Linux-audit Archive on lore.kernel.org
From: Steve Grubb <sgrubb@redhat.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: Linux-Audit Mailing List <linux-audit@redhat.com>,
	LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH ghak21 V2 0/4] audit: address ANOM_LINK excess records
Date: Mon, 12 Mar 2018 16:17:35 +0100
Message-ID: <20180312161735.3447ad56@ivy-bridge>
In-Reply-To: <cover.1520835596.git.rgb@redhat.com>

On Mon, 12 Mar 2018 02:31:16 -0400
Richard Guy Briggs <rgb@redhat.com> wrote:

> Audit link denied events were being unexpectedly produced in a
> disjoint way when audit was disabled, and when they were expected,
> there were duplicate PATH records.  This patchset addresses both
> issues for symlinks and hardlinks.
> 
> This was introduced with
> 	commit b24a30a7305418ff138ff51776fc555ec57c011a
> 	("audit: fix event coverage of AUDIT_ANOM_LINK")
> 	commit a51d9eaa41866ab6b4b6ecad7b621f8b66ece0dc
> 	("fs: add link restriction audit reporting")
> 
> Here are the resulting events:
> 
> symlink:
> type=PROCTITLE msg=audit(03/12/2018 02:21:49.578:310) : proctitle=ls ./my-passwd
> type=PATH msg=audit(03/12/2018 02:21:49.578:310) : item=1 name=/tmp/ inode=13529 dev=00:27 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=PATH msg=audit(03/12/2018 02:21:49.578:310) : item=0 name=./my-passwd inode=17090 dev=00:27 mode=link,777 ouid=rgb ogid=rgb rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=CWD msg=audit(03/12/2018 02:21:49.578:310) : cwd=/tmp
> type=SYSCALL msg=audit(03/12/2018 02:21:49.578:310) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7ffd79950dda a1=0x563f658a03c8 a2=0x563f658a03c8 a3=0x79950d00 items=2 ppid=552 pid=629 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> type=ANOM_LINK msg=audit(03/12/2018 02:21:49.578:310) : op=follow_link ppid=552 pid=629 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls

So, if we now only emit the ANOM_LINK event when audit is enabled, we
should get rid of all the duplicate information in that record. The
SYSCALL record has all that information.

-Steve

> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no
> ----
> hardlink:
> type=PROCTITLE msg=audit(03/12/2018 02:24:39.813:314) : proctitle=ln test test-ln
> type=PATH msg=audit(03/12/2018 02:24:39.813:314) : item=1 name=/tmp inode=13529 dev=00:27 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=PATH msg=audit(03/12/2018 02:24:39.813:314) : item=0 name=test inode=18112 dev=00:27 mode=file,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=CWD msg=audit(03/12/2018 02:24:39.813:314) : cwd=/tmp
> type=SYSCALL msg=audit(03/12/2018 02:24:39.813:314) : arch=x86_64 syscall=linkat success=no exit=EPERM(Operation not permitted) a0=0xffffff9c a1=0x7ffccba77629 a2=0xffffff9c a3=0x7ffccba7762e items=2 ppid=605 pid=638 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=pts0 ses=4 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> type=ANOM_LINK msg=audit(03/12/2018 02:24:39.813:314) : op=linkat ppid=605 pid=638 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=pts0 ses=4 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no
> 
> See: https://github.com/linux-audit/audit-kernel/issues/21
> See also: https://github.com/linux-audit/audit-kernel/issues/51
> 
> Richard Guy Briggs (4):
>   audit: make ANOM_LINK obey audit_enabled and audit_dummy_context
>   audit: link denied should not directly generate PATH record
>   audit: add refused symlink to audit_names
>   audit: add parent of refused symlink to audit_names
> 
>  fs/namei.c            |  5 +++--
>  include/linux/audit.h |  9 +++++----
>  kernel/audit.c        | 43 ++++++++++++++++++++++++++++++++-----------
>  3 files changed, 40 insertions(+), 17 deletions(-)
> 
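
As an added example (editor's code, not part of the patch series or of either author's mail), here is a small Python checker that groups `ausearch -i` style records by event serial and flags the two things the cover letter describes: PATH items emitted twice for one event, and ANOM_LINK fields that only repeat subject fields already present in the SYSCALL record, which is the redundancy Steve's reply points at. The sample records are constructed from the events quoted above and abbreviated (a0..a3, cap_* and obj= dropped); a second item=0 PATH line is added to the symlink event to stand in for the pre-patch duplicate. It is not a real capture.

```python
import re
from collections import defaultdict

# Constructed sample in `ausearch -i` style, modelled on the symlink and
# hardlink events in the cover letter. The repeated item=0 PATH line in
# event 310 is added here to represent the pre-patch duplicate; some
# fields are omitted for brevity. Not a real capture.
SAMPLE = """\
type=PROCTITLE msg=audit(03/12/2018 02:21:49.578:310) : proctitle=ls ./my-passwd
type=PATH msg=audit(03/12/2018 02:21:49.578:310) : item=1 name=/tmp/ inode=13529 dev=00:27 mode=dir,sticky,777 ouid=root ogid=root nametype=PARENT
type=PATH msg=audit(03/12/2018 02:21:49.578:310) : item=0 name=./my-passwd inode=17090 dev=00:27 mode=link,777 ouid=rgb ogid=rgb nametype=NORMAL
type=PATH msg=audit(03/12/2018 02:21:49.578:310) : item=0 name=./my-passwd inode=17090 dev=00:27 mode=link,777 ouid=rgb ogid=rgb nametype=NORMAL
type=CWD msg=audit(03/12/2018 02:21:49.578:310) : cwd=/tmp
type=SYSCALL msg=audit(03/12/2018 02:21:49.578:310) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) items=2 ppid=552 pid=629 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_LINK msg=audit(03/12/2018 02:21:49.578:310) : op=follow_link ppid=552 pid=629 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no
type=PROCTITLE msg=audit(03/12/2018 02:24:39.813:314) : proctitle=ln test test-ln
type=PATH msg=audit(03/12/2018 02:24:39.813:314) : item=1 name=/tmp inode=13529 dev=00:27 mode=dir,sticky,777 ouid=root ogid=root nametype=PARENT
type=PATH msg=audit(03/12/2018 02:24:39.813:314) : item=0 name=test inode=18112 dev=00:27 mode=file,700 ouid=root ogid=root nametype=NORMAL
type=CWD msg=audit(03/12/2018 02:24:39.813:314) : cwd=/tmp
type=SYSCALL msg=audit(03/12/2018 02:24:39.813:314) : arch=x86_64 syscall=linkat success=no exit=EPERM(Operation not permitted) items=2 ppid=605 pid=638 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=pts0 ses=4 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=ANOM_LINK msg=audit(03/12/2018 02:24:39.813:314) : op=linkat ppid=605 pid=638 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=pts0 ses=4 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no
"""

# Record head: type, timestamp, event serial (the number after the last
# colon inside audit(...)), then the field body after " : ".
HEAD_RE = re.compile(r"^type=(\S+) msg=audit\((.*?):(\d+)\) : (.*)$")
# Field values are either "quoted", NAME(text with spaces) as in
# exit=EACCES(Permission denied) and key=(null), or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|[^\s(]*\([^)]*\)|\S+)')

# Subject fields the ANOM_LINK record carries that the SYSCALL record of
# the same event already has.
SUBJECT_FIELDS = ("ppid", "pid", "auid", "uid", "gid", "euid", "suid",
                  "fsuid", "egid", "sgid", "fsgid", "tty", "ses", "comm",
                  "exe", "subj")


def parse_record(line):
    """Split one ausearch -i style record into type, event serial and fields."""
    m = HEAD_RE.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, _timestamp, serial, body = m.groups()
    if rtype == "PROCTITLE":
        # The decoded proctitle contains spaces; keep it whole.
        fields = {"proctitle": body.partition("proctitle=")[2]}
    else:
        fields = dict(FIELD_RE.findall(body))
    return {"type": rtype, "serial": serial, "fields": fields}


def group_events(text):
    """Map event serial -> list of records, in emission order."""
    events = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["serial"]].append(rec)
    return dict(events)


def duplicate_path_items(records):
    """PATH item numbers that occur more than once within one event."""
    counts = defaultdict(int)
    for r in records:
        if r["type"] == "PATH":
            counts[r["fields"].get("item")] += 1
    return sorted(item for item, n in counts.items() if n > 1)


def redundant_anom_link_fields(records):
    """ANOM_LINK fields whose values merely repeat the SYSCALL record."""
    by_type = {r["type"]: r for r in records}
    if "SYSCALL" not in by_type or "ANOM_LINK" not in by_type:
        return []
    anom, sc = by_type["ANOM_LINK"]["fields"], by_type["SYSCALL"]["fields"]
    return [f for f in SUBJECT_FIELDS if f in anom and anom[f] == sc.get(f)]


def event_report(text):
    """Per-event summary: syscall, link op, declared vs seen PATH items,
    duplicated PATH items and ANOM_LINK fields redundant with SYSCALL."""
    report = {}
    for serial, records in group_events(text).items():
        by_type = {r["type"]: r for r in records}
        sc = by_type.get("SYSCALL", {"fields": {}})["fields"]
        anom = by_type.get("ANOM_LINK", {"fields": {}})["fields"]
        path_items = {r["fields"].get("item") for r in records if r["type"] == "PATH"}
        report[serial] = {
            "syscall": sc.get("syscall"),
            "op": anom.get("op"),
            "items_declared": int(sc.get("items", 0)),
            "items_seen": len(path_items),
            "duplicate_path_items": duplicate_path_items(records),
            "redundant_fields": redundant_anom_link_fields(records),
        }
    return report


if __name__ == "__main__":
    for serial, info in event_report(SAMPLE).items():
        print(serial, info)
```

Run against a real `ausearch -i -m ANOM_LINK` dump the same way; an event whose `duplicate_path_items` is non-empty shows the PATH duplication the series removes, and a long `redundant_fields` list is the duplicated subject information Steve suggests dropping from ANOM_LINK once the record is only emitted alongside a SYSCALL record.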


Thread overview: 27+ messages
2018-03-12  6:31 [PATCH ghak21 V2 0/4] audit: address ANOM_LINK excess records Richard Guy Briggs
2018-03-12  6:31 ` [PATCH ghak21 V2 1/4] audit: make ANOM_LINK obey audit_enabled and audit_dummy_context Richard Guy Briggs
2018-03-12 15:01   ` Paul Moore
2018-03-12  6:31 ` [PATCH ghak21 V2 2/4] audit: link denied should not directly generate PATH record Richard Guy Briggs
2018-03-12 15:05   ` Paul Moore
2018-03-12 15:30     ` Richard Guy Briggs
2018-03-12 15:56       ` Paul Moore
2018-03-12 18:22   ` kbuild test robot
2018-03-13  4:21     ` Richard Guy Briggs
2018-03-12  6:31 ` [PATCH ghak21 V2 3/4] audit: add refused symlink to audit_names Richard Guy Briggs
2018-03-12 15:12   ` Paul Moore
2018-03-12 15:26     ` Richard Guy Briggs
2018-03-12 15:53       ` Paul Moore
2018-03-12 15:52         ` Richard Guy Briggs
2018-03-12 16:08           ` Paul Moore
2018-03-13  8:35           ` Steve Grubb
2018-03-13 10:11             ` Richard Guy Briggs
2018-03-13 10:38               ` Steve Grubb
2018-03-13 10:52                 ` Richard Guy Briggs
2018-03-13 12:13                   ` Steve Grubb
2018-03-13 20:24                   ` Paul Moore
2018-03-14  5:23                     ` Richard Guy Briggs
2018-03-12  6:31 ` [PATCH ghak21 V2 4/4] audit: add parent of " Richard Guy Briggs
2018-03-12 15:45   ` Paul Moore
2018-03-12  8:08 ` [PATCH ghak21 V2 0/4] audit: address ANOM_LINK excess records Richard Guy Briggs
2018-03-12 15:17 ` Steve Grubb [this message]
2018-03-12 15:49   ` Paul Moore
