* audit releases in recent RHEL releases (eg 6 and 7)
From: Burn Alting @ 2015-07-29 7:43 UTC (permalink / raw)
To: linux-audit
All,
I know this more a question for Red Hat, but before I approach my local
Red Hat rep, does anyone on the list know why RHEL6 only implements up
to a version of 2.3.7 yet RHEL7 goes up to a version of 2.4.1.
Basically, I want to know if RHEL6 can accept some elements from the
2.4[.0] release if I ask really really reeeeeeeeeally nicely.
Rgds
^ permalink raw reply
* Re: Watching over non-existent folder to maintain a generic audit.rules file
From: Florian Crouzat @ 2015-07-29 6:24 UTC (permalink / raw)
To: linux-audit
In-Reply-To: <1438123148.26354.116.camel@swtf.swtf.dyndns.org>
On 07/29/2015 12:39 AM, Burn Alting wrote:
> On Tue, 2015-07-28 at 15:23 -0400, Steve Grubb wrote:
>> On Tuesday, July 28, 2015 05:26:18 PM Florian Crouzat wrote:
>>> Unfortunately, I do not only watch over system-related files and folders
>>> but also applicative ones (eg custom path where some private keys are
>>> stored, etc) ..
>>> My problem is that these folders do not exists on all hosts thus making
>>> it impossible to write a generic audit.rules files.
>>
>> What kernel are you using? And user space package?
>>
>>
>>> As I said, I have thousands of hosts and I can't imagine deploying
>>> different files on every hosts depending on the profile of the host.
>>> I know puppet could help me for this kind of stuff but I don't have it
>>> yet and even though, it would be difficult to configure.
>>
>> As of the 2.3 user space release, there is a utility, augenrules which takes
>> files in /etc/audit/rules.d/ and compiles them into an audit.rules file. So, it
>> would be possible for you to package up some rules for bind and install them
>> when you install bind and have your package install a
>> /etc/audit/rules.d/bind.rules file. You can have a base config, and then one for
>> each kind of daemon or role that the machine serves.
>>
>>
>>> How do you guys usually workaround this issue ? I'm pretty sure I'm not
>>> the first one wanting to deploy a generic hardening across many hosts
>>> (but maybe I'm the only one using auditd to watch over something else
>>> than pure system-related stuff?
>>
>> Others can chime in here.
>
> As Steve suggests, you should base you efforts around augenrules ...
> that why it was written. If you have a project that delivers a new
> capability, then part of the security element of it's transition to
> operations would be to have the project identify the sensitive files and
> have the system administrators deploy project specific .rules files
> in /etc/audit/rules.d to monitor them.
>
> If you have pre 2.3 audit user space deployments, then it is not
> difficult to deploy your own augenrules setup, but don't deploy it in
> the 'production' locations ... it's a bitch to remove when a 2.3 audit
> user space upgrade comes ... lots of rpm clashes.
>
> A word to the wise on file watches. If you have a capability who's
> 'service/process' continually accesses configuration files you will
> typically mask this out by having the service start under the init.d
> regime at boot time and configure auditd to not monitor the 'unset'
> auid. The problem comes when a sustainment staff member, elevates
> privilege, and restarts the service. At this, all file accesses by the
> service/process will be attributed to the sustainment staff members uid,
> not the 'unset' user. This appears to have been addressed by systemd, so
> if your Linux release supports systemd, and you configure your
> application to use it appropriately, it will not have the problem.
> There are workarounds for the init.d based service regime, but that will
> have to be a separate post if ane are interested.
>
Hey,
Thanks for the answers.
I have both up-to-date EL6 and EL7 hosts with latests kernel available
in base channel so I think it means I have >=2.3 auditd package.
I'll definitely have a look into augenrules and how to use it.
I'll probably come back at you with mores questions after that.
Florian
^ permalink raw reply
* Re: Watching over non-existent folder to maintain a generic audit.rules file
From: Burn Alting @ 2015-07-28 22:39 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <1795651.WB0YxzRxgh@x2>
On Tue, 2015-07-28 at 15:23 -0400, Steve Grubb wrote:
> On Tuesday, July 28, 2015 05:26:18 PM Florian Crouzat wrote:
> > Unfortunately, I do not only watch over system-related files and folders
> > but also applicative ones (eg custom path where some private keys are
> > stored, etc) ..
> > My problem is that these folders do not exists on all hosts thus making
> > it impossible to write a generic audit.rules files.
>
> What kernel are you using? And user space package?
>
>
> > As I said, I have thousands of hosts and I can't imagine deploying
> > different files on every hosts depending on the profile of the host.
> > I know puppet could help me for this kind of stuff but I don't have it
> > yet and even though, it would be difficult to configure.
>
> As of the 2.3 user space release, there is a utility, augenrules which takes
> files in /etc/audit/rules.d/ and compiles them into an audit.rules file. So, it
> would be possible for you to package up some rules for bind and install them
> when you install bind and have your package install a
> /etc/audit/rules.d/bind.rules file. You can have a base config, and then one for
> each kind of daemon or role that the machine serves.
>
>
> > How do you guys usually workaround this issue ? I'm pretty sure I'm not
> > the first one wanting to deploy a generic hardening across many hosts
> > (but maybe I'm the only one using auditd to watch over something else
> > than pure system-related stuff?
>
> Others can chime in here.
As Steve suggests, you should base you efforts around augenrules ...
that why it was written. If you have a project that delivers a new
capability, then part of the security element of it's transition to
operations would be to have the project identify the sensitive files and
have the system administrators deploy project specific .rules files
in /etc/audit/rules.d to monitor them.
If you have pre 2.3 audit user space deployments, then it is not
difficult to deploy your own augenrules setup, but don't deploy it in
the 'production' locations ... it's a bitch to remove when a 2.3 audit
user space upgrade comes ... lots of rpm clashes.
