* Re: iptables audit target causes kernel panic with iptables-persistent (kernel 3.2.78)
From: Paul Moore @ 2016-04-26 18:54 UTC (permalink / raw)
To: Lev Stipakov; +Cc: linux-audit, netfilter-devel
In-Reply-To: <nfnajo$4cj$1@ger.gmane.org>
On Tue, Apr 26, 2016 at 4:58 AM, Lev Stipakov <lstipakov@gmail.com> wrote:
> Hello,
>
> I see kernel panic with iptables-persistent package installed and one
> iptables rule with AUDIT target.
>
> root@debian7:~# uname -a
> Linux debian7 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64 GNU/Linux
>
> root@debian7:~# dpkg -l | grep iptables
> ii iptables 1.4.14-3.1
> ii iptables-persistent 0.5.7+deb7u1
>
> Steps to reproduce:
>
> 1) Install Debian 7 and iptables-persistent (see versions above)
> 2) Add iptables rule (must be OUTPUT chain):
>
> root@debian7:~# iptables -I OUTPUT -j AUDIT --type ACCEPT
>
> 3) Save rule:
>
> root@debian7:~# iptables-save > /etc/iptables/rules.v4
>
> 4) Reboot
>
> 5) Kernel panic (screenshot):
> https://www.dropbox.com/s/db40e5kc10e4ddg/kernel_panic2.png?dl=0
>
>
> I cannot reproduce it on (one of) previous kernel version:
>
> lev@debi7:~$ uname -a
> Linux debi7 3.2.0-4-amd64 #1 SMP Debian 3.2.73-2+deb7u2 x86_64 GNU/Linux
>
> lev@debi7:~$ dpkg -l | grep iptables
> ii iptables 1.4.14-3.1
> ii iptables-persistent 0.5.7+deb7u1
Unfortunately I don't have a Debian system available to test, but have
you tried reproducing this on a more modern kernel?
--
paul moore
www.paul-moore.com
^ permalink raw reply
* Re: iptables audit target causes kernel panic with iptables-persistent (kernel 3.2.78)
From: Lev Stipakov @ 2016-04-26 19:58 UTC (permalink / raw)
To: Paul Moore; +Cc: linux-audit, netfilter-devel
In-Reply-To: <CAHC9VhQ7577V3M_t9_GCJuGWsrCtUFJb-GjOnCmmEP+rHr-BcQ@mail.gmail.com>
Yep, it works fine on Debian 8:
lev@debi:~$ uname -a
Linux debi 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt20-1+deb8u3
(2016-01-17) x86_64 GNU/Linux
On 26.04.2016 21:54, Paul Moore wrote:
>>
>> I cannot reproduce it on (one of) previous kernel version:
>>
>> lev@debi7:~$ uname -a
>> Linux debi7 3.2.0-4-amd64 #1 SMP Debian 3.2.73-2+deb7u2 x86_64 GNU/Linux
>>
>> lev@debi7:~$ dpkg -l | grep iptables
>> ii iptables 1.4.14-3.1
>> ii iptables-persistent 0.5.7+deb7u1
>
> Unfortunately I don't have a Debian system available to test, but have
> you tried reproducing this on a more modern kernel?
>
^ permalink raw reply
* Re: iptables audit target causes kernel panic with iptables-persistent (kernel 3.2.78)
From: Paul Moore @ 2016-04-26 20:17 UTC (permalink / raw)
To: Lev Stipakov; +Cc: linux-audit, netfilter-devel
In-Reply-To: <571FC86B.9000703@gmail.com>
On Tue, Apr 26, 2016 at 3:58 PM, Lev Stipakov <lstipakov@gmail.com> wrote:
> Yep, it works fine on Debian 8:
>
> lev@debi:~$ uname -a
> Linux debi 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt20-1+deb8u3 (2016-01-17)
> x86_64 GNU/Linux
I would suggest bringing this up with the Debian kernel
packagers/maintainers, or doing a git-bisect of the Debian kernel if
you are comfortable with that sort of thing.
> On 26.04.2016 21:54, Paul Moore wrote:
>>>
>>>
>>> I cannot reproduce it on (one of) previous kernel version:
>>>
>>> lev@debi7:~$ uname -a
>>> Linux debi7 3.2.0-4-amd64 #1 SMP Debian 3.2.73-2+deb7u2 x86_64
>>> GNU/Linux
>>>
>>> lev@debi7:~$ dpkg -l | grep iptables
>>> ii iptables 1.4.14-3.1
>>> ii iptables-persistent 0.5.7+deb7u1
>>
>> Unfortunately I don't have a Debian system available to test, but have
>> you tried reproducing this on a more modern kernel?
--
paul moore
www.paul-moore.com
^ permalink raw reply
* Re: [PATCH V4] audit: add tty field to LOGIN event
From: Paul Moore @ 2016-04-26 22:34 UTC (permalink / raw)
To: Peter Hurley, Richard Guy Briggs; +Cc: linux-audit, Paul Moore, linux-kernel
In-Reply-To: <571A5C54.7050704@hurleysoftware.com>
On Fri, Apr 22, 2016 at 1:16 PM, Peter Hurley <peter@hurleysoftware.com> wrote:
> On 04/21/2016 11:14 AM, Richard Guy Briggs wrote:
>> diff --git a/include/linux/audit.h b/include/linux/audit.h
>> index b40ed5d..32cdafb 100644
>> --- a/include/linux/audit.h
>> +++ b/include/linux/audit.h
>> @@ -26,6 +26,7 @@
>> #include <linux/sched.h>
>> #include <linux/ptrace.h>
>> #include <uapi/linux/audit.h>
>> +#include <linux/tty.h>
>>
>> #define AUDIT_INO_UNSET ((unsigned long)-1)
>> #define AUDIT_DEV_UNSET ((dev_t)-1)
>> @@ -343,6 +344,23 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
>> return tsk->sessionid;
>> }
>>
>> +static inline struct tty_struct *audit_get_tty(struct task_struct *tsk)
>> +{
>> + struct tty_struct *tty = NULL;
>> + unsigned long flags;
>> +
>> + spin_lock_irqsave(&tsk->sighand->siglock, flags);
>> + if (tsk->signal)
>> + tty = tty_kref_get(tsk->signal->tty);
>> + spin_unlock_irqrestore(&tsk->sighand->siglock, flags);
I just merged Richard's patch, if nothing else it is better than it
was. However, I would like to talk about improving things, see below.
> Not that I'm objecting because I get that you're just refactoring
> existing code, but I thought I'd point out some stuff.
>
> 1. There's no need to check if signal_struct is NULL (ie. tsk->signal)
> because if it is, this will blow up trying to dereference the
> sighand_struct (ie tsk->sighand).
>
> 2. The existing usage is always tsk==current
Yep, there is only one caller I found that even works on task_structs
other than current (see audit_log_exit() via audit_free()), although
even then when it ends up calling into audit_log_task_info() tsk
should always be current.
I've got a patch compiling now to get rid of passing around current as
a task_struct argument, assuming nothing blows up in testing I'll
post/merge it.
> 3. If the idea is to make this invulnerable to tsk being gone, then
> the usage is unsafe anyway.
I don't think that is our concern here.
> So ultimately (but not necessarily for this patch) I'd prefer that either
> a. audit use existing tty api instead of open-coding, or
> b. add any tty api functions required.
I'm open to suggestions, care to elaborate on either option? Feel
free to elaborate by patch too ;)
--
paul moore
www.paul-moore.com
^ permalink raw reply
* Re: [PATCH V4] audit: add tty field to LOGIN event
From: Peter Hurley @ 2016-04-27 0:57 UTC (permalink / raw)
To: Paul Moore, Richard Guy Briggs; +Cc: linux-audit, Paul Moore, linux-kernel
In-Reply-To: <CAHC9VhTiY5s19_W22KpzMTrQG2Y0TethjTxeWFnSFY9PCNNwzg@mail.gmail.com>
On 04/26/2016 03:34 PM, Paul Moore wrote:
> On Fri, Apr 22, 2016 at 1:16 PM, Peter Hurley <peter@hurleysoftware.com> wrote:
>> On 04/21/2016 11:14 AM, Richard Guy Briggs wrote:
>>> diff --git a/include/linux/audit.h b/include/linux/audit.h
>>> index b40ed5d..32cdafb 100644
>>> --- a/include/linux/audit.h
>>> +++ b/include/linux/audit.h
>>> @@ -26,6 +26,7 @@
>>> #include <linux/sched.h>
>>> #include <linux/ptrace.h>
>>> #include <uapi/linux/audit.h>
>>> +#include <linux/tty.h>
>>>
>>> #define AUDIT_INO_UNSET ((unsigned long)-1)
>>> #define AUDIT_DEV_UNSET ((dev_t)-1)
>>> @@ -343,6 +344,23 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
>>> return tsk->sessionid;
>>> }
>>>
>>> +static inline struct tty_struct *audit_get_tty(struct task_struct *tsk)
>>> +{
>>> + struct tty_struct *tty = NULL;
>>> + unsigned long flags;
>>> +
>>> + spin_lock_irqsave(&tsk->sighand->siglock, flags);
>>> + if (tsk->signal)
>>> + tty = tty_kref_get(tsk->signal->tty);
>>> + spin_unlock_irqrestore(&tsk->sighand->siglock, flags);
>
> I just merged Richard's patch, if nothing else it is better than it
> was. However, I would like to talk about improving things, see below.
>
>> Not that I'm objecting because I get that you're just refactoring
>> existing code, but I thought I'd point out some stuff.
>>
>> 1. There's no need to check if signal_struct is NULL (ie. tsk->signal)
>> because if it is, this will blow up trying to dereference the
>> sighand_struct (ie tsk->sighand).
>>
>> 2. The existing usage is always tsk==current
>
> Yep, there is only one caller I found that even works on task_structs
> other than current (see audit_log_exit() via audit_free()), although
> even then when it ends up calling into audit_log_task_info() tsk
> should always be current.
>
> I've got a patch compiling now to get rid of passing around current as
> a task_struct argument, assuming nothing blows up in testing I'll
> post/merge it.
>
>> 3. If the idea is to make this invulnerable to tsk being gone, then
>> the usage is unsafe anyway.
>
> I don't think that is our concern here.
>
>> So ultimately (but not necessarily for this patch) I'd prefer that either
>> a. audit use existing tty api instead of open-coding, or
>> b. add any tty api functions required.
>
> I'm open to suggestions, care to elaborate on either option?
So b) is only necessary if the answer to 3) was yes or if tsk != current.
Otherwise, the new audit_get_tty() is equivalent to get_current_tty()
which is the exported tty core interface for the identical operation.
I was only suggesting b) if get_current_tty() wasn't going to be
sufficient.
> Feel free to elaborate by patch too ;)
I can do that.
Regards,
Peter Hurley
^ permalink raw reply
* Re: PID's Mapping
From: Deepika Sundar @ 2016-04-27 11:19 UTC (permalink / raw)
To: Steve Grubb, rgb, linux-audit
In-Reply-To: <CAHj_pNeBvo5GJes_6kpp4KA+QMQG=itffTdxaXYJ4_owCi_4yQ@mail.gmail.com>
As per the rule, root (admin) is the one who is monitoring the system's
information. So there must exist some namespace information in the proc field
for the namespace-related PID in global. Is the way I'm approaching the
namespace-related stuff correct?
-Deepika
On Mon, Apr 25, 2016 at 12:24 PM, Deepika Sundar <sundar.deepika18@gmail.com
> wrote:
> Yeah.
> When the PIDs which are in the namespace application have different PIDs
> compared to the global PIDs, there would be some means to map the PIDs at the
> kernel level. Can anyone suggest how it can be mapped?
>
> On Wed, Apr 20, 2016 at 6:03 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>
>> On Wednesday, April 20, 2016 10:06:38 AM Deepika Sundar wrote:
>> > Is there any way that can be suggested as to map PID's of namespace in
>> > global?
>>
>> This is on the TODO list. We have been kicking around several ideas but
>> have not come to a conclusion about what exactly needs to be done. The
>> upshot of this is that basically containers have no support.
>>
>> -Steve
>>
>>
>> > On Mon, Apr 18, 2016 at 8:47 PM, Paul Moore <paul@paul-moore.com> wrote:
>> > > Please ask your question on the mailing list so that everyone can benefit.
>> > >
>> > > On Mon, Apr 18, 2016 at 1:34 AM, Deepika Sundar
>> > > <sundar.deepika18@gmail.com> wrote:
>> > > > How it can be achieved, Can I get any idea on this?
>> > > >
>> > > > On Fri, Apr 15, 2016 at 4:12 AM, Paul Moore <paul@paul-moore.com> wrote:
>> > > >> On Wed, Apr 13, 2016 at 1:43 AM, sowndarya kumar
>> > > >> <sowndarya.nadar@gmail.com> wrote:
>> > > >> > Hi
>> > > >> >
>> > > >> > Is there any way to map the PID's seen in the namespace application
>> > > >> > with the PID's seen in global? If it can be done please provide the
>> > > >> > documentation or idea on how it can be done.
>> > > >>
>> > > >> In general the audit subsystem doesn't pay attention to namespaces,
>> > > >> all PIDs reported to userspace are reported with respect to the init
>> > > >> namespace.
>> > > >>
>> > > >> --
>> > > >> paul moore
>> > > >> www.paul-moore.com
>> > > >>
>> > > >> --
>> > > >> Linux-audit mailing list
>> > > >> Linux-audit@redhat.com
>> > > >> https://www.redhat.com/mailman/listinfo/linux-audit
>> > >
>> > > --
>> > > paul moore
>> > > www.paul-moore.com
>>
>>
>
^ permalink raw reply
* audit review question
From: Warron S French @ 2016-04-27 21:10 UTC (permalink / raw)
To: linux-audit@redhat.com
Hello, I hope you all are well and meeting your own professional challenges very well.
I have a scenario that I need a little help understanding how to work through in an isolated environment of 1 server and 6 workstations (7 machines).
The 7 machines are all running CentOS-6.7 with SELinux disabled.
All 6 workstations are configured through rsyslog.conf to send audit data to the server (I have apparently not yet successfully configured general system messages to also report back to the same server).
I am using the conventional filesystems for each, but the directory structure below is different.
For audit, I use /var/log/audit/2016/04/27/wk{1..6}_audit.log; the directories per day, per month and per year are auto-created (miraculously).
For system messages (I know this isn't the forum to get help on that, so I will only list the directory), it is /var/log/2016/04/27/wk{1..6}_syslog.log.
Now that I am doing this, and successfully, I want to test that the security auditors will be able to do their job properly, as I am trying to comply with a security constraint that requires me to centralize the log data on a single server (hence the major driver for all of this).
I know that there are the aureport and ausearch commands, but I am not sure that I am able to figure out the correct command-line structure to test that audit data is getting into the appropriate file, on each day of the year, on a per-serverName basis.
If a real-world situation occurred where the security auditors were asking to find out how many machines userX attempted to log into, what would be the appropriate command for the example audit directory I listed above (/var/log/audit/2016/04/27/wk{1..6}_audit.log)? I am not sure I am running the command with the appropriate switches to scan the files properly.
I used:
* aureport -if /var/log/audit/2016/04/27/ and it didn't like the input,
* aureport -if /var/log/audit/2016/04/27/* and it didn't like the input.
Am I using the command improperly?
Warron French, MBA, SCSA
^ permalink raw reply
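The per-file loop below is an added example for the question above; it is not from the original post or from the audit project. It answers "how many machines did userX attempt to log into" for a directory laid out as /var/log/audit/YYYY/MM/DD/<host>_audit.log by parsing raw USER_LOGIN records with awk, so it runs without the audit tools installed; where they are, the per-file step would be ausearch -if "$f" -m USER_LOGIN -i. Whether -if accepts a directory depends on the audit version, and a shell glob expands into several arguments where -if expects one, so looping over the files is the portable approach. Matching is on the numeric uid in the record's id= field and on acct="NAME" rather than on a username, because uid-to-name resolution happens on the machine running the tool and the central server's passwd file need not match the workstations'. The three sample logs are constructed for the example, and the uid 500 / account "alice" pairing is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post. For a day's worth of
# centralised audit logs named <host>_audit.log, report which hosts hold
# USER_LOGIN records for one account. Raw records are parsed with awk so
# this runs without auditd installed; with the audit tools present the
# per-file step would be:  ausearch -if "$f" -m USER_LOGIN -i
set -u

# login_events_by_host DIR UID [ACCT]
#   Print "<host> <successes> <failures>" for every DIR/<host>_audit.log
#   that holds a USER_LOGIN record for the account. Matching is on the
#   numeric "id=UID" field, and optionally on acct="ACCT", because a failed
#   login for an unknown or rejected name carries the typed name in acct=
#   and no usable id=. The host name is taken from the file name.
login_events_by_host() {
    dir=$1
    uid=$2
    acct=${3:-}
    for f in "$dir"/*_audit.log; do
        [ -f "$f" ] || continue
        host=${f##*/}
        host=${host%_audit.log}
        awk -v uid="$uid" -v acct="$acct" -v host="$host" '
            /^type=USER_LOGIN / {
                hit = ($0 ~ ("[ ]id=" uid "[ ]"))
                if (!hit && acct != "")
                    hit = (index($0, "acct=\"" acct "\"") > 0)
                if (!hit) next
                if ($0 ~ /res=success/) ok++; else fail++
            }
            END { if (ok + fail > 0) print host, ok + 0, fail + 0 }
        ' "$f"
    done
}

# count_login_hosts DIR UID [ACCT]
#   Number of distinct hosts with at least one matching USER_LOGIN record,
#   i.e. the answer to "how many machines did this user try to log into".
count_login_hosts() {
    login_events_by_host "$@" | wc -l | tr -d ' '
}

# make_sample_logs DIR
#   Constructed sample data (not real logs): three workstations, one day.
#   uid 500 / account "alice" is the account of interest (an assumption).
make_sample_logs() {
    mkdir -p "$1"
    cat > "$1/wk1_audit.log" <<'EOF'
type=USER_LOGIN msg=audit(1461772800.101:201): user pid=2001 uid=0 auid=500 ses=3 msg='op=login id=500 exe="/usr/sbin/sshd" hostname=? addr=192.168.1.10 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1461776400.102:230): user pid=2100 uid=0 auid=500 ses=4 msg='op=login id=500 exe="/usr/sbin/sshd" hostname=? addr=192.168.1.10 terminal=ssh res=success'
type=USER_END msg=audit(1461780000.103:240): user pid=2001 uid=0 auid=500 ses=3 msg='op=PAM:session_close acct="alice" exe="/usr/sbin/sshd" hostname=? addr=192.168.1.10 terminal=ssh res=success'
EOF
    cat > "$1/wk2_audit.log" <<'EOF'
type=USER_LOGIN msg=audit(1461772900.104:150): user pid=1800 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=? addr=192.168.1.10 terminal=ssh res=failed'
EOF
    cat > "$1/wk3_audit.log" <<'EOF'
type=USER_LOGIN msg=audit(1461773000.105:310): user pid=1900 uid=0 auid=501 ses=2 msg='op=login id=501 exe="/usr/sbin/sshd" hostname=? addr=192.168.1.11 terminal=ssh res=success'
EOF
}

# Run as "sh thisfile.sh demo" to see the report on the sample data.
if [ "${1:-}" = "demo" ]; then
    demo=$(mktemp -d)
    make_sample_logs "$demo/2016/04/27"
    login_events_by_host "$demo/2016/04/27" 500 alice
    echo "hosts: $(count_login_hosts "$demo/2016/04/27" 500 alice)"
    rm -rf "$demo"
fi
```

Point the two functions at the real directory (for example login_events_by_host /var/log/audit/2016/04/27 500 alice) to get one line per workstation that saw the account, with successful and failed logins counted separately; a host with no matching record prints nothing, which is the behaviour you want when checking that each day's files are actually populated.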
* Re: [PATCH V4] audit: add tty field to LOGIN event
From: Richard Guy Briggs @ 2016-04-28 1:31 UTC (permalink / raw)
To: Peter Hurley; +Cc: linux-audit, pmoore, linux-kernel, sgrubb, eparis
In-Reply-To: <571A5C54.7050704@hurleysoftware.com>
On 16/04/22, Peter Hurley wrote:
> On 04/21/2016 11:14 AM, Richard Guy Briggs wrote:
> > The tty field was missing from AUDIT_LOGIN events.
> >
> > Refactor code to create a new function audit_get_tty(), using it to
> > replace the call in audit_log_task_info() and to add it to
> > audit_log_set_loginuid(). Lock and bump the kref to protect it, adding
> > audit_put_tty() alias to decrement it.
> >
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> >
> > V4: Add missing prototype for audit_put_tty() when audit syscall is not
> > enabled (MIPS).
> >
> > V3: Introduce audit_put_tty() alias to decrement kref.
> >
> > V2: Use kref to protect tty signal struct while in use.
> >
> > ---
> >
> > include/linux/audit.h | 24 ++++++++++++++++++++++++
> > kernel/audit.c | 18 +++++-------------
> > kernel/auditsc.c | 8 ++++++--
> > 3 files changed, 35 insertions(+), 15 deletions(-)
> >
> > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > index b40ed5d..32cdafb 100644
> > --- a/include/linux/audit.h
> > +++ b/include/linux/audit.h
> > @@ -26,6 +26,7 @@
> > #include <linux/sched.h>
> > #include <linux/ptrace.h>
> > #include <uapi/linux/audit.h>
> > +#include <linux/tty.h>
> >
> > #define AUDIT_INO_UNSET ((unsigned long)-1)
> > #define AUDIT_DEV_UNSET ((dev_t)-1)
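Review bot: adding #include <linux/tty.h> to include/linux/audit.h makes every file that includes audit.h pull in the tty headers, a heavier dependency than the header had before. It is needed only because audit_get_tty() below is a static inline that calls tty_kref_get(); moving the two helpers out of line into kernel/audit.c and keeping a `struct tty_struct;` forward declaration here would confine the include to the one file that needs it.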
> > @@ -343,6 +344,23 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
> > return tsk->sessionid;
> > }
> >
> > +static inline struct tty_struct *audit_get_tty(struct task_struct *tsk)
> > +{
> > + struct tty_struct *tty = NULL;
> > + unsigned long flags;
> > +
> > + spin_lock_irqsave(&tsk->sighand->siglock, flags);
> > + if (tsk->signal)
> > + tty = tty_kref_get(tsk->signal->tty);
> > + spin_unlock_irqrestore(&tsk->sighand->siglock, flags);
>
>
> Not that I'm objecting because I get that you're just refactoring
> existing code, but I thought I'd point out some stuff.
>
> 1. There's no need to check if signal_struct is NULL (ie. tsk->signal)
> because if it is, this will blow up trying to dereference the
> sighand_struct (ie tsk->sighand).
Ok. This logic goes back 10 years and one month less two days. (45d9bb0e)
> 2. The existing usage is always tsk==current
My understanding is that when it is called via:
  copy_process()
    audit_free()
      __audit_free()
        audit_log_exit()
          audit_log_task_info()
then tsk != current. This appears to be the only case which appears to
force lugging around tsk. This is noted in that commit referenced
above.
> 3. If the idea is to make this invulnerable to tsk being gone, then
> the usage is unsafe anyway.
>
>
> So ultimately (but not necessarily for this patch) I'd prefer that either
> a. audit use existing tty api instead of open-coding, or
> b. add any tty api functions required.
This latter option did cross my mind...
> Peter Hurley
>
> > + return tty;
> > +}
> > +
> > +static inline void audit_put_tty(struct tty_struct *tty)
> > +{
> > + tty_kref_put(tty);
> > +}
> > +
> > extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
> > extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
> > extern void __audit_bprm(struct linux_binprm *bprm);
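Review bot: audit_get_tty() dereferences tsk->sighand unconditionally to take siglock and only then tests tsk->signal, so the NULL check guards nothing the line above has not already assumed; either drop it or check tsk->sighand as well. Since the only caller in this patch that does not pass current is the copy_process() failure path discussed in this thread, a comment on the function stating the tsk == current expectation (or replacing the body with get_current_tty()) would make the intended contract explicit. audit_put_tty() is a bare alias for tty_kref_put(); a one-line comment that it pairs with audit_get_tty() and accepts NULL would help readers.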
> > @@ -500,6 +518,12 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
> > {
> > return -1;
> > }
> > +static inline struct tty_struct *audit_get_tty(struct task_struct *tsk)
> > +{
> > + return NULL;
> > +}
> > +static inline void audit_put_tty(struct tty_struct *tty)
> > +{ }
> > static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
> > { }
> > static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid,
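Review bot: these stubs live in the branch used when syscall auditing is not configured (the V4 note mentions MIPS), but audit_log_task_info() in kernel/audit.c, which this patch switches to audit_get_tty(), is built whenever CONFIG_AUDIT is set; on a CONFIG_AUDIT=y, CONFIG_AUDITSYSCALL=n kernel the stub returns NULL and every record now reports tty=(none), whereas the removed open-coded lookup reported the real tty. audit_get_tty()/audit_put_tty() should be defined outside the CONFIG_AUDITSYSCALL conditional so both configurations get the real implementation.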
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 3a3e5de..7edd776 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -64,7 +64,6 @@
> > #include <linux/security.h>
> > #endif
> > #include <linux/freezer.h>
> > -#include <linux/tty.h>
> > #include <linux/pid_namespace.h>
> > #include <net/netns/generic.h>
> >
> > @@ -1873,21 +1872,14 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
> > {
> > const struct cred *cred;
> > char comm[sizeof(tsk->comm)];
> > - char *tty;
> > + struct tty_struct *tty;
> >
> > if (!ab)
> > return;
> >
> > /* tsk == current */
> > cred = current_cred();
> > -
> > - spin_lock_irq(&tsk->sighand->siglock);
> > - if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
> > - tty = tsk->signal->tty->name;
> > - else
> > - tty = "(none)";
> > - spin_unlock_irq(&tsk->sighand->siglock);
> > -
> > + tty = audit_get_tty(tsk);
> > audit_log_format(ab,
> > " ppid=%d pid=%d auid=%u uid=%u gid=%u"
> > " euid=%u suid=%u fsuid=%u"
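Review bot: the `/* tsk == current */` comment is kept while the new line still passes tsk into audit_get_tty(tsk); if the comment is right, call audit_get_tty(current) here (matching cred = current_cred() just above) and the helper's tsk parameter becomes unnecessary, and if it is not right, the comment and current_cred() are both wrong. The lifetime change itself is an improvement worth stating in the commit message: the old code saved tsk->signal->tty->name and used it after dropping siglock, while the new code holds a kref until audit_put_tty().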
> > @@ -1903,11 +1895,11 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
> > from_kgid(&init_user_ns, cred->egid),
> > from_kgid(&init_user_ns, cred->sgid),
> > from_kgid(&init_user_ns, cred->fsgid),
> > - tty, audit_get_sessionid(tsk));
> > -
> > + tty ? tty_name(tty) : "(none)",
> > + audit_get_sessionid(tsk));
> > + audit_put_tty(tty);
> > audit_log_format(ab, " comm=");
> > audit_log_untrustedstring(ab, get_task_comm(comm, tsk));
> > -
> > audit_log_d_path_exe(ab, tsk->mm);
> > audit_log_task_context(ab);
> > }
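Review bot: the two deleted blank lines (after the audit_log_format() call and before audit_log_d_path_exe()) are unrelated whitespace churn that makes the diff larger than the tty change; keep them. The `tty ? tty_name(tty) : "(none)"` guard should stay as written, since tty_name() does not return "(none)" for a NULL tty and the guard preserves the literal the old code emitted.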
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index 195ffae..71e14d8 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -1980,6 +1980,7 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
> > {
> > struct audit_buffer *ab;
> > uid_t uid, oldloginuid, loginuid;
> > + struct tty_struct *tty;
> >
> > if (!audit_enabled)
> > return;
> > @@ -1987,14 +1988,17 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
> > uid = from_kuid(&init_user_ns, task_uid(current));
> > oldloginuid = from_kuid(&init_user_ns, koldloginuid);
> > loginuid = from_kuid(&init_user_ns, kloginuid),
> > + tty = audit_get_tty(current);
> >
> > ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
> > if (!ab)
> > return;
> > audit_log_format(ab, "pid=%d uid=%u", task_pid_nr(current), uid);
> > audit_log_task_context(ab);
> > - audit_log_format(ab, " old-auid=%u auid=%u old-ses=%u ses=%u res=%d",
> > - oldloginuid, loginuid, oldsessionid, sessionid, !rc);
> > + audit_log_format(ab, " old-auid=%u auid=%u tty=%s old-ses=%u ses=%u res=%d",
> > + oldloginuid, loginuid, tty ? tty_name(tty) : "(none)",
> > + oldsessionid, sessionid, !rc);
> > + audit_put_tty(tty);
> > audit_log_end(ab);
> > }
> >
> >
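Review bot: audit_get_tty(current) is called before audit_log_start(), so the early `if (!ab) return;` leaks the tty kref; either move the audit_get_tty() call below that check or add audit_put_tty(tty) before the return. Separately, the context line above the new assignment ends in a comma (`loginuid = from_kuid(&init_user_ns, kloginuid),`), so `tty = audit_get_tty(current);` becomes the right-hand side of a comma expression; it compiles and behaves, but that comma should be a semicolon while this line is being touched.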
>
- RGB
^ permalink raw reply
* RE: audit 2.5.1 released
From: Manuel Scunthorpe @ 2016-04-28 2:45 UTC (permalink / raw)
To: linux-audit@redhat.com
In-Reply-To: <176682998.5729077.1461811556032.JavaMail.yahoo.ref@mail.yahoo.com>
The build fails on Arch Linux with OpenRC when configure is given the option --enable-systemd=no.
It seems to work and build the package but fails at the end; I think it is a makefile error. I wanted to build the package with static libs rather than use the precompiled Arch version. I tried the standard 2.4.4 version in ABS, then modified it slightly to build the latest 2.5.1 version; they both gave the same result. For 2.5.1 I used this command, as the checksums were different from 2.4.4, with the modified PKGBUILD, which I attached to this message along with the log files, although they stop just before the sed error.
$ makepkg -L --skipinteg
The end of the build finishes like this:
make[2]: Nothing to be done for 'install-exec-am'.
make[2]: Nothing to be done for 'install-data-am'.
make[2]: Leaving directory '/home/steve/build/a3udit/src/audit-2.5.1'
make[1]: Leaving directory '/home/steve/build/a3udit/src/audit-2.5.1'
sed: can't read usr/lib/systemd/system/auditd.service: No such file or directory
==> ERROR: A failure occurred in package().
Aborting...
I did build the 2.4.4 version successfully earlier by setting --enable-systemd=yes, but I don't know if that would break anything or simply create an unused .service file. There is a problem with this build config option though.
[-- Attachment #2: auditfiles.tar.xz --]
[-- Type: application/octet-stream, Size: 14076 bytes --]
^ permalink raw reply
* Re: [PATCH V4] audit: add tty field to LOGIN event
From: Peter Hurley @ 2016-04-28 3:05 UTC (permalink / raw)
To: Richard Guy Briggs; +Cc: linux-audit, pmoore, linux-kernel, sgrubb, eparis
In-Reply-To: <20160428013140.GD18994@madcap2.tricolour.ca>
On 04/27/2016 06:31 PM, Richard Guy Briggs wrote:
> On 16/04/22, Peter Hurley wrote:
>> On 04/21/2016 11:14 AM, Richard Guy Briggs wrote:
>>> The tty field was missing from AUDIT_LOGIN events.
>>>
>>> Refactor code to create a new function audit_get_tty(), using it to
>>> replace the call in audit_log_task_info() and to add it to
>>> audit_log_set_loginuid(). Lock and bump the kref to protect it, adding
>>> audit_put_tty() alias to decrement it.
>>>
>>> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
>>> ---
>>>
>>> V4: Add missing prototype for audit_put_tty() when audit syscall is not
>>> enabled (MIPS).
>>>
>>> V3: Introduce audit_put_tty() alias to decrement kref.
>>>
>>> V2: Use kref to protect tty signal struct while in use.
>>>
>>> ---
>>>
>>> include/linux/audit.h | 24 ++++++++++++++++++++++++
>>> kernel/audit.c | 18 +++++-------------
>>> kernel/auditsc.c | 8 ++++++--
>>> 3 files changed, 35 insertions(+), 15 deletions(-)
>>>
>>> diff --git a/include/linux/audit.h b/include/linux/audit.h
>>> index b40ed5d..32cdafb 100644
>>> --- a/include/linux/audit.h
>>> +++ b/include/linux/audit.h
>>> @@ -26,6 +26,7 @@
>>> #include <linux/sched.h>
>>> #include <linux/ptrace.h>
>>> #include <uapi/linux/audit.h>
>>> +#include <linux/tty.h>
>>>
>>> #define AUDIT_INO_UNSET ((unsigned long)-1)
>>> #define AUDIT_DEV_UNSET ((dev_t)-1)
>>> @@ -343,6 +344,23 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
>>> return tsk->sessionid;
>>> }
>>>
>>> +static inline struct tty_struct *audit_get_tty(struct task_struct *tsk)
>>> +{
>>> + struct tty_struct *tty = NULL;
>>> + unsigned long flags;
>>> +
>>> + spin_lock_irqsave(&tsk->sighand->siglock, flags);
>>> + if (tsk->signal)
>>> + tty = tty_kref_get(tsk->signal->tty);
>>> + spin_unlock_irqrestore(&tsk->sighand->siglock, flags);
>>
>>
>> Not that I'm objecting because I get that you're just refactoring
>> existing code, but I thought I'd point out some stuff.
>>
>> 1. There's no need to check if signal_struct is NULL (ie. tsk->signal)
>> because if it is, this will blow up trying to dereference the
>> sighand_struct (ie tsk->sighand).
>
> Ok. This logic goes back 10 years and one month less two days. (45d9bb0e)
>
>> 2. The existing usage is always tsk==current
>
> My understanding is that when it is called via:
>
>   copy_process()
>     audit_free()
>       __audit_free()
>         audit_log_exit()
>           audit_log_task_info()
>
> then tsk != current.
While it's true that tsk != current here, everything relevant to tty
in task_struct is the same because the nascent task is not even half-done.
So tsk->sighand == current->sighand, tsk->signal == current->signal etc.
If you're uncomfortable with pass-through execution like that, then the
simple solution is:
        struct tty_struct *tty = NULL;

        /* tsk != current when copy_process() failed */
        if (tsk == current)
                tty = get_current_tty();
because tty_kref_put(tty) accepts NULL tty and (obviously) so does
tty_name(tty).
Regards,
Peter Hurley
> This appears to be the only case which appears to
> force lugging around tsk. This is noted in that commit referenced
> above.
>
>> 3. If the idea is to make this invulnerable to tsk being gone, then
>> the usage is unsafe anyway.
>>
>>
>> So ultimately (but not necessarily for this patch) I'd prefer that either
>> a. audit use existing tty api instead of open-coding, or
>> b. add any tty api functions required.
>
> This latter option did cross my mind...
>
>> Peter Hurley
>>
>>> + return tty;
>>> +}
>>> +
>>> +static inline void audit_put_tty(struct tty_struct *tty)
>>> +{
>>> + tty_kref_put(tty);
>>> +}
>>> +
>>> extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
>>> extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
>>> extern void __audit_bprm(struct linux_binprm *bprm);
>>> @@ -500,6 +518,12 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
>>> {
>>> return -1;
>>> }
>>> +static inline struct tty_struct *audit_get_tty(struct task_struct *tsk)
>>> +{
>>> + return NULL;
>>> +}
>>> +static inline void audit_put_tty(struct tty_struct *tty)
>>> +{ }
>>> static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
>>> { }
>>> static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid,
>>> diff --git a/kernel/audit.c b/kernel/audit.c
>>> index 3a3e5de..7edd776 100644
>>> --- a/kernel/audit.c
>>> +++ b/kernel/audit.c
>>> @@ -64,7 +64,6 @@
>>> #include <linux/security.h>
>>> #endif
>>> #include <linux/freezer.h>
>>> -#include <linux/tty.h>
>>> #include <linux/pid_namespace.h>
>>> #include <net/netns/generic.h>
>>>
>>> @@ -1873,21 +1872,14 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
>>> {
>>> const struct cred *cred;
>>> char comm[sizeof(tsk->comm)];
>>> - char *tty;
>>> + struct tty_struct *tty;
>>>
>>> if (!ab)
>>> return;
>>>
>>> /* tsk == current */
>>> cred = current_cred();
>>> -
>>> - spin_lock_irq(&tsk->sighand->siglock);
>>> - if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
>>> - tty = tsk->signal->tty->name;
>>> - else
>>> - tty = "(none)";
>>> - spin_unlock_irq(&tsk->sighand->siglock);
>>> -
>>> + tty = audit_get_tty(tsk);
>>> audit_log_format(ab,
>>> " ppid=%d pid=%d auid=%u uid=%u gid=%u"
>>> " euid=%u suid=%u fsuid=%u"
>>> @@ -1903,11 +1895,11 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
>>> from_kgid(&init_user_ns, cred->egid),
>>> from_kgid(&init_user_ns, cred->sgid),
>>> from_kgid(&init_user_ns, cred->fsgid),
>>> - tty, audit_get_sessionid(tsk));
>>> -
>>> + tty ? tty_name(tty) : "(none)",
>>> + audit_get_sessionid(tsk));
>>> + audit_put_tty(tty);
>>> audit_log_format(ab, " comm=");
>>> audit_log_untrustedstring(ab, get_task_comm(comm, tsk));
>>> -
>>> audit_log_d_path_exe(ab, tsk->mm);
>>> audit_log_task_context(ab);
>>> }
>>> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
>>> index 195ffae..71e14d8 100644
>>> --- a/kernel/auditsc.c
>>> +++ b/kernel/auditsc.c
>>> @@ -1980,6 +1980,7 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
>>> {
>>> struct audit_buffer *ab;
>>> uid_t uid, oldloginuid, loginuid;
>>> + struct tty_struct *tty;
>>>
>>> if (!audit_enabled)
>>> return;
>>> @@ -1987,14 +1988,17 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
>>> uid = from_kuid(&init_user_ns, task_uid(current));
>>> oldloginuid = from_kuid(&init_user_ns, koldloginuid);
>>> loginuid = from_kuid(&init_user_ns, kloginuid),
>>> + tty = audit_get_tty(current);
>>>
>>> ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
>>> if (!ab)
>>> return;
>>> audit_log_format(ab, "pid=%d uid=%u", task_pid_nr(current), uid);
>>> audit_log_task_context(ab);
>>> - audit_log_format(ab, " old-auid=%u auid=%u old-ses=%u ses=%u res=%d",
>>> - oldloginuid, loginuid, oldsessionid, sessionid, !rc);
>>> + audit_log_format(ab, " old-auid=%u auid=%u tty=%s old-ses=%u ses=%u res=%d",
>>> + oldloginuid, loginuid, tty ? tty_name(tty) : "(none)",
>>> + oldsessionid, sessionid, !rc);
>>> + audit_put_tty(tty);
>>> audit_log_end(ab);
>>> }
>>>
>>>
>>
>
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Kernel Security Engineering, Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635
>
^ permalink raw reply
* Re: PID's Mapping
From: Deepika Sundar @ 2016-04-28 5:42 UTC (permalink / raw)
To: Steve Grubb, rgb, linux-audit
In-Reply-To: <CAHj_pNfqHdkPruyYF-6SG3b7CQF-O48_35EvsAOWJ09AuW4Pzg@mail.gmail.com>
Thank you for the replies.
As per my understanding, root as admin has control over all the
namespaces. If this is correct,
(i) should root have access to all namespace-related info,
for example, which PIDs in the host are mapped to which PIDs in the namespace?
If not,
(ii) should init only have access to its own processes and not have
access to other namespaces?
Is this a design limitation, or is it designed for better security?
On Wed, Apr 27, 2016 at 4:49 PM, Deepika Sundar <sundar.deepika18@gmail.com>
wrote:
> As per the rule, root (admin) is the one who is monitoring the system's
> information. So there must exist some namespace information in the proc field
> for the namespace-related PID in global. Is the way I'm approaching the
> namespace-related stuff correct?
>
>
> -Deepika
>
> On Mon, Apr 25, 2016 at 12:24 PM, Deepika Sundar <
> sundar.deepika18@gmail.com> wrote:
>
>> Yeah.
>> When the PIDs which are in the namespace application have different PIDs
>> compared to the global PIDs, there would be some means to map the PIDs at the
>> kernel level. Can anyone suggest how it can be mapped?
>>
>> On Wed, Apr 20, 2016 at 6:03 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>>
>>> On Wednesday, April 20, 2016 10:06:38 AM Deepika Sundar wrote:
>>> > Is there any way that can be suggested as to map PID's of namespace in
>>> > global?
>>>
>>> This is on the TODO list. We have been kicking around several ideas but
>>> have not come to a conclusion about what exactly needs to be done. The
>>> upshot of this is that basically containers have no support.
>>>
>>> -Steve
>>>
>>>
>>> > On Mon, Apr 18, 2016 at 8:47 PM, Paul Moore <paul@paul-moore.com>
>>> wrote:
>>> > > Please ask your question on the mailing list so that everyone can
>>> benefit.
>>> > >
>>> > > On Mon, Apr 18, 2016 at 1:34 AM, Deepika Sundar
>>> > >
>>> > > <sundar.deepika18@gmail.com> wrote:
>>> > > > How it can be achieved ,Can I get any idea on this?
>>> > > >
>>> > > > On Fri, Apr 15, 2016 at 4:12 AM, Paul Moore <paul@paul-moore.com>
>>> wrote:
>>> > > >> On Wed, Apr 13, 2016 at 1:43 AM, sowndarya kumar
>>> > > >>
>>> > > >> <sowndarya.nadar@gmail.com> wrote:
>>> > > >> > Hi
>>> > > >> >
>>> > > >> > Is there any way to map the PID's seen in the namespace
>>> application
>>> > >
>>> > > with
>>> > >
>>> > > >> > the
>>> > > >> > PID's seen in global?
>>> > > >> > If it can be done please provide the documentation or idea on
>>> how it
>>> > >
>>> > > can
>>> > >
>>> > > >> > be
>>> > > >> > done.
>>> > > >>
>>> > > >> In general the audit subsystem doesn't pay attention to
>>> namespaces,
>>> > > >> all PIDs reported to userspace are reported with respect to the
>>> init
>>> > > >> namespace.
>>> > > >>
>>> > > >> --
>>> > > >> paul moore
>>> > > >> www.paul-moore.com
>>> > > >>
>>> > > >> --
>>> > > >> Linux-audit mailing list
>>> > > >> Linux-audit@redhat.com
>>> > > >> https://www.redhat.com/mailman/listinfo/linux-audit
>>> > >
>>> > > --
>>> > > paul moore
>>> > > www.paul-moore.com
>>>
>>>
>>
>
* Re: New field to auditd.conf file
From: Deepika Sundar @ 2016-04-28 5:59 UTC (permalink / raw)
To: Richard Guy Briggs, linux-audit, Paul Moore
In-Reply-To: <20160426003738.GA18488@madcap2.tricolour.ca>
Thank you for all the replies, and sorry, I am new to this audit subsystem field.
I am facing the problem in the initial stage itself: where to add the
new field in the source code. As per my understanding of the code below,
is it possible to fine-tune it by adding a new field, say "APPLICATION ID", in
that structure?
If not possible, what is the impact? OR
Is it possible to add a new member without any impact?
Please suggest some idea of where a new field can be added in the audit
structure without breaking compatibility. Provide documentation where I
can refer to do this.
Once I am clear with the method I can share the code for review.
kernel/audit.c (the "+" marks the line where I would add the new
"APPLICATION ID" field):

    void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
    {
        const struct cred *cred;
        char comm[sizeof(tsk->comm)];
        char *tty;

        if (!ab)
            return;

        /* tsk == current */
        cred = current_cred();

        spin_lock_irq(&tsk->sighand->siglock);
        if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
            tty = tsk->signal->tty->name;
        else
            tty = "(none)";
        spin_unlock_irq(&tsk->sighand->siglock);

        audit_log_format(ab,
                 " ppid=%d pid=%d auid=%u uid=%u gid=%u"
                 " euid=%u suid=%u fsuid=%u"
                 " egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
                 task_ppid_nr(tsk),
                 task_pid_nr(tsk),
                 from_kuid(&init_user_ns, audit_get_loginuid(tsk)),
                 from_kuid(&init_user_ns, cred->uid),
                 from_kgid(&init_user_ns, cred->gid),
                 from_kuid(&init_user_ns, cred->euid),
                 from_kuid(&init_user_ns, cred->suid),
                 from_kuid(&init_user_ns, cred->fsuid),
                 from_kgid(&init_user_ns, cred->egid),
                 from_kgid(&init_user_ns, cred->sgid),
                 from_kgid(&init_user_ns, cred->fsgid),
    +            tty, audit_get_sessionid(tsk), ApplicationID............);
                 /* + proposed new "APPLICATION ID" field goes here */

        audit_log_format(ab, " comm=");
        audit_log_untrustedstring(ab, get_task_comm(comm, tsk));
        audit_log_d_path_exe(ab, tsk->mm);
        audit_log_task_context(ab);
    }
On Tue, Apr 26, 2016 at 6:07 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> On 16/04/25, Deepika Sundar wrote:
> > I wanted to add the namespace information in the audit record for example
> > pid_ns,user_ns,net_ns ,Is there any possibility to add this field inside
> > Audit structure?
>
> We've been looking at this issue for several years now and don't have an
> obvious solution yet. There has been discussion on this list. It is on
> the radar:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1045666
>
>
> > On Thu, Apr 21, 2016 at 6:28 PM, Paul Moore <pmoore@redhat.com> wrote:
> > > As we've already mentioned several times, we can make no guarantees
> > > regarding functionality or compatibility without seeing your code.
> > > While it may be frustrating, this is how Open Source development
> > > works.
> > >
> > > If you are interested in our help you will need to describe, in
> > > detail, what you are trying to do and ideally post your existing code
> > > so it can be reviewed.
> > >
> > > On Thu, Apr 21, 2016 at 1:25 AM, Deepika Sundar
> > > <sundar.deepika18@gmail.com> wrote:
> > > > Okay,If I update the Ausearch/aureport in order to aware of the new
> > > field in
> > > > the audit log structure can it be feasible one?
> > > >
> > > > On Wed, Apr 20, 2016 at 6:00 PM, Steve Grubb <sgrubb@redhat.com>
> wrote:
> > > >>
> > > >> On Wednesday, April 20, 2016 10:05:42 AM Deepika Sundar wrote:
> > > >> > In general way,Is there any compatibility issues if audit log
> > > structure
> > > >> > gets modified?
> > > >>
> > > >> Yes, there can be problems if the log structure gets modified.
> > > >> Ausearch/report
> > > >> are highly optimized for an exact format.
> > > >>
> > > >> -Steve
> > > >>
> > > >>
> > > >> > On Wed, Apr 13, 2016 at 6:01 PM, Steve Grubb <sgrubb@redhat.com>
> > > wrote:
> > > >> > > On Wednesday, April 13, 2016 11:03:43 AM Deepika Sundar wrote:
> > > >> > > > As per my understanding audit log structure can be extendible
> > > based
> > > >> > > > on
> > > >> > > > requirements and in my project I need to add the identifier
> field
> > > >> > > > for
> > > >> > > > the
> > > >> > > > application and as of now I couldn't able to revel the What
> > > >> > > > application
> > > >> > > > trying to develop to update.So,Is there any possibility that
> > > without
> > > >> > > > breaking any Compatibility issues I can do it ?
> > > >> > >
> > > >> > > I have no idea what you are doing so there is no guarantee that
> it
> > > >> > > won't
> > > >> > > break
> > > >> > > something. If your project is going to be released as open
> source
> > > its
> > > >> > > generally best to collaborate with people so that problems can
> be
> > > >> > > pointed
> > > >> > > out.
> > > >> > > Otherwise you risk spending a lot of time on something only to
> have
> > > it
> > > >> > > rejected.
> > > >> > >
> > > >> > > -Steve
> > > >> > >
> > > >> > > > OR If any compatibility issues please specify .
> > > >> > > >
> > > >> > > > On Fri, Apr 8, 2016 at 12:12 AM, Paul Moore <
> paul@paul-moore.com>
> > > >> > > > wrote:
> > > >> > > > > On Thu, Apr 7, 2016 at 12:47 AM, Deepika Sundar
> > > >> > > > >
> > > >> > > > > <sundar.deepika18@gmail.com> wrote:
> > > >> > > > > > In the same way, in the kernel side
> > > >> > > > > > Can I able to add one new field to the audit log structure
> > > >> > > > > > without
> > > >> > > > >
> > > >> > > > > breaking
> > > >> > > > >
> > > >> > > > > > Compatibility? If so,
> > > >> > > > > >
> > > >> > > > > > 1.How can I add new field without breaking
> compatibility?
> > > >> > > > > >
> > > >> > > > > > or
> > > >> > > > > >
> > > >> > > > > > 2.Is there any reserve field in audit log structure so
> that
> > > I
> > > >> > > > > > can
> > > >> > >
> > > >> > > make
> > > >> > >
> > > >> > > > > use
> > > >> > > > >
> > > >> > > > > > of it?
> > > >> > > > >
> > > >> > > > > You need to be more specific about what you are trying to
> do.
> > > >> > > > > Speaking generally, unless you work to get your changed
> merged
> > > >> > > > > into
> > > >> > > > > the upstream kernel and userspace tools we cannot guarantee
> > > >> > > > > present or
> > > >> > > > > future compatibility.
> > > >> > > > >
> > > >> > > > > --
> > > >> > > > > paul moore
> > > >> > > > > www.paul-moore.com
> > > >>
> > > >
> > > >
> > > > --
> > > > Linux-audit mailing list
> > > > Linux-audit@redhat.com
> > > > https://www.redhat.com/mailman/listinfo/linux-audit
> > >
> > >
> > >
> > > --
> > > paul moore
> > > security @ redhat
> > >
>
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
>
>
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Kernel Security Engineering, Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635
>
* Re: audit review question
From: Steve Grubb @ 2016-04-28 15:09 UTC (permalink / raw)
To: linux-audit
In-Reply-To: <BY1PR09MB08876A7BF5D3D5824EA00409C7640@BY1PR09MB0887.namprd09.prod.outlook.com>
On Wednesday, April 27, 2016 09:10:39 PM Warron S French wrote:
> I have a scenario that I need a little help understanding how to work
> through in an isolated environment of 1 server and 6 workstations (7
> machines). The 7 machines are all running CentOS-6.7 and selinux =
> disabled.
>
> All 6 workstations are configured through rsyslog.conf to send audit data to
> the server, and I have (but apparently not successfully configured general
> system messages to also report back to the same server). I am using the
> conventional filesystems for each, but the directory structure below is
> different.
Rsyslog will likely mangle the audit lines such that they are no longer in the
native audit format. I don't know if its headers can be stripped as it writes
to disk.
> For audit, I use, /var/log/audit/2016/04/27/wk{1..6}_audit.log the
> directory per day and per month and per year are auto created
> (miraculously). For system messages, and I know this isn't the forum to get
> help on this so I will only list the directory is -
> /var/log/2016/04/27/wk{1..6}_syslog.log.
>
> Now that I am doing this, and successfully, I want to test that the security
> auditors will be able to do their job properly, as well as I am trying to
> comply with some security constraint that requires me to centralize the
> logdata into a single server (hence the major driver for all of this).
>
> I know that there is the aureport and ausearch command, but I am not sure
> that I am able to figure out the correct command-line structure to test
> that audit-data is getting into the appropriate file, on each day of the
> year, on a per serverName basis.
>
> If a real-world situation occurred that the Security Auditors were asking to
> find out how many machines did userX attempt to log into, what would be the
> appropriate command for the example audit directory I listed above
> (/var/log/audit/2016/04/27/wk{1..6}_audit.log), because I am not sure I am
> running the command with the appropriate switches to scan the files
> properly?
>
> I used:
>
> * aureport -if /var/log/audit/2016/04/27/ and it didn't like the
> input,
Probably due to the header it inserts to each record. But this is how you
should do it.
> * aureport -if /var/log/audit/2016/04/27/* and it didn't like the
> input, am I using the command improperly?
You shouldn't need the '*'. If the passed option is a dir, then it
automatically looks for more files. But note that the native rotation is
audit.log <- newest
audit.log.1
audit.log.2
audit.log.3 <- oldest
rsyslog would also have to use this scheme. I have never investigated if it
does. That does not mean that a wrapper script couldn't be made to walk the
files in rsyslog's order and send them to aureport via stdin. You could
probably even add a sed command to strip the rsyslog headers from each record.
Not the best answer, but once it hits rsyslog, it can change the record in
ways that are unknown to me.
-Steve
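As an added example (not Steve's code and not part of the audit project), the wrapper sketched above: it restores the native record from each rsyslog-prefixed line, tags the record with the host taken from the per-host file name when the node= field is missing, and hands everything to aureport on stdin. It assumes the rsyslog line layout "Mon DD HH:MM:SS host tag: <record>" and the /var/log/audit/YYYY/MM/DD/<host>_audit.log naming from this thread; awk is used in place of sed so the cut lands on the first matching token.

```shell
#!/bin/sh
# Added example, not code from the thread or from the audit project.
# Assumed (not stated in the thread): rsyslog writes each forwarded
# record as "Mon DD HH:MM:SS host tag: <audit record>", where the record
# begins at "node=<host> type=..." or at "type=...".

# Restore the native audit record from an rsyslog line.  awk is used
# instead of sed so the cut lands on the first " node="/" type=" token,
# not on a later one inside the record.  If a host name is given and the
# record carries no node= field, one is prepended so that per-host
# reporting still works.  Lines with no audit record are dropped.
strip_rsyslog_header() {
    awk -v host="${1:-}" '
        function emit(rec) {
            if (host != "" && rec !~ /^node=/)
                rec = "node=" host " " rec
            print rec
        }
        /^(node=|type=)/ { emit($0); next }   # already native
        {
            i = index($0, " node=")
            if (i == 0) i = index($0, " type=")
            if (i > 0) emit(substr($0, i + 1))
        }'
}

# Distinct hosts on which the given audit uid produced a USER_LOGIN
# record, read from native records on stdin.  This answers the auditors'
# "how many machines did userX attempt to log into" question without
# aureport; it counts failed attempts as well as successes.
hosts_for_user() {
    awk -v want="auid=$1" '
        /^node=/ && / type=USER_LOGIN / {
            for (i = 1; i <= NF; i++)
                if ($i == want) { seen[$1] = 1; break }
        }
        END { for (n in seen) print n }' | sed 's/^node=//' | sort
}

# Walk one day directory, e.g. /var/log/audit/2016/04/27, take the host
# from each file name (wk1_audit.log -> wk1), strip the headers and send
# everything to aureport on stdin, as suggested in the reply above.
report_day() {
    for f in "$1"/*_audit.log; do
        [ -f "$f" ] || continue
        host=$(basename "$f" _audit.log)
        strip_rsyslog_header "$host" < "$f"
    done | aureport -au -i
}

# Constructed sample input in the assumed rsyslog layout (not real logs):
# a record that kept its node= field, one that lost it, one that is
# already native, and a non-audit line.
sample_lines() {
    cat <<'EOF'
Apr 27 10:00:01 wk1 audispd: node=wk1 type=USER_LOGIN msg=audit(1461751201.123:456): pid=2201 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=/dev/pts/0 res=success'
Apr 27 10:00:02 wk2 audispd: type=USER_LOGIN msg=audit(1461751202.500:789): pid=2300 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=/dev/pts/1 res=failed'
type=USER_LOGIN msg=audit(1461751203.001:790): pid=2310 uid=0 auid=1001 ses=5 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.11 terminal=/dev/pts/2 res=success'
Apr 27 10:00:04 wk2 kernel: eth0: link up
EOF
}

# Demo when run directly: with the file-name host "wk2" supplied, user
# 1000 is seen on wk1 and wk2.
if [ "${1:-}" = "demo" ]; then
    sample_lines | strip_rsyslog_header wk2 | hosts_for_user 1000
fi
```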
* RE: audit review question
From: Warron S French @ 2016-04-28 15:50 UTC (permalink / raw)
To: Steve Grubb, linux-audit@redhat.com
In-Reply-To: <5168316.VjEz05O2MH@x2>
Steve, thanks for your replies to all of my questions.
Can you please send me a walk-through document for trying to send the 6 workstations' and 1 server's audit-data into the same directory structure? Something that will definitely work, please?
I have a VM environment that I can make changes on and then test, so I would be very grateful for any cooperation I could get.
My intent is to have all the machines log data to the same machine. I want the system security auditors to be able to use the typical aureport and ausearch commands (that I know you write).
So, I have to ask, can this be done, and the audit logs be parsed on a per-hostname basis?
Can they be stored in directories that are /var/log/audit/YYYY/MM/DD/Hostname_audit.log format - or is that inadvisable considering the intention to continue to support/use the two commands: aureport and ausearch? What would you advise - please?
I am aware of the /etc/audisp directory, which I am sure is associated with the audispd daemon, but I don't have the foggiest clue of how to configure them together.
It is only because of stumbling around for the last 2 years (and very feverishly the last 2 days) that I have learned how to use the auditctl and aureport commands. I want to do this correctly, and I want to do it consistently with "industry standards" so that I can continue to get support from people like the folks in this 'forum.'
Thanks, for any advice and useful links you can share. I am certain that as you provide them and I read them it will force me to ask even more questions. I hope you don't mind.
Warron French, MBA, SCSA
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Thursday, April 28, 2016 11:10 AM
To: linux-audit@redhat.com
Cc: Warron S French <warron.s.french@aero.org>
Subject: Re: audit review question
On Wednesday, April 27, 2016 09:10:39 PM Warron S French wrote:
> I have a scenario that I need a little help understanding how to work
> through in an isolated environment of 1 server and 6 workstations (7
> machines). The 7 machines are all running CentOS-6.7 and selinux =
> disabled.
>
> All 6 workstations are configured through rsyslog.conf to send audit
> data to the server, and I have (but apparently not successfully
> configured general system messages to also report back to the same
> server). I am using the conventional filesystems for each, but the
> directory structure below is different.
Rsyslog will likely mangle the audit lines such that they are no longer in the native audit format. I don't know if its headers can be stripped as it writes to disk.
> For audit, I use, /var/log/audit/2016/04/27/wk{1..6}_audit.log the
> directory per day and per month and per year are auto created
> (miraculously). For system messages, and I know this isn't the forum
> to get help on this so I will only list the directory is -
> /var/log/2016/04/27/wk{1..6}_syslog.log.
>
> Now that I am doing this, and successfully, I want to test that the
> security auditors will be able to do their job properly, as well as I
> am trying to comply with some security constraint that requires me to
> centralize the logdata into a single server (hence the major driver for all of this).
>
> I know that there is the aureport and ausearch command, but I am not
> sure that I am able to figure out the correct command-line structure
> to test that audit-data is getting into the appropriate file, on each
> day of the year, on a per serverName basis.
>
> If a real-world situation occurred that the Security Auditors were
> asking to find out how many machines did userX attempt to log into,
> what would be the appropriate command for the example audit directory
> I listed above (/var/log/audit/2016/04/27/wk{1..6}_audit.log), because
> I am not sure I am running the command with the appropriate switches
> to scan the files properly?
>
> I used:
>
> * aureport -if /var/log/audit/2016/04/27/ and it didn't like the
> input,
Probably due to the header it inserts to each record. But this is how you should do it.
> * aureport -if /var/log/audit/2016/04/27/* and it didn't like the
> input, am I using the command improperly?
You shouldn't need the '*'. If the passed option is a dir, then it
automatically looks for more files. But note that the native rotation is
audit.log <- newest
audit.log.1
audit.log.2
audit.log.3 <- oldest
rsyslog would also have to use this scheme. I have never investigated if it
does. That does not mean that a wrapper script couldn't be made to walk the
files in rsyslog's order and send them to aureport via stdin. You could
probably even add a sed command to strip the rsyslog headers from each record.
Not the best answer, but once it hits rsyslog, it can change the record in
ways that are unknown to me.
-Steve
* Re: audit 2.5.1 released
From: Steve Grubb @ 2016-04-28 16:18 UTC (permalink / raw)
To: linux-audit, Manuel Scunthorpe
In-Reply-To: <176682998.5729077.1461811556032.JavaMail.yahoo@mail.yahoo.com>
On Thursday, April 28, 2016 02:45:55 AM Manuel Scunthorpe wrote:
> The build fails in Arch Linux openrc when configure has the option
> --enable-systemd=no. It seems to work and build the package but fails at the
> end, I think it is a makefile error. I wanted to build the package with
> static libs rather than use the precompiled Arch version. I tried the
> standard 2.4.4 version in ABS then modified it slightly to build the latest
> 2.5.1 version, they both gave the same result. For 2.5.1 I used this command
> as the checksums were different to 2.4.4 and the modified PKGBUILD which I
> attached to this message along with the log files, although they stop just
> before the sed error.
>
> $ makepkg -L --skipinteg
>
> The end of the build finishes like this:
>
> make[2]: Nothing to be done for 'install-exec-am'.
> make[2]: Nothing to be done for 'install-data-am'.
> make[2]: Leaving directory '/home/steve/build/a3udit/src/audit-2.5.1'
> make[1]: Leaving directory '/home/steve/build/a3udit/src/audit-2.5.1'
> sed: can't read usr/lib/systemd/system/auditd.service: No such file or directory
> ==> ERROR: A failure occurred in package().
> Aborting...
The PKGBUILD script can't make up its mind on systemd. In the configure it says
no, but then it tries to sed a systemd file. :-)
make[1]: Leaving directory '/home/steve/build/a3udit/src/audit-2.5.1'
sed: can't read usr/lib/systemd/system/auditd.service: No such file or
directory
==> ERROR: A failure occurred in package().
    Aborting...
If you don't want systemd, then remove the
usr/lib/systemd/system/auditd.service file from the sed command as well as the
chmod of that file. Instead, you probably need to do something with
etc/rc.d/init.d/audit.service.
Also, if you do not need to send audit events to a zos server, then you can
also add --disable-zos-remote which removes a dependency on openldap-devel
which seems unaccounted for in your dependencies but is in your buildroot.
That will also require deleting lines with zos-remote in the PKGBUILD.
-Steve
* Re: [PATCH V4] audit: add tty field to LOGIN event
From: Richard Guy Briggs @ 2016-04-28 19:28 UTC (permalink / raw)
To: Peter Hurley; +Cc: linux-audit, pmoore, linux-kernel, sgrubb, eparis
In-Reply-To: <57217DDF.5070608@hurleysoftware.com>
On 16/04/27, Peter Hurley wrote:
> On 04/27/2016 06:31 PM, Richard Guy Briggs wrote:
> > On 16/04/22, Peter Hurley wrote:
> >> On 04/21/2016 11:14 AM, Richard Guy Briggs wrote:
> >>> The tty field was missing from AUDIT_LOGIN events.
> >>>
> >>> Refactor code to create a new function audit_get_tty(), using it to
> >>> replace the call in audit_log_task_info() and to add it to
> >>> audit_log_set_loginuid(). Lock and bump the kref to protect it, adding
> >>> audit_put_tty() alias to decrement it.
> >>>
> >>> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> >>> ---
> >>>
> >>> V4: Add missing prototype for audit_put_tty() when audit syscall is not
> >>> enabled (MIPS).
> >>>
> >>> V3: Introduce audit_put_tty() alias to decrement kref.
> >>>
> >>> V2: Use kref to protect tty signal struct while in use.
> >>>
> >>> ---
> >>>
> >>> include/linux/audit.h | 24 ++++++++++++++++++++++++
> >>> kernel/audit.c | 18 +++++-------------
> >>> kernel/auditsc.c | 8 ++++++--
> >>> 3 files changed, 35 insertions(+), 15 deletions(-)
> >>>
> >>> diff --git a/include/linux/audit.h b/include/linux/audit.h
> >>> index b40ed5d..32cdafb 100644
> >>> --- a/include/linux/audit.h
> >>> +++ b/include/linux/audit.h
> >>> @@ -26,6 +26,7 @@
> >>> #include <linux/sched.h>
> >>> #include <linux/ptrace.h>
> >>> #include <uapi/linux/audit.h>
> >>> +#include <linux/tty.h>
> >>>
> >>> #define AUDIT_INO_UNSET ((unsigned long)-1)
> >>> #define AUDIT_DEV_UNSET ((dev_t)-1)
> >>> @@ -343,6 +344,23 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
> >>> return tsk->sessionid;
> >>> }
> >>>
> >>> +static inline struct tty_struct *audit_get_tty(struct task_struct *tsk)
> >>> +{
> >>> + struct tty_struct *tty = NULL;
> >>> + unsigned long flags;
> >>> +
> >>> + spin_lock_irqsave(&tsk->sighand->siglock, flags);
> >>> + if (tsk->signal)
> >>> + tty = tty_kref_get(tsk->signal->tty);
> >>> + spin_unlock_irqrestore(&tsk->sighand->siglock, flags);
> >>
> >>
> >> Not that I'm objecting because I get that you're just refactoring
> >> existing code, but I thought I'd point out some stuff.
> >>
> >> 1. There's no need to check if signal_struct is NULL (ie. tsk->signal)
> >> because if it is, this will blow up trying to dereference the
> >> sighand_struct (ie tsk->sighand).
> >
> > Ok. This logic goes back 10 years and one month less two days. (45d9bb0e)
> >
> >> 2. The existing usage is always tsk==current
> >
> > My understanding is that when it is called via:
> >
> > copy_process()
> > audit_free()
> > __audit_free()
> > audit_log_exit()
> > audit_log_task_info()
> >
> > then tsk != current.
>
> While it's true that tsk != current here, everything relevant to tty
> in task_struct is the same because the nascent task is not even half-done.
> So tsk->sighand == current->sighand, tsk->signal == current->signal etc.
I agree this is true except in the case of !CLONE_SIGHAND, if it fails
after copy_sighand() or copy_signal() then it would be null and would
get freed before audit_free() is called. By the time tty gets copied
from current in this case, it is past the point of failure in
copy_process().
> If you're uncomfortable with pass-through execution like that, then the
> simple solution is:
>
> struct tty_struct *tty = NULL;
>
> /* tsk != current when copy_process() failed */
> if (tsk == current)
> tty = get_current_tty();
>
> because tty_kref_put(tty) accepts NULL tty and (obviously) so does
> tty_name(tty).
Given the circumstances above, this appears reasonable to me at first
look.
> Peter Hurley
>
> > This appears to be the only case which appears to
> > force lugging around tsk. This is noted in that commit referenced
> > above.
> >
> >> 3. If the idea is to make this invulnerable to tsk being gone, then
> >> the usage is unsafe anyway.
> >>
> >>
> >> So ultimately (but not necessarily for this patch) I'd prefer that either
> >> a. audit use existing tty api instead of open-coding, or
> >> b. add any tty api functions required.
> >
> > This latter option did cross my mind...
> >
> >> Peter Hurley
> >>
> >>> + return tty;
> >>> +}
> >>> +
> >>> +static inline void audit_put_tty(struct tty_struct *tty)
> >>> +{
> >>> + tty_kref_put(tty);
> >>> +}
> >>> +
> >>> extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
> >>> extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
> >>> extern void __audit_bprm(struct linux_binprm *bprm);
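Review bot: the `if (tsk->signal)` guard in audit_get_tty() cannot do its job, because `spin_lock_irqsave(&tsk->sighand->siglock, flags);` on the line above already dereferences tsk->sighand, and a task without a signal_struct will not have a live sighand_struct either (the copy_process() failure path discussed in this thread is exactly that case, as Peter notes above). Either drop the check, or make the helper test what it actually depends on, e.g. `if (tsk == current) tty = get_current_tty();`, which takes the siglock and the kref internally and leaves tty NULL otherwise. Whichever form is kept, a one-line comment in the header stating that the caller owns a kref and must call audit_put_tty() would help the next reader.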
> >>> @@ -500,6 +518,12 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
> >>> {
> >>> return -1;
> >>> }
> >>> +static inline struct tty_struct *audit_get_tty(struct task_struct *tsk)
> >>> +{
> >>> + return NULL;
> >>> +}
> >>> +static inline void audit_put_tty(struct tty_struct *tty)
> >>> +{ }
> >>> static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
> >>> { }
> >>> static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid,
> >>> diff --git a/kernel/audit.c b/kernel/audit.c
> >>> index 3a3e5de..7edd776 100644
> >>> --- a/kernel/audit.c
> >>> +++ b/kernel/audit.c
> >>> @@ -64,7 +64,6 @@
> >>> #include <linux/security.h>
> >>> #endif
> >>> #include <linux/freezer.h>
> >>> -#include <linux/tty.h>
> >>> #include <linux/pid_namespace.h>
> >>> #include <net/netns/generic.h>
> >>>
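Review bot: kernel/audit.c still calls tty_name() and, through audit_get_tty()/audit_put_tty(), tty_kref_get()/tty_kref_put(), so dropping `#include <linux/tty.h>` here leaves the file depending on the include this patch adds to include/linux/audit.h. Keeping the explicit include in the .c file that uses the API is the usual kernel convention and protects against a later cleanup that replaces the header's include with a `struct tty_struct;` forward declaration.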
> >>> @@ -1873,21 +1872,14 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
> >>> {
> >>> const struct cred *cred;
> >>> char comm[sizeof(tsk->comm)];
> >>> - char *tty;
> >>> + struct tty_struct *tty;
> >>>
> >>> if (!ab)
> >>> return;
> >>>
> >>> /* tsk == current */
> >>> cred = current_cred();
> >>> -
> >>> - spin_lock_irq(&tsk->sighand->siglock);
> >>> - if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
> >>> - tty = tsk->signal->tty->name;
> >>> - else
> >>> - tty = "(none)";
> >>> - spin_unlock_irq(&tsk->sighand->siglock);
> >>> -
> >>> + tty = audit_get_tty(tsk);
> >>> audit_log_format(ab,
> >>> " ppid=%d pid=%d auid=%u uid=%u gid=%u"
> >>> " euid=%u suid=%u fsuid=%u"
> >>> @@ -1903,11 +1895,11 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
> >>> from_kgid(&init_user_ns, cred->egid),
> >>> from_kgid(&init_user_ns, cred->sgid),
> >>> from_kgid(&init_user_ns, cred->fsgid),
> >>> - tty, audit_get_sessionid(tsk));
> >>> -
> >>> + tty ? tty_name(tty) : "(none)",
> >>> + audit_get_sessionid(tsk));
> >>> + audit_put_tty(tty);
> >>> audit_log_format(ab, " comm=");
> >>> audit_log_untrustedstring(ab, get_task_comm(comm, tsk));
> >>> -
> >>> audit_log_d_path_exe(ab, tsk->mm);
> >>> audit_log_task_context(ab);
> >>> }
> >>> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> >>> index 195ffae..71e14d8 100644
> >>> --- a/kernel/auditsc.c
> >>> +++ b/kernel/auditsc.c
> >>> @@ -1980,6 +1980,7 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
> >>> {
> >>> struct audit_buffer *ab;
> >>> uid_t uid, oldloginuid, loginuid;
> >>> + struct tty_struct *tty;
> >>>
> >>> if (!audit_enabled)
> >>> return;
> >>> @@ -1987,14 +1988,17 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
> >>> uid = from_kuid(&init_user_ns, task_uid(current));
> >>> oldloginuid = from_kuid(&init_user_ns, koldloginuid);
> >>> loginuid = from_kuid(&init_user_ns, kloginuid),
> >>> + tty = audit_get_tty(current);
> >>>
> >>> ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
> >>> if (!ab)
> >>> return;
> >>> audit_log_format(ab, "pid=%d uid=%u", task_pid_nr(current), uid);
> >>> audit_log_task_context(ab);
> >>> - audit_log_format(ab, " old-auid=%u auid=%u old-ses=%u ses=%u res=%d",
> >>> - oldloginuid, loginuid, oldsessionid, sessionid, !rc);
> >>> + audit_log_format(ab, " old-auid=%u auid=%u tty=%s old-ses=%u ses=%u res=%d",
> >>> + oldloginuid, loginuid, tty ? tty_name(tty) : "(none)",
> >>> + oldsessionid, sessionid, !rc);
> >>> + audit_put_tty(tty);
> >>> audit_log_end(ab);
> >>> }
> >>>
> >>>
> >>
> >
> > - RGB
> >
> > --
> > Richard Guy Briggs <rgb@redhat.com>
> > Kernel Security Engineering, Base Operating Systems, Red Hat
> > Remote, Ottawa, Canada
> > Voice: +1.647.777.2635, Internal: (81) 32635
> >
>
- RGB
* Re: [PATCH V4] audit: add tty field to LOGIN event
From: Peter Hurley @ 2016-04-28 19:32 UTC (permalink / raw)
To: Richard Guy Briggs; +Cc: linux-audit, pmoore, linux-kernel, sgrubb, eparis
In-Reply-To: <20160428192803.GG18994@madcap2.tricolour.ca>
On 04/28/2016 12:28 PM, Richard Guy Briggs wrote:
> On 16/04/27, Peter Hurley wrote:
>> On 04/27/2016 06:31 PM, Richard Guy Briggs wrote:
>>> On 16/04/22, Peter Hurley wrote:
>>>> On 04/21/2016 11:14 AM, Richard Guy Briggs wrote:
>>>>> The tty field was missing from AUDIT_LOGIN events.
>>>>>
>>>>> Refactor code to create a new function audit_get_tty(), using it to
>>>>> replace the call in audit_log_task_info() and to add it to
>>>>> audit_log_set_loginuid(). Lock and bump the kref to protect it, adding
>>>>> audit_put_tty() alias to decrement it.
>>>>>
>>>>> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
>>>>> ---
>>>>>
>>>>> V4: Add missing prototype for audit_put_tty() when audit syscall is not
>>>>> enabled (MIPS).
>>>>>
>>>>> V3: Introduce audit_put_tty() alias to decrement kref.
>>>>>
>>>>> V2: Use kref to protect tty signal struct while in use.
>>>>>
>>>>> ---
>>>>>
>>>>> include/linux/audit.h | 24 ++++++++++++++++++++++++
>>>>> kernel/audit.c | 18 +++++-------------
>>>>> kernel/auditsc.c | 8 ++++++--
>>>>> 3 files changed, 35 insertions(+), 15 deletions(-)
>>>>>
>>>>> diff --git a/include/linux/audit.h b/include/linux/audit.h
>>>>> index b40ed5d..32cdafb 100644
>>>>> --- a/include/linux/audit.h
>>>>> +++ b/include/linux/audit.h
>>>>> @@ -26,6 +26,7 @@
>>>>> #include <linux/sched.h>
>>>>> #include <linux/ptrace.h>
>>>>> #include <uapi/linux/audit.h>
>>>>> +#include <linux/tty.h>
>>>>>
>>>>> #define AUDIT_INO_UNSET ((unsigned long)-1)
>>>>> #define AUDIT_DEV_UNSET ((dev_t)-1)
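Review bot: pulling <linux/tty.h> into include/linux/audit.h, a header included across the tree, is forced only because audit_get_tty() and audit_put_tty() are static inlines whose bodies call tty_kref_get() and tty_kref_put(); if the two helpers were out-of-line in kernel/audit.c, a forward declaration `struct tty_struct;` would suffice here and the tty.h include could stay local to audit.c instead of being removed from it in the hunk below.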
>>>>> @@ -343,6 +344,23 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
>>>>> return tsk->sessionid;
>>>>> }
>>>>>
>>>>> +static inline struct tty_struct *audit_get_tty(struct task_struct *tsk)
>>>>> +{
>>>>> + struct tty_struct *tty = NULL;
>>>>> + unsigned long flags;
>>>>> +
>>>>> + spin_lock_irqsave(&tsk->sighand->siglock, flags);
>>>>> + if (tsk->signal)
>>>>> + tty = tty_kref_get(tsk->signal->tty);
>>>>> + spin_unlock_irqrestore(&tsk->sighand->siglock, flags);
>>>>
>>>>
>>>> Not that I'm objecting because I get that you're just refactoring
>>>> existing code, but I thought I'd point out some stuff.
>>>>
>>>> 1. There's no need to check if signal_struct is NULL (ie. tsk->signal)
>>>> because if it is, this will blow up trying to dereference the
>>>> sighand_struct (ie tsk->sighand).
>>>
>>> Ok. This logic goes back 10 years and one month less two days. (45d9bb0e)
>>>
>>>> 2. The existing usage is always tsk==current
>>>
>>> My understanding is that when it is called via:
>>>
>>> copy_process()
>>> audit_free()
>>> __audit_free()
>>> audit_log_exit()
>>> audit_log_task_info()
>>>
>>> then tsk != current.
>>
>> While it's true that tsk != current here, everything relevant to tty
>> in task_struct is the same because the nascent task is not even half-done.
>> So tsk->sighand == current->sighand, tsk->signal == current->signal etc.
>
> I agree this is true except in the case of !CLONE_SIGHAND, if it fails
> after copy_sighand() or copy_signal() then it would be null and would
> get freed before audit_free() is called. By the time tty gets copied
> from current in this case, it is past the point of failure in
> copy_process().
Oh, right.
>> If you're uncomfortable with pass-through execution like that, then the
>> simple solution is:
>>
>> struct tty_struct *tty = NULL;
>>
>> /* tsk != current when copy_process() failed */
>> if (tsk == current)
>> tty = get_current_tty();
>>
>> because tty_kref_put(tty) accepts NULL tty and (obviously) so does
>> tty_name(tty).
>
> Given the circumstances above, this appears reasonable to me at first
> look.
Ok.
I'll spend more analysis time before I actually submit a patch for this.
>>> This appears to be the only case which appears to
>>> force lugging around tsk. This is noted in that commit referenced
>>> above.
>>>
>>>> 3. If the idea is to make this invulnerable to tsk being gone, then
>>>> the usage is unsafe anyway.
>>>>
>>>>
>>>> So ultimately (but not necessarily for this patch) I'd prefer that either
>>>> a. audit use existing tty api instead of open-coding, or
>>>> b. add any tty api functions required.
>>>
>>> This latter option did cross my mind...
>>>
>>>> Peter Hurley
>>>>
>>>>> + return tty;
>>>>> +}
>>>>> +
>>>>> +static inline void audit_put_tty(struct tty_struct *tty)
>>>>> +{
>>>>> + tty_kref_put(tty);
>>>>> +}
>>>>> +
>>>>> extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
>>>>> extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
>>>>> extern void __audit_bprm(struct linux_binprm *bprm);
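Review bot: audit_get_tty() guards `tsk->signal` but dereferences `tsk->sighand` unconditionally in `spin_lock_irqsave(&tsk->sighand->siglock, flags);`, so the NULL check protects nothing: on the copy_process() failure path discussed above, where the task may have no sighand, the lock acquisition faults before the check runs. Either guard both pointers or, as Peter suggests, only fetch a tty when tsk == current via get_current_tty(). The helper also hands back a counted reference, so it needs a comment saying the result must be released with audit_put_tty() and that a NULL return is the expected no-tty case.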
>>>>> @@ -500,6 +518,12 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
>>>>> {
>>>>> return -1;
>>>>> }
>>>>> +static inline struct tty_struct *audit_get_tty(struct task_struct *tsk)
>>>>> +{
>>>>> + return NULL;
>>>>> +}
>>>>> +static inline void audit_put_tty(struct tty_struct *tty)
>>>>> +{ }
>>>>> static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
>>>>> { }
>>>>> static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid,
>>>>> diff --git a/kernel/audit.c b/kernel/audit.c
>>>>> index 3a3e5de..7edd776 100644
>>>>> --- a/kernel/audit.c
>>>>> +++ b/kernel/audit.c
>>>>> @@ -64,7 +64,6 @@
>>>>> #include <linux/security.h>
>>>>> #endif
>>>>> #include <linux/freezer.h>
>>>>> -#include <linux/tty.h>
>>>>> #include <linux/pid_namespace.h>
>>>>> #include <net/netns/generic.h>
>>>>>
>>>>> @@ -1873,21 +1872,14 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
>>>>> {
>>>>> const struct cred *cred;
>>>>> char comm[sizeof(tsk->comm)];
>>>>> - char *tty;
>>>>> + struct tty_struct *tty;
>>>>>
>>>>> if (!ab)
>>>>> return;
>>>>>
>>>>> /* tsk == current */
>>>>> cred = current_cred();
>>>>> -
>>>>> - spin_lock_irq(&tsk->sighand->siglock);
>>>>> - if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
>>>>> - tty = tsk->signal->tty->name;
>>>>> - else
>>>>> - tty = "(none)";
>>>>> - spin_unlock_irq(&tsk->sighand->siglock);
>>>>> -
>>>>> + tty = audit_get_tty(tsk);
>>>>> audit_log_format(ab,
>>>>> " ppid=%d pid=%d auid=%u uid=%u gid=%u"
>>>>> " euid=%u suid=%u fsuid=%u"
>>>>> @@ -1903,11 +1895,11 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
>>>>> from_kgid(&init_user_ns, cred->egid),
>>>>> from_kgid(&init_user_ns, cred->sgid),
>>>>> from_kgid(&init_user_ns, cred->fsgid),
>>>>> - tty, audit_get_sessionid(tsk));
>>>>> -
>>>>> + tty ? tty_name(tty) : "(none)",
>>>>> + audit_get_sessionid(tsk));
>>>>> + audit_put_tty(tty);
>>>>> audit_log_format(ab, " comm=");
>>>>> audit_log_untrustedstring(ab, get_task_comm(comm, tsk));
>>>>> -
>>>>> audit_log_d_path_exe(ab, tsk->mm);
>>>>> audit_log_task_context(ab);
>>>>> }
>>>>> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
>>>>> index 195ffae..71e14d8 100644
>>>>> --- a/kernel/auditsc.c
>>>>> +++ b/kernel/auditsc.c
>>>>> @@ -1980,6 +1980,7 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
>>>>> {
>>>>> struct audit_buffer *ab;
>>>>> uid_t uid, oldloginuid, loginuid;
>>>>> + struct tty_struct *tty;
>>>>>
>>>>> if (!audit_enabled)
>>>>> return;
>>>>> @@ -1987,14 +1988,17 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
>>>>> uid = from_kuid(&init_user_ns, task_uid(current));
>>>>> oldloginuid = from_kuid(&init_user_ns, koldloginuid);
>>>>> loginuid = from_kuid(&init_user_ns, kloginuid),
>>>>> + tty = audit_get_tty(current);
>>>>>
>>>>> ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
>>>>> if (!ab)
>>>>> return;
>>>>> audit_log_format(ab, "pid=%d uid=%u", task_pid_nr(current), uid);
>>>>> audit_log_task_context(ab);
>>>>> - audit_log_format(ab, " old-auid=%u auid=%u old-ses=%u ses=%u res=%d",
>>>>> - oldloginuid, loginuid, oldsessionid, sessionid, !rc);
>>>>> + audit_log_format(ab, " old-auid=%u auid=%u tty=%s old-ses=%u ses=%u res=%d",
>>>>> + oldloginuid, loginuid, tty ? tty_name(tty) : "(none)",
>>>>> + oldsessionid, sessionid, !rc);
>>>>> + audit_put_tty(tty);
>>>>> audit_log_end(ab);
>>>>> }
>>>>>
>>>>>
>>>>
>>>
>>> - RGB
>>>
>>> --
>>> Richard Guy Briggs <rgb@redhat.com>
>>> Kernel Security Engineering, Base Operating Systems, Red Hat
>>> Remote, Ottawa, Canada
>>> Voice: +1.647.777.2635, Internal: (81) 32635
>>>
>>
>
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Kernel Security Engineering, Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635
>
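The patch above inserts a tty= field into the LOGIN record between auid= and old-ses=, and the later thread on adding fields notes that ausearch is tuned for an exact record format. As an added example, not code from this thread or from the audit project, the parser below reads records by field name so it handles both LOGIN shapes and decodes the hex form the kernel uses for untrusted strings, while the positional reader beside it shows what breaks when a field is inserted mid-record. All sample lines are constructed, not captured from a real system.

```python
import re
from typing import Optional

# Constructed sample records (not captured from a real system). The first has
# the LOGIN shape produced before the patch, the second the shape after it,
# with tty= between auid= and old-ses=. The third is a SYSCALL-style record
# whose comm= value is hex-encoded, the form audit_log_untrustedstring() uses
# for strings containing spaces, quotes or control characters.
SAMPLE_LOGIN_OLD = (
    "type=LOGIN msg=audit(1461869263.123:456): pid=1234 uid=0 "
    "subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 "
    "old-auid=4294967295 auid=1000 old-ses=4294967295 ses=3 res=1"
)
SAMPLE_LOGIN_NEW = (
    "type=LOGIN msg=audit(1461869263.123:457): pid=1234 uid=0 "
    "subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 "
    "old-auid=4294967295 auid=1000 tty=pts0 old-ses=4294967295 ses=3 res=1"
)
SAMPLE_HEX_COMM = (
    "type=SYSCALL msg=audit(1461869263.130:458): arch=c000003e syscall=59 "
    "success=yes exit=0 ppid=1 pid=1235 auid=1000 uid=1000 gid=1000 "
    'tty=pts0 ses=3 comm=6D7920636F6D6D616E64 exe="/usr/bin/env"'
)

# Fields the kernel logs through audit_log_untrustedstring(): quoted when
# printable, hex-encoded otherwise. Numeric fields are never decoded, since
# a value such as pid=1234 is also a valid hex string.
UNTRUSTED_FIELDS = {"comm", "exe", "proctitle", "cwd", "name", "key"}

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\(([0-9.]+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\S+?)=("[^"]*"|\S*)')
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")


def decode_value(key: str, raw: str) -> str:
    """Undo the kernel's string encoding for one field value."""
    if raw.startswith('"') and raw.endswith('"') and len(raw) >= 2:
        return raw[1:-1]
    if key in UNTRUSTED_FIELDS and HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_record(line: str) -> dict:
    """Parse one audit record into its header and a name-keyed field map.

    Because fields are looked up by name, a record carrying the new tty=
    field and one without it both parse; a consumer simply sees an absent
    key when the field is not present.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line[:40])
    rtype, ts, serial, body = m.groups()
    fields = {key: decode_value(key, raw) for key, raw in FIELD_RE.findall(body)}
    return {
        "type": rtype,
        "timestamp": float(ts),
        "serial": int(serial),
        "fields": fields,
    }


def login_tty(line: str) -> Optional[str]:
    """Return the tty of a LOGIN record, or None for a pre-patch record."""
    rec = parse_record(line)
    if rec["type"] != "LOGIN":
        raise ValueError("expected a LOGIN record, got " + rec["type"])
    return rec["fields"].get("tty")


def positional_login_ses(line: str) -> str:
    """A brittle reader that assumes the pre-patch LOGIN field order
    (pid uid subj old-auid auid old-ses ses res) and returns the token at
    the position where ses= used to sit. It shows why inserting a field
    mid-record can break a consumer tuned to an exact layout."""
    body = HEADER_RE.match(line.strip()).group(4)
    return body.split()[6]


if __name__ == "__main__":
    for sample in (SAMPLE_LOGIN_OLD, SAMPLE_LOGIN_NEW):
        print("tty by name:", login_tty(sample),
              "| token at old ses position:", positional_login_ses(sample))
    print("decoded comm:", parse_record(SAMPLE_HEX_COMM)["fields"]["comm"])
```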
* Centralized Logging question #2
From: Warron S French @ 2016-04-28 19:55 UTC (permalink / raw)
To: linux-audit@redhat.com
If I centralize audit logging through rsyslog, and I have each of the remote machines' /etc/rsyslog.conf use the same generic audit.log file name instead of customizing the audit logs with something like HOSTNAME-audit.log, because ausearch apparently only looks for a file specifically of the format audit.log...
Will the log-data submitted from the various hosts be consolidated into a single file? Will the ausearch command then be usable with the -if argument?
Warron French, MBA, SCSA
* Re: [PATCH V4] audit: add tty field to LOGIN event
From: Paul Moore @ 2016-04-28 20:07 UTC (permalink / raw)
To: Richard Guy Briggs, Peter Hurley; +Cc: linux-audit, linux-kernel
In-Reply-To: <20160428013140.GD18994@madcap2.tricolour.ca>
On Wed, Apr 27, 2016 at 9:31 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> On 16/04/22, Peter Hurley wrote:
>> 2. The existing usage is always tsk==current
>
> My understanding is that when it is called via:
>
> copy_process()
> audit_free()
> __audit_free()
> audit_log_exit()
> audit_log_task_info()
>
> then tsk != current. This appears to be the only case which appears to
> force lugging around tsk. This is noted in that commit referenced
> above.
In the case where copy_process() ends up calling __audit_free(), the
call to audit_log_exit() is conditional on the audit context
in_syscall field being true and unless I missed something, the copied
process' audit context should not have in_syscall set to true.
--
paul moore
www.paul-moore.com
* Re: Log:namespaces per task
From: Richard Guy Briggs @ 2016-04-29 2:19 UTC (permalink / raw)
To: Deepika Sundar; +Cc: linux-audit
In-Reply-To: <CAHj_pNdJS=8qX=Kz-r_vhZtdkr4TKLsLz8eTrwqQUs0w-xzrTA@mail.gmail.com>
On 16/04/26, Deepika Sundar wrote:
[re-adding the list]
> https://www.redhat.com/archives/linux-audit/2015-April/msg00031.html
> In the above link it is mentioned that the cloned action for the initial
> creation has pid=481; is this a PID seen in the namespace or the global
> one? Please clarify for me.
This is always the initial PID namespace in the audit logs for now,
which are with respect to the initial PID namespace.
The kernel knows from which namespace a request is made and if it were
possible to have a process in a non-initial PID namespace query the
kernel, it would get back an answer relative to that namespace. That is
not currently possible.
> -Deepika
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
* Re: PID's Mapping
From: Richard Guy Briggs @ 2016-04-29 2:33 UTC (permalink / raw)
To: Deepika Sundar; +Cc: linux-audit
In-Reply-To: <CAHj_pNfqHdkPruyYF-6SG3b7CQF-O48_35EvsAOWJ09AuW4Pzg@mail.gmail.com>
On 16/04/27, Deepika Sundar wrote:
> As per rule, root (admin) is the one who is monitoring the system's
> information. So, there must exist some namespace information in the proc field
> for the namespace-related PID in global. Is the way I'm approaching
> the namespace-related stuff correct?
I'm having some trouble parsing your text, but I'll try to answer the
question.
"root" is not necessarily omniscient as it has been assumed to be
frequently in the past. This is true of Linux Capabilities and I
believe SELinux.
It is possible for a process to be owned by "root" (UID 0) in a
non-initial PID namespace and it would not have access to initial PID
namespace information nor any of the other PID namespaces that are not
children of its own PID namespace.
Anything visible from the proc filesystem should be relative to the
namespaces of the process requesting it.
This gets into a whole lot of discussion about Linux kernel namespaces
in general, and I'd recommend you seek out articles about the six Linux
kernel namespaces on Linux Weekly News (lwn.net) on the topic.
> -Deepika
>
> On Mon, Apr 25, 2016 at 12:24 PM, Deepika Sundar <sundar.deepika18@gmail.com wrote:
> > Yeah.
> > When the PIDs which are in the namespace application have different PIDs
> > compared to the global PID, there would be some means to map the PIDs at the
> > kernel level. Can anyone suggest how it can be mapped?
> >
> > On Wed, Apr 20, 2016 at 6:03 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> >
> >> On Wednesday, April 20, 2016 10:06:38 AM Deepika Sundar wrote:
> >> > Is there any way that can be suggested as to map PID's of namespace in
> >> > global?
> >>
> >> This is on the TODO list. We have been kicking around several ideas but
> >> have
> >> not come to a conclusion about what exactly needs to be done. The upshot
> >> of
> >> this is that basically containers have no support.
> >>
> >> -Steve
> >>
> >>
> >> > On Mon, Apr 18, 2016 at 8:47 PM, Paul Moore <paul@paul-moore.com>
> >> wrote:
> >> > > Please ask your question on the mailing list so that everyone can
> >> benefit.
> >> > >
> >> > > On Mon, Apr 18, 2016 at 1:34 AM, Deepika Sundar
> >> > >
> >> > > <sundar.deepika18@gmail.com> wrote:
> >> > > > How it can be achieved ,Can I get any idea on this?
> >> > > >
> >> > > > On Fri, Apr 15, 2016 at 4:12 AM, Paul Moore <paul@paul-moore.com>
> >> wrote:
> >> > > >> On Wed, Apr 13, 2016 at 1:43 AM, sowndarya kumar
> >> > > >>
> >> > > >> <sowndarya.nadar@gmail.com> wrote:
> >> > > >> > Hi
> >> > > >> >
> >> > > >> > Is there any way to map the PID's seen in the namespace
> >> application
> >> > >
> >> > > with
> >> > >
> >> > > >> > the
> >> > > >> > PID's seen in global?
> >> > > >> > If it can be done please provide the documentation or idea on
> >> how it
> >> > >
> >> > > can
> >> > >
> >> > > >> > be
> >> > > >> > done.
> >> > > >>
> >> > > >> In general the audit subsystem doesn't pay attention to namespaces,
> >> > > >> all PIDs reported to userspace are reported with respect to the
> >> init
> >> > > >> namespace.
> >> > > >>
> >> > > >> --
> >> > > >> paul moore
> >> > > >> www.paul-moore.com
> >> > > >>
> >> > > >> --
> >> > > >> Linux-audit mailing list
> >> > > >> Linux-audit@redhat.com
> >> > > >> https://www.redhat.com/mailman/listinfo/linux-audit
> >> > >
> >> > > --
> >> > > paul moore
> >> > > www.paul-moore.com
> >>
> >>
> >
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
* Re: PID's Mapping
From: Richard Guy Briggs @ 2016-04-29 2:37 UTC (permalink / raw)
To: Deepika Sundar; +Cc: linux-audit
In-Reply-To: <CAHj_pNdJRB2iGj8dtUmBNPK476Qj=Bjd16M8rdHZZadLnVBBsw@mail.gmail.com>
On 16/04/28, Deepika Sundar wrote:
> Thank you for the replies.
>
> As per my understanding, root as admin has control over all the
> namespaces. If this is correct,
As per my previous email, not necessarily.
> (i) Is it that root should have access to all namespace-related info,
> for example: PIDs in the host are mapped to what PIDs in the namespace?
The initial PID namespace knows about all the PIDs on the machine since
the PID namespaces are hierarchical. There is a mapping from the PID in
the initial PID namespace to its PID in a child PID namespace. A child
PID namespace should never be able to find out what its PID is in a
parent PID namespace.
> if not,
>
> (ii) Init should only have access to its own processes and should not have
> access to other namespaces.
See above.
> Is this a design limitation, or is it designed for better security?
Both.
> On Wed, Apr 27, 2016 at 4:49 PM, Deepika Sundar <sundar.deepika18@gmail.com> wrote:
> > As per rule, root (admin) is the one who is monitoring the system's
> > information. So, there must exist some namespace information in the proc field
> > for the namespace-related PID in global. Is the way I'm approaching
> > the namespace-related stuff correct?
> >
> > -Deepika
> >
> > On Mon, Apr 25, 2016 at 12:24 PM, Deepika Sundar <
> > sundar.deepika18@gmail.com> wrote:
> >
> >> Yeah.
> >> When the PIDs which are in the namespace application have different PIDs
> >> compared to the global PID, there would be some means to map the PIDs at the
> >> kernel level. Can anyone suggest how it can be mapped?
> >>
> >> On Wed, Apr 20, 2016 at 6:03 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> >>
> >>> On Wednesday, April 20, 2016 10:06:38 AM Deepika Sundar wrote:
> >>> > Is there any way that can be suggested as to map PID's of namespace in
> >>> > global?
> >>>
> >>> This is on the TODO list. We have been kicking around several ideas but
> >>> have
> >>> not come to a conclusion about what exactly needs to be done. The upshot
> >>> of
> >>> this is that basically containers have no support.
> >>>
> >>> -Steve
> >>>
> >>>
> >>> > On Mon, Apr 18, 2016 at 8:47 PM, Paul Moore <paul@paul-moore.com>
> >>> wrote:
> >>> > > Please ask your question on the mailing list so that everyone can
> >>> benefit.
> >>> > >
> >>> > > On Mon, Apr 18, 2016 at 1:34 AM, Deepika Sundar
> >>> > >
> >>> > > <sundar.deepika18@gmail.com> wrote:
> >>> > > > How it can be achieved ,Can I get any idea on this?
> >>> > > >
> >>> > > > On Fri, Apr 15, 2016 at 4:12 AM, Paul Moore <paul@paul-moore.com>
> >>> wrote:
> >>> > > >> On Wed, Apr 13, 2016 at 1:43 AM, sowndarya kumar
> >>> > > >>
> >>> > > >> <sowndarya.nadar@gmail.com> wrote:
> >>> > > >> > Hi
> >>> > > >> >
> >>> > > >> > Is there any way to map the PID's seen in the namespace
> >>> application
> >>> > >
> >>> > > with
> >>> > >
> >>> > > >> > the
> >>> > > >> > PID's seen in global?
> >>> > > >> > If it can be done please provide the documentation or idea on
> >>> how it
> >>> > >
> >>> > > can
> >>> > >
> >>> > > >> > be
> >>> > > >> > done.
> >>> > > >>
> >>> > > >> In general the audit subsystem doesn't pay attention to
> >>> namespaces,
> >>> > > >> all PIDs reported to userspace are reported with respect to the
> >>> init
> >>> > > >> namespace.
> >>> > > >>
> >>> > > >> --
> >>> > > >> paul moore
> >>> > > >> www.paul-moore.com
> >>> > > >>
> >>> > > >> --
> >>> > > >> Linux-audit mailing list
> >>> > > >> Linux-audit@redhat.com
> >>> > > >> https://www.redhat.com/mailman/listinfo/linux-audit
> >>> > >
> >>> > > --
> >>> > > paul moore
> >>> > > www.paul-moore.com
> >>>
> >>>
> >>
> >
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
* Re: New field to auditd.conf file
From: Richard Guy Briggs @ 2016-04-29 2:47 UTC (permalink / raw)
To: Deepika Sundar; +Cc: linux-audit
In-Reply-To: <CAHj_pNfgkMn2CkZPzcp55tbJx_0St5RZ9Pz4vLR+s+RTNXuJwA@mail.gmail.com>
On 16/04/28, Deepika Sundar wrote:
> Thank you for all the replies, and sorry, I am new to this audit subsystem field.
>
> I am facing the problem in the initial stage itself: where to add the
> new field in the source code. As per my understanding of the code below,
> is it possible to fine-tune it by adding a new field, say "APPLICATION ID", in
> that structure?
>
> If not possible, what is the impact? OR
> Is it possible to add a new member without any impact?
> Please suggest to me some idea where a new field in the audit structure can be
> added without breaking compatibility. Provide documentation where I
> can refer to do this.
> Once I am clear with the method I can share the code for review.
There is a list of technical resources at:
http://people.redhat.com/sgrubb/audit/
with a section on "Specs".
In particular, please see:
http://people.redhat.com/sgrubb/audit/audit-events.txt
http://people.redhat.com/sgrubb/audit/audit-parse.txt
I don't understand what this is below...
> Kernel/audit.c
>
> void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
> {
>         const struct cred *cred;
>         char comm[sizeof(tsk->comm)];
>         char *tty;
>
>         if (!ab)
>                 return;
>
>         /* tsk == current */
>         cred = current_cred();
>
>         spin_lock_irq(&tsk->sighand->siglock);
>         if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
>                 tty = tsk->signal->tty->name;
>         else
>                 tty = "(none)";
>         spin_unlock_irq(&tsk->sighand->siglock);
>
>         audit_log_format(ab,
>                          " ppid=%d pid=%d auid=%u uid=%u gid=%u"
>                          " euid=%u suid=%u fsuid=%u"
>                          " egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
>                          task_ppid_nr(tsk),
>                          task_pid_nr(tsk),
>                          from_kuid(&init_user_ns, audit_get_loginuid(tsk)),
>                          from_kuid(&init_user_ns, cred->uid),
>                          from_kgid(&init_user_ns, cred->gid),
>                          from_kuid(&init_user_ns, cred->euid),
>                          from_kuid(&init_user_ns, cred->suid),
>                          from_kuid(&init_user_ns, cred->fsuid),
>                          from_kgid(&init_user_ns, cred->egid),
>                          from_kgid(&init_user_ns, cred->sgid),
>                          from_kgid(&init_user_ns, cred->fsgid),
> +                        tty, audit_get_sessionid(tsk), ApplicationID............);
>
>         audit_log_format(ab, " comm=");
>         audit_log_untrustedstring(ab, get_task_comm(comm, tsk));
>
>         audit_log_d_path_exe(ab, tsk->mm);
>         audit_log_task_context(ab);
> }
>
>
>
>
>
> On Tue, Apr 26, 2016 at 6:07 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > On 16/04/25, Deepika Sundar wrote:
> > > I wanted to add the namespace information in the audit record for example
> > > pid_ns,user_ns,net_ns ,Is there any possibility to add this field inside
> > > Audit structure?
> >
> > We've been looking at this issue for several years now and don't have an
> > obvious solution yet. There has been discussion on this list. It is on
> > the radar:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1045666
> >
> >
> > > On Thu, Apr 21, 2016 at 6:28 PM, Paul Moore <pmoore@redhat.com> wrote:
> > > > As we've already mentioned several times, we can make no guarantees
> > > > regarding functionality or compatibility without seeing your code.
> > > > While it may be frustrating, this is how Open Source development
> > > > works.
> > > >
> > > > If you are interested in our help you will need to describe, in
> > > > detail, what you are trying to do and ideally post your existing code
> > > > so it can be reviewed.
> > > >
> > > > On Thu, Apr 21, 2016 at 1:25 AM, Deepika Sundar
> > > > <sundar.deepika18@gmail.com> wrote:
> > > > > Okay,If I update the Ausearch/aureport in order to aware of the new
> > > > field in
> > > > > the audit log structure can it be feasible one?
> > > > >
> > > > > On Wed, Apr 20, 2016 at 6:00 PM, Steve Grubb <sgrubb@redhat.com>
> > wrote:
> > > > >>
> > > > >> On Wednesday, April 20, 2016 10:05:42 AM Deepika Sundar wrote:
> > > > >> > In general way,Is there any compatibility issues if audit log
> > > > structure
> > > > >> > gets modified?
> > > > >>
> > > > >> Yes, there can be problems if the log structure gets modified.
> > > > >> Ausearch/report
> > > > >> are highly optimized for an exact format.
> > > > >>
> > > > >> -Steve
> > > > >>
> > > > >>
> > > > >> > On Wed, Apr 13, 2016 at 6:01 PM, Steve Grubb <sgrubb@redhat.com>
> > > > wrote:
> > > > >> > > On Wednesday, April 13, 2016 11:03:43 AM Deepika Sundar wrote:
> > > > >> > > > As per my understanding the audit log structure can be extended
> > > > >> > > > based on requirements, and in my project I need to add the
> > > > >> > > > identifier field for the application. As of now I am not able to
> > > > >> > > > reveal what application I am trying to develop or update. So, is
> > > > >> > > > there any possibility that I can do it without breaking any
> > > > >> > > > compatibility?
> > > > >> > >
> > > > >> > > I have no idea what you are doing, so there is no guarantee that it
> > > > >> > > won't break something. If your project is going to be released as
> > > > >> > > open source it's generally best to collaborate with people so that
> > > > >> > > problems can be pointed out. Otherwise you risk spending a lot of
> > > > >> > > time on something only to have it rejected.
> > > > >> > >
> > > > >> > > -Steve
> > > > >> > >
> > > > >> > > > Or, if there are any compatibility issues, please specify.
> > > > >> > > >
> > > > >> > > > On Fri, Apr 8, 2016 at 12:12 AM, Paul Moore <paul@paul-moore.com> wrote:
> > > > >> > > > > On Thu, Apr 7, 2016 at 12:47 AM, Deepika Sundar
> > > > >> > > > >
> > > > >> > > > > <sundar.deepika18@gmail.com> wrote:
> > > > >> > > > > > In the same way, on the kernel side, can I add one new field to
> > > > >> > > > > > the audit log structure without breaking compatibility? If so,
> > > > >> > > > > >
> > > > >> > > > > > 1. How can I add a new field without breaking compatibility?
> > > > >> > > > > >
> > > > >> > > > > > or
> > > > >> > > > > >
> > > > >> > > > > > 2. Is there any reserved field in the audit log structure that I
> > > > >> > > > > > can make use of?
> > > > >> > > > >
> > > > >> > > > > You need to be more specific about what you are trying to do.
> > > > >> > > > > Speaking generally, unless you work to get your changes merged
> > > > >> > > > > into the upstream kernel and userspace tools we cannot guarantee
> > > > >> > > > > present or future compatibility.
> > > > >> > > > >
> > > > >> > > > > www.paul-moore.com
> > > >
> > > > paul moore
> >
> > - RGB
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
* Re: PID's Mapping
From: Deepika Sundar @ 2016-04-29 5:22 UTC (permalink / raw)
To: Richard Guy Briggs, Paul Moore, linux-audit
In-Reply-To: <20160429023733.GL18994@madcap2.tricolour.ca>
Thank you for the valuable response, RGB.
The statement you made above is what I was looking for: "There is a mapping
from the PID in the initial PID namespace to its PID in a child PID
namespace".
In your context, is the initial PID namespace the one that gets created on
the "HOST"?
Please provide me details about how to enter the init PID namespace to get
the mappings of the child PID namespaces.
-DEEPIKA
On Fri, Apr 29, 2016 at 8:07 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> On 16/04/28, Deepika Sundar wrote:
> > Thank you for the replies.
> >
> > As per my understanding, root as admin has control over all the
> > namespaces. If this is correct,
>
> As per my previous email, not necessarily.
>
> > (i) Is it that root should have access to all namespace-related info,
> > for ex: the PIDs in the host are mapped to what PIDs in the namespace?
>
> The initial PID namespace knows about all the PIDs on the machine since
> the PID namespaces are hierarchical. There is a mapping from the PID in
> the initial PID namespace to its PID in a child PID namespace. A child
> PID namespace should never be able to find out what its PID is in a
> parent PID namespace.
>
> > if not ,
> >
> > (ii) Init should only have access to its own processes and should not
> > have access to other namespaces.
>
> See above.
>
> > Is this a design limitation (or) is it designed for better security?
>
> Both.
>
> > On Wed, Apr 27, 2016 at 4:49 PM, Deepika Sundar <sundar.deepika18@gmail.com> wrote:
> > > As per the rule, root (admin) is the one who is monitoring the system's
> > > information. So, there must exist some namespace information in the proc
> > > field for the namespace-related PID in global. Is the way I'm approaching
> > > the namespace-related stuff correct?
> > >
> > > -Deepika
> > >
> > > On Mon, Apr 25, 2016 at 12:24 PM, Deepika Sundar <sundar.deepika18@gmail.com> wrote:
> > >
> > >> Yeah.
> > >> When the PIDs which are in the namespace application have different PIDs
> > >> compared to the global PIDs, there would be some means to map the PIDs at
> > >> the kernel level. Can anyone suggest how they can be mapped?
> > >>
> > >> On Wed, Apr 20, 2016 at 6:03 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > >>
> > >>> On Wednesday, April 20, 2016 10:06:38 AM Deepika Sundar wrote:
> > >>> > Is there any way that can be suggested to map PIDs of a namespace in
> > >>> > global?
> > >>>
> > >>> This is on the TODO list. We have been kicking around several ideas but
> > >>> have not come to a conclusion about what exactly needs to be done. The
> > >>> upshot of this is that basically containers have no support.
> > >>>
> > >>> -Steve
> > >>>
> > >>>
> > >>> > On Mon, Apr 18, 2016 at 8:47 PM, Paul Moore <paul@paul-moore.com> wrote:
> > >>> > > Please ask your question on the mailing list so that everyone can
> > >>> > > benefit.
> > >>> > >
> > >>> > > On Mon, Apr 18, 2016 at 1:34 AM, Deepika Sundar
> > >>> > >
> > >>> > > <sundar.deepika18@gmail.com> wrote:
> > >>> > > > How can it be achieved? Can I get any idea on this?
> > >>> > > >
> > >>> > > > On Fri, Apr 15, 2016 at 4:12 AM, Paul Moore <paul@paul-moore.com> wrote:
> > >>> > > >> On Wed, Apr 13, 2016 at 1:43 AM, sowndarya kumar
> > >>> > > >>
> > >>> > > >> <sowndarya.nadar@gmail.com> wrote:
> > >>> > > >> > Hi
> > >>> > > >> >
> > >>> > > >> > Is there any way to map the PIDs seen in the namespace application
> > >>> > > >> > with the PIDs seen in global?
> > >>> > > >> > If it can be done please provide the documentation or an idea on
> > >>> > > >> > how it can be done.
> > >>> > > >>
> > >>> > > >> In general the audit subsystem doesn't pay attention to namespaces,
> > >>> > > >> all PIDs reported to userspace are reported with respect to the init
> > >>> > > >> namespace.
> > >>> > > >>
> > >>> > > >> --
> > >>> > > >> paul moore
> > >>> > > >> www.paul-moore.com
> > >>> > > >>
> > >>> > >
> > >>> > > --
> > >>> > > paul moore
> > >>> > > www.paul-moore.com
> > >>>
> > >>>
> > >>
> > >
>
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Kernel Security Engineering, Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635
>
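The two statements in the thread above fit together in practice: audit records carry the PID as seen from the initial PID namespace, and from that namespace the kernel exposes the per-namespace view of a task through the NSpid line of /proc/<pid>/status (outermost namespace first, the task's own view last; the field exists in Linux 4.1 and later, so kernels older than that give no mapping). The following is an added example, not code from the list, the audit project or the kernel: it parses an audit SYSCALL record, reads the NSpid chain, and joins the two. The audit record and the /proc status text are constructed samples; the `map_live_pid` helper reads the real /proc and assumes it is run from the initial PID namespace on a 4.1+ kernel.

```python
import re
from typing import Optional

# Constructed sample: one audit SYSCALL record in the form auditd writes to
# /var/log/audit/audit.log. Its pid field is the PID as seen from the
# initial PID namespace, because audit does not translate PIDs for containers.
SAMPLE_RECORD = (
    'type=SYSCALL msg=audit(1461900000.123:456): arch=c000003e syscall=59 '
    'success=yes exit=0 a0=55d1c0 a1=55d2a0 a2=55d3e0 a3=0 items=2 '
    'ppid=4200 pid=4242 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
    'egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" '
    'exe="/bin/dash" key=(null)'
)

# Constructed sample of /proc/4242/status as read from the initial PID
# namespace. NSpid lists the PID in every PID namespace the task belongs to,
# outermost first: host PID 4242 is PID 1 inside a child PID namespace.
SAMPLE_STATUS = (
    "Name:\tsh\n"
    "Umask:\t0022\n"
    "State:\tS (sleeping)\n"
    "Tgid:\t4242\n"
    "Pid:\t4242\n"
    "PPid:\t4200\n"
    "NStgid:\t4242\t1\n"
    "NSpid:\t4242\t1\n"
    "NSpgid:\t4242\t1\n"
    "NSsid:\t4242\t1\n"
)

# key=value pairs; values are either double-quoted (comm, exe) or bare.
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_fields(record: str) -> dict:
    """Split an audit record into a dict of its key=value fields.

    Quoted values are returned without the quotes. Unknown keys are kept,
    so an extra field appended by a patched kernel does not break this
    parser; strict tooling that expects an exact layout may behave differently.
    """
    fields = {}
    for key, value in _FIELD_RE.findall(record):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def parse_nspid(status_text: str) -> list:
    """Return the NSpid chain from a /proc/<pid>/status body.

    chain[0] is the PID in the reader's namespace, chain[-1] the PID the task
    sees for itself. One entry means the task is in the reader's own PID
    namespace. Kernels before 4.1 have no NSpid line, giving an empty list.
    """
    for line in status_text.splitlines():
        if line.startswith("NSpid:"):
            return [int(tok) for tok in line.split()[1:]]
    return []


def map_audit_pid(record: str, status_text: str) -> Optional[dict]:
    """Join an audit record with the NSpid view of the process it names.

    Returns None when the status body does not belong to the record's pid
    (a recycled PID or the wrong /proc entry): the mapping is only valid
    while that process is still alive, so the check must not be skipped.
    """
    fields = parse_audit_fields(record)
    if "pid" not in fields:
        return None
    host_pid = int(fields["pid"])
    chain = parse_nspid(status_text)
    if not chain or chain[0] != host_pid:
        return None
    return {
        "host_pid": host_pid,
        "ns_depth": len(chain) - 1,   # 0 means not in a child PID namespace
        "pid_in_own_ns": chain[-1],
        "chain": chain,
        "comm": fields.get("comm"),
    }


def map_live_pid(host_pid: int, proc: str = "/proc") -> list:
    """Read the real NSpid chain of a running process.

    Assumption: called from the initial PID namespace (or an ancestor of the
    target's namespace). A child namespace cannot see its parent's PIDs,
    which is the one-way property described in the thread.
    """
    try:
        with open(f"{proc}/{host_pid}/status") as fh:
            return parse_nspid(fh.read())
    except OSError:
        return []


if __name__ == "__main__":
    print(map_audit_pid(SAMPLE_RECORD, SAMPLE_STATUS))
    print(map_live_pid(1))
```

Run as root from the host's PID namespace, `map_live_pid(<container pid>)` shows the same shape as the constructed sample; run inside the container it shows a single entry, since the parent-namespace PID is not visible from there.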
* Re: [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log
From: Vincas Dargis @ 2016-04-29 7:03 UTC (permalink / raw)
To: linux-audit
Hi,
There was an email about fixing ausearch for AppArmor:
https://www.redhat.com/archives/linux-audit/2014-May/msg00094.html
Is there any progress regarding that issue?
I have tried to search for AVC on Debian Testing (auditd 2.4.5), and
it fails to "grep" me AppArmor-related events.
P.S. How do I actually reply to the original thread that I did not
receive, since I just subscribed? I thought I could maybe find the raw
message in the archive https://www.redhat.com/archives/linux-audit/ but
it isn't there (no such message in the 2014-May/Jun gz). Oh how I hate
using mailing lists so much... /rant.