* [PATCH] [AUDIT] Fix ANOM_PROMISCUOUS message format
From: Klaus Heinrich Kiwi @ 2008-01-10 17:25 UTC
To: eparis, sgrubb@redhat.com, Linux-audit@redhat.com
Steve, as we talked earlier through IRC, ausearch/aureport are expecting
the kernel anomalies messages to have auid= uid= gid= fields (in this
order). This quick patch changes the ANOM_PROMISCUOUS message to the
correct format (as already used by ANOM_ABEND).
Applies on 2.6.24-rc7 from the audit.git tree
--
Klaus Heinrich Kiwi
Security Development - IBM Linux Technology Center
--
Fix ANOM_PROMISCUOUS message to the format as expected by
audit userspace: auid=%u uid=%u gid=%u [...]
Signed-off-by: Klaus Heinrich Kiwi <klausk@br.ibm.com>
---
net/core/dev.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/core/dev.c b/net/core/dev.c
index 0848da3..cd49cd0 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2759,10 +2759,11 @@ static void __dev_set_promiscuity(struct net_device *dev, int inc)
"left");
audit_log(current->audit_context, GFP_ATOMIC,
AUDIT_ANOM_PROMISCUOUS,
- "dev=%s prom=%d old_prom=%d auid=%u ses=%u",
+ "auid=%u uid=%u gid=%u dev=%s prom=%d old_prom=%d ses=%u",
+ audit_get_loginuid(current->audit_context),
+ current->uid, current->gid,
dev->name, (dev->flags & IFF_PROMISC),
(old_flags & IFF_PROMISC),
- audit_get_loginuid(current->audit_context),
audit_get_sessionid(current->audit_context));
if (dev->change_rx_flags)
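Review bot: The new format string on the `+` line moves auid= ahead of dev=, so the fields consumers already see (dev, prom, old_prom) change position in addition to gaining uid= and gid=. If the goal is only to add the missing identity fields, consider appending uid=%u gid=%u after the existing auid=%u so the start of the record stays stable, and state in the commit message which layout userspace is expected to handle. The audit_log() call is also still unconditional in this hunk; a check of audit_enabled would fit in the same change.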
--
1.5.3.7
* Re: [PATCH] [AUDIT] Fix ANOM_PROMISCUOUS message format
From: Steve Grubb @ 2008-01-10 17:41 UTC
To: Klaus Heinrich Kiwi; +Cc: Linux-audit@redhat.com
On Thursday 10 January 2008 12:25:23 Klaus Heinrich Kiwi wrote:
> Steve, as we talked earlier through IRC, ausearch/aureport are expecting
> the kernel anomalies messages to have auid= uid= gid= fields (in this
> order). This quick patch changes the ANOM_PROMISCUOUS message to the
> correct format (as already used by ANOM_ABEND).
Thanks, would you mind making 2 changes to this? Add a test for audit_enabled
being true before calling audit_log...a long standing oversight. And add a
field at the end "res=1" since this doesn't appear to be able to fail. I'm
trying to get result fields in all events.
I'd like to just touch this code one time since it's in the network code.
Thanks,
-Steve
* Re: [PATCH] [AUDIT] Fix ANOM_PROMISCUOUS message format
From: Steve Grubb @ 2008-01-10 17:49 UTC
To: linux-audit
On Thursday 10 January 2008 12:41:00 Steve Grubb wrote:
> And add a field at the end "res=1" since this doesn't appear to be able to
> fail.
Actually, I don't think this one is needed since it's an ANOM event. They
should be true always. I guess we just need a test of audit_enabled added.
Thanks,
-Steve
* Re: [PATCH] [AUDIT] Fix ANOM_PROMISCUOUS message format
From: Klaus Heinrich Kiwi @ 2008-01-10 17:58 UTC
To: Steve Grubb; +Cc: Linux-audit@redhat.com
On Thu, 2008-01-10 at 12:41 -0500, Steve Grubb wrote:
> On Thursday 10 January 2008 12:25:23 Klaus Heinrich Kiwi wrote:
> > Steve, as we talked earlier through IRC, ausearch/aureport are expecting
> > the kernel anomalies messages to have auid= uid= gid= fields (in this
> > order). This quick patch changes the ANOM_PROMISCUOUS message to the
> > correct format (as already used by ANOM_ABEND).
>
> Thanks, would you mind making 2 changes to this? Add a test for audit_enabled
> being true before calling audit_log...a long standing oversight. And add a
> field at the end "res=1" since this doesn't appear to be able to fail. I'm
> trying to get result fields in all events.
>
Will do. Would you like something related to disabling this message when
Xen is enabled? Or would you prefer separate patches since those two
things appear to be unrelated?
Klaus
--
Klaus Heinrich Kiwi
Security Development - IBM Linux Technology Center
* Re: [PATCH] [AUDIT] Fix ANOM_PROMISCUOUS message format
From: Eric Paris @ 2008-01-10 18:07 UTC
To: Klaus Heinrich Kiwi; +Cc: Linux-audit@redhat.com
On Thu, 2008-01-10 at 15:25 -0200, Klaus Heinrich Kiwi wrote:
> Steve, as we talked earlier through IRC, ausearch/aureport are expecting
> the kernel anomalies messages to have auid= uid= gid= fields (in this
> order). This quick patch changes the ANOM_PROMISCUOUS message to the
> correct format (as already used by ANOM_ABEND).
>
> Applies on 2.6.24-rc7 from the audit.git tree
>
> --
> Klaus Heinrich Kiwi
> Security Development - IBM Linux Technology Center
>
> --
>
> Fix ANOM_PROMISCUOUS message to the format as expected by
> audit userspace: auid=%u uid=%u gid=%u [...]
Not that I have a problem with auditing uid and gid in ANOM_PROMISCUOUS
messages but doing it 'just because that's how userspace wants it'
doesn't seem like a good solution (aka if that were it I'd say fix
userspace not the kernel).
Anyway, let's stick with conventions of ordering, first is what happened,
second is who-dun-it.
dev=%s prom=%d old_prom=%d auid=%d uid=%u gid=%u ses=%u
I guess I'm ok with adding if(audit_enabled) in the same patch.
I'm not ok with adding some sort of "disable just this message" in the
same patch.
-Eric
>
> Signed-off-by: Klaus Heinrich Kiwi <klausk@br.ibm.com>
> ---
> net/core/dev.c | 5 +++--
> 1 files changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/net/core/dev.c b/net/core/dev.c
> index 0848da3..cd49cd0 100644
> --- a/net/core/dev.c
> +++ b/net/core/dev.c
> @@ -2759,10 +2759,11 @@ static void __dev_set_promiscuity(struct net_device *dev, int inc)
> "left");
> audit_log(current->audit_context, GFP_ATOMIC,
> AUDIT_ANOM_PROMISCUOUS,
> - "dev=%s prom=%d old_prom=%d auid=%u ses=%u",
> + "auid=%u uid=%u gid=%u dev=%s prom=%d old_prom=%d ses=%u",
> + audit_get_loginuid(current->audit_context),
> + current->uid, current->gid,
> dev->name, (dev->flags & IFF_PROMISC),
> (old_flags & IFF_PROMISC),
> - audit_get_loginuid(current->audit_context),
> audit_get_sessionid(current->audit_context));
>
> if (dev->change_rx_flags)
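Review bot: prom=%d and old_prom=%d are fed `(dev->flags & IFF_PROMISC)` and `(old_flags & IFF_PROMISC)`, so the record carries the masked flag value rather than 0 or 1. Since this patch already changes the message layout, either normalise both arguments with `!!` or note in the commit message that consumers must test these two fields for non-zero.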
* Re: [PATCH] [AUDIT] Fix ANOM_PROMISCUOUS message format
From: Steve Grubb @ 2008-01-10 18:22 UTC
To: Klaus Heinrich Kiwi; +Cc: Linux-audit@redhat.com
On Thursday 10 January 2008 12:58:13 Klaus Heinrich Kiwi wrote:
> On Thu, 2008-01-10 at 12:41 -0500, Steve Grubb wrote:
> > On Thursday 10 January 2008 12:25:23 Klaus Heinrich Kiwi wrote:
> > > Steve, as we talked earlier through IRC, ausearch/aureport are
> > > expecting the kernel anomalies messages to have auid= uid= gid= fields
> > > (in this order). This quick patch changes the ANOM_PROMISCUOUS message
> > > to the correct format (as already used by ANOM_ABEND).
> >
> > Thanks, would you mind making 2 changes to this? Add a test for
> > audit_enabled being true before calling audit_log...a long standing
> > oversight. And add a field at the end "res=1" since this doesn't appear
> > to be able to fail. I'm trying to get result fields in all events.
>
> Will do. Would you like something related to disabling this message when
> Xen is enabled?
Let's do that another time. Xen needs a lot of audit work in general.
-Steve
* [PATCH v2] [AUDIT] Add uid, gid fields to ANOM_PROMISCUOUS message
From: Klaus Heinrich Kiwi @ 2008-01-10 19:44 UTC
To: Steve Grubb; +Cc: Linux-audit@redhat.com
Changes the ANOM_PROMISCUOUS message to include uid and gid fields,
making it consistent with other AUDIT_ANOM_ messages and in the
format the userspace is expecting.
Signed-off-by: Klaus Heinrich Kiwi <klausk@br.ibm.com>
---
net/core/dev.c | 16 +++++++++-------
1 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/net/core/dev.c b/net/core/dev.c
index 0848da3..73476be 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2757,13 +2757,15 @@ static void __dev_set_promiscuity(struct net_device *dev, int inc)
printk(KERN_INFO "device %s %s promiscuous mode\n",
dev->name, (dev->flags & IFF_PROMISC) ? "entered" :
"left");
- audit_log(current->audit_context, GFP_ATOMIC,
- AUDIT_ANOM_PROMISCUOUS,
- "dev=%s prom=%d old_prom=%d auid=%u ses=%u",
- dev->name, (dev->flags & IFF_PROMISC),
- (old_flags & IFF_PROMISC),
- audit_get_loginuid(current->audit_context),
- audit_get_sessionid(current->audit_context));
+ if (audit_enabled)
+ audit_log(current->audit_context, GFP_ATOMIC,
+ AUDIT_ANOM_PROMISCUOUS,
+ "dev=%s prom=%d old_prom=%d auid=%u uid=%u gid=%u ses=%u",
+ dev->name, (dev->flags & IFF_PROMISC),
+ (old_flags & IFF_PROMISC),
+ audit_get_loginuid(current->audit_context),
+ current->uid, current->gid,
+ audit_get_sessionid(current->audit_context));
if (dev->change_rx_flags)
dev->change_rx_flags(dev, IFF_PROMISC);
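Review bot: The commit message describes only the new uid and gid fields, but the hunk also wraps the call in `if (audit_enabled)`, which changes when the record is emitted. Please mention the guard in the changelog. With the guarded statement spanning eight lines, braces around it would also make the scope of the `if` obvious next to the following `if (dev->change_rx_flags)`.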
--
1.5.3.7
--
Klaus Heinrich Kiwi
Security Development - IBM Linux Technology Center
* Re: [PATCH v2] [AUDIT] Add uid, gid fields to ANOM_PROMISCUOUS message
From: Eric Paris @ 2008-01-10 20:05 UTC
To: Klaus Heinrich Kiwi; +Cc: Linux-audit@redhat.com
On Thu, 2008-01-10 at 17:44 -0200, Klaus Heinrich Kiwi wrote:
> Changes the ANOM_PROMISCUOUS message to include uid and gid fields,
> making it consistent with other AUDIT_ANOM_ messages and in the
> format the userspace is expecting.
I'll fix up the fact that audit_get_loginuid() and friends now take a
task rather than an audit context and push it along.
Thanks.
-Eric
>
> Signed-off-by: Klaus Heinrich Kiwi <klausk@br.ibm.com>
> ---
> net/core/dev.c | 16 +++++++++-------
> 1 files changed, 9 insertions(+), 7 deletions(-)
>
> diff --git a/net/core/dev.c b/net/core/dev.c
> index 0848da3..73476be 100644
> --- a/net/core/dev.c
> +++ b/net/core/dev.c
> @@ -2757,13 +2757,15 @@ static void __dev_set_promiscuity(struct net_device *dev, int inc)
> printk(KERN_INFO "device %s %s promiscuous mode\n",
> dev->name, (dev->flags & IFF_PROMISC) ? "entered" :
> "left");
> - audit_log(current->audit_context, GFP_ATOMIC,
> - AUDIT_ANOM_PROMISCUOUS,
> - "dev=%s prom=%d old_prom=%d auid=%u ses=%u",
> - dev->name, (dev->flags & IFF_PROMISC),
> - (old_flags & IFF_PROMISC),
> - audit_get_loginuid(current->audit_context),
> - audit_get_sessionid(current->audit_context));
> + if (audit_enabled)
> + audit_log(current->audit_context, GFP_ATOMIC,
> + AUDIT_ANOM_PROMISCUOUS,
> + "dev=%s prom=%d old_prom=%d auid=%u uid=%u gid=%u ses=%u",
> + dev->name, (dev->flags & IFF_PROMISC),
> + (old_flags & IFF_PROMISC),
> + audit_get_loginuid(current->audit_context),
> + current->uid, current->gid,
> + audit_get_sessionid(current->audit_context));
>
> if (dev->change_rx_flags)
> dev->change_rx_flags(dev, IFF_PROMISC);
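Review bot: The identity fields in the `+` lines are read from two places: auid and ses through `current->audit_context`, uid and gid straight from `current`. Given the remark above that audit_get_loginuid() and friends now take a task, passing `current` to both helpers when rebasing would make all four values come visibly from the same task.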
> --
> 1.5.3.7
>
>
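An added example, not part of the thread or of the audit userspace code: a log consumer that looks fields up by key, so the three layouts discussed above (pre-patch, v1, v2) parse to the same record regardless of field order. The sample records, the record header layout used to frame them, and all function names are constructed for illustration.

```python
import re

# Constructed sample records (not from the thread): one event in the pre-patch
# layout, the v1 layout (who first), the v2 layout (what first), then a "left".
P = "type=ANOM_PROMISCUOUS msg=audit(1200000000.000:%d): "
SAMPLES = [
    P % 101 + "dev=eth0 prom=256 old_prom=0 auid=500 ses=3",
    P % 102 + "auid=500 uid=0 gid=0 dev=eth0 prom=256 old_prom=0 ses=3",
    P % 103 + "dev=eth0 prom=256 old_prom=0 auid=500 uid=0 gid=0 ses=3",
    P % 104 + "dev=eth0 prom=0 old_prom=256 auid=500 uid=0 gid=0 ses=3",
]

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD = re.compile(r"(\w+)=(\S+)")
INT_FIELDS = ("prom", "old_prom", "auid", "uid", "gid", "ses")


def parse_promisc(line):
    """Return a dict for an ANOM_PROMISCUOUS record, or None for other lines."""
    m = HEADER.match(line)
    if not m or m.group(1) != "ANOM_PROMISCUOUS":
        return None
    fields = dict(FIELD.findall(m.group(4)))  # lookup by key, not by position
    rec = {"serial": int(m.group(3)), "dev": fields.get("dev")}
    for key in INT_FIELDS:
        # uid/gid are absent in the pre-patch layout: keep None, do not guess.
        rec[key] = int(fields[key]) if key in fields else None
    return rec


def entered_promisc(rec):
    # prom/old_prom hold the masked flag (dev->flags & IFF_PROMISC), so test
    # for non-zero rather than comparing with 1.
    return bool(rec["prom"]) and not rec["old_prom"]


def alerts(lines):
    """(serial, dev, auid, uid) for every record that enters promiscuous mode."""
    recs = [r for r in map(parse_promisc, lines) if r is not None]
    return [(r["serial"], r["dev"], r["auid"], r["uid"])
            for r in recs if entered_promisc(r)]


if __name__ == "__main__":
    for hit in alerts(SAMPLES):
        print(hit)
```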