Linux-audit Archive on lore.kernel.org
* Re: auditd reports port number '0' for connect() system call
From: Kangkook Jee @ 2016-04-04 18:32 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <18729284.EaRmKyajcD@x2>

Thanks a lot Steve! It really helps.


Regards, Kangkook

> On Apr 1, 2016, at 8:13 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> 
> On Thursday, March 31, 2016 06:11:26 PM Kangkook Jee wrote:
>> Here an event directly from auditd for connect() system call (syscall=42)
>> with port number 0. Do you think connect() system call still can be called
>> with port number 0?
> 
> 
> Hello,
> 
> I got the full events. Below is the explanation...
> 
> type=SYSCALL msg=audit(03/29/2016 21:33:27.178:35720094) : arch=x86_64 
> syscall=socket success=yes exit=44 a0=inet a1=SOCK_DGRAM a2=ip a3=0x0 items=0 
> ppid=2779 pid=31713 auid=unset uid=unknown(8271) gid=unknown(5001) 
> euid=unknown(8271) suid=unknown(8271) fsuid=unknown(8271) egid=unknown(5001) 
> sgid=unknown(5001) fsgid=unknown(5001) tty=(none) ses=unset comm=DNS Res~er 
> #465 exe=/usr/lib/firefox/firefox key=(null) 
> 
> So, here ^^^ we are creating a DGRAM socket. This is important because they 
> follow slightly different rules than tcp.
> 
> 
> type=SOCKADDR msg=audit(03/29/2016 21:33:27.178:35720095) : saddr=inet 
> host:54.68.122.100 serv:0 
> type=SYSCALL msg=audit(03/29/2016 21:33:27.178:35720095) : arch=x86_64 
> syscall=connect success=yes exit=0 a0=0x2c a1=0x7f1fbe8f81f0 a2=0x10 a3=0x0 
> items=0 ppid=2779 pid=31713 auid=unset uid=unknown(8271) gid=unknown(5001) 
> euid=unknown(8271) suid=unknown(8271) fsuid=unknown(8271) egid=unknown(5001) 
> sgid=unknown(5001) fsgid=unknown(5001) tty=(none) ses=unset comm=DNS Res~er 
> #465 exe=/usr/lib/firefox/firefox key=(null)
> 
> 
> http://man7.org/linux/man-pages/man2/connect.2.html
> If the socket sockfd is of type SOCK_DGRAM, then addr is the address to which 
> datagrams are sent by default, and the only address from which datagrams are 
> received.
> 
> So, this is just setting up a connectionless socket to a specific server. 
> Judging by the thread name, this is for DNS resolution for Firefox. So, I 
> would say that without a doubt, this is normal system operation.
> 
> -Steve
> 
> 
>> type=SYSCALL msg=audit(1459301607.178:35720095): arch=c000003e syscall=42
>> success=yes exit=0 a0=2c a1=7f1fbe8f81f0 a2=10 a3=0 items=0 ppid=2779
>> pid=31713 auid=4294967295 uid=8271 gid=5001 euid=8271 suid=8271 fsuid=8271
>> egid=5001 sgid=500# type=SOCKADDR msg=audit(1459301607.178:35720095):
>> saddr=0200000036447A640000000000000000
>> 
>> If it is bind() it makes sense, but I’m not sure we can still do this with
>> connect().
>> 
>> Thanks!
>> 
>> /Kangkook
> 


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
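Decoding the saddr= hex the way Steve's interpreted output does, as an added example that is not part of this thread or of the audit tools: sa_family is copied into the record in host byte order (little-endian on x86_64) while sin_port is in network byte order, so the second pair of bytes has to be read big-endian. The script then pairs each connect() with the socket() call of the same pid that returned the fd, so that a peer port of 0 is reported as expected only when the fd is SOCK_DGRAM, which is exactly the case explained above. Assumed and not from the thread: x86_64 syscall numbers, the raw (non-interpreted) auditd line format, and the embedded sample lines, which are constructed from the quoted events with some fields dropped.

```python
"""Decode the saddr= field of audit SOCKADDR records and pair each connect()
with the socket() call that created its fd, so a peer port of 0 can be judged.

Added example; not code from the thread or from audit-userspace.  Assumes
x86_64 (little-endian sa_family, syscall 41 = socket, 42 = connect) and raw,
non-interpreted auditd lines.  SAMPLE_LOG is constructed: it mirrors the
Firefox DNS events quoted above plus one SOCK_STREAM connect() for contrast.
"""
import re
import socket
import struct

AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10      # Linux sa_family values
SOCK_STREAM, SOCK_DGRAM = 1, 2
SOCK_TYPE_MASK = 0xF                       # strips SOCK_NONBLOCK / SOCK_CLOEXEC
SYS_SOCKET, SYS_CONNECT = 41, 42           # x86_64 syscall numbers

RECORD = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_saddr(hexstr):
    """Decode the sockaddr bytes the kernel copied into the record.

    sa_family is in host order (little-endian on x86_64); sin_port/sin6_port
    are in network order, so the port is read big-endian: 0x030B is 779.
    """
    raw = bytes.fromhex(hexstr)
    (family,) = struct.unpack_from("<H", raw, 0)
    if family == AF_INET and len(raw) >= 8:
        (port,) = struct.unpack_from("!H", raw, 2)
        return {"family": "inet", "port": port,
                "host": socket.inet_ntop(socket.AF_INET, raw[4:8])}
    if family == AF_INET6 and len(raw) >= 24:
        (port,) = struct.unpack_from("!H", raw, 2)
        return {"family": "inet6", "port": port,
                "host": socket.inet_ntop(socket.AF_INET6, raw[8:24])}
    if family == AF_UNIX:
        sun_path = raw[2:]
        if sun_path[:1] == b"\0":          # abstract namespace, shown as @name
            name = "@" + sun_path[1:].split(b"\0", 1)[0].decode("utf-8", "replace")
        else:
            name = sun_path.split(b"\0", 1)[0].decode("utf-8", "replace")
        return {"family": "local", "path": name}
    return {"family": family, "raw": hexstr}


def parse_record(line):
    """Split one raw audit line into key=value fields plus type and serial."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    fields = dict(FIELD.findall(m.group(4)))
    fields["type"], fields["serial"] = m.group(1), int(m.group(3))
    return fields


def audit_connects(lines):
    """One dict per successful connect(): decoded peer, SOCK_* type of the fd
    (from the same pid's earlier socket() record) and a note explaining a
    zero port where the type makes it expected.  fds are reused after
    close(); a production version would also consume close() records."""
    events = {}                            # serial -> merged SYSCALL + SOCKADDR
    for line in lines:
        f = parse_record(line)
        if f:
            events.setdefault(f["serial"], {}).update(f)
    sock_type = {}                         # (pid, fd) -> SOCK_* type
    out = []
    for serial in sorted(events):
        e = events[serial]
        if "syscall" not in e or e.get("success") != "yes":
            continue
        nr, pid = int(e["syscall"]), int(e["pid"])
        if nr == SYS_SOCKET:
            sock_type[(pid, int(e["exit"]))] = int(e["a1"], 16) & SOCK_TYPE_MASK
        elif nr == SYS_CONNECT and "saddr" in e:
            peer = decode_saddr(e["saddr"])
            stype = sock_type.get((pid, int(e["a0"], 16)))
            note = ""
            if peer.get("port") == 0:
                if stype == SOCK_DGRAM:
                    note = "expected: connect() on SOCK_DGRAM only fixes the default peer"
                elif stype == SOCK_STREAM:
                    note = "unexpected: stream connect() to port 0, inspect"
                else:
                    note = "unknown: creating socket() call not in this window"
            out.append({"serial": serial, "pid": pid, "socktype": stype,
                        "note": note, **peer})
    return out


# Constructed sample, modelled on the events quoted above (fields trimmed).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1459301607.178:35720094): arch=c000003e syscall=41 success=yes exit=44 a0=2 a1=2 a2=0 a3=0 items=0 ppid=2779 pid=31713 comm="DNS Res~er #465" exe="/usr/lib/firefox/firefox" key=(null)
type=SYSCALL msg=audit(1459301607.178:35720095): arch=c000003e syscall=42 success=yes exit=0 a0=2c a1=7f1fbe8f81f0 a2=10 a3=0 items=0 ppid=2779 pid=31713 comm="DNS Res~er #465" exe="/usr/lib/firefox/firefox" key=(null)
type=SOCKADDR msg=audit(1459301607.178:35720095): saddr=0200000036447A640000000000000000
type=SYSCALL msg=audit(1459301610.001:35720100): arch=c000003e syscall=41 success=yes exit=45 a0=2 a1=80001 a2=6 a3=0 items=0 ppid=2779 pid=31713 comm="Socket Thread" exe="/usr/lib/firefox/firefox" key=(null)
type=SYSCALL msg=audit(1459301610.002:35720101): arch=c000003e syscall=42 success=yes exit=0 a0=2d a1=7f1fbe8f8200 a2=10 a3=0 items=0 ppid=2779 pid=31713 comm="Socket Thread" exe="/usr/lib/firefox/firefox" key=(null)
type=SOCKADDR msg=audit(1459301610.002:35720101): saddr=0200030B8A0FA5090000000000000000
"""

if __name__ == "__main__":
    for conn in audit_connects(SAMPLE_LOG.splitlines()):
        print(conn)
```

Run against the sample, the DGRAM connect() to 54.68.122.100 decodes to port 0 and is marked expected, while the stream connect() decodes to 138.15.165.9:779, the same 0x030B that Kangkook's decoder also read correctly. Feed it `ausearch --raw` output (or the audit.log lines themselves) rather than `ausearch -i` output, which has already replaced saddr= with host:/serv:.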


* Re: [PATCH] audit: cleanup prune_tree_thread
From: Paul Moore @ 2016-04-04 14:06 UTC (permalink / raw)
  To: Jiri Slaby; +Cc: linux-audit, linux-kernel
In-Reply-To: <1459414168-5010-1-git-send-email-jslaby@suse.cz>

On Thursday, March 31, 2016 10:49:28 AM Jiri Slaby wrote:
> We can use kthread_run instead of kthread_create+wake_up_process for
> creating the thread.
> 
> We do not need to set the task state to TASK_RUNNING after schedule(),
> the process is in that state already.
> 
> And we do not need to set the state to TASK_INTERRUPTIBLE when not
> doing schedule() as we set the state to TASK_RUNNING immediately
> afterwards.
> 
> Signed-off-by: Jiri Slaby <jslaby@suse.cz>
> Cc: Paul Moore <paul@paul-moore.com>
> Cc: Eric Paris <eparis@redhat.com>
> Cc: <linux-audit@redhat.com>
> ---
>  kernel/audit_tree.c | 12 +++++-------
>  1 file changed, 5 insertions(+), 7 deletions(-)

Thanks, it looks good to me; merged.

> diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
> index 5efe9b299a12..25772476fa4a 100644
> --- a/kernel/audit_tree.c
> +++ b/kernel/audit_tree.c
> @@ -661,10 +661,10 @@ static int tag_mount(struct vfsmount *mnt, void *arg)
>  static int prune_tree_thread(void *unused)
>  {
>  	for (;;) {
> -		set_current_state(TASK_INTERRUPTIBLE);
> -		if (list_empty(&prune_list))
> +		if (list_empty(&prune_list)) {
> +			set_current_state(TASK_INTERRUPTIBLE);
>  			schedule();
> -		__set_current_state(TASK_RUNNING);
> +		}
> 
>  		mutex_lock(&audit_cmd_mutex);
>  		mutex_lock(&audit_filter_mutex);
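Review bot: moving set_current_state(TASK_INTERRUPTIBLE) after the `if (list_empty(&prune_list))` test opens a lost-wakeup window: the list is checked without any lock visible here, so a producer that queues onto prune_list and calls wake_up_process() between that check and set_current_state() finds the thread still TASK_RUNNING, and the thread then sleeps in schedule() until some later wakeup. The removed order, `set_current_state(TASK_INTERRUPTIBLE); if (list_empty(&prune_list)) schedule();`, is the idiom that closes this window. Either keep that order (in which case `__set_current_state(TASK_RUNNING)` is still needed on the path that skips schedule(), and only the one after a real schedule() is redundant), or state in the commit message why a prune delayed until the next wakeup is acceptable.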
> @@ -693,16 +693,14 @@ static int audit_launch_prune(void)
>  {
>  	if (prune_thread)
>  		return 0;
> -	prune_thread = kthread_create(prune_tree_thread, NULL,
> +	prune_thread = kthread_run(prune_tree_thread, NULL,
>  				"audit_prune_tree");
>  	if (IS_ERR(prune_thread)) {
>  		pr_err("cannot start thread audit_prune_tree");
>  		prune_thread = NULL;
>  		return -ENOMEM;
> -	} else {
> -		wake_up_process(prune_thread);
> -		return 0;
>  	}
> +	return 0;
>  }
> 
>  /* called with audit_filter_mutex */
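Review bot: the error branch still returns -ENOMEM whatever kthread_run() actually failed with; since this hunk reworks that branch, return PTR_ERR(prune_thread) so the caller sees the real error, and give the pr_err() string its missing "\n" while touching it.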

-- 
paul moore
www.paul-moore.com


* Re: [RFC] Create an audit record of USB specific details
From: Greg KH @ 2016-04-04 12:56 UTC (permalink / raw)
  To: wmealing; +Cc: linux-audit, linux-kernel, linux-usb
In-Reply-To: <1459742562-22803-1-git-send-email-wmail@redhat.com>

On Mon, Apr 04, 2016 at 12:02:42AM -0400, wmealing wrote:
> From: Wade Mealing <wmealing@redhat.com>
> 
> Gday,
> 
> I'm looking to create an audit trail for when devices are added or removed
> from the system.

Then please do it in userspace, as I suggested before, that way you
catch all types of devices, not just USB ones.

Also I don't think you realize that USB interfaces are what are bound to
drivers, not USB devices, so that is going to mess with any attempted
audit trails here.  How are you going to distinguish between the 5
different devices that just got plugged in that all have 0000/0000 as
vid/pid for them because they are "cheap" devices from China, yet do
totally different things because they are different _types_ of devices?

Again, do this in userspace please, that is where it belongs.

greg k-h


* Re: [RFC] Create an audit record of USB specific details
From: Bjørn Mork @ 2016-04-04  7:47 UTC (permalink / raw)
  To: Oliver Neukum
  Cc: wmealing, linux-audit-H+wXaHxf7aLQT0dZR+AlfA,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	linux-usb-u79uwXL29TY76Z2rM5mHXA
In-Reply-To: <1459752519.24025.5.camel-IBi9RG/b67k@public.gmane.org>

Oliver Neukum <oneukum-IBi9RG/b67k@public.gmane.org> writes:
> On Mon, 2016-04-04 at 00:02 -0400, wmealing wrote:
>
>> I'm looking to create an audit trail for when devices are added or removed
>> from the system.
>> 
>> The audit subsystem is a logging subsystem in kernel space that can be
>> used to create advanced filters on generated events.  It has partnered userspace
>> utilities ausearch, auditd, aureport, auditctl which work exclusively on audit
>> records.
>> 
>> These tools are able to set filters to "trigger" on specific in-kernel events
>> specified by privileged users.  While the userspace tools can create audit 
>> events these are not able to be handled intelligently (decoded,filtered or 
>> ignored) as kernel generated audit events are.
>
> That is a goal that should be debated in general.

Yes.

And I think it would make this proposal appear a lot less fishy if it
included links and summaries of previous discussions on the subject. Is
there an assumption that people on this list remember every discussion
for weeks?  Or the opposite maybe?

AFAICS, Greg has already asked the obvious questions and made the
obvious "do this in userspace using the existing uevents" proposal. I
did not see any followup to his last message, so I assumed this audit
thing would return to the drawing board with a userspace implementation:
http://www.spinics.net/lists/linux-usb/msg137671.html

It was quite surprising to instead see a USB specific kernel
implementation duplicating existing device add/remove functionality.
Why?  The provided reason makes absolutely no sense at all. Userspace
tools are as intelligent as you make them. And "decoded,filtered or
ignored" implies policy, which IMHO has no place in the kernel in any
case.

>> I have this working at the moment with the USB subsystem (as an example).
>> It's been suggested that I use systemd-udev however this means that the audit
>> tools (ausearch) will not be able to index these records.
>
> Chaining this so tightly to the USB subsystem makes no sense.
> If you do this, then please hook into the generic layer, that
> is add_device(), and provide a method in the generic device structure
> for providing information to the audit subsystem.

I think the generic layer implementation is already there.  The proposed
USB specific solution adds nothing, as pointed out by Greg the last time
this was discussed.


Bjørn
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
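The userspace route Greg and Bjørn point to, as an added example that is not code from the RFC, from udev or from audit-userspace: a helper that udev runs from a RUN+= rule on usb_device add/remove uevents and that hands the properties udev already exports to auditd as an AUDIT_USER_DEVICE (1137) record through the python3-audit binding. Assumed and not from the thread: the rule text and helper path, the udev property names used, the binding's audit_log_user_message() signature, and the sample uevent environment, which is constructed. The value encoding copies the rule the kernel applies in audit_log_untrustedstring() (libaudit does the same in audit_encode_nv_string()): printable ASCII without a double quote is quoted, anything else is hex-encoded, so ausearch -i can decode it and a device-supplied product string cannot inject extra fields. Logging DEVPATH next to the vendor/product IDs is what lets the 0000/0000 devices Greg mentions be told apart.

```python
"""udev RUN+= helper: turn a USB hotplug uevent into an auditd record.

Added example, not code from the RFC, udev or audit-userspace.  Assumptions:
  * udev invokes it through a rule like (this example's text, not the thread's)
    ACTION=="add|remove", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", RUN+="/usr/local/sbin/audit-usb-hotplug"
  * the python3-audit binding ("import audit") is present on the host; without
    it the record is printed so the script still runs offline.
  * AUDIT_USER_DEVICE is libaudit's type for user space hotplug device changes.
"""
import os
import sys

AUDIT_USER_DEVICE = 1137

# record field -> udev property exported for usb_device uevents (assumed names)
FIELDS = (
    ("bus", "SUBSYSTEM"),
    ("vendor_id", "ID_VENDOR_ID"),
    ("product_id", "ID_MODEL_ID"),
    ("manufacturer", "ID_VENDOR"),
    ("product", "ID_MODEL"),
    ("serial", "ID_SERIAL_SHORT"),
    ("major", "MAJOR"),
    ("minor", "MINOR"),
    ("devpath", "DEVPATH"),      # tells apart devices that share vid/pid
)


def encode_value(value):
    """Same rule as the kernel's audit_log_untrustedstring(): quote plain
    printable ASCII containing no '"', otherwise emit uppercase hex of the
    bytes.  A space forces hex encoding, which keeps the record splittable
    on spaces no matter what the device put in its descriptor strings."""
    raw = value.encode("utf-8", "surrogateescape")
    if all(0x21 <= b <= 0x7E and b != 0x22 for b in raw):
        return '"' + value + '"'
    return raw.hex().upper()


def decode_value(token):
    """Inverse of encode_value(); this is what ausearch -i does."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1]
    return bytes.fromhex(token).decode("utf-8", "surrogateescape")


def build_record(env):
    """Render op=... bus=... from a udev environment; absent properties are
    written as ? (the audit convention for an unknown value)."""
    parts = ["op=" + (encode_value(env["ACTION"]) if "ACTION" in env else "?")]
    for name, key in FIELDS:
        value = env.get(key)
        parts.append(name + "=" + (encode_value(value) if value is not None else "?"))
    return " ".join(parts)


def parse_record(msg):
    """Turn a record produced by build_record() back into a dict."""
    out = {}
    for token in msg.split(" "):
        name, _, value = token.partition("=")
        out[name] = None if value == "?" else decode_value(value)
    return out


def emit(msg):
    """Queue the record on the audit netlink socket (needs CAP_AUDIT_WRITE).
    Returns True when sent, False when only printed because the binding is
    missing; raises if the socket or the kernel rejects the message."""
    try:
        import audit             # python3-audit; assumed, see module docstring
    except ImportError:
        print(msg)
        return False
    fd = audit.audit_open()
    if fd < 0:
        raise OSError("audit_open failed")
    try:
        sent = audit.audit_log_user_message(fd, AUDIT_USER_DEVICE, msg,
                                            None, None, None, 1)
    finally:
        audit.audit_close(fd)
    if sent <= 0:
        raise OSError(-sent, "audit_log_user_message failed")
    return True


# Constructed sample of what udev exports for a cheap 0000/0000 device.
SAMPLE_UEVENT = {
    "ACTION": "add", "SUBSYSTEM": "usb", "DEVTYPE": "usb_device",
    "ID_VENDOR_ID": "0000", "ID_MODEL_ID": "0000",
    "ID_VENDOR": "Generic", "ID_MODEL": "USB Flash Disk",
    "ID_SERIAL_SHORT": "4C530001", "MAJOR": "189", "MINOR": "7",
    "DEVPATH": "/devices/pci0000:00/0000:00:14.0/usb1/1-3",
}

if __name__ == "__main__":
    env = os.environ if "ACTION" in os.environ else SAMPLE_UEVENT
    sys.exit(0 if emit(build_record(env)) else 1)
```

Because the message type is a standard libaudit one, ausearch -m USER_DEVICE and aureport index the records like any other, which is the indexing concern the RFC raises, and the hex-encoded product string comes back readable under ausearch -i. Interface-level events (SUBSYSTEM=="usb", DEVTYPE=="usb_interface", with the DRIVER property) can be fed through the same helper if the driver binding Greg describes is what needs auditing.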


* Re: [RFC] Create an audit record of USB specific details
From: Oliver Neukum @ 2016-04-04  6:48 UTC (permalink / raw)
  To: wmealing
  Cc: linux-audit-H+wXaHxf7aLQT0dZR+AlfA,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	linux-usb-u79uwXL29TY76Z2rM5mHXA
In-Reply-To: <1459742562-22803-1-git-send-email-wmail-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>

On Mon, 2016-04-04 at 00:02 -0400, wmealing wrote:
> From: Wade Mealing <wmealing-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
> 
> Gday,
> 
> I'm looking to create an audit trail for when devices are added or removed
> from the system.
> 
> The audit subsystem is a logging subsystem in kernel space that can be
> used to create advanced filters on generated events.  It has partnered userspace
> utilities ausearch, auditd, aureport, auditctl which work exclusively on audit
> records.
> 
> These tools are able to set filters to "trigger" on specific in-kernel events
> specified by privileged users.  While the userspace tools can create audit 
> events these are not able to be handled intelligently (decoded,filtered or 
> ignored) as kernel generated audit events are.

That is a goal that should be debated in general.

> I have this working at the moment with the USB subsystem (as an example).
> It's been suggested that I use systemd-udev however this means that the audit
> tools (ausearch) will not be able to index these records.

Chaining this so tightly to the USB subsystem makes no sense.
If you do this, then please hook into the generic layer, that
is add_device(), and provide a method in the generic device structure
for providing information to the audit subsystem.

	Regards
		Oliver




* [RFC] Create an audit record of USB specific details
From: wmealing @ 2016-04-04  4:02 UTC (permalink / raw)
  To: linux-audit; +Cc: linux-kernel, linux-usb, Wade Mealing

From: Wade Mealing <wmealing@redhat.com>

Gday,

I'm looking to create an audit trail for when devices are added or removed
from the system.

The audit subsystem is a logging subsystem in kernel space that can be
used to create advanced filters on generated events.  It has partnered userspace
utilities ausearch, auditd, aureport, auditctl which work exclusively on audit
records.

These tools are able to set filters to "trigger" on specific in-kernel events
specified by privileged users.  While the userspace tools can create audit 
events these are not able to be handled intelligently (decoded,filtered or 
ignored) as kernel generated audit events are.

I have this working at the moment with the USB subsystem (as an example).
It's been suggested that I use systemd-udev however this means that the audit
tools (ausearch) will not be able to index these records.

Here is an example of picking out the AUDIT_DEVICE record type.

> # ausearch -l -i -ts today -m AUDIT_DEVICE
> ----
> type=AUDIT_DEVICE msg=audit(31/03/16 16:37:15.642:2) : action=add
> manufacturer=Linux 4.4.0-ktest ehci_hcd product=EHCI Host Controller
> serial=0000:00:06.7 major=189 minor=0 bus="usb"

Admittedly this is only the USB device type at the moment, but I'd like to break
this out into other bus types at some time in the future, gotta start somewhere.

Thanks,

Wade Mealing

---
 include/uapi/linux/audit.h |  1 +
 init/Kconfig               | 10 ++++++
 kernel/Makefile            |  1 +
 kernel/audit_device.c      | 90 ++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 102 insertions(+)
 create mode 100644 kernel/audit_device.c

diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 843540c..344c97b 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -110,6 +110,7 @@
 #define AUDIT_SECCOMP		1326	/* Secure Computing event */
 #define AUDIT_PROCTITLE		1327	/* Proctitle emit event */
 #define AUDIT_FEATURE_CHANGE	1328	/* audit log listing feature changes */
+#define AUDIT_DEVICE_CHANGE     1330    /* Device added/removed to the system */
 
 #define AUDIT_AVC		1400	/* SE Linux avc denial or grant */
 #define AUDIT_SELINUX_ERR	1401	/* Internal SE Linux Errors */
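Review bot: AUDIT_DEVICE_CHANGE is numbered 1330, which skips 1329 right after AUDIT_FEATURE_CHANGE 1328 with no explanation; the cover letter should say whether 1329 is reserved elsewhere or the gap is deliberate, and the new define should use the tab alignment of its neighbours. The name also disagrees with the example output in the cover letter, which shows `type=AUDIT_DEVICE`: ausearch can only interpret a type it knows, so the userspace audit library needs the matching name and number, and the kernel header and that table must agree.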
diff --git a/init/Kconfig b/init/Kconfig
index 2232080..e171f74 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -309,6 +309,16 @@ config AUDITSYSCALL
 	def_bool y
 	depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
 
+config DEVICE_AUDIT
+        bool "Create audit records for devices added to the systems"
+        depends on AUDIT && USB
+       default y
+       help
+         Generate audit events in the system for USB devices that
+         are added or removed from the system from boot time onwards.
+         Records the manufacturer, product serial number, device major
+         and minor number and bus which the device was added to.
+
 config AUDIT_WATCH
 	def_bool y
 	depends on AUDITSYSCALL
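Review bot: `bool` together with `depends on AUDIT && USB` will not link when USB=m, because kernel/audit_device.o is then built into vmlinux while usb_register_notify() lives in the usbcore module; use `depends on AUDIT && USB=y` or make the option a tristate that follows USB. `default y` for a new option that emits a record on every hotplug event needs a justification or should be dropped, the name DEVICE_AUDIT promises bus-generic coverage that the USB-only dependency and help text do not deliver, the help text should read "product, serial number", and the entry is indented with a mix of 7 and 8 spaces where the surrounding entries use tabs.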
diff --git a/kernel/Makefile b/kernel/Makefile
index 53abf00..909c869 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -68,6 +68,7 @@ obj-$(CONFIG_AUDIT) += audit.o auditfilter.o
 obj-$(CONFIG_AUDITSYSCALL) += auditsc.o
 obj-$(CONFIG_AUDIT_WATCH) += audit_watch.o audit_fsnotify.o
 obj-$(CONFIG_AUDIT_TREE) += audit_tree.o
+obj-$(CONFIG_DEVICE_AUDIT) += audit_device.o
 obj-$(CONFIG_GCOV_KERNEL) += gcov/
 obj-$(CONFIG_KPROBES) += kprobes.o
 obj-$(CONFIG_KGDB) += debug/
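Review bot: kernel/ is the wrong place for an object that includes <linux/usb.h> and registers a USB notifier; a USB-specific consumer belongs under drivers/usb/core, or, as the replies suggest, the record should be raised from the generic device layer so that what stays in kernel/ is bus-neutral.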
diff --git a/kernel/audit_device.c b/kernel/audit_device.c
new file mode 100644
index 0000000..8dfdf04
--- /dev/null
+++ b/kernel/audit_device.c
@@ -0,0 +1,90 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/usb.h>
+#include <linux/usb/hcd.h>
+#include <linux/slab.h>
+#include <linux/notifier.h>
+#include <linux/mutex.h>
+#include <linux/device.h>
+#include <linux/usb.h>
+#include <linux/audit.h>
+#include <linux/kdev_t.h>
+
+static void log_string(struct audit_buffer *ab, char *key, char *val)
+{
+       if (val) {
+               audit_log_format(ab, " %s=", key);
+               audit_log_untrustedstring(ab, val);
+       }
+       else {
+              audit_log_format(ab, " %s=%s", key, "?");
+       } 
+
+}
+
+static void log_major_minor(struct audit_buffer *ab, struct device *dev)
+{
+       if (dev && dev->devt) {
+               audit_log_format(ab, " major=%d", MAJOR(dev->devt));
+               audit_log_format(ab, " minor=%d", MINOR(dev->devt));
+       }
+}
+
+/* Blocking call when device has reference and will keep reference until
+ * all notifiers are done, no usb_dev_get/ usb_dev_put required.
+ */
+static int audit_notify(struct notifier_block *self,
+       unsigned long action, void *d)
+{
+       struct usb_device *usbdev = (struct usb_device *)d;
+       char *op;
+       struct audit_buffer *ab;
+
+       switch (action) {
+       case USB_DEVICE_ADD:
+               op = "add";
+               break;
+       case USB_DEVICE_REMOVE:
+               op =  "remove";
+               break;
+       default: /* ignore any other USB events */ 
+	       return NOTIFY_DONE;
+       }
+
+       ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_DEVICE_CHANGE);
+
+       if (ab) {
+               audit_log_format(ab, "action=%s", op);
+               log_string(ab, "manufacturer", usbdev->manufacturer);
+               log_string(ab, "product", usbdev->product);
+               log_string(ab, "serial", usbdev->serial);
+               log_major_minor(ab, &usbdev->dev);
+               log_string(ab, "bus", "usb");
+               audit_log_end(ab);
+       }
+
+       return NOTIFY_DONE;
+}
+
+static struct notifier_block audit_nb = {
+       .notifier_call = audit_notify,
+       .priority = INT_MIN
+};
+
+static int __init audit_device_init(void)
+{
+       pr_info("Registering usb audit notification callback\n");
+       usb_register_notify(&audit_nb);
+       return 0;
+}
+
+static void __exit audit_device_exit(void)
+{
+       pr_info("Unregistering usb audit notification callback\n");
+       usb_unregister_notify(&audit_nb);
+}
+
+module_init(audit_device_init);
+module_exit(audit_device_exit);
+
+MODULE_LICENSE("GPL");
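Review bot: the record carries nothing that distinguishes devices with identical vendor strings: usbdev->descriptor.idVendor/idProduct (the vid/pid Greg refers to), the bus and device numbers and the sysfs path are all reachable from the struct usb_device passed in but are not logged, whereas manufacturer, product and serial are free-form strings supplied by the device itself (untrusted input, correctly routed through audit_log_untrustedstring()). Smaller points in the same hunk: <linux/usb.h> is included twice and <linux/slab.h>, <linux/mutex.h> and <linux/usb/hcd.h> are unused; the cast in `struct usb_device *usbdev = (struct usb_device *)d;` is unnecessary for a void pointer; `log_major_minor()` tests `dev` for NULL although `&usbdev->dev` can never be NULL; with a `bool` Kconfig option the module_exit()/__exit path is dead code and the two pr_info() lines are boot noise; and the body is indented with spaces rather than tabs. Since the notifier only reacts to USB_DEVICE_ADD/USB_DEVICE_REMOVE, interface binding, which is what drivers actually attach to, is never recorded.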
-- 
1.8.3.1


* Re: auditd reports port number '0' for connect() system call
From: Steve Grubb @ 2016-04-01 12:13 UTC (permalink / raw)
  To: Kangkook Jee; +Cc: linux-audit
In-Reply-To: <58B1DB4D-2C44-4A0F-8576-E5AE9E655D05@gmail.com>

On Thursday, March 31, 2016 06:11:26 PM Kangkook Jee wrote:
> Here an event directly from auditd for connect() system call (syscall=42)
> with port number 0. Do you think connect() system call still can be called
> with port number 0?


Hello,

I got the full events. Below is the explanation...

type=SYSCALL msg=audit(03/29/2016 21:33:27.178:35720094) : arch=x86_64 
syscall=socket success=yes exit=44 a0=inet a1=SOCK_DGRAM a2=ip a3=0x0 items=0 
ppid=2779 pid=31713 auid=unset uid=unknown(8271) gid=unknown(5001) 
euid=unknown(8271) suid=unknown(8271) fsuid=unknown(8271) egid=unknown(5001) 
sgid=unknown(5001) fsgid=unknown(5001) tty=(none) ses=unset comm=DNS Res~er 
#465 exe=/usr/lib/firefox/firefox key=(null) 

So, here ^^^ we are creating a DGRAM socket. This is important because they 
follow slightly different rules than tcp.


type=SOCKADDR msg=audit(03/29/2016 21:33:27.178:35720095) : saddr=inet 
host:54.68.122.100 serv:0 
type=SYSCALL msg=audit(03/29/2016 21:33:27.178:35720095) : arch=x86_64 
syscall=connect success=yes exit=0 a0=0x2c a1=0x7f1fbe8f81f0 a2=0x10 a3=0x0 
items=0 ppid=2779 pid=31713 auid=unset uid=unknown(8271) gid=unknown(5001) 
euid=unknown(8271) suid=unknown(8271) fsuid=unknown(8271) egid=unknown(5001) 
sgid=unknown(5001) fsgid=unknown(5001) tty=(none) ses=unset comm=DNS Res~er 
#465 exe=/usr/lib/firefox/firefox key=(null)


http://man7.org/linux/man-pages/man2/connect.2.html
If the socket sockfd is of type SOCK_DGRAM, then addr is the address to which 
datagrams are sent by default, and the only address from which datagrams are 
received.

So, this is just setting up a connectionless socket to a specific server. 
Judging by the thread name, this is for DNS resolution for Firefox. So, I 
would say that without a doubt, this is normal system operation.

-Steve


> type=SYSCALL msg=audit(1459301607.178:35720095): arch=c000003e syscall=42
> success=yes exit=0 a0=2c a1=7f1fbe8f81f0 a2=10 a3=0 items=0 ppid=2779
> pid=31713 auid=4294967295 uid=8271 gid=5001 euid=8271 suid=8271 fsuid=8271
> egid=5001 sgid=500# type=SOCKADDR msg=audit(1459301607.178:35720095):
> saddr=0200000036447A640000000000000000
> 
> If it is bind() it makes sense, but I’m not sure we can still do this with
> connect().
> 
> Thanks!
> 
> /Kangkook




* Re: Linux Auditd app for Splunk
From: Douglas Brown @ 2016-04-01  8:09 UTC (permalink / raw)
  To: Maupertuis Philippe; +Cc: linux-audit@redhat.com
In-Reply-To: <3D2AB1326AB2974190FCE3F69401F790DB1ED7B8BA@FRVDX103.fr01.awl.atosorigin.net>


> On 1 Apr 2016, at 5:37 PM, Maupertuis Philippe <philippe.maupertuis@worldline.com> wrote:
> 
> The splunk app seems very promising.
> Is there a way to use it when audit records are sent to a central syslog server before feeding Splunk.
> For now, the auditd  record are prefixed by syslog information when received by Splunk.

Yep, make a 'local' directory in the TA app; copy the TA's default props.conf to the local directory; uncomment the block at the top of the file, then install the TA on the heavy forwarders/indexers that cook your syslogged audit events.

Cheers,
Doug

> -----Message d'origine-----
> De : linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] De la part de linux-audit-request@redhat.com
> Envoyé : jeudi 31 mars 2016 18:00
> À : linux-audit@redhat.com
> Objet : Linux-audit Digest, Vol 138, Issue 9
> 
> Send Linux-audit mailing list submissions to
>        linux-audit@redhat.com
> 
> To subscribe or unsubscribe via the World Wide Web, visit
>        https://www.redhat.com/mailman/listinfo/linux-audit
> or, via email, send a message with subject or body 'help' to
>        linux-audit-request@redhat.com
> 
> You can reach the person managing the list at
>        linux-audit-owner@redhat.com
> 
> When replying, please edit your Subject line so it is more specific than "Re: Contents of Linux-audit digest..."
> 
> 
> Today's Topics:
> 
>   1. Linux Auditd app for Splunk (Douglas Brown)
>   2. Re: auditd reports port number '0' for connect() system call
>      (Steve Grubb)
>   3. Re: Linux Auditd app for Splunk (Steve Grubb)
>   4. Re: Linux Auditd app for Splunk (F Rafi)
>   5. Re: Linux Auditd app for Splunk (Douglas Brown)
>   6. Re: auditd reports port number '0' for connect() system call
>      (Kangkook Jee)
>   7. Re: auditd reports port number '0' for connect() system call
>      (Kangkook Jee)
>   8. [PATCH] audit: cleanup prune_tree_thread (Jiri Slaby)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Wed, 30 Mar 2016 22:34:39 +0000
> From: Douglas Brown <doug.brown@qut.edu.au>
> To: "linux-audit@redhat.com" <linux-audit@redhat.com>
> Subject: Linux Auditd app for Splunk
> Message-ID: <64E84EA2-7954-4B57-857C-DD3B1009A0CB@qut.edu.au>
> Content-Type: text/plain; charset="utf-8"
> 
> Hi all,
> 
> This week I released version 2 of the Linux Auditd app for Splunk: https://splunkbase.splunk.com/app/2642/
> 
> Be sure to let me know if you have any suggestions for improvements.
> 
> Cheers,
> Doug
> 
> ------------------------------
> 
> Message: 2
> Date: Wed, 30 Mar 2016 19:29:58 -0400
> From: Steve Grubb <sgrubb@redhat.com>
> To: linux-audit@redhat.com
> Subject: Re: auditd reports port number '0' for connect() system call
> Message-ID: <1876918.F3mpSQW0Wx@x2>
> Content-Type: text/plain; charset="us-ascii"
> 
>> On Tuesday, March 29, 2016 11:19:24 PM Kangkook Jee wrote:
>> If I understood correctly, connect() should return error when sin_port
>> field is set with '0'. Would anyone explain this to me or help me with
>> fix this problem?
> 
> I get 779 as the port from your event.
> 
> -Steve
> 
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Wed, 30 Mar 2016 20:46:58 -0400
> From: Steve Grubb <sgrubb@redhat.com>
> To: linux-audit@redhat.com
> Subject: Re: Linux Auditd app for Splunk
> Message-ID: <97302213.LyDR1vQNKZ@x2>
> Content-Type: text/plain; charset="us-ascii"
> 
> Hello,
> 
>> On Wednesday, March 30, 2016 10:34:39 PM Douglas Brown wrote:
>> This week I released version 2 of the Linux Auditd app for Splunk:
>> https://splunkbase.splunk.com/app/2642/
> 
>> Be sure to let me know if you have any suggestions for improvements.
> 
> Thanks for posting this. Its good to see utilities like this supporting the audit daemon.
> 
> If anyone else has plugins to logging frameworks, reports, helpful scripts, etc...feel free to post a notice about them. We are sort of working on a new home for the audit system at github and can probably dedicate a page to related and helpful projects.
> 
> -Steve
> 
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Thu, 31 Mar 2016 01:01:10 -0400
> From: F Rafi <farhanible@gmail.com>
> To: doug.brown@qut.edu.au
> Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
> Subject: Re: Linux Auditd app for Splunk
> Message-ID:
>        <CABXp1cuoqfJJ=UyWPRnhb6qVPu9tnQNZKSvaFiSXwLGkfSBWLw@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> "I've turned SELinux off ... and as per Dan Walsh that's a bad thing."
> Love it.
> 
> Some questions.
> 
> *1. For the Severe Events panel: *Where is the severity coming from? The auditd logs don't show a severity rating.
> 
> *2. AUID to username mapping: *How are you doing this? Via tty logs or fetching passwd file contents somehow?
> 
> Thanks,
> Farhan
> 
>> On Wed, Mar 30, 2016 at 8:46 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>> 
>> Hello,
>> 
>>> On Wednesday, March 30, 2016 10:34:39 PM Douglas Brown wrote:
>>> This week I released version 2 of the Linux Auditd app for Splunk:
>>> https://splunkbase.splunk.com/app/2642/
>> 
>>> Be sure to let me know if you have any suggestions for improvements.
>> 
>> Thanks for posting this. Its good to see utilities like this
>> supporting the audit daemon.
>> 
>> If anyone else has plugins to logging frameworks, reports, helpful
>> scripts, etc...feel free to post a notice about them. We are sort of
>> working on a new home for the audit system at github and can probably
>> dedicate a page to related and helpful projects.
>> 
>> -Steve
>> 
>> --
>> Linux-audit mailing list
>> Linux-audit@redhat.com
>> https://www.redhat.com/mailman/listinfo/linux-audit
> 
> ------------------------------
> 
> Message: 5
> Date: Thu, 31 Mar 2016 05:18:22 +0000
> From: Douglas Brown <doug.brown@qut.edu.au>
> To: F Rafi <farhanible@gmail.com>
> Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
> Subject: Re: Linux Auditd app for Splunk
> Message-ID: <D3C762FA-9B17-4272-B20F-640DD2EF273C@qut.edu.au>
> Content-Type: text/plain; charset="utf-8"
> 
> Hi Farhan,
> 
> Good question. There's no source of truth (that I know of) for the severity of auditd event types so I created a lookup based upon my experience. Here it is: https://github.com/doksu/splunk_auditd/blob/master/linux-auditd/appserver/addons/TA_linux-auditd/lookups/audit_types.csv
> 
> Naturally you can change it to suit your environment but any suggestions for improvement are much appreciated. :)
> 
> The app has three identities lookups it merges together: local, directory and learnt. The first two you're meant to populate (see here for more details: https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#configuration), but technically you don't have to bother because version 2 automatically learns posix identities being used in your environment by periodically updating the 'learnt' lookup based upon USER_START events.
> 
> Cheers,
> Doug
> 
> From: F Rafi <farhanible@gmail.com<mailto:farhanible@gmail.com>>
> Date: Thursday, 31 March 2016 at 3:01 PM
> To: Doksu <doug.brown@qut.edu.au<mailto:doug.brown@qut.edu.au>>
> Cc: "linux-audit@redhat.com<mailto:linux-audit@redhat.com>" <linux-audit@redhat.com<mailto:linux-audit@redhat.com>>, Steve Grubb <sgrubb@redhat.com<mailto:sgrubb@redhat.com>>
> Subject: Re: Linux Auditd app for Splunk
> 
> "I've turned SELinux off ... and as per Dan Walsh that's a bad thing."   Love it.
> 
> Some questions.
> 
> 1. For the Severe Events panel: Where is the severity coming from? The auditd logs don't show a severity rating.
> 
> 2. AUID to username mapping: How are you doing this? Via tty logs or fetching passwd file contents somehow?
> 
> Thanks,
> Farhan
> 
> On Wed, Mar 30, 2016 at 8:46 PM, Steve Grubb <sgrubb@redhat.com<mailto:sgrubb@redhat.com>> wrote:
> Hello,
> 
>> On Wednesday, March 30, 2016 10:34:39 PM Douglas Brown wrote:
>> This week I released version 2 of the Linux Auditd app for Splunk:
>> https://splunkbase.splunk.com/app/2642/
> 
>> Be sure to let me know if you have any suggestions for improvements.
> 
> Thanks for posting this. Its good to see utilities like this supporting the audit daemon.
> 
> If anyone else has plugins to logging frameworks, reports, helpful scripts, etc...feel free to post a notice about them. We are sort of working on a new home for the audit system at github and can probably dedicate a page to related and helpful projects.
> 
> -Steve
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com<mailto:Linux-audit@redhat.com>
> https://www.redhat.com/mailman/listinfo/linux-audit
> 
> 
> ------------------------------
> 
> Message: 6
> Date: Thu, 31 Mar 2016 07:33:18 -0400
> From: Kangkook Jee <aixer77@gmail.com>
> To: Steve Grubb <sgrubb@redhat.com>
> Cc: linux-audit@redhat.com
> Subject: Re: auditd reports port number '0' for connect() system call
> Message-ID: <46420AF1-CBB8-45E2-B0BA-71A788AEEC43@gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> Dear Steve,
> 
> Thanks a lot for your quick response.
> Would you tell me from what saddr fields that you get the port number value '779'?
> 
> This might indicate my code to extract the field might be wrong. Would you also inform me what is the correct way to decode saddr string?
> 
> Thanks again!
> 
> Regards, Kangkook
> 
> 
>> On Mar 30, 2016, at 7:29 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>> 
>> On Tuesday, March 29, 2016 11:19:24 PM Kangkook Jee wrote:
>>> If I understood correctly, connect() should return error when
>>> sin_port field is set with '0'. Would anyone explain this to me or
>>> help me with fix this problem?
>> 
>> I get 779 as the port from your event.
>> 
>> -Steve
> 
> 
> ------------------------------
> 
> Message: 7
> Date: Thu, 31 Mar 2016 08:54:30 -0400
> From: Kangkook Jee <aixer77@gmail.com>
> To: Steve Grubb <sgrubb@redhat.com>
> Cc: linux-audit@redhat.com
> Subject: Re: auditd reports port number '0' for connect() system call
> 
> Message-ID: <AE5F3C07-3DA7-4DD9-9B9D-7807518DB4A6@gmail.com>
> Content-Type: text/plain; charset=utf-8
> 
> I checked out with strings that I provided from the previous email.
> 
> The first 3 ones gave me proper port numbers.
> 
> $ ~/bin/sock_decode 020000358A0F6C0B0000000000000000
> 020000358A0F6C0B0000000000000000: sa_family: 2 addr: 191631242, port: 53 (13568)
> $ ~/bin/sock_decode 0200006F8A0FA5090000000000000000
> 0200006F8A0FA5090000000000000000: sa_family: 2 addr: 161812362, port: 111 (28416)
> $ ~/bin/sock_decode 0200030B8A0FA5090000000000000000
> 0200030B8A0FA5090000000000000000: sa_family: 2 addr: 161812362, port: 779 (2819)
> 
> 
> but, the last three didn't
> 
> $ ~/bin/sock_decode 0200000036447A640000000000000000
> 0200000036447A640000000000000000: sa_family: 2 addr: 1685734454, port: 0 (0)
> $ ~/bin/sock_decode 020000003644ECD00000000000000000
> 020000003644ECD00000000000000000: sa_family: 2 addr: 3505144886, port: 0 (0)
> $ ~/bin/sock_decode 02000000369520250000000000000000
> 02000000369520250000000000000000: sa_family: 2 addr: 622892342, port: 0 (0)
> 
> Would you check this out?
> 
> /Kangkook
> 
>> On Mar 30, 2016, at 7:29 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>> 
>> On Tuesday, March 29, 2016 11:19:24 PM Kangkook Jee wrote:
>>> If I understood correctly, connect() should return error when
>>> sin_port field is set with '0'. Would anyone explain this to me or
>>> help me with fix this problem?
>> 
>> I get 779 as the port from your event.
>> 
>> -Steve
> 
> 
> 
> 
> ------------------------------
> 
> Message: 8
> Date: Thu, 31 Mar 2016 10:49:28 +0200
> From: Jiri Slaby <jslaby@suse.cz>
> To: paul@paul-moore.com
> Cc: linux-audit@redhat.com, Jiri Slaby <jslaby@suse.cz>,
>        linux-kernel@vger.kernel.org
> Subject: [PATCH] audit: cleanup prune_tree_thread
> Message-ID: <1459414168-5010-1-git-send-email-jslaby@suse.cz>
> 
> We can use kthread_run instead of kthread_create+wake_up_process for creating the thread.
> 
> We do not need to set the task state to TASK_RUNNING after schedule(), the process is in that state already.
> 
> And we do not need to set the state to TASK_INTERRUPTIBLE when not doing schedule() as we set the state to TASK_RUNNING immediately afterwards.
> 
> Signed-off-by: Jiri Slaby <jslaby@suse.cz>
> Cc: Paul Moore <paul@paul-moore.com>
> Cc: Eric Paris <eparis@redhat.com>
> Cc: <linux-audit@redhat.com>
> ---
> kernel/audit_tree.c | 12 +++++-------
> 1 file changed, 5 insertions(+), 7 deletions(-)
> 
> diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c index 5efe9b299a12..25772476fa4a 100644
> --- a/kernel/audit_tree.c
> +++ b/kernel/audit_tree.c
> @@ -661,10 +661,10 @@ static int tag_mount(struct vfsmount *mnt, void *arg)  static int prune_tree_thread(void *unused)  {
>        for (;;) {
> -               set_current_state(TASK_INTERRUPTIBLE);
> -               if (list_empty(&prune_list))
> +               if (list_empty(&prune_list)) {
> +                       set_current_state(TASK_INTERRUPTIBLE);
>                        schedule();
> -               __set_current_state(TASK_RUNNING);
> +               }
> 
>                mutex_lock(&audit_cmd_mutex);
>                mutex_lock(&audit_filter_mutex);
> @@ -693,16 +693,14 @@ static int audit_launch_prune(void)  {
>        if (prune_thread)
>                return 0;
> -       prune_thread = kthread_create(prune_tree_thread, NULL,
> +       prune_thread = kthread_run(prune_tree_thread, NULL,
>                                "audit_prune_tree");
>        if (IS_ERR(prune_thread)) {
>                pr_err("cannot start thread audit_prune_tree");
>                prune_thread = NULL;
>                return -ENOMEM;
> -       } else {
> -               wake_up_process(prune_thread);
> -               return 0;
>        }
> +       return 0;
> }
> 
> /* called with audit_filter_mutex */
> --
> 2.7.4
> 
> 
> 
> ------------------------------
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
> 
> End of Linux-audit Digest, Vol 138, Issue 9
> *******************************************
> 
> !!!*************************************************************************************
> "Ce message et les pièces jointes sont confidentiels et réservés à l'usage exclusif de ses destinataires. Il peut également être protégé par le secret professionnel. Si vous recevez ce message par erreur, merci d'en avertir immédiatement l'expéditeur et de le détruire. L'intégrité du message ne pouvant être assurée sur Internet, la responsabilité de Worldline ne pourra être recherchée quant au contenu de ce message. Bien que les meilleurs efforts soient faits pour maintenir cette transmission exempte de tout virus, l'expéditeur ne donne aucune garantie à cet égard et sa responsabilité ne saurait être recherchée pour tout dommage résultant d'un virus transmis.
> 
> This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Worldline liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.!!!"
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

^ permalink raw reply

* RE: Linux Auditd app for Splunk
From: Maupertuis Philippe @ 2016-04-01  7:34 UTC (permalink / raw)
  To: linux-audit@redhat.com

The Splunk app seems very promising.
Is there a way to use it when audit records are sent to a central syslog server before feeding Splunk?
For now, the auditd records are prefixed by syslog information when received by Splunk.

Regards
Philippe

-----Original Message-----
From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On behalf of linux-audit-request@redhat.com
Sent: Thursday, 31 March 2016 18:00
To: linux-audit@redhat.com
Subject: Linux-audit Digest, Vol 138, Issue 9


^ permalink raw reply

* Re: auditd reports port number '0' for connect() system call
From: Kangkook Jee @ 2016-03-31 22:11 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <2356527.JVHcORIXqi@x2>

Here is an event directly from auditd for the connect() system call (syscall=42) with port number 0.
Do you think the connect() system call can still be called with port number 0?

type=SYSCALL msg=audit(1459301607.178:35720095): arch=c000003e syscall=42 success=yes exit=0 a0=2c a1=7f1fbe8f81f0 a2=10 a3=0 items=0 ppid=2779 pid=31713 auid=4294967295 uid=8271 gid=5001 euid=8271 suid=8271 fsuid=8271 egid=5001 sgid=500#
type=SOCKADDR msg=audit(1459301607.178:35720095): saddr=0200000036447A640000000000000000

If it is bind() it makes sense, but I’m not sure we can still do this with connect().

Thanks! 

/Kangkook


> On Mar 31, 2016, at 5:50 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> 
> On Thursday, March 31, 2016 08:54:30 AM Kangkook Jee wrote:
>> but the last three didn’t:
>> 
>> $ ~/bin/sock_decode 0200000036447A640000000000000000
>> 0200000036447A640000000000000000: sa_family: 2 addr: 1685734454, port: 0 (0)
>> $ ~/bin/sock_decode 020000003644ECD00000000000000000
>> 020000003644ECD00000000000000000: sa_family: 2 addr: 3505144886, port: 0 (0)
>> $ ~/bin/sock_decode 02000000369520250000000000000000
>> 02000000369520250000000000000000: sa_family: 2 addr: 622892342, port: 0 (0)
>> 
>> Would you check this out?
> 
> You didn't give the events, but rather the sockaddr field alone. Port 0 is 
> valid in some uses. It means "give me an ephemeral port".
> 
> http://lxr.free-electrons.com/source/net/ipv4/inet_connection_sock.c#L90
> 
> 90 /* Obtain a reference to a local port for the given sock,
> 91  * if snum is zero it means select any available local port.
> 
> -Steve


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

^ permalink raw reply

* Re: auditd reports port number '0' for connect() system call
From: Steve Grubb @ 2016-03-31 21:50 UTC (permalink / raw)
  To: Kangkook Jee; +Cc: linux-audit
In-Reply-To: <AE5F3C07-3DA7-4DD9-9B9D-7807518DB4A6@gmail.com>

On Thursday, March 31, 2016 08:54:30 AM Kangkook Jee wrote:
> but the last three didn’t:
> 
> $ ~/bin/sock_decode 0200000036447A640000000000000000
> 0200000036447A640000000000000000: sa_family: 2 addr: 1685734454, port: 0 (0)
> $ ~/bin/sock_decode 020000003644ECD00000000000000000
> 020000003644ECD00000000000000000: sa_family: 2 addr: 3505144886, port: 0 (0)
> $ ~/bin/sock_decode 02000000369520250000000000000000
> 02000000369520250000000000000000: sa_family: 2 addr: 622892342, port: 0 (0)
> 
> Would you check this out?

You didn't give the events, but rather the sockaddr field alone. Port 0 is 
valid in some uses. It means "give me an ephemeral port".

http://lxr.free-electrons.com/source/net/ipv4/inet_connection_sock.c#L90

 90 /* Obtain a reference to a local port for the given sock,
 91  * if snum is zero it means select any available local port.

-Steve


^ permalink raw reply

* Re: auditd reports port number '0' for connect() system call
From: Kangkook Jee @ 2016-03-31 12:54 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <1876918.F3mpSQW0Wx@x2>

I checked with the strings that I provided in the previous email.

The first three gave me proper port numbers.

$ ~/bin/sock_decode 020000358A0F6C0B0000000000000000
020000358A0F6C0B0000000000000000: sa_family: 2 addr: 191631242, port: 53 (13568)
$ ~/bin/sock_decode 0200006F8A0FA5090000000000000000
0200006F8A0FA5090000000000000000: sa_family: 2 addr: 161812362, port: 111 (28416)
$ ~/bin/sock_decode 0200030B8A0FA5090000000000000000
0200030B8A0FA5090000000000000000: sa_family: 2 addr: 161812362, port: 779 (2819)


but the last three didn’t:

$ ~/bin/sock_decode 0200000036447A640000000000000000
0200000036447A640000000000000000: sa_family: 2 addr: 1685734454, port: 0 (0)
$ ~/bin/sock_decode 020000003644ECD00000000000000000
020000003644ECD00000000000000000: sa_family: 2 addr: 3505144886, port: 0 (0)
$ ~/bin/sock_decode 02000000369520250000000000000000
02000000369520250000000000000000: sa_family: 2 addr: 622892342, port: 0 (0)

Would you check this out?

/Kangkook

> On Mar 30, 2016, at 7:29 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> 
> On Tuesday, March 29, 2016 11:19:24 PM Kangkook Jee wrote:
>> If I understood correctly, connect() should return an error when the sin_port
>> field is set to '0'. Would anyone explain this to me or help me fix this
>> problem?
> 
> I get 779 as the port from your event.
> 
> -Steve



^ permalink raw reply
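Steve's reply makes the point that the saddr blob alone cannot tell you whether a port of 0 is a problem; you need the SYSCALL record it belongs to, and ideally the socket() call that created the descriptor. The following Python is an added example, not Kangkook's sock_decode and not code from the audit userspace project: it decodes the hex saddr strings posted in this thread (AF_INET, plus AF_INET6 and AF_UNIX), shows the host-order misread behind the parenthesised numbers in the sock_decode output, and joins each connect() SYSCALL with its SOCKADDR record. It assumes x86_64 syscall numbers (41 = socket, 42 = connect) and little-endian sa_family; the socket() records and the TCP connect() in the sample log are constructed.

```python
"""Decode audit SOCKADDR blobs and judge a connect() to port 0 in context.

Added example for this thread; it is neither Kangkook's sock_decode nor code
from the audit userspace project.  Assumes x86_64 records (little-endian
sa_family; syscall 41 = socket, 42 = connect) and ties a connect() to the same
pid's socket() call whose return value equals the fd in a0 (fd reuse between
the two events is ignored)."""
import re
import socket
import struct

SYS_SOCKET, SYS_CONNECT = 41, 42          # x86_64 syscall numbers
AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10     # Linux values, not the host's
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$")


def decode_saddr(hexstr):
    """Decode one saddr= blob according to the struct sockaddr_* layout."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 2:
        raise ValueError("saddr shorter than sa_family")
    family = struct.unpack_from("<H", raw, 0)[0]   # sa_family is host order
    if family == AF_INET:                           # sockaddr_in: 2+2+4 (+8 pad)
        if len(raw) < 8:
            raise ValueError("truncated sockaddr_in")
        return {
            "family": "AF_INET",
            "addr": socket.inet_ntop(socket.AF_INET, raw[4:8]),
            "port": struct.unpack_from("!H", raw, 2)[0],   # sin_port: network order
            # sin_port misread in host order: sock_decode's parenthesised value
            "port_host_order": struct.unpack_from("<H", raw, 2)[0],
        }
    if family == AF_INET6:                          # sockaddr_in6: port, flowinfo, addr
        if len(raw) < 24:
            raise ValueError("truncated sockaddr_in6")
        return {
            "family": "AF_INET6",
            "addr": socket.inet_ntop(socket.AF_INET6, raw[8:24]),
            "port": struct.unpack_from("!H", raw, 2)[0],
        }
    if family == AF_UNIX:                           # sun_path, NUL-terminated
        path = raw[2:].split(b"\x00", 1)[0]
        return {"family": "AF_UNIX", "path": path.decode("utf-8", "replace")}
    return {"family": family, "raw": hexstr}


def parse_events(lines):
    """Group raw audit records by msg=audit(...) id: {id: {record type: fields}}."""
    events = {}
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = dict(kv.split("=", 1) for kv in body.split() if "=" in kv)
        events.setdefault(event_id, {})[rtype] = fields
    return events


def connect_targets(events):
    """Join SYSCALL+SOCKADDR for each connect() and explain a zero port."""
    sock_types = {}   # (pid, fd) -> SOCK_* type taken from the creating socket()
    results = []
    for event_id, recs in events.items():
        sc = recs.get("SYSCALL")
        if not sc or sc.get("success") != "yes":
            continue
        nr = int(sc.get("syscall", -1))
        if nr == SYS_SOCKET:
            # a1 is the hex type argument; mask off SOCK_NONBLOCK/SOCK_CLOEXEC
            sock_types[(sc["pid"], int(sc["exit"]))] = int(sc["a1"], 16) & 0xF
        elif nr == SYS_CONNECT and "SOCKADDR" in recs:
            target = decode_saddr(recs["SOCKADDR"]["saddr"])
            stype = sock_types.get((sc["pid"], int(sc["a0"], 16)))
            target["event"] = event_id
            target["sock_type"] = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}.get(stype, "unknown")
            if target.get("port") == 0:
                # connect() on a datagram socket only fixes the default peer: legal
                target["note"] = ("port 0: legal default-peer connect on SOCK_DGRAM"
                                  if stype == 2 else "port 0: unexpected, inspect")
            results.append(target)
    return results


# Sample log: lines 2-3 are copied from the thread (trailing fields trimmed);
# line 1 is a constructed socket() record for the fd connect() uses (a0=2c ==
# exit=44); lines 4-6 are a constructed TCP pair reusing the thread's port-779 blob.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1459301607.178:35720094): arch=c000003e syscall=41 success=yes exit=44 a0=2 a1=2 a2=0 a3=0 items=0 ppid=2779 pid=31713
type=SYSCALL msg=audit(1459301607.178:35720095): arch=c000003e syscall=42 success=yes exit=0 a0=2c a1=7f1fbe8f81f0 a2=10 a3=0 items=0 ppid=2779 pid=31713 auid=4294967295 uid=8271 gid=5001
type=SOCKADDR msg=audit(1459301607.178:35720095): saddr=0200000036447A640000000000000000
type=SYSCALL msg=audit(1459301700.000:35720200): arch=c000003e syscall=41 success=yes exit=7 a0=2 a1=1 a2=6 a3=0 items=0 ppid=1 pid=4242
type=SYSCALL msg=audit(1459301700.001:35720201): arch=c000003e syscall=42 success=yes exit=0 a0=7 a1=7ffd00001000 a2=10 a3=0 items=0 ppid=1 pid=4242
type=SOCKADDR msg=audit(1459301700.001:35720201): saddr=0200030B8A0FA5090000000000000000
"""

if __name__ == "__main__":
    for target in connect_targets(parse_events(SAMPLE_LOG.splitlines())):
        print(target)
```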

* Re: auditd reports port number '0' for connect() system call
From: Kangkook Jee @ 2016-03-31 11:33 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <1876918.F3mpSQW0Wx@x2>


Dear Steve, 

Thanks a lot for your quick response. 
Would you tell me from which saddr field you got the port number value ‘779’?

This might indicate that my code to extract the field is wrong. Would you also tell me the correct way to decode the saddr string?

Thanks again!

Regards, Kangkook


> On Mar 30, 2016, at 7:29 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> 
> On Tuesday, March 29, 2016 11:19:24 PM Kangkook Jee wrote:
>> If I understood correctly, connect() should return an error when the sin_port
>> field is set to '0'. Would anyone explain this to me or help me fix this
>> problem?
> 
> I get 779 as the port from your event.
> 
> -Steve


^ permalink raw reply

* [PATCH] audit: cleanup prune_tree_thread
From: Jiri Slaby @ 2016-03-31  8:49 UTC (permalink / raw)
  To: paul; +Cc: eparis, linux-kernel, Jiri Slaby, linux-audit

We can use kthread_run instead of kthread_create+wake_up_process for
creating the thread.

We do not need to set the task state to TASK_RUNNING after schedule();
the process is in that state already.

And we do not need to set the state to TASK_INTERRUPTIBLE when not
doing schedule() as we set the state to TASK_RUNNING immediately
afterwards.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Paul Moore <paul@paul-moore.com>
Cc: Eric Paris <eparis@redhat.com>
Cc: <linux-audit@redhat.com>
---
 kernel/audit_tree.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
index 5efe9b299a12..25772476fa4a 100644
--- a/kernel/audit_tree.c
+++ b/kernel/audit_tree.c
@@ -661,10 +661,10 @@ static int tag_mount(struct vfsmount *mnt, void *arg)
 static int prune_tree_thread(void *unused)
 {
 	for (;;) {
-		set_current_state(TASK_INTERRUPTIBLE);
-		if (list_empty(&prune_list))
+		if (list_empty(&prune_list)) {
+			set_current_state(TASK_INTERRUPTIBLE);
 			schedule();
-		__set_current_state(TASK_RUNNING);
+		}
 
 		mutex_lock(&audit_cmd_mutex);
 		mutex_lock(&audit_filter_mutex);
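Review bot: Moving set_current_state(TASK_INTERRUPTIBLE) below the list_empty(&prune_list) test leaves a lost-wakeup window in prune_tree_thread(): a wake_up_process() issued after the emptiness check but before the state change finds the task still TASK_RUNNING and does nothing, so the schedule() that follows sleeps with work already queued until the next wakeup arrives. The original order (set the state, then test the condition, then schedule()) is the idiom that closes that window; only the __set_current_state(TASK_RUNNING) after schedule() was redundant. Either keep `set_current_state(TASK_INTERRUPTIBLE);` ahead of `if (list_empty(&prune_list))` and reset to TASK_RUNNING on the non-sleeping path, or state in the changelog why a delayed prune is acceptable here.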
@@ -693,16 +693,14 @@ static int audit_launch_prune(void)
 {
 	if (prune_thread)
 		return 0;
-	prune_thread = kthread_create(prune_tree_thread, NULL,
+	prune_thread = kthread_run(prune_tree_thread, NULL,
 				"audit_prune_tree");
 	if (IS_ERR(prune_thread)) {
 		pr_err("cannot start thread audit_prune_tree");
 		prune_thread = NULL;
 		return -ENOMEM;
-	} else {
-		wake_up_process(prune_thread);
-		return 0;
 	}
+	return 0;
 }
 
 /* called with audit_filter_mutex */
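Review bot: The IS_ERR() path kept by this hunk still returns a hard-coded -ENOMEM and its pr_err() has no trailing newline; since the error handling is being reshaped anyway, consider saving `PTR_ERR(prune_thread)` before `prune_thread = NULL;` and returning that, and `pr_err("cannot start thread audit_prune_tree\n");`. Dropping the else branch is safe because kthread_run() already wakes the thread on success.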
-- 
2.7.4

^ permalink raw reply related

* Re: Linux Auditd app for Splunk
From: Douglas Brown @ 2016-03-31  5:18 UTC (permalink / raw)
  To: F Rafi; +Cc: linux-audit@redhat.com
In-Reply-To: <CABXp1cuoqfJJ=UyWPRnhb6qVPu9tnQNZKSvaFiSXwLGkfSBWLw@mail.gmail.com>


Hi Farhan,

Good question. There’s no source of truth (that I know of) for the severity of auditd event types so I created a lookup based upon my experience. Here it is: https://github.com/doksu/splunk_auditd/blob/master/linux-auditd/appserver/addons/TA_linux-auditd/lookups/audit_types.csv

Naturally you can change it to suit your environment but any suggestions for improvement are much appreciated. :)

The app has three identities lookups it merges together: local, directory and learnt. The first two you’re meant to populate (see here for more details: https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuration#configuration), but technically you don’t have to bother because version 2 automatically learns the POSIX identities being used in your environment by periodically updating the ‘learnt’ lookup based upon USER_START events.

Cheers,
Doug

^ permalink raw reply

* Re: Linux Auditd app for Splunk
From: F Rafi @ 2016-03-31  5:01 UTC (permalink / raw)
  To: doug.brown; +Cc: linux-audit@redhat.com
In-Reply-To: <97302213.LyDR1vQNKZ@x2>


"I've turned SELinux off ... and as per Dan Walsh that's a bad thing."
Love it.

Some questions.

1. For the Severe Events panel: Where is the severity coming from? The
auditd logs don't show a severity rating.

2. AUID to username mapping: How are you doing this? Via tty logs or
fetching passwd file contents somehow?

Thanks,
Farhan

On Wed, Mar 30, 2016 at 8:46 PM, Steve Grubb <sgrubb@redhat.com> wrote:

> Hello,
>
> On Wednesday, March 30, 2016 10:34:39 PM Douglas Brown wrote:
> > This week I released version 2 of the Linux Auditd app for Splunk:
> > https://splunkbase.splunk.com/app/2642/
>
> > Be sure to let me know if you have any suggestions for improvements.
>
> Thanks for posting this. It's good to see utilities like this supporting the
> audit daemon.
>
> If anyone else has plugins to logging frameworks, reports, helpful scripts,
> etc., feel free to post a notice about them. We are sort of working on a
> new home for the audit system at GitHub and can probably dedicate a page to
> related and helpful projects.
>
> -Steve
>
^ permalink raw reply

* Re: Linux Auditd app for Splunk
From: Steve Grubb @ 2016-03-31  0:46 UTC (permalink / raw)
  To: linux-audit
In-Reply-To: <64E84EA2-7954-4B57-857C-DD3B1009A0CB@qut.edu.au>

Hello,

On Wednesday, March 30, 2016 10:34:39 PM Douglas Brown wrote:
> This week I released version 2 of the Linux Auditd app for Splunk:
> https://splunkbase.splunk.com/app/2642/
 
> Be sure to let me know if you have any suggestions for improvements.

Thanks for posting this. It's good to see utilities like this supporting the 
audit daemon.

If anyone else has plugins to logging frameworks, reports, helpful scripts, 
etc...feel free to post a notice about them. We are sort of working on a new 
home for the audit system at github and can probably dedicate a page to 
related and helpful projects.

-Steve


* Re: auditd reports port number '0' for connect() system call
From: Steve Grubb @ 2016-03-30 23:29 UTC (permalink / raw)
  To: linux-audit
In-Reply-To: <BB85AA6D-1E28-4B4C-AD5D-35AB87CC07E6@gmail.com>

On Tuesday, March 29, 2016 11:19:24 PM Kangkook Jee wrote:
> If I understood correctly, connect() should return an error when the sin_port field
> is set to '0'. Would anyone explain this to me or help me fix this
> problem?

I get 779 as the port from your event.

-Steve


* Linux Auditd app for Splunk
From: Douglas Brown @ 2016-03-30 22:34 UTC (permalink / raw)
  To: linux-audit@redhat.com



Hi all,

This week I released version 2 of the Linux Auditd app for Splunk: https://splunkbase.splunk.com/app/2642/

Be sure to let me know if you have any suggestions for improvements.

Cheers,
Doug


* auditd reports port number '0' for connect() system call
From: Kangkook Jee @ 2016-03-30  3:19 UTC (permalink / raw)
  To: linux-audit



Hi all, 

I'm developing a custom audit client to monitor Linux system activities.
I'm testing my client on an Ubuntu 14.04 (64-bit) system with the following auditctl rules.

sudo auditctl -l                                                                                                                     
LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=open,close,dup,dup2,socket,connect,accept,listen,socketpair,clone,fork,vfork,execve,exit,creat,unlink,exit_group,openat,unlinkat,accept4,dup3

And I captured the raw system messages with the following command.

sudo auditd -f > /tmp/log.txt

While /tmp/log.txt contains a considerable amount of raw audit messages, I grep'ed only the connect() system calls with their associated saddr entries.

grep -A1 -e "syscall=42 success=yes" /tmp/log.txt

--
type=SYSCALL msg=audit(1459302277.538:35891018): arch=c000003e syscall=42 success=yes exit=0 a0=61 a1=7f2ec75a1ed0 a2=10 a3=1 items=0 ppid=2779 pid=21581 auid=4294967295 uid=8271 gid=5001 euid=8271 suid=8271 fsuid=8271 egid=5001 sgid=5001 fsgid=5001 tty=(none) ses=4294967295 comm="Chrome_IOThread" exe="/opt/google/chrome/chrome" key=(null)
type=SOCKADDR msg=audit(1459302277.538:35891018): saddr=020000358A0F6C0B0000000000000000
--
type=SYSCALL msg=audit(1459302309.098:35898719): arch=c000003e syscall=42 success=yes exit=0 a0=6 a1=7fffe9a24980 a2=10 a3=7fffe9a246d0 items=0 ppid=20312 pid=2991 auid=4294967295 uid=8271 gid=5001 euid=0 suid=0 fsuid=0 egid=0 sgid=5001 fsgid=0 tty=pts23 ses=4294967295 comm="sudo" exe="/usr/bin/sudo" key=(null)
type=SOCKADDR msg=audit(1459302309.098:35898719): saddr=0200006F8A0FA5090000000000000000
--
type=SYSCALL msg=audit(1459302309.098:35898722): arch=c000003e syscall=42 success=yes exit=0 a0=6 a1=7fffe9a24980 a2=10 a3=7fffe9a246d0 items=0 ppid=20312 pid=2991 auid=4294967295 uid=8271 gid=5001 euid=0 suid=0 fsuid=0 egid=0 sgid=5001 fsgid=0 tty=pts23 ses=4294967295 comm="sudo" exe="/usr/bin/sudo" key=(null)
type=SOCKADDR msg=audit(1459302309.098:35898722): saddr=0200030B8A0FA5090000000000000000
...

For these entries, I decoded the saddr values with the attached program and extracted the entries whose port value is '0'.

g++ -o sock_decode sock_decode.cpp
grep -A1 -e "syscall=42 success=yes" /tmp/log.txt |grep saddr | awk 'BEGIN{FS="="} {print "./sock_decode " $4}' |sh  |grep "sa_family: 2.* port: 0"  |more

0200000036447A640000000000000000: sa_family: 2 addr: 1685734454, port: 0 (0)
020000003644ECD00000000000000000: sa_family: 2 addr: 3505144886, port: 0 (0)
02000000369520250000000000000000: sa_family: 2 addr: 622892342, port: 0 (0) 
....

If I understood correctly, connect() should return an error when the sin_port field is set to '0'.
Would anyone explain this to me or help me fix this problem?
Thanks a lot for your help in advance!






[-- Attachment #1.2.2: sock_decode.cpp --]

#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <cctype>
#include <netinet/in.h>
#include <arpa/inet.h>

// from Audit source.
// Convert one pair of hex digits into the byte they encode.
static unsigned char x2c(const unsigned char *buf)
{
        static const char AsciiArray[17] = "0123456789ABCDEF";
        const char *ptr;
        unsigned char total=0;

        ptr = strchr(AsciiArray, (char)toupper(buf[0]));
        if (ptr)
                total = (unsigned char)(((ptr-AsciiArray) & 0x0F)<<4);
        ptr = strchr(AsciiArray, (char)toupper(buf[1]));
        if (ptr)
                total += (unsigned char)((ptr-AsciiArray) & 0x0F);

        return total;
}

// from Audit source.
// Decode a hex-encoded audit field in place into a freshly allocated buffer.
// Returns NULL for input that is too short, or the literal string for "(null)".
char *au_unescape(char *buf)
{
        int len, i;
        char saved, *str, *ptr = buf;

        /* Find the end of the name */
        if (*ptr == '(') {
                ptr = strchr(ptr, ')');
                if (ptr == NULL)
                {
                        return NULL;
                }
                else
                        ptr++;
        } else {
                while (isxdigit(*ptr))
                        ptr++;
        }
        saved = *ptr;
        *ptr = 0;
        str = strdup(buf);
        *ptr = saved;

        /* See if its '(null)' from the kernel */
        if (*buf == '(')
                return str;

        /* We can get away with this since the buffer is 2 times
         * bigger than what we are putting there.
         */
        len = strlen(str);
        if (len < 2) {
                free(str);
                return NULL;
        }
        ptr = str;
        for (i=0; i<len; i+=2) {
                *ptr = x2c((unsigned char *)&str[i]);
                ptr++;
        }
        *ptr = 0;
        return str;
}

struct sockaddr* get_au_sockaddr(const char* val, int *ret_len) {
    *ret_len = strlen(val) / 2; /* because audit msg uses hexadecimal to
     represent sock addr */

    // convert hexadecimal sock addr to char string
    return (struct sockaddr *) au_unescape((char *) val);
}

int main(int argc, char* argv[]) {

    if (argc != 2) {
        fprintf(stderr, "<Usage> %s <SOCKSTRING>\n", argv[0]);
        exit(-1);
    }
    int len = 0;
    struct sockaddr* sa = get_au_sockaddr(argv[1], &len);
    /* au_unescape() returns NULL for malformed input; also refuse to read
     * sockaddr_in fields from a decoded buffer that is shorter than the struct. */
    if (sa == NULL || len < (int)sizeof(struct sockaddr_in)) {
        fprintf(stderr, "%s: not a valid hex-encoded sockaddr_in\n", argv[1]);
        return 1;
    }
    int port = ntohs(((struct sockaddr_in *)sa)->sin_port);

    /* addr is printed as the raw s_addr value, i.e. still in network byte order */
    uint32_t addr = ((struct sockaddr_in *)sa)->sin_addr.s_addr;
    printf("%s: sa_family: %d addr: %u, port: %d (%d)\n",
            argv[1], sa->sa_family, addr, port, ((struct sockaddr_in *)sa)->sin_port);
    free(sa);
    return 0;
}


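As an added example (not the poster's program and not audit-project code), the decoding step above in Python: it decodes the hex saddr field of a SOCKADDR record and pairs each SOCKADDR with its SYSCALL record by audit serial, so a connect() whose destination port decodes to 0 can be attributed to a comm/exe. The sample log lines are constructed from the records quoted in the post, with a made-up process name in the second pair; decoded, the post's values give ports 53, 111 and 779 for the three quoted records and 0 for the three listed afterwards. A port of 0 on a datagram socket is accepted by connect() (it only sets the default destination), so such records are not a decoder error, which is why this script attributes rather than alerts.

```python
import re
import socket
import struct
AF_INET, AF_INET6 = 2, 10   # sa_family values; other families are passed through undecoded

def decode_saddr(hexstr):
    """Decode the hex dump of struct sockaddr carried in an audit SOCKADDR record. sa_family is in
    the logging host's byte order (little-endian: x86_64 here); port and address are network order."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack("<H", raw[:2])[0]
    if family == AF_INET and len(raw) >= 8:        # struct sockaddr_in
        port = struct.unpack("!H", raw[2:4])[0]
        return {"family": "AF_INET", "port": port, "addr": socket.inet_ntop(socket.AF_INET, raw[4:8])}
    if family == AF_INET6 and len(raw) >= 24:      # struct sockaddr_in6: port, flowinfo, then addr
        port = struct.unpack("!H", raw[2:4])[0]
        return {"family": "AF_INET6", "port": port, "addr": socket.inet_ntop(socket.AF_INET6, raw[8:24])}
    return {"family": family}

def parse_fields(line):
    """Split one audit record into key=value fields, dropping the quotes around values."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def zero_port_connects(lines):
    """Pair SYSCALL and SOCKADDR records by audit serial and return (serial, comm, exe, addr)
    for every successful connect() (syscall 42 on x86_64) whose destination port decodes to 0."""
    syscalls, addrs = {}, {}
    for line in lines:
        m = re.search(r"msg=audit\([\d.]+:(\d+)\)", line)
        if not m:
            continue
        f = parse_fields(line)
        if f.get("type") == "SYSCALL":
            syscalls[m.group(1)] = f
        elif f.get("type") == "SOCKADDR":
            addrs[m.group(1)] = decode_saddr(f["saddr"])
    hits = []
    for serial, sa in addrs.items():
        sc = syscalls.get(serial, {})
        if sc.get("syscall") == "42" and sc.get("success") == "yes" and sa.get("port") == 0:
            hits.append((serial, sc.get("comm"), sc.get("exe"), sa["addr"]))
    return hits

# Constructed sample log: the first pair is the Chrome event quoted in the post (fields trimmed);
# the second reuses one of the port-0 saddr values listed there with a made-up process name.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1459302277.538:35891018): arch=c000003e syscall=42 success=yes exit=0 '
    'a0=61 pid=21581 uid=8271 comm="Chrome_IOThread" exe="/opt/google/chrome/chrome" key=(null)',
    'type=SOCKADDR msg=audit(1459302277.538:35891018): saddr=020000358A0F6C0B0000000000000000',
    'type=SYSCALL msg=audit(1459302280.001:35891100): arch=c000003e syscall=42 success=yes exit=0 '
    'a0=2c pid=31713 uid=8271 comm="example-resolver" exe="/usr/bin/example-resolver" key=(null)',
    'type=SOCKADDR msg=audit(1459302280.001:35891100): saddr=0200000036447A640000000000000000',
]
if __name__ == "__main__":
    for serial, comm, exe, addr in zero_port_connects(SAMPLE_LOG):
        print("event %s: %s (%s) connect() to %s port 0" % (serial, comm, exe, addr))
```
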
* [ANNOUNCE] Linux Security Summit 2016 - CFP
From: James Morris @ 2016-03-24 22:55 UTC (permalink / raw)
  To: linux-security-module
  Cc: linux-kernel, lwn, fedora-selinux-list, selinux, ubuntu-hardened,
	Linux Security Summit Program Committee, netfilter-devel,
	linux-crypto, Audit-ML, gentoo-hardened, keyrings, tpmdd-devel,
	kernel-hardening, oss-security


==========================================================================
                 ANNOUNCEMENT AND CALL FOR PARTICIPATION

                       LINUX SECURITY SUMMIT 2016
                              25-26 AUGUST
                            TORONTO, CANADA
                           
==========================================================================


DESCRIPTION

  The Linux Security Summit (LSS) is a technical forum for collaboration
  between Linux developers, researchers, and end users.  Its primary aim
  is to foster community efforts in analyzing and solving Linux security
  challenges.

  The format of the summit will be:
  
    * Refereed presentations
    * Discussion topics
    * Subsystem reports
    * Breakout development sessions 


WEB SITE

  http://events.linuxfoundation.org/events/linux-security-summit


TWITTER

  For event updates and announcements, follow:

  https://twitter.com/LinuxSecSummit


DATES / LOCATION

  The Linux Security Summit for 2016 will be held August 25th and 26th
  in Toronto, Canada.  It will be co-located with LinuxCon.

  The Linux Security Summit CFP is now open, and will close on June 10th.
  
  Accepted speakers will be notified by June 17th.


WHO SHOULD ATTEND

  We're seeking a diverse range of attendees, and welcome participation
  by people involved in Linux security development, operations, and research.

  The LSS is a unique global event which provides the opportunity to present
  and discuss your work or research with key Linux security community
  members and maintainers.  It’s also useful for those who wish to keep up
  with the latest in Linux security development, and to provide input to
  the development process.


CALL FOR PARTICIPATION

  The program committee currently seeks proposals for:

  * Refereed Presentations:
      45 minutes in length, including at least 10 minutes of discussion.
      One-page abstracts are encouraged.

  * Discussion Topics:
      30 minutes in length.
 
  Topic areas include, but are not limited to:
  
    * Kernel self-protection
    * Access control
    * Cryptography and key management
    * Integrity control
    * Hardware security
    * Trust systems
    * Storage and file systems
    * Virtualization and containers
    * Case studies
    * Identity management
    * Code analysis
    * Security analytics
    * Secure development and operational practices
    * Emerging technologies, threats & techniques 
    
  Proposals should be submitted via the event web site:

    http://events.linuxfoundation.org/events/linux-security-summit/program/cfp


PROGRAM COMMITTEE

  The Linux Security Summit for 2016 is organized by:

    * James Morris, Oracle
    * Serge Hallyn, Canonical
    * Paul Moore, Red Hat
    * Stephen Smalley, NSA
    * Elena Reshetova, Intel
    * Herbert Xu, Red Hat
    * John Johansen, Canonical
    * Kees Cook, Google
    * Casey Schaufler, Intel
    * Mimi Zohar, IBM

  The program committee may be contacted as a group via email:

    lss-pc@lists.linuxfoundation.org


* Re: EXT :Re: audit.rules setting
From: Steve Grubb @ 2016-03-22 14:40 UTC (permalink / raw)
  To: Boyce, Kevin P (AS); +Cc: linux-audit@redhat.com
In-Reply-To: <d2872ae671d74c08bc3457672f69c9fe@XCGVAG30.northgrum.com>

On Tuesday, March 22, 2016 02:26:33 PM Boyce, Kevin P wrote:
> With regard to this subject I don't know if it is possible, but it bothers
> me when shutting down a system that you get errors (when -e 2 is enabled)
> when auditd is stopping. That might be unavoidable though.

If this is a sysVinit system, then there are variables in /etc/sysconfig/auditd 
such as AUDITD_CLEAN_STOP that determine what the init script does.

If you have a systemd based init system, then by default it does not modify 
rules like the sysVinit one does. It does have an ExecStopPost= variable that 
can be modified if you wanted to clear rules on shutdown.

-Steve

> -----Original Message-----
> From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com]
> On Behalf Of Steve Grubb Sent: Tuesday, March 22, 2016 10:06 AM
> To: linux-audit@redhat.com
> Subject: EXT :Re: audit.rules setting
> 
> On Tuesday, March 22, 2016 12:55:25 PM Warron S French wrote:
> > Does the "-e 2" have to be the last line of the audit.rules file?
> 
> Yes. Once it's sent to the kernel, the kernel rules tables are immutable.
> 
> > Does it have to be listed prior to all of the syscalls and watches
> > configured in the file?
> 
> No. This will make it not load anything.
> 
> -Steve
> 


* RE: EXT :Re: audit.rules setting
From: Boyce, Kevin P (AS) @ 2016-03-22 14:26 UTC (permalink / raw)
  To: Steve Grubb, linux-audit@redhat.com
In-Reply-To: <3733418.XMMLLTDFfX@x2>

With regard to this subject I don't know if it is possible, but it bothers me when shutting down a system that you get errors (when -e 2 is enabled) when auditd is stopping.
That might be unavoidable though.

Kevin Boyce


-----Original Message-----
From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Steve Grubb
Sent: Tuesday, March 22, 2016 10:06 AM
To: linux-audit@redhat.com
Subject: EXT :Re: audit.rules setting

On Tuesday, March 22, 2016 12:55:25 PM Warron S French wrote:
> Does the "-e 2" have to be the last line of the audit.rules file?

Yes. Once it's sent to the kernel, the kernel rules tables are immutable.


> Does it have to be listed prior to all of the syscalls and watches 
> configured in the file?

No. This will make it not load anything.

-Steve



* Re: audit.rules setting
From: Steve Grubb @ 2016-03-22 14:06 UTC (permalink / raw)
  To: linux-audit
In-Reply-To: <BY1PR09MB0887F3A8E6CB06578182DF97C7800@BY1PR09MB0887.namprd09.prod.outlook.com>

On Tuesday, March 22, 2016 12:55:25 PM Warron S French wrote:
> Does the "-e 2" have to be the last line of the audit.rules file?

Yes. Once it's sent to the kernel, the kernel rules tables are immutable.


> Does it have to be listed prior to all of the syscalls and watches
> configured in the file?

No. This will make it not load anything.

-Steve


* Re: Strings encoding
From: Steve Grubb @ 2016-03-22 13:46 UTC (permalink / raw)
  To: linux-audit
In-Reply-To: <ncqt4j$vn1$1@ger.gmane.org>

Hello,

On Tuesday, March 22, 2016 09:44:19 AM Lev Stipakov wrote:
> The string values can be either enclosed in quotation marks or
> hex-encoded. Is it safe to assume that sequence of bytes after hex
> decoding is always utf-8 encoded string?

There are no guarantees what they are. This is used whenever the user could 
have controlled the input in a way to trick the audit parser. And in one case 
the hex encoding is an actual socket address structure.

-Steve
