* [PATCH] Ignore tags and cscope output files.
From: Richard Guy Briggs @ 2016-08-02 8:31 UTC (permalink / raw)
To: linux-audit; +Cc: Richard Guy Briggs
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
trunk/.gitignore | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/trunk/.gitignore b/trunk/.gitignore
index ec0aa96..ba296d3 100644
--- a/trunk/.gitignore
+++ b/trunk/.gitignore
@@ -7,7 +7,9 @@ gen_*_h
INSTALL
Makefile
Makefile.in
+tags
TAGS
+cscope.*
/aclocal.m4
/autom4te.cache
/audit*.tar.gz
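Review bot: the patterns themselves are fine (unanchored, like the neighbouring `tags`/`TAGS`, so they apply in subdirectories too), but `cscope.*` also swallows `cscope.files`, which some projects keep under version control as the cscope source list; if that is wanted here, list `cscope.out`, `cscope.in.out` and `cscope.po.out` explicitly instead of the glob.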
--
1.7.1
* audit 2.6.6 released
From: Steve Grubb @ 2016-08-01 16:37 UTC (permalink / raw)
To: linux-audit
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Interpret ioctlcmd fields
- Fix the permission of the audit logging directory
- Fix timeout in autrace better
- Add gitignore file to ignore generated files if using git (Richard Guy Briggs)
- audit_log_user_comm_message now resolves comm if NULL is passed
- Update syscall table
- Fix multi-key support in auparse which was broken in tty escape bug fix
- Add multi-key support for syscall rules
This is a bug fix release. I didn't want to wait too long after the directory
permission problem was discovered, but I did want to give a little time in
case there was anything else discovered. The main issue fixed in this release
is the audit log directory permissions. If a group was given for log_group in
auditd.conf, the audit daemon gave write permissions on the directory to the
group. This appears to have started in the 2.6.1 release.
The autrace program was timing out too quickly waiting to check rules. It now
uses the select syscall to wait on rules.
The multi-key support that was added for IDS purposes with prelude was found
to have been broken by the tty escape bug fix. In troubleshooting that, I found
that it was not supported on the "new style" audit rules. So, that has been
fixed so that you can put multiple keys on syscall rules. Multiple key support
was fixed, but to do it right meant that the field type had to change from
AUPARSE_TYPE_ESCAPED to AUPARSE_TYPE_ESCAPED_KEY.
Please let me know if you run across any problems with this release.
-Steve
* Re: Question about the a[[:digit:]+]\[.*\] fields
From: Mateusz Piotrowski @ 2016-08-01 15:13 UTC (permalink / raw)
To: linux-audit; +Cc: Konrad Witaszczyk
In-Reply-To: <37697145.Sr86xZ3kit@x2>
On 01 Aug 2016, at 16:46, Steve Grubb <sgrubb@redhat.com> wrote:
>
> On Monday, August 1, 2016 12:16:30 AM EDT Mateusz Piotrowski wrote:
>>
>>> According to the field dictionary[1] there are fields whose names are
>>> defined by the following regex: "a[[:digit:]+]\[.*\]".
>>
>> I was able to find examples of fields like "a4" and "a5" (see [2]) but it
>> doesn't fit the regex which seems to require a pair of square brackets (so
>> "a4" should be "a4[]" or "a4[foo]"). I couldn't find any reference in the
>> Linux Audit source code.
>
> I think you have to have arguments that are larger than the audit record
> limit and so many arguments that you have multiple execve records to contain
> them all.
>
> Here's one reference:
> https://www.redhat.com/archives/linux-audit/2007-October/msg00015.html
Thanks.
>> My questions are:
>> 1. Is this regex valid and up-to-date? Or is it an outdated rule which
>> doesn't apply anymore?
>
> Possibly. But try to generate it and see.
Sure, I'll notify you if I manage to get one.
>>> 2. Could you suggest where I should look to see how those arguments to the
>>> execve syscall are handled?
>
> Handled where? Kernel? Userspace doesn't do much with any execve argument
> except decode it.
Yeah, that's what I was trying to find - how this regex is handled in auparse/interpret.c[2].
We can see how "a0" is handled for example[3] but I couldn't find anything about "a4[foo]".
>> 3. Could you post an example of a record with a field which fits the regex
>> (assuming the regex is valid)?
>
> The archive link above explains what was going to be added. Offhand I don't
> have one of these laying around in my logs. This test might create one for
> you:
>
> https://github.com/linux-audit/audit-testsuite/tree/master/tests/exec_execve
Thanks a lot.
>> [1]:
>> https://github.com/linux-audit/audit-documentation/blob/master/specs/fields
>> /field-dictionary.csv#L3 [2]:
>> https://www.redhat.com/archives/linux-audit/2012-October/msg00090.html
Cheers,
-m
[2]: https://github.com/linux-audit/audit-userspace/blob/master/auparse/interpret.c
[3]: https://github.com/linux-audit/audit-userspace/blob/master/auparse/interpret.c#L2805
* Re: Question about the a[[:digit:]+]\[.*\] fields
From: Steve Grubb @ 2016-08-01 14:46 UTC (permalink / raw)
To: linux-audit; +Cc: Konrad Witaszczyk
In-Reply-To: <791A85A1-9404-4763-9584-D673DDDD747D@FreeBSD.org>
On Monday, August 1, 2016 12:16:30 AM EDT Mateusz Piotrowski wrote:
> Hello,
>
> According to the field dictionary[1] there are fields whose names are
> defined by the following regex: "a[[:digit:]+]\[.*\]".
>
> I was able to find examples of fields like "a4" and "a5" (see [2]) but it
> doesn't fit the regex which seems to require a pair of square brackets (so
> "a4" should be "a4[]" or "a4[foo]"). I couldn't find any reference in the
> Linux Audit source code.
I think you have to have arguments that are larger than the audit record
limit and so many arguments that you have multiple execve records to contain
them all.
Here's one reference:
https://www.redhat.com/archives/linux-audit/2007-October/msg00015.html
> My questions are:
> 1. Is this regex valid and up-to-date? Or is it an outdated rule which
> doesn't apply anymore?
Possibly. But try to generate it and see.
> 2. Could you suggest where I should look to see how those arguments to the
> execve syscall are handled?
Handled where? Kernel? Userspace doesn't do much with any execve argument
except decode it.
> 3. Could you post an example of a record with a field which fits the regex
> (assuming the regex is valid)?
The archive link above explains what was going to be added. Offhand I don't
have one of these laying around in my logs. This test might create one for
you:
https://github.com/linux-audit/audit-testsuite/tree/master/tests/exec_execve
-Steve
> [1]:
> https://github.com/linux-audit/audit-documentation/blob/master/specs/fields
> /field-dictionary.csv#L3 [2]:
> https://www.redhat.com/archives/linux-audit/2012-October/msg00090.html
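Steve's answer points at the form the dictionary regex was written for: an execve argument longer than the record limit is not logged as a single aN= field but as numbered chunks, and an argument list that large can spill across several EXECVE records with the same serial. The parser below is an added example, not code from audit-userspace or from this thread. It assumes the chunked layout aN[M]= with the full length announced in aN_len= (the layout described in the 2007 archive post Steve links), and the sample records are constructed here, so verify the layout against the audit-testsuite exec_execve output before relying on it. Arguments that auditd hex-encodes (values containing quotes, spaces or control characters) are decoded as well.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample record (not real audit output): a short a0, a hex-encoded
# a1 ("hello world"), and an over-long a2 that the kernel has split into
# chunks a2[0] and a2[1], with the total length announced in a2_len.
# Assumption: this chunked layout is what the dictionary regex
# a[[:digit:]+]\[.*\] is meant to match; check it against audit-testsuite.
SAMPLE_RECORD = (
    'type=EXECVE msg=audit(1470044406.123:456): argc=3 a0="/bin/echo" '
    'a1=68656C6C6F20776F726C64 a2_len=24 a2[0]="aaaaaaaaaaaa" '
    'a2[1]="bbbbbbbbbbbb"'
)

# name=value pairs: a quoted value may contain spaces, an unquoted one may not.
FIELD_RE = re.compile(r'(\S+?)=("[^"]*"|\S*)')
# Plain aN fields and the chunked aN[M] form described by the dictionary regex.
ARG_RE = re.compile(r'^a(\d+)(?:\[(\d+)\])?$')
# aN_len carries the full length of a chunked argument.
LEN_RE = re.compile(r'^a(\d+)_len$')


def decode_arg(raw: str) -> str:
    """Execve argument values are either quoted verbatim or hex-encoded."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        # surrogateescape keeps non-UTF-8 bytes round-trippable for length checks
        return bytes.fromhex(raw).decode("utf-8", "surrogateescape")
    except ValueError:
        return raw  # not hex either: leave it untouched rather than drop it


def parse_execve(record: str) -> Tuple[List[str], List[str]]:
    """Return (argv, warnings) with chunked arguments reassembled in order.

    Records that belong to one execve share a serial; join them with a space
    before calling this, since chunks of one argument can span records.
    """
    chunks: Dict[int, Dict[int, str]] = {}   # arg index -> chunk index -> text
    whole: Dict[int, str] = {}               # arg index -> full value
    lengths: Dict[int, int] = {}             # arg index -> announced length
    argc = None
    for name, value in FIELD_RE.findall(record):
        if name == "argc":
            argc = int(value)
            continue
        m = LEN_RE.match(name)
        if m:
            lengths[int(m.group(1))] = int(value)
            continue
        m = ARG_RE.match(name)
        if not m:
            continue  # type=, msg=, and anything else we do not interpret
        idx = int(m.group(1))
        if m.group(2) is None:
            whole[idx] = decode_arg(value)
        else:
            chunks.setdefault(idx, {})[int(m.group(2))] = decode_arg(value)

    warnings: List[str] = []
    for idx, parts in chunks.items():
        present = sorted(parts)
        if present != list(range(len(parts))):
            warnings.append(f"a{idx}: missing chunk(s), have {present}")
        whole[idx] = "".join(parts[i] for i in present)
        got = len(whole[idx].encode("utf-8", "surrogateescape"))
        if idx in lengths and got != lengths[idx]:
            warnings.append(f"a{idx}: reassembled {got} bytes, a{idx}_len says {lengths[idx]}")
    argv = [whole[i] for i in sorted(whole)]
    if argc is not None and len(argv) != argc:
        warnings.append(f"argc={argc} but {len(argv)} arguments found")
    return argv, warnings


if __name__ == "__main__":
    args, warns = parse_execve(SAMPLE_RECORD)
    print(args)   # ['/bin/echo', 'hello world', 'aaaaaaaaaaaabbbbbbbbbbbb']
    print(warns)  # []
```

The length and chunk-index checks are the useful part for a detection pipeline: a missing chunk or a length mismatch means the argument list you are matching rules against is not the one the kernel saw, which is exactly the case where an attacker-controlled, over-long argv would otherwise be silently truncated.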
* Re: [PATCH] prctl: remove one-shot limitation for changing exe link
From: Eric W. Biederman @ 2016-07-31 18:45 UTC (permalink / raw)
To: Mateusz Guzik
Cc: bsegall, mhocko, peterz, Stanislav Kinsburskiy, linux-kernel,
oleg, Cyrill Gorcunov, Richard Guy Briggs, mingo, john.stultz,
matthltc, akpm, luto, vbabka, xemul
In-Reply-To: <20160730202821.7ojhciviocjfnw7p@mguzik>
Mateusz Guzik <mguzik@redhat.com> writes:
> On Sat, Jul 30, 2016 at 12:31:40PM -0500, Eric W. Biederman wrote:
>> So what I am requesting is very simple. That the checks in
>> prctl_set_mm_exe_file be tightened up to more closely approach what
>> execve requires. Thus preserving the value of the /proc/[pid]/exe for
>> the applications that want to use the exe link.
>>
>> Once the checks in prctl_set_mm_exe_file are tightened up please feel
>> free to remove the one shot test.
>>
>
> This is more fishy.
>
> First of all exe_file is used by the audit subsystem. So someone has to
> ask audit people what is the significance (if any) of the field.
>
> All exe_file users but one use get_mm_exe_file and handle NULL
> gracefully.
>
> Even with the current limit of changing the field once, the user can
> cause a transient failure of get_mm_exe_file which can fail to increment
> the refcount before it drops to 0.
>
> This transient failure can be used to get a NULL value stored in
> ->exe_file during fork (in dup_mmap):
> RCU_INIT_POINTER(mm->exe_file, get_mm_exe_file(oldmm));
>
> The one place which is not using get_mm_exe_file to get to the pointer
> is audit_exe_compare:
> rcu_read_lock();
> exe_file = rcu_dereference(tsk->mm->exe_file);
> ino = exe_file->f_inode->i_ino;
> dev = exe_file->f_inode->i_sb->s_dev;
> rcu_read_unlock();
>
> This is buggy on 2 accounts:
> 1. exe_file can be NULL
> 2. rcu does not protect f_inode
>
> The issue is made worse with allowing arbitrary number changes.
>
> Modifying get_mm_exe_file to retry and in effect never return NULL is
> trivial. With an arbitrary number of changes allowed this may
> require some cond_resched() or something.
>
> For comments I cc'ed Richard Guy Briggs, who is both an audit person and
> the author of audit_exe_compare.
That is fair. Keeping the existing users working is what needs to
happen.
At the same time we have an arbitrary number of possible changes with
exec, but I guess that works differently because the mm is changed as
well.
So yes let's bug fix this piece of code and then we can see about
relaxing constraints.
Eric
* Question about the a[[:digit:]+]\[.*\] fields
From: Mateusz Piotrowski @ 2016-07-31 22:16 UTC (permalink / raw)
To: linux-audit; +Cc: Konrad Witaszczyk
Hello,
According to the field dictionary[1] there are fields whose names are defined by the following regex: "a[[:digit:]+]\[.*\]".
I was able to find examples of fields like "a4" and "a5" (see [2]) but they don't fit the regex, which seems to require a pair of square brackets (so "a4" should be "a4[]" or "a4[foo]"). I couldn't find any reference in the Linux Audit source code.
My questions are:
1. Is this regex valid and up-to-date? Or is it an outdated rule which doesn't apply anymore?
2. Could you suggest where I should look to see how those arguments to the execve syscall are handled?
3. Could you post an example of a record with a field which fits the regex (assuming the regex is valid)?
Cheers!
-Mateusz
[1]: https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv#L3
[2]: https://www.redhat.com/archives/linux-audit/2012-October/msg00090.html
* [GIT PULL] Audit patches for 4.8
From: Paul Moore @ 2016-07-28 7:31 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-audit, linux-kernel
Hi Linus,
Six audit patches for 4.8. There are a couple of style and minor whitespace
tweaks for the logs, as well as a minor fixup to catch errors on user filter
rules, however the major improvements are a fix to the s390 syscall argument
masking code (reviewed by the nice s390 folks), some consolidation around the
exclude filtering (less code, always a win), and a double-fetch fix for
recording the execve arguments. Please pull for 4.8.
Thanks,
-Paul
---
The following changes since commit 2dcd0af568b0cf583645c8a317dd12e344b1c72a:
Linux 4.6 (2016-05-15 15:43:13 -0700)
are available in the git repository at:
git://git.infradead.org/users/pcmoore/audit stable-4.8
for you to fetch changes up to 43761473c254b45883a64441dd0bc85a42f3645c:
audit: fix a double fetch in audit_log_single_execve_arg()
(2016-07-20 14:15:46 -0400)
----------------------------------------------------------------
Paul Moore (3):
audit: fix some horrible switch statement style crimes
s390: ensure that syscall arguments are properly masked on s390
audit: fix a double fetch in audit_log_single_execve_arg()
Richard Guy Briggs (2):
audit: fixup: log on errors from filter user rules
audit: add fields to exclude filter by reusing user filter
Steve Grubb (1):
audit: fix whitespace in CWD record
arch/s390/kernel/ptrace.c | 10 +-
include/linux/audit.h | 2 -
kernel/audit.c | 4 +-
kernel/audit.h | 2 +
kernel/auditfilter.c | 147 +++++++-------------
kernel/auditsc.c | 342 +++++++++++++++++++++---------------------
6 files changed, 235 insertions(+), 272 deletions(-)
--
paul moore
security @ redhat
* Re: [PATCH] alpha_table.h: Syscall 511 is getrandom, not renameat2
From: Steve Grubb @ 2016-07-26 15:47 UTC (permalink / raw)
To: linux-audit; +Cc: James Clarke
In-Reply-To: <20160723191509.7249-1-jrtc27@jrtc27.com>
On Saturday, July 23, 2016 8:15:09 PM EDT James Clarke wrote:
> ---
> This fixes gen_alpha_tables_h aborting due to renameat2 being duplicated.
>
> lib/alpha_table.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/alpha_table.h b/lib/alpha_table.h
> index 08171cc..c43744f 100644
> --- a/lib/alpha_table.h
> +++ b/lib/alpha_table.h
> @@ -451,6 +451,6 @@ _S(507, "finit_module")
> _S(508, "sched_setattr")
> _S(509, "sched_getattr")
> _S(510, "renameat2")
> -_S(511, "renameat2")
> +_S(511, "getrandom")
> _S(512, "memfd_create")
> _S(513, "execveat")
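Review bot: the only explanation of the change, "This fixes gen_alpha_tables_h aborting due to renameat2 being duplicated", sits below the `---` cut line, so `git am` drops it and the commit lands with an empty body; move that sentence above the cut and add a Signed-off-by line. The table change itself is right: on alpha 510 is renameat2 and 511 is getrandom, and the duplicate key is what made the generator abort.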
Fixed in commit 1368.
Thanks!
-Steve
* [PATCH] semanage: add auditing of changes in records
From: Miroslav Vadkerti @ 2016-07-26 15:15 UTC (permalink / raw)
To: selinux; +Cc: linux-audit
In-Reply-To: <[PATCH 1/2] semanage: add auditing of changes in records>
Common Criteria requirement FMT_MSA.1 needs any configuration change
that affects enforcement of policy to be audited. This patch adds
auditing of changes in security context mappings for network ports,
interfaces, nodes and file contexts.
A new function log_change is introduced that audits additions,
modification and removal of the mappings via the USER_MAC_CONFIG_CHANGE
audit event.
The format of the audit events was discussed with the audit userspace
maintainer.
This patch resolves: https://bugzilla.redhat.com/show_bug.cgi?id=829175
Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
---
policycoreutils/semanage/seobject.py | 75 ++++++++++++++++++++++++++++++++++++
1 file changed, 75 insertions(+)
diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
index 3b0b108..7d6caa3 100644
--- a/policycoreutils/semanage/seobject.py
+++ b/policycoreutils/semanage/seobject.py
@@ -82,6 +82,21 @@ file_type_str_to_option = {"all files": "a",
"socket file": "s",
"symbolic link": "l",
"named pipe": "p"}
+
+proto_to_audit = {"tcp": 17,
+ "udp": 6,
+ "ipv4": 4,
+ "ipv6": 41}
+
+ftype_to_audit = {"": "any",
+ "b": "block",
+ "c": "char",
+ "d": "dir",
+ "f": "file",
+ "l": "symlink",
+ "p": "pipe",
+ "s": "socket"}
+
try:
import audit
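Review bot: the protocol numbers in proto_to_audit are swapped: IANA assigns 6 to TCP and 17 to UDP, so `"tcp": 17, "udp": 6` will tag every port event with the wrong proto= value (and auparse will interpret it as the wrong protocol name). It should read `"tcp": 6, "udp": 17`. Double-check the other two as well: 4 is IP-in-IP encapsulation and 41 is the IPv6 encapsulation number, which may or may not be what the consumer of the proto field expects for the ipv4/ipv6 node entries.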
@@ -90,6 +105,7 @@ try:
def __init__(self):
self.audit_fd = audit.audit_open()
self.log_list = []
+ self.log_change_list = []
def log(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
@@ -109,10 +125,17 @@ try:
def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
self.log_list.append([self.audit_fd, audit.AUDIT_ROLE_REMOVE, sys.argv[0], str(msg), name, 0, sename, serole, serange, oldsename, oldserole, oldserange, "", "", ""])
+ def log_change(self, msg):
+ self.log_change_list.append([self.audit_fd, audit.AUDIT_USER_MAC_CONFIG_CHANGE, str(msg), "semanage", "", "", ""])
+
def commit(self, success):
for l in self.log_list:
audit.audit_log_semanage_message(*(l + [success]))
+ for l in self.log_change_list:
+ audit.audit_log_user_comm_message(*(l + [success]))
+
self.log_list = []
+ self.log_change_list = []
except:
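Review bot: log_change hard-codes "" for the hostname, addr and tty slots of the audit_log_user_comm_message() call made in commit(). If the library only fills in its own values (resolved tty, "?" for unknown host) when it receives NULL, which is what Steve's review refers to with "already handled in the audit logging function", then "" will produce empty hostname=, addr= and terminal= fields in every USER_MAC_CONFIG_CHANGE record; pass None so the binding hands NULL through. The argument count itself matches: the seven list entries plus success line up with (fd, type, message, comm, hostname, addr, tty, result).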
class logger:
@@ -138,6 +161,9 @@ except:
def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
self.log(msg, name, sename, serole, serange, oldsename, oldserole, oldserange)
+ def log_change(self, msg):
+ self.log_list.append(" %s" % msg)
+
def commit(self, success):
if success == 1:
message = "Successful: "
@@ -155,6 +181,9 @@ class nulllogger:
def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
pass
+ def log_change(self, msg):
+ pass
+
def commit(self, success):
pass
@@ -1109,6 +1138,8 @@ class portRecords(semanageRecords):
semanage_port_key_free(k)
semanage_port_free(p)
+ self.mylog.log_change("resrc=port op=add lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u", "object_r", type, serange))
+
def add(self, port, proto, serange, type):
self.begin()
self.__add(port, proto, serange, type)
@@ -1150,6 +1181,8 @@ class portRecords(semanageRecords):
semanage_port_key_free(k)
semanage_port_free(p)
+ self.mylog.log_change("resrc=port op=modify lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u", "object_r", setype, serange))
+
def modify(self, port, proto, serange, setype):
self.begin()
self.__modify(port, proto, serange, setype)
@@ -1168,6 +1201,7 @@ class portRecords(semanageRecords):
low = semanage_port_get_low(port)
high = semanage_port_get_high(port)
port_str = "%s-%s" % (low, high)
+
(k, proto_d, low, high) = self.__genkey(port_str, proto_str)
if rc < 0:
raise ValueError(_("Could not create a key for %s") % port_str)
@@ -1177,6 +1211,11 @@ class portRecords(semanageRecords):
raise ValueError(_("Could not delete the port %s") % port_str)
semanage_port_key_free(k)
+ if low == high:
+ port_str = low
+
+ self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port_str, proto_to_audit[proto_str]))
+
self.commit()
def __delete(self, port, proto):
@@ -1199,6 +1238,8 @@ class portRecords(semanageRecords):
semanage_port_key_free(k)
+ self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port, proto_to_audit[proto]))
+
def delete(self, port, proto):
self.begin()
self.__delete(port, proto)
@@ -1380,6 +1421,8 @@ class nodeRecords(semanageRecords):
semanage_node_key_free(k)
semanage_node_free(node)
+ self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, proto_to_audit[self.protocol[proto]], "system_u", "object_r", ctype, serange))
+
def add(self, addr, mask, proto, serange, ctype):
self.begin()
self.__add(addr, mask, proto, serange, ctype)
@@ -1421,6 +1464,8 @@ class nodeRecords(semanageRecords):
semanage_node_key_free(k)
semanage_node_free(node)
+ self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, proto_to_audit[self.protocol[proto]], "system_u", "object_r", setype, serange))
+
def modify(self, addr, mask, proto, serange, setype):
self.begin()
self.__modify(addr, mask, proto, serange, setype)
@@ -1452,6 +1497,8 @@ class nodeRecords(semanageRecords):
semanage_node_key_free(k)
+ self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, proto_to_audit[self.protocol[proto]]))
+
def delete(self, addr, mask, proto):
self.begin()
self.__delete(addr, mask, proto)
@@ -1581,6 +1628,8 @@ class interfaceRecords(semanageRecords):
semanage_iface_key_free(k)
semanage_iface_free(iface)
+ self.mylog.log_change("resrc=interface op=add netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", ctype, serange))
+
def add(self, interface, serange, ctype):
self.begin()
self.__add(interface, serange, ctype)
@@ -1618,6 +1667,8 @@ class interfaceRecords(semanageRecords):
semanage_iface_key_free(k)
semanage_iface_free(iface)
+ self.mylog.log_change("resrc=interface op=modify netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", setype, serange))
+
def modify(self, interface, serange, setype):
self.begin()
self.__modify(interface, serange, setype)
@@ -1646,6 +1697,8 @@ class interfaceRecords(semanageRecords):
semanage_iface_key_free(k)
+ self.mylog.log_change("resrc=interface op=delete netif=%s" % interface)
+
def delete(self, interface):
self.begin()
self.__delete(interface)
@@ -1775,6 +1828,8 @@ class fcontextRecords(semanageRecords):
if i.startswith(target + "/"):
raise ValueError(_("File spec %s conflicts with equivalency rule '%s %s'") % (target, i, fdict[i]))
+ self.mylog.log_change("resrc=fcontext op=add-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
+
self.equiv[target] = substitute
self.equal_ind = True
self.commit()
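Review bot: `audit.audit_encode_nv_string(...)` is called here unconditionally, but the `except:` fallback logger earlier in this file exists precisely for the case where `import audit` fails; on such a system this line raises NameError instead of logging. Either guard the encoding the same way the logger is selected, or move the encoding into logger.log_change so the fallback and null loggers can ignore it. The same applies to every fcontext hunk below that uses audit_encode_nv_string.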
@@ -1785,6 +1840,9 @@ class fcontextRecords(semanageRecords):
raise ValueError(_("Equivalence class for %s does not exists") % target)
self.equiv[target] = substitute
self.equal_ind = True
+
+ self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
+
self.commit()
def createcon(self, target, seuser="system_u"):
@@ -1879,6 +1937,11 @@ class fcontextRecords(semanageRecords):
semanage_fcontext_key_free(k)
semanage_fcontext_free(fcontext)
+ if not seuser:
+ seuser = "system_u"
+
+ self.mylog.log_change("resrc=fcontext op=add %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange))
+
def add(self, target, type, ftype="", serange="", seuser="system_u"):
self.begin()
self.__add(target, type, ftype, serange, seuser)
@@ -1939,6 +2002,11 @@ class fcontextRecords(semanageRecords):
semanage_fcontext_key_free(k)
semanage_fcontext_free(fcontext)
+ if not seuser:
+ seuser = "system_u"
+
+ self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange))
+
def modify(self, target, setype, ftype, serange, seuser):
self.begin()
self.__modify(target, setype, ftype, serange, seuser)
@@ -1964,6 +2032,8 @@ class fcontextRecords(semanageRecords):
raise ValueError(_("Could not delete the file context %s") % target)
semanage_fcontext_key_free(k)
+ self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype_str]))
+
self.equiv = {}
self.equal_ind = True
self.commit()
@@ -1972,6 +2042,9 @@ class fcontextRecords(semanageRecords):
if target in self.equiv.keys():
self.equiv.pop(target)
self.equal_ind = True
+
+ self.mylog.log_change("resrc=fcontext op=delete-equal %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
+
return
(rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
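Review bot: the field naming for equivalence rules is inconsistent between operations: op=add-equal and op=modify-equal log the source path as `sglob` and the substitute as `tglob`, while op=delete-equal logs the same `target` path as `tglob` and adds an `ftype=` that the other two equivalence events do not carry. Anyone correlating add and delete events for a rule will key on different field names; log `sglob` here and drop `ftype`, or add it to the other two.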
@@ -1996,6 +2069,8 @@ class fcontextRecords(semanageRecords):
semanage_fcontext_key_free(k)
+ self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
+
def delete(self, target, ftype):
self.begin()
self.__delete(target, ftype)
--
1.8.3.1
* Re: Auditing device files
From: Richard Guy Briggs @ 2016-07-26 15:05 UTC (permalink / raw)
To: Ed Christiansen MS; +Cc: linux-audit
In-Reply-To: <48d5912c-2b81-3b8c-1ff7-49299e4b5822@ll.mit.edu>
On 2016-07-26 09:40, Ed Christiansen MS wrote:
> Here's a place to start
> http://linux.die.net/man/8/pam_tty_audit
It is a place to start, but that page is a bit out of date, since
pam_tty_audit now has a "log_passwd" option that isn't documented on
that page.
This is a bit more up to date:
https://www.mankier.com/8/pam_tty_audit
> On 7/26/2016 5:00 AM, Pavithra P wrote:
> >Hi,
> >
> >I am trying to see what commands are typed in my terminal and serial
> >port. For that I am using auditd daemon which helps me in auditing
> >files.
> >I thought of creating audit rules on /dev/tty and /dev/ttyAMA0 for
> >seeing what's happening on terminal and serial device respectively
> >
> >auditctl -w /dev/tty -p rwx -k terminal
> >auditctl -w /dev/ttyAMA0 -p rwx -k serialport
> >
> >But this records only the echo on tty. I can't audit all the commands
> >typed on the terminal. I enabled tty logging in the PAM file too by
> >adding session required pam_tty_audit.so enable=* in /etc/pam.d/sshd
> >file.
> >Is there any other way to do this auditing. I want to use auditd
> >daemon only so that all my auditing log is in one file.
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
* [PATCH] security: lsm_audit: print pid and tid
From: Jeff Vander Stoep @ 2016-07-26 14:54 UTC (permalink / raw)
To: selinux; +Cc: Jeff Vander Stoep, linux-audit
dump_common_audit_data() currently contains a field for pid, but the
value printed is actually the thread ID, tid. Update this value to
return the task group ID. Add a new field for tid. With this change
the values printed by audit now match the values returned by the
getpid() and gettid() syscalls.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
---
security/lsm_audit.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index cccbf30..57f26c1 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -220,7 +220,8 @@ static void dump_common_audit_data(struct audit_buffer *ab,
*/
BUILD_BUG_ON(sizeof(a->u) > sizeof(void *)*2);
- audit_log_format(ab, " pid=%d comm=", task_pid_nr(current));
+ audit_log_format(ab, " pid=%d tid=%d comm=", task_tgid_vnr(tsk),
+ task_pid_vnr(tsk));
audit_log_untrustedstring(ab, memcpy(comm, current->comm, sizeof(comm)));
switch (a->type) {
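Review bot: `tsk` is not in scope at this point in dump_common_audit_data(); the unchanged context line immediately below still reads `current->comm`, and `tsk` only exists as a local inside the LSM_AUDIT_DATA_TASK case further down, so `task_tgid_vnr(tsk), task_pid_vnr(tsk)` will not compile. Use `current` here. Separately, moving from task_pid_nr() to the *_vnr variants changes the logged value from the initial-namespace id to the caller's namespace view; that matches the getpid()/gettid() comparison in the commit message, but it is a semantic change for consumers correlating these records with other audit records and is worth stating explicitly in the changelog.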
@@ -294,10 +295,12 @@ static void dump_common_audit_data(struct audit_buffer *ab,
case LSM_AUDIT_DATA_TASK: {
struct task_struct *tsk = a->u.tsk;
if (tsk) {
- pid_t pid = task_pid_nr(tsk);
+ pid_t pid = task_tgid_vnr(tsk);
if (pid) {
char comm[sizeof(tsk->comm)];
audit_log_format(ab, " opid=%d ocomm=", pid);
+ audit_log_format(ab, " opid=%d otid=%d ocomm=",
+ pid, task_pid_vnr(tsk));
audit_log_untrustedstring(ab,
memcpy(comm, tsk->comm, sizeof(comm)));
}
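Review bot: the old `audit_log_format(ab, " opid=%d ocomm=", pid);` line is kept as unchanged context instead of being removed, so with the new line inserted right after it the record will contain ` opid=N ocomm= opid=N otid=M ocomm=` before the comm string is appended, which breaks parsing of ocomm. That original line needs a `-` prefix in the hunk.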
--
2.8.0.rc3.226.g39d4020
* Re: Auditing device files
From: Ed Christiansen MS @ 2016-07-26 13:40 UTC (permalink / raw)
To: linux-audit
In-Reply-To: <CABBiaOFDucUxu+nYJ_ehPPn_qOAjCyEvvL2pR2OwSJ1D276GSQ@mail.gmail.com>
Here's a place to start
http://linux.die.net/man/8/pam_tty_audit
On 7/26/2016 5:00 AM, Pavithra P wrote:
> Hi,
>
> I am trying to see what commands are typed in my terminal and serial
> port. For that I am using auditd daemon which helps me in auditing
> files.
> I thought of creating audit rules on /dev/tty and /dev/ttyAMA0 for
> seeing what's happening on terminal and serial device respectively
>
> auditctl -w /dev/tty -p rwx -k terminal
> auditctl -w /dev/ttyAMA0 -p rwx -k serialport
>
> But this records only the echo on tty. I can't audit all the commands
> typed on the terminal. I enabled tty logging in the PAM file too by
> adding session required pam_tty_audit.so enable=* in /etc/pam.d/sshd
> file.
> Is there any other way to do this auditing. I want to use auditd
> daemon only so that all my auditing log is in one file.
>
* Re: [PATCH 1/2] semanage: add auditing of changes in records
From: Miroslav Vadkerti @ 2016-07-26 10:50 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit, selinux
In-Reply-To: <10070280.KoedIQp72C@x2>
Hi Steve,
I did not know that I wouldn't need to override those parameters when I
started to prepare the patch. I can just remove those and always pass "" as
hostname, addr and tty. I will submit a new patch in a few minutes ..
Thanks and best regards,
/M
On Mon, Jul 25, 2016 at 9:07 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> Hello,
>
> Thanks for adding these audit events. I have just one question below.
>
> On Monday, July 25, 2016 6:37:06 PM EDT Miroslav Vadkerti wrote:
> > Common Criteria requirement FMT_MSA.1 needs any configuration change
> > that affects enforcement of policy to be audited. This patch adds
> > auditing of changes in security context mappings for network ports,
> > interfaces, nodes and file contexts.
> >
> > A new function log_change is introduced that audits additions,
> > modification and removal of the mappings via the USER_MAC_CONFIG_CHANGE
> > audit event.
> >
> > The format of the audit events was discussed with the audit userspace
> > maintainer.
> >
> > This patch resolves: https://bugzilla.redhat.com/show_bug.cgi?id=829175
> >
> > Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
> > ---
> > policycoreutils/semanage/seobject.py | 75
> > ++++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+)
> >
> > diff --git a/policycoreutils/semanage/seobject.py
> > b/policycoreutils/semanage/seobject.py index 3b0b108..799ce24 100644
> > --- a/policycoreutils/semanage/seobject.py
> > +++ b/policycoreutils/semanage/seobject.py
> > @@ -82,6 +82,21 @@ file_type_str_to_option = {"all files": "a",
> > "socket file": "s",
> > "symbolic link": "l",
> > "named pipe": "p"}
> > +
> > +proto_to_audit = {"tcp": 17,
> > + "udp": 6,
> > + "ipv4": 4,
> > + "ipv6": 41}
> > +
> > +ftype_to_audit = {"": "any",
> > + "b": "block",
> > + "c": "char",
> > + "d": "dir",
> > + "f": "file",
> > + "l": "symlink",
> > + "p": "pipe",
> > + "s": "socket"}
> > +
> > try:
> > import audit
> >
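Review bot: in proto_to_audit the TCP and UDP numbers are swapped; IANA assigns 6 to TCP and 17 to UDP, so every port event from this version would carry the wrong proto= value. This needs `"tcp": 6, "udp": 17` and should be fixed in any resubmission along with the hostname/addr/tty change discussed above.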
> > @@ -90,6 +105,7 @@ try:
> > def __init__(self):
> > self.audit_fd = audit.audit_open()
> > self.log_list = []
> > + self.log_change_list = []
> >
> > def log(self, msg, name="", sename="", serole="", serange="",
> > oldsename="", oldserole="", oldserange=""):
> >
> > @@ -109,10 +125,17 @@ try:
> > def log_remove(self, msg, name="", sename="", serole="",
> > serange="", oldsename="", oldserole="", oldserange=""):
> > self.log_list.append([self.audit_fd, audit.AUDIT_ROLE_REMOVE,
> sys.argv[0],
> > str(msg), name, 0, sename, serole, serange, oldsename, oldserole,
> > oldserange, "", "", ""])
> >
> > + def log_change(self, msg, hostname="", addr="", tty=""):
> > + self.log_change_list.append([self.audit_fd,
> > audit.AUDIT_USER_MAC_CONFIG_CHANGE, str(msg), "semanage", hostname, addr,
> > tty]) +
> > def commit(self, success):
> > for l in self.log_list:
> > audit.audit_log_semanage_message(*(l + [success]))
> > + for l in self.log_change_list:
> > + audit.audit_log_user_comm_message(*(l + [success]))
> > +
> > self.log_list = []
> > + self.log_change_list = []
> > except:
> > class logger:
> >
> > @@ -138,6 +161,9 @@ except:
> > def log_remove(self, msg, name="", sename="", serole="",
> > serange="", oldsename="", oldserole="", oldserange=""): self.log(msg,
> name,
> > sename, serole, serange, oldsename, oldserole, oldserange)
> >
> > + def log_change(self, msg, hostname="", addr="", tty=""):
> > + self.log_list.append(" %s" % msg)
> > +
>
> Is it really necessary to do something with hostname, addr, & tty here...
>
> > def commit(self, success):
> > if success == 1:
> > message = "Successful: "
> > @@ -155,6 +181,9 @@ class nulllogger:
> > def log_remove(self, msg, name="", sename="", serole="", serange="",
> > oldsename="", oldserole="", oldserange=""): pass
> >
> > + def log_change(self, msg, hostname="", addr="", tty=""):
> > + pass
> > +
>
> and here? I think those are already handled in the audit logging function.
>
> -Steve
>
> > def commit(self, success):
> > pass
> >
> > @@ -1109,6 +1138,8 @@ class portRecords(semanageRecords):
> > semanage_port_key_free(k)
> > semanage_port_free(p)
> >
> > + self.mylog.log_change("resrc=port op=add lport=%s proto=%s
> > tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u",
> > "object_r", type, serange)) +
> > def add(self, port, proto, serange, type):
> > self.begin()
> > self.__add(port, proto, serange, type)
> > @@ -1150,6 +1181,8 @@ class portRecords(semanageRecords):
> > semanage_port_key_free(k)
> > semanage_port_free(p)
> >
> > + self.mylog.log_change("resrc=port op=modify lport=%s proto=%s
> > tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u",
> > "object_r", setype, serange)) +
> > def modify(self, port, proto, serange, setype):
> > self.begin()
> > self.__modify(port, proto, serange, setype)
> > @@ -1168,6 +1201,7 @@ class portRecords(semanageRecords):
> > low = semanage_port_get_low(port)
> > high = semanage_port_get_high(port)
> > port_str = "%s-%s" % (low, high)
> > +
> > (k, proto_d, low, high) = self.__genkey(port_str, proto_str)
> > if rc < 0:
> > raise ValueError(_("Could not create a key for %s") %
> > port_str) @@ -1177,6 +1211,11 @@ class portRecords(semanageRecords):
> > raise ValueError(_("Could not delete the port %s") %
> > port_str) semanage_port_key_free(k)
> >
> > + if low == high:
> > + port_str = low
> > +
> > + self.mylog.log_change("resrc=port op=delete lport=%s
> proto=%s"
> > % (port_str, proto_to_audit[proto_str])) +
> > self.commit()
> >
> > def __delete(self, port, proto):
> > @@ -1199,6 +1238,8 @@ class portRecords(semanageRecords):
> >
> > semanage_port_key_free(k)
> >
> > + self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" %
> > (port, proto_to_audit[proto])) +
> > def delete(self, port, proto):
> > self.begin()
> > self.__delete(port, proto)
> > @@ -1380,6 +1421,8 @@ class nodeRecords(semanageRecords):
> > semanage_node_key_free(k)
> > semanage_node_free(node)
> >
> > + self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s
> > proto=%s tcontext=%s:%s:%s:%s" % (addr, mask,
> > proto_to_audit[self.protocol[proto]], "system_u", "object_r", ctype,
> > serange)) +
> > def add(self, addr, mask, proto, serange, ctype):
> > self.begin()
> > self.__add(addr, mask, proto, serange, ctype)
> > @@ -1421,6 +1464,8 @@ class nodeRecords(semanageRecords):
> > semanage_node_key_free(k)
> > semanage_node_free(node)
> >
> > + self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s
> > proto=%s tcontext=%s:%s:%s:%s" % (addr, mask,
> > proto_to_audit[self.protocol[proto]], "system_u", "object_r", setype,
> > serange)) +
> > def modify(self, addr, mask, proto, serange, setype):
> > self.begin()
> > self.__modify(addr, mask, proto, serange, setype)
> > @@ -1452,6 +1497,8 @@ class nodeRecords(semanageRecords):
> >
> > semanage_node_key_free(k)
> >
> > + self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s
> > proto=%s" % (addr, mask, proto_to_audit[self.protocol[proto]])) +
> > def delete(self, addr, mask, proto):
> > self.begin()
> > self.__delete(addr, mask, proto)
> > @@ -1581,6 +1628,8 @@ class interfaceRecords(semanageRecords):
> > semanage_iface_key_free(k)
> > semanage_iface_free(iface)
> >
> > + self.mylog.log_change("resrc=interface op=add netif=%s
> > tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", ctype,
> > serange)) +
> > def add(self, interface, serange, ctype):
> > self.begin()
> > self.__add(interface, serange, ctype)
> > @@ -1618,6 +1667,8 @@ class interfaceRecords(semanageRecords):
> > semanage_iface_key_free(k)
> > semanage_iface_free(iface)
> >
> > + self.mylog.log_change("resrc=interface op=modify netif=%s
> > tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", setype,
> > serange)) +
> > def modify(self, interface, serange, setype):
> > self.begin()
> > self.__modify(interface, serange, setype)
> > @@ -1646,6 +1697,8 @@ class interfaceRecords(semanageRecords):
> >
> > semanage_iface_key_free(k)
> >
> > + self.mylog.log_change("resrc=interface op=delete netif=%s" %
> > interface) +
> > def delete(self, interface):
> > self.begin()
> > self.__delete(interface)
> > @@ -1775,6 +1828,8 @@ class fcontextRecords(semanageRecords):
> > if i.startswith(target + "/"):
> > raise ValueError(_("File spec %s conflicts with
> > equivalency rule '%s %s'") % (target, i, fdict[i]))
> >
> > + self.mylog.log_change("resrc=fcontext op=add-equal %s %s" %
> > (audit.audit_encode_nv_string("sglob", target, 0),
> > audit.audit_encode_nv_string("tglob", substitute, 0))) +
> > self.equiv[target] = substitute
> > self.equal_ind = True
> > self.commit()
> > @@ -1785,6 +1840,9 @@ class fcontextRecords(semanageRecords):
> > raise ValueError(_("Equivalence class for %s does not
> exists")
> > % target) self.equiv[target] = substitute
> > self.equal_ind = True
> > +
> > + self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" %
> > (audit.audit_encode_nv_string("sglob", target, 0),
> > audit.audit_encode_nv_string("tglob", substitute, 0))) +
> > self.commit()
> >
> > def createcon(self, target, seuser="system_u"):
> > @@ -1879,6 +1937,11 @@ class fcontextRecords(semanageRecords):
> > semanage_fcontext_key_free(k)
> > semanage_fcontext_free(fcontext)
> >
> > + if not seuser:
> > + seuser = "system_u"
> > +
> > + self.mylog.log_change("resrc=fcontext op=add %s ftype=%s
> > tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target,
> 0),
> > ftype_to_audit[ftype], seuser, "object_r", type, serange)) +
> > def add(self, target, type, ftype="", serange="",
> seuser="system_u"):
> > self.begin()
> > self.__add(target, type, ftype, serange, seuser)
> > @@ -1939,6 +2002,11 @@ class fcontextRecords(semanageRecords):
> > semanage_fcontext_key_free(k)
> > semanage_fcontext_free(fcontext)
> >
> > + if not seuser:
> > + seuser = "system_u"
> > +
> > + self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s
> > tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target,
> 0),
> > ftype_to_audit[ftype], seuser, "object_r", type, serange)) +
> > def modify(self, target, setype, ftype, serange, seuser):
> > self.begin()
> > self.__modify(target, setype, ftype, serange, seuser)
> > @@ -1964,6 +2032,8 @@ class fcontextRecords(semanageRecords):
> > raise ValueError(_("Could not delete the file context
> %s")
> > % target) semanage_fcontext_key_free(k)
> >
> > + self.mylog.log_change("resrc=fcontext op=delete %s
> ftype=%s" %
> > (audit.audit_encode_nv_string("tglob", target, 0),
> > ftype_to_audit[ftype_str])) +
> > self.equiv = {}
> > self.equal_ind = True
> > self.commit()
> > @@ -1972,6 +2042,9 @@ class fcontextRecords(semanageRecords):
> > if target in self.equiv.keys():
> > self.equiv.pop(target)
> > self.equal_ind = True
> > +
> > + self.mylog.log_change("resrc=fcontext op=delete-equal %s
> > ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0),
> > ftype_to_audit[ftype])) +
> > return
> >
> > (rc, k) = semanage_fcontext_key_create(self.sh, target,
> > file_types[ftype]) @@ -1996,6 +2069,8 @@ class
> > fcontextRecords(semanageRecords):
> >
> > semanage_fcontext_key_free(k)
> >
> > + self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" %
> > (audit.audit_encode_nv_string("tglob", target, 0),
> ftype_to_audit[ftype]))
> > +
> > def delete(self, target, ftype):
> > self.begin()
> > self.__delete(target, ftype)
>
>
>
--
Miroslav Vadkerti :: Senior QE / RHCSS :: BaseOS QE Security
IRC mvadkert #qe #urt #brno #rpmdiff :: GPG 0x25881087
Desk Phone +420 532 294 129 :: Mobile +420 773 944 252
Red Hat Czech s.r.o, Purkyňova 99/71, 612 00, Brno, CR
^ permalink raw reply
* Auditing device files
From: Pavithra P @ 2016-07-26 9:00 UTC (permalink / raw)
To: linux-audit
Hi,
I am trying to see what commands are typed in my terminal and serial
port. For that I am using the auditd daemon, which helps me in auditing
files.
I thought of creating audit rules on /dev/tty and /dev/ttyAMA0 for
seeing what's happening on the terminal and serial device respectively:
auditctl -w /dev/tty -p rwx -k terminal
auditctl -w /dev/ttyAMA0 -p rwx -k serialport
But this records only the echo on tty. I can't audit all the commands
typed on the terminal. I enabled tty logging in the PAM file too by
adding "session required pam_tty_audit.so enable=*" in the /etc/pam.d/sshd
file.
Is there any other way to do this auditing? I want to use the auditd
daemon only so that all my audit logs are in one file.
--
With regards,
P Pavithra
^ permalink raw reply
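The keystrokes asked about above are carried by the type=TTY records that pam_tty_audit makes the kernel emit; a `-w /dev/tty` watch only records syscalls on the device node. In the raw log the data= field of a TTY record is the typed input, hex-encoded, and one command line is often spread over several records. The Python 3 script below is an added example (not from the mail above or from the audit project) that regroups such records per login session, process and device and renders them readably. The log lines in it are constructed, and the major/minor to device-name mapping is assumed from the kernel's devices.txt (4 = tty/ttyS, 136 = pts, 204 minor 64 = ttyAMA0).

```python
"""Reconstruct typed input from audit TTY records (added example)."""
import re
from collections import defaultdict

# Constructed sample records in the raw form auditd writes to audit.log:
# a bash on pts/1 typing "ls -la /etc" split over two records, a shell on
# the ARM serial console ttyAMA0, then "top" interrupted with Ctrl-C.
SAMPLE_LOG = """\
type=TTY msg=audit(1469524800.101:201): tty pid=2314 uid=1000 auid=1000 ses=4 major=136 minor=1 comm="bash" data=6C73202D6C61202F
type=TTY msg=audit(1469524800.102:202): tty pid=2314 uid=1000 auid=1000 ses=4 major=136 minor=1 comm="bash" data=6574630A
type=TTY msg=audit(1469524801.500:203): tty pid=2390 uid=0 auid=1000 ses=5 major=204 minor=64 comm="sh" data=7265626F6F740A
type=TTY msg=audit(1469524802.010:204): tty pid=2314 uid=1000 auid=1000 ses=4 major=136 minor=1 comm="bash" data=746F7003
type=EOE msg=audit(1469524802.011:205):
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_SERIAL = re.compile(r'msg=audit\((\d+)\.(\d+):(\d+)\)')


def parse_record(line):
    """Return the key=value fields of one audit line as a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def device_name(major, minor):
    """Map a tty major/minor pair to its usual /dev name (mapping assumed from
    Documentation/admin-guide/devices.txt; unknown pairs stay numeric)."""
    if major == 4:
        return "tty%d" % minor if minor < 64 else "ttyS%d" % (minor - 64)
    if 136 <= major <= 143:                      # Unix98 pty slaves
        return "pts/%d" % ((major - 136) * 256 + minor)
    if major == 204 and 64 <= minor <= 77:       # AMBA PL011 serial ports
        return "ttyAMA%d" % (minor - 64)
    return "%d:%d" % (major, minor)


def render(raw):
    """Render keystroke bytes the way a reviewer wants to read them:
    newline as <ret>, other control characters as <^X>, non-ASCII as hex."""
    out = []
    for b in raw:
        if b in (0x0A, 0x0D):
            out.append("<ret>")
        elif b == 0x7F:
            out.append("<del>")
        elif b < 0x20:
            out.append("<^%c>" % chr(b + 0x40))
        elif b < 0x7F:
            out.append(chr(b))
        else:
            out.append("<0x%02X>" % b)
    return "".join(out)


def reconstruct(log_text):
    """Group TTY records per (auid, ses, pid, device), concatenate their
    keystrokes in serial-number order and split them into typed lines."""
    records = []
    for line in log_text.splitlines():
        if not line.startswith("type=TTY "):
            continue
        serial = int(_SERIAL.search(line).group(3))
        records.append((serial, parse_record(line)))
    streams = defaultdict(bytearray)
    for _, rec in sorted(records, key=lambda r: r[0]):
        key = (int(rec["auid"]), int(rec["ses"]), int(rec["pid"]),
               device_name(int(rec["major"]), int(rec["minor"])))
        streams[key] += bytes.fromhex(rec["data"])
    result = {}
    for key, data in streams.items():
        chunks = data.split(b"\n")
        if chunks and chunks[-1] == b"":
            chunks.pop()                         # trailing newline, no partial line
        result[key] = [render(c) for c in chunks]
    return result


if __name__ == "__main__":
    for (auid, ses, pid, dev), lines in sorted(reconstruct(SAMPLE_LOG).items()):
        for text in lines:
            print("auid=%d ses=%d pid=%d %s: %s" % (auid, ses, pid, dev, text))
```

Run it against real data with `ausearch -m TTY --raw | python3 tty_decode.py` style piping after replacing SAMPLE_LOG with stdin; keying on the login session (ses) rather than only pid is what lets you attribute a serial-console command to the user who logged in, since auid survives su and sudo.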
* Re: [PATCH 1/2] semanage: add auditing of changes in records
From: Steve Grubb @ 2016-07-25 19:07 UTC (permalink / raw)
To: linux-audit; +Cc: selinux
In-Reply-To: <1469464627-2159-1-git-send-email-mvadkert@redhat.com>
Hello,
Thanks for adding these audit events. I have just one question below.
On Monday, July 25, 2016 6:37:06 PM EDT Miroslav Vadkerti wrote:
> Common Criteria requirement FMT_MSA.1 needs any configuration change
> that affects enforcement of policy to be audited. This patch adds
> auditing of changes in security context mappings for network ports,
> interfaces, nodes and file contexts.
>
> A new function log_change is introduced that audits additions,
> modification and removal of the mappings via the USER_MAC_CONFIG_CHANGE
> audit event.
>
> The format of the audit events was discussed with the audit userspace
> maintainer.
>
> This patch resolves: https://bugzilla.redhat.com/show_bug.cgi?id=829175
>
> Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
> ---
> policycoreutils/semanage/seobject.py | 75
> ++++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+)
>
> diff --git a/policycoreutils/semanage/seobject.py
> b/policycoreutils/semanage/seobject.py index 3b0b108..799ce24 100644
> --- a/policycoreutils/semanage/seobject.py
> +++ b/policycoreutils/semanage/seobject.py
> @@ -82,6 +82,21 @@ file_type_str_to_option = {"all files": "a",
> "socket file": "s",
> "symbolic link": "l",
> "named pipe": "p"}
> +
> +proto_to_audit = {"tcp": 17,
> + "udp": 6,
> + "ipv4": 4,
> + "ipv6": 41}
> +
> +ftype_to_audit = {"": "any",
> + "b": "block",
> + "c": "char",
> + "d": "dir",
> + "f": "file",
> + "l": "symlink",
> + "p": "pipe",
> + "s": "socket"}
> +
> try:
> import audit
>
> @@ -90,6 +105,7 @@ try:
> def __init__(self):
> self.audit_fd = audit.audit_open()
> self.log_list = []
> + self.log_change_list = []
>
> def log(self, msg, name="", sename="", serole="", serange="",
> oldsename="", oldserole="", oldserange=""):
>
> @@ -109,10 +125,17 @@ try:
> def log_remove(self, msg, name="", sename="", serole="",
> serange="", oldsename="", oldserole="", oldserange=""):
> self.log_list.append([self.audit_fd, audit.AUDIT_ROLE_REMOVE, sys.argv[0],
> str(msg), name, 0, sename, serole, serange, oldsename, oldserole,
> oldserange, "", "", ""])
>
> + def log_change(self, msg, hostname="", addr="", tty=""):
> + self.log_change_list.append([self.audit_fd,
> audit.AUDIT_USER_MAC_CONFIG_CHANGE, str(msg), "semanage", hostname, addr,
> tty]) +
> def commit(self, success):
> for l in self.log_list:
> audit.audit_log_semanage_message(*(l + [success]))
> + for l in self.log_change_list:
> + audit.audit_log_user_comm_message(*(l + [success]))
> +
> self.log_list = []
> + self.log_change_list = []
> except:
> class logger:
>
> @@ -138,6 +161,9 @@ except:
> def log_remove(self, msg, name="", sename="", serole="",
> serange="", oldsename="", oldserole="", oldserange=""): self.log(msg, name,
> sename, serole, serange, oldsename, oldserole, oldserange)
>
> + def log_change(self, msg, hostname="", addr="", tty=""):
> + self.log_list.append(" %s" % msg)
> +
Is it really necessary to do something with hostname, addr, & tty here...
> def commit(self, success):
> if success == 1:
> message = "Successful: "
> @@ -155,6 +181,9 @@ class nulllogger:
> def log_remove(self, msg, name="", sename="", serole="", serange="",
> oldsename="", oldserole="", oldserange=""): pass
>
> + def log_change(self, msg, hostname="", addr="", tty=""):
> + pass
> +
and here? I think those are already handled in the audit logging function.
-Steve
> def commit(self, success):
> pass
>
> @@ -1109,6 +1138,8 @@ class portRecords(semanageRecords):
> semanage_port_key_free(k)
> semanage_port_free(p)
>
> + self.mylog.log_change("resrc=port op=add lport=%s proto=%s
> tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u",
> "object_r", type, serange)) +
> def add(self, port, proto, serange, type):
> self.begin()
> self.__add(port, proto, serange, type)
> @@ -1150,6 +1181,8 @@ class portRecords(semanageRecords):
> semanage_port_key_free(k)
> semanage_port_free(p)
>
> + self.mylog.log_change("resrc=port op=modify lport=%s proto=%s
> tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u",
> "object_r", setype, serange)) +
> def modify(self, port, proto, serange, setype):
> self.begin()
> self.__modify(port, proto, serange, setype)
> @@ -1168,6 +1201,7 @@ class portRecords(semanageRecords):
> low = semanage_port_get_low(port)
> high = semanage_port_get_high(port)
> port_str = "%s-%s" % (low, high)
> +
> (k, proto_d, low, high) = self.__genkey(port_str, proto_str)
> if rc < 0:
> raise ValueError(_("Could not create a key for %s") %
> port_str) @@ -1177,6 +1211,11 @@ class portRecords(semanageRecords):
> raise ValueError(_("Could not delete the port %s") %
> port_str) semanage_port_key_free(k)
>
> + if low == high:
> + port_str = low
> +
> + self.mylog.log_change("resrc=port op=delete lport=%s proto=%s"
> % (port_str, proto_to_audit[proto_str])) +
> self.commit()
>
> def __delete(self, port, proto):
> @@ -1199,6 +1238,8 @@ class portRecords(semanageRecords):
>
> semanage_port_key_free(k)
>
> + self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" %
> (port, proto_to_audit[proto])) +
> def delete(self, port, proto):
> self.begin()
> self.__delete(port, proto)
> @@ -1380,6 +1421,8 @@ class nodeRecords(semanageRecords):
> semanage_node_key_free(k)
> semanage_node_free(node)
>
> + self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s
> proto=%s tcontext=%s:%s:%s:%s" % (addr, mask,
> proto_to_audit[self.protocol[proto]], "system_u", "object_r", ctype,
> serange)) +
> def add(self, addr, mask, proto, serange, ctype):
> self.begin()
> self.__add(addr, mask, proto, serange, ctype)
> @@ -1421,6 +1464,8 @@ class nodeRecords(semanageRecords):
> semanage_node_key_free(k)
> semanage_node_free(node)
>
> + self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s
> proto=%s tcontext=%s:%s:%s:%s" % (addr, mask,
> proto_to_audit[self.protocol[proto]], "system_u", "object_r", setype,
> serange)) +
> def modify(self, addr, mask, proto, serange, setype):
> self.begin()
> self.__modify(addr, mask, proto, serange, setype)
> @@ -1452,6 +1497,8 @@ class nodeRecords(semanageRecords):
>
> semanage_node_key_free(k)
>
> + self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s
> proto=%s" % (addr, mask, proto_to_audit[self.protocol[proto]])) +
> def delete(self, addr, mask, proto):
> self.begin()
> self.__delete(addr, mask, proto)
> @@ -1581,6 +1628,8 @@ class interfaceRecords(semanageRecords):
> semanage_iface_key_free(k)
> semanage_iface_free(iface)
>
> + self.mylog.log_change("resrc=interface op=add netif=%s
> tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", ctype,
> serange)) +
> def add(self, interface, serange, ctype):
> self.begin()
> self.__add(interface, serange, ctype)
> @@ -1618,6 +1667,8 @@ class interfaceRecords(semanageRecords):
> semanage_iface_key_free(k)
> semanage_iface_free(iface)
>
> + self.mylog.log_change("resrc=interface op=modify netif=%s
> tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", setype,
> serange)) +
> def modify(self, interface, serange, setype):
> self.begin()
> self.__modify(interface, serange, setype)
> @@ -1646,6 +1697,8 @@ class interfaceRecords(semanageRecords):
>
> semanage_iface_key_free(k)
>
> + self.mylog.log_change("resrc=interface op=delete netif=%s" %
> interface) +
> def delete(self, interface):
> self.begin()
> self.__delete(interface)
> @@ -1775,6 +1828,8 @@ class fcontextRecords(semanageRecords):
> if i.startswith(target + "/"):
> raise ValueError(_("File spec %s conflicts with
> equivalency rule '%s %s'") % (target, i, fdict[i]))
>
> + self.mylog.log_change("resrc=fcontext op=add-equal %s %s" %
> (audit.audit_encode_nv_string("sglob", target, 0),
> audit.audit_encode_nv_string("tglob", substitute, 0))) +
> self.equiv[target] = substitute
> self.equal_ind = True
> self.commit()
> @@ -1785,6 +1840,9 @@ class fcontextRecords(semanageRecords):
> raise ValueError(_("Equivalence class for %s does not exists")
> % target) self.equiv[target] = substitute
> self.equal_ind = True
> +
> + self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" %
> (audit.audit_encode_nv_string("sglob", target, 0),
> audit.audit_encode_nv_string("tglob", substitute, 0))) +
> self.commit()
>
> def createcon(self, target, seuser="system_u"):
> @@ -1879,6 +1937,11 @@ class fcontextRecords(semanageRecords):
> semanage_fcontext_key_free(k)
> semanage_fcontext_free(fcontext)
>
> + if not seuser:
> + seuser = "system_u"
> +
> + self.mylog.log_change("resrc=fcontext op=add %s ftype=%s
> tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0),
> ftype_to_audit[ftype], seuser, "object_r", type, serange)) +
> def add(self, target, type, ftype="", serange="", seuser="system_u"):
> self.begin()
> self.__add(target, type, ftype, serange, seuser)
> @@ -1939,6 +2002,11 @@ class fcontextRecords(semanageRecords):
> semanage_fcontext_key_free(k)
> semanage_fcontext_free(fcontext)
>
> + if not seuser:
> + seuser = "system_u"
> +
> + self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s
> tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0),
> ftype_to_audit[ftype], seuser, "object_r", type, serange)) +
> def modify(self, target, setype, ftype, serange, seuser):
> self.begin()
> self.__modify(target, setype, ftype, serange, seuser)
> @@ -1964,6 +2032,8 @@ class fcontextRecords(semanageRecords):
> raise ValueError(_("Could not delete the file context %s")
> % target) semanage_fcontext_key_free(k)
>
> + self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" %
> (audit.audit_encode_nv_string("tglob", target, 0),
> ftype_to_audit[ftype_str])) +
> self.equiv = {}
> self.equal_ind = True
> self.commit()
> @@ -1972,6 +2042,9 @@ class fcontextRecords(semanageRecords):
> if target in self.equiv.keys():
> self.equiv.pop(target)
> self.equal_ind = True
> +
> + self.mylog.log_change("resrc=fcontext op=delete-equal %s
> ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0),
> ftype_to_audit[ftype])) +
> return
>
> (rc, k) = semanage_fcontext_key_create(self.sh, target,
> file_types[ftype]) @@ -1996,6 +2069,8 @@ class
> fcontextRecords(semanageRecords):
>
> semanage_fcontext_key_free(k)
>
> + self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" %
> (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
> +
> def delete(self, target, ftype):
> self.begin()
> self.__delete(target, ftype)
^ permalink raw reply
* [PATCH 2/2] semanage: fix modify action in node and interface
From: Miroslav Vadkerti @ 2016-07-25 16:37 UTC (permalink / raw)
To: selinux; +Cc: linux-audit
In-Reply-To: <1469464627-2159-1-git-send-email-mvadkert@redhat.com>
The modify actions of security context mappings for
interface and node actually called the add action.
Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
---
policycoreutils/semanage/semanage | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policycoreutils/semanage/semanage b/policycoreutils/semanage/semanage
index 954411d..b199ebe 100644
--- a/policycoreutils/semanage/semanage
+++ b/policycoreutils/semanage/semanage
@@ -524,7 +524,7 @@ def handleInterface(args):
if args.action is "add":
OBJECT.add(args.interface, args.range, args.type)
if args.action is "modify":
- OBJECT.add(args.interface, args.range, args.type)
+ OBJECT.modify(args.interface, args.range, args.type)
if args.action is "delete":
OBJECT.delete(args.interface)
if args.action is "list":
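Review bot: the one-line fix is right, but the surrounding `if args.action is "add":` context lines compare strings with `is`, which tests object identity and only works because CPython happens to intern short literal strings. Since this hunk already touches the block, change the comparisons to `==` in the same series, or dispatch through a dict mapping the action name to the OBJECT method, which also removes the copy-and-paste that produced this bug.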
@@ -607,7 +607,7 @@ def handleNode(args):
if args.action is "add":
OBJECT.add(args.node, args.netmask, args.proto, args.range, args.type)
if args.action is "modify":
- OBJECT.add(args.node, args.netmask, args.proto, args.range, args.type)
+ OBJECT.modify(args.node, args.netmask, args.proto, args.range, args.type)
if args.action is "delete":
OBJECT.delete(args.node, args.netmask, args.proto)
if args.action is "list":
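Review bot: same `is` comparison issue as in handleInterface above. Also, because modify silently behaved as add for both resources, nothing exercised either path; a CLI test that `semanage node -m` and `semanage interface -m` change the context of an existing record would catch a regression here.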
--
1.8.3.1
^ permalink raw reply related
* [PATCH 1/2] semanage: add auditing of changes in records
From: Miroslav Vadkerti @ 2016-07-25 16:37 UTC (permalink / raw)
To: selinux; +Cc: linux-audit
Common Criteria requirement FMT_MSA.1 needs any configuration change
that affects enforcement of policy to be audited. This patch adds
auditing of changes in security context mappings for network ports,
interfaces, nodes and file contexts.
A new function log_change is introduced that audits additions,
modification and removal of the mappings via the USER_MAC_CONFIG_CHANGE
audit event.
The format of the audit events was discussed with the audit userspace
maintainer.
This patch resolves: https://bugzilla.redhat.com/show_bug.cgi?id=829175
Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
---
policycoreutils/semanage/seobject.py | 75 ++++++++++++++++++++++++++++++++++++
1 file changed, 75 insertions(+)
diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
index 3b0b108..799ce24 100644
--- a/policycoreutils/semanage/seobject.py
+++ b/policycoreutils/semanage/seobject.py
@@ -82,6 +82,21 @@ file_type_str_to_option = {"all files": "a",
"socket file": "s",
"symbolic link": "l",
"named pipe": "p"}
+
+proto_to_audit = {"tcp": 17,
+ "udp": 6,
+ "ipv4": 4,
+ "ipv6": 41}
+
+ftype_to_audit = {"": "any",
+ "b": "block",
+ "c": "char",
+ "d": "dir",
+ "f": "file",
+ "l": "symlink",
+ "p": "pipe",
+ "s": "socket"}
+
try:
import audit
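Review bot: proto_to_audit has the TCP and UDP numbers swapped. IANA (and /etc/protocols) assign 6 to TCP and 17 to UDP, so `"tcp": 17` and `"udp": 6` stamp every port record with the wrong protocol and will mislead anyone correlating these events with other records; change them to `"tcp": 6, "udp": 17` and add a comment naming the numbering scheme, since nothing else in this file uses numeric protocols. Separately, ftype_to_audit has no "a" key even though file_type_str_to_option just above maps "all files" to "a", so a caller that passes the option letter rather than "" raises KeyError from the logging line; add `"a": "any"`.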
@@ -90,6 +105,7 @@ try:
def __init__(self):
self.audit_fd = audit.audit_open()
self.log_list = []
+ self.log_change_list = []
def log(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
@@ -109,10 +125,17 @@ try:
def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
self.log_list.append([self.audit_fd, audit.AUDIT_ROLE_REMOVE, sys.argv[0], str(msg), name, 0, sename, serole, serange, oldsename, oldserole, oldserange, "", "", ""])
+ def log_change(self, msg, hostname="", addr="", tty=""):
+ self.log_change_list.append([self.audit_fd, audit.AUDIT_USER_MAC_CONFIG_CHANGE, str(msg), "semanage", hostname, addr, tty])
+
def commit(self, success):
for l in self.log_list:
audit.audit_log_semanage_message(*(l + [success]))
+ for l in self.log_change_list:
+ audit.audit_log_user_comm_message(*(l + [success]))
+
self.log_list = []
+ self.log_change_list = []
except:
class logger:
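Review bot: nothing in this patch passes hostname, addr or tty to log_change, so the three parameters only widen the signature, and as Steve's reply in this thread points out the audit logging function fills those fields in itself; drop them and append the placeholders in commit() instead. While here, commit() should clear both lists in a finally block: if audit_log_semanage_message raises in the first loop, log_change_list is never flushed and its stale entries are emitted with the next transaction's success flag.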
@@ -138,6 +161,9 @@ except:
def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
self.log(msg, name, sename, serole, serange, oldsename, oldserole, oldserange)
+ def log_change(self, msg, hostname="", addr="", tty=""):
+ self.log_list.append(" %s" % msg)
+
def commit(self, success):
if success == 1:
message = "Successful: "
@@ -155,6 +181,9 @@ class nulllogger:
def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
pass
+ def log_change(self, msg, hostname="", addr="", tty=""):
+ pass
+
def commit(self, success):
pass
@@ -1109,6 +1138,8 @@ class portRecords(semanageRecords):
semanage_port_key_free(k)
semanage_port_free(p)
+ self.mylog.log_change("resrc=port op=add lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u", "object_r", type, serange))
+
def add(self, port, proto, serange, type):
self.begin()
self.__add(port, proto, serange, type)
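Review bot: the record is only emitted on the success path. Every exception __add raises before this line (the "Could not ..." ValueErrors seen elsewhere in this file) returns without calling log_change, so a failed attempt to change a port mapping leaves no USER_MAC_CONFIG_CHANGE record at all, even though commit() already carries a success flag that could render it as res=failed. Consider queueing the record with success=0 in the error paths before the exception propagates. A smaller point that applies to every tcontext= message in the patch: when serange is empty (its default in add() further down) the context is rendered as `system_u:object_r:<type>:` with a trailing colon; either omit the range component or build tcontext from the context libsemanage actually stored.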
@@ -1150,6 +1181,8 @@ class portRecords(semanageRecords):
semanage_port_key_free(k)
semanage_port_free(p)
+ self.mylog.log_change("resrc=port op=modify lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u", "object_r", setype, serange))
+
def modify(self, port, proto, serange, setype):
self.begin()
self.__modify(port, proto, serange, setype)
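Review bot: the modify record carries only the new type and range. The role logging just above (log_remove and friends take oldsename, oldserole, oldserange) already follows the convention of recording the previous value on a change, and an auditor reading op=modify cannot tell what the new type replaced. Capture the old context before the new one is set on the record and add it to the message, for example as old_tcontext=, here and in the node, interface and fcontext modify hunks.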
@@ -1168,6 +1201,7 @@ class portRecords(semanageRecords):
low = semanage_port_get_low(port)
high = semanage_port_get_high(port)
port_str = "%s-%s" % (low, high)
+
(k, proto_d, low, high) = self.__genkey(port_str, proto_str)
if rc < 0:
raise ValueError(_("Could not create a key for %s") % port_str)
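Review bot: this hunk adds only a blank line; drop it as an unrelated whitespace change. While reading it: the `if rc < 0:` right after `(k, proto_d, low, high) = self.__genkey(port_str, proto_str)` tests an rc that this tuple assignment does not set, so the key-creation failure it is meant to catch is never reported from here. That is pre-existing, but worth a follow-up patch.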
@@ -1177,6 +1211,11 @@ class portRecords(semanageRecords):
raise ValueError(_("Could not delete the port %s") % port_str)
semanage_port_key_free(k)
+ if low == high:
+ port_str = low
+
+ self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port_str, proto_to_audit[proto_str]))
+
self.commit()
def __delete(self, port, proto):
@@ -1199,6 +1238,8 @@ class portRecords(semanageRecords):
semanage_port_key_free(k)
+ self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port, proto_to_audit[proto]))
+
def delete(self, port, proto):
self.begin()
self.__delete(port, proto)
@@ -1380,6 +1421,8 @@ class nodeRecords(semanageRecords):
semanage_node_key_free(k)
semanage_node_free(node)
+ self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, proto_to_audit[self.protocol[proto]], "system_u", "object_r", ctype, serange))
+
def add(self, addr, mask, proto, serange, ctype):
self.begin()
self.__add(addr, mask, proto, serange, ctype)
@@ -1421,6 +1464,8 @@ class nodeRecords(semanageRecords):
semanage_node_key_free(k)
semanage_node_free(node)
+ self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, proto_to_audit[self.protocol[proto]], "system_u", "object_r", setype, serange))
+
def modify(self, addr, mask, proto, serange, setype):
self.begin()
self.__modify(addr, mask, proto, serange, setype)
@@ -1452,6 +1497,8 @@ class nodeRecords(semanageRecords):
semanage_node_key_free(k)
+ self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, proto_to_audit[self.protocol[proto]]))
+
def delete(self, addr, mask, proto):
self.begin()
self.__delete(addr, mask, proto)
@@ -1581,6 +1628,8 @@ class interfaceRecords(semanageRecords):
semanage_iface_key_free(k)
semanage_iface_free(iface)
+ self.mylog.log_change("resrc=interface op=add netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", ctype, serange))
+
def add(self, interface, serange, ctype):
self.begin()
self.__add(interface, serange, ctype)
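Review bot: netif=%s interpolates the interface name raw, while the fcontext hunks below wrap their paths in audit_encode_nv_string. The name comes straight from the command line and is not validated against existing devices, so a value containing a space or a double quote splits into extra key=value pairs in the record. Use `audit.audit_encode_nv_string("netif", interface, 0)` here and in the interface modify/delete hunks, and treat laddr= and netmask= in the node hunks the same way.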
@@ -1618,6 +1667,8 @@ class interfaceRecords(semanageRecords):
semanage_iface_key_free(k)
semanage_iface_free(iface)
+ self.mylog.log_change("resrc=interface op=modify netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", setype, serange))
+
def modify(self, interface, serange, setype):
self.begin()
self.__modify(interface, serange, setype)
@@ -1646,6 +1697,8 @@ class interfaceRecords(semanageRecords):
semanage_iface_key_free(k)
+ self.mylog.log_change("resrc=interface op=delete netif=%s" % interface)
+
def delete(self, interface):
self.begin()
self.__delete(interface)
@@ -1775,6 +1828,8 @@ class fcontextRecords(semanageRecords):
if i.startswith(target + "/"):
raise ValueError(_("File spec %s conflicts with equivalency rule '%s %s'") % (target, i, fdict[i]))
+ self.mylog.log_change("resrc=fcontext op=add-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
+
self.equiv[target] = substitute
self.equal_ind = True
self.commit()
@@ -1785,6 +1840,9 @@ class fcontextRecords(semanageRecords):
raise ValueError(_("Equivalence class for %s does not exists") % target)
self.equiv[target] = substitute
self.equal_ind = True
+
+ self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
+
self.commit()
def createcon(self, target, seuser="system_u"):
@@ -1879,6 +1937,11 @@ class fcontextRecords(semanageRecords):
semanage_fcontext_key_free(k)
semanage_fcontext_free(fcontext)
+ if not seuser:
+ seuser = "system_u"
+
+ self.mylog.log_change("resrc=fcontext op=add %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange))
+
def add(self, target, type, ftype="", serange="", seuser="system_u"):
self.begin()
self.__add(target, type, ftype, serange, seuser)
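Review bot: the seuser default is applied after the fcontext has already been built and freed, so it only affects the audit message: if an empty seuser reached the context setter earlier in __add, the stored record and the audit trail would disagree. Move `if not seuser: seuser = "system_u"` to the top of __add (and of __modify below, which repeats the same pattern) so both paths use one value. Also, `type` here shadows the builtin; pre-existing, but the new line makes it easier to misread.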
@@ -1939,6 +2002,11 @@ class fcontextRecords(semanageRecords):
semanage_fcontext_key_free(k)
semanage_fcontext_free(fcontext)
+ if not seuser:
+ seuser = "system_u"
+
+ self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange))
+
def modify(self, target, setype, ftype, serange, seuser):
self.begin()
self.__modify(target, setype, ftype, serange, seuser)
@@ -1964,6 +2032,8 @@ class fcontextRecords(semanageRecords):
raise ValueError(_("Could not delete the file context %s") % target)
semanage_fcontext_key_free(k)
+ self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype_str]))
+
self.equiv = {}
self.equal_ind = True
self.commit()
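Review bot: ftype_to_audit[ftype_str] looks wrong for deleteall. ftype_to_audit is keyed by the single-letter option ("", "b", "c", ...) that __delete below receives, whereas ftype_str here is the type string obtained from libsemanage, the form that file_type_str_to_option at the top of the file translates from ("all files", "socket file", ...). If so, this raises KeyError after the fcontext has been removed but before self.commit(), leaving the transaction open. Map it first, `ftype_to_audit[file_type_str_to_option[ftype_str]]`, which in turn needs an "a" entry in ftype_to_audit.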
@@ -1972,6 +2042,9 @@ class fcontextRecords(semanageRecords):
if target in self.equiv.keys():
self.equiv.pop(target)
self.equal_ind = True
+
+ self.mylog.log_change("resrc=fcontext op=delete-equal %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
+
return
(rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
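Review bot: two inconsistencies with the add-equal and modify-equal records above. There the source path is logged as sglob and the substitute as tglob; here the removed source path is logged as tglob, so a consumer keyed on sglob will not see the removal. And ftype= is meaningless for an equivalence rule, which applies to every file type; the value logged is simply whatever the caller passed to __delete. Log `resrc=fcontext op=delete-equal sglob=...` without ftype.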
@@ -1996,6 +2069,8 @@ class fcontextRecords(semanageRecords):
semanage_fcontext_key_free(k)
+ self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
+
def delete(self, target, ftype):
self.begin()
self.__delete(target, ftype)
--
1.8.3.1
^ permalink raw reply related
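To show what a consumer of these events looks like, here is an added Python 3 example, not part of the patch above or of policycoreutils/audit, that parses USER_MAC_CONFIG_CHANGE records of the shape the patch's format strings produce, decodes the fields that went through audit_encode_nv_string, and flags the changes an operations team would want to look at. The sample records are constructed; the comm=/exe=/hostname=/addr=/terminal=/res= tail is the one libaudit appends in audit_log_user_comm_message, and the records carry IANA protocol numbers (6 for TCP, 17 for UDP), not the swapped values of the patch's proto_to_audit table.

```python
"""Parse and triage USER_MAC_CONFIG_CHANGE records (added example)."""
import re

# Constructed sample records: kernel header, then msg='<patch message> ...'
# with the tail libaudit's audit_log_user_comm_message appends.
SAMPLE_LOG = """\
type=USER_MAC_CONFIG_CHANGE msg=audit(1469464627.201:3101): pid=3021 uid=0 auid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=port op=add lport=8443 proto=6 tcontext=system_u:object_r:http_port_t:s0 comm="semanage" exe="/usr/bin/python2" hostname=? addr=? terminal=pts/1 res=success'
type=USER_MAC_CONFIG_CHANGE msg=audit(1469464640.455:3102): pid=3040 uid=0 auid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=fcontext op=add tglob="/srv/www(/.*)?" ftype=any tcontext=system_u:object_r:httpd_sys_content_t:s0 comm="semanage" exe="/usr/bin/python2" hostname=? addr=? terminal=pts/1 res=success'
type=USER_MAC_CONFIG_CHANGE msg=audit(1469464651.002:3103): pid=3055 uid=0 auid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=fcontext op=add tglob=2F7372762F6D792073697465282F2E2A293F ftype=dir tcontext=system_u:object_r:httpd_sys_content_t:s0 comm="semanage" exe="/usr/bin/python2" hostname=? addr=? terminal=pts/1 res=success'
type=USER_MAC_CONFIG_CHANGE msg=audit(1469464702.730:3104): pid=3090 uid=0 auid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=fcontext op=modify tglob="/etc/shadow" ftype=file tcontext=system_u:object_r:etc_t:s0 comm="semanage" exe="/usr/bin/python2" hostname=? addr=? terminal=pts/1 res=success'
type=USER_MAC_CONFIG_CHANGE msg=audit(1469464710.011:3105): pid=3101 uid=0 auid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=port op=delete lport=22 proto=6 comm="semanage" exe="/usr/bin/python2" hostname=? addr=? terminal=pts/1 res=failed'
"""

# IANA protocol numbers (the patch's proto_to_audit has tcp and udp swapped).
PROTO_NAMES = {6: "tcp", 17: "udp", 4: "ipv4", 41: "ipv6"}

# Fields the producer passes through audit_encode_nv_string.  Such a value is
# either "quoted", or bare uppercase hex when it contained a quote, a space or
# a control character.  Only these fields may be hex-decoded: a bare lport=8443
# is also a well-formed hex string and must be left alone.
ENCODED_FIELDS = {"tglob", "sglob"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\): (.*?) msg='(.*)'$")


def decode_nv(name, value):
    """Undo audit_encode_nv_string for the fields it was applied to."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    if name in ENCODED_FIELDS and re.fullmatch(r"(?:[0-9A-F]{2})+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_record(line):
    """Return None for other record types, else a flat dict of the kernel
    header fields and the decoded msg='...' payload."""
    m = _HEADER.match(line)
    if not m or m.group(1) != "USER_MAC_CONFIG_CHANGE":
        return None
    rec = {"serial": int(m.group(4)), "time": float("%s.%s" % (m.group(2), m.group(3)))}
    rec.update(_KV.findall(m.group(5)))
    for key, value in _KV.findall(m.group(6)):
        rec[key] = decode_nv(key, value)
    if "proto" in rec:
        rec["proto"] = PROTO_NAMES.get(int(rec["proto"]), rec["proto"])
    return rec


SENSITIVE_PREFIXES = ("/etc", "/usr", "/boot", "/var/log/audit")


def needs_review(rec):
    """Triage policy: failed attempts, removals, and relabels of system paths."""
    if rec.get("res") != "success":
        return "failed attempt"
    if rec.get("op", "").startswith("delete"):
        return "mapping removed"
    if rec.get("resrc") == "fcontext" and rec.get("tglob", "").startswith(SENSITIVE_PREFIXES):
        return "system path relabelled"
    return None


def scan(log_text):
    """Return (serial, reason, record) for every record that needs a look."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        reason = needs_review(rec)
        if reason:
            findings.append((rec["serial"], reason, rec))
    return findings


if __name__ == "__main__":
    for serial, reason, rec in scan(SAMPLE_LOG):
        print("%d %s: auid=%s %s %s %s" % (serial, reason, rec["auid"], rec["resrc"],
                                         rec["op"], rec.get("tglob") or rec.get("lport")))
```

The per-field decoding table is the part worth copying: ausearch -i knows which fields are encoded from its own type table, and a home-grown parser has to carry the same knowledge, otherwise a numeric value that happens to be valid hex is silently corrupted.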
* [PATCH] alpha_table.h: Syscall 511 is getrandom, not renameat2
From: James Clarke @ 2016-07-23 19:15 UTC (permalink / raw)
To: linux-audit; +Cc: James Clarke
---
This fixes gen_alpha_tables_h aborting due to renameat2 being duplicated.
lib/alpha_table.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/alpha_table.h b/lib/alpha_table.h
index 08171cc..c43744f 100644
--- a/lib/alpha_table.h
+++ b/lib/alpha_table.h
@@ -451,6 +451,6 @@ _S(507, "finit_module")
_S(508, "sched_setattr")
_S(509, "sched_getattr")
_S(510, "renameat2")
-_S(511, "renameat2")
+_S(511, "getrandom")
_S(512, "memfd_create")
_S(513, "execveat")
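Review bot: the table fix matches the Alpha numbering (510 renameat2, 511 getrandom, 512 memfd_create), but the submission has no Signed-off-by line, and its only explanation sits below the `---` separator, where git am discards it. Move "This fixes gen_alpha_tables_h aborting due to renameat2 being duplicated." above the separator as the commit body and add the sign-off.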
--
2.9.1
^ permalink raw reply related
* Re: [PATCH] audit: fix a double fetch in audit_log_single_execve_arg()
From: Paul Moore @ 2016-07-22 14:10 UTC (permalink / raw)
To: linux-audit; +Cc: Pengfei Wang
In-Reply-To: <CAHC9VhTcFM0YQ-LS=dUZLcYFm=110WZie+BKnGNjHWmJcGc7Dg@mail.gmail.com>
On Wed, Jul 20, 2016 at 2:56 PM, Paul Moore <paul@paul-moore.com> wrote:
> Generally I would take a patch this late for the upcoming merge
> window, but considering the nature of this patch I'm going to make an
> exception. I've added it to the audit#next branch and I've built a
> temporary kernel for testing at the link below for anyone who may be
> interested; I'm also building a new pcmoore/kernel-secnext COPR kernel
> with the patch right now, it should be available in a few hours.
>
> * https://copr.fedorainfracloud.org/coprs/pcmoore/kernel-testing/build/394059
Unfortunately there was an issue with the COPR build and the link
above failed, the link below should lead you to a working kernel.
* https://copr.fedorainfracloud.org/coprs/pcmoore/kernel-secnext/build/402631
--
paul moore
www.paul-moore.com
^ permalink raw reply
* Re: [PATCH] Add .gitignore file for git-svn and github.
From: Steve Grubb @ 2016-07-21 18:56 UTC (permalink / raw)
To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <20160721000625.GA1304@madcap2.tricolour.ca>
On Wednesday, July 20, 2016 8:06:25 PM EDT Richard Guy Briggs wrote:
> On 2016-07-20 19:19, Richard Guy Briggs wrote:
> > Ignore generated files if using git.
Thanks. Applied.
> I should add that this is based on audit-2.6.5.
It applies fine against trunk.
-Steve
^ permalink raw reply
* Re: /var/log/audit ownership/permissions
From: Steve Grubb @ 2016-07-21 14:31 UTC (permalink / raw)
To: Ondrej Moris; +Cc: linux-audit
In-Reply-To: <5790D860.8060508@redhat.com>
On Thursday, July 21, 2016 4:12:48 PM EDT Ondrej Moris wrote:
> On 07/21/2016 03:55 PM, Steve Grubb wrote:
> >> I am fine with that but while I see the motivation [1], I
> >> just cannot find where that is happening in the code.
> >
> > https://fedorahosted.org/audit/browser/trunk/src/auditd-event.c#L886
>
> Thanks, now it is clear. One thing - line 903 suggests that it is
> either 0700 or 0770 which I can confirm by testing:
>
> # # log_group = root
> # ls -ld /var/log/audit/
> drwx------. 2 root root 4096 Jul 21 09:56 /var/log/audit/
>
> # # log_group = input
> # ls -ld /var/log/audit/
> drwxrwx---. 2 root input 4096 Jul 21 09:56 /var/log/audit/
Fixed in commit 1360.
> >> Besides, specfile
> >> still contains:
> >>
> >> %attr(750,root,root) %dir %{_var}/log/audit
> >
> > Maybe I should take the attr away or modify it to (-,root,-). The group
> > can change. For example, I have wheel allowed to run audit reports on my
> > system.
> >
> >> and hence 'rpm -V audit' obviously fails.
> >
> > Yeah. Hmm.
>
> Yes, the change you mentioned would solve the 'rpm -V' problem. It sounds very
> reasonable since both group ownership and permissions are configurable
> via auditd.conf.
Also fixed in the same commit.
-Steve
^ permalink raw reply
* Re: /var/log/audit ownership/permissions
From: Ondrej Moris @ 2016-07-21 14:12 UTC (permalink / raw)
To: Steve Grubb, linux-audit
In-Reply-To: <12890758.RtUGNIL9cO@x2>
On 07/21/2016 03:55 PM, Steve Grubb wrote:
> On Thursday, July 21, 2016 11:48:04 AM EDT Ondrej Moris wrote:
>> Hi, I noticed that in 2.6.5 /var/log/audit permissions were dropped from
>> 750 to 600.
>
> The directory should be 0750 or 0700 depending on your config. 0600 would be a
> mistake.
Sorry, it was a typo - it should be 0700 (not 0600).
>
>
>> I am fine with that but while I see the motivation [1], I
>> just cannot find where that is happening in the code.
>
> https://fedorahosted.org/audit/browser/trunk/src/auditd-event.c#L886
Thanks, now it is clear. One thing - line 903 suggests that it is
either 0700 or 0770, which I can confirm by testing:
# # log_group = root
# ls -ld /var/log/audit/
drwx------. 2 root root 4096 Jul 21 09:56 /var/log/audit/
# # log_group = input
# ls -ld /var/log/audit/
drwxrwx---. 2 root input 4096 Jul 21 09:56 /var/log/audit/
>
>> Besides, specfile
>> still contains:
>>
>> %attr(750,root,root) %dir %{_var}/log/audit
>
> Maybe I should take the attr away or modify it to (-,root,-). The group can
> change. For example, I have wheel allowed to run audit reports on my system.
>
>> and hence 'rpm -V audit' obviously fails.
>
> Yeah. Hmm.
Yes, the change you mentioned would solve the 'rpm -V' problem. It sounds very
reasonable since both group ownership and permissions are configurable
via auditd.conf.
>
> -Steve
>
>> [1]
>> http://post-office.corp.redhat.com/archives/tech-list/2016-May/msg00468.html
>>
>> --
>> Ondrej
>>
>> --
>> Linux-audit mailing list
>> Linux-audit@redhat.com
>> https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
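A check for the directory layout discussed in this thread, added here as an example and not part of audit-userspace: it reads log_group from an auditd.conf-style file and verifies that the log directory is root-owned, closed to others, 0700 when no reporting group is configured, and 0750 (read and search, not write) rather than 0770 when one is. The paths /var/log/audit and /etc/audit/auditd.conf, the use of GNU stat, and the message texts are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not audit-userspace code: verify that the audit log
# directory is laid out the way this thread describes: root-owned,
# 0700 when log_group is root, 0750 (r-x for the group) when auditd.conf
# names another group, and never group-writable or world-accessible.
# Paths, option names and messages below are assumptions for illustration.

# Read log_group from an auditd.conf-style file; auditd defaults it to root.
audit_log_group() {
    g=$(sed -n 's/^[[:space:]]*log_group[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${g:-root}"
}

# Pure check on observed values: OWNER GROUP MODE LOG_GROUP.
# Returns 0 when the layout is as expected, otherwise prints why and returns 1.
check_audit_dir() {
    owner=$1 group=$2 log_group=$4
    mode=$(printf '%04o' "0$3")            # normalise 700 / 0750 / 01750 to four digits
    u=$(printf '%s\n' "$mode" | cut -c2)   # owner bits
    g=$(printf '%s\n' "$mode" | cut -c3)   # group bits
    o=$(printf '%s\n' "$mode" | cut -c4)   # other bits

    [ "$owner" = root ] || { echo "owner is $owner, expected root"; return 1; }
    [ "$o" = 0 ]        || { echo "mode $mode grants access to others"; return 1; }
    [ "$u" = 7 ]        || { echo "mode $mode: owner needs rwx"; return 1; }

    if [ "$log_group" = root ]; then
        # No reporting group configured: expect 0700 (0750 root:root is harmless).
        case $g in
            0|5) ;;
            *) echo "mode $mode: group has write access, expected 0700"; return 1 ;;
        esac
    else
        [ "$group" = "$log_group" ] ||
            { echo "group is $group, expected log_group $log_group"; return 1; }
        # The problem discussed in the thread: the group was given rwx (0770).
        [ "$g" = 5 ] ||
            { echo "mode $mode: log_group $log_group should get r-x (0750), not $g"; return 1; }
    fi
    return 0
}

# Live check against a real system (GNU stat); default paths are assumed.
audit_dir_status() {
    dir=${1:-/var/log/audit}
    conf=${2:-/etc/audit/auditd.conf}
    vals=$(stat -c '%U %G %a' "$dir") || return 1
    set -- $vals
    check_audit_dir "$1" "$2" "$3" "$(audit_log_group "$conf")"
}
```

Running `audit_dir_status` on a host with `log_group = input` and a 0770 directory prints the group-write complaint and exits non-zero, which is the condition 'rpm -V audit' also trips over; a 0750 root:input directory passes.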
* Re: /var/log/audit ownership/permissions
From: Steve Grubb @ 2016-07-21 13:55 UTC (permalink / raw)
To: linux-audit
In-Reply-To: <1d3522ae-ff55-5a91-5e8d-b64fac67e84b@redhat.com>
On Thursday, July 21, 2016 11:48:04 AM EDT Ondrej Moris wrote:
> Hi, I noticed that in 2.6.5 /var/log/audit permissions were dropped from
> 750 to 600.
The directory should be 0750 or 0700 depending on your config. 0600 would be a
mistake.
> I am fine with that but while I see the motivation [1], I
> just cannot find where that is happening in the code.
https://fedorahosted.org/audit/browser/trunk/src/auditd-event.c#L886
> Besides, specfile
> still contains:
>
> %attr(750,root,root) %dir %{_var}/log/audit
Maybe I should take the attr away or modify it to (-,root,-). The group can
change. For example, I have wheel allowed to run audit reports on my system.
> and hence 'rpm -V audit' obviously fails.
Yeah. Hmm.
-Steve
> [1]
> http://post-office.corp.redhat.com/archives/tech-list/2016-May/msg00468.html
>
> --
> Ondrej
^ permalink raw reply
* Re: /var/log/audit ownership/permissions
From: Ondrej Moris @ 2016-07-21 9:48 UTC (permalink / raw)
To: linux-audit
Hi, I noticed that in 2.6.5 /var/log/audit permissions were dropped from
750 to 600. I am fine with that but while I see the motivation [1], I
just cannot find where that is happening in the code. Besides, specfile
still contains:
%attr(750,root,root) %dir %{_var}/log/audit
and hence 'rpm -V audit' obviously fails.
[1]
http://post-office.corp.redhat.com/archives/tech-list/2016-May/msg00468.html
--
Ondrej
^ permalink raw reply
* Re: [PATCH] Add .gitignore file for git-svn and github.
From: Richard Guy Briggs @ 2016-07-21 0:06 UTC (permalink / raw)
To: linux-audit
In-Reply-To: <1469056797-23741-1-git-send-email-rgb@redhat.com>
On 2016-07-20 19:19, Richard Guy Briggs wrote:
> Ignore generated files if using git.
I should add that this is based on audit-2.6.5.
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> trunk/.gitignore | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 1 files changed, 54 insertions(+), 0 deletions(-)
> create mode 100644 trunk/.gitignore
>
> diff --git a/trunk/.gitignore b/trunk/.gitignore
> new file mode 100644
> index 0000000..a328f80
> --- /dev/null
> +++ b/trunk/.gitignore
> @@ -0,0 +1,54 @@
> +*~
> +*.[oa]
> +*.lo
> +*.la
> +*.pc
> +gen_*_h
> +INSTALL
> +Makefile
> +Makefile.in
> +TAGS
> +/aclocal.m4
> +/autom4te.cache
> +/audit*.tar.gz
> +/audit-rhel?.spec
> +/config.guess
> +/config.sub
> +/config.status
> +/config.log
> +/config.h
> +/config.h.in
> +/configure
> +/compile
> +/depcomp
> +/install-sh
> +/libtool
> +/missing
> +/py-compile
> +.libs/
> +.deps/
> +audisp/audispd
> +audisp/plugins/remote/audisp-remote
> +audisp/plugins/zos-remote/audispd-zos-remote
> +auparse/*tabs.h
> +auparse/epoll_ctls.h
> +auparse/strsplit.c
> +bindings/swig/python/audit.py
> +bindings/swig/python/audit_wrap.c
> +bindings/swig/python3/audit.py
> +bindings/swig/python3/audit_wrap.c
> +lib/*tabs.h
> +lib/*tables.h
> +m4/libtool.m4
> +m4/lt*.m4
> +src/auditctl
> +src/auditd
> +src/aureport
> +src/ausearch
> +src/autrace
> +stamp-h1
> +test-driver
> +tools/aulast/aulast
> +tools/aulastlog/aulastlog
> +tools/ausyscall/ausyscall
> +tools/auvirt/auvirt
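Review bot: the `TAGS` entry in this hunk only covers etags output; ctags writes a lowercase `tags` file and cscope writes `cscope.out` (plus `cscope.in.out` and `cscope.po.out` with -q), so anyone indexing the tree with either tool will still see untracked files after this patch. Suggest adding `tags` and `cscope.*` alongside `TAGS`.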
> --
> 1.7.1
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
^ permalink raw reply