From: Max Timchenko
Subject: Running multiple audit service clients
Date: Wed, 10 Feb 2016 16:28:26 -0500
To: linux-audit@redhat.com

Dear all,

I have a situation where there are two audit clients on the same machine:
one of them is auditd, and another one is an IDS client that uses the audit
subsystem directly. By looking at the source
(http://lxr.free-electrons.com/source/kernel/audit.c?v=3.13#L787), I suspect
that there might be no provision in the kernel for multiple audit subsystem
userland daemons running in parallel (only one pid, only one netlink socket
in the kernel). I could not find any documentation confirming or denying
that.

Has anyone tried that before? What would actually happen if two different
audit clients tried to use the same interface to the audit subsystem in the
kernel?

Yours,
--
Max
From: Richard Guy Briggs
Subject: Re: Running multiple audit service clients
Date: Wed, 10 Feb 2016 21:30:15 -0500
To: Max Timchenko
Cc: linux-audit@redhat.com

On 16/02/10, Max Timchenko wrote:
> Dear all,
>
> I have a situation where there are two audit clients on the same machine:
> one of them is auditd, and another one is an IDS client that uses the audit
> subsystem directly. By looking at the source (
> http://lxr.free-electrons.com/source/kernel/audit.c?v=3.13#L787), I suspect
> that there might be no provision in the kernel for multiple audit subsystem
> userland daemons running in parallel (only one pid, only one netlink socket
> in the kernel). I could not find any documentation confirming or denying
> that.
>
> Has anyone tried that before? What would actually happen if two different
> audit clients tried to use the same interface to the audit subsystem in the
> kernel?

With recent changes upstream, the second would be denied with -EEXIST.

Before that, the older one would be starved out.  And versions even
older might actually have the newer one orphaned in the very occasional
race where the older one shuts down after the second one starts.

To quote Highlander, "There Can Be Only One".

There is also planning to be done to allow one auditd per user
namespace to support containers, but we aren't there yet.

> Max

- RGB

--
Richard Guy Briggs
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545


From: Paul Moore
Subject: Re: Running multiple audit service clients
Date: Thu, 11 Feb 2016 03:16:58 -0500
To: Max Timchenko, Richard Guy Briggs
Cc: linux-audit@redhat.com

On Wed, Feb 10, 2016 at 9:30 PM, Richard Guy Briggs wrote:
> There is also planning to be done to allow one auditd per user
> namespace to support containers, but we aren't there yet.

To add to that, we will also provide better support for containers with a
single auditd instance (the microservices case) by providing better marking
of audit records to help indicate which namespace set (what the kernel would
consider a container) generated the audit event.

--
paul moore
www.paul-moore.com


From: Max Timchenko
Subject: Re: Running multiple audit service clients
Date: Thu, 11 Feb 2016 15:19:27 -0500
To: Richard Guy Briggs, Paul Moore
Cc: linux-audit@redhat.com

On Wed, Feb 10, 2016 at 9:30 PM, Richard Guy Briggs wrote:
> On 16/02/10, Max Timchenko wrote:
> > Has anyone tried that before? What would actually happen if two different
> > audit clients tried to use the same interface to the audit subsystem in
> > the kernel?
>
> With recent changes upstream, the second would be denied with -EEXIST.
>
> Before that, the older one would be starved out.  And versions even
> older might actually have the newer one orphaned in the very occasional
> race where the older one shuts down after the second one starts.
>
> To quote Highlander, "There Can Be Only One".

Thanks Richard and Paul for your quick responses. It's great to hear that
support for containers is being worked on.

I have read the docs on audispd(8) - is it something auditd and the other
client could use to enable multiple access? It sounds like audispd does
support multiple clients, but I would guess all clients would have to use
the audispd plugin interface instead of the usual kernel API.

What is missing from the documentation for me is the relationship between
audispd and auditd - whether audispd is an optional component of auditd
that can run concurrently, or audispd is a replacement of auditd when
configured (and then auditd cannot run on the same machine without running
into the same multi-client issues).

Yours,
--
Max
From: Richard Guy Briggs
Subject: Re: Running multiple audit service clients
Date: Thu, 11 Feb 2016 23:39:39 -0500
To: Max Timchenko
Cc: linux-audit@redhat.com

On 16/02/11, Max Timchenko wrote:
> On Wed, Feb 10, 2016 at 9:30 PM, Richard Guy Briggs wrote:
>
> > On 16/02/10, Max Timchenko wrote:
> > > Has anyone tried that before? What would actually happen if two different
> > > audit clients tried to use the same interface to the audit subsystem in
> > > the kernel?
> >
> > With recent changes upstream, the second would be denied with -EEXIST.
> >
> > Before that, the older one would be starved out.  And versions even
> > older might actually have the newer one orphaned in the very occasional
> > race where the older one shuts down after the second one starts.
> >
> > To quote Highlander, "There Can Be Only One".
>
> Thanks Richard and Paul for your quick responses. It's great to hear
> that support for containers is being worked on.
>
> I have read the docs on audispd(8) - is it something auditd and the
> other client could use to enable multiple access? It sounds like
> audispd does support multiple clients, but I would guess all clients
> would have to use the audispd plugin interface instead of the usual
> kernel API.
>
> What is missing from the documentation for me is the relationship
> between audispd and auditd - whether audispd is an optional component
> of auditd that can run concurrently, or audispd is a replacement of
> auditd when configured (and then auditd cannot run on the same machine
> without running into the same multi-client issues).

I will defer to Steve Grubb on this question as the userspace tools are
his domain of expertise.

> Yours,
> --
> Max

- RGB

--
Richard Guy Briggs
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545


From: Steve Grubb
Subject: Re: Running multiple audit service clients
Date: Fri, 12 Feb 2016 13:50:48 -0500
To: linux-audit@redhat.com
Cc: Max Timchenko

On Wednesday, February 10, 2016 04:28:26 PM Max Timchenko wrote:
> I have a situation where there are two audit clients on the same machine:
> one of them is auditd, and another one is an IDS client that uses the audit
> subsystem directly.

It should not be designed that way. For compliance purposes many people have
to save the audit logs. I have given several speeches on how to do this so
that everyone has a correct model to work from. The latest speech on
audit+IDS is here:

http://people.redhat.com/sgrubb/audit/audit_ids_2011.pdf

The main idea is that auditd has a builtin facility for sharing events,
audispd. The IDS system can clip into it and get the event stream. If it
wants events as they come "off the wire" they should set the format option
to BINARY and they will get it exactly as it was handed to auditd. More
typical is to use STRING format so that they can use auparse to dissect the
event for processing.

> By looking at the source (
> http://lxr.free-electrons.com/source/kernel/audit.c?v=3.13#L787), I suspect
> that there might be no provision in the kernel for multiple audit subsystem
> userland daemons running in parallel (only one pid, only one netlink socket
> in the kernel). I could not find any documentation confirming or denying
> that.

There is not. Nor should there be. With the ease in which analysis programs
can get the audit stream, they should not have to resort to exclusive
access. For example, the setroubleshooter plugin puts something in
/etc/audisp/plugins.d/ so that it can see events in realtime. It's a good
example of "doing it right".

> Has anyone tried that before? What would actually happen if two different
> audit clients tried to use the same interface to the audit subsystem in the
> kernel?

Last one wins.

-Steve


From: Steve Grubb
Subject: Re: Running multiple audit service clients
Date: Fri, 12 Feb 2016 14:13:28 -0500
To: linux-audit@redhat.com
Cc: Richard Guy Briggs, Max Timchenko

On Thursday, February 11, 2016 03:19:27 PM Max Timchenko wrote:
> I have read the docs on audispd(8) - is it something auditd and the other
> client could use to enable multiple access? It sounds like audispd does
> support multiple clients, but I would guess all clients would have to use
> the audispd plugin interface instead of the usual kernel API.

Yes. This is intentional and has existed for about 10 years.

> What is missing from the documentation for me is the relationship between
> audispd and auditd - whether audispd is an optional component of auditd that
> can run concurrently

Yes. If you look in auditd.conf, you will see that there is a configuration
option, dispatcher, which allows you to select another consumer of audit
events. Normally the selection of /sbin/audispd is the best because it
allows "unlimited" multiplexing of the audit stream. You can send events to
syslog, setroubleshoot, and remotely log events in an aggregator all at the
same time.

> , or audispd is a replacement of auditd when configured
> (and then auditd cannot run on the same machine
> without running into the same multi-client issues).

No. The audispd man page says, "audispd is an audit event multiplexor. It
has to be started by the audit daemon in order to get events."

HTH...

-Steve
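Steve's two replies describe the intended design: the IDS does not bind the kernel's audit netlink socket itself, it is started by audispd as a plugin registered under /etc/audisp/plugins.d/ and reads the event stream on stdin, with format = string so the records can be dissected the way auparse would. The script below is an added illustration of such a plugin, not code from the thread or from the audit project; the sample records are constructed, and the install path in the docstring is a placeholder.

```python
"""Added example (not from the thread or the audit project): an audispd plugin
consuming STRING-format records. audispd starts it and writes records to its
stdin, one per line, as auditd would log them, given a plugins.d entry like:
    active = yes, direction = out, type = always, format = string
    path = /usr/local/bin/audit-ids-consumer.py   (placeholder path)
"""
import re
import sys
# Every record starts "type=<T> msg=audit(<ts>:<serial>): "; the body follows.
RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# key=value pairs whose values are bare, 'single-quoted' or "double-quoted".
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")

def parse_fields(text):
    """key=value text -> dict; pairs nested inside msg='...' are flattened."""
    fields = {}
    for key, value in FIELD_RE.findall(text):
        if key == "msg" and value.startswith("'"):
            fields.update(parse_fields(value[1:-1]))
        else:
            fields[key] = value.strip("'\"")
    return fields

def parse_record(line):
    """Parse one record line; None for lines that are not audit records."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec_type, ts, serial, body = m.groups()
    rec = {"type": rec_type, "time": float(ts), "serial": int(serial)}
    rec.update(parse_fields(body))
    return rec

def group_events(lines):
    """Records sharing one audit(ts:serial) id form one event, as auparse groups them."""
    events = {}
    for rec in filter(None, map(parse_record, lines)):
        events.setdefault(rec["serial"], []).append(rec)
    return events

def failed_logins(events):
    """(acct, addr) of every USER_LOGIN record that reports res=failed."""
    return [(r.get("acct"), r.get("addr")) for recs in events.values()
            for r in recs if r["type"] == "USER_LOGIN" and r.get("res") == "failed"]

# Constructed sample stream: a two-record SYSCALL event, then two logins.
SAMPLE = [
    'type=SYSCALL msg=audit(1455136106.101:200): arch=c000003e syscall=59 success=yes exit=0 pid=2101 auid=1000 comm="id" exe="/usr/bin/id" key="exec"',
    'type=EXECVE msg=audit(1455136106.101:200): argc=1 a0="id"',
    "type=USER_LOGIN msg=audit(1455136110.555:201): pid=2200 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=? addr=192.0.2.10 terminal=ssh res=failed'",
    "type=USER_LOGIN msg=audit(1455136115.777:202): pid=2201 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe=\"/usr/sbin/sshd\" hostname=? addr=192.0.2.20 terminal=ssh res=success'",
]
if __name__ == "__main__":  # under audispd the record stream arrives on stdin
    for acct, addr in failed_logins(group_events(SAMPLE if sys.stdin.isatty() else sys.stdin)):
        print("failed login for %s from %s" % (acct, addr))
```

Run interactively it processes the constructed sample; piped a real audit.log on stdin it does the same grouping, which is what a BINARY-format plugin would instead have to do on the raw netlink payloads.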