From: Richard Guy Briggs <rgb@redhat.com>
To: Eric Paris <eparis@redhat.com>
Cc: Steve Grubb <sgrubb@redhat.com>,
linux-audit@redhat.com, linux-kernel@vger.kernel.org,
pmoore@redhat.com
Subject: Re: [RFC][PATCH] audit: log join and part events to the read-only multicast log socket
Date: Tue, 21 Oct 2014 21:18:36 -0400 [thread overview]
Message-ID: <20141022011836.GO15532@madcap2.tricolour.ca> (raw)
In-Reply-To: <1413930629.30946.68.camel@localhost>
On 14/10/21, Eric Paris wrote:
> On Tue, 2014-10-21 at 17:08 -0400, Richard Guy Briggs wrote:
> > On 14/10/21, Steve Grubb wrote:
> > > On Tuesday, October 07, 2014 03:03:14 PM Eric Paris wrote:
> > > > On Tue, 2014-10-07 at 14:23 -0400, Richard Guy Briggs wrote:
> > > > > Log the event when a client attempts to connect to the netlink audit
> > > > > multicast socket, requiring CAP_AUDIT_READ capability, binding to the
> > > > > AUDIT_NLGRP_READLOG group. Log the disconnect too.
> > > > >
> > > > >
> > > > >
> > > > > Sample output:
> > > > > time->Tue Oct 7 14:15:19 2014
> > > > > type=UNKNOWN[1348] msg=audit(1412705719.316:117): auid=0 uid=0 gid=0 ses=1
> > > > > pid=3552 comm="audit-multicast"
> > > > > exe="/home/rgb/rgb/git/audit-multicast-listen/audit-multicast-listen"
> > > > > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 group=0
> > > > > op=connect res=1>
> > > > >
> > > > >
> > > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > > > > ---
> > > > > For some reason unbind isn't being called on disconnect. I suspect
> > > > > missing
> > > > > plumbing in netlink. Investigation needed...
> > > > >
> > > > >
> > > > > include/uapi/linux/audit.h | 1 +
> > > > > kernel/audit.c | 46
> > > > >++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 45
> > > > >insertions(+), 2 deletions(-)
> > > > >
> > > > >
> > > > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > > > > index 4d100c8..7fa6e8f 100644
> > > > > --- a/include/uapi/linux/audit.h
> > > > > +++ b/include/uapi/linux/audit.h
> > > > > @@ -110,6 +110,7 @@
> > > > >
> > > > > #define AUDIT_SECCOMP 1326 /* Secure Computing event */
> > > > > #define AUDIT_PROCTITLE 1327 /* Proctitle emit event */
> > > > > #define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes
> > > > >*/>
> > > > > +#define AUDIT_EVENT_LISTENER 1348 /* task joined multicast read socket
> > > > > */>
> > > > >
> > > > > #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
> > > > > #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
> > > > >
> > > > > diff --git a/kernel/audit.c b/kernel/audit.c
> > > > > index 53bb39b..74c81a7 100644
> > > > > --- a/kernel/audit.c
> > > > > +++ b/kernel/audit.c
> > > > > @@ -1108,13 +1108,54 @@ static void audit_receive(struct sk_buff *skb)
> > > > >
> > > > > mutex_unlock(&audit_cmd_mutex);
> > > > > }
> > > > >
> > > > >
> > > > > +static void audit_log_bind(int group, char *op, int err)
> > > > > +{
> > > > > + struct audit_buffer *ab;
> > > > > + char comm[sizeof(current->comm)];
> > > > > + struct mm_struct *mm = current->mm;
> > > > > +
> > > > > + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_EVENT_LISTENER);
> > > > > + if (!ab)
> > > > > + return;
> > > > > +
> > > > > + audit_log_format(ab, "auid=%d",
> > > > > + from_kuid(&init_user_ns,
> > > > > audit_get_loginuid(current))); + audit_log_format(ab, " uid=%d",
> > > > > + from_kuid(&init_user_ns, current_uid()));
> > > > > + audit_log_format(ab, " gid=%d",
> > > > > + from_kgid(&init_user_ns, current_gid()));
> > > > > + audit_log_format(ab, " ses=%d", audit_get_sessionid(current));
> > > > > + audit_log_format(ab, " pid=%d", task_pid_nr(current));
> > > > > + audit_log_format(ab, " comm=");
> > > > > + audit_log_untrustedstring(ab, get_task_comm(comm, current));
> > > > > + if (mm) {
> > > > > + down_read(&mm->mmap_sem);
> > > > > + if (mm->exe_file)
> > > > > + audit_log_d_path(ab, " exe=",
> > > > > &mm->exe_file->f_path);
> > > > > + up_read(&mm->mmap_sem);
> > > > > + } else
> > > > > + audit_log_format(ab, " exe=(null)");
> > > > > + audit_log_task_context(ab); /* subj= */
> > > >
> > > > super crazy yuck. audit_log_task_info() ??
> > >
> > > audit_log_task_info logs too much information for typical use. There are times
> > > when you might want to know everything about what's connecting. But in this
> > > case, we don't need anything about groups, saved uids, fsuid, or ppid.