A word to the wise on file watches. If you have a capability who's
'service/process' continually accesses configuration files you will
typically mask this out by having the service start under the init.d
regime at boot time and configure auditd to not monitor the 'unset'
auid. The problem comes when a sustainment staff member, elevates
privilege, and restarts the service. At this, all file accesses by the
service/process will be attributed to the sustainment staff members uid,
not the 'unset' user. This appears to have been addressed by systemd, so
if your Linux release supports systemd, and you configure your
application to use it appropriately, it will not have the problem.
There are workarounds for the init.d based service regime, but that will
have to be a separate post if ane are interested.
Burn
^ permalink raw reply
* Re: Using audit as extended inotify
From: Steve Grubb @ 2015-07-28 19:30 UTC (permalink / raw)
To: linux-audit; +Cc: Tyler Hardin
In-Reply-To: <CAJwFvsVE2csA1hJoiShDH_mQS0no1n_Fn+DrhjYu2zs6i8PboA@mail.gmail.com>
On Monday, July 27, 2015 07:30:33 PM Tyler Hardin wrote:
> I want to monitor file and directory creation, modification, and deletion
> on some large subtrees (/etc/, /usr/share/, and ~/.config/). And I want the
> name of the executable that caused the event. The purpose will be to
> facilitate cruft detection and removal.
You cannot use globbing in the path.
> Can audit do this? Will using it to do this with such large subtrees become
> a performance issue?
It sort of can. You can monitor directory creation, file creation, and
deletion. Modification is where you start to have an issue. What you can see is
the file is opened with a write flag. But you have no idea if it actually
changed the file. You should be able to see the process doing it. But, I think
you might get a lot of records to process. Give it a try.
-Steve
^ permalink raw reply
* Re: Watching over non-existent folder to maintain a generic audit.rules file
From: Steve Grubb @ 2015-07-28 19:23 UTC (permalink / raw)
To: linux-audit
In-Reply-To: <55B79F1A.1040207@floriancrouzat.net>
On Tuesday, July 28, 2015 05:26:18 PM Florian Crouzat wrote:
> Unfortunately, I do not only watch over system-related files and folders
> but also applicative ones (eg custom path where some private keys are
> stored, etc) ..
> My problem is that these folders do not exists on all hosts thus making
> it impossible to write a generic audit.rules files.
What kernel are you using? And user space package?
> As I said, I have thousands of hosts and I can't imagine deploying
> different files on every hosts depending on the profile of the host.
> I know puppet could help me for this kind of stuff but I don't have it
> yet and even though, it would be difficult to configure.
As of the 2.3 user space release, there is a utility, augenrules which takes
files in /etc/audit/rules.d/ and compiles them into an audit.rules file. So, it
would be possible for you to package up some rules for bind and install them
when you install bind and have your package install a
/etc/audit/rules.d/bind.rules file. You can have a base config, and then one for
each kind of daemon or role that the machine serves.
> How do you guys usually workaround this issue ? I'm pretty sure I'm not
> the first one wanting to deploy a generic hardening across many hosts
> (but maybe I'm the only one using auditd to watch over something else
> than pure system-related stuff?
Others can chime in here.
-Steve
^ permalink raw reply
* Re: Audit Class Lab
From: Steve Grubb @ 2015-07-28 19:03 UTC (permalink / raw)
To: linux-audit; +Cc: Maupertuis Philippe
In-Reply-To: <A35547AE65CDA84F93D4012BDFB5D55574EB8D68A7@FRVDX100.fr01.awl.atosorigin.net>
On Tuesday, July 28, 2015 03:05:06 PM Maupertuis Philippe wrote:
> Hi,
> A little off topic, but maybe the answer is known.
> is there a similar event to 2015 Defense in Depth in Europe.
> I would have a hard time to get approval for a one day session in the US.
Out of curiosity, is there a security conference in Europe that proposing the
audit lab would be a fit for? I don't know the conferences there and would be
willing to entertain suggestions - offlist.
Thanks,
-Steve
^ permalink raw reply
* Re: Error at compiling audit 4.2.2
From: Steve Grubb @ 2015-07-28 18:18 UTC (permalink / raw)
To: linux-audit
In-Reply-To: <23396023F719ED41888885C3B22D602F02684C@WPEXCH2010MR11.bur.hydro.qc.ca>
On Tuesday, July 28, 2015 03:14:26 PM Alarie, Maxime wrote:
> Not sure if you guys provide support for this,
>
> I am trying to compile auditd 4.2.2 and Iam using python 2.6..
I presume you mean 2.4.2. It should work for python 2.6.
> I get this error and I was wondering if it cou;s be fixed. Or If I
> absolutely need to use pythoin 2.7:
>
> Command entered: /configure --sbindir=/sbin --with-python=yes --with-libwrap
> --enable-gssapi-krb5=yes --with-libcap-ng=yes
>
> Error (checking header files section):
> Checking for header files
> checking for ANSI C header files... (cached) yes
> checking whether time.h and sys/time.h may both be included... yes
> checking for an ANSI C-conforming const... yes
> checking for inline... inline
> checking size of unsigned int... 4
> checking size of unsigned long... 8
> checking whether MS_DIRSYNC is declared... yes
> checking whether AUDIT_FEATURE_VERSION is declared... no
> checking whether AUDIT_VERSION_BACKLOG_WAIT_TIME is declared... no
> checking whether to create python bindings... testing
> checking for python... /usr/bin/python
> checking for python version... 2.6
> checking for python platform... linux2
> checking for python script directory...
> ${prefix}/lib64/python2.6/site-packages checking for python extension
> module directory... ${exec_prefix}/lib64/python2.6/site-packages configure:
> error: Python explicitly required and python headers found
Hmm...I see a typo in the output, but its not your problem. What configure is
doing is something like
ls -l `python -c "from distutils import sysconfig;
print(sysconfig.get_config_var('INCLUDEPY'))"`/Python.h.
>
> any tips would help, I can even use an older version if necessary.
You might need a python devel package. Its looking for the Python.h file.
> I just need to upgrade 1.8. (SLES 11)
Well, that is a problem. The audit 1.8 series has a different ABI than the 2.x
series. That means that functions were deprecated and new functions with extra
parameters were added, This means a lot of user space needs patching because
they call the wrong function and its gone. For the 1.8 series, there are no
real upgrades except doing the whole OS.
-Steve
^ permalink raw reply
* Re: [PATCH 1/2] audit: log binding and unbinding to netlink multicast socket
From: Paul Moore @ 2015-07-28 15:39 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <2526137.LbuDOm1n06@x2>
On Tuesday, July 28, 2015 10:31:54 AM Steve Grubb wrote:
> On Friday, July 24, 2015 06:54:27 PM Paul Moore wrote:
> > On Thursday, July 23, 2015 04:45:10 PM Steve Grubb wrote:
> > > The audit subsystem could use a function that logs the commonly needed
> > > fields for a typical audit event. This logs less that
> > > audit_log_task_info
> > > and reduces the need to hand code individual fields.
> > >
> > > Signed-off-by: Steve Grubb <sgrubb@redhat.com>
> > > ---
> > >
> > > include/linux/audit.h | 5 +++++
> > > kernel/audit.c | 35 +++++++++++++++++++++++++++++++++++
> > > 2 files changed, 40 insertions(+)
> >
> > Additional comments below, but I'd like to see this patch change
> > audit_log_task_info() to call audit_log_task_simple()
>
> They really can't without messing up parsers. The order is different for a
> reason. The audit_log_task_info records all kinds of stuff that is really
> not needed. It does pids, current credentials, extended uid, extended gid,
> and then tty and session, comm, exe, and then context. This wastes disk
> space.
If we can't use _task_simple() inside of _task_info() then just use
audit_log_task_info(). Yes, it probably wastes a few extra bytes each time
these records are generated, but these records aren't likely to be frequent.
> The new function is what should be used for most cases because it sticks to
> what is necessary for "hardwired" events - those that are not dictated by
> syscall or file watches. It provides pid, uid, auid, tty, session, context,
> comm, exe. Because it jettisons all the stuff that doesn't matter, one
> cannot call the other.
Where can we use _task_simple() beyond these new records? Show me this has
some reuse in the existing code base and I'll reconsider keeping
_task_simple(), but right now it just looks like code duplication to me.
> > ... or, why not just call audit_log_task_info() if the audit bind/unbind
> > is going to be the only one to benefit from audit_log_task_simple()? Yes,
> > I know that audit_log_task_info() records more than you need, but this
> > duplication of code because of the record format mess makes me very
> > grumpy.
>
> I'd rather see us move some other things to audit_log_task_simple over the
> long term than hand code things.
See above; we're not going to hand code things, just use _task_info().
Long term we are going to be ditching this awful fixed string format.
> > > diff --git a/kernel/audit.c b/kernel/audit.c
> > > index 1c13e42..29fb38b 100644
> > > --- a/kernel/audit.c
> > > +++ b/kernel/audit.c
> > > @@ -1100,6 +1100,41 @@ static void audit_receive(struct sk_buff *skb)
> > >
> > > mutex_unlock(&audit_cmd_mutex);
> > >
> > > }
> > >
> > > +/* This function logs the essential information needed to understand
> > > + * what or who is causing the event */
> > > +void audit_log_task_simple(struct audit_buffer *ab, struct task_struct
> > > *tsk)
> >
> > ...
> >
> > > + audit_log_format(ab, "pid=%u uid=%u auid=%u tty=%s ses=%u",
> > > + task_pid_nr(tsk),
> > > + from_kuid(&init_user_ns, cred->uid),
> > > + from_kuid(&init_user_ns, audit_get_loginuid(tsk)),
> > > + tty, audit_get_sessionid(tsk));
> >
> > You should check the format string against audit_log_task_info(); they
> > don't match.
>
> That is correct. It mostly matches the order of just about everything else.
> For example, user space originating events get this:
I was talking about some of the scalar format specifiers, e.g. "%u" vs "%d",
but it doesn't matter so much anymore as it looks like we'll need to use
_task_info().
--
paul moore
security @ redhat
^ permalink raw reply
* Watching over non-existent folder to maintain a generic audit.rules file
From: Florian Crouzat @ 2015-07-28 15:26 UTC (permalink / raw)
To: linux-audit
Hello,
I'm a bit new with auditd so excuse me if this question has been already
answered but I failed to find answers.
I'm in the process of replacing a FIM tool by auditd which is by far
more powerful but I wanted to describe all possibles files and folders
(or system calls) that I need to watch over in a generic audit.rules
files that I would deploy on thousands of hosts.
Unfortunately, I do not only watch over system-related files and folders
but also applicative ones (eg custom path where some private keys are
stored, etc) ..
My problem is that these folders do not exists on all hosts thus making
it impossible to write a generic audit.rules files.
As I said, I have thousands of hosts and I can't imagine deploying
different files on every hosts depending on the profile of the host.
I know puppet could help me for this kind of stuff but I don't have it
yet and even though, it would be difficult to configure.
How do you guys usually workaround this issue ? I'm pretty sure I'm not
the first one wanting to deploy a generic hardening across many hosts
(but maybe I'm the only one using auditd to watch over something else
than pure system-related stuff?
Thanks,
Florian
^ permalink raw reply
* Error at compiling audit 4.2.2
From: Alarie, Maxime @ 2015-07-28 15:14 UTC (permalink / raw)
To: linux-audit@redhat.com
[-- Attachment #1.1: Type: text/plain, Size: 1402 bytes --]
Not sure if you guys provide support for this,
I am trying to compile auditd 4.2.2 and Iam using python 2.6..
I get this error and I was wondering if it cou;s be fixed. Or If I absolutely need to use pythoin 2.7:
Command entered: /configure --sbindir=/sbin --with-python=yes --with-libwrap --enable-gssapi-krb5=yes --with-libcap-ng=yes
Error (checking header files section):
Checking for header files
checking for ANSI C header files... (cached) yes
checking whether time.h and sys/time.h may both be included... yes
checking for an ANSI C-conforming const... yes
checking for inline... inline
checking size of unsigned int... 4
checking size of unsigned long... 8
checking whether MS_DIRSYNC is declared... yes
checking whether AUDIT_FEATURE_VERSION is declared... no
checking whether AUDIT_VERSION_BACKLOG_WAIT_TIME is declared... no
checking whether to create python bindings... testing
checking for python... /usr/bin/python
checking for python version... 2.6
checking for python platform... linux2
checking for python script directory... ${prefix}/lib64/python2.6/site-packages
checking for python extension module directory... ${exec_prefix}/lib64/python2.6/site-packages
configure: error: Python explicitly required and python headers found
any tips would help, I can even use an older version if necessary.. I just need to upgrade 1.8. (SLES 11)
MErci
[-- Attachment #1.2: Type: text/html, Size: 5047 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply
* Re: [PATCH 1/2] audit: log binding and unbinding to netlink multicast socket
From: Steve Grubb @ 2015-07-28 14:31 UTC (permalink / raw)
To: Paul Moore; +Cc: linux-audit
In-Reply-To: <6820207.zDq67HbuRl@sifl>
On Friday, July 24, 2015 06:54:27 PM Paul Moore wrote:
> On Thursday, July 23, 2015 04:45:10 PM Steve Grubb wrote:
> > The audit subsystem could use a function that logs the commonly needed
> > fields for a typical audit event. This logs less that audit_log_task_info
> > and reduces the need to hand code individual fields.
> >
> > Signed-off-by: Steve Grubb <sgrubb@redhat.com>
> > ---
> >
> > include/linux/audit.h | 5 +++++
> > kernel/audit.c | 35 +++++++++++++++++++++++++++++++++++
> > 2 files changed, 40 insertions(+)
>
> Additional comments below, but I'd like to see this patch change
> audit_log_task_info() to call audit_log_task_simple()
They really can't without messing up parsers. The order is different for a
reason. The audit_log_task_info records all kinds of stuff that is really not
needed. It does pids, current credentials, extended uid, extended gid, and
then tty and session, comm, exe, and then context. This wastes disk space.
The new function is what should be used for most cases because it sticks to
what is necessary for "hardwired" events - those that are not dictated by
syscall or file watches. It provides pid, uid, auid, tty, session, context,
comm, exe. Because it jettisons all the stuff that doesn't matter, one cannot
call the other.
> ... or, why not just call audit_log_task_info() if the audit bind/unbind is
> going to be the only one to benefit from audit_log_task_simple()? Yes, I
> know that audit_log_task_info() records more than you need, but this
> duplication of code because of the record format mess makes me very grumpy.
I'd rather see us move some other things to audit_log_task_simple over the
long term than hand code things. This is really for "hardwired" events such as
config changes, anomalies, and access decisions by frameworks. Group ids are
only applicable to file access, so it belongs in the syscall event and nowhere
else. Ppid is useless without a mapping back to that process's name. Extended
credentials are used on file access, so we get them in syscall records. We
don't need to waste disk space.
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 1c13e42..29fb38b 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -1100,6 +1100,41 @@ static void audit_receive(struct sk_buff *skb)
> >
> > mutex_unlock(&audit_cmd_mutex);
> >
> > }
> >
> > +/* This function logs the essential information needed to understand
> > + * what or who is causing the event */
> > +void audit_log_task_simple(struct audit_buffer *ab, struct task_struct
> > *tsk)
>
> ...
>
> > + audit_log_format(ab, "pid=%u uid=%u auid=%u tty=%s ses=%u",
> > + task_pid_nr(tsk),
> > + from_kuid(&init_user_ns, cred->uid),
> > + from_kuid(&init_user_ns, audit_get_loginuid(tsk)),
> > + tty, audit_get_sessionid(tsk));
>
> You should check the format string against audit_log_task_info(); they don't
> match.
That is correct. It mostly matches the order of just about everything else.
For example, user space originating events get this:
pid=16430 uid=0 auid=4325 ses=3 subj=unconfined
anom_abend: auid=4325 uid=4325 gid=4325 ses=1 subj=unconfined pid=1680
config_change: auid=4325 ses=1
integrity: pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel
The new order is:
pid=10068 uid=0 auid=4325 tty=pts0 ses=1 subj=unconfined
comm= exe=
This is an easy switch to make in searching and reporting because things are
mostly in the same order but with extra fields or start with a different field
making it easy to decide between old and new order.
-Steve
^ permalink raw reply
* RE: Audit Class Lab
From: Maupertuis Philippe @ 2015-07-28 13:05 UTC (permalink / raw)
To: linux-audit@redhat.com
Hi,
A little off topic, but maybe the answer is known.
is there a similar event to 2015 Defense in Depth in Europe.
I would have a hard time to get approval for a one day session in the US.
Regards
Philippe
-----Message d'origine-----
De : linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] De la part de linux-audit-request@redhat.com
Envoyé : lundi 27 juillet 2015 18:00
À : linux-audit@redhat.com
Objet : Linux-audit Digest, Vol 130, Issue 18
Send Linux-audit mailing list submissions to
linux-audit@redhat.com
To subscribe or unsubscribe via the World Wide Web, visit
https://www.redhat.com/mailman/listinfo/linux-audit
or, via email, send a message with subject or body 'help' to
linux-audit-request@redhat.com
You can reach the person managing the list at
linux-audit-owner@redhat.com
When replying, please edit your Subject line so it is more specific than "Re: Contents of Linux-audit digest..."
Today's Topics:
1. Re: FTBFS with clang instead of gcc (Zbigniew J?drzejewski-Szmek)
2. Re: Audit class/lab (Steve Grubb)
----------------------------------------------------------------------
Message: 1
Date: Sun, 26 Jul 2015 21:49:50 +0000
From: Zbigniew J?drzejewski-Szmek <zbyszek@in.waw.pl>
To: Laurent Bigonville <bigon@debian.org>
Cc: linux-audit@redhat.com, 787066-forwarded@bugs.debian.org
Subject: Re: FTBFS with clang instead of gcc
Message-ID: <20150726214950.GC27014@in.waw.pl>
Content-Type: text/plain; charset=us-ascii
On Sun, Jul 26, 2015 at 03:58:44PM +0200, Laurent Bigonville wrote:
> Hi,
>
> Apparently audit is FTBFS with clang due to the embedded version of
> libev with the following error (see: [0]):
>
> ../../../../src/libev/ev.c:970:42: error: '_Noreturn' keyword must
> precede function declarator
>
> The bug[0] provides a patch. I don't think this has been fixed
> upstream yet. There was however a small thread [1] about this on
> upstream ML.
>
> Not sure what's the policy regarding patching embedded copy of libev.
The policy is to kill the embedded copy as soon as possible.
Seems like a good time to do that.
Zbyszek
------------------------------
Message: 2
Date: Mon, 27 Jul 2015 09:35:56 -0400
From: Steve Grubb <sgrubb@redhat.com>
To: burn@swtf.dyndns.org
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: Re: Audit class/lab
Message-ID: <15980868.FdKdW6R9DX@x2>
Content-Type: text/plain; charset="us-ascii"
On Saturday, July 25, 2015 08:39:22 AM Burn Alting wrote:
> Steve,
>
> The agenda infers that to attend a lab, you must bring a wifi-capable
> laptop with an SSH client installed.
>
> Is this a requirement for your lab or just the Applied SCAP Lab?
Its not my requirement. However, since it will be about Linux auditing and people are requested to have a laptop with a linux image available, ssh client should be there. Again, no plans for ssh right now.
-Steve
> On Thu, 2015-07-16 at 14:12 -0400, Steve Grubb wrote:
> > On Thursday, July 16, 2015 05:03:26 PM Smith, Gary R wrote:
> > > Any chance that your presentation would get recorded for later
> > > viewing by those of us who have no budget for travel at the end of
> > > the fiscal year?
> >
> > This presentation will not be recorded. Slides will be available. I
> > might do something separately from this conference so that there's
> > something people can watch. But I expect the lab to be interactive
> > where people can say, "We have these requirements, what would be the best way to do it?"
> > And sometimes, there isn't a best way and I take notes to look into
> > it more deeply.
> >
> > -Steve
> >
> > > On 07/15/2015 03:22 PM, Steve Grubb wrote:
> > > > Hello,
> > > >
> > > > I normally don't put the word out about speeches I give, or
> > > > things like that. But I am going to be teaching a hands-on audit
> > > > class to demonstrate how to configure, setup rules, and do
> > > > searching and reporting using the native linux audit tools.
> > > >
> > > > The lab will be part of the Defence in Depth conference in
> > > > Washington (Tyson's Cormers, VA) on Sept 1. Its free, you just have to register.
> > > > More info:
> > > >
> > > > http://www.redhat.com/en/about/events/2015-defense-depth
> > > >
> > > > I will be going over new features that aids insider threat
> > > > detection and signs of intrusion in addition to basics. Bring
> > > > your questions and problems, let's talk.
> > > >
> > > > -Steve
> > > >
> > > > --
> > > > Linux-audit mailing list
> > > > Linux-audit@redhat.com
> > > > https://www.redhat.com/mailman/listinfo/linux-audit
> >
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
------------------------------
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
End of Linux-audit Digest, Vol 130, Issue 18
********************************************
Ce message et les pièces jointes sont confidentiels et réservés à l'usage exclusif de ses destinataires. Il peut également être protégé par le secret professionnel. Si vous recevez ce message par erreur, merci d'en avertir immédiatement l'expéditeur et de le détruire. L'intégrité du message ne pouvant être assurée sur Internet, la responsabilité de Worldline ne pourra être recherchée quant au contenu de ce message. Bien que les meilleurs efforts soient faits pour maintenir cette transmission exempte de tout virus, l'expéditeur ne donne aucune garantie à cet égard et sa responsabilité ne saurait être recherchée pour tout dommage résultant d'un virus transmis.
This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Worldline liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.
^ permalink raw reply
* Using audit as extended inotify
From: Tyler Hardin @ 2015-07-27 23:30 UTC (permalink / raw)
To: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 357 bytes --]
I want to monitor file and directory creation, modification, and deletion
on some large subtrees (/etc/, /usr/share/, and ~/.config/). And I want the
name of the executable that caused the event. The purpose will be to
facilitate cruft detection and removal.
Can audit do this? Will using it to do this with such large subtrees become
a performance issue?
[-- Attachment #1.2: Type: text/html, Size: 403 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply
* Re: FTBFS with clang instead of gcc
From: Steve Grubb @ 2015-07-27 16:50 UTC (permalink / raw)
To: linux-audit; +Cc: 787066-forwarded
In-Reply-To: <20150726155844.3af70ed0@fornost.bigon.be>
On Sunday, July 26, 2015 03:58:44 PM Laurent Bigonville wrote:
> Apparently audit is FTBFS with clang due to the embedded version of
> libev with the following error (see: [0]):
>
> ../../../../src/libev/ev.c:970:42: error: '_Noreturn' keyword must
> precede function declarator
>
> The bug[0] provides a patch. I don't think this has been fixed
> upstream yet. There was however a small thread [1] about this on
> upstream ML.
Actually, it is fixed upstream.
http://cvs.schmorp.de/libev/ev.c?revision=1.476&view=markup#l1087
> Not sure what's the policy regarding patching embedded copy of libev.
It also appears that 4.20 was release back in June. I'll update the embedded
copy. Thanks for pointing this out.
-Steve
^ permalink raw reply
* Re: FTBFS with clang instead of gcc
From: Zbigniew Jędrzejewski-Szmek @ 2015-07-27 16:40 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit, 787066-forwarded
In-Reply-To: <1837827.kIU5ZZHVo5@x2>
On Mon, Jul 27, 2015 at 12:34:38PM -0400, Steve Grubb wrote:
> On Sunday, July 26, 2015 09:49:50 PM Zbigniew Jędrzejewski-Szmek wrote:
> > On Sun, Jul 26, 2015 at 03:58:44PM +0200, Laurent Bigonville wrote:
> > > Apparently audit is FTBFS with clang due to the embedded version of
> > > libev with the following error (see: [0]):
> > >
> > > ../../../../src/libev/ev.c:970:42: error: '_Noreturn' keyword must
> > > precede function declarator
> > >
> > > The bug[0] provides a patch. I don't think this has been fixed
> > > upstream yet. There was however a small thread [1] about this on
> > > upstream ML.
> > >
> > Not sure what's the policy regarding patching embedded copy of libev.
> > The policy is to kill the embedded copy as soon as possible.
> > Seems like a good time to do that.
>
> Not sure if you've ever had any dealings with upstream libev or not. But let's
> just say its not easy. I apply a patch on top of libev to suit audit's needs.
>
> https://fedorahosted.org/audit/changeset/782
>
> Without this, coverity analysis is much harder. Audit is one of those
> subsystems that you really need to be sure of what its doing and that even
> libraries it uses are correct.
You're right, I should have remembered that libev wants to be a copylib.
Zbyszek
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
* Re: FTBFS with clang instead of gcc
From: Steve Grubb @ 2015-07-27 16:34 UTC (permalink / raw)
To: linux-audit; +Cc: 787066-forwarded
In-Reply-To: <20150726214950.GC27014@in.waw.pl>
On Sunday, July 26, 2015 09:49:50 PM Zbigniew Jędrzejewski-Szmek wrote:
> On Sun, Jul 26, 2015 at 03:58:44PM +0200, Laurent Bigonville wrote:
> > Apparently audit is FTBFS with clang due to the embedded version of
> > libev with the following error (see: [0]):
> >
> > ../../../../src/libev/ev.c:970:42: error: '_Noreturn' keyword must
> > precede function declarator
> >
> > The bug[0] provides a patch. I don't think this has been fixed
> > upstream yet. There was however a small thread [1] about this on
> > upstream ML.
> >
> Not sure what's the policy regarding patching embedded copy of libev.
> The policy is to kill the embedded copy as soon as possible.
> Seems like a good time to do that.
Not sure if you've ever had any dealings with upstream libev or not. But let's
just say its not easy. I apply a patch on top of libev to suit audit's needs.
https://fedorahosted.org/audit/changeset/782
Without this, coverity analysis is much harder. Audit is one of those
subsystems that you really need to be sure of what its doing and that even
libraries it uses are correct.
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
* Re: Audit class/lab
From: Steve Grubb @ 2015-07-27 13:35 UTC (permalink / raw)
To: burn; +Cc: linux-audit@redhat.com
In-Reply-To: <1437777562.26354.65.camel@swtf.swtf.dyndns.org>
On Saturday, July 25, 2015 08:39:22 AM Burn Alting wrote:
> Steve,
>
> The agenda infers that to attend a lab, you must bring a wifi-capable
> laptop with an SSH client installed.
>
> Is this a requirement for your lab or just the Applied SCAP Lab?
Its not my requirement. However, since it will be about Linux auditing and
people are requested to have a laptop with a linux image available, ssh client
should be there. Again, no plans for ssh right now.
-Steve
> On Thu, 2015-07-16 at 14:12 -0400, Steve Grubb wrote:
> > On Thursday, July 16, 2015 05:03:26 PM Smith, Gary R wrote:
> > > Any chance that your presentation would get recorded for later viewing
> > > by those of us who have no budget for travel at the end of the fiscal
> > > year?
> >
> > This presentation will not be recorded. Slides will be available. I might
> > do something separately from this conference so that there's something
> > people can watch. But I expect the lab to be interactive where people can
> > say, "We have these requirements, what would be the best way to do it?"
> > And sometimes, there isn't a best way and I take notes to look into it
> > more deeply.
> >
> > -Steve
> >
> > > On 07/15/2015 03:22 PM, Steve Grubb wrote:
> > > > Hello,
> > > >
> > > > I normally don't put the word out about speeches I give, or things
> > > > like
> > > > that. But I am going to be teaching a hands-on audit class to
> > > > demonstrate
> > > > how to configure, setup rules, and do searching and reporting using
> > > > the
> > > > native linux audit tools.
> > > >
> > > > The lab will be part of the Defence in Depth conference in Washington
> > > > (Tyson's Cormers, VA) on Sept 1. Its free, you just have to register.
> > > > More info:
> > > >
> > > > http://www.redhat.com/en/about/events/2015-defense-depth
> > > >
> > > > I will be going over new features that aids insider threat detection
> > > > and
> > > > signs of intrusion in addition to basics. Bring your questions and
> > > > problems, let's talk.
> > > >
> > > > -Steve
> > > >
> > > > --
> > > > Linux-audit mailing list
> > > > Linux-audit@redhat.com
> > > > https://www.redhat.com/mailman/listinfo/linux-audit
> >
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
* Re: FTBFS with clang instead of gcc
From: Zbigniew Jędrzejewski-Szmek @ 2015-07-26 21:49 UTC (permalink / raw)
To: Laurent Bigonville; +Cc: linux-audit, 787066-forwarded
In-Reply-To: <20150726155844.3af70ed0@fornost.bigon.be>
On Sun, Jul 26, 2015 at 03:58:44PM +0200, Laurent Bigonville wrote:
> Hi,
>
> Apparently audit is FTBFS with clang due to the embedded version of
> libev with the following error (see: [0]):
>
> ../../../../src/libev/ev.c:970:42: error: '_Noreturn' keyword must
> precede function declarator
>
> The bug[0] provides a patch. I don't think this has been fixed
> upstream yet. There was however a small thread [1] about this on
> upstream ML.
>
> Not sure what's the policy regarding patching embedded copy of libev.
The policy is to kill the embedded copy as soon as possible.
Seems like a good time to do that.
Zbyszek
^ permalink raw reply
* FTBFS with clang instead of gcc
From: Laurent Bigonville @ 2015-07-26 13:58 UTC (permalink / raw)
To: linux-audit; +Cc: 787066-forwarded
Hi,
Apparently audit is FTBFS with clang due to the embedded version of
libev with the following error (see: [0]):
../../../../src/libev/ev.c:970:42: error: '_Noreturn' keyword must
precede function declarator
The bug[0] provides a patch. I don't think this has been fixed
upstream yet. There was however a small thread [1] about this on
upstream ML.
Not sure what's the policy regarding patching embedded copy of libev.
Cheers,
Laurent Bigonville
[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787066
[1] http://lists.schmorp.de/pipermail/libev/2015q1/002480.html
^ permalink raw reply
* Re: [PATCH 2/2] audit: log binding and unbinding to netlink multicast socket
From: Paul Moore @ 2015-07-24 22:58 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <8611875.W95Jo5o7mj@x2>
On Thursday, July 23, 2015 04:45:19 PM Steve Grubb wrote:
> Log information about programs connecting and disconnecting to the audit
> netlink multicast socket. This is needed so that during investigations a
> security officer can tell who or what had access to the audit trail. This
> helps to meet the FAU_SAR.2 requirement for Common Criteria.
>
> Signed-off-by: Steve Grubb <sgrubb@redhat.com>
> ---
> include/uapi/linux/audit.h | 1 +
> kernel/audit.c | 30 ++++++++++++++++++++++++++++--
> 2 files changed, 29 insertions(+), 2 deletions(-)
...
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 29fb38b..3253f1b 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1135,13 +1135,36 @@ void audit_log_task_simple(struct audit_buffer *ab,
> struct task_struct *tsk) }
> EXPORT_SYMBOL(audit_log_task_simple);
>
> +static void audit_log_bind(int group, const char *op, int err)
> +{
Hmmm, how about a name tweak to indicate multicast? How about
audit_log_multicast_bind()?
> + struct audit_buffer *ab;
> +
> + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_EVENT_LISTENER);
> + if (!ab)
> + return;
> +
> + audit_log_task_simple(ab, current);
> + audit_log_format(ab, " nlnk-grp=%d", group);
> + audit_log_format(ab, " op=%s", op);
> + audit_log_format(ab, " res=%d", !err);
> + audit_log_end(ab);
Any reason we can't do this with one audit_log_format() call?
audit_log_format(ab, "nlnk-grp=%d op=%s res=%d", group, op, !err);
--
paul moore
security @ redhat
^ permalink raw reply
* Re: [PATCH 1/2] audit: log binding and unbinding to netlink multicast socket
From: Paul Moore @ 2015-07-24 22:54 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <5155977.UeYF2qVy20@x2>
On Thursday, July 23, 2015 04:45:10 PM Steve Grubb wrote:
> The audit subsystem could use a function that logs the commonly needed
> fields for a typical audit event. This logs less that audit_log_task_info
> and reduces the need to hand code individual fields.
>
> Signed-off-by: Steve Grubb <sgrubb@redhat.com>
> ---
> include/linux/audit.h | 5 +++++
> kernel/audit.c | 35 +++++++++++++++++++++++++++++++++++
> 2 files changed, 40 insertions(+)
Additional comments below, but I'd like to see this patch change
audit_log_task_info() to call audit_log_task_simple() ... or, why not just
call audit_log_task_info() if the audit bind/unbind is going to be the only
one to benefit from audit_log_task_simple()? Yes, I know that
audit_log_task_info() records more than you need, but this duplication of code
because of the record format mess makes me very grumpy.
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 1c13e42..29fb38b 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1100,6 +1100,41 @@ static void audit_receive(struct sk_buff *skb)
> mutex_unlock(&audit_cmd_mutex);
> }
>
> +/* This function logs the essential information needed to understand
> + * what or who is causing the event */
> +void audit_log_task_simple(struct audit_buffer *ab, struct task_struct
> *tsk)
...
> + audit_log_format(ab, "pid=%u uid=%u auid=%u tty=%s ses=%u",
> + task_pid_nr(tsk),
> + from_kuid(&init_user_ns, cred->uid),
> + from_kuid(&init_user_ns, audit_get_loginuid(tsk)),
> + tty, audit_get_sessionid(tsk));
You should check the format string against audit_log_task_info(); they don't
match.
--
paul moore
security @ redhat
^ permalink raw reply
* Re: [PATCH 0/2] audit: log binding and unbinding to netlink multicast socket
From: Paul Moore @ 2015-07-24 22:42 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <1470011.Rp6MUNe0GI@x2>
On Thu, Jul 23, 2015 at 4:45 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> Hello,
>
> I am resurrecting this old patch. Its been cleaned up by adding a simple task
> logging function which should, in the future, serve almost all kernel logging
> needs. The cleaned up bind and unbind functions call it to create the preamble
> and then finish with specific data items for bind/unbinding.
>
> In essence, this patch logs connecting and unconnecting to the audit netlink
> multicast socket. This is needed so that during investigations a security
> officer can tell who or what had access to the audit trail. This helps to meet
> the FAU_SAR.2 SFR for Common Criteria.
Hi Steve,
I knew we would get you writing kernel patches eventually ;)
A little birdie mentioned to me offlist that there are issues with
application bind/unbind events not being audited based on how they do
the audit, have you run into this in your testing of this patch?
--
paul moore
www.paul-moore.com
^ permalink raw reply
* Re: Audit class/lab
From: Burn Alting @ 2015-07-24 22:39 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit@redhat.com
In-Reply-To: <4053185.x93bYvJEbu@x2>
Steve,
The agenda infers that to attend a lab, you must bring a wifi-capable
laptop with an SSH client installed.
Is this a requirement for your lab or just the Applied SCAP Lab?
Regards
On Thu, 2015-07-16 at 14:12 -0400, Steve Grubb wrote:
> On Thursday, July 16, 2015 05:03:26 PM Smith, Gary R wrote:
> > Any chance that your presentation would get recorded for later viewing
> > by those of us who have no budget for travel at the end of the fiscal year?
>
> This presentation will not be recorded. Slides will be available. I might do
> something separately from this conference so that there's something people can
> watch. But I expect the lab to be interactive where people can say, "We have
> these requirements, what would be the best way to do it?" And sometimes,
> there isn't a best way and I take notes to look into it more deeply.
>
> -Steve
>
>
> > On 07/15/2015 03:22 PM, Steve Grubb wrote:
> > > Hello,
> > >
> > > I normally don't put the word out about speeches I give, or things like
> > > that. But I am going to be teaching a hands-on audit class to demonstrate
> > > how to configure, setup rules, and do searching and reporting using the
> > > native linux audit tools.
> > >
> > > The lab will be part of the Defence in Depth conference in Washington
> > > (Tyson's Cormers, VA) on Sept 1. Its free, you just have to register.
> > > More info:
> > >
> > > http://www.redhat.com/en/about/events/2015-defense-depth
> > >
> > > I will be going over new features that aids insider threat detection and
> > > signs of intrusion in addition to basics. Bring your questions and
> > > problems, let's talk.
> > >
> > > -Steve
> > >
> > > --
> > > Linux-audit mailing list
> > > Linux-audit@redhat.com
> > > https://www.redhat.com/mailman/listinfo/linux-audit
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
* Re: [PATCH] Missed cross compile fixes
From: Steve Grubb @ 2015-07-23 21:18 UTC (permalink / raw)
To: linux-audit
In-Reply-To: <1437576762-32343-1-git-send-email-clayton.shotwell@rockwellcollins.com>
On Wednesday, July 22, 2015 09:52:42 AM Clayton Shotwell wrote:
> My previous patch set attempted to fix the building of the gen_tables.c
> applications so they can run on the build machine when cross compiling.
> I failed to realize that automake would still attempt to insert the
> CFLAGS and CPPFLAGS variables even when they should be CFLAGS_FOR_BUILD
> and CPPFLAGS_FOR_BUILD. This change set should override those FLAGS
> variables properly.
Applied in commit 1117. Thanks!
-Steve
^ permalink raw reply
* [PATCH 2/2] audit: log binding and unbinding to netlink multicast socket
From: Steve Grubb @ 2015-07-23 20:45 UTC (permalink / raw)
To: linux-audit
Log information about programs connecting and disconnecting to the audit
netlink multicast socket. This is needed so that during investigations a
security officer can tell who or what had access to the audit trail. This
helps to meet the FAU_SAR.2 requirement for Common Criteria.
Signed-off-by: Steve Grubb <sgrubb@redhat.com>
---
include/uapi/linux/audit.h | 1 +
kernel/audit.c | 30 ++++++++++++++++++++++++++++--
2 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index d3475e1..bb4555a 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -110,6 +110,7 @@
#define AUDIT_SECCOMP 1326 /* Secure Computing event */
#define AUDIT_PROCTITLE 1327 /* Proctitle emit event */
#define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes */
+#define AUDIT_EVENT_LISTENER 1329 /* task joined multicast read socket */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
diff --git a/kernel/audit.c b/kernel/audit.c
index 29fb38b..3253f1b 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1135,13 +1135,36 @@ void audit_log_task_simple(struct audit_buffer *ab, struct task_struct *tsk)
}
EXPORT_SYMBOL(audit_log_task_simple);
+static void audit_log_bind(int group, const char *op, int err)
+{
+ struct audit_buffer *ab;
+
+ ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_EVENT_LISTENER);
+ if (!ab)
+ return;
+
+ audit_log_task_simple(ab, current);
+ audit_log_format(ab, " nlnk-grp=%d", group);
+ audit_log_format(ab, " op=%s", op);
+ audit_log_format(ab, " res=%d", !err);
+ audit_log_end(ab);
+}
+
/* Run custom bind function on netlink socket group connect or bind requests. */
static int audit_bind(struct net *net, int group)
{
+ int err = 0;
+
if (!capable(CAP_AUDIT_READ))
- return -EPERM;
+ err = -EPERM;
+ audit_log_bind(group, "connect", err);
- return 0;
+ return err;
+}
+
+static void audit_unbind(struct net *net, int group)
+{
+ audit_log_bind(group, "disconnect", 0);
}
static int __net_init audit_net_init(struct net *net)
@@ -1151,6 +1176,7 @@ static int __net_init audit_net_init(struct net *net)
.bind = audit_bind,
.flags = NL_CFG_F_NONROOT_RECV,
.groups = AUDIT_NLGRP_MAX,
+ .unbind = audit_unbind,
};
struct audit_net *aunet = net_generic(net, audit_net_id);
--
2.4.3
^ permalink raw reply related
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox