* creating and inserting audits
From: Nestler, Roger - IS @ 2010-09-07 20:38 UTC
To: linux-audit@redhat.com

Using syslog it seems straightforward to insert a new message, 'syslog(LOG_NOTICE, "Hello This is just a notice")' for instance.

Does this capability exist already in Linux audit and I'm just not seeing it?

Is it a bad idea to build and then insert a custom audit/message, or any standard audit, into the audit.log file? If so, are there any problems to look out for, e.g. event id/sequence number collisions, auparse or ausearch problems, formatting issues to adhere to?

Thanks

________________________________
This e-mail and any files transmitted with it may be proprietary and are intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the sender. Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of ITT Corporation. The recipient should check this e-mail and any attachments for the presence of viruses. ITT accepts no liability for any damage caused by any virus transmitted by this e-mail.
* Re: creating and inserting audits
From: Steve Grubb @ 2010-09-07 21:00 UTC
To: linux-audit

On Tuesday, September 07, 2010 04:38:29 pm Nestler, Roger - IS wrote:
> Using syslog it seems straightforward to insert a new message, 'syslog
> (LOG_NOTICE, "Hello This is just a notice")' for instance.
>
> Does this capability exist already in linux audit and I'm just not seeing
> it?

The Linux audit system is protected by virtue of apps needing CAP_AUDIT_WRITE in order to send an event. Assuming that your app has this, you will want to use one of the functions here:

https://fedorahosted.org/audit/browser/trunk/lib/libaudit.h#L375

> Is it a bad idea to build and then to insert a custom audit/message, or any
> standard audit, into the audit.log file?

Yes. Do not do it. It has to be sent to the kernel for timestamping and correlation. Not to mention the kernel will collect a few things about the sender to be put in the audit trail.

> If so are there any problems to look out for, e.g. event id/sequence number
> collisions, auparse or ausearch problems, formatting issues to adhere
> to?

You must send to the kernel. Aside from that, events must have a type. If you do not see a type that matches what you are doing, then use the AUDIT_TRUSTED_APP type, which you may do (nearly) anything with. The audit system wants name=value fields. You should use the same field name as an existing one any time you find one. If you are not using AUDIT_TRUSTED_APP, then you must fill in the same fields in the same order as the original source does. The value part may not have a space or certain control characters in it. If it does, you must encode the contents of the value with the audit_encode_value() function.

-Steve
* Re: creating and inserting audits
From: LC Bruzenak @ 2010-09-07 21:02 UTC
To: Nestler, Roger - IS; +Cc: linux-audit@redhat.com

On Tue, 2010-09-07 at 16:38 -0400, Nestler, Roger - IS wrote:
> Does this capability exist already in linux audit and I'm just not
> seeing it?

man audit_log_user_message

> Is it a bad idea to build and then to insert a custom audit/message,
> or any standard audit, into the audit.log file?

Nope.

> If so are there any problems to look out for, e.g. event id/sequence
> number collisions, auparse or ausearch problems, formatting issues to
> adhere to?

The text in the audit_log_user_message is not really freeform-safe, and it is practically limited to somewhere around 900+ bytes (from a kernel setting, unless it has been updated since). The parser will throw away some of your records if the text matches what it is looking for elsewhere. Maybe Steve can point out the specs. For example, I had this one:

> > # ausearch -ts this-week -a 22476
> > <no matches>
> >
> > in the raw log:
> > node=slim type=USER msg=audit(1244730722.536:22476): user pid=16700
> > uid=0 auid=500 ses=1 subj=user_u:user_r:user_t:s0 msg='node=jim
> > type=PATH msg=audit(06/08/2009 13:33:50.101:19267) : item=4
> > name=/var/lib/ntp/drift inode=115581 dev=fd:00 mode=file,644 ouid=ntp
> > ogid=ntp rdev=00:00 obj=system_u:object_r:ntp_drift_t:s0 :
> > exe="/usr/local/sbin/auditctl" (hostname=?, addr=?, terminal=pts/13
> > res=success)'
> >
> > Any clues?
>
> When ausearch finds a malformed record, it discards it as a safety measure.
>
> -Steve

LCB.

--
LC (Lenny) Bruzenak
lenny@magitekltd.com

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
* Re: creating and inserting audits
From: Steve Grubb @ 2010-09-07 21:17 UTC
To: linux-audit

On Tuesday, September 07, 2010 05:02:21 pm LC Bruzenak wrote:
> > Is it a bad idea to build and then to insert a custom audit/message,
> > or any standard audit, into the audit.log file?
>
> Nope.

To make sure we don't give conflicting advice, I was thinking he meant writing directly to the file (which you should not do). Events must be sent to the kernel. But you are free to make your own audit events as long as you mimic the existing events.

-Steve
* RE: creating and inserting audits
From: Nestler, Roger - IS @ 2010-09-08 13:48 UTC
To: Steve Grubb, linux-audit@redhat.com

Thanks,

The below sequence of functions seems to do the trick...

    #include <libaudit.h>

    int audit_fd = audit_open();
    audit_log_user_message(audit_fd, AUDIT_USER, "MY Message", NULL, NULL, NULL, 1);
    audit_close(audit_fd);

Also the executable that I created, then copied to a root area and then ran as root, seemed to have the CAP_AUDIT_WRITE permission by default... how did my app get that permission, is it just because it's a root app... I didn't explicitly assign it to the app, did I?

Just out of curiosity, if I wanted to add a new type, say 'MY_CUSTOM_AUDIT', that would appear as say 'type=HELLOWORLD' in the audit file. Is that possible with a config file or function call?... It looks as if I'd have to modify stuff in maybe libaudit.h and msg_typetab.h, recompile, etc... in order to add a custom type?

Thanks
Roger
* Re: creating and inserting audits
From: Steve Grubb @ 2010-09-08 14:25 UTC
To: Nestler, Roger - IS; +Cc: linux-audit@redhat.com

On Wednesday, September 08, 2010 09:48:44 am Nestler, Roger - IS wrote:
> The below sequence of functions seems to do the trick...
>
> int audit_fd = audit_open();
> audit_log_user_message(audit_fd, AUDIT_USER, "MY Message", NULL, NULL, NULL,
> 1); audit_close(audit_fd);

Yes. There are a couple other log functions that may be better suited depending on your needs. If you want the program name to show up, use audit_log_user_comm_message(). Also, please note this:

#define AUDIT_USER 1005 /* Message from userspace -- deprecated */

That type is deprecated, please do not use it.

> Also the executable that I created, then copied to a root area and then ran
> as root, seemed to have the CAP_AUDIT_WRITE permission by default... how
> did my app get that permission, is it just because it's a root app... I
> didn't explicitly assign it to the app, did I?

If your app runs as root, it inherits that capability by virtue of being under the root account. If your app ran as a normal user, then you would have a problem because normal users do not have CAP_AUDIT_WRITE. You would either have to make your app setuid or have a helper that is to do the logging. If you have a helper, then you have to worry if it can be abused to flood the log. If you don't go this route, you have to ask if a normal user can do anything that is security critical in the first place.

> Just out of curiosity if I wanted to add a new type, say 'MY_CUSTOM_AUDIT'
> that would appear as say 'type=HELLOWORLD' in the audit file. Is that
> possible with a config file or function call?...

No. We create types as they are needed for other projects. We have patched everything that needs auditing to create audit events. We also created the generic AUDIT_TRUSTED_APP type for private use. You can do anything with that type you want. If you have types that you think other projects might need, let me know and I'll see how we can fit them in.

> It looks as if I'd have to modify stuff in maybe libaudit.h and
> msg_typetab.h, recompile.. etc...in order to add a custom type?

And update aureport/ausearch and libauparse perhaps.

-Steve
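Steve's two replies above spell out the rules for a private event (send it to the kernel, use AUDIT_TRUSTED_APP, name=value fields, hex-encode any value with spaces or control characters, prefer audit_log_user_comm_message() over the deprecated AUDIT_USER path), and LC's example shows what happens when raw text that looks like another record ends up inside msg='...'. The program below is an added example, not code from this thread or from audit-userspace, that puts those rules together. The libaudit calls it uses (audit_open(), audit_log_user_comm_message(), audit_close(), AUDIT_TRUSTED_APP) are real, but they sit behind an assumed HAVE_LIBAUDIT macro so the formatting part compiles and runs on a box without libaudit; the value-encoding rule is reimplemented here following what libaudit's audit_value_needs_encoding() and audit_encode_value() do, and the field names (op, acct, detail, res) and the sample values are constructed for the example.

```c
/*
 * Added example, not code from this thread or from audit-userspace.
 * Builds a name=value message the way libaudit expects and sends it
 * to the kernel as an AUDIT_TRUSTED_APP event.
 *
 * The encoding rule is reimplemented here so the formatting part runs
 * without libaudit; it follows libaudit's audit_value_needs_encoding()
 * and audit_encode_value(). Build with -DHAVE_LIBAUDIT -laudit
 * (HAVE_LIBAUDIT is this example's own macro) to actually send; that
 * path needs CAP_AUDIT_WRITE, which a process running as root has.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef HAVE_LIBAUDIT
#include <libaudit.h>  /* audit_open, audit_log_user_comm_message, AUDIT_TRUSTED_APP */
#endif

/* A value is untrusted, and must be hex encoded, if it contains a
 * double quote, a space or any other byte below 0x21, DEL, or a
 * non-ASCII byte. libaudit catches bytes >= 0x80 through the same
 * test because char is signed there; here it is made explicit. */
static int value_needs_encoding(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '"' || c < 0x21 || c >= 0x7F)
            return 1;
    }
    return 0;
}

/* Returns a malloc'd "name=value" field. A clean value is double
 * quoted; anything else becomes uppercase hex of its raw bytes, which
 * is what `ausearch -i` and auparse decode back to text. Hex encoding
 * is what keeps a value like LC's nested "type=PATH msg=audit(...)"
 * from being parsed as a record of its own. Caller frees the result. */
char *encode_nv(const char *name, const char *value)
{
    size_t nlen = strlen(name), vlen = strlen(value);
    char *out;

    if (!value_needs_encoding(value, vlen)) {
        out = malloc(nlen + vlen + 4);                 /* name="value"\0 */
        if (out)
            snprintf(out, nlen + vlen + 4, "%s=\"%s\"", name, value);
        return out;
    }
    static const char hex[] = "0123456789ABCDEF";
    out = malloc(nlen + 1 + 2 * vlen + 1);             /* name=HEX...\0 */
    if (!out)
        return NULL;
    memcpy(out, name, nlen);
    out[nlen] = '=';
    char *p = out + nlen + 1;
    for (size_t i = 0; i < vlen; i++) {
        unsigned char c = (unsigned char)value[i];
        *p++ = hex[c >> 4];
        *p++ = hex[c & 0x0F];
    }
    *p = '\0';
    return out;
}

static void free_fields(char **f, size_t n)
{
    for (size_t i = 0; i < n; i++)
        free(f[i]);
    free(f);
}

/* Joins n fields into one space separated message, the layout the
 * existing user-space records use. Keep it short: LC's reply above
 * cites a practical limit of around 900 bytes for one record. */
char *build_msg(const char *const names[], const char *const values[], size_t n)
{
    size_t total = 1;
    char **fields = calloc(n ? n : 1, sizeof *fields);
    if (!fields)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        fields[i] = encode_nv(names[i], values[i]);
        if (!fields[i]) {
            free_fields(fields, n);
            return NULL;
        }
        total += strlen(fields[i]) + 1;
    }
    char *msg = malloc(total);
    if (!msg) {
        free_fields(fields, n);
        return NULL;
    }
    msg[0] = '\0';
    char *p = msg;
    for (size_t i = 0; i < n; i++) {
        size_t l = strlen(fields[i]);
        memcpy(p, fields[i], l);
        p += l;
        *p++ = ' ';
    }
    if (n)
        p[-1] = '\0';                                  /* drop trailing space */
    free_fields(fields, n);
    return msg;
}

/* Sends msg as one TRUSTED_APP event. The kernel adds the timestamp
 * and serial plus pid/uid/auid/ses/subj of the sender, which is why
 * writing to audit.log directly is not an option. Returns libaudit's
 * result (> 0 on success) or -1 when built without libaudit. */
int log_trusted_app(const char *msg)
{
#ifdef HAVE_LIBAUDIT
    int fd = audit_open();                             /* needs CAP_AUDIT_WRITE */
    if (fd < 0)
        return -1;
    int rc = audit_log_user_comm_message(fd, AUDIT_TRUSTED_APP, msg,
                                         NULL, NULL, NULL, NULL, 1);
    audit_close(fd);
    return rc;
#else
    (void)msg;
    return -1;
#endif
}

int main(void)
{
    /* constructed sample fields for the example */
    const char *const names[]  = { "op", "acct", "detail", "res" };
    const char *const values[] = { "config-change", "roger", "MY Message", "success" };
    char *msg = build_msg(names, values, 4);
    if (!msg)
        return 1;
    printf("%s\n", msg);
    if (log_trusted_app(msg) <= 0)
        fprintf(stderr, "not sent (built without libaudit, or no CAP_AUDIT_WRITE)\n");
    free(msg);
    return 0;
}
```

Run as root after building with -DHAVE_LIBAUDIT -laudit and the event shows up under `ausearch -m TRUSTED_APP -i`, with the hex-encoded detail field decoded back to "MY Message"; run without the macro it only prints the formatted message. The same encode_nv() applied to LC's nested record text turns the whole "node=jim type=PATH msg=audit(...)" string into a single hex token, so the parser never sees a second msg=audit( inside the record.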
* RE: creating and inserting audits
From: Nestler, Roger - IS @ 2010-09-08 14:56 UTC
To: Steve Grubb; +Cc: linux-audit@redhat.com

Ok sounds good.. thanks for pointing out the deprecated type... I think I grabbed that from auditctrl.c (v1.7.17...).

Ok, so if we ever wanted to add some new types that would be unique/specific to our app we would submit a request to you/redhat... and then in a future version of audit we'd possibly see our new types?

Thanks for all the help,
Roger
* Re: creating and inserting audits
From: Steve Grubb @ 2010-09-08 20:34 UTC
To: Nestler, Roger - IS; +Cc: linux-audit@redhat.com

On Wednesday, September 08, 2010 10:56:50 am Nestler, Roger - IS wrote:
> Ok, so if we ever wanted to add some new types that would be
> unique/specific to our app we would submit a request to you/redhat... and
> then in a future version of audit we'd possibly see our new types?

Well, if it's unique to your app and you don't think anyone else will use it, then there is the TRUSTED_APP type. If you think it's something that would be used in other applications, then send it to this mail list. Currently I'm adding event types for service start/stop, virtualization, and crypto. There should be a release soon to get those out where apps can use them.

-Steve