> > >
> > > Its a shame we don't have a audit_log_task_info_light function which only
> > > records:
> > >
> > > pid= auid= uid= subj= comm= exe= ses= tty=
> >
> > We already have audit_log_task() which gives:
> > auid=
> > uid=
> > gid=
> > ses=
> > subj=
> > pid=
> > comm=
> > exe=
> > This is missing tty=, but has gid=. Can we please use that function
> > instead and add tty=? And while we are at it, refactor
> > audit_log_task_info() to call audit_log_task()?
> >
> > Is this standard set above what should be used for certain classes of
> > log messages?
> >
> > Yes, it will be in a different order because we don't have a canonical
> > order yet. Can we accept two orders of keywords so we can start
> > canonicalizing, please?
>
> I've always hated the fact that we include this in ANY current audit
> message. I truly believe we need two new record types.
>
> AUDIT_PROCESS_INFO
> AUDIT_EXTENDED_PROCESS_INFO
>
> What does my UID have to do with a syscall? Why is it in the record?
> It's a pretty big change, like, RHEL8, but splitting the reporting of
> process info from other records will make all matter of things, in the
> kernel and in userspace so much cleaner...
>
> Nuts:
> type=SYSCALL msg=audit(10/13/2014 03:07:39.919:117953) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x1332f60 a1=0x7fff8749e6d0 a2=0x7fff8749e6d0 a3=0x0 items=1 ppid=28212 pid=30066 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=367 comm=lsof exe=/usr/sbin/lsof subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 key=(null)
>
> Slightly (and yes, just slightly) Less Nuts:
> type=SYSCALL msg=audit(10/13/2014 03:07:39.919:117953) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x1332f60 a1=0x7fff8749e6d0 a2=0x7fff8749e6d0 a3=0x0
> type=AUDIT_PROCESS_INFO msg=audit(10/13/2014 03:07:39.919:117953) : pid=30066 auid=root uid=root gid=root tty=(none) ses=367 comm=lsof exe=/usr/sbin/lsof subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 key=(null)
> type=AUDIT_EXTENDED_PROCESS_INFO msg=audit(10/13/2014 03:07:39.919:117953) : ppid=28212 euid=root suid=root fsuid=root egid=root sgid=root fsgid=root key=(null)
>
> It'd be weird is a syscall record actually only had syscall information....
I am definitely in favour of this approach.
- RGB
--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
next prev parent reply other threads:[~2014-10-22 1:18 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-10-07 18:23 [RFC][PATCH] audit: log join and part events to the read-only multicast log socket Richard Guy Briggs
2014-10-07 19:03 ` Eric Paris
2014-10-07 19:39 ` Richard Guy Briggs
2014-10-07 22:06 ` Paul Moore
2014-10-11 15:42 ` Steve Grubb
2014-10-11 20:00 ` Paul Moore
2014-10-21 16:41 ` Richard Guy Briggs
2014-10-21 19:56 ` Steve Grubb
2014-10-21 21:08 ` Richard Guy Briggs
2014-10-21 21:40 ` Steve Grubb
2014-10-29 20:23 ` Richard Guy Briggs
2014-10-21 22:30 ` Eric Paris
2014-10-21 23:14 ` Paul Moore
2014-10-22 1:18 ` Richard Guy Briggs [this message]
2014-10-22 14:30 ` Steve Grubb
2014-10-21 22:30 ` Paul Moore
2014-10-22 1:24 ` Richard Guy Briggs
2014-10-22 13:34 ` Paul Moore
2014-10-29 21:09 ` Richard Guy Briggs
2014-10-22 14:34 ` Steve Grubb
2014-10-22 14:25 ` Steve Grubb
2014-10-22 14:30 ` Eric Paris
2014-10-22 14:36 ` Steve Grubb
2014-10-22 15:08 ` Eric Paris
2014-10-22 15:12 ` Eric Paris
2014-10-22 15:51 ` LC Bruzenak
2014-10-22 16:24 ` Steve Grubb
2014-10-22 18:18 ` Eric Paris
2014-10-22 19:36 ` LC Bruzenak
2014-10-22 20:00 ` Steve Grubb
2014-10-22 15:28 ` Paul Moore
2014-10-22 17:56 ` Steve Grubb
2014-10-22 20:06 ` Paul Moore
2014-10-22 20:34 ` LC Bruzenak
2014-10-22 20:44 ` Paul Moore
2014-10-22 21:11 ` LC Bruzenak
2014-10-22 21:29 ` Paul Moore
2014-10-23 14:19 ` LC Bruzenak
2014-10-23 19:08 ` Paul Moore
2014-10-22 20:39 ` Steve Grubb
2014-10-22 21:00 ` Paul Moore
2014-10-22 21:18 ` Steve Grubb
2014-10-23 19:15 ` Paul Moore
2014-10-30 14:55 ` Richard Guy Briggs
2014-10-30 14:48 ` Typo in AUDIT_FEATURE_CHANGE events [was: Re: [RFC][PATCH] audit: log join and part events to the read-only multicast log socket] Richard Guy Briggs
2014-10-30 15:10 ` Steve Grubb
2014-10-30 15:23 ` Richard Guy Briggs
2014-10-29 21:38 ` [RFC][PATCH] audit: log join and part events to the read-only multicast log socket Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141022011836.GO15532@madcap2.tricolour.ca \
--to=rgb@redhat.com \
--cc=eparis@redhat.com \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=pmoore@redhat.com \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox