* [PATCH ghau90 v1] sig_info: use standard template for log messages @ 2019-04-15 13:02 Richard Guy Briggs 2019-04-15 14:58 ` Steve Grubb 0 siblings, 1 reply; 7+ messages in thread From: Richard Guy Briggs @ 2019-04-15 13:02 UTC (permalink / raw) To: Linux-Audit Mailing List; +Cc: Richard Guy Briggs Records that are triggered by an AUDIT_SIGNAL_INFO message including AUDIT_DAEMON_CONFIG (HUP), AUDIT_DAEMON_ROTATE (USR1), AUDIT_DAEMON_RESUME (USR2) and AUDIT_DAEMON_END (TERM) have inconsistent reporting of signal info and swinging field "state". They also assume that an empty security context implies there is no other useful information in the AUDIT_SIGNAL_INFO message so don't use the information that is there. Normalize AUDIT_DAEMON_CONFIG to use the value "reconfigure" and add the "state" field where missing. Use audit_sig_info values when available, not making assumptions about their availability when the security context is absent. See: https://github.com/linux-audit/audit-userspace/issues/90 Signed-off-by: Richard Guy Briggs <rgb@redhat.com> --- docs/audit_request_signal_info.3 | 2 +- lib/libaudit.c | 12 +++++++++ lib/libaudit.h | 1 + src/auditd-reconfig.c | 9 +++---- src/auditd.c | 54 ++++++++++++++-------------------------- 5 files changed, 36 insertions(+), 42 deletions(-) diff --git a/docs/audit_request_signal_info.3 b/docs/audit_request_signal_info.3 index 873deb58bef3..b68d7bbefeed 100644 --- a/docs/audit_request_signal_info.3 +++ b/docs/audit_request_signal_info.3 @@ -8,7 +8,7 @@ int audit_request_signal_info(int fd); .SH "DESCRIPTION" -audit_request_signal_info requests that the kernel send information about the sender of a signal to the audit daemon. The sinal info structure is as follows: +audit_request_signal_info requests that the kernel send information about the sender of a signal to the audit daemon. The signal info structure is as follows: .nf struct audit_sig_info { diff --git a/lib/libaudit.c b/lib/libaudit.c index 2af017a0e520..e9c4f9cad6df 100644 --- a/lib/libaudit.c +++ b/lib/libaudit.c @@ -674,6 +674,18 @@ int audit_request_signal_info(int fd) return rc; } +char *audit_format_signal_info(char *buf, int len, char *op, struct audit_reply *rep, char *res) +{ + snprintf(buf, len, + "op=%s auid=%u pid=%d subj=%s res=%s", + op, + rep->signal_info->uid, + rep->signal_info->pid, + rep->len == 24 ? "?" : rep->signal_info->ctx, + res); + return buf; +} + int audit_update_watch_perms(struct audit_rule_data *rule, int perms) { unsigned int i, done=0; diff --git a/lib/libaudit.h b/lib/libaudit.h index ca7aa63e354e..63a5e948d00e 100644 --- a/lib/libaudit.h +++ b/lib/libaudit.h @@ -562,6 +562,7 @@ extern int audit_setloginuid(uid_t uid); extern uint32_t audit_get_session(void); extern int audit_detect_machine(void); extern int audit_determine_machine(const char *arch); +extern char *audit_format_signal_info(char *buf, int len, char *op, struct audit_reply *rep, char *res); /* Translation functions */ extern int audit_name_to_field(const char *field); diff --git a/src/auditd-reconfig.c b/src/auditd-reconfig.c index a03e29aa57ab..f5b00e6d1dc7 100644 --- a/src/auditd-reconfig.c +++ b/src/auditd-reconfig.c @@ -115,12 +115,9 @@ static void *config_thread_main(void *arg) } else { // need to send a failed event message char txt[MAX_AUDIT_MESSAGE_LENGTH]; - snprintf(txt, sizeof(txt), - "op=reconfigure state=no-change auid=%u pid=%d subj=%s res=failed", - e->reply.signal_info->uid, - e->reply.signal_info->pid, - (e->reply.len > 24) ? - e->reply.signal_info->ctx : "?"); + audit_format_signal_info(txt, sizeof(txt), + "reconfigure state=no-change", + &e->reply, "failed"); // FIXME: need to figure out sending this //send_audit_event(AUDIT_DAEMON_CONFIG, txt); free_config(&new_config); diff --git a/src/auditd.c b/src/auditd.c index c04a1c9ce93f..5c31583a49c6 100644 --- a/src/auditd.c +++ b/src/auditd.c @@ -131,7 +131,7 @@ static void hup_handler( struct ev_loop *loop, struct ev_signal *sig, int revent rc = audit_request_signal_info(fd); if (rc < 0) send_audit_event(AUDIT_DAEMON_CONFIG, - "op=hup-info state=request-siginfo auid=-1 pid=-1 subj=? res=failed"); + "op=reconfigure state=no-change auid=-1 pid=-1 subj=? res=failed"); else hup_info_requested = 1; } @@ -147,7 +147,7 @@ static void user1_handler(struct ev_loop *loop, struct ev_signal *sig, rc = audit_request_signal_info(fd); if (rc < 0) send_audit_event(AUDIT_DAEMON_ROTATE, - "op=usr1-info auid=-1 pid=-1 subj=? res=failed"); + "op=rotate-logs auid=-1 pid=-1 subj=? res=failed"); else usr1_info_requested = 1; } @@ -163,7 +163,7 @@ static void user2_handler( struct ev_loop *loop, struct ev_signal *sig, int reve if (rc < 0) { resume_logging(); send_audit_event(AUDIT_DAEMON_RESUME, - "op=resume-logging auid=-1 pid=-1 subj=? res=success"); + "op=resume-logging auid=-1 pid=-1 subj=? res=failed"); } else usr2_info_requested = 1; } @@ -515,45 +515,33 @@ static void netlink_handler(struct ev_loop *loop, struct ev_io *io, break; case AUDIT_SIGNAL_INFO: if (hup_info_requested) { + char hup[MAX_AUDIT_MESSAGE_LENGTH]; audit_msg(LOG_DEBUG, "HUP detected, starting config manager"); reconfig_ev = cur_event; if (start_config_manager(cur_event)) { - send_audit_event( - AUDIT_DAEMON_CONFIG, - "op=reconfigure state=no-change " - "auid=-1 pid=-1 subj=? res=failed"); + audit_format_signal_info(hup, sizeof(hup), + "reconfigure state=no-change", + &cur_event->reply, + "failed"); + send_audit_event(AUDIT_DAEMON_CONFIG, hup); } cur_event = NULL; hup_info_requested = 0; } else if (usr1_info_requested) { char usr1[MAX_AUDIT_MESSAGE_LENGTH]; - if (cur_event->reply.len == 24) { - snprintf(usr1, sizeof(usr1), - "op=rotate-logs auid=-1 pid=-1 subj=?"); - } else { - snprintf(usr1, sizeof(usr1), - "op=rotate-logs auid=%u pid=%d subj=%s", - cur_event->reply.signal_info->uid, - cur_event->reply.signal_info->pid, - cur_event->reply.signal_info->ctx); - } + audit_format_signal_info(usr1, sizeof(usr1), + "rotate-logs", + &cur_event->reply, + "success"); send_audit_event(AUDIT_DAEMON_ROTATE, usr1); usr1_info_requested = 0; } else if (usr2_info_requested) { char usr2[MAX_AUDIT_MESSAGE_LENGTH]; - if (cur_event->reply.len == 24) { - snprintf(usr2, sizeof(usr2), - "op=resume-logging auid=-1 " - "pid=-1 subj=? res=success"); - } else { - snprintf(usr2, sizeof(usr2), - "op=resume-logging " - "auid=%u pid=%d subj=%s res=success", - cur_event->reply.signal_info->uid, - cur_event->reply.signal_info->pid, - cur_event->reply.signal_info->ctx); - } + audit_format_signal_info(usr2, sizeof(usr2), + "resume-logging", + &cur_event->reply, + "success"); resume_logging(); libdisp_resume(); send_audit_event(AUDIT_DAEMON_RESUME, usr2); @@ -993,12 +981,8 @@ int main(int argc, char *argv[]) rc = get_reply(fd, &trep, rc); if (rc > 0) { char txt[MAX_AUDIT_MESSAGE_LENGTH]; - snprintf(txt, sizeof(txt), - "op=terminate auid=%u " - "pid=%d subj=%s res=success", - trep.signal_info->uid, - trep.signal_info->pid, - trep.signal_info->ctx); + audit_format_signal_info(txt, sizeof(txt), "terminate", + &trep, "success"); send_audit_event(AUDIT_DAEMON_END, txt); } } -- 1.8.3.