64
syscall=bind success=no exit=-98(Address already in use) a0=5
a1=7fff0d16b6c0 a2=10 a3=89ea70 items=0 ppid=1 pid=2645 auid=unset
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root tty=(none) ses=4294967295 comm=rpc.rquotad
exe=/usr/sbin/rpc.rquotad
subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(05/27/2008 12:05:12.483:1299) : avc:  denied
{ name_bind } for  pid=2645 comm=rpc.rquotad src=708
scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket 

[root@hugo ~]# ausearch -hn 127.0.0.1 -i --just-one
----
type=SOCKADDR msg=audit(05/27/2008 12:05:12.359:1296) : saddr=inet
host:127.0.0.1 serv:748 
type=SYSCALL msg=audit(05/27/2008 12:05:12.359:1296) : arch=x86_64
syscall=sendto success=yes exit=28 a0=6 a1=7f16f44936e0 a2=1c a3=0
items=0 ppid=1 pid=2187 auid=unset uid=rpc gid=root euid=rpc suid=rpc
fsuid=rpc egid=root sgid=root fsgid=root tty=(none) ses=4294967295
comm=rpcbind exe=/sbin/rpcbind
subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(05/27/2008 12:05:12.359:1296) : avc:  denied
{ recvfrom } for  pid=2187 comm=rpcbind saddr=127.0.0.1 src=111
daddr=127.0.0.1 dest=748 netif=lo
scontext=system_u:system_r:nfsd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=association 

[root@hugo ~]# ausearch -hn 127.0.0.1 -i --just-one | grep host
type=SOCKADDR msg=audit(05/27/2008 12:05:12.359:1296) : saddr=inet
host:127.0.0.1 serv:748 
[root@hugo ~]# ausearch -hn 0.0.0.0 -i --just-one | grep host
type=SOCKADDR msg=audit(05/27/2008 12:05:12.483:1299) : saddr=inet
host:0.0.0.0 serv:708 

Appreciate the help; got more?
:)

Thx,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com

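The thread above turns on two different things that both get called "host": the address inside a SOCKADDR record (which is legitimately 0.0.0.0 for a bind to INADDR_ANY) and the node that generated the record, which only appears when `name_format` is enabled. The following is an added example, not code from the audit project or from any of the participants: it decodes the raw `saddr=` blob the way `ausearch -i` renders it as `inet host:... serv:...` and then produces a node-aware version of the `aureport -h --summary` count. It assumes the on-disk format auditd uses with `name_format = hostname`, namely a `node=<name> ` prefix on each record, and that records from a machine logging without it carry no node field at all. The sample log lines are constructed.

```python
import re
import socket
import struct
from collections import Counter

# Tokenize one raw audit record into field -> value (surrounding quotes stripped).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


AF_INET, AF_INET6 = 2, 10  # Linux address family numbers


def decode_saddr(saddr_hex):
    """Decode a SOCKADDR record's saddr= field (hex dump of a struct sockaddr).

    Returns (family, host, port); for AF_INET this is what ausearch -i shows
    as "inet host:0.0.0.0 serv:711".
    """
    b = bytes.fromhex(saddr_hex)
    family = struct.unpack("<H", b[:2])[0]        # sa_family: host byte order (x86)
    if family == AF_INET and len(b) >= 8:
        port = struct.unpack(">H", b[2:4])[0]     # sin_port: network byte order
        return "inet", socket.inet_ntoa(b[4:8]), port
    if family == AF_INET6 and len(b) >= 24:
        port = struct.unpack(">H", b[2:4])[0]
        return "inet6", socket.inet_ntop(socket.AF_INET6, b[8:24]), port
    return "other", None, None


def host_summary(records):
    """Count SOCKADDR records by (node, host): a node-aware aureport -h.

    Records written without name_format carry no node= field and land under
    "?", which is exactly the attribution problem once logs are aggregated.
    """
    counts = Counter()
    for line in records:
        rec = parse_record(line)
        if rec.get("type") != "SOCKADDR":
            continue
        _, host, _ = decode_saddr(rec["saddr"])
        counts[(rec.get("node", "?"), host)] += 1
    return counts


# Constructed sample records (not from the original post). 0x02C7 = port 711,
# 0x02EE = port 750, 7F000001 = 127.0.0.1; the trailing zeros are sin_zero.
SAMPLE_LOG = [
    # two machines with name_format = hostname: same bind() to 0.0.0.0:711,
    # but each record is attributable to its origin
    "node=hugo type=SOCKADDR msg=audit(1211913022.163:13193): "
    "saddr=020002C7000000000000000000000000",
    "node=hugo type=SYSCALL msg=audit(1211913022.163:13193): arch=c000003e "
    "syscall=49 success=yes exit=0 a0=5 a1=7fff63dbb220 a2=10 a3=89ea70 "
    "items=0 ppid=1 pid=2647 auid=4294967295 uid=0 gid=0 "
    "comm=\"rpc.rquotad\" exe=\"/usr/sbin/rpc.rquotad\" key=(null)",
    "node=rhea type=SOCKADDR msg=audit(1211913100.500:2210): "
    "saddr=020002C7000000000000000000000000",
    "node=hugo type=SOCKADDR msg=audit(1211913022.022:13190): "
    "saddr=020002EE7F0000010000000000000000",
    # a third machine logging without name_format: no node field at all
    "type=SOCKADDR msg=audit(1211913150.000:77): "
    "saddr=020002C7000000000000000000000000",
]

if __name__ == "__main__":
    for (node, host), n in sorted(host_summary(SAMPLE_LOG).items()):
        print(f"{n:5d}  {node:<8} {host}")
```

The point of keying on `(node, host)` is that the SOCKADDR host is a property of the syscall, not of the machine, so it can never serve as the aggregation key; only the node prefix can. As Steve notes in the thread, `name_format` in `/etc/audit/auditd.conf` governs what auditd writes to disk, while the same setting in `/etc/audisp/audispd.conf` governs the real-time stream handed to dispatcher plugins, so a site that aggregates both paths has to set it in both places.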
