From: Richard Guy Briggs <rgb@redhat.com>
To: Eric Paris <eparis@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: [PATCH V4 0/4] audit by executable name
Date: Tue, 23 Sep 2014 00:32:33 -0400
Message-ID: <20140923043233.GE26201@madcap2.tricolour.ca>
In-Reply-To: <1410204333.3185.0.camel@redhat.com>
On 14/09/08, Eric Paris wrote:
> On Mon, 2014-09-08 at 14:53 -0400, Steve Grubb wrote:
> > Hello Richard,
> >
> > On Sunday, August 24, 2014 06:34:04 PM Richard Guy Briggs wrote:
> > > This is a part of Peter Moody, my and Eric Paris' work to implement
> > > audit by executable name.
> >
> > So, what's the status on this? Is it scheduled for the next upstream kernel?
> > This is a feature that's been missing for a long time. Many people will find
> > this useful.
> >
> > Also, has anyone beside Richard been testing this?
>
> I tested it when I wrote it. But don't know about this patch series.
> Is that worth anything? :)
Do you still have the test procedure and the results?
> > Thanks,
> > -Steve
> >
> > > Please see the accompanying userspace patch:
> > > https://www.redhat.com/archives/linux-audit/2014-May/msg00019.html
> > > The userspace interface is not expected to change appreciably unless
> > > something important has been overlooked. Setting and deleting rules works
> > > as expected.
> > >
> > > If the path does not exist at rule creation time, it will be re-evaluated
> > > every time there is a change to the parent directory at which point the
> > > change in device and inode will be noted.
> > >
> > >
> > > Here's a test run:
> > >
> > > # /usr/local/sbin/auditctl -a always,exit -F dir=/tmp -F exe=/bin/touch -F key=touch_tmp
> > > # /usr/local/sbin/ausearch --start recent -k touch_tmp
> > > time->Mon Jun 30 14:15:06 2014
> > > type=CONFIG_CHANGE msg=audit(1404152106.683:149): auid=0 ses=1 subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 op="add rule" key="touch_tmp" list=4 res=1
> > >
> > > # /usr/local/sbin/auditctl -l
> > > -a always,exit -S all -F dir=/tmp -F exe=/bin/touch -F key=touch_tmp
> > >
> > > # touch /tmp/test
> > >
> > > # /usr/local/sbin/ausearch --start recent -k touch_tmp
> > > time->Wed Jul 2 12:18:47 2014
> > > type=UNKNOWN[1327] msg=audit(1404317927.319:132): proctitle=746F756368002F746D702F74657374
> > > type=PATH msg=audit(1404317927.319:132): item=1 name="/tmp/test" inode=25997 dev=00:20 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE
> > > type=PATH msg=audit(1404317927.319:132): item=0 name="/tmp/" inode=11144 dev=00:20 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT
> > > type=CWD msg=audit(1404317927.319:132): cwd="/root"
> > > type=SYSCALL msg=audit(1404317927.319:132): arch=c000003e syscall=2 success=yes exit=3 a0=7ffffa403dd5 a1=941 a2=1b6 a3=34b65b2c6c items=2 ppid=4321 pid=6436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="touch_tmp"
> > >
> > >
> > > Revision history:
> > > v4: Re-order and squash down fixups
> > > Fix audit_dup_exe() to copy pathname string before calling
> > > audit_alloc_mark().
> > >
> > > v3: Rationalize and rename some function names and clean up get/put and free
> > > code. Rename several "watch" references to "mark".
> > > Rename audit_remove_rule() to audit_remove_mark_rule().
> > > Let audit_free_rule() take care of calling audit_remove_mark().
> > > Put audit_alloc_mark() arguments in same order as watch, tree and inode.
> > > Move the access to the entry for audit_match_signal() to the beginning of
> > > the function in case the entry found is the same one passed in. This will
> > > enable it to be used by audit_remove_mark_rule().
> > > https://www.redhat.com/archives/linux-audit/2014-July/msg00000.html
> > >
> > > v2: Misguided attempt to add in audit_exe similar to watches
> > > https://www.redhat.com/archives/linux-audit/2014-June/msg00066.html
> > >
> > > v1.5: eparis' switch to fsnotify
> > > https://www.redhat.com/archives/linux-audit/2014-May/msg00046.html
> > > https://www.redhat.com/archives/linux-audit/2014-May/msg00066.html
> > >
> > > v1: Change to path interface instead of inode
> > > https://www.redhat.com/archives/linux-audit/2014-May/msg00017.html
> > >
> > > v0: Peter Moody's original patches
> > > https://www.redhat.com/archives/linux-audit/2012-August/msg00033.html
> > >
> > >
> > > Next step:
> > > Get full-path notify working.
> > >
> > >
> > > Eric Paris (3):
> > > audit: implement audit by executable
> > > audit: clean simple fsnotify implementation
> > > audit: convert audit_exe to audit_fsnotify
> > >
> > > Richard Guy Briggs (1):
> > > audit: avoid double copying the audit_exe path string
> > >
> > > include/linux/audit.h | 1 +
> > > include/uapi/linux/audit.h | 2 +
> > > kernel/Makefile | 2 +-
> > > kernel/audit.h | 39 +++++++
> > > kernel/audit_exe.c | 49 +++++++++
> > > kernel/audit_fsnotify.c | 237 ++++++++++++++++++++++++++++++++++++++++++++
> > > kernel/auditfilter.c | 51 +++++++++-
> > > kernel/auditsc.c | 16 +++
> > > 8 files changed, 394 insertions(+), 3 deletions(-)
> > > create mode 100644 kernel/audit_exe.c
> > > create mode 100644 kernel/audit_fsnotify.c
> >
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
- RGB
--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545