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH ghau90 v1] sig_info: use standard template for log messages 2019-04-15 13:02 [PATCH ghau90 v1] sig_info: use standard template for log messages Richard Guy Briggs @ 2019-04-15 14:58 ` Steve Grubb 2019-04-15 16:21 ` Richard Guy Briggs 0 siblings, 1 reply; 7+ messages in thread From: Steve Grubb @ 2019-04-15 14:58 UTC (permalink / raw) To: Richard Guy Briggs; +Cc: Linux-Audit Mailing List On Monday, April 15, 2019 9:02:36 AM EDT Richard Guy Briggs wrote: > Records that are triggered by an AUDIT_SIGNAL_INFO message including > AUDIT_DAEMON_CONFIG (HUP), AUDIT_DAEMON_ROTATE (USR1), > AUDIT_DAEMON_RESUME (USR2) and AUDIT_DAEMON_END (TERM) have inconsistent > reporting of signal info and swinging field "state". This is crusty old code that has things in it that were for migrations with very old kernels. It's not readily obvious because those kernel transitions were quite some time ago. There was also a fake > They also assume that an empty security context implies there is no > other useful information in the AUDIT_SIGNAL_INFO message so don't use > the information that is there. How are you generating the events that trigger this? If this is based on reading the source code, I think its because of an ancient kernel change. If you can generate this condition, then I'd like to replicate the problem on my system to see what's happening. > Normalize AUDIT_DAEMON_CONFIG to use the value "reconfigure" and add the > "state" field where missing. > > Use audit_sig_info values when available, not making assumptions about > their availability when the security context is absent. > > See: https://github.com/linux-audit/audit-userspace/issues/90 I had made changes to the git repo Saturday. I suspect this patch does not apply. I like the op value changes. That part I can go along with. Shall I just make that adjustment in the upstream repo and we can talk more about how you are creating these events? Thanks, -Steve > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > --- > docs/audit_request_signal_info.3 | 2 +- > lib/libaudit.c | 12 +++++++++ > lib/libaudit.h | 1 + > src/auditd-reconfig.c | 9 +++---- > src/auditd.c | 54 > ++++++++++++++-------------------------- 5 files changed, 36 > insertions(+), 42 deletions(-) > > diff --git a/docs/audit_request_signal_info.3 > b/docs/audit_request_signal_info.3 index 873deb58bef3..b68d7bbefeed 100644 > --- a/docs/audit_request_signal_info.3 > +++ b/docs/audit_request_signal_info.3 > @@ -8,7 +8,7 @@ int audit_request_signal_info(int fd); > > .SH "DESCRIPTION" > > -audit_request_signal_info requests that the kernel send information about > the sender of a signal to the audit daemon. The sinal info structure is as > follows: +audit_request_signal_info requests that the kernel send > information about the sender of a signal to the audit daemon. The signal > info structure is as follows: > > .nf > struct audit_sig_info { > diff --git a/lib/libaudit.c b/lib/libaudit.c > index 2af017a0e520..e9c4f9cad6df 100644 > --- a/lib/libaudit.c > +++ b/lib/libaudit.c > @@ -674,6 +674,18 @@ int audit_request_signal_info(int fd) > return rc; > } > > +char *audit_format_signal_info(char *buf, int len, char *op, struct > audit_reply *rep, char *res) +{ > + snprintf(buf, len, > + "op=%s auid=%u pid=%d subj=%s res=%s", > + op, > + rep->signal_info->uid, > + rep->signal_info->pid, > + rep->len == 24 ? "?" : rep->signal_info->ctx, > + res); > + return buf; > +} > + > int audit_update_watch_perms(struct audit_rule_data *rule, int perms) > { > unsigned int i, done=0; > diff --git a/lib/libaudit.h b/lib/libaudit.h > index ca7aa63e354e..63a5e948d00e 100644 > --- a/lib/libaudit.h > +++ b/lib/libaudit.h > @@ -562,6 +562,7 @@ extern int audit_setloginuid(uid_t uid); > extern uint32_t audit_get_session(void); > extern int audit_detect_machine(void); > extern int audit_determine_machine(const char *arch); > +extern char *audit_format_signal_info(char *buf, int len, char *op, struct > audit_reply *rep, char *res); > > /* Translation functions */ > extern int audit_name_to_field(const char *field); > diff --git a/src/auditd-reconfig.c b/src/auditd-reconfig.c > index a03e29aa57ab..f5b00e6d1dc7 100644 > --- a/src/auditd-reconfig.c > +++ b/src/auditd-reconfig.c > @@ -115,12 +115,9 @@ static void *config_thread_main(void *arg) > } else { > // need to send a failed event message > char txt[MAX_AUDIT_MESSAGE_LENGTH]; > - snprintf(txt, sizeof(txt), > - "op=reconfigure state=no-change auid=%u pid=%d subj=%s res=failed", > - e->reply.signal_info->uid, > - e->reply.signal_info->pid, > - (e->reply.len > 24) ? > - e->reply.signal_info->ctx : "?"); > + audit_format_signal_info(txt, sizeof(txt), > + "reconfigure state=no-change", > + &e->reply, "failed"); > // FIXME: need to figure out sending this > //send_audit_event(AUDIT_DAEMON_CONFIG, txt); > free_config(&new_config); > diff --git a/src/auditd.c b/src/auditd.c > index c04a1c9ce93f..5c31583a49c6 100644 > --- a/src/auditd.c > +++ b/src/auditd.c > @@ -131,7 +131,7 @@ static void hup_handler( struct ev_loop *loop, struct > ev_signal *sig, int revent rc = audit_request_signal_info(fd); > if (rc < 0) > send_audit_event(AUDIT_DAEMON_CONFIG, > - "op=hup-info state=request-siginfo auid=-1 pid=-1 subj=? res=failed"); > + "op=reconfigure state=no-change auid=-1 pid=-1 subj=? res=failed"); > else > hup_info_requested = 1; > } > @@ -147,7 +147,7 @@ static void user1_handler(struct ev_loop *loop, struct > ev_signal *sig, rc = audit_request_signal_info(fd); > if (rc < 0) > send_audit_event(AUDIT_DAEMON_ROTATE, > - "op=usr1-info auid=-1 pid=-1 subj=? res=failed"); > + "op=rotate-logs auid=-1 pid=-1 subj=? res=failed"); > else > usr1_info_requested = 1; > } > @@ -163,7 +163,7 @@ static void user2_handler( struct ev_loop *loop, struct > ev_signal *sig, int reve if (rc < 0) { > resume_logging(); > send_audit_event(AUDIT_DAEMON_RESUME, > - "op=resume-logging auid=-1 pid=-1 subj=? res=success"); > + "op=resume-logging auid=-1 pid=-1 subj=? res=failed"); > } else > usr2_info_requested = 1; > } > @@ -515,45 +515,33 @@ static void netlink_handler(struct ev_loop *loop, > struct ev_io *io, break; > case AUDIT_SIGNAL_INFO: > if (hup_info_requested) { > + char hup[MAX_AUDIT_MESSAGE_LENGTH]; > audit_msg(LOG_DEBUG, > "HUP detected, starting config manager"); > reconfig_ev = cur_event; > if (start_config_manager(cur_event)) { > - send_audit_event( > - AUDIT_DAEMON_CONFIG, > - "op=reconfigure state=no-change " > - "auid=-1 pid=-1 subj=? res=failed"); > + audit_format_signal_info(hup, sizeof(hup), > + "reconfigure state=no-change", > + &cur_event->reply, > + "failed"); > + send_audit_event(AUDIT_DAEMON_CONFIG, hup); > } > cur_event = NULL; > hup_info_requested = 0; > } else if (usr1_info_requested) { > char usr1[MAX_AUDIT_MESSAGE_LENGTH]; > - if (cur_event->reply.len == 24) { > - snprintf(usr1, sizeof(usr1), > - "op=rotate-logs auid=-1 pid=-1 subj=?"); > - } else { > - snprintf(usr1, sizeof(usr1), > - "op=rotate-logs auid=%u pid=%d subj=%s", > - cur_event->reply.signal_info->uid, > - cur_event->reply.signal_info->pid, > - cur_event->reply.signal_info->ctx); > - } > + audit_format_signal_info(usr1, sizeof(usr1), > + "rotate-logs", > + &cur_event->reply, > + "success"); > send_audit_event(AUDIT_DAEMON_ROTATE, usr1); > usr1_info_requested = 0; > } else if (usr2_info_requested) { > char usr2[MAX_AUDIT_MESSAGE_LENGTH]; > - if (cur_event->reply.len == 24) { > - snprintf(usr2, sizeof(usr2), > - "op=resume-logging auid=-1 " > - "pid=-1 subj=? res=success"); > - } else { > - snprintf(usr2, sizeof(usr2), > - "op=resume-logging " > - "auid=%u pid=%d subj=%s res=success", > - cur_event->reply.signal_info->uid, > - cur_event->reply.signal_info->pid, > - cur_event->reply.signal_info->ctx); > - } > + audit_format_signal_info(usr2, sizeof(usr2), > + "resume-logging", > + &cur_event->reply, > + "success"); > resume_logging(); > libdisp_resume(); > send_audit_event(AUDIT_DAEMON_RESUME, usr2); > @@ -993,12 +981,8 @@ int main(int argc, char *argv[]) > rc = get_reply(fd, &trep, rc); > if (rc > 0) { > char txt[MAX_AUDIT_MESSAGE_LENGTH]; > - snprintf(txt, sizeof(txt), > - "op=terminate auid=%u " > - "pid=%d subj=%s res=success", > - trep.signal_info->uid, > - trep.signal_info->pid, > - trep.signal_info->ctx); > + audit_format_signal_info(txt, sizeof(txt), "terminate", > + &trep, "success"); > send_audit_event(AUDIT_DAEMON_END, txt); > } > } ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH ghau90 v1] sig_info: use standard template for log messages 2019-04-15 14:58 ` Steve Grubb @ 2019-04-15 16:21 ` Richard Guy Briggs 2019-04-15 21:10 ` Steve Grubb 0 siblings, 1 reply; 7+ messages in thread From: Richard Guy Briggs @ 2019-04-15 16:21 UTC (permalink / raw) To: Steve Grubb; +Cc: Linux-Audit Mailing List On 2019-04-15 10:58, Steve Grubb wrote: > On Monday, April 15, 2019 9:02:36 AM EDT Richard Guy Briggs wrote: > > Records that are triggered by an AUDIT_SIGNAL_INFO message including > > AUDIT_DAEMON_CONFIG (HUP), AUDIT_DAEMON_ROTATE (USR1), > > AUDIT_DAEMON_RESUME (USR2) and AUDIT_DAEMON_END (TERM) have inconsistent > > reporting of signal info and swinging field "state". > > This is crusty old code that has things in it that were for migrations with > very old kernels. It's not readily obvious because those kernel transitions > were quite some time ago. There was also a fake > > > They also assume that an empty security context implies there is no > > other useful information in the AUDIT_SIGNAL_INFO message so don't use > > the information that is there. > > How are you generating the events that trigger this? If this is based on > reading the source code, I think its because of an ancient kernel change. If > you can generate this condition, then I'd like to replicate the problem on my > system to see what's happening. I used a current audit/next kernel, compiled with AUDIT_CONFIG, but with and without AUDIT_CONFIGSYSCALL and simply signalled the audit daemon with the four signals and then ran ausearch on the most recent messages. I did not generate errors, but I could have by creating a custom kernel that returned errors upon request for AUDIT_SIGNAL_INFO. > > Normalize AUDIT_DAEMON_CONFIG to use the value "reconfigure" and add the > > "state" field where missing. > > > > Use audit_sig_info values when available, not making assumptions about > > their availability when the security context is absent. > > > > See: https://github.com/linux-audit/audit-userspace/issues/90 > > I had made changes to the git repo Saturday. I suspect this patch does not > apply. I like the op value changes. That part I can go along with. Shall I > just make that adjustment in the upstream repo and we can talk more about how > you are creating these events? This patch was rebased on your patch so it is current. I wanted it all in one function so that the format was consistent rather than open coded for anything that could use the AUDIT_SIGNAL_INFO contents. This will also help once there is also a cid (contid) to report. > -Steve > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > > --- > > docs/audit_request_signal_info.3 | 2 +- > > lib/libaudit.c | 12 +++++++++ > > lib/libaudit.h | 1 + > > src/auditd-reconfig.c | 9 +++---- > > src/auditd.c | 54 > > ++++++++++++++-------------------------- 5 files changed, 36 > > insertions(+), 42 deletions(-) > > > > diff --git a/docs/audit_request_signal_info.3 > > b/docs/audit_request_signal_info.3 index 873deb58bef3..b68d7bbefeed 100644 > > --- a/docs/audit_request_signal_info.3 > > +++ b/docs/audit_request_signal_info.3 > > @@ -8,7 +8,7 @@ int audit_request_signal_info(int fd); > > > > .SH "DESCRIPTION" > > > > -audit_request_signal_info requests that the kernel send information about > > the sender of a signal to the audit daemon. The sinal info structure is as > > follows: +audit_request_signal_info requests that the kernel send > > information about the sender of a signal to the audit daemon. The signal > > info structure is as follows: > > > > .nf > > struct audit_sig_info { > > diff --git a/lib/libaudit.c b/lib/libaudit.c > > index 2af017a0e520..e9c4f9cad6df 100644 > > --- a/lib/libaudit.c > > +++ b/lib/libaudit.c > > @@ -674,6 +674,18 @@ int audit_request_signal_info(int fd) > > return rc; > > } > > > > +char *audit_format_signal_info(char *buf, int len, char *op, struct > > audit_reply *rep, char *res) +{ > > + snprintf(buf, len, > > + "op=%s auid=%u pid=%d subj=%s res=%s", > > + op, > > + rep->signal_info->uid, > > + rep->signal_info->pid, > > + rep->len == 24 ? "?" : rep->signal_info->ctx, > > + res); > > + return buf; > > +} > > + > > int audit_update_watch_perms(struct audit_rule_data *rule, int perms) > > { > > unsigned int i, done=0; > > diff --git a/lib/libaudit.h b/lib/libaudit.h > > index ca7aa63e354e..63a5e948d00e 100644 > > --- a/lib/libaudit.h > > +++ b/lib/libaudit.h > > @@ -562,6 +562,7 @@ extern int audit_setloginuid(uid_t uid); > > extern uint32_t audit_get_session(void); > > extern int audit_detect_machine(void); > > extern int audit_determine_machine(const char *arch); > > +extern char *audit_format_signal_info(char *buf, int len, char *op, struct > > audit_reply *rep, char *res); > > > > /* Translation functions */ > > extern int audit_name_to_field(const char *field); > > diff --git a/src/auditd-reconfig.c b/src/auditd-reconfig.c > > index a03e29aa57ab..f5b00e6d1dc7 100644 > > --- a/src/auditd-reconfig.c > > +++ b/src/auditd-reconfig.c > > @@ -115,12 +115,9 @@ static void *config_thread_main(void *arg) > > } else { > > // need to send a failed event message > > char txt[MAX_AUDIT_MESSAGE_LENGTH]; > > - snprintf(txt, sizeof(txt), > > - "op=reconfigure state=no-change auid=%u pid=%d subj=%s > res=failed", > > - e->reply.signal_info->uid, > > - e->reply.signal_info->pid, > > - (e->reply.len > 24) ? > > - e->reply.signal_info->ctx : "?"); > > + audit_format_signal_info(txt, sizeof(txt), > > + "reconfigure state=no-change", > > + &e->reply, "failed"); > > // FIXME: need to figure out sending this > > //send_audit_event(AUDIT_DAEMON_CONFIG, txt); > > free_config(&new_config); > > diff --git a/src/auditd.c b/src/auditd.c > > index c04a1c9ce93f..5c31583a49c6 100644 > > --- a/src/auditd.c > > +++ b/src/auditd.c > > @@ -131,7 +131,7 @@ static void hup_handler( struct ev_loop *loop, struct > > ev_signal *sig, int revent rc = audit_request_signal_info(fd); > > if (rc < 0) > > send_audit_event(AUDIT_DAEMON_CONFIG, > > - "op=hup-info state=request-siginfo auid=-1 pid=-1 subj=? > res=failed"); > > + "op=reconfigure state=no-change auid=-1 pid=-1 subj=? res=failed"); > > else > > hup_info_requested = 1; > > } > > @@ -147,7 +147,7 @@ static void user1_handler(struct ev_loop *loop, struct > > ev_signal *sig, rc = audit_request_signal_info(fd); > > if (rc < 0) > > send_audit_event(AUDIT_DAEMON_ROTATE, > > - "op=usr1-info auid=-1 pid=-1 subj=? res=failed"); > > + "op=rotate-logs auid=-1 pid=-1 subj=? res=failed"); > > else > > usr1_info_requested = 1; > > } > > @@ -163,7 +163,7 @@ static void user2_handler( struct ev_loop *loop, struct > > ev_signal *sig, int reve if (rc < 0) { > > resume_logging(); > > send_audit_event(AUDIT_DAEMON_RESUME, > > - "op=resume-logging auid=-1 pid=-1 subj=? > res=success"); > > + "op=resume-logging auid=-1 pid=-1 subj=? res=failed"); > > } else > > usr2_info_requested = 1; > > } > > @@ -515,45 +515,33 @@ static void netlink_handler(struct ev_loop *loop, > > struct ev_io *io, break; > > case AUDIT_SIGNAL_INFO: > > if (hup_info_requested) { > > + char hup[MAX_AUDIT_MESSAGE_LENGTH]; > > audit_msg(LOG_DEBUG, > > "HUP detected, starting config manager"); > > reconfig_ev = cur_event; > > if (start_config_manager(cur_event)) { > > - send_audit_event( > > - AUDIT_DAEMON_CONFIG, > > - "op=reconfigure state=no-change " > > - "auid=-1 pid=-1 subj=? res=failed"); > > + audit_format_signal_info(hup, sizeof(hup), > > + "reconfigure > state=no-change", > > + &cur_event->reply, > > + "failed"); > > + send_audit_event(AUDIT_DAEMON_CONFIG, > hup); > > } > > cur_event = NULL; > > hup_info_requested = 0; > > } else if (usr1_info_requested) { > > char usr1[MAX_AUDIT_MESSAGE_LENGTH]; > > - if (cur_event->reply.len == 24) { > > - snprintf(usr1, sizeof(usr1), > > - "op=rotate-logs auid=-1 pid=-1 subj=?"); > > - } else { > > - snprintf(usr1, sizeof(usr1), > > - "op=rotate-logs auid=%u pid=%d subj=%s", > > - cur_event->reply.signal_info->uid, > > - cur_event->reply.signal_info->pid, > > - cur_event->reply.signal_info->ctx); > > - } > > + audit_format_signal_info(usr1, sizeof(usr1), > > + "rotate-logs", > > + &cur_event->reply, > > + "success"); > > send_audit_event(AUDIT_DAEMON_ROTATE, usr1); > > usr1_info_requested = 0; > > } else if (usr2_info_requested) { > > char usr2[MAX_AUDIT_MESSAGE_LENGTH]; > > - if (cur_event->reply.len == 24) { > > - snprintf(usr2, sizeof(usr2), > > - "op=resume-logging auid=-1 " > > - "pid=-1 subj=? res=success"); > > - } else { > > - snprintf(usr2, sizeof(usr2), > > - "op=resume-logging " > > - "auid=%u pid=%d subj=%s res=success", > > - cur_event->reply.signal_info->uid, > > - cur_event->reply.signal_info->pid, > > - cur_event->reply.signal_info->ctx); > > - } > > + audit_format_signal_info(usr2, sizeof(usr2), > > + "resume-logging", > > + &cur_event->reply, > > + "success"); > > resume_logging(); > > libdisp_resume(); > > send_audit_event(AUDIT_DAEMON_RESUME, usr2); > > @@ -993,12 +981,8 @@ int main(int argc, char *argv[]) > > rc = get_reply(fd, &trep, rc); > > if (rc > 0) { > > char txt[MAX_AUDIT_MESSAGE_LENGTH]; > > - snprintf(txt, sizeof(txt), > > - "op=terminate auid=%u " > > - "pid=%d subj=%s res=success", > > - trep.signal_info->uid, > > - trep.signal_info->pid, > > - trep.signal_info->ctx); > > + audit_format_signal_info(txt, sizeof(txt), "terminate", > > + &trep, "success"); > > send_audit_event(AUDIT_DAEMON_END, txt); > > } > > } > > > > > -- > Linux-audit mailing list > Linux-audit@redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit - RGB -- Richard Guy Briggs <rgb@redhat.com> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH ghau90 v1] sig_info: use standard template for log messages 2019-04-15 16:21 ` Richard Guy Briggs @ 2019-04-15 21:10 ` Steve Grubb 2019-04-16 19:57 ` Richard Guy Briggs 0 siblings, 1 reply; 7+ messages in thread From: Steve Grubb @ 2019-04-15 21:10 UTC (permalink / raw) To: Richard Guy Briggs; +Cc: Linux-Audit Mailing List On Monday, April 15, 2019 12:21:49 PM EDT Richard Guy Briggs wrote: > On 2019-04-15 10:58, Steve Grubb wrote: > > On Monday, April 15, 2019 9:02:36 AM EDT Richard Guy Briggs wrote: > > > Records that are triggered by an AUDIT_SIGNAL_INFO message including > > > AUDIT_DAEMON_CONFIG (HUP), AUDIT_DAEMON_ROTATE (USR1), > > > AUDIT_DAEMON_RESUME (USR2) and AUDIT_DAEMON_END (TERM) have > > > inconsistent reporting of signal info and swinging field "state". > > > > This is crusty old code that has things in it that were for migrations > > with very old kernels. It's not readily obvious because those kernel > > transitions were quite some time ago. There was also a fake > > > > > They also assume that an empty security context implies there is no > > > other useful information in the AUDIT_SIGNAL_INFO message so don't use > > > the information that is there. > > > > How are you generating the events that trigger this? If this is based on > > reading the source code, I think its because of an ancient kernel change. > > If you can generate this condition, then I'd like to replicate the > > problem on my system to see what's happening. > > I used a current audit/next kernel, compiled with AUDIT_CONFIG, but with > and without AUDIT_CONFIGSYSCALL Is this a configuration that we really want to support? :-) This really will not work as anything except for gathering AVC's or other LSM events. And I think those go to syslog anyways. I'd say that with this kernel configuration, they likely would not run auditd as there's no point in it. > and simply signalled the audit daemon with the four signals and then ran > ausearch on the most recent messages. > > I did not generate errors, but I could have by creating a custom kernel > that returned errors upon request for AUDIT_SIGNAL_INFO. > > > > Normalize AUDIT_DAEMON_CONFIG to use the value "reconfigure" and add > > > the "state" field where missing. > > > > > > Use audit_sig_info values when available, not making assumptions about > > > their availability when the security context is absent. > > > > > > See: https://github.com/linux-audit/audit-userspace/issues/90 > > > > I had made changes to the git repo Saturday. I suspect this patch does > > not apply. I like the op value changes. That part I can go along with. > > Shall I just make that adjustment in the upstream repo and we can talk > > more about how you are creating these events? > > This patch was rebased on your patch so it is current. One thing I should mention, the audit events are created with and without the subj field because for common criteria, a DAC based system should have no notion of MAC fields. This is why we alway branch on the "ctx" variables and create the event with or without subj. > I wanted it all in one function so that the format was consistent rather > than open coded for anything that could use the AUDIT_SIGNAL_INFO > contents. This will also help once there is also a cid (contid) to > report. OK. -Steve > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > > > --- > > > > > > docs/audit_request_signal_info.3 | 2 +- > > > lib/libaudit.c | 12 +++++++++ > > > lib/libaudit.h | 1 + > > > src/auditd-reconfig.c | 9 +++---- > > > src/auditd.c | 54 > > > > > > ++++++++++++++-------------------------- 5 files changed, 36 > > > insertions(+), 42 deletions(-) > > > > > > diff --git a/docs/audit_request_signal_info.3 > > > b/docs/audit_request_signal_info.3 index 873deb58bef3..b68d7bbefeed > > > 100644 > > > --- a/docs/audit_request_signal_info.3 > > > +++ b/docs/audit_request_signal_info.3 > > > @@ -8,7 +8,7 @@ int audit_request_signal_info(int fd); > > > > > > .SH "DESCRIPTION" > > > > > > -audit_request_signal_info requests that the kernel send information > > > about > > > the sender of a signal to the audit daemon. The sinal info structure is > > > as > > > follows: +audit_request_signal_info requests that the kernel send > > > information about the sender of a signal to the audit daemon. The > > > signal > > > > > > info structure is as follows: > > > .nf > > > struct audit_sig_info { > > > > > > diff --git a/lib/libaudit.c b/lib/libaudit.c > > > index 2af017a0e520..e9c4f9cad6df 100644 > > > --- a/lib/libaudit.c > > > +++ b/lib/libaudit.c > > > @@ -674,6 +674,18 @@ int audit_request_signal_info(int fd) > > > > > > return rc; > > > > > > } > > > > > > +char *audit_format_signal_info(char *buf, int len, char *op, struct > > > audit_reply *rep, char *res) +{ > > > + snprintf(buf, len, > > > + "op=%s auid=%u pid=%d subj=%s res=%s", > > > + op, > > > + rep->signal_info->uid, > > > + rep->signal_info->pid, > > > + rep->len == 24 ? "?" : rep->signal_info->ctx, > > > + res); > > > + return buf; > > > +} > > > + > > > > > > int audit_update_watch_perms(struct audit_rule_data *rule, int perms) > > > { > > > > > > unsigned int i, done=0; > > > > > > diff --git a/lib/libaudit.h b/lib/libaudit.h > > > index ca7aa63e354e..63a5e948d00e 100644 > > > --- a/lib/libaudit.h > > > +++ b/lib/libaudit.h > > > @@ -562,6 +562,7 @@ extern int audit_setloginuid(uid_t uid); > > > > > > extern uint32_t audit_get_session(void); > > > extern int audit_detect_machine(void); > > > extern int audit_determine_machine(const char *arch); > > > > > > +extern char *audit_format_signal_info(char *buf, int len, char *op, > > > struct audit_reply *rep, char *res); > > > > > > /* Translation functions */ > > > extern int audit_name_to_field(const char *field); > > > > > > diff --git a/src/auditd-reconfig.c b/src/auditd-reconfig.c > > > index a03e29aa57ab..f5b00e6d1dc7 100644 > > > --- a/src/auditd-reconfig.c > > > +++ b/src/auditd-reconfig.c > > > @@ -115,12 +115,9 @@ static void *config_thread_main(void *arg) > > > > > > } else { > > > > > > // need to send a failed event message > > > char txt[MAX_AUDIT_MESSAGE_LENGTH]; > > > > > > - snprintf(txt, sizeof(txt), > > > - "op=reconfigure state=no-change auid=%u pid=%d subj=%s > > > > res=failed", > > > > > - e->reply.signal_info->uid, > > > - e->reply.signal_info->pid, > > > - (e->reply.len > 24) ? > > > - e->reply.signal_info->ctx : "?"); > > > + audit_format_signal_info(txt, sizeof(txt), > > > + "reconfigure state=no-change", > > > + &e->reply, "failed"); > > > > > > // FIXME: need to figure out sending this > > > //send_audit_event(AUDIT_DAEMON_CONFIG, txt); > > > free_config(&new_config); > > > > > > diff --git a/src/auditd.c b/src/auditd.c > > > index c04a1c9ce93f..5c31583a49c6 100644 > > > --- a/src/auditd.c > > > +++ b/src/auditd.c > > > @@ -131,7 +131,7 @@ static void hup_handler( struct ev_loop *loop, > > > struct > > > ev_signal *sig, int revent rc = audit_request_signal_info(fd); > > > > > > if (rc < 0) > > > > > > send_audit_event(AUDIT_DAEMON_CONFIG, > > > > > > - "op=hup-info state=request-siginfo auid=-1 pid=-1 subj=? > > > > res=failed"); > > > > > + "op=reconfigure state=no-change auid=-1 pid=-1 subj=? res=failed"); > > > > > > else > > > > > > hup_info_requested = 1; > > > > > > } > > > > > > @@ -147,7 +147,7 @@ static void user1_handler(struct ev_loop *loop, > > > struct > > > ev_signal *sig, rc = audit_request_signal_info(fd); > > > > > > if (rc < 0) > > > > > > send_audit_event(AUDIT_DAEMON_ROTATE, > > > > > > - "op=usr1-info auid=-1 pid=-1 subj=? res=failed"); > > > + "op=rotate-logs auid=-1 pid=-1 subj=? res=failed"); > > > > > > else > > > > > > usr1_info_requested = 1; > > > > > > } > > > > > > @@ -163,7 +163,7 @@ static void user2_handler( struct ev_loop *loop, > > > struct ev_signal *sig, int reve if (rc < 0) { > > > > > > resume_logging(); > > > send_audit_event(AUDIT_DAEMON_RESUME, > > > > > > - "op=resume-logging auid=-1 pid=-1 subj=? > > > > res=success"); > > > > > + "op=resume-logging auid=-1 pid=-1 subj=? res=failed"); > > > > > > } else > > > > > > usr2_info_requested = 1; > > > > > > } > > > > > > @@ -515,45 +515,33 @@ static void netlink_handler(struct ev_loop *loop, > > > struct ev_io *io, break; > > > > > > case AUDIT_SIGNAL_INFO: > > > if (hup_info_requested) { > > > > > > + char hup[MAX_AUDIT_MESSAGE_LENGTH]; > > > > > > audit_msg(LOG_DEBUG, > > > > > > "HUP detected, starting config manager"); > > > > > > reconfig_ev = cur_event; > > > if (start_config_manager(cur_event)) { > > > > > > - send_audit_event( > > > - AUDIT_DAEMON_CONFIG, > > > - "op=reconfigure state=no-change " > > > - "auid=-1 pid=-1 subj=? res=failed"); > > > + audit_format_signal_info(hup, sizeof(hup), > > > + "reconfigure > > > > state=no-change", > > > > > + &cur_event->reply, > > > + "failed"); > > > + send_audit_event(AUDIT_DAEMON_CONFIG, > > > > hup); > > > > > } > > > cur_event = NULL; > > > hup_info_requested = 0; > > > > > > } else if (usr1_info_requested) { > > > > > > char usr1[MAX_AUDIT_MESSAGE_LENGTH]; > > > > > > - if (cur_event->reply.len == 24) { > > > - snprintf(usr1, sizeof(usr1), > > > - "op=rotate-logs auid=-1 pid=-1 subj=?"); > > > - } else { > > > - snprintf(usr1, sizeof(usr1), > > > - "op=rotate-logs auid=%u pid=%d subj=%s", > > > - cur_event->reply.signal_info->uid, > > > - cur_event->reply.signal_info->pid, > > > - cur_event->reply.signal_info->ctx); > > > - } > > > + audit_format_signal_info(usr1, sizeof(usr1), > > > + "rotate-logs", > > > + &cur_event->reply, > > > + "success"); > > > > > > send_audit_event(AUDIT_DAEMON_ROTATE, usr1); > > > usr1_info_requested = 0; > > > > > > } else if (usr2_info_requested) { > > > > > > char usr2[MAX_AUDIT_MESSAGE_LENGTH]; > > > > > > - if (cur_event->reply.len == 24) { > > > - snprintf(usr2, sizeof(usr2), > > > - "op=resume-logging auid=-1 " > > > - "pid=-1 subj=? res=success"); > > > - } else { > > > - snprintf(usr2, sizeof(usr2), > > > - "op=resume-logging " > > > - "auid=%u pid=%d subj=%s res=success", > > > - cur_event->reply.signal_info->uid, > > > - cur_event->reply.signal_info->pid, > > > - cur_event->reply.signal_info->ctx); > > > - } > > > + audit_format_signal_info(usr2, sizeof(usr2), > > > + "resume-logging", > > > + &cur_event->reply, > > > + "success"); > > > > > > resume_logging(); > > > libdisp_resume(); > > > send_audit_event(AUDIT_DAEMON_RESUME, usr2); > > > > > > @@ -993,12 +981,8 @@ int main(int argc, char *argv[]) > > > > > > rc = get_reply(fd, &trep, rc); > > > if (rc > 0) { > > > > > > char txt[MAX_AUDIT_MESSAGE_LENGTH]; > > > > > > - snprintf(txt, sizeof(txt), > > > - "op=terminate