public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed
* audit more syscalls during boot before auditd starts?
@ 2012-07-20 14:07 Giang Nguyen
  2012-07-20 14:56 ` Steve Grubb
  0 siblings, 1 reply; 3+ messages in thread
From: Giang Nguyen @ 2012-07-20 14:07 UTC (permalink / raw)
  To: linux-audit

Hi,
I am running Ubuntu 12.04 with audit 1.7.18. I notice that if I
specify the kernel boot parameter audit=1 (according to auditd(8)),
then the kernel audits some syscalls to /var/log/syslog before auditd
starts.
However, I am seeing only syscall=1 (write()). I assume there are more
syscalls like fork/clone() and execve() that are not being audited.
Can I make the kernel -- via boot/runtime configuration, not
recompilation -- audit more syscalls before auditd starts?
I googled but did not find the answer or even this exact question.

Jul 19 20:57:53 host kernel: [    0.000000] Command line:
BOOT_IMAGE=/boot/vmlinuz-3.2.0-23-generic ... audit=1
Jul 19 20:57:53 host kernel: [    0.000000] Kernel command line:
BOOT_IMAGE=/boot/vmlinuz-3.2.0-23-generic ... audit=1
Jul 19 20:57:53 host kernel: [    0.000000] audit: enabled (after
initialization)
Jul 19 20:57:53 host kernel: [    0.701807] audit: initializing
netlink socket (enabled)
Jul 19 20:57:53 host kernel: [    0.701813] type=2000
audit(1342731461.540:1): initialized
Jul 19 20:57:53 host kernel: [   10.112334] type=1400
audit(1342745872.190:2): apparmor="STATUS" operation="profile_load"
name="/sbin/dhclient" pid=393 comm="apparmor_parser"
Jul 19 20:57:53 host kernel: [   10.112341] type=1400
audit(1342745872.190:3): apparmor="STATUS" operation="profile_replace"
name="/sbin/dhclient" pid=550 comm="apparmor_parser"
Jul 19 20:57:53 host kernel: [   10.112345] type=1300
audit(1342745872.190:2): arch=c000003e syscall=1 success=yes
exit=70195 ... exe="/sbin/apparmor_parser" key=(null)
Jul 19 20:57:53 host kernel: [   10.112353] type=1300
audit(1342745872.190:3): arch=c000003e syscall=1 success=yes
exit=70195 ... exe="/sbin/apparmor_parser" key=(null)
...
...
Jul 19 20:58:16 host auditd[1217]: Init complete, auditd 1.7.18
listening for events (startup state enable)
Jul 19 20:58:16 host kernel: [   34.614216] auditd (1217):
/proc/1217/oom_adj is deprecated, please use /proc/1217/oom_score_adj
instead.

Thanks.

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: audit more syscalls during boot before auditd starts?
  2012-07-20 14:07 audit more syscalls during boot before auditd starts? Giang Nguyen
@ 2012-07-20 14:56 ` Steve Grubb
  2012-07-23 14:42   ` Giang Nguyen
  0 siblings, 1 reply; 3+ messages in thread
From: Steve Grubb @ 2012-07-20 14:56 UTC (permalink / raw)
  To: linux-audit

On Friday, July 20, 2012 10:07:33 AM Giang Nguyen wrote:
> Hi,
> I am running Ubuntu 12.04 with audit 1.7.18. I notice that if I
> specify the kernel boot parameter audit=1 (according to auditd(8)),
> then the kernel audits some syscalls to /var/log/syslog before auditd
> starts.

This is not really "normal". There are MAC systems that can cause certain 
events to be audited and perhaps that is what you are seeing. Maybe apparmor 
is triggering the audit events?

There are certain events that are audited during boot and they are hardwired 
so that no rules are needed. These events are audited to prove that certain 
assumptions about the system policy are true, like MAC policy loading or 
changes to its configuration.

But the audit rules that are normally used are discretionary. They need to be 
loaded before a user has access to a system. Just so long as they get loaded 
before a user logs in is all that matters. System security events are usually 
queued in memory and the audit system drains the queue as soon as it starts. 
But the security posture of the system does not mean that rules have to be 
loaded extremely early in the boot process.

That said, there have been attempts to reconstruct the boot using the audit 
system. I think bootchart.org used it and maybe the readahead bootloader. They 
were programs that I think were in the initramfs and loaded hardcoded rules 
into the kernel. But the problem was that they sort of interfere with the 
audit daemon. Their goals are mutually exclusive to security concerns. 
Performance analysis and security don't work together.

But even if you successfully load rules early...you need a daemon to collect 
the results before the internal kernel buffer overflows and forever lose the 
events. So, this means getting the audit daemon running earlier and its main 
requirement is the MAC policy already be loaded and the disk system mounted 
(perhaps networking running if you use remote logging).

Hope this helps...

-Steve


> However, I am seeing only syscall=1 (write()). I assume there are more
> syscalls like fork/clone() and execve() that are not being audited.
> Can I make the kernel -- via boot/runtime configuration, not
> recompilation -- audit more syscalls before auditd starts?
> I googled but did not find the answer or even this exact question.
> 
> Jul 19 20:57:53 host kernel: [    0.000000] Command line:
> BOOT_IMAGE=/boot/vmlinuz-3.2.0-23-generic ... audit=1
> Jul 19 20:57:53 host kernel: [    0.000000] Kernel command line:
> BOOT_IMAGE=/boot/vmlinuz-3.2.0-23-generic ... audit=1
> Jul 19 20:57:53 host kernel: [    0.000000] audit: enabled (after
> initialization)
> Jul 19 20:57:53 host kernel: [    0.701807] audit: initializing
> netlink socket (enabled)
> Jul 19 20:57:53 host kernel: [    0.701813] type=2000
> audit(1342731461.540:1): initialized
> Jul 19 20:57:53 host kernel: [   10.112334] type=1400
> audit(1342745872.190:2): apparmor="STATUS" operation="profile_load"
> name="/sbin/dhclient" pid=393 comm="apparmor_parser"
> Jul 19 20:57:53 host kernel: [   10.112341] type=1400
> audit(1342745872.190:3): apparmor="STATUS" operation="profile_replace"
> name="/sbin/dhclient" pid=550 comm="apparmor_parser"
> Jul 19 20:57:53 host kernel: [   10.112345] type=1300
> audit(1342745872.190:2): arch=c000003e syscall=1 success=yes
> exit=70195 ... exe="/sbin/apparmor_parser" key=(null)
> Jul 19 20:57:53 host kernel: [   10.112353] type=1300
> audit(1342745872.190:3): arch=c000003e syscall=1 success=yes
> exit=70195 ... exe="/sbin/apparmor_parser" key=(null)
> ...
> ...
> Jul 19 20:58:16 host auditd[1217]: Init complete, auditd 1.7.18
> listening for events (startup state enable)
> Jul 19 20:58:16 host kernel: [   34.614216] auditd (1217):
> /proc/1217/oom_adj is deprecated, please use /proc/1217/oom_score_adj
> instead.
> 
> Thanks.
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: audit more syscalls during boot before auditd starts?
  2012-07-20 14:56 ` Steve Grubb
@ 2012-07-23 14:42   ` Giang Nguyen
  0 siblings, 0 replies; 3+ messages in thread
From: Giang Nguyen @ 2012-07-23 14:42 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

> But even if you successfully load rules early...you need a daemon to collect
> the results before the internal kernel buffer overflows and forever lose the
> events. So, this means getting the audit daemon running earlier and its main
> requirement is the MAC policy already be loaded and the disk system mounted
> (perhaps networking running if you use remote logging).

Thanks, Steve.

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2012-07-23 14:42 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-07-20 14:07 audit more syscalls during boot before auditd starts? Giang Nguyen
2012-07-20 14:56 ` Steve Grubb
2012-07-23 14:42   ` Giang Nguyen

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox