* Re: [PATCH] audit: add tty field to LOGIN event
From: Richard Guy Briggs @ 2016-04-18 18:27 UTC (permalink / raw)
To: Peter Hurley; +Cc: linux-audit, linux-kernel, sgrubb, pmoore, eparis
In-Reply-To: <570EE4D4.4080903@hurleysoftware.com>
On 16/04/13, Peter Hurley wrote:
> Hi Richard,
Hi Peter,
> On 04/13/2016 04:25 PM, Richard Guy Briggs wrote:
> > The tty field was missing from AUDIT_LOGIN events.
> >
> > Refactor code to create a new function audit_get_tty(), using it to
> > replace the call in audit_log_task_info() and to add it to
> > audit_log_set_loginuid().
> >
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> > include/linux/audit.h | 18 ++++++++++++++++++
> > kernel/audit.c | 11 +----------
> > kernel/auditsc.c | 5 +++--
> > 3 files changed, 22 insertions(+), 12 deletions(-)
> >
> > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > index b40ed5d..20c6649 100644
> > --- a/include/linux/audit.h
> > +++ b/include/linux/audit.h
> > @@ -26,6 +26,7 @@
> > #include <linux/sched.h>
> > #include <linux/ptrace.h>
> > #include <uapi/linux/audit.h>
> > +#include <linux/tty.h>
> >
> > #define AUDIT_INO_UNSET ((unsigned long)-1)
> > #define AUDIT_DEV_UNSET ((dev_t)-1)
> > @@ -343,6 +344,19 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
> > return tsk->sessionid;
> > }
> >
> > +static inline char *audit_get_tty(struct task_struct *tsk)
> > +{
> > + char *tty;
> > +
> > + spin_lock_irq(&tsk->sighand->siglock);
> > + if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
> > + tty = tsk->signal->tty->name;
> > + else
> > + tty = "(none)";
> > + spin_unlock_irq(&tsk->sighand->siglock);
>
> This is unsafe because the tty could be immediately torn down after the
> siglock is dropped, and return a dangling ptr.
Understood. The other option is to copy the value out...
Thanks for the helpful review. Rev 2 coming...
> > + return tty;
> > +}
> > +
> > extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
> > extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
> > extern void __audit_bprm(struct linux_binprm *bprm);
> > @@ -500,6 +514,10 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
> > {
> > return -1;
> > }
> > +static inline char *audit_get_tty(struct task_struct *tsk)
> > +{
> > + return "(invalid)";
> > +}
> > static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
> > { }
> > static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid,
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 3a3e5de..fae11df 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -64,7 +64,6 @@
> > #include <linux/security.h>
> > #endif
> > #include <linux/freezer.h>
> > -#include <linux/tty.h>
> > #include <linux/pid_namespace.h>
> > #include <net/netns/generic.h>
> >
> > @@ -1873,7 +1872,6 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
> > {
> > const struct cred *cred;
> > char comm[sizeof(tsk->comm)];
> > - char *tty;
>
> struct tty_struct *tty;
>
> >
> > if (!ab)
> > return;
> > @@ -1881,13 +1879,6 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
> > /* tsk == current */
> > cred = current_cred();
> >
> > - spin_lock_irq(&tsk->sighand->siglock);
> > - if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
> > - tty = tsk->signal->tty->name;
> > - else
> > - tty = "(none)";
> > - spin_unlock_irq(&tsk->sighand->siglock);
>
> tty = get_current_tty();
>
> > -
> > audit_log_format(ab,
> > " ppid=%d pid=%d auid=%u uid=%u gid=%u"
> > " euid=%u suid=%u fsuid=%u"
> > @@ -1903,7 +1894,7 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
> > from_kgid(&init_user_ns, cred->egid),
> > from_kgid(&init_user_ns, cred->sgid),
> > from_kgid(&init_user_ns, cred->fsgid),
> > - tty, audit_get_sessionid(tsk));
> > + audit_get_tty(tsk), audit_get_sessionid(tsk));
>
> tty_name(tty), ....);
> ^^^^^^^^^^
> returns "NULL tty" if tty == NULL
>
> tty_kref_put(tty);
>
>
> >
> > audit_log_format(ab, " comm=");
> > audit_log_untrustedstring(ab, get_task_comm(comm, tsk));
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index 195ffae..a0467fb 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -1993,8 +1993,9 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
> > return;
> > audit_log_format(ab, "pid=%d uid=%u", task_pid_nr(current), uid);
> > audit_log_task_context(ab);
> > - audit_log_format(ab, " old-auid=%u auid=%u old-ses=%u ses=%u res=%d",
> > - oldloginuid, loginuid, oldsessionid, sessionid, !rc);
>
> tty = get_current_tty();
>
> > + audit_log_format(ab, " old-auid=%u auid=%u tty=%s old-ses=%u ses=%u res=%d",
> > + oldloginuid, loginuid, audit_get_tty(current),
>
> ......., tty_name(tty),
>
> > + oldsessionid, sessionid, !rc);
>
> tty_kref_put(tty);
>
> Regards,
> Peter Hurley
>
>
> > audit_log_end(ab);
> > }
> >
> >
>
- RGB
* Re: Beginner question
From: Bryan Harris @ 2016-04-18 16:52 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <97412449.buIX4bphSG@x2>
Hi Steve,
Thanks for your help. I will see about getting this into my RHEL6
system one way or another.
V/r,
Bryan
On Mon, Apr 18, 2016 at 12:31 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Thursday, April 14, 2016 08:27:04 AM Bryan Harris wrote:
>> Okay here goes. I must have a simple misunderstanding or I may be
>> doing something wrong.
>>
>> When I do the below three commands the auid shown back to me is not
>> the same from all the commands, but it's the same event. In the first
>> aureport I'm getting back an auid of zero for root. In the second
>> aureport I get back my teammate's auid. Also in the ausearch for the
>> specific event I get my teammate's auid. I would expect my teammate's
>> auid across all but that's not what I see.
>>
>> It seems the first aureport replaces the auid with uid.
>
> This is correct and it's a bug. This was fixed in the 2.4.1 release of the audit
> package.
>
> https://fedorahosted.org/audit/changeset/1047
>
> -Steve
>
>> Can anyone point me in the right direction to get my expected results
>> working? I'm happy to share audit.rules and/or PAM configuration,
>> although they appear to be the result of someone following the
>> standard security guidelines.
>>
>> The Red Hat support people have pointed me to "Chapter 7. System
>> Auditing" which I am happy to read. However, I already stumbled upon
>> "7.8. Creating Audit Reports" and I didn't see anything that helped me
>> out.
>>
>> Here are the commands.
>>
>> $ sudo aureport -l -ts 04/13/2016 17:02:06 -te 04/13/2016 17:02:06
>>
>> Login Report
>> ============================================
>> # date time auid host term exe success event
>> ============================================
>> 1. 04/13/2016 17:02:06 0 10.120.1.235 /dev/pts/2 /usr/sbin/sshd yes 1972315
>>
>> $ sudo aureport -l --summary -ts 04/13/2016 17:02:06 -te 04/13/2016 17:02:06
>>
>> Login Summary Report
>> ============================
>> total auid
>> ============================
>> 1 849603
>>
>> $ sudo ausearch --message USER_LOGIN -ts 04/13/2016 17:02:06 -te
>> 04/13/2016 17:02:06
>> ----
>> time->Wed Apr 13 17:02:06 2016
>> type=USER_LOGIN msg=audit(1460581326.375:1972315): user pid=29792
>> uid=0 auid=849603 ses=4572
>> subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=849603
>> exe="/usr/sbin/sshd" hostname=10.120.1.235 addr=10.120.1.235
>> terminal=/dev/pts/2 res=success'
>
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
* Re: Beginner question
From: Steve Grubb @ 2016-04-18 16:31 UTC (permalink / raw)
To: linux-audit
In-Reply-To: <CAJ00z7CtA_zAsnLE=o3oskPoQKBuaDmXjJcf6C-0QJGZpzShdg@mail.gmail.com>
On Thursday, April 14, 2016 08:27:04 AM Bryan Harris wrote:
> Okay here goes. I must have a simple misunderstanding or I may be
> doing something wrong.
>
> When I do the below three commands the auid shown back to me is not
> the same from all the commands, but it's the same event. In the first
> aureport I'm getting back an auid of zero for root. In the second
> aureport I get back my teammate's auid. Also in the ausearch for the
> specific event I get my teammate's auid. I would expect my teammate's
> auid across all but that's not what I see.
>
> It seems the first aureport replaces the auid with uid.
This is correct and it's a bug. This was fixed in the 2.4.1 release of the audit
package.
https://fedorahosted.org/audit/changeset/1047
-Steve
> Can anyone point me in the right direction to get my expected results
> working? I'm happy to share audit.rules and/or PAM configuration,
> although they appear to be the result of someone following the
> standard security guidelines.
>
> The Red Hat support people have pointed me to "Chapter 7. System
> Auditing" which I am happy to read. However, I already stumbled upon
> "7.8. Creating Audit Reports" and I didn't see anything that helped me
> out.
>
> Here are the commands.
>
> $ sudo aureport -l -ts 04/13/2016 17:02:06 -te 04/13/2016 17:02:06
>
> Login Report
> ============================================
> # date time auid host term exe success event
> ============================================
> 1. 04/13/2016 17:02:06 0 10.120.1.235 /dev/pts/2 /usr/sbin/sshd yes 1972315
>
> $ sudo aureport -l --summary -ts 04/13/2016 17:02:06 -te 04/13/2016 17:02:06
>
> Login Summary Report
> ============================
> total auid
> ============================
> 1 849603
>
> $ sudo ausearch --message USER_LOGIN -ts 04/13/2016 17:02:06 -te
> 04/13/2016 17:02:06
> ----
> time->Wed Apr 13 17:02:06 2016
> type=USER_LOGIN msg=audit(1460581326.375:1972315): user pid=29792
> uid=0 auid=849603 ses=4572
> subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=849603
> exe="/usr/sbin/sshd" hostname=10.120.1.235 addr=10.120.1.235
> terminal=/dev/pts/2 res=success'
* Re: PID's Mapping
From: Krithika Nadar @ 2016-04-18 5:36 UTC (permalink / raw)
To: Paul Moore, linux-audit
In-Reply-To: <CAHC9VhSAo6GoN57cwdHDG4xJprzmgoucACvxT51EB6vSQ=PDdw@mail.gmail.com>
Is there any way that can be suggested to map the PIDs of a namespace to the
global ones?
On Fri, Apr 15, 2016 at 4:12 AM, Paul Moore <paul@paul-moore.com> wrote:
> On Wed, Apr 13, 2016 at 1:43 AM, sowndarya kumar
> <sowndarya.nadar@gmail.com> wrote:
> > Hi
> >
> > Is there any way to map the PIDs seen in the namespace application with the
> > PIDs seen in global?
> > If it can be done, please provide the documentation or an idea on how it can
> > be done.
>
> In general the audit subsystem doesn't pay attention to namespaces,
> all PIDs reported to userspace are reported with respect to the init
> namespace.
>
> --
> paul moore
> www.paul-moore.com
>
* Re: PID's Mapping
From: Paul Moore @ 2016-04-14 22:42 UTC (permalink / raw)
To: sowndarya kumar; +Cc: linux-audit
In-Reply-To: <CAOuJ2B0QANTksL=p47VFBzuWpTcPjacUd01zAPfZECYyfPT+yw@mail.gmail.com>
On Wed, Apr 13, 2016 at 1:43 AM, sowndarya kumar
<sowndarya.nadar@gmail.com> wrote:
> Hi
>
> Is there any way to map the PIDs seen in the namespace application with the
> PIDs seen in global?
> If it can be done, please provide the documentation or an idea on how it can
> be done.
In general the audit subsystem doesn't pay attention to namespaces,
all PIDs reported to userspace are reported with respect to the init
namespace.
--
paul moore
www.paul-moore.com
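An added example, not from the thread or the audit package, showing one way to do the mapping Paul says audit itself does not do. Because audit records carry init-namespace PIDs, the translation has to come from /proc: the NSpid: line in /proc/<pid>/status (present since Linux 4.1, which this example assumes) lists a process's PID at every namespace level, outermost first, and /proc/<pid>/ns/pid identifies the namespace the process lives in. The status excerpts, PIDs and namespace inode numbers below are constructed; the function names are this example's own.

```python
"""Map namespace-local PIDs to the init-namespace PIDs that audit reports.

Added example, not from the thread or the audit package. Audit records carry
PIDs from the init PID namespace, so correlating pid= with a process number
seen inside a container needs the kernel's view of the nesting. The NSpid:
line in /proc/<pid>/status (Linux >= 4.1, assumed here) lists a process's PID
at every namespace level, outermost first, and /proc/<pid>/ns/pid names the
namespace the process lives in.
"""
import os
import re

NSPID_RE = re.compile(r"^NSpid:[ \t]*(.*)$", re.M)

# Constructed sample: (global_pid, pidns_inode, excerpt of /proc/<pid>/status).
# Two containers both have an inner pid 17, which is why the namespace inode
# is part of the lookup key.
SAMPLE_ENTRIES = [
    (4242, 4026532512, "Name:\tnginx\nPid:\t4242\nPPid:\t4200\nNSpid:\t4242\t17\n"),
    (4200, 4026531836, "Name:\tcontainerd-shim\nPid:\t4200\nPPid:\t1\nNSpid:\t4200\n"),
    (5100, 4026532700, "Name:\tnginx\nPid:\t5100\nPPid:\t5080\nNSpid:\t5100\t17\n"),
]


def parse_nspid(status_text):
    """Return the NSpid chain [global_pid, ..., pid_in_own_ns], or [] if the
    line is absent (kernels older than 4.1 do not emit it)."""
    m = NSPID_RE.search(status_text)
    return [int(x) for x in m.group(1).split()] if m else []


def build_pid_map(entries):
    """Return {(pidns_inode, pid_in_that_ns): global_pid}.

    Only the process's own namespace level is indexed: intermediate levels
    would need the inode of each ancestor namespace, which /proc does not
    expose per level. Depth 0 (the global pid) needs no mapping.
    """
    mapping = {}
    for global_pid, ns_inode, text in entries:
        chain = parse_nspid(text)
        if chain:
            mapping[(ns_inode, chain[-1])] = global_pid
    return mapping


def to_global_pid(mapping, pidns_inode, ns_pid):
    """Translate a namespace-local pid to the pid an audit record would show."""
    return mapping.get((pidns_inode, ns_pid))


def pidns_inode(ns_link):
    """Inode from a readlink() of /proc/<pid>/ns/pid, e.g. 'pid:[4026532512]'."""
    return int(ns_link[ns_link.index("[") + 1:ns_link.index("]")])


def scan_proc(proc="/proc"):
    """Yield (global_pid, pidns_inode, status_text) for every live process.

    Must run in the init PID namespace; reading other users' ns/pid links
    needs root or CAP_SYS_PTRACE. Processes that exit mid-scan are skipped.
    """
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            link = os.readlink(os.path.join(proc, name, "ns", "pid"))
            with open(os.path.join(proc, name, "status")) as fh:
                text = fh.read()
        except OSError:
            continue
        yield int(name), pidns_inode(link), text


if __name__ == "__main__":
    live = build_pid_map(scan_proc())
    nested = {k: v for k, v in live.items() if k[1] != v}
    print("%d processes, %d in nested pid namespaces" % (len(live), len(nested)))
```

To resolve a pid reported by a container tool, read the namespace inode from any process known to be in that container (`readlink /proc/<global pid>/ns/pid`) and look up `(inode, container_pid)`; the result is the `pid=` value the audit record will carry.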
* Python auparse bindings memory leak
From: Santosh Ananthakrishnan @ 2016-04-14 21:37 UTC (permalink / raw)
To: linux-audit
Hi list
The get_timestamp function in the auparse extension module seems to have an
extra Py_INCREF. There's already a #FIXME at the line:
https://fedorahosted.org/audit/browser/tags/audit-2.5.1/bindings/python/auparse_python.c#L1090
.
Has this been investigated before? Rebuilding the package with that
increment removed resolved our memory usage issues, so I'm hoping this
doesn't silently break something.
-Santosh
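An added example, not part of the thread or the auparse bindings, of how to confirm from Python that a C-extension function leaks a reference. Objects a function returns should die as soon as the caller drops them, so hold only a weak reference to each result and count survivors. `leaky_stub` and `clean_stub` are constructed stand-ins for `get_timestamp()`, with the stray reference simulated by a hidden list; the weakref check needs a return type that supports weak references, and the tracemalloc fallback covers types that do not.

```python
"""Check from Python whether an extension function leaks a reference.

Added example, not from the thread or the auparse bindings. An extra
Py_INCREF in C leaves every returned object with one stray reference, so
it is never freed. The C refcount is invisible from Python, but the symptom
is not: returned objects should die as soon as the caller drops them.
`leaky_stub` and `clean_stub` are constructed stand-ins for get_timestamp();
the leak is simulated by parking each result in a hidden list.
"""
import gc
import tracemalloc
import weakref


class Timestamp:
    """Stand-in for the object auparse's get_timestamp() returns."""

    def __init__(self, sec, milli, serial):
        self.sec, self.milli, self.serial = sec, milli, serial


_stray_refs = []  # plays the role of the reference the extra Py_INCREF never drops


def leaky_stub(i):
    """Returns a fresh Timestamp but keeps a reference to it (the bug)."""
    ts = Timestamp(1460581326 + i, 375, 1972315 + i)
    _stray_refs.append(ts)
    return ts


def clean_stub(i):
    """Returns a fresh Timestamp and nothing else holds it (the fix)."""
    return Timestamp(1460581326 + i, 375, 1972315 + i)


def surviving_objects(fn, n=1000):
    """Call fn(i) n times, keep only weak references, report how many survive.

    A correct function gives 0: each result is freed the moment the strong
    reference returned by fn() goes away. A leaked Py_INCREF gives n.
    Requires the returned type to support weak references.
    """
    gc.collect()
    refs = [weakref.ref(fn(i)) for i in range(n)]
    gc.collect()
    return sum(1 for r in refs if r() is not None)


def traced_heap_growth(fn, n=500):
    """Bytes of traced heap still allocated after n calls and a full GC.

    Fallback for types without weakref support. Noisier than the weakref
    check, so compare a suspect against a known-good function rather than
    against zero.
    """
    tracemalloc.start()
    gc.collect()
    before = tracemalloc.get_traced_memory()[0]
    for i in range(n):
        fn(i)  # result dropped immediately
    gc.collect()
    after = tracemalloc.get_traced_memory()[0]
    tracemalloc.stop()
    return after - before


if __name__ == "__main__":
    print("survivors leaky/clean:",
          surviving_objects(leaky_stub), surviving_objects(clean_stub))
    print("heap growth leaky/clean:",
          traced_heap_growth(leaky_stub), traced_heap_growth(clean_stub))
```

Against the real binding you would pass a closure that calls `get_timestamp()` on a parser positioned on a record; a rebuilt module without the extra increment should bring the survivor count to zero.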
* Beginner question
From: Bryan Harris @ 2016-04-14 12:27 UTC (permalink / raw)
To: linux-audit
Hello all,
I joined the mailing list but have not received the confirmation email
yet. Please include me in the reply if you don't mind.
Okay here goes. I must have a simple misunderstanding or I may be
doing something wrong.
When I do the below three commands the auid shown back to me is not
the same from all the commands, but it's the same event. In the first
aureport I'm getting back an auid of zero for root. In the second
aureport I get back my teammate's auid. Also in the ausearch for the
specific event I get my teammate's auid. I would expect my teammate's
auid across all but that's not what I see.
It seems the first aureport replaces the auid with uid.
Can anyone point me in the right direction to get my expected results
working? I'm happy to share audit.rules and/or PAM configuration,
although they appear to be the result of someone following the
standard security guidelines.
The Red Hat support people have pointed me to "Chapter 7. System
Auditing" which I am happy to read. However, I already stumbled upon
"7.8. Creating Audit Reports" and I didn't see anything that helped me
out.
Here are the commands.
$ sudo aureport -l -ts 04/13/2016 17:02:06 -te 04/13/2016 17:02:06
Login Report
============================================
# date time auid host term exe success event
============================================
1. 04/13/2016 17:02:06 0 10.120.1.235 /dev/pts/2 /usr/sbin/sshd yes 1972315
$ sudo aureport -l --summary -ts 04/13/2016 17:02:06 -te 04/13/2016 17:02:06
Login Summary Report
============================
total auid
============================
1 849603
$ sudo ausearch --message USER_LOGIN -ts 04/13/2016 17:02:06 -te
04/13/2016 17:02:06
----
time->Wed Apr 13 17:02:06 2016
type=USER_LOGIN msg=audit(1460581326.375:1972315): user pid=29792
uid=0 auid=849603 ses=4572
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=849603
exe="/usr/sbin/sshd" hostname=10.120.1.235 addr=10.120.1.235
terminal=/dev/pts/2 res=success'
V/r,
Bryan
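As an added example (not part of the thread or the audit package) of what the login report has to do to get this right: the snippet below parses raw USER_LOGIN records in the ausearch format quoted above into fields, builds a report keyed on auid, and lets you reproduce the pre-2.4.1 behaviour by keying on uid instead. The first sample record is the one from the post; the second is constructed to show a failed login with an unset auid. Times are rendered in UTC, whereas aureport prints local time, which is why the post shows 17:02:06 for the same record. Function names and the sample records are this example's own.

```python
"""Login report from raw audit USER_LOGIN records, attributed by auid.

Added example, not code from the linux-audit thread or the audit package.
Parses raw records in the ausearch format quoted above and shows why a
report that reads uid= instead of auid= attributes an sshd login to root.
"""
import re
from collections import Counter
from datetime import datetime, timezone

UNSET_ID = 4294967295  # (unsigned)-1: auid/ses were never set for this task

# Constructed sample records. The first mirrors the record from the post;
# the second is invented to show a failed login with an unset auid.
SAMPLE_RECORDS = [
    "type=USER_LOGIN msg=audit(1460581326.375:1972315): user pid=29792 "
    "uid=0 auid=849603 ses=4572 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 "
    "msg='op=login id=849603 exe=\"/usr/sbin/sshd\" hostname=10.120.1.235 "
    "addr=10.120.1.235 terminal=/dev/pts/2 res=success'",
    "type=USER_LOGIN msg=audit(1460581400.101:1972400): user pid=29900 "
    "uid=0 auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 "
    "msg='op=login acct=\"bob\" exe=\"/usr/sbin/sshd\" hostname=? "
    "addr=192.0.2.7 terminal=ssh res=failed'",
]

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r"""(\w[\w-]*)=("[^"]*"|'[^']*'|\S+)""")


def parse_record(line):
    """Split one raw audit record into a dict of string fields.

    The nested msg='...' payload is parsed as well. Keys present in both
    the outer record and the payload keep the outer value: the outer
    uid=/auid= are attached by the kernel, the payload is what sshd wrote.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, secs, millis, serial, body = m.groups()
    fields = {
        "type": rtype,
        "serial": int(serial),
        "time": datetime.fromtimestamp(int(secs) + int(millis) / 1000.0,
                                       tz=timezone.utc),
    }
    for key, val in FIELD_RE.findall(body):
        if key == "msg" and val.startswith("'"):
            for ikey, ival in FIELD_RE.findall(val[1:-1]):
                fields.setdefault(ikey, ival.strip('"'))
        else:
            fields.setdefault(key, val.strip('"'))
    return fields


def login_report(records, key="auid"):
    """Rows like `aureport -l`: who logged in, from where, on what terminal.

    `key` selects the identity column. The correct choice is "auid"; passing
    "uid" reproduces the pre-2.4.1 aureport behaviour, where every sshd
    login shows up as 0 because sshd itself runs as root.
    """
    rows = []
    for rec in records:
        if rec["type"] != "USER_LOGIN":
            continue
        rows.append({
            "time": rec["time"].strftime("%m/%d/%Y %H:%M:%S"),
            "auid": int(rec[key]),
            "host": rec.get("hostname", "?"),
            "term": rec.get("terminal", "?"),
            "exe": rec.get("exe", "?"),
            "success": rec.get("res") == "success",
            "event": rec["serial"],
        })
    return rows


def login_summary(records):
    """Successful logins per auid, like `aureport -l --summary`."""
    return Counter(r["auid"] for r in login_report(records) if r["success"])


def auid_uid_mismatches(records):
    """Serials of USER_LOGIN records whose uid differs from auid.

    For sshd this is the normal case (uid=0 is the daemon, auid is the
    person), which is exactly why a report keyed on uid is wrong.
    """
    return [rec["serial"] for rec in records
            if rec["type"] == "USER_LOGIN" and rec["uid"] != rec["auid"]]


if __name__ == "__main__":
    recs = [parse_record(line) for line in SAMPLE_RECORDS]
    for row in login_report(recs):
        print(row)
    print(dict(login_summary(recs)))
```

Feed it `ausearch --raw --message USER_LOGIN` output one line per record; if `login_report(recs)` and `login_report(recs, key="uid")` disagree for a record, that record is one where the old aureport would have mislabelled the login.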
* Re: [PATCH] audit: add tty field to LOGIN event
From: Peter Hurley @ 2016-04-14 0:31 UTC (permalink / raw)
To: Richard Guy Briggs, linux-audit, linux-kernel; +Cc: sgrubb, pmoore, eparis
In-Reply-To: <4587fd4a69c5d41f9596c0644ce22dc38db47d04.1460589810.git.rgb@redhat.com>
Hi Richard,
On 04/13/2016 04:25 PM, Richard Guy Briggs wrote:
> The tty field was missing from AUDIT_LOGIN events.
>
> Refactor code to create a new function audit_get_tty(), using it to
> replace the call in audit_log_task_info() and to add it to
> audit_log_set_loginuid().
>
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> include/linux/audit.h | 18 ++++++++++++++++++
> kernel/audit.c | 11 +----------
> kernel/auditsc.c | 5 +++--
> 3 files changed, 22 insertions(+), 12 deletions(-)
>
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index b40ed5d..20c6649 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -26,6 +26,7 @@
> #include <linux/sched.h>
> #include <linux/ptrace.h>
> #include <uapi/linux/audit.h>
> +#include <linux/tty.h>
>
> #define AUDIT_INO_UNSET ((unsigned long)-1)
> #define AUDIT_DEV_UNSET ((dev_t)-1)
> @@ -343,6 +344,19 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
> return tsk->sessionid;
> }
>
> +static inline char *audit_get_tty(struct task_struct *tsk)
> +{
> + char *tty;
> +
> + spin_lock_irq(&tsk->sighand->siglock);
> + if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
> + tty = tsk->signal->tty->name;
> + else
> + tty = "(none)";
> + spin_unlock_irq(&tsk->sighand->siglock);
This is unsafe because the tty could be immediately torn down after the
siglock is dropped, and return a dangling ptr.
> + return tty;
> +}
> +
> extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
> extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
> extern void __audit_bprm(struct linux_binprm *bprm);
> @@ -500,6 +514,10 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
> {
> return -1;
> }
> +static inline char *audit_get_tty(struct task_struct *tsk)
> +{
> + return "(invalid)";
> +}
> static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
> { }
> static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid,
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 3a3e5de..fae11df 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -64,7 +64,6 @@
> #include <linux/security.h>
> #endif
> #include <linux/freezer.h>
> -#include <linux/tty.h>
> #include <linux/pid_namespace.h>
> #include <net/netns/generic.h>
>
> @@ -1873,7 +1872,6 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
> {
> const struct cred *cred;
> char comm[sizeof(tsk->comm)];
> - char *tty;
struct tty_struct *tty;
>
> if (!ab)
> return;
> @@ -1881,13 +1879,6 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
> /* tsk == current */
> cred = current_cred();
>
> - spin_lock_irq(&tsk->sighand->siglock);
> - if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
> - tty = tsk->signal->tty->name;
> - else
> - tty = "(none)";
> - spin_unlock_irq(&tsk->sighand->siglock);
tty = get_current_tty();
> -
> audit_log_format(ab,
> " ppid=%d pid=%d auid=%u uid=%u gid=%u"
> " euid=%u suid=%u fsuid=%u"
> @@ -1903,7 +1894,7 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
> from_kgid(&init_user_ns, cred->egid),
> from_kgid(&init_user_ns, cred->sgid),
> from_kgid(&init_user_ns, cred->fsgid),
> - tty, audit_get_sessionid(tsk));
> + audit_get_tty(tsk), audit_get_sessionid(tsk));
tty_name(tty), ....);
^^^^^^^^^^
returns "NULL tty" if tty == NULL
tty_kref_put(tty);
>
> audit_log_format(ab, " comm=");
> audit_log_untrustedstring(ab, get_task_comm(comm, tsk));
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 195ffae..a0467fb 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -1993,8 +1993,9 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
> return;
> audit_log_format(ab, "pid=%d uid=%u", task_pid_nr(current), uid);
> audit_log_task_context(ab);
> - audit_log_format(ab, " old-auid=%u auid=%u old-ses=%u ses=%u res=%d",
> - oldloginuid, loginuid, oldsessionid, sessionid, !rc);
tty = get_current_tty();
> + audit_log_format(ab, " old-auid=%u auid=%u tty=%s old-ses=%u ses=%u res=%d",
> + oldloginuid, loginuid, audit_get_tty(current),
......., tty_name(tty),
> + oldsessionid, sessionid, !rc);
tty_kref_put(tty);
Regards,
Peter Hurley
> audit_log_end(ab);
> }
>
>
* [PATCH] audit: add tty field to LOGIN event
From: Richard Guy Briggs @ 2016-04-13 23:25 UTC (permalink / raw)
To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs
The tty field was missing from AUDIT_LOGIN events.
Refactor code to create a new function audit_get_tty(), using it to
replace the call in audit_log_task_info() and to add it to
audit_log_set_loginuid().
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
include/linux/audit.h | 18 ++++++++++++++++++
kernel/audit.c | 11 +----------
kernel/auditsc.c | 5 +++--
3 files changed, 22 insertions(+), 12 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index b40ed5d..20c6649 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -26,6 +26,7 @@
#include <linux/sched.h>
#include <linux/ptrace.h>
#include <uapi/linux/audit.h>
+#include <linux/tty.h>
#define AUDIT_INO_UNSET ((unsigned long)-1)
#define AUDIT_DEV_UNSET ((dev_t)-1)
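Review bot: adding `#include <linux/tty.h>` to include/linux/audit.h makes every consumer of audit.h pull in the tty headers just so an inline helper can dereference `tsk->signal->tty`; since the only existing user is kernel/audit.c (whose own tty.h include this patch removes below), an out-of-line helper there keeps the widely included header free of that dependency and avoids include-order surprises.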
@@ -343,6 +344,19 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
return tsk->sessionid;
}
+static inline char *audit_get_tty(struct task_struct *tsk)
+{
+ char *tty;
+
+ spin_lock_irq(&tsk->sighand->siglock);
+ if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
+ tty = tsk->signal->tty->name;
+ else
+ tty = "(none)";
+ spin_unlock_irq(&tsk->sighand->siglock);
+ return tty;
+}
+
extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
extern void __audit_bprm(struct linux_binprm *bprm);
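Review bot: `audit_get_tty()` returns `tsk->signal->tty->name` after `spin_unlock_irq()` has run, so the caller formats bytes out of a `tty_struct` that can be torn down between the unlock and the `%s` expansion; take a reference while the lock is held (`tty = tty_kref_get(tsk->signal->tty);`) and have the caller pass it to `tty_name()` and then `tty_kref_put()`, or copy the name into a caller-provided buffer under the lock. Two smaller points in the same lines: the `tsk->signal->tty->name` test is always true, because `name` is an embedded array in `struct tty_struct`, not a pointer; and the function hands back a `char *` to the string literal `"(none)"`, so the return type should be `const char *`. The helper also dereferences `tsk->sighand` unconditionally for an arbitrary `tsk`, while both callers below only ever pass `current`; that restriction belongs in a comment or in the function's name.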
@@ -500,6 +514,10 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
{
return -1;
}
+static inline char *audit_get_tty(struct task_struct *tsk)
+{
+ return "(invalid)";
+}
static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
{ }
static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid,
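Review bot: this fallback returns `"(invalid)"` while the real helper returns `"(none)"`, so userspace has to recognise a third tty string; and if, as the neighbouring `audit_get_sessionid()` stub returning -1 suggests, this block is compiled whenever the syscall-auditing option is off, then `audit_log_task_info()` in kernel/audit.c, which until now read the real tty under siglock in every configuration, will log `tty=(invalid)` for every task record on such kernels, a visible regression. Keep a real implementation available to kernel/audit.c in every configuration, or at least return `"(none)"` here with a comment saying why.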
diff --git a/kernel/audit.c b/kernel/audit.c
index 3a3e5de..fae11df 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -64,7 +64,6 @@
#include <linux/security.h>
#endif
#include <linux/freezer.h>
-#include <linux/tty.h>
#include <linux/pid_namespace.h>
#include <net/netns/generic.h>
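Review bot: kernel/audit.c still uses tty functionality after this hunk (through the new helper), so it should keep the explicit `#include <linux/tty.h>` rather than rely on audit.h to supply it transitively; this matters more once the helper is reworked around `get_current_tty()`/`tty_name()`/`tty_kref_put()` in this file, as the lifetime problem in the header hunk requires.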
@@ -1873,7 +1872,6 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
{
const struct cred *cred;
char comm[sizeof(tsk->comm)];
- char *tty;
if (!ab)
return;
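Review bot: removing `char *tty;` only works because the helper returns a raw pointer; the reference-safe version of this function needs a `struct tty_struct *tty;` local so the reference taken before `audit_log_format()` can be released with `tty_kref_put(tty)` after it, so this declaration should come back in that form rather than disappear.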
@@ -1881,13 +1879,6 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
/* tsk == current */
cred = current_cred();
- spin_lock_irq(&tsk->sighand->siglock);
- if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
- tty = tsk->signal->tty->name;
- else
- tty = "(none)";
- spin_unlock_irq(&tsk->sighand->siglock);
-
audit_log_format(ab,
" ppid=%d pid=%d auid=%u uid=%u gid=%u"
" euid=%u suid=%u fsuid=%u"
@@ -1903,7 +1894,7 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
from_kgid(&init_user_ns, cred->egid),
from_kgid(&init_user_ns, cred->sgid),
from_kgid(&init_user_ns, cred->fsgid),
- tty, audit_get_sessionid(tsk));
+ audit_get_tty(tsk), audit_get_sessionid(tsk));
audit_log_format(ab, " comm=");
audit_log_untrustedstring(ab, get_task_comm(comm, tsk));
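Review bot: the new `%s` argument `audit_get_tty(tsk)` reads `tty->name` with no reference held, the same use-after-unlock the block removed in the previous hunk had, so the change relocates the bug rather than fixing it; the `/* tsk == current */` comment in that hunk shows this function only runs on the current task, which is exactly what `get_current_tty()` covers with a held reference. When that switch is made, note that `tty_name()` returns `"NULL tty"` for a NULL tty, so keep the existing output with `tty ? tty_name(tty) : "(none)"` and call `tty_kref_put(tty)` after the format, instead of changing a string userspace already matches on.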
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 195ffae..a0467fb 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1993,8 +1993,9 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
return;
audit_log_format(ab, "pid=%d uid=%u", task_pid_nr(current), uid);
audit_log_task_context(ab);
- audit_log_format(ab, " old-auid=%u auid=%u old-ses=%u ses=%u res=%d",
- oldloginuid, loginuid, oldsessionid, sessionid, !rc);
+ audit_log_format(ab, " old-auid=%u auid=%u tty=%s old-ses=%u ses=%u res=%d",
+ oldloginuid, loginuid, audit_get_tty(current),
+ oldsessionid, sessionid, !rc);
audit_log_end(ab);
}
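Review bot: `audit_get_tty(current)` here has the same lifetime problem as in kernel/audit.c: the pointer is consumed by `audit_log_format()` after the helper dropped siglock, so `struct tty_struct *tty = get_current_tty();` before the call and `tty_kref_put(tty);` after it, with `tty ? tty_name(tty) : "(none)"` as the argument to keep the `(none)` value, is the shape this needs. Also, the new `tty=` field is spliced between `auid=` and `old-ses=`, which shifts the position of the three fields after it in the LOGIN record; libaudit parsers key on field names, but please confirm with the userspace maintainers that nothing downstream depends on field order, since appending the field would avoid the question.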
--
1.7.1
* RE: audit 2.5.1 released
From: Warron S French @ 2016-04-13 21:05 UTC (permalink / raw)
To: Steve Grubb, linux-audit@redhat.com
In-Reply-To: <7902180.HVh8nUMe7u@x2>
Ah, thank you for the clarification.
Warron French, MBA, SCSA
The Aerospace Corporation
CCS> TCI> System Administrator Specialist III
A101/Rm N3417
Mailstop:CH1-210
UNCLASS: 571.304.7534
CLASS: 894-7534
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Wednesday, April 13, 2016 4:18 PM
To: linux-audit@redhat.com
Cc: Warron S French <warron.s.french@aero.org>
Subject: Re: audit 2.5.1 released
On Wednesday, April 13, 2016 08:07:41 PM Warron S French wrote:
> Can you please explain the versioning you use when you make these
> announcements?
>
> I am running CentOS-6.6 and that auditd release I have is at a much
> lower revision; auditd-2.3.7-5.el6.x86_64 for the package.
>
> Is that JUST BECAUSE I am on CentOS, and they are that far behind or
> is it because they handle RPM versioning separately from RedHat?
The version in CentOS is the same base source code version that is on RHEL. I don't know if CentOS adds any additional patches or not. The enterprise operating systems get updated slowly in order to provide stability. RHEL 6.8 is being updated to 2.4.5 which I believe CentOS will pick up, too.
The 2.5 branch is unsuitable for an old OS like RHEL6. It supports features that are in newer kernels.
-Steve
> -----Original Message-----
> From: linux-audit-bounces@redhat.com
> [mailto:linux-audit-bounces@redhat.com]
> On Behalf Of Steve Grubb Sent: Wednesday, April 13, 2016 4:02 PM
> To: linux-audit@redhat.com
> Subject: audit 2.5.1 released
>
> Hello,
>
> I've just released a new version of the audit daemon. It can be
> downloaded from http://people.redhat.com/sgrubb/audit. It will also be
> in rawhide soon. The ChangeLog is:
>
> - Updated and added audit rules
> - Updated errno table for 4.4 kernel
> - Change interpretation of exit to use errno define rather than a number
> - Add distribute_network configuration option to auditd
> - New aggregate only mode for auditd
> - Cleanup tmp file left by augenrules --check
> - Fix initial build from svn without golang support installed
> - Update auparse interpretations for hook, action, macproto, chardev, and net
> - Update interpretations for the 4.5 kernel
> - Fix DST bug in ausearch/report time handling
> - Add optional ExecStopPost to auditd.service to clear rules on service exit
> - Update ausearch/report buffer size for locales with large time formats
> - Add auparse_feed_age_events function to auparse library
> - Use auparse_feed_age_events in zos & prelude plugins
>
> This update includes more rules to compose into a policy. There is a new
> pci-dss set of rules, for example.
>
> Interpretations have been updated and improved.
>
> Auditd gained a new configuration option, distribute_network, which
> determines if events read from the network should be distributed to
> audispd for plugin analysis. This would allow for whole datacenter
> realtime analysis. The other configuration option, There is also a new
> option in the auditd.service file, ExecStopPost, which clears audit rules on shutdown.
> This makes shutdown more quiet, like the sysVinit systems.
>
> There is a new function in auparse library to age pending events. This
> is necessary when an event has accumulated but no new events are
> arriving which would cause aging and processing of events that time
> out. The example plugin code has been updated to show its proper use.
>
> Please let me know if you run across any problems with this release.
>
> -Steve
>
* Re: audit 2.5.1 released
From: Steve Grubb @ 2016-04-13 20:17 UTC (permalink / raw)
To: linux-audit
In-Reply-To: <BY1PR09MB0887703C4DEA838ABD9CAC47C7960@BY1PR09MB0887.namprd09.prod.outlook.com>
On Wednesday, April 13, 2016 08:07:41 PM Warron S French wrote:
> Can you please explain the versioning you use when you make these
> announcements?
>
> I am running CentOS-6.6 and that auditd release I have is at a much lower
> revision; auditd-2.3.7-5.el6.x86_64 for the package.
>
> Is that JUST BECAUSE I am on CentOS, and they are that far behind or is it
> because they handle RPM versioning separately from RedHat?
The version in CentOS is the same base source code version that is on RHEL. I
don't know if CentOS adds any additional patches or not. The enterprise
operating systems get updated slowly in order to provide stability. RHEL 6.8
is being updated to 2.4.5 which I believe CentOS will pick up, too.
The 2.5 branch is unsuitable for an old OS like RHEL6. It supports features
that are in newer kernels.
-Steve
> -----Original Message-----
> From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com]
> On Behalf Of Steve Grubb Sent: Wednesday, April 13, 2016 4:02 PM
> To: linux-audit@redhat.com
> Subject: audit 2.5.1 released
>
> Hello,
>
> I've just released a new version of the audit daemon. It can be downloaded
> from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
> soon. The ChangeLog is:
>
> - Updated and added audit rules
> - Updated errno table for 4.4 kernel
> - Change interpretation of exit to use errno define rather than a number
> - Add distribute_network configuration option to auditd
> - New aggregate only mode for auditd
> - Cleanup tmp file left by augenrules --check
> - Fix initial build from svn without golang support installed
> - Update auparse interpretations for hook, action, macproto, chardev, and net
> - Update interpretations for the 4.5 kernel
> - Fix DST bug in ausearch/report time handling
> - Add optional ExecStopPost to auditd.service to clear rules on service exit
> - Update ausearch/report buffer size for locales with large time formats
> - Add auparse_feed_age_events function to auparse library
> - Use auparse_feed_age_events in zos & prelude plugins
>
> This update includes more rules to compose into a policy. There is a new
> pci-dss set of rules, for example.
>
> Interpretations have been updated and improved.
>
> Auditd gained a new configuration option, distribute_network, which
> determines if events read from the network should be distributed to audispd
> for plugin analysis. This would allow for whole datacenter realtime
> analysis. The other configuration option, There is also a new option in the
> auditd.service file, ExecStopPost, which clears audit rules on shutdown.
> This makes shutdown more quiet, like the sysVinit systems.
>
> There is a new function in auparse library to age pending events. This is
> necessary when an event has accumulated but no new events are arriving
> which would cause aging and processing of events that time out. The example
> plugin code has been updated to show its proper use.
>
> Please let me know if you run across any problems with this release.
>
> -Steve
>
* RE: audit 2.5.1 released
From: Warron S French @ 2016-04-13 20:07 UTC (permalink / raw)
To: linux-audit@redhat.com
In-Reply-To: <7421261.mz4oQuZqgc@x2>
Hello Steve,
Can you please explain the versioning you use when you make these announcements?
I am running CentOS-6.6 and that auditd release I have is at a much lower revision; auditd-2.3.7-5.el6.x86_64 for the package.
Is that JUST BECAUSE I am on CentOS, and they are that far behind or is it because they handle RPM versioning separately from RedHat?
Thank you sir,
Warron French, MBA, SCSA
-----Original Message-----
From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Steve Grubb
Sent: Wednesday, April 13, 2016 4:02 PM
To: linux-audit@redhat.com
Subject: audit 2.5.1 released
Hello,
I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is:
- Updated and added audit rules
- Updated errno table for 4.4 kernel
- Change interpretation of exit to use errno define rather than a number
- Add distribute_network configuration option to auditd
- New aggregate only mode for auditd
- Cleanup tmp file left by augenrules --check
- Fix initial build from svn without golang support installed
- Update auparse interpretations for hook, action, macproto, chardev, and net
- Update interpretations for the 4.5 kernel
- Fix DST bug in ausearch/report time handling
- Add optional ExecStopPost to auditd.service to clear rules on service exit
- Update ausearch/report buffer size for locales with large time formats
- Add auparse_feed_age_events function to auparse library
- Use auparse_feed_age_events in zos & prelude plugins
This update includes more rules to compose into a policy. There is a new pci-dss set of rules, for example.
Interpretations have been updated and improved.
Auditd gained a new configuration option, distribute_network, which determines if events read from the network should be distributed to audispd for plugin analysis. This would allow for whole datacenter realtime analysis. There is also a new option in the auditd.service file, ExecStopPost, which clears audit rules on shutdown. This makes shutdown more quiet, like the sysVinit systems.
There is a new function in the auparse library to age pending events. This is necessary when an event has accumulated but no new events are arriving which would cause aging and processing of events that time out. The example plugin code has been updated to show its proper use.
Please let me know if you run across any problems with this release.
-Steve
* audit 2.5.1 released
From: Steve Grubb @ 2016-04-13 20:01 UTC (permalink / raw)
To: linux-audit
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Updated and added audit rules
- Updated errno table for 4.4 kernel
- Change interpretation of exit to use errno define rather than a number
- Add distribute_network configuration option to auditd
- New aggregate only mode for auditd
- Cleanup tmp file left by augenrules --check
- Fix initial build from svn without golang support installed
- Update auparse interpretations for hook, action, macproto, chardev, and net
- Update interpretations for the 4.5 kernel
- Fix DST bug in ausearch/report time handling
- Add optional ExecStopPost to auditd.service to clear rules on service exit
- Update ausearch/report buffer size for locales with large time formats
- Add auparse_feed_age_events function to auparse library
- Use auparse_feed_age_events in zos & prelude plugins
This update includes more rules to compose into a policy. There is a new
pci-dss set of rules, for example.
Interpretations have been updated and improved.
Auditd gained a new configuration option, distribute_network, which determines
if events read from the network should be distributed to audispd for plugin
analysis. This would allow for whole datacenter realtime analysis. There is
also a new option in the auditd.service file, ExecStopPost, which clears audit
rules on shutdown. This makes shutdown more quiet, like the sysVinit systems.
There is a new function in the auparse library to age pending events. This is
necessary when an event has accumulated but no new events are arriving which
would cause aging and processing of events that time out. The example plugin
code has been updated to show its proper use.
Please let me know if you run across any problems with this release.
-Steve
* Re: New field to auditd.conf file
From: Steve Grubb @ 2016-04-13 12:31 UTC (permalink / raw)
To: Deepika Sundar; +Cc: linux-audit
In-Reply-To: <CAHj_pNdfg=Sz7yvqem=d_0gSbBpg6ZAxMauCUzNS_EHUfe0K3g@mail.gmail.com>
On Wednesday, April 13, 2016 11:03:43 AM Deepika Sundar wrote:
> As per my understanding the audit log structure can be extended based on
> requirements, and in my project I need to add an identifier field for the
> application. As of now I am not able to reveal what application I am
> trying to develop or update. So, is there any possibility that I can do it
> without breaking compatibility?
I have no idea what you are doing so there is no guarantee that it won't break
something. If your project is going to be released as open source it's
generally best to collaborate with people so that problems can be pointed out.
Otherwise you risk spending a lot of time on something only to have it
rejected.
-Steve
> OR, if there are any compatibility issues, please specify.
>
> On Fri, Apr 8, 2016 at 12:12 AM, Paul Moore <paul@paul-moore.com> wrote:
> > On Thu, Apr 7, 2016 at 12:47 AM, Deepika Sundar
> > <sundar.deepika18@gmail.com> wrote:
> > > In the same way, on the kernel side,
> > > can I add one new field to the audit log structure without
> > > breaking compatibility? If so,
> > >
> > > 1. How can I add a new field without breaking compatibility?
> > >
> > > or
> > >
> > > 2. Is there any reserved field in the audit log structure so that I can
> > > make use of it?
> >
> >
> > You need to be more specific about what you are trying to do.
> > Speaking generally, unless you work to get your changes merged into
> > the upstream kernel and userspace tools we cannot guarantee present or
> > future compatibility.
> >
> > --
> > paul moore
> > www.paul-moore.com
* PID's Mapping
From: sowndarya kumar @ 2016-04-13 5:43 UTC (permalink / raw)
To: linux-audit
Hi
Is there any way to map the PIDs seen in the namespace application with
the PIDs seen globally?
If it can be done please provide the documentation or idea on how it can be
done.
-Krithika
* Re: New field to auditd.conf file
From: Deepika Sundar @ 2016-04-13 5:33 UTC (permalink / raw)
To: Paul Moore, Steve Grubb, linux-audit
In-Reply-To: <CAHC9VhQEvTRrUgnBOd0B9LzAesDoqSnndfgpaXDXYO-jFME0xw@mail.gmail.com>
As per my understanding the audit log structure can be extended based on
requirements, and in my project I need to add an identifier field for the
application. As of now I am not able to reveal what application I am
trying to develop or update. So, is there any possibility that I can do it
without breaking compatibility? OR,
if there are any compatibility issues, please specify.
On Fri, Apr 8, 2016 at 12:12 AM, Paul Moore <paul@paul-moore.com> wrote:
> On Thu, Apr 7, 2016 at 12:47 AM, Deepika Sundar
> <sundar.deepika18@gmail.com> wrote:
> > In the same way, on the kernel side,
> > can I add one new field to the audit log structure without
> > breaking compatibility? If so,
> > 1. How can I add a new field without breaking compatibility?
> > or
> > 2. Is there any reserved field in the audit log structure so that I can
> > make use of it?
>
> You need to be more specific about what you are trying to do.
> Speaking generally, unless you work to get your changes merged into
> the upstream kernel and userspace tools we cannot guarantee present or
> future compatibility.
>
> --
> paul moore
> www.paul-moore.com
>
* Re: [PATCH] Don't audit SECCOMP_KILL/RET_ERRNO when syscall auditing is disabled
From: Richard Guy Briggs @ 2016-04-12 20:34 UTC (permalink / raw)
To: Andi Kleen; +Cc: Paul Moore, Andi Kleen, linux-kernel, linux-audit
In-Reply-To: <20160410223155.GD2336@tassilo.jf.intel.com>
On 16/04/10, Andi Kleen wrote:
> On Sun, Apr 10, 2016 at 06:17:53PM -0400, Paul Moore wrote:
> > On Sat, Apr 9, 2016 at 10:41 PM, Andi Kleen <andi@firstfloor.org> wrote:
> > >> What kernel version are you using? I believe we fixed that in Linux
> > >> 4.5 with the following:
> > >
> > > This is 4.6-rc2.
> > >>
> > >> commit 96368701e1c89057bbf39222e965161c68a85b4b
> > >> From: Paul Moore <pmoore@redhat.com>
> > >> Date: Wed, 13 Jan 2016 10:18:55 -0400 (09:18 -0500)
> > >>
> > >> audit: force seccomp event logging to honor the audit_enabled flag
> > >
> > > No you didn't fix it because audit_enabled is always enabled by systemd
> > > for user space auditing, see the original description of my patch.
> > Sorry, I read your email too quickly; you are correct, that commit
> > fixed a different problem.
> >
> > Let me think on this a bit more. Technically I don't see this as a
> > bug with the kernel, userspace is enabling audit and you are getting
> > audit messages as a result; from my opinion this is the expected
>
> It's a bug in the kernel because seccomp is different from everything else.
>
> The kernel only produces audit messages when audit rules are set
> for every other case.
I can think of other examples, such as CONFIG_CHANGE, LOGIN,
NETFILTER_CFG, MAC_*, AVC and surely others, if I am understanding your
point.
> The only exception is this seccomp message which is produced
> unconditionally. Doesn't make sense to treat seccomp special
> here. It should only be audited when some kind of rule is set.
We had the opposite problem with AUDIT_USER_AVC and maybe also with
AUDIT_USER_SELINUX_ERR.
> > behavior. However, we've talked in the past about providing better
> > control over seccomp's auditing/logging and that work would allow you
> > to quiet all seccomp messages if you desired.
> >
> > If you are interested, I started tracking this issue at the link below:
> >
> > * https://github.com/linux-audit/audit-kernel/issues/13
>
> Making it a sysctl is fine for me as long as it is disabled by default
> so that user space doesn't need to be modified to make seccomp
> stop spamming.
>
> Audit should always be opt-in, not opt-out.
Not for those who rely on it...
> However I think making it conditional on syscall auditing like
> in my patch is equivalent and much simpler.
>
> If you really insist on the sysctl I can send patch.
>
> -Andi
- RGB
* Re: [PATCH] audit: Don't spam logs with SECCOMP_KILL/RET_ERRNO by default
From: Paul Moore @ 2016-04-12 1:17 UTC (permalink / raw)
To: Eric Paris; +Cc: Andi Kleen, linux-kernel, Andi Kleen, linux-audit
In-Reply-To: <1460390286.3268.36.camel@redhat.com>
On Monday, April 11, 2016 10:58:06 AM Eric Paris wrote:
> I'm all for a way to shut up unsolicited audit messages, especially
> seccomp with errno or trap. I think it would be best to default 'KILL'
> to on and everything else to off. I'm not so sure a sysctl is the right
> way though. Enabling more forms of 'seccomp audit' should really be a
> part of the audit policy.
The seccomp events are very useful for people who are working with seccomp
filters and I want to ensure that we have the ability to emit these events
regardless of if audit is enabled, or even compiled into the kernel using
dmesg/syslog as we do today with other auditable events, e.g. SELinux.
Because of this desire to log regardless of audit, I figured a sysctl tunable
made more sense than an audit based filter. As I mentioned previously, I'm
not completely sold on the sysctl based solution, but it is the best solution
that I can think of at the moment. Alternatives are welcome.
--
paul moore
www.paul-moore.com
* Re: [PATCH] audit: Don't spam logs with SECCOMP_KILL/RET_ERRNO by default
From: Andi Kleen @ 2016-04-11 21:55 UTC (permalink / raw)
To: Eric Paris; +Cc: Paul Moore, Andi Kleen, linux-kernel, Andi Kleen, linux-audit
In-Reply-To: <1460390286.3268.36.camel@redhat.com>
On Mon, Apr 11, 2016 at 10:58:06AM -0500, Eric Paris wrote:
> Just an FYI originally the idea was to follow the pattern of logging
> set by core dumps see kernel/auditsc.c::audit_core_dumps(). Which is
> gated by audit_enable but not anything else. I believe at that time the
> only option was kill, which meant, much like the core dumper, spam was
> not a likely result given the initiator is killed.
Given that user space now uses audit independently for its own
logging I don't think making things depend only on audit_enable
is good practice anymore.
>
> I'm all for a way to shut up unsolicited audit messages, especially
> seccomp with errno or trap. I think it would be best to default 'KILL'
> to on and everything else to off. I'm not so sure a sysctl is the right
> way though. Enabling more forms of 'seccomp audit' should really be a
> part of the audit policy.
That was my original patch -- make it conditional on syscall auditing.
If that's the right approach please apply that one.
-Andi
* Re: [PATCH] audit: Don't spam logs with SECCOMP_KILL/RET_ERRNO by default
From: Eric Paris @ 2016-04-11 15:58 UTC (permalink / raw)
To: Paul Moore, Andi Kleen; +Cc: linux-kernel, Andi Kleen, linux-audit
In-Reply-To: <CAHC9VhTnkbU_kJbOdwTF4BW=qZTL_xR7CddCZ5CDXKNNvi_nUQ@mail.gmail.com>
Just an FYI originally the idea was to follow the pattern of logging
set by core dumps see kernel/auditsc.c::audit_core_dumps(). Which is
gated by audit_enable but not anything else. I believe at that time the
only option was kill, which meant, much like the core dumper, spam was
not a likely result given the initiator is killed.
I'm all for a way to shut up unsolicited audit messages, especially
seccomp with errno or trap. I think it would be best to default 'KILL'
to on and everything else to off. I'm not so sure a sysctl is the right
way though. Enabling more forms of 'seccomp audit' should really be a
part of the audit policy.
(p.s. I think the action should be part of the seccomp message, as
right now all we know is that Andi's message isn't KILL since the
sig=0)
-Eric
On Mon, 2016-04-11 at 09:30 -0400, Paul Moore wrote:
> On Mon, Apr 11, 2016 at 12:13 AM, Andi Kleen <andi@firstfloor.org>
> wrote:
> >
> > From: Andi Kleen <ak@linux.intel.com>
> >
> > When I run chrome on my opensuse system every time I open
> > a new tab the system log is spammed with:
> >
> > audit[16857]: SECCOMP auid=1000 uid=1000 gid=100 ses=1 pid=16857
> > comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e
> > syscall=273 compat=0 ip=0x7fe27c11a444 code=0x50000
> >
> > This happens because chrome uses SECCOMP for its sandbox,
> > and for some reason always reaches a SECCOMP_KILL or more likely
> > SECCOMP_RET_ERRNO in the rule set.
> >
> > The seccomp auditing was originally added by Eric with
> >
> > commit 85e7bac33b8d5edafc4e219c7dfdb3d48e0b4e31
> > Author: Eric Paris <eparis@redhat.com>
> > Date: Tue Jan 3 14:23:05 2012 -0500
> >
> > seccomp: audit abnormal end to a process due to seccomp
> >
> > The audit system likes to collect information about
> > processes that end
> > abnormally (SIGSEGV) as this may be useful intrusion
> > detection information.
> > This patch adds audit support to collect information when
> > seccomp
> > forces a task to exit because of misbehavior in a similar
> > way.
> >
> > I don't have any other syscall auditing enabled,
> > just the standard user space auditing used by the systemd
> > and PAM userland. So basic auditing is always enabled,
> > but no other kernel auditing.
> >
> > Add a sysctl to enable this unconditional behavior with default
> > to off. This replaces an earlier patch that simply checked
> > whether syscall auditing was on, but Paul Moore preferred
> > this more elaborate approach.
> >
> > Signed-off-by: Andi Kleen <ak@linux.intel.com>
> > ---
> > Documentation/sysctl/kernel.txt | 9 +++++++++
> > include/linux/audit.h | 4 +++-
> > kernel/seccomp.c | 4 ++++
> > kernel/sysctl.c | 11 +++++++++++
> > 4 files changed, 27 insertions(+), 1 deletion(-)
> Quick response as I'm traveling the next few days and
> time/connectivity will be spotty ... thanks for sending an updated
> patch, some initial thoughts:
>
> * My thinking was that the sysctl knob could be a threshold value such
> that setting it to 0x00030000 would only log TRAP and KILL.
> * With the sysctl tunable defaulting to no-logging there is no need to
> check for audit_enabled, further, checking for audit_enabled would
> prevent logging to dmesg/syslog which I believe is valuable (you may
> not).
> * A bit nitpicky, but considering the possibility of logging to
> dmesg/syslog when auditing is disabled, I think
> "seccomp-log-threshold" or similar would be a better sysctl name.
>
> >
> > diff --git a/Documentation/sysctl/kernel.txt
> > b/Documentation/sysctl/kernel.txt
> > index 57653a4..abc6ef9 100644
> > --- a/Documentation/sysctl/kernel.txt
> > +++ b/Documentation/sysctl/kernel.txt
> > @@ -21,6 +21,7 @@ show up in /proc/sys/kernel:
> > - acct
> > - acpi_video_flags
> > - auto_msgmni
> > +- audit_log_seccomp
> > - bootloader_type [ X86 only ]
> > - bootloader_version [ X86 only ]
> > - callhome [ S390 only ]
> > @@ -129,6 +130,14 @@ upon memory add/remove or upon ipc namespace
> > creation/removal.
> > Echoing "1" into this file enabled msgmni automatic recomputing.
> > Echoing "0" turned it off. auto_msgmni default value was 1.
> >
> > +==============================================================
> > +
> > +audit_log_seccomp
> > +
> > +When this variable is set to 1 every
> > SECCOMP_KILL/SECCOMP_RET_ERRNO
> > +results in an audit log. This is generally a bad idea because
> > +it leads to a audit message every time Chrome opens a new tab.
> > +Defaults to 0.
> >
> > ==============================================================
> >
> > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > index e38e3fc..c7787ba 100644
> > --- a/include/linux/audit.h
> > +++ b/include/linux/audit.h
> > @@ -315,9 +315,11 @@ static inline void audit_inode_child(struct
> > inode *parent,
> > }
> > void audit_core_dumps(long signr);
> >
> > +extern int audit_log_seccomp;
> > +
> > static inline void audit_seccomp(unsigned long syscall, long
> > signr, int code)
> > {
> > - if (!audit_enabled)
> > + if (!audit_enabled || !audit_log_seccomp)
> > return;
> >
> > /* Force a record to be reported if a signal was delivered.
> > */
> > diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> > index e1e5a35..09a8b03 100644
> > --- a/kernel/seccomp.c
> > +++ b/kernel/seccomp.c
> > @@ -25,6 +25,10 @@
> > #include <asm/syscall.h>
> > #endif
> >
> > +#ifdef CONFIG_AUDIT
> > +int audit_log_seccomp __read_mostly = 0;
> > +#endif
> > +
> > #ifdef CONFIG_SECCOMP_FILTER
> > #include <linux/filter.h>
> > #include <linux/pid.h>
> > diff --git a/kernel/sysctl.c b/kernel/sysctl.c
> > index 725587f..0c7611e 100644
> > --- a/kernel/sysctl.c
> > +++ b/kernel/sysctl.c
> > @@ -65,6 +65,7 @@
> > #include <linux/sched/sysctl.h>
> > #include <linux/kexec.h>
> > #include <linux/bpf.h>
> > +#include <linux/audit.h>
> >
> > #include <asm/uaccess.h>
> > #include <asm/processor.h>
> > @@ -529,6 +530,16 @@ static struct ctl_table kern_table[] = {
> > .proc_handler = proc_dointvec,
> > },
> > #endif
> > +#ifdef CONFIG_AUDIT
> > + {
> > + .procname = "audit-log-seccomp",
> > + .data = &audit_log_seccomp,
> > + .maxlen = sizeof(int),
> > + .mode = 0644,
> > + .proc_handler = proc_dointvec,
> > + },
> > +
> > +#endif
> > {
> > .procname = "print-fatal-signals",
> > .data = &print_fatal_signals,
> > --
> > 2.7.4
> >
>
>
* Re: [PATCH] audit: Don't spam logs with SECCOMP_KILL/RET_ERRNO by default
From: Paul Moore @ 2016-04-11 13:30 UTC (permalink / raw)
To: Andi Kleen; +Cc: Andi Kleen, linux-kernel, linux-audit
In-Reply-To: <1460348008-27076-1-git-send-email-andi@firstfloor.org>
On Mon, Apr 11, 2016 at 12:13 AM, Andi Kleen <andi@firstfloor.org> wrote:
> From: Andi Kleen <ak@linux.intel.com>
>
> When I run chrome on my opensuse system every time I open
> a new tab the system log is spammed with:
>
> audit[16857]: SECCOMP auid=1000 uid=1000 gid=100 ses=1 pid=16857
> comm="chrome" exe="/opt/google/chrome/chrome" sig=0 arch=c000003e
> syscall=273 compat=0 ip=0x7fe27c11a444 code=0x50000
>
> This happens because chrome uses SECCOMP for its sandbox,
> and for some reason always reaches a SECCOMP_KILL or more likely
> SECCOMP_RET_ERRNO in the rule set.
>
> The seccomp auditing was originally added by Eric with
>
> commit 85e7bac33b8d5edafc4e219c7dfdb3d48e0b4e31
> Author: Eric Paris <eparis@redhat.com>
> Date: Tue Jan 3 14:23:05 2012 -0500
>
> seccomp: audit abnormal end to a process due to seccomp
>
> The audit system likes to collect information about processes that end
> abnormally (SIGSEGV) as this may be useful intrusion detection information.
> This patch adds audit support to collect information when seccomp
> forces a task to exit because of misbehavior in a similar way.
>
> I don't have any other syscall auditing enabled,
> just the standard user space auditing used by the systemd
> and PAM userland. So basic auditing is always enabled,
> but no other kernel auditing.
>
> Add a sysctl to enable this unconditional behavior with default
> to off. This replaces an earlier patch that simply checked
> whether syscall auditing was on, but Paul Moore preferred
> this more elaborate approach.
>
> Signed-off-by: Andi Kleen <ak@linux.intel.com>
> ---
> Documentation/sysctl/kernel.txt | 9 +++++++++
> include/linux/audit.h | 4 +++-
> kernel/seccomp.c | 4 ++++
> kernel/sysctl.c | 11 +++++++++++
> 4 files changed, 27 insertions(+), 1 deletion(-)
Quick response as I'm traveling the next few days and
time/connectivity will be spotty ... thanks for sending an updated
patch, some initial thoughts:
* My thinking was that the sysctl knob could be a threshold value such
that setting it to 0x00030000 would only log TRAP and KILL.
* With the sysctl tunable defaulting to no-logging there is no need to
check for audit_enabled, further, checking for audit_enabled would
prevent logging to dmesg/syslog which I believe is valuable (you may
not).
* A bit nitpicky, but considering the possibility of logging to
dmesg/syslog when auditing is disabled, I think
"seccomp-log-threshold" or similar would be a better sysctl name.
> diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
> index 57653a4..abc6ef9 100644
> --- a/Documentation/sysctl/kernel.txt
> +++ b/Documentation/sysctl/kernel.txt
> @@ -21,6 +21,7 @@ show up in /proc/sys/kernel:
> - acct
> - acpi_video_flags
> - auto_msgmni
> +- audit_log_seccomp
> - bootloader_type [ X86 only ]
> - bootloader_version [ X86 only ]
> - callhome [ S390 only ]
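Review bot: the new `- audit_log_seccomp` entry breaks the alphabetical order of this list: "audit" sorts before "auto", so it belongs between `- acpi_video_flags` and `- auto_msgmni`, not after `auto_msgmni`.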
> @@ -129,6 +130,14 @@ upon memory add/remove or upon ipc namespace creation/removal.
> Echoing "1" into this file enabled msgmni automatic recomputing.
> Echoing "0" turned it off. auto_msgmni default value was 1.
>
> +==============================================================
> +
> +audit_log_seccomp
> +
> +When this variable is set to 1 every SECCOMP_KILL/SECCOMP_RET_ERRNO
> +results in an audit log. This is generally a bad idea because
> +it leads to a audit message every time Chrome opens a new tab.
> +Defaults to 0.
>
> ==============================================================
>
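Review bot: the description does not match the code: it says that when set to 1 every SECCOMP_KILL/SECCOMP_RET_ERRNO "results in an audit log", but audit_seccomp() in the include/linux/audit.h hunk still also requires audit_enabled, and the text should say that both conditions apply. The sentence about Chrome opening a new tab is a bug report, not documentation of the knob; state what the variable controls and its default instead, and fix "a audit message" to "an audit message". The heading `audit_log_seccomp` should also be spelled exactly as the sysctl is registered in kernel/sysctl.c.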
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index e38e3fc..c7787ba 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -315,9 +315,11 @@ static inline void audit_inode_child(struct inode *parent,
> }
> void audit_core_dumps(long signr);
>
> +extern int audit_log_seccomp;
> +
> static inline void audit_seccomp(unsigned long syscall, long signr, int code)
> {
> - if (!audit_enabled)
> + if (!audit_enabled || !audit_log_seccomp)
> return;
>
> /* Force a record to be reported if a signal was delivered. */
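Review bot: the new early `return` runs before the `/* Force a record to be reported if a signal was delivered. */` check, so with the default of 0 a SECCOMP_RET_KILL that terminates the task is no longer logged either, although the subject only targets the ERRNO spam and a killed task is the case the original commit was added for. Consider leaving the `signr` path unconditional, or, following the threshold suggestion above, gating on the action's severity rather than a single on/off bit. The `extern int audit_log_seccomp;` is also declared without the `#ifdef CONFIG_AUDIT` guard that wraps its definition in the kernel/seccomp.c hunk; confirm this inline is only compiled under the same condition, or provide a stub.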
> diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> index e1e5a35..09a8b03 100644
> --- a/kernel/seccomp.c
> +++ b/kernel/seccomp.c
> @@ -25,6 +25,10 @@
> #include <asm/syscall.h>
> #endif
>
> +#ifdef CONFIG_AUDIT
> +int audit_log_seccomp __read_mostly = 0;
> +#endif
> +
> #ifdef CONFIG_SECCOMP_FILTER
> #include <linux/filter.h>
> #include <linux/pid.h>
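Review bot: `int audit_log_seccomp __read_mostly = 0;` explicitly initialises a global to zero, which checkpatch flags ("do not initialise globals to 0"); drop the `= 0`. The knob would also sit more naturally beside `audit_enabled` in kernel/audit.c with the other audit tunables than in kernel/seccomp.c behind a CONFIG_AUDIT guard.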
> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
> index 725587f..0c7611e 100644
> --- a/kernel/sysctl.c
> +++ b/kernel/sysctl.c
> @@ -65,6 +65,7 @@
> #include <linux/sched/sysctl.h>
> #include <linux/kexec.h>
> #include <linux/bpf.h>
> +#include <linux/audit.h>
>
> #include <asm/uaccess.h>
> #include <asm/processor.h>
> @@ -529,6 +530,16 @@ static struct ctl_table kern_table[] = {
> .proc_handler = proc_dointvec,
> },
> #endif
> +#ifdef CONFIG_AUDIT
> + {
> + .procname = "audit-log-seccomp",
> + .data = &audit_log_seccomp,
> + .maxlen = sizeof(int),
> + .mode = 0644,
> + .proc_handler = proc_dointvec,
> + },
> +
> +#endif
> {
> .procname = "print-fatal-signals",
> .data = &print_fatal_signals,
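Review bot: `.proc_handler = proc_dointvec` accepts any integer, so values such as 7 or -1 are stored even though only 0 and 1 are meaningful; use `proc_dointvec_minmax` with `.extra1`/`.extra2` bounds (0 and 1, or the action range if the threshold idea is adopted). The registered `.procname = "audit-log-seccomp"` uses dashes, consistent with the neighbouring `print-fatal-signals`, but Documentation/sysctl/kernel.txt lists `audit_log_seccomp`; the two must agree. Also drop the stray blank `+` line before `+#endif`.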
> --
> 2.7.4
>
--
paul moore
www.paul-moore.com
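An added example, not code from this patch or the kernel tree, that models the threshold-style knob from Paul's first bullet above and decodes the action from the code= field of the SECCOMP record quoted in Andi's report. The constants are the uapi <linux/seccomp.h> values; the helper names and the use of a negative knob value to mean "log nothing" are assumptions of this example.

```c
/* Added example, not code from this patch or the kernel tree.  It models
 * the threshold-style knob sketched above: the action carried in the
 * SECCOMP record's code= field is compared against the knob, so 0x00030000
 * logs KILL and TRAP but not ERRNO.  Constants are the uapi
 * <linux/seccomp.h> values; the helper names and the use of a negative
 * knob value to mean "log nothing" are assumptions of this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SECCOMP_RET_KILL    0x00000000U /* kill the task immediately */
#define SECCOMP_RET_TRAP    0x00030000U /* disallow and force a SIGSYS */
#define SECCOMP_RET_ERRNO   0x00050000U /* return an errno to the caller */
#define SECCOMP_RET_TRACE   0x7ff00000U /* hand the call to a tracer */
#define SECCOMP_RET_ALLOW   0x7fff0000U /* allow the call */
#define SECCOMP_RET_ACTION  0x7fff0000U /* mask selecting the action bits */

/* Human-readable name of the action bits of a seccomp return value. */
const char *seccomp_action_name(uint32_t code)
{
	switch (code & SECCOMP_RET_ACTION) {
	case SECCOMP_RET_KILL:  return "KILL";
	case SECCOMP_RET_TRAP:  return "TRAP";
	case SECCOMP_RET_ERRNO: return "ERRNO";
	case SECCOMP_RET_TRACE: return "TRACE";
	case SECCOMP_RET_ALLOW: return "ALLOW";
	default:                return "UNKNOWN";
	}
}

/* Threshold decision: lower action values are more severe (KILL is 0), so
 * an action is logged when it is at or below the knob.  A negative knob is
 * this example's encoding of "default off" and logs nothing. */
int seccomp_should_log(uint32_t code, long threshold)
{
	if (threshold < 0)
		return 0;
	return (code & SECCOMP_RET_ACTION) <= (uint32_t)threshold;
}

/* Extract a numeric "key=value" field from one audit record line.  The key
 * must start the record or follow a space, so "uid" is not matched inside
 * "auid".  Values may be decimal or 0x-prefixed hex (strtoul base 0).
 * Returns 1 and stores the value, or 0 when the key is absent/non-numeric. */
int audit_field_ulong(const char *rec, const char *key, unsigned long *out)
{
	size_t klen = strlen(key);
	const char *p = rec;

	while ((p = strstr(p, key)) != NULL) {
		int at_boundary = (p == rec) || (p[-1] == ' ');

		if (at_boundary && p[klen] == '=') {
			char *end;
			unsigned long v = strtoul(p + klen + 1, &end, 0);

			if (end == p + klen + 1)
				return 0;
			*out = v;
			return 1;
		}
		p += klen;
	}
	return 0;
}

/* Classify one SECCOMP record: returns the action name decoded from its
 * code= field (NULL when the field is missing) and sets *logged to whether
 * the record would be emitted under the given threshold. */
const char *seccomp_record_classify(const char *rec, long threshold, int *logged)
{
	unsigned long code;

	if (!audit_field_ulong(rec, "code", &code))
		return NULL;
	*logged = seccomp_should_log((uint32_t)code, threshold);
	return seccomp_action_name((uint32_t)code);
}

/* The record quoted in Andi Kleen's report above, joined onto one line. */
static const char chrome_record[] =
	"audit[16857]: SECCOMP auid=1000 uid=1000 gid=100 ses=1 pid=16857 "
	"comm=\"chrome\" exe=\"/opt/google/chrome/chrome\" sig=0 arch=c000003e "
	"syscall=273 compat=0 ip=0x7fe27c11a444 code=0x50000";

int main(void)
{
	static const long knobs[] = { -1L, 0x00000000L, 0x00030000L, 0x00050000L };
	size_t i;

	for (i = 0; i < sizeof(knobs) / sizeof(knobs[0]); i++) {
		int logged = 0;
		const char *act = seccomp_record_classify(chrome_record, knobs[i], &logged);
		printf("threshold=%ld action=%s logged=%d\n", knobs[i], act ? act : "(none)", logged);
	}
	return 0;
}
```

With the Chrome record (code=0x50000, i.e. ERRNO) the knob value 0x00030000 suppresses it while still logging KILL and TRAP, which is the split Paul's bullet describes.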
* Re: [PATCH] Don't audit SECCOMP_KILL/RET_ERRNO when syscall auditing is disabled
From: Paul Moore @ 2016-04-11 13:23 UTC (permalink / raw)
To: Andi Kleen; +Cc: Andi Kleen, linux-kernel, linux-audit
In-Reply-To: <20160411040744.GH9407@two.firstfloor.org>
On Mon, Apr 11, 2016 at 12:07 AM, Andi Kleen <andi@firstfloor.org> wrote:
> On Sun, Apr 10, 2016 at 10:30:10PM -0400, Paul Moore wrote:
>> On Sun, Apr 10, 2016 at 6:31 PM, Andi Kleen <ak@linux.intel.com> wrote:
>> > On Sun, Apr 10, 2016 at 06:17:53PM -0400, Paul Moore wrote:
>> >> On Sat, Apr 9, 2016 at 10:41 PM, Andi Kleen <andi@firstfloor.org> wrote:
>> >> >> What kernel version are you using? I believe we fixed that in Linux
>> >> >> 4.5 with the following:
>> >> >
>> >> > This is 4.6-rc2.
>> >> >>
>> >> >> commit 96368701e1c89057bbf39222e965161c68a85b4b
>> >> >> From: Paul Moore <pmoore@redhat.com>
>> >> >> Date: Wed, 13 Jan 2016 10:18:55 -0400 (09:18 -0500)
>> >> >>
>> >> >> audit: force seccomp event logging to honor the audit_enabled flag
>> >> >
>> >> > No you didn't fix it because audit_enabled is always enabled by systemd
>> >> > for user space auditing, see the original description of my patch.
>> >>
>> >> [NOTE: adding the audit list to the CC line]
>> >
>> > This mailing list is marked subscriber only in MAINTAINERS so I
>> > intentionally didn't add it. It's unlikely that my emails
>> > will make it through.
>>
>> Steve Grubb checks it on a regular basis and approves anything
>> remotely audit related. Please make use of it in the future; it's
>> listed in MAINTAINERS for a reason.
>
> Nothing has appeared by now. A mailing list that does not allow
> real time discussion is fairly useless.
>
> Dropped again.
Re-added.
There is always value in having the conversation archived.
--
paul moore
www.paul-moore.com
* Re: [PATCH] Don't audit SECCOMP_KILL/RET_ERRNO when syscall auditing is disabled
From: Paul Moore @ 2016-04-11 2:30 UTC (permalink / raw)
To: Andi Kleen; +Cc: Andi Kleen, Eric Paris, linux-kernel, linux-audit
In-Reply-To: <20160410223155.GD2336@tassilo.jf.intel.com>
On Sun, Apr 10, 2016 at 6:31 PM, Andi Kleen <ak@linux.intel.com> wrote:
> On Sun, Apr 10, 2016 at 06:17:53PM -0400, Paul Moore wrote:
>> On Sat, Apr 9, 2016 at 10:41 PM, Andi Kleen <andi@firstfloor.org> wrote:
>> >> What kernel version are you using? I believe we fixed that in Linux
>> >> 4.5 with the following:
>> >
>> > This is 4.6-rc2.
>> >>
>> >> commit 96368701e1c89057bbf39222e965161c68a85b4b
>> >> From: Paul Moore <pmoore@redhat.com>
>> >> Date: Wed, 13 Jan 2016 10:18:55 -0400 (09:18 -0500)
>> >>
>> >> audit: force seccomp event logging to honor the audit_enabled flag
>> >
>> > No you didn't fix it because audit_enabled is always enabled by systemd
>> > for user space auditing, see the original description of my patch.
>>
>> [NOTE: adding the audit list to the CC line]
>
> This mailing list is marked subscriber only in MAINTAINERS so I
> intentionally didn't add it. It's unlikely that my emails
> will make it through.
Steve Grubb checks it on a regular basis and approves anything
remotely audit related. Please make use of it in the future; it's
listed in MAINTAINERS for a reason.
>> Sorry, I read your email too quickly; you are correct, that commit
>> fixed a different problem.
>>
>> Let me think on this a bit more. Technically I don't see this as a
>> bug with the kernel, userspace is enabling audit and you are getting
>> audit messages as a result; from my opinion this is the expected
>
> It's a bug in the kernel because seccomp is different from everything else.
This behavior has existed since seccomp auditing was first introduced.
I disagree with your opinion that it is a bug, but I don't think it is
worth arguing over the distinction since we are talking about changing
it regardless.
>> ... However, we've talked in the past about providing better
>> control over seccomp's auditing/logging and that work would allow you
>> to quiet all seccomp messages if you desired.
>>
>> If you are interested, I started tracking this issue at the link below:
>>
>> * https://github.com/linux-audit/audit-kernel/issues/13
>
> Making it a sysctl is fine for me as long as it is disabled by default
> so that user space doesn't need to be modified to make seccomp
> stop spamming.
>
> Audit should always be opt-in, not opt-out.
From my perspective, you, or rather systemd in your case, is opting in
by enabling audit.
> However I think making it conditional on syscall auditing like
> in my patch is equivalent and much simpler.
>
> If you really insist on the sysctl I can send patch.
As I said earlier, I haven't given this a lot of thought as of yet,
but so far I like the sysctl approach much more than the patch you
sent earlier.
--
paul moore
www.paul-moore.com
* Re: [PATCH] Don't audit SECCOMP_KILL/RET_ERRNO when syscall auditing is disabled
From: Andi Kleen @ 2016-04-10 22:31 UTC (permalink / raw)
To: Paul Moore; +Cc: Andi Kleen, Eric Paris, linux-kernel, linux-audit
In-Reply-To: <CAHC9VhT1Eu_Z5xk-e3iF7nJT7QZOH1VJuvJBvB5UAZ5CV9=fVQ@mail.gmail.com>
On Sun, Apr 10, 2016 at 06:17:53PM -0400, Paul Moore wrote:
> On Sat, Apr 9, 2016 at 10:41 PM, Andi Kleen <andi@firstfloor.org> wrote:
> >> What kernel version are you using? I believe we fixed that in Linux
> >> 4.5 with the following:
> >
> > This is 4.6-rc2.
> >>
> >> commit 96368701e1c89057bbf39222e965161c68a85b4b
> >> From: Paul Moore <pmoore@redhat.com>
> >> Date: Wed, 13 Jan 2016 10:18:55 -0400 (09:18 -0500)
> >>
> >> audit: force seccomp event logging to honor the audit_enabled flag
> >
> > No you didn't fix it because audit_enabled is always enabled by systemd
> > for user space auditing, see the original description of my patch.
>
> [NOTE: adding the audit list to the CC line]
This mailing list is marked subscriber only in MAINTAINERS so I
intentionally didn't add it. It's unlikely that my emails
will make it through.
> Sorry, I read your email too quickly; you are correct, that commit
> fixed a different problem.
>
> Let me think on this a bit more. Technically I don't see this as a
> bug with the kernel, userspace is enabling audit and you are getting
> audit messages as a result; from my opinion this is the expected
It's a bug in the kernel because seccomp is different from everything else.
The kernel only produces audit messages when audit rules are set
for every other case.
The only exception is this seccomp message which is produced
unconditionally. Doesn't make sense to treat seccomp special
here. It should only be audited when some kind of rule is set.
> behavior. However, we've talked in the past about providing better
> control over seccomp's auditing/logging and that work would allow you
> to quiet all seccomp messages if you desired.
>
> If you are interested, I started tracking this issue at the link below:
>
> * https://github.com/linux-audit/audit-kernel/issues/13
Making it a sysctl is fine for me as long as it is disabled by default
so that user space doesn't need to be modified to make seccomp
stop spamming.
Audit should always be opt-in, not opt-out.
However I think making it conditional on syscall auditing like
in my patch is equivalent and much simpler.
If you really insist on the sysctl I can send patch.
-Andi
* Re: [PATCH] Don't audit SECCOMP_KILL/RET_ERRNO when syscall auditing is disabled
From: Paul Moore @ 2016-04-10 22:17 UTC (permalink / raw)
To: Andi Kleen; +Cc: Andi Kleen, linux-kernel, linux-audit
In-Reply-To: <20160410024152.GG9407@two.firstfloor.org>
On Sat, Apr 9, 2016 at 10:41 PM, Andi Kleen <andi@firstfloor.org> wrote:
>> What kernel version are you using? I believe we fixed that in Linux
>> 4.5 with the following:
>
> This is 4.6-rc2.
>>
>> commit 96368701e1c89057bbf39222e965161c68a85b4b
>> From: Paul Moore <pmoore@redhat.com>
>> Date: Wed, 13 Jan 2016 10:18:55 -0400 (09:18 -0500)
>>
>> audit: force seccomp event logging to honor the audit_enabled flag
>
> No you didn't fix it because audit_enabled is always enabled by systemd
> for user space auditing, see the original description of my patch.
[NOTE: adding the audit list to the CC line]
Sorry, I read your email too quickly; you are correct, that commit
fixed a different problem.
Let me think on this a bit more. Technically I don't see this as a
bug with the kernel, userspace is enabling audit and you are getting
audit messages as a result; from my opinion this is the expected
behavior. However, we've talked in the past about providing better
control over seccomp's auditing/logging and that work would allow you
to quiet all seccomp messages if you desired.
If you are interested, I started tracking this issue at the link below:
* https://github.com/linux-audit/audit-kernel/issues/13
--
paul moore
www.paul-moore.com