auid=%u " > > > - "pid=%d subj=%s res=success", > > > - trep.signal_info->uid, > > > - trep.signal_info->pid, > > > - trep.signal_info->ctx); > > > + audit_format_signal_info(txt, sizeof(txt), "terminate", > > > + &trep, "success"); > > > > > > send_audit_event(AUDIT_DAEMON_END, txt); > > > > > > } > > > > > > } > > > > -- > > Linux-audit mailing list > > Linux-audit@redhat.com > > https://www.redhat.com/mailman/listinfo/linux-audit > > - RGB > > -- > Richard Guy Briggs <rgb@redhat.com> > Sr. S/W Engineer, Kernel Security, Base Operating Systems > Remote, Ottawa, Red Hat Canada > IRC: rgb, SunRaycer > Voice: +1.647.777.2635, Internal: (81) 32635 ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH ghau90 v1] sig_info: use standard template for log messages 2019-04-15 21:10 ` Steve Grubb @ 2019-04-16 19:57 ` Richard Guy Briggs 2019-04-16 20:18 ` Steve Grubb 0 siblings, 1 reply; 7+ messages in thread From: Richard Guy Briggs @ 2019-04-16 19:57 UTC (permalink / raw) To: Steve Grubb; +Cc: Linux-Audit Mailing List On 2019-04-15 17:10, Steve Grubb wrote: > On Monday, April 15, 2019 12:21:49 PM EDT Richard Guy Briggs wrote: > > On 2019-04-15 10:58, Steve Grubb wrote: > > > On Monday, April 15, 2019 9:02:36 AM EDT Richard Guy Briggs wrote: > > > > Records that are triggered by an AUDIT_SIGNAL_INFO message including > > > > AUDIT_DAEMON_CONFIG (HUP), AUDIT_DAEMON_ROTATE (USR1), > > > > AUDIT_DAEMON_RESUME (USR2) and AUDIT_DAEMON_END (TERM) have > > > > inconsistent reporting of signal info and swinging field "state". > > > > > > This is crusty old code that has things in it that were for migrations > > > with very old kernels. It's not readily obvious because those kernel > > > transitions were quite some time ago. There was also a fake > > > > > > > They also assume that an empty security context implies there is no > > > > other useful information in the AUDIT_SIGNAL_INFO message so don't use > > > > the information that is there. > > > > > > How are you generating the events that trigger this? If this is based on > > > reading the source code, I think its because of an ancient kernel change. > > > If you can generate this condition, then I'd like to replicate the > > > problem on my system to see what's happening. > > > > I used a current audit/next kernel, compiled with AUDIT_CONFIG, but with > > and without AUDIT_CONFIGSYSCALL > > Is this a configuration that we really want to support? :-) This really will > not work as anything except for gathering AVC's or other LSM events. And I > think those go to syslog anyways. I'd say that with this kernel configuration, > they likely would not run auditd as there's no point in it. Audit still works without CONFIGSYSCALL but is more limited. > > and simply signalled the audit daemon with the four signals and then ran > > ausearch on the most recent messages. > > > > I did not generate errors, but I could have by creating a custom kernel > > that returned errors upon request for AUDIT_SIGNAL_INFO. > > > > > > Normalize AUDIT_DAEMON_CONFIG to use the value "reconfigure" and add > > > > the "state" field where missing. > > > > > > > > Use audit_sig_info values when available, not making assumptions about > > > > their availability when the security context is absent. > > > > > > > > See: https://github.com/linux-audit/audit-userspace/issues/90 > > > > > > I had made changes to the git repo Saturday. I suspect this patch does > > > not apply. I like the op value changes. That part I can go along with. > > > Shall I just make that adjustment in the upstream repo and we can talk > > > more about how you are creating these events? > > > > This patch was rebased on your patch so it is current. > > One thing I should mention, the audit events are created with and without the > subj field because for common criteria, a DAC based system should have no > notion of MAC fields. This is why we alway branch on the "ctx" variables and > create the event with or without subj. The only branch is whether or not to print "?" for the subj field, so the field is still always there. > > I wanted it all in one function so that the format was consistent rather > > than open coded for anything that could use the AUDIT_SIGNAL_INFO > > contents. This will also help once there is also a cid (contid) to > > report. > > OK. > > -Steve > > > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > > > > --- > > > > > > > > docs/audit_request_signal_info.3 | 2 +- > > > > lib/libaudit.c | 12 +++++++++ > > > > lib/libaudit.h | 1 + > > > > src/auditd-reconfig.c | 9 +++---- > > > > src/auditd.c | 54 > > > > > > > > ++++++++++++++-------------------------- 5 files changed, 36 > > > > insertions(+), 42 deletions(-) > > > > > > > > diff --git a/docs/audit_request_signal_info.3 > > > > b/docs/audit_request_signal_info.3 index 873deb58bef3..b68d7bbefeed > > > > 100644 > > > > --- a/docs/audit_request_signal_info.3 > > > > +++ b/docs/audit_request_signal_info.3 > > > > @@ -8,7 +8,7 @@ int audit_request_signal_info(int fd); > > > > > > > > .SH "DESCRIPTION" > > > > > > > > -audit_request_signal_info requests that the kernel send information > > > > about > > > > the sender of a signal to the audit daemon. The sinal info structure is > > > > as > > > > follows: +audit_request_signal_info requests that the kernel send > > > > information about the sender of a signal to the audit daemon. The > > > > signal > > > > > > > > info structure is as follows: > > > > .nf > > > > struct audit_sig_info { > > > > > > > > diff --git a/lib/libaudit.c b/lib/libaudit.c > > > > index 2af017a0e520..e9c4f9cad6df 100644 > > > > --- a/lib/libaudit.c > > > > +++ b/lib/libaudit.c > > > > @@ -674,6 +674,18 @@ int audit_request_signal_info(int fd) > > > > > > > > return rc; > > > > > > > > } > > > > > > > > +char *audit_format_signal_info(char *buf, int len, char *op, struct > > > > audit_reply *rep, char *res) +{ > > > > + snprintf(buf, len, > > > > + "op=%s auid=%u pid=%d subj=%s res=%s", > > > > + op, > > > > + rep->signal_info->uid, > > > > + rep->signal_info->pid, > > > > + rep->len == 24 ? "?" : rep->signal_info->ctx, > > > > + res); > > > > + return buf; > > > > +} > > > > + > > > > > > > > int audit_update_watch_perms(struct audit_rule_data *rule, int perms) > > > > { > > > > > > > > unsigned int i, done=0; > > > > > > > > diff --git a/lib/libaudit.h b/lib/libaudit.h > > > > index ca7aa63e354e..63a5e948d00e 100644 > > > > --- a/lib/libaudit.h > > > > +++ b/lib/libaudit.h > > > > @@ -562,6 +562,7 @@ extern int audit_setloginuid(uid_t uid); > > > > > > > > extern uint32_t audit_get_session(void); > > > > extern int audit_detect_machine(void); > > > > extern int audit_determine_machine(const char *arch); > > > > > > > > +extern char *audit_format_signal_info(char *buf, int len, char *op, > > > > struct audit_reply *rep, char *res); > > > > > > > > /* Translation functions */ > > > > extern int audit_name_to_field(const char *field); > > > > > > > > diff --git a/src/auditd-reconfig.c b/src/auditd-reconfig.c > > > > index a03e29aa57ab..f5b00e6d1dc7 100644 > > > > --- a/src/auditd-reconfig.c > > > > +++ b/src/auditd-reconfig.c > > > > @@ -115,12 +115,9 @@ static void *config_thread_main(void *arg) > > > > > > > > } else { > > > > > > > > // need to send a failed event message > > > > char txt[MAX_AUDIT_MESSAGE_LENGTH]; > > > > > > > > - snprintf(txt, sizeof(txt), > > > > - "op=reconfigure state=no-change auid=%u pid=%d subj=%s > > > > > > res=failed", > > > > > > > - e->reply.signal_info->uid, > > > > - e->reply.signal_info->pid, > > > > - (e->reply.len > 24) ? > > > > - e->reply.signal_info->ctx : "?"); > > > > + audit_format_signal_info(txt, sizeof(txt), > > > > + "reconfigure state=no-change", > > > > + &e->reply, "failed"); > > > > > > > > // FIXME: need to figure out sending this > > > > //send_audit_event(AUDIT_DAEMON_CONFIG, txt); > > > > free_config(&new_config); > > > > > > > > diff --git a/src/auditd.c b/src/auditd.c > > > > index c04a1c9ce93f..5c31583a49c6 100644 > > > > --- a/src/auditd.c > > > > +++ b/src/auditd.c > > > > @@ -131,7 +131,7 @@ static void hup_handler( struct ev_loop *loop, > > > > struct > > > > ev_signal *sig, int revent rc = audit_request_signal_info(fd); > > > > > > > > if (rc < 0) > > > > > > > > send_audit_event(AUDIT_DAEMON_CONFIG, > > > > > > > > - "op=hup-info state=request-siginfo auid=-1 pid=-1 subj=? > > > > > > res=failed"); > > > > > > > + "op=reconfigure state=no-change auid=-1 pid=-1 subj=? res=failed"); > > > > > > > > else > > > > > > > > hup_info_requested = 1; > > > > > > > > } > > > > > > > > @@ -147,7 +147,7 @@ static void user1_handler(struct ev_loop *loop, > > > > struct > > > > ev_signal *sig, rc = audit_request_signal_info(fd); > > > > > > > > if (rc < 0) > > > > > > > > send_audit_event(AUDIT_DAEMON_ROTATE, > > > > > > > > - "op=usr1-info auid=-1 pid=-1 subj=? res=failed"); > > > > + "op=rotate-logs auid=-1 pid=-1 subj=? res=failed"); > > > > > > > > else > > > > > > > > usr1_info_requested = 1; > > > > > > > > } > > > > > > > > @@ -163,7 +163,7 @@ static void user2_handler( struct ev_loop *loop, > > > > struct ev_signal *sig, int reve if (rc < 0) { > > > > > > > > resume_logging(); > > > > send_audit_event(AUDIT_DAEMON_RESUME, > > > > > > > > - "op=resume-logging auid=-1 pid=-1 subj=? > > > > > > res=success"); > > > > > > > + "op=resume-logging auid=-1 pid=-1 subj=? > res=failed"); > > > > > > > > } else > > > > > > > > usr2_info_requested = 1; > > > > > > > > } > > > > > > > > @@ -515,45 +515,33 @@ static void netlink_handler(struct ev_loop *loop, > > > > struct ev_io *io, break; > > > > > > > > case AUDIT_SIGNAL_INFO: > > > > if (hup_info_requested) { > > > > > > > > + char hup[MAX_AUDIT_MESSAGE_LENGTH]; > > > > > > > > audit_msg(LOG_DEBUG, > > > > > > > > "HUP detected, starting config manager"); > > > > > > > > reconfig_ev = cur_event; > > > > if (start_config_manager(cur_event)) { > > > > > > > > - send_audit_event( > > > > - AUDIT_DAEMON_CONFIG, > > > > - "op=reconfigure state=no-change " > > > > - "auid=-1 pid=-1 subj=? res=failed"); > > > > + audit_format_signal_info(hup, > sizeof(hup), > > > > + "reconfigure > > > > > > state=no-change", > > > > > > > + &cur_event->reply, > > > > + "failed"); > > > > + send_audit_event(AUDIT_DAEMON_CONFIG, > > > > > > hup); > > > > > > > } > > > > cur_event = NULL; > > > > hup_info_requested = 0; > > > > > > > > } else if (usr1_info_requested) { > > > > > > > > char usr1[MAX_AUDIT_MESSAGE_LENGTH]; > > > > > > > > - if (cur_event->reply.len == 24) { > > > > - snprintf(usr1, sizeof(usr1), > > > > - "op=rotate-logs auid=-1 pid=-1 subj=?"); > > > > - } else { > > > > - snprintf(usr1, sizeof(usr1), > > > > - "op=rotate-logs auid=%u pid=%d subj=%s", > > > > - cur_event->reply.signal_info->uid, > > > > - cur_event->reply.signal_info->pid, > > > > - cur_event->reply.signal_info->ctx); > > > > - } > > > > + audit_format_signal_info(usr1, sizeof(usr1), > > > > + "rotate-logs", > > > > + &cur_event->reply, > > > > + "success"); > > > > > > > > send_audit_event(AUDIT_DAEMON_ROTATE, usr1); > > > > usr1_info_requested = 0; > > > > > > > > } else if (usr2_info_requested) { > > > > > > > > char usr2[MAX_AUDIT_MESSAGE_LENGTH]; > > > > > > > > - if (cur_event->reply.len == 24) { > > > > - snprintf(usr2, sizeof(usr2), > > > > - "op=resume-logging auid=-1 " > > > > - "pid=-1 subj=? res=success"); > > > > - } else { > > > > - snprintf(usr2, sizeof(usr2), > > > > - "op=resume-logging " > > > > - "auid=%u pid=%d subj=%s res=success", > > > > - cur_event->reply.signal_info->uid, > > > > - cur_event->reply.signal_info->pid, > > > > - cur_event->reply.signal_info->ctx); > > > > - } > > > > + audit_format_signal_info(usr2, sizeof(usr2), > > > > + "resume-logging", > > > > + &cur_event->reply, > > > > + "success"); > > > > > > > > resume_logging(); > > > > libdisp_resume(); > > > > send_audit_event(AUDIT_DAEMON_RESUME, usr2); > > > > > > > > @@ -993,12 +981,8 @@ int main(int argc, char *argv[]) > > > > > > > > rc = get_reply(fd, &trep, rc); > > > > if (rc > 0) { > > > > > > > > char txt[MAX_AUDIT_MESSAGE_LENGTH]; > > > > > > > > - snprintf(txt, sizeof(txt), > > > > - "op=terminate auid=%u " > > > > - "pid=%d subj=%s res=success", > > > > - trep.signal_info->uid, > > > > - trep.signal_info->pid, > > > > - trep.signal_info->ctx); > > > > + audit_format_signal_info(txt, sizeof(txt), > "terminate", > > > > + &trep, "success"); > > > > > > > > send_audit_event(AUDIT_DAEMON_END, txt); > > > > > > > > } > > > > > > > > } > > > > > > -- > > > Linux-audit mailing list > > > Linux-audit@redhat.com > > > https://www.redhat.com/mailman/listinfo/linux-audit > > > > - RGB > > > > -- > > Richard Guy Briggs <rgb@redhat.com> > > Sr. S/W Engineer, Kernel Security, Base Operating Systems > > Remote, Ottawa, Red Hat Canada > > IRC: rgb, SunRaycer > > Voice: +1.647.777.2635, Internal: (81) 32635 > > > > - RGB -- Richard Guy Briggs <rgb@redhat.com> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH ghau90 v1] sig_info: use standard template for log messages 2019-04-16 19:57 ` Richard Guy Briggs @ 2019-04-16 20:18 ` Steve Grubb 2019-04-16 20:51 ` Richard Guy Briggs 0 siblings, 1 reply; 7+ messages in thread From: Steve Grubb @ 2019-04-16 20:18 UTC (permalink / raw) To: Richard Guy Briggs; +Cc: Linux-Audit Mailing List On Tuesday, April 16, 2019 3:57:51 PM EDT Richard Guy Briggs wrote: > On 2019-04-15 17:10, Steve Grubb wrote: > > On Monday, April 15, 2019 12:21:49 PM EDT Richard Guy Briggs wrote: > > > On 2019-04-15 10:58, Steve Grubb wrote: > > > > On Monday, April 15, 2019 9:02:36 AM EDT Richard Guy Briggs wrote: > > > > > Records that are triggered by an AUDIT_SIGNAL_INFO message > > > > > including > > > > > AUDIT_DAEMON_CONFIG (HUP), AUDIT_DAEMON_ROTATE (USR1), > > > > > AUDIT_DAEMON_RESUME (USR2) and AUDIT_DAEMON_END (TERM) have > > > > > inconsistent reporting of signal info and swinging field "state". > > > > > > > > This is crusty old code that has things in it that were for > > > > migrations with very old kernels. It's not readily obvious because > > > > those kernel transitions were quite some time ago. There was also a > > > > fake > > > > > > > > > They also assume that an empty security context implies there is no > > > > > other useful information in the AUDIT_SIGNAL_INFO message so don't > > > > > use the information that is there. > > > > > > > > How are you generating the events that trigger this? If this is based > > > > on reading the source code, I think its because of an ancient kernel > > > > change. If you can generate this condition, then I'd like to > > > > replicate the problem on my system to see what's happening. > > > > > > I used a current audit/next kernel, compiled with AUDIT_CONFIG, but > > > with and without AUDIT_CONFIGSYSCALL > > > > Is this a configuration that we really want to support? :-) This really > > will not work as anything except for gathering AVC's or other LSM > > events. And I think those go to syslog anyways. I'd say that with this > > kernel configuration, they likely would not run auditd as there's no > > point in it. > > Audit still works without CONFIGSYSCALL but is more limited. I really don't think we should cater to that use case. I am willing to go with a consolidated logging function. With the caveat below. > > > and simply signalled the audit daemon with the four signals and then > > > ran ausearch on the most recent messages. > > > > > > I did not generate errors, but I could have by creating a custom kernel > > > that returned errors upon request for AUDIT_SIGNAL_INFO. > > > > > > > > Normalize AUDIT_DAEMON_CONFIG to use the value "reconfigure" and > > > > > add the "state" field where missing. > > > > > > > > > > Use audit_sig_info values when available, not making assumptions > > > > > about their availability when the security context is absent. > > > > > > > > > > See: https://github.com/linux-audit/audit-userspace/issues/90 > > > > > > > > I had made changes to the git repo Saturday. I suspect this patch > > > > does not apply. I like the op value changes. That part I can go along > > > > with. Shall I just make that adjustment in the upstream repo and we > > > > can talk more about how you are creating these events? > > > > > > This patch was rebased on your patch so it is current. > > > > One thing I should mention, the audit events are created with and without > > the subj field because for common criteria, a DAC based system should > > have no notion of MAC fields. This is why we alway branch on the "ctx" > > variables and create the event with or without subj. > > The only branch is whether or not to print "?" for the subj field, so > the field is still always there. But we don't want subj there at all if its a DAC only system. -Steve ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH ghau90 v1] sig_info: use standard template for log messages 2019-04-16 20:18 ` Steve Grubb @ 2019-04-16 20:51 ` Richard Guy Briggs 0 siblings, 0 replies; 7+ messages in thread From: Richard Guy Briggs @ 2019-04-16 20:51 UTC (permalink / raw) To: Steve Grubb; +Cc: Linux-Audit Mailing List On 2019-04-16 16:18, Steve Grubb wrote: > On Tuesday, April 16, 2019 3:57:51 PM EDT Richard Guy Briggs wrote: > > On 2019-04-15 17:10, Steve Grubb wrote: > > > On Monday, April 15, 2019 12:21:49 PM EDT Richard Guy Briggs wrote: > > > > On 2019-04-15 10:58, Steve Grubb wrote: > > > > > On Monday, April 15, 2019 9:02:36 AM EDT Richard Guy Briggs wrote: > > > > > > Records that are triggered by an AUDIT_SIGNAL_INFO message > > > > > > including > > > > > > AUDIT_DAEMON_CONFIG (HUP), AUDIT_DAEMON_ROTATE (USR1), > > > > > > AUDIT_DAEMON_RESUME (USR2) and AUDIT_DAEMON_END (TERM) have > > > > > > inconsistent reporting of signal info and swinging field "state". > > > > > > > > > > This is crusty old code that has things in it that were for > > > > > migrations with very old kernels. It's not readily obvious because > > > > > those kernel transitions were quite some time ago. There was also a > > > > > fake > > > > > > > > > > > They also assume that an empty security context implies there is no > > > > > > other useful information in the AUDIT_SIGNAL_INFO message so don't > > > > > > use the information that is there. > > > > > > > > > > How are you generating the events that trigger this? If this is based > > > > > on reading the source code, I think its because of an ancient kernel > > > > > change. If you can generate this condition, then I'd like to > > > > > replicate the problem on my system to see what's happening. > > > > > > > > I used a current audit/next kernel, compiled with AUDIT_CONFIG, but > > > > with and without AUDIT_CONFIGSYSCALL > > > > > > Is this a configuration that we really want to support? :-) This really > > > will not work as anything except for gathering AVC's or other LSM > > > events. And I think those go to syslog anyways. I'd say that with this > > > kernel configuration, they likely would not run auditd as there's no > > > point in it. > > > > Audit still works without CONFIGSYSCALL but is more limited. > > I really don't think we should cater to that use case. I am willing to go > with a consolidated logging function. With the caveat below. There are still 8 arches or so that are in this case. > > > > and simply signalled the audit daemon with the four signals and then > > > > ran ausearch on the most recent messages. > > > > > > > > I did not generate errors, but I could have by creating a custom kernel > > > > that returned errors upon request for AUDIT_SIGNAL_INFO. > > > > > > > > > > Normalize AUDIT_DAEMON_CONFIG to use the value "reconfigure" and > > > > > > add the "state" field where missing. > > > > > > > > > > > > Use audit_sig_info values when available, not making assumptions > > > > > > about their availability when the security context is absent. > > > > > > > > > > > > See: https://github.com/linux-audit/audit-userspace/issues/90 > > > > > > > > > > I had made changes to the git repo Saturday. I suspect this patch > > > > > does not apply. I like the op value changes. That part I can go along > > > > > with. Shall I just make that adjustment in the upstream repo and we > > > > > can talk more about how you are creating these events? > > > > > > > > This patch was rebased on your patch so it is current. > > > > > > One thing I should mention, the audit events are created with and without > > > the subj field because for common criteria, a DAC based system should > > > have no notion of MAC fields. This is why we alway branch on the "ctx" > > > variables and create the event with or without subj. > > > > The only branch is whether or not to print "?" for the subj field, so > > the field is still always there. > > But we don't want subj there at all if its a DAC only system. Ok, so all of these messages I am fixing were needlessly printing the subj field anyways? This is easy to fix with this patch. > -Steve - RGB -- Richard Guy Briggs <rgb@redhat.com> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2019-04-16 20:51 UTC | newest] Thread overview: 7+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2019-04-15 13:02 [PATCH ghau90 v1] sig_info: use standard template for log messages Richard Guy Briggs 2019-04-15 14:58 ` Steve Grubb 2019-04-15 16:21 ` Richard Guy Briggs 2019-04-15 21:10 ` Steve Grubb 2019-04-16 19:57 ` Richard Guy Briggs 2019-04-16 20:18 ` Steve Grubb 2019-04-16 20:51 ` Richard Guy Briggs
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox