Linux-audit Archive on lore.kernel.org
* Linux Auditd app for Splunk
@ 2016-03-30 22:34 Douglas Brown
  2016-03-31  0:46 ` Steve Grubb
  0 siblings, 1 reply; 6+ messages in thread
From: Douglas Brown @ 2016-03-30 22:34 UTC (permalink / raw)
  To: linux-audit@redhat.com


Hi all,

This week I released version 2 of the Linux Auditd app for Splunk: https://splunkbase.splunk.com/app/2642/

Be sure to let me know if you have any suggestions for improvements.

Cheers,
Doug


* Re: Linux Auditd app for Splunk
  2016-03-30 22:34 Linux Auditd app for Splunk Douglas Brown
@ 2016-03-31  0:46 ` Steve Grubb
  2016-03-31  5:01   ` F Rafi
  0 siblings, 1 reply; 6+ messages in thread
From: Steve Grubb @ 2016-03-31  0:46 UTC (permalink / raw)
  To: linux-audit

Hello,

On Wednesday, March 30, 2016 10:34:39 PM Douglas Brown wrote:
> This week I released version 2 of the Linux Auditd app for Splunk:
> https://splunkbase.splunk.com/app/2642/
 
> Be sure to let me know if you have any suggestions for improvements.

Thanks for posting this. It's good to see utilities like this supporting the 
audit daemon.

If anyone else has plugins to logging frameworks, reports, helpful scripts, 
etc...feel free to post a notice about them. We are sort of working on a new 
home for the audit system at github and can probably dedicate a page to 
related and helpful projects.

-Steve


* Re: Linux Auditd app for Splunk
  2016-03-31  0:46 ` Steve Grubb
@ 2016-03-31  5:01   ` F Rafi
  2016-03-31  5:18     ` Douglas Brown
  0 siblings, 1 reply; 6+ messages in thread
From: F Rafi @ 2016-03-31  5:01 UTC (permalink / raw)
  To: doug.brown; +Cc: linux-audit@redhat.com


"I've turned SELinux off ... and as per Dan Walsh that's a bad thing."
Love it.

Some questions.

1. For the Severe Events panel: Where is the severity coming from? The
auditd logs don't show a severity rating.

2. AUID to username mapping: How are you doing this? Via tty logs or
fetching passwd file contents somehow?

Thanks,
Farhan


* Re: Linux Auditd app for Splunk
  2016-03-31  5:01   ` F Rafi
@ 2016-03-31  5:18     ` Douglas Brown
  0 siblings, 0 replies; 6+ messages in thread
From: Douglas Brown @ 2016-03-31  5:18 UTC (permalink / raw)
  To: F Rafi; +Cc: linux-audit@redhat.com


Hi Farhan,

Good question. There’s no source of truth (that I know of) for the severity of auditd event types so I created a lookup based upon my experience. Here it is: https://github.com/doksu/splunk_auditd/blob/master/linux-auditd/appserver/addons/TA_linux-auditd/lookups/audit_types.csv

Naturally you can change it to suit your environment but any suggestions for improvement are much appreciated. :)

The app has three identities lookups it merges together: local, directory and learnt. The first two you’re meant to populate (see here for more details: https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#configuration), but technically you don’t have to bother because version 2 automatically learns posix identities being used in your environment by periodically updating the ‘learnt’ lookup based upon USER_START events.

Cheers,
Doug


* RE: Linux Auditd app for Splunk
@ 2016-04-01  7:34 Maupertuis Philippe
  2016-04-01  8:09 ` Douglas Brown
  0 siblings, 1 reply; 6+ messages in thread
From: Maupertuis Philippe @ 2016-04-01  7:34 UTC (permalink / raw)
  To: linux-audit@redhat.com

The Splunk app seems very promising.
Is there a way to use it when audit records are sent to a central syslog server before feeding Splunk?
For now, the auditd records are prefixed by syslog information when received by Splunk.

Regards
Philippe

-----Original Message-----
From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On behalf of linux-audit-request@redhat.com
Sent: Thursday 31 March 2016 18:00
To: linux-audit@redhat.com
Subject: Linux-audit Digest, Vol 138, Issue 9


Today's Topics:

   1. Linux Auditd app for Splunk (Douglas Brown)
   2. Re: auditd reports port number '0' for connect() system call
      (Steve Grubb)
   3. Re: Linux Auditd app for Splunk (Steve Grubb)
   4. Re: Linux Auditd app for Splunk (F Rafi)
   5. Re: Linux Auditd app for Splunk (Douglas Brown)
   6. Re: auditd reports port number '0' for connect() system call
      (Kangkook Jee)
   7. Re: auditd reports port number '0' for connect() system call
      (Kangkook Jee)
   8. [PATCH] audit: cleanup prune_tree_thread (Jiri Slaby)


----------------------------------------------------------------------

Message: 2
Date: Wed, 30 Mar 2016 19:29:58 -0400
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: auditd reports port number '0' for connect() system call
Message-ID: <1876918.F3mpSQW0Wx@x2>
Content-Type: text/plain; charset="us-ascii"

On Tuesday, March 29, 2016 11:19:24 PM Kangkook Jee wrote:
> If I understood correctly, connect() should return error when sin_port
> field is set with '0'. Would anyone explain this to me or help me with
> fix this problem?

I get 779 as the port from your event.

-Steve



------------------------------

Message: 6
Date: Thu, 31 Mar 2016 07:33:18 -0400
From: Kangkook Jee <aixer77@gmail.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: auditd reports port number '0' for connect() system call
Message-ID: <46420AF1-CBB8-45E2-B0BA-71A788AEEC43@gmail.com>
Content-Type: text/plain; charset="utf-8"

Dear Steve,

Thanks a lot for your quick response.
Would you tell me from what saddr fields you get the port number value '779'?

This might indicate my code to extract the field might be wrong. Would you also inform me what is the correct way to decode saddr string?

Thanks again!

Regards, Kangkook


> On Mar 30, 2016, at 7:29 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>
> On Tuesday, March 29, 2016 11:19:24 PM Kangkook Jee wrote:
>> If I understood correctly, connect() should return error when
>> sin_port field is set with '0'. Would anyone explain this to me or
>> help me with fix this problem?
>
> I get 779 as the port from your event.
>
> -Steve

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.redhat.com/archives/linux-audit/attachments/20160331/5ccc071f/attachment.html>

------------------------------

Message: 7
Date: Thu, 31 Mar 2016 08:54:30 -0400
From: Kangkook Jee <aixer77@gmail.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: auditd reports port number '0' for connect() system call

Message-ID: <AE5F3C07-3DA7-4DD9-9B9D-7807518DB4A6@gmail.com>
Content-Type: text/plain; charset=utf-8

I checked out with strings that I provided from the previous email.

The first 3 ones gave me proper port numbers.

$ ~/bin/sock_decode 020000358A0F6C0B0000000000000000
020000358A0F6C0B0000000000000000: sa_family: 2 addr: 191631242, port: 53 (13568)
$ ~/bin/sock_decode 0200006F8A0FA5090000000000000000
0200006F8A0FA5090000000000000000: sa_family: 2 addr: 161812362, port: 111 (28416)
$ ~/bin/sock_decode 0200030B8A0FA5090000000000000000
0200030B8A0FA5090000000000000000: sa_family: 2 addr: 161812362, port: 779 (2819)


but the last three ones didn't:

$ ~/bin/sock_decode 0200000036447A640000000000000000
0200000036447A640000000000000000: sa_family: 2 addr: 1685734454, port: 0 (0)
$ ~/bin/sock_decode 020000003644ECD00000000000000000
020000003644ECD00000000000000000: sa_family: 2 addr: 3505144886, port: 0 (0)
$ ~/bin/sock_decode 02000000369520250000000000000000
02000000369520250000000000000000: sa_family: 2 addr: 622892342, port: 0 (0)

Would you check this out?

/Kangkook

> On Mar 30, 2016, at 7:29 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>
> On Tuesday, March 29, 2016 11:19:24 PM Kangkook Jee wrote:
>> If I understood correctly, connect() should return error when
>> sin_port field is set with '0'. Would anyone explain this to me or
>> help me with fix this problem?
>
> I get 779 as the port from your event.
>
> -Steve
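Kangkook's question of how to decode the saddr string, worked as an added example that is not code from the thread or from the audit project: it reads the struct sockaddr_in layout straight out of the hex, runs the six values posted above through it (including the three that decode to port 0), and flags zero-port records for correlation with their SYSCALL record. It assumes a little-endian host; the SOCKADDR log lines it parses are constructed, with made-up timestamps and serial numbers.

```python
"""Decode the saddr field of Linux audit SOCKADDR records.

Added example, not code from the thread or from the audit project.  saddr is
a hex dump of the raw struct sockaddr the kernel copied from the system call
(connect(), bind(), sendto(), ...).  For AF_INET that is struct sockaddr_in:
    sa_family   2 bytes, host byte order
    sin_port    2 bytes, network byte order
    sin_addr    4 bytes, network byte order
    sin_zero    8 bytes of padding
Assumption: a little-endian host (x86), so sa_family is unpacked as "<H".
"""
import ipaddress
import re
import struct

AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10

# Assumed record shape: "type=SOCKADDR msg=audit(<ts>:<serial>): saddr=<hex>".
SADDR_RE = re.compile(r"\bsaddr=([0-9A-Fa-f]+)")
AUDIT_ID_RE = re.compile(r"msg=audit\(([^)]*)\)")


def decode_saddr(hex_str: str) -> dict:
    """Return the fields of one saddr value; keys depend on the family."""
    raw = bytes.fromhex(hex_str)
    if len(raw) < 2:
        raise ValueError("saddr too short to hold sa_family")
    family = struct.unpack_from("<H", raw, 0)[0]  # host order, LE assumed
    out = {"family": family}
    if family == AF_INET:
        if len(raw) < 8:
            raise ValueError("truncated sockaddr_in")
        port, addr = struct.unpack_from("!H4s", raw, 2)  # network order
        out["port"] = port
        out["addr"] = str(ipaddress.IPv4Address(addr))
        # The same four address bytes read as a host-order integer; this is
        # the number the sock_decode tool in the thread printed after "addr:".
        out["addr_host_int"] = struct.unpack_from("<I", raw, 4)[0]
    elif family == AF_INET6:
        if len(raw) < 24:
            raise ValueError("truncated sockaddr_in6")
        out["port"] = struct.unpack_from("!H", raw, 2)[0]
        out["addr"] = str(ipaddress.IPv6Address(raw[8:24]))  # after flowinfo
    elif family == AF_UNIX:
        path = raw[2:]
        if path[:1] == b"\0":  # abstract namespace: leading NUL, no terminator
            out["path"] = "@" + path[1:].rstrip(b"\0").decode(errors="replace")
        else:
            out["path"] = path.split(b"\0", 1)[0].decode(errors="replace")
    else:
        out["raw"] = raw[2:].hex()
    return out


def find_zero_port_records(lines):
    """Return (audit id, addr) for AF_INET records whose port decodes to 0.

    A zero port is a faithful decode of bytes 2..3 of the record, not a
    decoder bug.  What it means depends on the syscall that produced the
    record, so these are worth correlating with the matching SYSCALL record
    (same audit id) instead of being dropped as malformed.
    """
    hits = []
    for line in lines:
        m = SADDR_RE.search(line)
        if not m:
            continue
        info = decode_saddr(m.group(1))
        if info["family"] == AF_INET and info["port"] == 0:
            ident = AUDIT_ID_RE.search(line)
            hits.append((ident.group(1) if ident else "", info["addr"]))
    return hits


# Constructed sample records: the six saddr values are the ones posted in
# the thread; the timestamps and serial numbers are made up.
SAMPLE_LINES = [
    "type=SOCKADDR msg=audit(1459400000.101:1001): saddr=020000358A0F6C0B0000000000000000",
    "type=SOCKADDR msg=audit(1459400000.102:1002): saddr=0200006F8A0FA5090000000000000000",
    "type=SOCKADDR msg=audit(1459400000.103:1003): saddr=0200030B8A0FA5090000000000000000",
    "type=SOCKADDR msg=audit(1459400000.104:1004): saddr=0200000036447A640000000000000000",
    "type=SOCKADDR msg=audit(1459400000.105:1005): saddr=020000003644ECD00000000000000000",
    "type=SOCKADDR msg=audit(1459400000.106:1006): saddr=02000000369520250000000000000000",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(decode_saddr(SADDR_RE.search(line).group(1)))
    print("port 0 records:", find_zero_port_records(SAMPLE_LINES))
```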




------------------------------

Message: 8
Date: Thu, 31 Mar 2016 10:49:28 +0200
From: Jiri Slaby <jslaby@suse.cz>
To: paul@paul-moore.com
Cc: linux-audit@redhat.com, Jiri Slaby <jslaby@suse.cz>,
        linux-kernel@vger.kernel.org
Subject: [PATCH] audit: cleanup prune_tree_thread
Message-ID: <1459414168-5010-1-git-send-email-jslaby@suse.cz>

We can use kthread_run instead of kthread_create+wake_up_process for creating the thread.

We do not need to set the task state to TASK_RUNNING after schedule(), the process is in that state already.

And we do not need to set the state to TASK_INTERRUPTIBLE when not doing schedule() as we set the state to TASK_RUNNING immediately afterwards.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Paul Moore <paul@paul-moore.com>
Cc: Eric Paris <eparis@redhat.com>
Cc: <linux-audit@redhat.com>
---
 kernel/audit_tree.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c index 5efe9b299a12..25772476fa4a 100644
--- a/kernel/audit_tree.c
+++ b/kernel/audit_tree.c
@@ -661,10 +661,10 @@ static int tag_mount(struct vfsmount *mnt, void *arg)  static int prune_tree_thread(void *unused)  {
        for (;;) {
-               set_current_state(TASK_INTERRUPTIBLE);
-               if (list_empty(&prune_list))
+               if (list_empty(&prune_list)) {
+                       set_current_state(TASK_INTERRUPTIBLE);
                        schedule();
-               __set_current_state(TASK_RUNNING);
+               }

                mutex_lock(&audit_cmd_mutex);
                mutex_lock(&audit_filter_mutex);
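Review bot: moving `set_current_state(TASK_INTERRUPTIBLE)` after the `list_empty(&prune_list)` check opens a window between the check and the state change in which a wakeup finds the thread still TASK_RUNNING and is dropped, so the thread then sleeps with a non-empty `prune_list` until some later wakeup arrives. The removed ordering (set the state, test the condition, then `schedule()`) is the standard pattern that closes that window, and the commit message only argues about the no-sleep path. Either keep the state change ahead of the check, i.e.
set_current_state(TASK_INTERRUPTIBLE);
if (list_empty(&prune_list))
        schedule();
with the `__set_current_state(TASK_RUNNING)` retained for the branch that does not sleep, or state in the commit message why a delayed prune is acceptable here.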
@@ -693,16 +693,14 @@ static int audit_launch_prune(void)  {
        if (prune_thread)
                return 0;
-       prune_thread = kthread_create(prune_tree_thread, NULL,
+       prune_thread = kthread_run(prune_tree_thread, NULL,
                                "audit_prune_tree");
        if (IS_ERR(prune_thread)) {
                pr_err("cannot start thread audit_prune_tree");
                prune_thread = NULL;
                return -ENOMEM;
-       } else {
-               wake_up_process(prune_thread);
-               return 0;
        }
+       return 0;
 }

 /* called with audit_filter_mutex */
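Review bot: the error path still returns -ENOMEM for every failure of `kthread_run()` (the unchanged `return -ENOMEM;` context line), and the unchanged `pr_err("cannot start thread audit_prune_tree");` has no trailing newline; since this hunk already restructures that block, consider `return PTR_ERR(prune_thread);` and a `\n` on the message. The `kthread_run()` substitution itself is equivalent to the removed `kthread_create()` + `wake_up_process()` pair, and collapsing the else branch into the single `return 0;` is fine.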
--
2.7.4



------------------------------

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

End of Linux-audit Digest, Vol 138, Issue 9
*******************************************


* Re: Linux Auditd app for Splunk
  2016-04-01  7:34 Maupertuis Philippe
@ 2016-04-01  8:09 ` Douglas Brown
  0 siblings, 0 replies; 6+ messages in thread
From: Douglas Brown @ 2016-04-01  8:09 UTC (permalink / raw)
  To: Maupertuis Philippe; +Cc: linux-audit@redhat.com


> On 1 Apr 2016, at 5:37 PM, Maupertuis Philippe <philippe.maupertuis@worldline.com> wrote:
> 
> The splunk app seems very promising.
> Is there a way to use it when audit records are sent to a central syslog server before feeding Splunk.
> For now, the auditd  record are prefixed by syslog information when received by Splunk.

Yep, make a 'local' directory in the TA app; copy the TA's default props.conf to the local directory; uncomment the block at the top of the file, then install the TA on the heavy forwarders/indexers that cook your syslogged audit events.

Cheers,
Doug

> -----Message d'origine-----
> De : linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] De la part de linux-audit-request@redhat.com
> Envoyé : jeudi 31 mars 2016 18:00
> À : linux-audit@redhat.com
> Objet : Linux-audit Digest, Vol 138, Issue 9
> 
> Send Linux-audit mailing list submissions to
>        linux-audit@redhat.com
> 
> To subscribe or unsubscribe via the World Wide Web, visit
>        https://www.redhat.com/mailman/listinfo/linux-audit
> or, via email, send a message with subject or body 'help' to
>        linux-audit-request@redhat.com
> 
> You can reach the person managing the list at
>        linux-audit-owner@redhat.com
> 
> When replying, please edit your Subject line so it is more specific than "Re: Contents of Linux-audit digest..."
> 
> 
> Today's Topics:
> 
>   1. Linux Auditd app for Splunk (Douglas Brown)
>   2. Re: auditd reports port number '0' for connect() system call
>      (Steve Grubb)
>   3. Re: Linux Auditd app for Splunk (Steve Grubb)
>   4. Re: Linux Auditd app for Splunk (F Rafi)
>   5. Re: Linux Auditd app for Splunk (Douglas Brown)
>   6. Re: auditd reports port number '0' for connect() system call
>      (Kangkook Jee)
>   7. Re: auditd reports port number '0' for connect() system call
>      (Kangkook Jee)
>   8. [PATCH] audit: cleanup prune_tree_thread (Jiri Slaby)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Wed, 30 Mar 2016 22:34:39 +0000
> From: Douglas Brown <doug.brown@qut.edu.au>
> To: "linux-audit@redhat.com" <linux-audit@redhat.com>
> Subject: Linux Auditd app for Splunk
> Message-ID: <64E84EA2-7954-4B57-857C-DD3B1009A0CB@qut.edu.au>
> Content-Type: text/plain; charset="utf-8"
> 
> Hi all,
> 
> This week I released version 2 of the Linux Auditd app for Splunk: https://splunkbase.splunk.com/app/2642/
> 
> Be sure to let me know if you have any suggestions for improvements.
> 
> Cheers,
> Doug
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <https://www.redhat.com/archives/linux-audit/attachments/20160330/5a7aca52/attachment.html>
> 
> ------------------------------
> 
> Message: 2
> Date: Wed, 30 Mar 2016 19:29:58 -0400
> From: Steve Grubb <sgrubb@redhat.com>
> To: linux-audit@redhat.com
> Subject: Re: auditd reports port number '0' for connect() system call
> Message-ID: <1876918.F3mpSQW0Wx@x2>
> Content-Type: text/plain; charset="us-ascii"
> 
>> On Tuesday, March 29, 2016 11:19:24 PM Kangkook Jee wrote:
>> If I understood correctly, connect() should return error when sin_port
>> field is set with '0'. Would anyone explain this to me or help me with
>> fix this problem?
> 
> I get 779 as the port from your event.
> 
> -Steve
> 
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Wed, 30 Mar 2016 20:46:58 -0400
> From: Steve Grubb <sgrubb@redhat.com>
> To: linux-audit@redhat.com
> Subject: Re: Linux Auditd app for Splunk
> Message-ID: <97302213.LyDR1vQNKZ@x2>
> Content-Type: text/plain; charset="us-ascii"
> 
> Hello,
> 
>> On Wednesday, March 30, 2016 10:34:39 PM Douglas Brown wrote:
>> This week I released version 2 of the Linux Auditd app for Splunk:
>> https://splunkbase.splunk.com/app/2642/
> 
>> Be sure to let me know if you have any suggestions for improvements.
> 
> Thanks for posting this. Its good to see utilities like this supporting the audit daemon.
> 
> If anyone else has plugins to logging frameworks, reports, helpful scripts, etc...feel free to post a notice about them. We are sort of working on a new home for the audit system at github and can probably dedicate a page to related and helpful projects.
> 
> -Steve
> 
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Thu, 31 Mar 2016 01:01:10 -0400
> From: F Rafi <farhanible@gmail.com>
> To: doug.brown@qut.edu.au
> Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
> Subject: Re: Linux Auditd app for Splunk
> Message-ID:
>        <CABXp1cuoqfJJ=UyWPRnhb6qVPu9tnQNZKSvaFiSXwLGkfSBWLw@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> "I've turned SELinux off ... and as per Dan Walsh that's a bad thing."
> Love it.
> 
> Some questions.
> 
> *1. For the Severe Events panel: *Where is the severity coming from? The auditd logs don't show a severity rating.
> 
> *2. AUID to username mapping: *How are you doing this? Via tty logs or fetching passwd file contents somehow?
> 
> Thanks,
> Farhan
> 
>> On Wed, Mar 30, 2016 at 8:46 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>> 
>> Hello,
>> 
>>> On Wednesday, March 30, 2016 10:34:39 PM Douglas Brown wrote:
>>> This week I released version 2 of the Linux Auditd app for Splunk:
>>> https://splunkbase.splunk.com/app/2642/
>> 
>>> Be sure to let me know if you have any suggestions for improvements.
>> 
>> Thanks for posting this. Its good to see utilities like this
>> supporting the audit daemon.
>> 
>> If anyone else has plugins to logging frameworks, reports, helpful
>> scripts, etc...feel free to post a notice about them. We are sort of
>> working on a new home for the audit system at github and can probably
>> dedicate a page to related and helpful projects.
>> 
>> -Steve
>> 
>> --
>> Linux-audit mailing list
>> Linux-audit@redhat.com
>> https://www.redhat.com/mailman/listinfo/linux-audit
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <https://www.redhat.com/archives/linux-audit/attachments/20160331/45646706/attachment.html>
> 
> ------------------------------
> 
> Message: 5
> Date: Thu, 31 Mar 2016 05:18:22 +0000
> From: Douglas Brown <doug.brown@qut.edu.au>
> To: F Rafi <farhanible@gmail.com>
> Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
> Subject: Re: Linux Auditd app for Splunk
> Message-ID: <D3C762FA-9B17-4272-B20F-640DD2EF273C@qut.edu.au>
> Content-Type: text/plain; charset="utf-8"
> 
> Hi Farhan,
> 
> Good question. There?s no source of truth (that I know of) for the severity of auditd event types so I created a lookup based upon my experience. Here it is: https://github.com/doksu/splunk_auditd/blob/master/linux-auditd/appserver/addons/TA_linux-auditd/lookups/audit_types.csv
> 
> Naturally you can change it to suit your environment but any suggestions for improvement are much appreciated. :)
> 
> The app has three identities lookups it merges together: local, directory and learnt. The first two you?re meant to populate (see here for more details: https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#configuration), but technically you don?t have to bother because version 2 automatically learns posix identities being used in your environment by periodically updating the ?learnt? lookup based upon USER_START events.
> 
> Cheers,
> Doug
> 
> From: F Rafi <farhanible@gmail.com<mailto:farhanible@gmail.com>>
> Date: Thursday, 31 March 2016 at 3:01 PM
> To: Doksu <doug.brown@qut.edu.au<mailto:doug.brown@qut.edu.au>>
> Cc: "linux-audit@redhat.com<mailto:linux-audit@redhat.com>" <linux-audit@redhat.com<mailto:linux-audit@redhat.com>>, Steve Grubb <sgrubb@redhat.com<mailto:sgrubb@redhat.com>>
> Subject: Re: Linux Auditd app for Splunk
> 
> "I've turned SELinux off ... and as per Dan Walsh that's a bad thing."   Love it.
> 
> Some questions.
> 
> 1. For the Severe Events panel: Where is the severity coming from? The auditd logs don't show a severity rating.
> 
> 2. AUID to username mapping: How are you doing this? Via tty logs or fetching passwd file contents somehow?
> 
> Thanks,
> Farhan
> 
> On Wed, Mar 30, 2016 at 8:46 PM, Steve Grubb <sgrubb@redhat.com<mailto:sgrubb@redhat.com>> wrote:
> Hello,
> 
>> On Wednesday, March 30, 2016 10:34:39 PM Douglas Brown wrote:
>> This week I released version 2 of the Linux Auditd app for Splunk:
>> https://splunkbase.splunk.com/app/2642/
> 
>> Be sure to let me know if you have any suggestions for improvements.
> 
> Thanks for posting this. Its good to see utilities like this supporting the audit daemon.
> 
> If anyone else has plugins to logging frameworks, reports, helpful scripts, etc...feel free to post a notice about them. We are sort of working on a new home for the audit system at github and can probably dedicate a page to related and helpful projects.
> 
> -Steve
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com<mailto:Linux-audit@redhat.com>
> https://www.redhat.com/mailman/listinfo/linux-audit
> 
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <https://www.redhat.com/archives/linux-audit/attachments/20160331/6f026b8c/attachment.html>
> 
> ------------------------------
> 
> Message: 6
> Date: Thu, 31 Mar 2016 07:33:18 -0400
> From: Kangkook Jee <aixer77@gmail.com>
> To: Steve Grubb <sgrubb@redhat.com>
> Cc: linux-audit@redhat.com
> Subject: Re: auditd reports port number '0' for connect() system call
> Message-ID: <46420AF1-CBB8-45E2-B0BA-71A788AEEC43@gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> Dear Steve,
> 
> Thanks a lot for your quick response.
> Would you tell me from what saddr fields that you get the port number value ?779??
> 
> This might indicate my code to extract the field might be wrong. Would you also inform me what is the correct way to decode saddr string?
> 
> Thanks again!
> 
> Regards, Kangkook
> 
> 
>> On Mar 30, 2016, at 7:29 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>> 
>> On Tuesday, March 29, 2016 11:19:24 PM Kangkook Jee wrote:
>>> If I understood correctly, connect() should return error when
>>> sin_port field is set with '0'. Would anyone explain this to me or
>>> help me with fix this problem?
>> 
>> I get 779 as the port from your event.
>> 
>> -Steve
> 
> ------------------------------
> 
> Message: 7
> Date: Thu, 31 Mar 2016 08:54:30 -0400
> From: Kangkook Jee <aixer77@gmail.com>
> To: Steve Grubb <sgrubb@redhat.com>
> Cc: linux-audit@redhat.com
> Subject: Re: auditd reports port number '0' for connect() system call
> 
> Message-ID: <AE5F3C07-3DA7-4DD9-9B9D-7807518DB4A6@gmail.com>
> Content-Type: text/plain; charset=utf-8
> 
> I checked with the strings that I provided in the previous email.
> 
> The first three gave me proper port numbers.
> 
> $ ~/bin/sock_decode 020000358A0F6C0B0000000000000000
> 020000358A0F6C0B0000000000000000: sa_family: 2 addr: 191631242, port: 53 (13568)
> $ ~/bin/sock_decode 0200006F8A0FA5090000000000000000
> 0200006F8A0FA5090000000000000000: sa_family: 2 addr: 161812362, port: 111 (28416)
> $ ~/bin/sock_decode 0200030B8A0FA5090000000000000000
> 0200030B8A0FA5090000000000000000: sa_family: 2 addr: 161812362, port: 779 (2819)
> 
> But the last three didn't:
> 
> $ ~/bin/sock_decode 0200000036447A640000000000000000
> 0200000036447A640000000000000000: sa_family: 2 addr: 1685734454, port: 0 (0)
> $ ~/bin/sock_decode 020000003644ECD00000000000000000
> 020000003644ECD00000000000000000: sa_family: 2 addr: 3505144886, port: 0 (0)
> $ ~/bin/sock_decode 02000000369520250000000000000000
> 02000000369520250000000000000000: sa_family: 2 addr: 622892342, port: 0 (0)
> 
> Would you check this out?
> 
> /Kangkook
> 
>> On Mar 30, 2016, at 7:29 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>> 
>> On Tuesday, March 29, 2016 11:19:24 PM Kangkook Jee wrote:
>>> If I understood correctly, connect() should return error when
>>> sin_port field is set with '0'. Would anyone explain this to me or
>>> help me with fix this problem?
>> 
>> I get 779 as the port from your event.
>> 
>> -Steve
> 
> ------------------------------
> 
> Message: 8
> Date: Thu, 31 Mar 2016 10:49:28 +0200
> From: Jiri Slaby <jslaby@suse.cz>
> To: paul@paul-moore.com
> Cc: linux-audit@redhat.com, Jiri Slaby <jslaby@suse.cz>,
>        linux-kernel@vger.kernel.org
> Subject: [PATCH] audit: cleanup prune_tree_thread
> Message-ID: <1459414168-5010-1-git-send-email-jslaby@suse.cz>
> 
> We can use kthread_run instead of kthread_create+wake_up_process for creating the thread.
> 
> We do not need to set the task state to TASK_RUNNING after schedule(), the process is in that state already.
> 
> And we do not need to set the state to TASK_INTERRUPTIBLE when not doing schedule() as we set the state to TASK_RUNNING immediately afterwards.
> 
> Signed-off-by: Jiri Slaby <jslaby@suse.cz>
> Cc: Paul Moore <paul@paul-moore.com>
> Cc: Eric Paris <eparis@redhat.com>
> Cc: <linux-audit@redhat.com>
> ---
> kernel/audit_tree.c | 12 +++++-------
> 1 file changed, 5 insertions(+), 7 deletions(-)
> 
> diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c index 5efe9b299a12..25772476fa4a 100644
> --- a/kernel/audit_tree.c
> +++ b/kernel/audit_tree.c
> @@ -661,10 +661,10 @@ static int tag_mount(struct vfsmount *mnt, void *arg)  static int prune_tree_thread(void *unused)  {
>        for (;;) {
> -               set_current_state(TASK_INTERRUPTIBLE);
> -               if (list_empty(&prune_list))
> +               if (list_empty(&prune_list)) {
> +                       set_current_state(TASK_INTERRUPTIBLE);
>                        schedule();
> -               __set_current_state(TASK_RUNNING);
> +               }
> 
>                mutex_lock(&audit_cmd_mutex);
>                mutex_lock(&audit_filter_mutex);
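Review bot: in prune_tree_thread() the reorder puts set_current_state(TASK_INTERRUPTIBLE) after the list_empty(&prune_list) test, which opens a lost-wakeup window that the original order did not have: a wake_up_process() that arrives after the test has seen an empty list but before the state change finds the thread still TASK_RUNNING and has no effect, so the thread then enters schedule() with an entry already on prune_list and stays there until the next wakeup. Setting the state before testing the condition and only then calling schedule() is the standard idiom precisely because of that window; the part of the commit message that holds is that __set_current_state(TASK_RUNNING) is redundant right after schedule() returns. Suggest keeping set_current_state() above the test and limiting the cleanup to the non-sleeping branch, e.g. `if (list_empty(&prune_list)) schedule(); else __set_current_state(TASK_RUNNING);`, or stating in the changelog which lock orders the list update against this check so that the reorder is safe.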
> @@ -693,16 +693,14 @@ static int audit_launch_prune(void)  {
>        if (prune_thread)
>                return 0;
> -       prune_thread = kthread_create(prune_tree_thread, NULL,
> +       prune_thread = kthread_run(prune_tree_thread, NULL,
>                                "audit_prune_tree");
>        if (IS_ERR(prune_thread)) {
>                pr_err("cannot start thread audit_prune_tree");
>                prune_thread = NULL;
>                return -ENOMEM;
> -       } else {
> -               wake_up_process(prune_thread);
> -               return 0;
>        }
> +       return 0;
> }
> 
> /* called with audit_filter_mutex */
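Review bot: the IS_ERR(prune_thread) path next to the kthread_run() change still returns a hard-coded -ENOMEM and discards the error that kthread_run() actually reported in the pointer; since the patch is restructuring this block anyway, capture `int err = PTR_ERR(prune_thread);` before `prune_thread = NULL;` and `return err;`. Two smaller points in the same hunk: the pr_err() format string has no trailing "\n", and the unchanged continuation line `"audit_prune_tree");` was aligned to the opening parenthesis of kthread_create(, which is two characters longer than kthread_run(, so it now needs re-indenting.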
> --
> 2.7.4
> 
> 
> 
> ------------------------------
> 
> End of Linux-audit Digest, Vol 138, Issue 9
> *******************************************
> 

^ permalink raw reply	[flat|nested] 6+ messages in thread
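The saddr question in the quoted digest (why Kangkook's decoder reports port 0 for some connect() records) comes down to how the hex string in an audit SOCKADDR record is laid out. The decoder below is an added example written for this page; it is not Kangkook's sock_decode tool, not auditd's own decoding, and not code from the thread. It assumes the struct sockaddr bytes were captured on a little-endian host (so sa_family is read little-endian, while the port fields are network byte order), and the audit log lines it runs over are constructed for the example, wrapping the six saddr strings from the thread in a SOCKADDR record layout. It goes a little beyond the thread by also decoding AF_INET6 and AF_UNIX addresses and by pulling the saddr= field out of a whole log line.

```python
import ipaddress
import re
import struct

# sa_family values as defined on Linux (include/linux/socket.h)
AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10


def decode_saddr(hexstr):
    """Decode the hex-encoded struct sockaddr from an audit SOCKADDR record.

    The kernel copies the raw sockaddr bytes the caller handed to connect()/
    bind()/sendto(), so sa_family is in host byte order (little-endian is
    assumed here, as on x86), while sin_port/sin6_port are in network byte
    order. Returns a dict describing the address.
    """
    raw = bytes.fromhex(hexstr)
    if len(raw) < 2:
        raise ValueError("saddr shorter than sa_family")
    (family,) = struct.unpack_from("<H", raw, 0)

    if family == AF_INET:
        # struct sockaddr_in: family(2) port(2, BE) addr(4) zero padding(8)
        if len(raw) < 8:
            raise ValueError("truncated sockaddr_in")
        (port,) = struct.unpack_from("!H", raw, 2)
        return {"family": "AF_INET",
                "addr": str(ipaddress.IPv4Address(raw[4:8])),
                "port": port}

    if family == AF_INET6:
        # struct sockaddr_in6: family(2) port(2, BE) flowinfo(4) addr(16) scope_id(4)
        if len(raw) < 24:
            raise ValueError("truncated sockaddr_in6")
        (port,) = struct.unpack_from("!H", raw, 2)
        return {"family": "AF_INET6",
                "addr": str(ipaddress.IPv6Address(raw[8:24])),
                "port": port}

    if family == AF_UNIX:
        # struct sockaddr_un: family(2) then sun_path; a leading NUL marks an
        # abstract-namespace socket, shown here with a leading '@'.
        path = raw[2:]
        if path[:1] == b"\0":
            name = "@" + path[1:].rstrip(b"\0").decode("utf-8", "replace")
        else:
            name = path.split(b"\0", 1)[0].decode("utf-8", "replace")
        return {"family": "AF_UNIX", "path": name}

    # Anything else: report the family number and the remaining bytes untouched.
    return {"family": family, "raw": raw[2:].hex()}


SADDR_RE = re.compile(r"\bsaddr=([0-9A-Fa-f]+)")


def decode_record(line):
    """Pull the saddr= field out of one audit log line and decode it.

    Returns None when the line carries no saddr (e.g. a SYSCALL record).
    """
    m = SADDR_RE.search(line)
    return decode_saddr(m.group(1)) if m else None


def zero_port_connects(lines):
    """Return the decoded IPv4/IPv6 addresses whose port is 0.

    Because the kernel records the bytes the caller supplied, a correctly
    decoded port of 0 means the program really passed sin_port == 0; the
    SYSCALL record with the same audit serial shows whether the kernel
    accepted the call (success=/exit=).
    """
    hits = []
    for line in lines:
        d = decode_record(line)
        if d and d["family"] in ("AF_INET", "AF_INET6") and d["port"] == 0:
            hits.append(d)
    return hits


# Constructed sample records (not from the thread's logs): the saddr values
# are the six strings posted in the digest, wrapped in a SOCKADDR record.
SAMPLE_RECORDS = [
    "type=SOCKADDR msg=audit(1459360000.001:1001): saddr=020000358A0F6C0B0000000000000000",
    "type=SOCKADDR msg=audit(1459360000.002:1002): saddr=0200006F8A0FA5090000000000000000",
    "type=SOCKADDR msg=audit(1459360000.003:1003): saddr=0200030B8A0FA5090000000000000000",
    "type=SOCKADDR msg=audit(1459360000.004:1004): saddr=0200000036447A640000000000000000",
    "type=SOCKADDR msg=audit(1459360000.005:1005): saddr=020000003644ECD00000000000000000",
    "type=SOCKADDR msg=audit(1459360000.006:1006): saddr=02000000369520250000000000000000",
]

if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        print(decode_record(line))
    print("port-0 connects:", len(zero_port_connects(SAMPLE_RECORDS)))
```

Run against the six strings from the thread, the first three decode to ports 53, 111 and 779 and the last three to port 0, the same result sock_decode printed: bytes 3 and 4 of those three records are genuinely 0000, so the decoder is not at fault and the port 0 is what the calling program passed to connect(). The (13568) style numbers in sock_decode's output are the same port bytes read little-endian, which is why they look unrelated to the real port.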

end of thread, other threads:[~2016-04-01  8:09 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-03-30 22:34 Linux Auditd app for Splunk Douglas Brown
2016-03-31  0:46 ` Steve Grubb
2016-03-31  5:01   ` F Rafi
2016-03-31  5:18     ` Douglas Brown
  -- strict thread matches above, loose matches on Subject: below --
2016-04-01  7:34 Maupertuis Philippe
2016-04-01  8:09 ` Douglas Brown

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox