* [PATCH V4] audit: add feature audit_lost reset
@ 2017-01-13 8:26 Richard Guy Briggs
2017-01-13 15:48 ` Steve Grubb
2017-01-18 20:00 ` Paul Moore
0 siblings, 2 replies; 8+ messages in thread
From: Richard Guy Briggs @ 2017-01-13 8:26 UTC (permalink / raw)
To: linux-audit; +Cc: Richard Guy Briggs
Add a method to reset the audit_lost value.
An AUDIT_SET message with the AUDIT_STATUS_LOST flag set by itself
will return a positive value representing the current audit_lost value
and reset the counter to zero. If AUDIT_STATUS_LOST is not the
only flag set, the reset command will be ignored. The value sent with
the command is ignored. The return value will be the +ve lost value at
reset time.
An AUDIT_CONFIG_CHANGE message will be queued to the listening audit
daemon. The message will be a standard CONFIG_CHANGE message with the
fields "lost=0" and "old=" with the latter containing the value of
audit_lost at reset time.
See: https://github.com/linux-audit/audit-kernel/issues/3
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
There is a merge conflict anticipated with the exclude filter
FEATURE_BITMAP patch (ghak5)
v2:
Switch from AUDIT_GET to AUDIT_SET
Remove AUDIT_FEATURE and AUDIT_FEATURE_BITMAP
Return +ve lost value, reply AUDIT_LOST_RESET msg to sender
v3:
Switch, from reply to sender, to queue to audit log
v4:
Switch from LOST_RESET to CONFIG_CHANGE log msg
Re-add AUDIT_FEATURE_BITMASK
---
---
include/uapi/linux/audit.h | 6 +++++-
kernel/audit.c | 8 +++++++-
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index c8dc97b..3f24110 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -326,15 +326,19 @@ enum {
#define AUDIT_STATUS_RATE_LIMIT 0x0008
#define AUDIT_STATUS_BACKLOG_LIMIT 0x0010
#define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
+#define AUDIT_STATUS_LOST 0x0040
#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
+#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
+
#define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH | \
- AUDIT_FEATURE_BITMAP_SESSIONID_FILTER)
+ AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
+ AUDIT_FEATURE_BITMAP_LOST_RESET)
/* deprecated: AUDIT_VERSION_* */
#define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
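Review bot: the new AUDIT_STATUS_LOST bit behaves unlike every other status bit and the header does not say so. The value field is ignored and the kernel only acts when this is the sole bit in s.mask, so a one-line comment beside `+#define AUDIT_STATUS_LOST 0x0040` (mask-only; value ignored; no-op when combined with other AUDIT_STATUS_* bits) would spare userspace authors a trip to the commit log. Separately, the feature bit lands at 0x00000020 while 0x00000008 stays unassigned between EXECUTABLE_PATH and SESSIONID_FILTER; if that gap is being held for the ghak5 exclude-filter feature bit the cover note anticipates a conflict with, say so in the changelog so a later rebase does not "tidy" it.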
diff --git a/kernel/audit.c b/kernel/audit.c
index 57acf25..25dd70a 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -121,7 +121,7 @@ u32 audit_sig_sid = 0;
3) suppressed due to audit_rate_limit
4) suppressed due to audit_backlog_limit
*/
-static atomic_t audit_lost = ATOMIC_INIT(0);
+static atomic_t audit_lost = ATOMIC_INIT(0);
/* The netlink socket. */
static struct sock *audit_sock;
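Review bot: the `-static atomic_t audit_lost = ATOMIC_INIT(0);` / `+static atomic_t audit_lost = ATOMIC_INIT(0);` pair is identical apart from whitespace, so this hunk is an unrelated cleanup; either drop it from the patch or mention it in the commit message, since as it stands one of the diffstat's two deletions is not explained by the description.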
@@ -1052,6 +1052,12 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
if (err < 0)
return err;
}
+ if (s.mask == AUDIT_STATUS_LOST) {
+ u32 lost = atomic_xchg(&audit_lost, 0);
+
+ audit_log_config_change("lost", 0, lost, 1);
+ return lost;
+ }
break;
}
case AUDIT_GET_FEATURE:
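Review bot: `return lost;` pushes a u32 through audit_receive_msg's int return, on a path where every other exit is 0 or a negative errno (see the `if (err < 0) return err;` context just above), so the count reaches userspace as the positive value of the netlink ack; a counter past INT_MAX turns negative and reads as a failure, and a count of zero is indistinguishable from an ordinary successful AUDIT_SET, including one sent to a kernel that lacks this feature. Both deserve a comment here and a sentence in the commit message naming the delivery channel. The `s.mask == AUDIT_STATUS_LOST` test also means a mask that combines the lost bit with any other flag silently skips the reset and reports success rather than -EINVAL; if that is intended, as the description says, a comment saying so stops the next reader from "fixing" it.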
--
1.7.1
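How a client would actually drive the reset described in the commit message, as an added example that is not code from the patch, from the audit userspace tools, or from anyone in this thread: it reads the feature bitmap from an AUDIT_GET reply to confirm AUDIT_FEATURE_BITMAP_LOST_RESET is advertised, then sends an AUDIT_SET whose mask is exactly AUDIT_STATUS_LOST and takes the old counter from the netlink ack. The struct and function names are this example's own; the two fallback #defines copy their values from the patch; and the example assumes the kernel delivers audit_receive_msg's positive return value as the ack's error field, which is how netlink acks carry a non-zero result. Running main() for real needs CAP_AUDIT_CONTROL and a kernel carrying this patch; the builder and parsers run anywhere.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>

/* Values from the patch, for headers that predate it. */
#ifndef AUDIT_STATUS_LOST
#define AUDIT_STATUS_LOST 0x0040
#endif
#ifndef AUDIT_FEATURE_BITMAP_LOST_RESET
#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
#endif

struct audit_req { struct nlmsghdr nlh; struct audit_status s; };

/* AUDIT_GET takes mask 0. The reset is AUDIT_SET with mask == AUDIT_STATUS_LOST
 * and nothing else: the kernel ignores the value field and skips the reset when
 * any other mask bit is present. NLM_F_ACK makes it answer even for a zero count. */
void build_audit_req(struct audit_req *req, uint16_t type, uint32_t mask, uint32_t seq)
{
	memset(req, 0, sizeof(*req));
	req->nlh.nlmsg_len = NLMSG_LENGTH(sizeof(req->s));
	req->nlh.nlmsg_type = type;
	req->nlh.nlmsg_flags = NLM_F_REQUEST | (type == AUDIT_SET ? NLM_F_ACK : 0);
	req->nlh.nlmsg_seq = seq;
	req->s.mask = mask;
}

/* A kernel without the feature ignores the lost mask and acks with 0, which looks
 * exactly like "reset done, nothing lost"; only the feature bitmap tells them apart. */
int lost_reset_supported(const void *buf, size_t len)
{
	const struct nlmsghdr *nlh = buf;
	const struct audit_status *st = len >= sizeof(*nlh) ? NLMSG_DATA(nlh) : NULL;

	if (!st || nlh->nlmsg_len > len || nlh->nlmsg_type != AUDIT_GET ||
	    nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*st)))
		return 0;
	return (st->feature_bitmap & AUDIT_FEATURE_BITMAP_LOST_RESET) != 0;
}

/* The ack's error field is the counter value at reset time when >= 0 and
 * -errno when < 0 (EPERM without CAP_AUDIT_CONTROL). Returns 0 and stores
 * the count, or -1 with errno set. */
int parse_lost_reset_reply(const void *buf, size_t len, uint32_t seq, uint32_t *lost)
{
	const struct nlmsghdr *nlh = buf;
	const struct nlmsgerr *err;

	if (len < sizeof(*nlh) || nlh->nlmsg_len > len ||
	    nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*err)) ||
	    nlh->nlmsg_type != NLMSG_ERROR || nlh->nlmsg_seq != seq) {
		errno = EPROTO;
		return -1;
	}
	err = NLMSG_DATA(nlh);
	if (err->error < 0) {
		errno = -err->error;
		return -1;
	}
	*lost = (uint32_t)err->error;
	return 0;
}

/* Send one request to the kernel and read one reply. */
static ssize_t audit_xfer(int fd, const struct audit_req *req, void *buf, size_t len)
{
	struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };

	if (sendto(fd, req, req->nlh.nlmsg_len, 0, (struct sockaddr *)&kernel,
		   sizeof(kernel)) < 0)
		return -1;
	return recv(fd, buf, len, 0);
}

int main(void)
{
	struct audit_req req;
	unsigned char buf[8192];
	uint32_t lost = 0;
	ssize_t n;
	int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);

	if (fd < 0) { perror("socket"); return 1; }
	build_audit_req(&req, AUDIT_GET, 0, 1);
	n = audit_xfer(fd, &req, buf, sizeof(buf));
	if (n < 0 || !lost_reset_supported(buf, (size_t)n)) {
		fprintf(stderr, "kernel does not advertise AUDIT_FEATURE_BITMAP_LOST_RESET\n");
		return 1;
	}
	build_audit_req(&req, AUDIT_SET, AUDIT_STATUS_LOST, 2);
	n = audit_xfer(fd, &req, buf, sizeof(buf));
	if (n < 0 || parse_lost_reset_reply(buf, (size_t)n, 2, &lost) < 0) {
		perror("reset");
		return 1;
	}
	printf("lost records since last reset: %u\n", lost);
	return 0;
}
```

The feature check is not decoration: on a kernel without the patch the AUDIT_SET is acked with 0 and is indistinguishable from a successful reset of an idle counter, so a tool that skips the bitmap can report "nothing lost" forever on a kernel that never counted. The same ambiguity is why the example sets NLM_F_ACK, so that a genuine zero still produces a reply to parse.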
* Re: [PATCH V4] audit: add feature audit_lost reset
2017-01-13 8:26 [PATCH V4] audit: add feature audit_lost reset Richard Guy Briggs
@ 2017-01-13 15:48 ` Steve Grubb
2017-02-09 14:06 ` Richard Guy Briggs
2017-01-18 20:00 ` Paul Moore
1 sibling, 1 reply; 8+ messages in thread
From: Steve Grubb @ 2017-01-13 15:48 UTC (permalink / raw)
To: Richard Guy Briggs; +Cc: linux-audit
On Friday, January 13, 2017 3:26:29 AM EST Richard Guy Briggs wrote:
> Add a method to reset the audit_lost value.
>
> An AUDIT_SET message with the AUDIT_STATUS_LOST flag set by itself
> will return a positive value representing the current audit_lost value
> and reset the counter to zero. If AUDIT_STATUS_LOST is not the
> only flag set, the reset command will be ignored. The value sent with
> the command is ignored. The return value will be the +ve lost value at
> reset time.
>
> An AUDIT_CONFIG_CHANGE message will be queued to the listening audit
> daemon. The message will be a standard CONFIG_CHANGE message with the
> fields "lost=0" and "old=" with the latter containing the value of
> audit_lost at reset time.
This passes testing and the event looks good.
Acked-by: Steve Grubb <sgrubb@redhat.com>
This clears the way for audit-2.7.1 release today.
-Steve
> See: https://github.com/linux-audit/audit-kernel/issues/3
>
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> There is a merge conflict anticipated with the exclude filter
> FEATURE_BITMAP patch (ghak5)
>
> v2:
> Switch from AUDIT_GET to AUDIT_SET
> Remove AUDIT_FEATURE and AUDIT_FEATURE_BITMAP
> Return +ve lost value, reply AUDIT_LOST_RESET msg to sender
>
> v3:
> Switch, from reply to sender, to queue to audit log
>
> v4:
> Switch from LOST_RESET to CONFIG_CHANGE log msg
> Re-add AUDIT_FEATURE_BITMASK
> ---
> ---
> include/uapi/linux/audit.h | 6 +++++-
> kernel/audit.c | 8 +++++++-
> 2 files changed, 12 insertions(+), 2 deletions(-)
>
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index c8dc97b..3f24110 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -326,15 +326,19 @@ enum {
> #define AUDIT_STATUS_RATE_LIMIT 0x0008
> #define AUDIT_STATUS_BACKLOG_LIMIT 0x0010
> #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
> +#define AUDIT_STATUS_LOST 0x0040
>
> #define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
> #define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
> #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
> #define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
> +#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
> +
> #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
> AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
> AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH | \
> - AUDIT_FEATURE_BITMAP_SESSIONID_FILTER)
> + AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
> + AUDIT_FEATURE_BITMAP_LOST_RESET)
>
> /* deprecated: AUDIT_VERSION_* */
> #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 57acf25..25dd70a 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -121,7 +121,7 @@ u32 audit_sig_sid = 0;
> 3) suppressed due to audit_rate_limit
> 4) suppressed due to audit_backlog_limit
> */
> -static atomic_t audit_lost = ATOMIC_INIT(0);
> +static atomic_t audit_lost = ATOMIC_INIT(0);
>
> /* The netlink socket. */
> static struct sock *audit_sock;
> @@ -1052,6 +1052,12 @@ static int audit_receive_msg(struct sk_buff *skb,
> struct nlmsghdr *nlh) if (err < 0)
> return err;
> }
> + if (s.mask == AUDIT_STATUS_LOST) {
> + u32 lost = atomic_xchg(&audit_lost, 0);
> +
> + audit_log_config_change("lost", 0, lost, 1);
> + return lost;
> + }
> break;
> }
> case AUDIT_GET_FEATURE:
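What a log consumer sees after a reset, as an added example that is not part of the patch, of this thread, or of the audit userspace: it picks the CONFIG_CHANGE record the commit message describes (lost=0 together with old=<counter at reset time>) out of raw audit.log lines and totals the records that had genuinely been dropped before each reset. The sample lines are constructed for this example around those two fields; the auid/ses/res fields and the raw type=CONFIG_CHANGE prefix follow the usual layout of other CONFIG_CHANGE records and are an assumption, not something the patch shows.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct lost_reset_event {
	unsigned long old;   /* records dropped before the reset (old=) */
	long auid;           /* login uid that issued it, -1 if absent */
};

/* Locate "key=" as a whole field (start of line or after ' ' or ':') and
 * parse its decimal value. Returns 1 on success, 0 if absent or not numeric. */
static int field_ulong(const char *line, const char *key, unsigned long *out)
{
	size_t klen = strlen(key);
	const char *p = line;

	while ((p = strstr(p, key)) != NULL) {
		if ((p == line || p[-1] == ' ' || p[-1] == ':') && p[klen] == '=') {
			char *end;
			*out = strtoul(p + klen + 1, &end, 10);
			return end != p + klen + 1;
		}
		p += klen;
	}
	return 0;
}

/* Returns 1 and fills ev when line is the reset record (a CONFIG_CHANGE
 * carrying lost=0 and old=<count>), 0 for anything else, including the
 * other CONFIG_CHANGE records that also carry an old= field. */
int parse_lost_reset_record(const char *line, struct lost_reset_event *ev)
{
	unsigned long lost, auid;

	if (strncmp(line, "type=CONFIG_CHANGE", 18) != 0)
		return 0;
	if (!field_ulong(line, "lost", &lost) || lost != 0 ||
	    !field_ulong(line, "old", &ev->old))
		return 0;
	ev->auid = field_ulong(line, "auid", &auid) ? (long)auid : -1;
	return 1;
}

/* Walk newline-separated log text. Returns the number of resets seen and, via
 * *dropped, how many records had really been lost across them: a reset with
 * old=0 is housekeeping, a reset with old>0 marks a gap in the audit trail. */
int scan_lost_resets(const char *log, unsigned long *dropped)
{
	int resets = 0;

	*dropped = 0;
	while (*log) {
		const char *nl = strchr(log, '\n');
		size_t n = nl ? (size_t)(nl - log) : strlen(log);
		size_t copy = n < 1023 ? n : 1023;
		char line[1024];
		struct lost_reset_event ev;

		memcpy(line, log, copy);
		line[copy] = '\0';
		if (parse_lost_reset_record(line, &ev)) {
			resets++;
			*dropped += ev.old;
		}
		log += n + (nl ? 1 : 0);
	}
	return resets;
}

/* Constructed sample, laid out after the field list in the commit message
 * (lost=0 old=N) plus the auid/ses/res fields other CONFIG_CHANGE records
 * carry; not captured from a real system. */
static const char SAMPLE_LOG[] =
	"type=CONFIG_CHANGE msg=audit(1486650000.123:501): lost=0 old=17 auid=1000 ses=4 res=1\n"
	"type=CONFIG_CHANGE msg=audit(1486650100.456:502): audit_backlog_limit=8192 old=320 auid=1000 ses=4 res=1\n"
	"type=SYSCALL msg=audit(1486650150.000:503): arch=c000003e syscall=59 success=yes exit=0\n"
	"type=CONFIG_CHANGE msg=audit(1486650200.789:504): lost=0 old=0 auid=0 ses=1 res=1\n";

int main(void)
{
	unsigned long dropped;
	int resets = scan_lost_resets(SAMPLE_LOG, &dropped);

	printf("%d lost-counter resets, %lu records dropped before them\n", resets, dropped);
	return 0;
}
```

The second sample line is there on purpose: other CONFIG_CHANGE records carry an old= field too, so matching on old= alone misfiles ordinary limit changes as resets; the lost=0 field is what identifies this event. A reset whose old value is non-zero is the record worth alerting on, since it is the only trace that the counter had been climbing before someone zeroed it.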
* Re: [PATCH V4] audit: add feature audit_lost reset
2017-01-13 8:26 [PATCH V4] audit: add feature audit_lost reset Richard Guy Briggs
2017-01-13 15:48 ` Steve Grubb
@ 2017-01-18 20:00 ` Paul Moore
1 sibling, 0 replies; 8+ messages in thread
From: Paul Moore @ 2017-01-18 20:00 UTC (permalink / raw)
To: Richard Guy Briggs; +Cc: linux-audit
On Fri, Jan 13, 2017 at 3:26 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> Add a method to reset the audit_lost value.
>
> An AUDIT_SET message with the AUDIT_STATUS_LOST flag set by itself
> will return a positive value representing the current audit_lost value
> and reset the counter to zero. If AUDIT_STATUS_LOST is not the
> only flag set, the reset command will be ignored. The value sent with
> the command is ignored. The return value will be the +ve lost value at
> reset time.
>
> An AUDIT_CONFIG_CHANGE message will be queued to the listening audit
> daemon. The message will be a standard CONFIG_CHANGE message with the
> fields "lost=0" and "old=" with the latter containing the value of
> audit_lost at reset time.
>
> See: https://github.com/linux-audit/audit-kernel/issues/3
>
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> There is a merge conflict anticipated with the exclude filter
> FEATURE_BITMAP patch (ghak5)
>
> v2:
> Switch from AUDIT_GET to AUDIT_SET
> Remove AUDIT_FEATURE and AUDIT_FEATURE_BITMAP
> Return +ve lost value, reply AUDIT_LOST_RESET msg to sender
>
> v3:
> Switch, from reply to sender, to queue to audit log
>
> v4:
> Switch from LOST_RESET to CONFIG_CHANGE log msg
> Re-add AUDIT_FEATURE_BITMASK
> ---
> ---
> include/uapi/linux/audit.h | 6 +++++-
> kernel/audit.c | 8 +++++++-
> 2 files changed, 12 insertions(+), 2 deletions(-)
Merged, thanks.
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index c8dc97b..3f24110 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -326,15 +326,19 @@ enum {
> #define AUDIT_STATUS_RATE_LIMIT 0x0008
> #define AUDIT_STATUS_BACKLOG_LIMIT 0x0010
> #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
> +#define AUDIT_STATUS_LOST 0x0040
>
> #define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
> #define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
> #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
> #define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
> +#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
> +
> #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
> AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
> AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH | \
> - AUDIT_FEATURE_BITMAP_SESSIONID_FILTER)
> + AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
> + AUDIT_FEATURE_BITMAP_LOST_RESET)
>
> /* deprecated: AUDIT_VERSION_* */
> #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 57acf25..25dd70a 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -121,7 +121,7 @@ u32 audit_sig_sid = 0;
> 3) suppressed due to audit_rate_limit
> 4) suppressed due to audit_backlog_limit
> */
> -static atomic_t audit_lost = ATOMIC_INIT(0);
> +static atomic_t audit_lost = ATOMIC_INIT(0);
>
> /* The netlink socket. */
> static struct sock *audit_sock;
> @@ -1052,6 +1052,12 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> if (err < 0)
> return err;
> }
> + if (s.mask == AUDIT_STATUS_LOST) {
> + u32 lost = atomic_xchg(&audit_lost, 0);
> +
> + audit_log_config_change("lost", 0, lost, 1);
> + return lost;
> + }
> break;
> }
> case AUDIT_GET_FEATURE:
> --
> 1.7.1
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
--
paul moore
www.paul-moore.com
* Re: [PATCH V4] audit: add feature audit_lost reset
2017-01-13 15:48 ` Steve Grubb
@ 2017-02-09 14:06 ` Richard Guy Briggs
2017-02-09 14:50 ` Steve Grubb
0 siblings, 1 reply; 8+ messages in thread
From: Richard Guy Briggs @ 2017-02-09 14:06 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
On 2017-01-13 10:48, Steve Grubb wrote:
> On Friday, January 13, 2017 3:26:29 AM EST Richard Guy Briggs wrote:
> > Add a method to reset the audit_lost value.
> >
> > An AUDIT_SET message with the AUDIT_STATUS_LOST flag set by itself
> > will return a positive value representing the current audit_lost value
> > and reset the counter to zero. If AUDIT_STATUS_LOST is not the
> > only flag set, the reset command will be ignored. The value sent with
> > the command is ignored. The return value will be the +ve lost value at
> > reset time.
> >
> > An AUDIT_CONFIG_CHANGE message will be queued to the listening audit
> > daemon. The message will be a standard CONFIG_CHANGE message with the
> > fields "lost=0" and "old=" with the latter containing the value of
> > audit_lost at reset time.
>
> This passes testing and the event looks good.
Did you create a formal test for it or just test it manually?
> Acked-by: Steve Grubb <sgrubb@redhat.com>
>
> This clears the way for audit-2.7.1 release today.
>
> -Steve
>
> > See: https://github.com/linux-audit/audit-kernel/issues/3
> >
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> > There is a merge conflict anticipated with the exclude filter
> > FEATURE_BITMAP patch (ghak5)
> >
> > v2:
> > Switch from AUDIT_GET to AUDIT_SET
> > Remove AUDIT_FEATURE and AUDIT_FEATURE_BITMAP
> > Return +ve lost value, reply AUDIT_LOST_RESET msg to sender
> >
> > v3:
> > Switch, from reply to sender, to queue to audit log
> >
> > v4:
> > Switch from LOST_RESET to CONFIG_CHANGE log msg
> > Re-add AUDIT_FEATURE_BITMASK
> > ---
> > ---
> > include/uapi/linux/audit.h | 6 +++++-
> > kernel/audit.c | 8 +++++++-
> > 2 files changed, 12 insertions(+), 2 deletions(-)
> >
> > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > index c8dc97b..3f24110 100644
> > --- a/include/uapi/linux/audit.h
> > +++ b/include/uapi/linux/audit.h
> > @@ -326,15 +326,19 @@ enum {
> > #define AUDIT_STATUS_RATE_LIMIT 0x0008
> > #define AUDIT_STATUS_BACKLOG_LIMIT 0x0010
> > #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
> > +#define AUDIT_STATUS_LOST 0x0040
> >
> > #define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
> > #define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
> > #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
> > #define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
> > +#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
> > +
> > #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
> > AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
> > AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH | \
> > - AUDIT_FEATURE_BITMAP_SESSIONID_FILTER)
> > + AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
> > + AUDIT_FEATURE_BITMAP_LOST_RESET)
> >
> > /* deprecated: AUDIT_VERSION_* */
> > #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 57acf25..25dd70a 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -121,7 +121,7 @@ u32 audit_sig_sid = 0;
> > 3) suppressed due to audit_rate_limit
> > 4) suppressed due to audit_backlog_limit
> > */
> > -static atomic_t audit_lost = ATOMIC_INIT(0);
> > +static atomic_t audit_lost = ATOMIC_INIT(0);
> >
> > /* The netlink socket. */
> > static struct sock *audit_sock;
> > @@ -1052,6 +1052,12 @@ static int audit_receive_msg(struct sk_buff *skb,
> > struct nlmsghdr *nlh) if (err < 0)
> > return err;
> > }
> > + if (s.mask == AUDIT_STATUS_LOST) {
> > + u32 lost = atomic_xchg(&audit_lost, 0);
> > +
> > + audit_log_config_change("lost", 0, lost, 1);
> > + return lost;
> > + }
> > break;
> > }
> > case AUDIT_GET_FEATURE:
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
* Re: [PATCH V4] audit: add feature audit_lost reset
2017-02-09 14:06 ` Richard Guy Briggs
@ 2017-02-09 14:50 ` Steve Grubb
2017-02-09 15:49 ` Richard Guy Briggs
0 siblings, 1 reply; 8+ messages in thread
From: Steve Grubb @ 2017-02-09 14:50 UTC (permalink / raw)
To: Richard Guy Briggs; +Cc: linux-audit
On Thursday, February 9, 2017 9:06:57 AM EST Richard Guy Briggs wrote:
> On 2017-01-13 10:48, Steve Grubb wrote:
> > On Friday, January 13, 2017 3:26:29 AM EST Richard Guy Briggs wrote:
> > > Add a method to reset the audit_lost value.
> > >
> > > An AUDIT_SET message with the AUDIT_STATUS_LOST flag set by itself
> > > will return a positive value representing the current audit_lost value
> > > and reset the counter to zero. If AUDIT_STATUS_LOST is not the
> > > only flag set, the reset command will be ignored. The value sent with
> > > the command is ignored. The return value will be the +ve lost value at
> > > reset time.
> > >
> > > An AUDIT_CONFIG_CHANGE message will be queued to the listening audit
> > > daemon. The message will be a standard CONFIG_CHANGE message with the
> > > fields "lost=0" and "old=" with the latter containing the value of
> > > audit_lost at reset time.
> >
> > This passes testing and the event looks good.
>
> Did you create a formal test for it or just test it manually?
I tested this by building a kernel and testing it by hand.
-Steve
> > Acked-by: Steve Grubb <sgrubb@redhat.com>
> >
> > This clears the way for audit-2.7.1 release today.
> >
> > -Steve
> >
> > > See: https://github.com/linux-audit/audit-kernel/issues/3
> > >
> > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > > ---
> > > There is a merge conflict anticipated with the exclude filter
> > > FEATURE_BITMAP patch (ghak5)
> > >
> > > v2:
> > > Switch from AUDIT_GET to AUDIT_SET
> > > Remove AUDIT_FEATURE and AUDIT_FEATURE_BITMAP
> > > Return +ve lost value, reply AUDIT_LOST_RESET msg to sender
> > >
> > > v3:
> > > Switch, from reply to sender, to queue to audit log
> > >
> > > v4:
> > > Switch from LOST_RESET to CONFIG_CHANGE log msg
> > > Re-add AUDIT_FEATURE_BITMASK
> > >
> > > ---
> > > ---
> > >
> > > include/uapi/linux/audit.h | 6 +++++-
> > > kernel/audit.c | 8 +++++++-
> > > 2 files changed, 12 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > > index c8dc97b..3f24110 100644
> > > --- a/include/uapi/linux/audit.h
> > > +++ b/include/uapi/linux/audit.h
> > > @@ -326,15 +326,19 @@ enum {
> > >
> > > #define AUDIT_STATUS_RATE_LIMIT 0x0008
> > > #define AUDIT_STATUS_BACKLOG_LIMIT 0x0010
> > > #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
> > >
> > > +#define AUDIT_STATUS_LOST 0x0040
> > >
> > > #define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
> > > #define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
> > > #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
> > > #define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
> > >
> > > +#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
> > > +
> > >
> > > #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT |
> > > \
> > >
> > > AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
> > > AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH | \
> > >
> > > - AUDIT_FEATURE_BITMAP_SESSIONID_FILTER)
> > > + AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
> > > + AUDIT_FEATURE_BITMAP_LOST_RESET)
> > >
> > > /* deprecated: AUDIT_VERSION_* */
> > > #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
> > >
> > > diff --git a/kernel/audit.c b/kernel/audit.c
> > > index 57acf25..25dd70a 100644
> > > --- a/kernel/audit.c
> > > +++ b/kernel/audit.c
> > > @@ -121,7 +121,7 @@ u32 audit_sig_sid = 0;
> > >
> > > 3) suppressed due to audit_rate_limit
> > > 4) suppressed due to audit_backlog_limit
> > >
> > > */
> > >
> > > -static atomic_t audit_lost = ATOMIC_INIT(0);
> > > +static atomic_t audit_lost = ATOMIC_INIT(0);
> > >
> > > /* The netlink socket. */
> > > static struct sock *audit_sock;
> > >
> > > @@ -1052,6 +1052,12 @@ static int audit_receive_msg(struct sk_buff *skb,
> > > struct nlmsghdr *nlh) if (err < 0)
> > >
> > > return err;
> > >
> > > }
> > >
> > > + if (s.mask == AUDIT_STATUS_LOST) {
> > > + u32 lost = atomic_xchg(&audit_lost, 0);
> > > +
> > > + audit_log_config_change("lost", 0, lost, 1);
> > > + return lost;
> > > + }
> > >
> > > break;
> > >
> > > }
>
> > > case AUDIT_GET_FEATURE:
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Kernel Security Engineering, Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635
* Re: [PATCH V4] audit: add feature audit_lost reset
2017-02-09 14:50 ` Steve Grubb
@ 2017-02-09 15:49 ` Richard Guy Briggs
2017-02-09 15:52 ` Steve Grubb
0 siblings, 1 reply; 8+ messages in thread
From: Richard Guy Briggs @ 2017-02-09 15:49 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
On 2017-02-09 09:50, Steve Grubb wrote:
> On Thursday, February 9, 2017 9:06:57 AM EST Richard Guy Briggs wrote:
> > On 2017-01-13 10:48, Steve Grubb wrote:
> > > On Friday, January 13, 2017 3:26:29 AM EST Richard Guy Briggs wrote:
> > > > Add a method to reset the audit_lost value.
> > > >
> > > > An AUDIT_SET message with the AUDIT_STATUS_LOST flag set by itself
> > > > will return a positive value representing the current audit_lost value
> > > > and reset the counter to zero. If AUDIT_STATUS_LOST is not the
> > > > only flag set, the reset command will be ignored. The value sent with
> > > > the command is ignored. The return value will be the +ve lost value at
> > > > reset time.
> > > >
> > > > An AUDIT_CONFIG_CHANGE message will be queued to the listening audit
> > > > daemon. The message will be a standard CONFIG_CHANGE message with the
> > > > fields "lost=0" and "old=" with the latter containing the value of
> > > > audit_lost at reset time.
> > >
> > > This passes testing and the event looks good.
> >
> > Did you create a formal test for it or just test it manually?
>
> I tested this by building a kernel and testing it by hand.
Ok, this probably deserves a formal audit-testsuite case. What's the
exact format of the reset command?
> -Steve
>
> > > Acked-by: Steve Grubb <sgrubb@redhat.com>
> > >
> > > This clears the way for audit-2.7.1 release today.
> > >
> > > -Steve
> > >
> > > > See: https://github.com/linux-audit/audit-kernel/issues/3
> > > >
> > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > > > ---
> > > > There is a merge conflict anticipated with the exclude filter
> > > > FEATURE_BITMAP patch (ghak5)
> > > >
> > > > v2:
> > > > Switch from AUDIT_GET to AUDIT_SET
> > > > Remove AUDIT_FEATURE and AUDIT_FEATURE_BITMAP
> > > > Return +ve lost value, reply AUDIT_LOST_RESET msg to sender
> > > >
> > > > v3:
> > > > Switch, from reply to sender, to queue to audit log
> > > >
> > > > v4:
> > > > Switch from LOST_RESET to CONFIG_CHANGE log msg
> > > > Re-add AUDIT_FEATURE_BITMASK
> > > >
> > > > ---
> > > > ---
> > > >
> > > > include/uapi/linux/audit.h | 6 +++++-
> > > > kernel/audit.c | 8 +++++++-
> > > > 2 files changed, 12 insertions(+), 2 deletions(-)
> > > >
> > > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > > > index c8dc97b..3f24110 100644
> > > > --- a/include/uapi/linux/audit.h
> > > > +++ b/include/uapi/linux/audit.h
> > > > @@ -326,15 +326,19 @@ enum {
> > > >
> > > > #define AUDIT_STATUS_RATE_LIMIT 0x0008
> > > > #define AUDIT_STATUS_BACKLOG_LIMIT 0x0010
> > > > #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
> > > >
> > > > +#define AUDIT_STATUS_LOST 0x0040
> > > >
> > > > #define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
> > > > #define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
> > > > #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
> > > > #define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
> > > >
> > > > +#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
> > > > +
> > > >
> > > > #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT |
> > > > \
> > > >
> > > > AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
> > > > AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH | \
> > > >
> > > > - AUDIT_FEATURE_BITMAP_SESSIONID_FILTER)
> > > > + AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
> > > > + AUDIT_FEATURE_BITMAP_LOST_RESET)
> > > >
> > > > /* deprecated: AUDIT_VERSION_* */
> > > > #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL
> > > >
> > > > diff --git a/kernel/audit.c b/kernel/audit.c
> > > > index 57acf25..25dd70a 100644
> > > > --- a/kernel/audit.c
> > > > +++ b/kernel/audit.c
> > > > @@ -121,7 +121,7 @@ u32 audit_sig_sid = 0;
> > > >
> > > > 3) suppressed due to audit_rate_limit
> > > > 4) suppressed due to audit_backlog_limit
> > > >
> > > > */
> > > >
> > > > -static atomic_t audit_lost = ATOMIC_INIT(0);
> > > > +static atomic_t audit_lost = ATOMIC_INIT(0);
> > > >
> > > > /* The netlink socket. */
> > > > static struct sock *audit_sock;
> > > >
> > > > @@ -1052,6 +1052,12 @@ static int audit_receive_msg(struct sk_buff *skb,
> > > > struct nlmsghdr *nlh) if (err < 0)
> > > >
> > > > return err;
> > > >
> > > > }
> > > >
> > > > + if (s.mask == AUDIT_STATUS_LOST) {
> > > > + u32 lost = atomic_xchg(&audit_lost, 0);
> > > > +
> > > > + audit_log_config_change("lost", 0, lost, 1);
> > > > + return lost;
> > > > + }
> > > >
> > > > break;
> > > >
> > > > }
> >
> > > > case AUDIT_GET_FEATURE:
> > - RGB
> >
> > --
> > Richard Guy Briggs <rgb@redhat.com>
> > Kernel Security Engineering, Base Operating Systems, Red Hat
> > Remote, Ottawa, Canada
> > Voice: +1.647.777.2635, Internal: (81) 32635
>
>
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
* Re: [PATCH V4] audit: add feature audit_lost reset
2017-02-09 15:49 ` Richard Guy Briggs
@ 2017-02-09 15:52 ` Steve Grubb
2017-02-09 17:10 ` Richard Guy Briggs
0 siblings, 1 reply; 8+ messages in thread
From: Steve Grubb @ 2017-02-09 15:52 UTC (permalink / raw)
To: Richard Guy Briggs; +Cc: linux-audit
On Thursday, February 9, 2017 10:49:08 AM EST Richard Guy Briggs wrote:
> On 2017-02-09 09:50, Steve Grubb wrote:
> > On Thursday, February 9, 2017 9:06:57 AM EST Richard Guy Briggs wrote:
> > > On 2017-01-13 10:48, Steve Grubb wrote:
> > > > On Friday, January 13, 2017 3:26:29 AM EST Richard Guy Briggs wrote:
> > > > > An AUDIT_SET message with the AUDIT_STATUS_LOST flag set by itself
> > > > > will return a positive value representing the current audit_lost
> > > > > value and reset the counter to zero. If AUDIT_STATUS_LOST is not
> > > > > the only flag set, the reset command will be ignored. The value sent
> > > > > with the command is ignored. The return value will be the +ve lost
> > > > > value at reset time.
> > > > >
> > > > > An AUDIT_CONFIG_CHANGE message will be queued to the listening audit
> > > > > daemon. The message will be a standard CONFIG_CHANGE message with
> > > > > the fields "lost=0" and "old=" with the latter containing the value
> > > > > of audit_lost at reset time.
> > > >
> > > > This passes testing and the event looks good.
> > >
> > > Did you create a formal test for it or just test it manually?
> >
> > I tested this by building a kernel and testing it by hand.
>
> Ok, this probably deserves a formal audit-testsuite case. What's the
> exact format of the reset command?
auditctl --reset-lost
-Steve
* Re: [PATCH V4] audit: add feature audit_lost reset
2017-02-09 15:52 ` Steve Grubb
@ 2017-02-09 17:10 ` Richard Guy Briggs
0 siblings, 0 replies; 8+ messages in thread
From: Richard Guy Briggs @ 2017-02-09 17:10 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
On 2017-02-09 10:52, Steve Grubb wrote:
> On Thursday, February 9, 2017 10:49:08 AM EST Richard Guy Briggs wrote:
> > On 2017-02-09 09:50, Steve Grubb wrote:
> > > On Thursday, February 9, 2017 9:06:57 AM EST Richard Guy Briggs wrote:
> > > > On 2017-01-13 10:48, Steve Grubb wrote:
> > > > > On Friday, January 13, 2017 3:26:29 AM EST Richard Guy Briggs wrote:
> > > > > > An AUDIT_SET message with the AUDIT_STATUS_LOST flag set by itself
> > > > > > will return a positive value representing the current audit_lost
> > > > > > value and reset the counter to zero. If AUDIT_STATUS_LOST is not
> > > > > > the only flag set, the reset command will be ignored. The value sent
> > > > > > with the command is ignored. The return value will be the +ve lost
> > > > > > value at reset time.
> > > > > >
> > > > > > An AUDIT_CONFIG_CHANGE message will be queued to the listening audit
> > > > > > daemon. The message will be a standard CONFIG_CHANGE message with
> > > > > > the fields "lost=0" and "old=" with the latter containing the value
> > > > > > of audit_lost at reset time.
> > > > >
> > > > > This passes testing and the event looks good.
> > > >
> > > > Did you create a formal test for it or just test it manually?
> > >
> > > I tested this by building a kernel and testing it by hand.
> >
> > Ok, this probably deserves a formal audit-testsuite case. What's the
> > exact format of the reset command?
>
> auditctl --reset-lost
Ok, no wonder I couldn't find it. This is backwards from what I
proposed in the wiki RFE, so I'll update it...
https://github.com/linux-audit/audit-kernel/wiki/RFE-Reset-the-Lost-Record-Counter
But even that doesn't appear to work. When I supply that option, I get
the help text which lists that option (with an extra space before the description).
> -Steve
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635