* [PATCH V2 0/2] Add support for session ID user filtering
From: Richard Guy Briggs @ 2016-08-02 9:42 UTC (permalink / raw)
To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs
https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
RFE Session ID User Filter
https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter
See also the set of userspace support patches:
Add support for sessionid user filters, sessionid_set and loginuid_set
https://www.redhat.com/archives/linux-audit/2016-August/msg00005.html
and the test case:
https://github.com/rgbriggs/audit-testsuite/tree/ghak4-test-for-sessionID-user-filter
Richard Guy Briggs (2):
audit: add support for session ID user filter
audit: add AUDIT_SESSIONID_SET support
include/linux/audit.h | 10 ++++++++++
include/uapi/linux/audit.h | 2 ++
kernel/auditfilter.c | 5 +++++
kernel/auditsc.c | 6 ++++++
4 files changed, 23 insertions(+), 0 deletions(-)
* [PATCH 5/5] Add support for loginuid_set option for event filtering and searches.
From: Richard Guy Briggs @ 2016-08-02 9:39 UTC (permalink / raw)
To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <1470130741-31650-1-git-send-email-rgb@redhat.com>
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
trunk/src/aureport-options.c | 1 +
trunk/src/ausearch-common.h | 1 +
trunk/src/ausearch-options.c | 43 +++++++++++++++++++++++++++++++++++++++++-
trunk/src/ausearch-parse.c | 16 +++++++-------
4 files changed, 52 insertions(+), 9 deletions(-)
diff --git a/trunk/src/aureport-options.c b/trunk/src/aureport-options.c
index b15cbb5..a0c78ea 100644
--- a/trunk/src/aureport-options.c
+++ b/trunk/src/aureport-options.c
@@ -44,6 +44,7 @@ int no_config = 0;
/* These are for compatibility with parser */
unsigned int event_id = -1;
uid_t event_uid = -1, event_loginuid = -2, event_euid = -1;
+int event_loginuid_set = -1;
const char *event_tuid = NULL, *event_teuid = NULL, *event_tauid = NULL;
gid_t event_gid = -1, event_egid = -1;
slist *event_node_list = NULL;
diff --git a/trunk/src/ausearch-common.h b/trunk/src/ausearch-common.h
index d60ea5f..cdb51e9 100644
--- a/trunk/src/ausearch-common.h
+++ b/trunk/src/ausearch-common.h
@@ -48,6 +48,7 @@ extern gid_t event_gid, event_egid;
extern pid_t event_pid;
extern int event_exact_match;
extern uid_t event_uid, event_euid, event_loginuid;
+extern int event_loginuid_set;
extern const char *event_tuid, *event_teuid, *event_tauid;
slist *event_node_list;
extern const char *event_comm;
diff --git a/trunk/src/ausearch-options.c b/trunk/src/ausearch-options.c
index f970c76..143a26f 100644
--- a/trunk/src/ausearch-options.c
+++ b/trunk/src/ausearch-options.c
@@ -50,6 +50,7 @@ success_t event_success = S_UNSET;
int event_exact_match = 0;
uid_t event_uid = -1, event_euid = -1, event_loginuid = -2;
const char *event_tuid = NULL, *event_teuid = NULL, *event_tauid = NULL;
+int event_loginuid_set = -1;
int event_syscall = -1, event_machine = -1;
int event_ua = 0, event_ga = 0, event_se = 0;
int just_one = 0;
@@ -84,7 +85,7 @@ struct nv_pair {
enum { S_EVENT, S_COMM, S_FILENAME, S_ALL_GID, S_EFF_GID, S_GID, S_HELP,
S_HOSTNAME, S_INTERP, S_INFILE, S_MESSAGE_TYPE, S_PID, S_SYSCALL, S_OSUCCESS,
-S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID,
+S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID, S_LOGINUID_SET,
S_VERSION, S_EXACT_MATCH, S_EXECUTABLE, S_CONTEXT, S_SUBJECT, S_OBJECT,
S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_SESSIONID_SET, S_EXIT,
S_LINEBUFFERED, S_UUID, S_VMNAME, S_DEBUG, S_CHECKPOINT, S_ARCH };
@@ -159,6 +160,7 @@ static struct nv_pair optiontab[] = {
{ S_UUID, "--uuid" },
{ S_LOGINID, "-ul" },
{ S_LOGINID, "--loginuid" },
+ { S_LOGINUID_SET, "--loginuid_set" },
{ S_VERSION, "-v" },
{ S_VERSION, "--version" },
{ S_VMNAME, "-vm" },
@@ -221,6 +223,7 @@ static void usage(void)
"\t-ue,--uid-effective <effective User id> search based on Effective\n\t\t\t\t\tuser id\n"
"\t-ui,--uid <User Id>\t\tsearch based on user id\n"
"\t-ul,--loginuid <login id>\tsearch based on the User's Login id\n"
+ "\t--loginuid_set <0/1>\tsearch based on the User's Login id set or unset\n"
"\t-uu,--uuid <guest UUID>\t\tsearch for events related to the virtual\n"
"\t\t\t\t\tmachine with the given UUID.\n"
"\t-v,--version\t\t\tversion\n"
@@ -1107,6 +1110,44 @@ int check_params(int count, char *vars[])
}
c++;
break;
+ case S_LOGINUID_SET:
+ if (!optarg) {
+ if ((c+1 < count) && vars[c+1])
+ optarg = vars[c+1];
+ else {
+ fprintf(stderr,
+ "Argument is required for %s\n",
+ vars[c]);
+ retval = -1;
+ break;
+ }
+ }
+ {
+ size_t len = strlen(optarg);
+ if (isdigit(optarg[0])) {
+ errno = 0;
+ event_loginuid = strtoul(optarg,NULL,10);
+ if (errno) {
+ fprintf(stderr,
+ "Error (%s) converting %s\n",
+ strerror(errno), optarg);
+ retval = -1;
+ }
+ if (event_loginuid_set > 1) {
+ fprintf(stderr,
+ "Loginuid_set must be a boolean value, was %s\n",
+ optarg);
+ retval = -1;
+ }
+ } else {
+ fprintf(stderr,
+ "Loginuid_set must be a boolean value, was %s\n",
+ optarg);
+ retval = -1;
+ }
+ }
+ c++;
+ break;
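Review bot: The value of `--loginuid_set` is stored in the wrong variable: `event_loginuid = strtoul(optarg,NULL,10);` overwrites the loginuid search key, so `--loginuid_set 1` silently behaves like `--loginuid 1`, and the following `if (event_loginuid_set > 1)` tests a variable that is still -1 and can never fire. It should read `event_loginuid_set = strtoul(optarg,NULL,10);`, matching the sessionid_set case in the companion patch. `size_t len` is assigned and never used. Passing NULL as strtoul's endptr also accepts input such as `1abc`; a `char *end;` argument with an `if (*end != '\0')` check would reject trailing characters. check_params continues outside this hunk.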
case S_UUID:
if (!optarg) {
fprintf(stderr,
diff --git a/trunk/src/ausearch-parse.c b/trunk/src/ausearch-parse.c
index c45d54e..a489d25 100644
--- a/trunk/src/ausearch-parse.c
+++ b/trunk/src/ausearch-parse.c
@@ -251,7 +251,7 @@ static int parse_task_info(lnode *n, search_items *s)
*term = ' ';
}
// optionally get loginuid
- if (event_loginuid != -2 || event_tauid) {
+ if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
str = strstr(term, "auid=");
if (str == NULL) {
str = strstr(term, "loginuid=");
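Review bot: Extending the `auid=` extraction to `event_loginuid_set != -1` makes every parser fetch the loginuid, but nothing in this patch compares the parsed value against event_loginuid_set — the diffstat lists no ausearch-match.c change, whereas the sessionid_set patch adds exactly such a test to match(). Unless match() is updated elsewhere, `--loginuid_set` is accepted and parsed and then has no effect on the results. A check along the lines of `if ((event_loginuid_set != -1) && (event_loginuid_set != (l->s.loginuid != -1))) return 0;` is needed, with the comparison matched to whatever sentinel the parsers store for an unset auid (4294967295 on newer kernels — confirm against search_items). parse_task_info continues outside this hunk.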
@@ -823,7 +823,7 @@ static int parse_user(const lnode *n, search_items *s)
s->tuid = lookup_uid("uid", s->uid);
}
// optionally get loginuid
- if (event_loginuid != -2 || event_tauid) {
+ if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
*term = ' ';
str = strstr(term, "auid=");
if (str == NULL) { // Try the older one
@@ -1271,7 +1271,7 @@ static int parse_login(const lnode *n, search_items *s)
}
}
// optionally get loginuid
- if (event_loginuid != -2 || event_tauid) {
+ if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
str = strstr(term, "new auid=");
if (str == NULL) {
// 3.14 kernel changed it to the next line
@@ -1354,7 +1354,7 @@ static int parse_daemon1(const lnode *n, search_items *s)
term = mptr;
// optionally get auid
- if (event_loginuid != -2 || event_tauid) {
+ if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
str = strstr(mptr, "auid=");
if (str == NULL)
return 1;
@@ -1613,7 +1613,7 @@ static int parse_integrity(const lnode *n, search_items *s)
}
// optionally get loginuid
- if (event_loginuid != -2 || event_tauid) {
+ if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
str = strstr(n->message, "auid=");
if (str) {
ptr = str + 5;
@@ -1890,7 +1890,7 @@ static int parse_kernel_anom(const lnode *n, search_items *s)
char *str, *ptr, *term = n->message;
// optionally get loginuid
- if (event_loginuid != -2 || event_tauid) {
+ if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
str = strstr(term, "auid=");
if (str == NULL)
return 1;
@@ -2078,7 +2078,7 @@ static int parse_simple_message(const lnode *n, search_items *s)
char *str, *ptr, *term = n->message;
// optionally get loginuid - old kernels skip auid for CONFIG_CHANGE
- if (event_loginuid != -2 || event_tauid) {
+ if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
str = strstr(term, "auid=");
if (str == NULL && n->type != AUDIT_CONFIG_CHANGE)
return 1;
@@ -2257,7 +2257,7 @@ static int parse_tty(const lnode *n, search_items *s)
}
// optionally get loginuid
- if (event_loginuid != -2 || event_tauid) {
+ if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
str = strstr(term, "auid=");
if (str == NULL)
return 5;
--
1.7.1

* [PATCH 4/5] Add sessionid_set option to ausearch and aureport
From: Richard Guy Briggs @ 2016-08-02 9:39 UTC (permalink / raw)
To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <1470130741-31650-1-git-send-email-rgb@redhat.com>
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
trunk/src/aureport-options.c | 3 ++-
trunk/src/ausearch-match.c | 3 +++
trunk/src/ausearch-options.c | 42 +++++++++++++++++++++++++++++++++++++++++-
trunk/src/ausearch-options.h | 1 +
trunk/src/ausearch-parse.c | 14 +++++++-------
5 files changed, 54 insertions(+), 9 deletions(-)
diff --git a/trunk/src/aureport-options.c b/trunk/src/aureport-options.c
index 9a0fc18..b15cbb5 100644
--- a/trunk/src/aureport-options.c
+++ b/trunk/src/aureport-options.c
@@ -59,7 +59,7 @@ const char *event_uuid = NULL;
const char *event_vmname = NULL;
long long event_exit = 0;
int event_exit_is_set = 0;
-int event_ppid = -1, event_session_id = -2;
+int event_ppid = -1, event_session_id = -2, event_session_id_set = -1;
int event_debug = 0, event_machine = -1;
/* These are used by aureport */
@@ -565,6 +565,7 @@ int check_params(int count, char *vars[])
else {
set_detail(D_DETAILED);
event_session_id = 1;
+ event_session_id_set = 1;
event_loginuid = 1;
event_tauid = dummy;
event_terminal = dummy;
diff --git a/trunk/src/ausearch-match.c b/trunk/src/ausearch-match.c
index ec8a582..bff7e24 100644
--- a/trunk/src/ausearch-match.c
+++ b/trunk/src/ausearch-match.c
@@ -112,6 +112,9 @@ int match(llist *l)
if ((event_session_id != -2) &&
(event_session_id != l->s.session_id))
return 0;
+ if ((event_session_id_set != -1) &&
+ (event_session_id_set != (l->s.session_id != -1)))
+ return 0;
if (event_exit_is_set) {
if (l->s.exit_is_set == 0)
return 0;
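Review bot: `event_session_id_set != (l->s.session_id != -1)` classifies a record as "unset" whenever the parsed session_id equals -1, which would also cover records that carry no `ses=` field at all if search_items initialises session_id to -1 (not visible in this hunk). In that case `--sessionid_set 0` matches events that merely lack the field as well as events logged with an unset session, and the output gives no way to tell them apart. If that distinction matters, have the parsers record field presence separately (e.g. a `session_id_is_set` flag) instead of reusing the sentinel; at minimum a comment such as `/* session_id == -1 covers both "unset" and "no ses= field" */` should record the ambiguity. match() continues outside this hunk.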
diff --git a/trunk/src/ausearch-options.c b/trunk/src/ausearch-options.c
index 521748d..f970c76 100644
--- a/trunk/src/ausearch-options.c
+++ b/trunk/src/ausearch-options.c
@@ -54,6 +54,7 @@ int event_syscall = -1, event_machine = -1;
int event_ua = 0, event_ga = 0, event_se = 0;
int just_one = 0;
uint32_t event_session_id = -2;
+uint32_t event_session_id_set = -1;
long long event_exit = 0;
int event_exit_is_set = 0;
int line_buffered = 0;
@@ -85,7 +86,7 @@ enum { S_EVENT, S_COMM, S_FILENAME, S_ALL_GID, S_EFF_GID, S_GID, S_HELP,
S_HOSTNAME, S_INTERP, S_INFILE, S_MESSAGE_TYPE, S_PID, S_SYSCALL, S_OSUCCESS,
S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID,
S_VERSION, S_EXACT_MATCH, S_EXECUTABLE, S_CONTEXT, S_SUBJECT, S_OBJECT,
-S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_EXIT,
+S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_SESSIONID_SET, S_EXIT,
S_LINEBUFFERED, S_UUID, S_VMNAME, S_DEBUG, S_CHECKPOINT, S_ARCH };
static struct nv_pair optiontab[] = {
@@ -137,6 +138,7 @@ static struct nv_pair optiontab[] = {
{ S_CONTEXT, "-se" },
{ S_CONTEXT, "--context" },
{ S_SESSION, "--session" },
+ { S_SESSIONID_SET, "--sessionid_set" },
{ S_SUBJECT, "-su" },
{ S_SUBJECT, "--subject" },
{ S_OSUCCESS, "-sv" },
@@ -209,6 +211,7 @@ static void usage(void)
"\t-sc,--syscall <SysCall name>\tsearch based on syscall name or number\n"
"\t-se,--context <SE Linux context> search based on either subject or\n\t\t\t\t\t object\n"
"\t--session <login session id>\tsearch based on login session id\n"
+ "\t--sessionid_set <0/1>\tsearch based on login session id set or unset\n"
"\t-su,--subject <SE Linux context> search based on context of the Subject\n"
"\t-sv,--success <Success Value>\tsearch based on syscall or event\n\t\t\t\t\tsuccess value\n"
"\t-te,--end [end date] [end time]\tending date & time for search\n"
@@ -767,6 +770,43 @@ int check_params(int count, char *vars[])
}
}
break;
+ case S_SESSIONID_SET:
+ if (!optarg) {
+ if ((c+1 < count) && vars[c+1])
+ optarg = vars[c+1];
+ else {
+ fprintf(stderr,
+ "Argument is required for %s\n",
+ vars[c]);
+ retval = -1;
+ break;
+ }
+ }
+ {
+ size_t len = strlen(optarg);
+ if (isdigit(optarg[0])) {
+ errno = 0;
+ event_session_id_set = strtoul(optarg,NULL,10);
+ if (errno) {
+ fprintf(stderr, "Error converting %s\n",
+ optarg);
+ retval = -1;
+ }
+ if (event_session_id_set > 1) {
+ fprintf(stderr,
+ "Session id set must be a boolean value, was %s\n",
+ optarg);
+ retval = -1;
+ }
+ c++;
+ } else {
+ fprintf(stderr,
+ "Session id must be a boolean value, was %s\n",
+ optarg);
+ retval = -1;
+ }
+ }
+ break;
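Review bot: The argument check for `--sessionid_set` only inspects the first character (`isdigit(optarg[0])`) and passes NULL as strtoul's endptr, so values like `1abc` are accepted as booleans; use `char *end; event_session_id_set = strtoul(optarg, &end, 10); if (errno || *end != '\0' || event_session_id_set > 1)` to reject them. `size_t len` is computed and never used. The two error messages differ (`Session id set must be a boolean value` vs `Session id must be a boolean value`); the second should name the same option. `isdigit()` should be given an `unsigned char` cast, since a negative `char` is undefined behaviour for the ctype functions. check_params continues outside this hunk.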
case S_EXIT:
if (!optarg) {
if ((c+1 < count) && vars[c+1])
diff --git a/trunk/src/ausearch-options.h b/trunk/src/ausearch-options.h
index 1372762..947f5d6 100644
--- a/trunk/src/ausearch-options.h
+++ b/trunk/src/ausearch-options.h
@@ -40,6 +40,7 @@ extern int line_buffered;
extern int event_debug;
extern pid_t event_ppid;
extern uint32_t event_session_id;
+extern uint32_t event_session_id_set;
extern ilist *event_type;
/* Data type to govern output format */
diff --git a/trunk/src/ausearch-parse.c b/trunk/src/ausearch-parse.c
index 3047925..c45d54e 100644
--- a/trunk/src/ausearch-parse.c
+++ b/trunk/src/ausearch-parse.c
@@ -357,7 +357,7 @@ static int parse_task_info(lnode *n, search_items *s)
}
}
// ses
- if (event_session_id != -2 ) {
+ if (event_session_id != -2 || event_session_id_set != -1) {
str = strstr(term, "ses=");
if (str) {
ptr = str + 4;
@@ -845,7 +845,7 @@ static int parse_user(const lnode *n, search_items *s)
s->tauid = lookup_uid("auid", s->loginuid);
}
// ses
- if (event_session_id != -2 ) {
+ if (event_session_id != -2 || event_session_id_set != -1) {
str = strstr(term, "ses=");
if (str) {
ptr = str + 4;
@@ -1317,7 +1317,7 @@ static int parse_login(const lnode *n, search_items *s)
s->success = S_SUCCESS;
}
// ses
- if (event_session_id != -2 ) {
+ if (event_session_id != -2 || event_session_id_set != -1) {
if (term == NULL)
term = n->message;
str = strstr(term, "new ses=");
@@ -1631,7 +1631,7 @@ static int parse_integrity(const lnode *n, search_items *s)
}
// ses
- if (event_session_id != -2 ) {
+ if (event_session_id != -2 || event_session_id_set != -1) {
str = strstr(term, "ses=");
if (str) {
ptr = str + 4;
@@ -1944,7 +1944,7 @@ static int parse_kernel_anom(const lnode *n, search_items *s)
}
}
- if (event_session_id != -2) {
+ if (event_session_id != -2 || event_session_id_set != -1) {
str = strstr(term, "ses=");
if (str) {
ptr = str + 4;
@@ -2100,7 +2100,7 @@ static int parse_simple_message(const lnode *n, search_items *s)
}
// ses
- if (event_session_id != -2 ) {
+ if (event_session_id != -2 || event_session_id_set != -1) {
str = strstr(term, "ses=");
if (str) {
ptr = str + 4;
@@ -2277,7 +2277,7 @@ static int parse_tty(const lnode *n, search_items *s)
}
// ses
- if (event_session_id != -2 ) {
+ if (event_session_id != -2 || event_session_id_set != -1) {
str = strstr(term, "ses=");
if (str) {
ptr = str + 4;
--
1.7.1
* [PATCH 3/5] Add user filter option loginuid_set from uapi macro AUDIT_LOGINUID_SET
From: Richard Guy Briggs @ 2016-08-02 9:38 UTC (permalink / raw)
To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <1470130741-31650-1-git-send-email-rgb@redhat.com>
See upstream kernel commits:
780a7654cee8d61819512385e778e4827db4bfbc (3.10.rc1)
(audit: Make testing for a valid loginuid explicit.)
041d7b98ffe59c59fdd639931dea7d74f9aa9a59 (3.19.rc2)
(audit: restore AUDIT_LOGINUID unset ABI)
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
trunk/lib/fieldtab.h | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h
index b7b9f51..eeb951e 100644
--- a/trunk/lib/fieldtab.h
+++ b/trunk/lib/fieldtab.h
@@ -31,6 +31,8 @@ _S(AUDIT_SGID, "sgid" )
_S(AUDIT_FSGID, "fsgid" )
_S(AUDIT_LOGINUID, "auid" )
_S(AUDIT_LOGINUID, "loginuid" )
+_S(AUDIT_LOGINUID_SET, "auid_set" )
+_S(AUDIT_LOGINUID_SET, "loginuid_set" )
_S(AUDIT_SESSIONID, "sessionid" )
_S(AUDIT_SESSIONID_SET,"sessionid_set")
_S(AUDIT_PERS, "pers" )
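Review bot: Adding `auid_set`/`loginuid_set` to the field table only teaches the rule parser the name; as I recall the kernel side referenced in the description accepts only the values 0 and 1 with `=` or `!=` and rejects anything else with EINVAL, and this patch does not show whether auditctl range-checks the value itself or relies on the kernel error. A one-line comment here, e.g. `/* boolean field: kernel accepts only 0/1 with = or != */`, would spare the next reader a trip to kernel/auditfilter.c. The `sessionid_set` line in the context was added by the previous patch in this series, not this one.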
--
1.7.1
* [PATCH 2/5] Add sessionid_set option from kernel uapi macro AUDIT_SESSIONID_SET
From: Richard Guy Briggs @ 2016-08-02 9:38 UTC (permalink / raw)
To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <1470130741-31650-1-git-send-email-rgb@redhat.com>
Add sessionid_set field option from kernel uapi macro SESSIONID_SET to
enable specifying that sessionID is set or not in user filters.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
trunk/lib/fieldtab.h | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h
index 88cf8ea..b7b9f51 100644
--- a/trunk/lib/fieldtab.h
+++ b/trunk/lib/fieldtab.h
@@ -32,6 +32,7 @@ _S(AUDIT_FSGID, "fsgid" )
_S(AUDIT_LOGINUID, "auid" )
_S(AUDIT_LOGINUID, "loginuid" )
_S(AUDIT_SESSIONID, "sessionid" )
+_S(AUDIT_SESSIONID_SET,"sessionid_set")
_S(AUDIT_PERS, "pers" )
_S(AUDIT_ARCH, "arch" )
_S(AUDIT_MSGTYPE, "msgtype" )
--
1.7.1
* [PATCH 1/5] Add userspace support for session ID user filter.
From: Richard Guy Briggs @ 2016-08-02 9:38 UTC (permalink / raw)
To: linux-audit; +Cc: Richard Guy Briggs
In-Reply-To: <1470130741-31650-1-git-send-email-rgb@redhat.com>
Add support for the session ID user filter by adding the field name
"sessionid" using the kernel defined macro value AUDIT_SESSIONID.
https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
trunk/lib/fieldtab.h | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h
index bf48c95..88cf8ea 100644
--- a/trunk/lib/fieldtab.h
+++ b/trunk/lib/fieldtab.h
@@ -31,6 +31,7 @@ _S(AUDIT_SGID, "sgid" )
_S(AUDIT_FSGID, "fsgid" )
_S(AUDIT_LOGINUID, "auid" )
_S(AUDIT_LOGINUID, "loginuid" )
+_S(AUDIT_SESSIONID, "sessionid" )
_S(AUDIT_PERS, "pers" )
_S(AUDIT_ARCH, "arch" )
_S(AUDIT_MSGTYPE, "msgtype" )
--
1.7.1
* [PATCH 0/5] Add support for sessionid user filters, sessionid_set and loginuid_set
From: Richard Guy Briggs @ 2016-08-02 9:38 UTC (permalink / raw)
To: linux-audit; +Cc: Richard Guy Briggs
Add support for sessionid, sessionid_set (first two patches) and
loginuid_set (and auid_set) (third patch) in user filters. The first
two are directly related to issue "ghak4":
https://github.com/linux-audit/audit-kernel/issues/4
https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
The third is to support a kernel change from 3.10 and 3.19 to avoid
using in-band values to indicate the loginuid is unset.
The last two patches are to add unset flags to sessionid and loginuid
for ausearch and aureport. These two patches are extras and not
required for basic support.
Richard Guy Briggs (5):
Add userspace support for session ID user filter.
Add sessionid_set option from kernel uapi macro AUDIT_SESSIONID_SET
Add user filter option loginuid_set from uapi macro AUDIT_LOGINUID_SET
Add sessionid_set option to ausearch and aureport
Add support for loginuid_set option for event filtering and searches.
trunk/lib/fieldtab.h | 4 ++
trunk/src/aureport-options.c | 4 +-
trunk/src/ausearch-common.h | 1 +
trunk/src/ausearch-match.c | 3 +
trunk/src/ausearch-options.c | 85 +++++++++++++++++++++++++++++++++++++++++-
trunk/src/ausearch-options.h | 1 +
trunk/src/ausearch-parse.c | 30 +++++++-------
7 files changed, 110 insertions(+), 18 deletions(-)
* [PATCH] Ignore tags and cscope output files.
From: Richard Guy Briggs @ 2016-08-02 8:31 UTC (permalink / raw)
To: linux-audit; +Cc: Richard Guy Briggs
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
trunk/.gitignore | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/trunk/.gitignore b/trunk/.gitignore
index ec0aa96..ba296d3 100644
--- a/trunk/.gitignore
+++ b/trunk/.gitignore
@@ -7,7 +7,9 @@ gen_*_h
INSTALL
Makefile
Makefile.in
+tags
TAGS
+cscope.*
/aclocal.m4
/autom4te.cache
/audit*.tar.gz
--
1.7.1
* audit 2.6.6 released
From: Steve Grubb @ 2016-08-01 16:37 UTC (permalink / raw)
To: linux-audit
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Interpret ioctlcmd fields
- Fix the permission of the audit logging directory
- Fix timeout in autrace better
- Add gitignore file to ignore generated files if using git (Richard Guy Briggs)
- audit_log_user_comm_message now resolves comm if NULL is passed
- Update syscall table
- Fix multi-key support in auparse which was broke in tty escape bug fix
- Add multi-key support for syscall rules
This is a bug fix release. I didn't want to wait too long after the directory
permission problem was discovered, but I did want to give a little time in
case there was anything else discovered. The main issue fixed in this release
is the audit log directory permissions. If a group was given for log_group in
auditd.conf, the audit daemon gave write permissions on the directory to the
group. This appears to have started in the 2.6.1 release.
The autrace program was timing out too quickly waiting to check rules. It now
uses the select syscall to wait on rules.
The multi-key support that was added for IDS purposes with prelude was found
to have been broken by the tty escape bug fix. In troubleshooting that, I found
that it was not supported on the "new style" audit rules. So, that has been
fixed so that you can put multiple keys on syscall rules. Multiple key support
was fixed, but to do it right meant that the field type had to change from
AUPARSE_TYPE_ESCAPED to AUPARSE_TYPE_ESCAPED_KEY.
Please let me know if you run across any problems with this release.
-Steve
* Re: Question about the a[[:digit:]+]\[.*\] fields
From: Mateusz Piotrowski @ 2016-08-01 15:13 UTC (permalink / raw)
To: linux-audit; +Cc: Konrad Witaszczyk
In-Reply-To: <37697145.Sr86xZ3kit@x2>
On 01 Aug 2016, at 16:46, Steve Grubb <sgrubb@redhat.com> wrote:
>
> On Monday, August 1, 2016 12:16:30 AM EDT Mateusz Piotrowski wrote:
>>
>> According to the field dictionary[1] there are fields whose names are
>> defined by the following regex: "a[[:digit:]+]\[.*\]".
>>
>> I was able to find examples of fields like "a4" and "a5" (see [2]) but it
>> doesn't fit the regex which seems to require a pair of square brackets (so
>> "a4" should be "a4[]" or "a4[foo]"). I couldn't find any reference in the
>> Linux Audit source code.
>
> I think you have to have arguments that are larger than the audit record
> limit and so many arguments that you have multiple execve records to contain
> them all.
>
> Here's one reference:
> https://www.redhat.com/archives/linux-audit/2007-October/msg00015.html
Thanks.
>> My questions are:
>> 1. Is this regex valid and up-to-date? Or is it an outdated rule which
>> doesn't apply anymore?
>
> Possibly. But try to generate it and see.
Sure, I'll notify you if I manage to get one.
>> 2. Could you suggest me where to look to see how those arguments to the
>> execve syscall are handled?
>
> Handled where? Kernel? Userspace doesn't do much with any execve argument
> except decode it.
Yeah, that's what I was trying to find - how this regex is handled in auparse/interpret.c[2].
We can see how "a0" is handled for example[3] but I couldn't find anything about "a4[foo]".
>> 3. Could you post an example of a record with a field which fits the regex
>> (assuming the regex is valid)?
>
> The archive link above explains what was going to be added. Offhand I don't
> have one of these laying around in my logs. This test might create one for
> you:
>
> https://github.com/linux-audit/audit-testsuite/tree/master/tests/exec_execve
Thanks a lot.
>> [1]:
>> https://github.com/linux-audit/audit-documentation/blob/master/specs/fields
>> /field-dictionary.csv#L3 [2]:
>> https://www.redhat.com/archives/linux-audit/2012-October/msg00090.html
Cheers,
-m
[2]: https://github.com/linux-audit/audit-userspace/blob/master/auparse/interpret.c
[3]: https://github.com/linux-audit/audit-userspace/blob/master/auparse/interpret.c#L2805
* Re: Question about the a[[:digit:]+]\[.*\] fields
From: Steve Grubb @ 2016-08-01 14:46 UTC (permalink / raw)
To: linux-audit; +Cc: Konrad Witaszczyk
In-Reply-To: <791A85A1-9404-4763-9584-D673DDDD747D@FreeBSD.org>
On Monday, August 1, 2016 12:16:30 AM EDT Mateusz Piotrowski wrote:
> Hello,
>
> According to the field dictionary[1] there are fields whose names are
> defined by the following regex: "a[[:digit:]+]\[.*\]".
>
> I was able to find examples of fields like "a4" and "a5" (see [2]) but it
> doesn't fit the regex which seems to require a pair of square brackets (so
> "a4" should be "a4[]" or "a4[foo]"). I couldn't find any reference in the
> Linux Audit source code.
I think you have to have arguments that are larger than the audit record
limit and so many arguments that you have multiple execve records to contain
them all.
Here's one reference:
https://www.redhat.com/archives/linux-audit/2007-October/msg00015.html
> My questions are:
> 1. Is this regex valid and up-to-date? Or is it an outdated rule which
> doesn't apply anymore?
Possibly. But try to generate it and see.
> 2. Could you suggest me where to look to see how those arguments to the
> execve syscall are handled?
Handled where? Kernel? Userspace doesn't do much with any execve argument
except decode it.
> 3. Could you post an example of a record with a field which fits the regex
> (assuming the regex is valid)?
The archive link above explains what was going to be added. Offhand I don't
have one of these laying around in my logs. This test might create one for
you:
https://github.com/linux-audit/audit-testsuite/tree/master/tests/exec_execve
-Steve
> [1]:
> https://github.com/linux-audit/audit-documentation/blob/master/specs/fields
> /field-dictionary.csv#L3 [2]:
> https://www.redhat.com/archives/linux-audit/2012-October/msg00090.html
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
* Re: [PATCH] prctl: remove one-shot limitation for changing exe link
From: Eric W. Biederman @ 2016-07-31 18:45 UTC (permalink / raw)
To: Mateusz Guzik
Cc: bsegall, mhocko, peterz, Stanislav Kinsburskiy, linux-kernel,
oleg, Cyrill Gorcunov, Richard Guy Briggs, mingo, john.stultz,
matthltc, akpm, luto, vbabka, xemul
In-Reply-To: <20160730202821.7ojhciviocjfnw7p@mguzik>
Mateusz Guzik <mguzik@redhat.com> writes:
> On Sat, Jul 30, 2016 at 12:31:40PM -0500, Eric W. Biederman wrote:
>> So what I am requesting is very simple. That the checks in
>> prctl_set_mm_exe_file be tightened up to more closely approach what
>> execve requires. Thus preserving the value of the /proc/[pid]/exe for
>> the applications that want to use the exe link.
>>
>> Once the checks in prctl_set_mm_exe_file are tightened up please feel
>> free to remove the one shot test.
>>
>
> This is more fishy.
>
> First of all exe_file is used by the audit subsystem. So someone has to
> ask audit people what is the significance (if any) of the field.
>
> All exe_file users but one use get_mm_exe_file and handle NULL
> gracefully.
>
> Even with the current limit of changing the field once, the user can
> cause a transient failure of get_mm_exe_file which can fail to increment
> the refcount before it drops to 0.
>
> This transient failure can be used to get a NULL value stored in
> ->exe_file during fork (in dup_mmap):
> RCU_INIT_POINTER(mm->exe_file, get_mm_exe_file(oldmm));
>
> The one place which is not using get_mm_exe_file to get to the pointer
> is audit_exe_compare:
> rcu_read_lock();
> exe_file = rcu_dereference(tsk->mm->exe_file);
> ino = exe_file->f_inode->i_ino;
> dev = exe_file->f_inode->i_sb->s_dev;
> rcu_read_unlock();
>
> This is buggy on 2 accounts:
> 1. exe_file can be NULL
> 2. rcu does not protect f_inode
>
> The issue is made worse with allowing arbitrary number changes.
>
> Modifying get_mm_exe_file to retry is trivial and in effect never return
> NULL is trivial. With arbitrary number of changes allowed this may
> require some cond_resched() or something.
>
> For comments I cc'ed Richard Guy Briggs, who is both an audit person and
> the author of audit_exe_compare.
That is fair. Keeping the existing users working is what needs to
happen.
At the same time we have an arbitrary number of possible changes with
exec, but I guess that works differently because the mm is changed as
well.
So yes let's bug fix this piece of code and then we can see about
relaxing constraints.
Eric
* Question about the a[[:digit:]+]\[.*\] fields
From: Mateusz Piotrowski @ 2016-07-31 22:16 UTC (permalink / raw)
To: linux-audit; +Cc: Konrad Witaszczyk
Hello,
According to the field dictionary[1] there are fields whose names are defined by the following regex: "a[[:digit:]+]\[.*\]".
I was able to find examples of fields like "a4" and "a5" (see [2]) but it doesn't fit the regex which seems to require a pair of square brackets (so "a4" should be "a4[]" or "a4[foo]"). I couldn't find any reference in the Linux Audit source code.
My questions are:
1. Is this regex valid and up-to-date? Or is it an outdated rule which doesn't apply anymore?
2. Could you suggest me where to look to see how those arguments to the execve syscall are handled?
3. Could you post an example of a record with a field which fits the regex (assuming the regex is valid)?
Cheers!
-Mateusz
[1]: https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv#L3
[2]: https://www.redhat.com/archives/linux-audit/2012-October/msg00090.html
* [GIT PULL] Audit patches for 4.8
From: Paul Moore @ 2016-07-28 7:31 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-audit, linux-kernel
Hi Linus,
Six audit patches for 4.8. There are a couple of style and minor whitespace
tweaks for the logs, as well as a minor fixup to catch errors on user filter
rules, however the major improvements are a fix to the s390 syscall argument
masking code (reviewed by the nice s390 folks), some consolidation around the
exclude filtering (less code, always a win), and a double-fetch fix for
recording the execve arguments. Please pull for 4.8.
Thanks,
-Paul
---
The following changes since commit 2dcd0af568b0cf583645c8a317dd12e344b1c72a:
Linux 4.6 (2016-05-15 15:43:13 -0700)
are available in the git repository at:
git://git.infradead.org/users/pcmoore/audit stable-4.8
for you to fetch changes up to 43761473c254b45883a64441dd0bc85a42f3645c:
audit: fix a double fetch in audit_log_single_execve_arg()
(2016-07-20 14:15:46 -0400)
----------------------------------------------------------------
Paul Moore (3):
audit: fix some horrible switch statement style crimes
s390: ensure that syscall arguments are properly masked on s390
audit: fix a double fetch in audit_log_single_execve_arg()
Richard Guy Briggs (2):
audit: fixup: log on errors from filter user rules
audit: add fields to exclude filter by reusing user filter
Steve Grubb (1):
audit: fix whitespace in CWD record
arch/s390/kernel/ptrace.c | 10 +-
include/linux/audit.h | 2 -
kernel/audit.c | 4 +-
kernel/audit.h | 2 +
kernel/auditfilter.c | 147 +++++++-------------
kernel/auditsc.c | 342 +++++++++++++++++++++---------------------
6 files changed, 235 insertions(+), 272 deletions(-)
--
paul moore
security @ redhat
* Re: [PATCH] alpha_table.h: Syscall 511 is getrandom, not renameat2
From: Steve Grubb @ 2016-07-26 15:47 UTC (permalink / raw)
To: linux-audit; +Cc: James Clarke
In-Reply-To: <20160723191509.7249-1-jrtc27@jrtc27.com>
On Saturday, July 23, 2016 8:15:09 PM EDT James Clarke wrote:
> ---
> This fixes gen_alpha_tables_h aborting due to renameat2 being duplicated.
>
> lib/alpha_table.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/alpha_table.h b/lib/alpha_table.h
> index 08171cc..c43744f 100644
> --- a/lib/alpha_table.h
> +++ b/lib/alpha_table.h
> @@ -451,6 +451,6 @@ _S(507, "finit_module")
> _S(508, "sched_setattr")
> _S(509, "sched_getattr")
> _S(510, "renameat2")
> -_S(511, "renameat2")
> +_S(511, "getrandom")
> _S(512, "memfd_create")
> _S(513, "execveat")
Fixed in commit 1368.
Thanks!
-Steve
* [PATCH] semanage: add auditing of changes in records
From: Miroslav Vadkerti @ 2016-07-26 15:15 UTC (permalink / raw)
To: selinux; +Cc: linux-audit
In-Reply-To: <[PATCH 1/2] semanage: add auditing of changes in records>
Common Criteria requirement FMT_MSA.1 needs any configuration change
that affect enforcement of policy to be audited. This patch adds
auditing of changes in security context mappings for network ports,
interfaces, nodes and file contexts.
A new function log_change is introduced that audits additions,
modification and removal of the mappings via the USER_MAC_CONFIG_CHANGE
audit event.
The format of the audit events was discussed with the audit userspace
maintainer.
This patch resolves: https://bugzilla.redhat.com/show_bug.cgi?id=829175
Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
---
policycoreutils/semanage/seobject.py | 75 ++++++++++++++++++++++++++++++++++++
1 file changed, 75 insertions(+)
diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
index 3b0b108..7d6caa3 100644
--- a/policycoreutils/semanage/seobject.py
+++ b/policycoreutils/semanage/seobject.py
@@ -82,6 +82,21 @@ file_type_str_to_option = {"all files": "a",
"socket file": "s",
"symbolic link": "l",
"named pipe": "p"}
+
+proto_to_audit = {"tcp": 17,
+ "udp": 6,
+ "ipv4": 4,
+ "ipv6": 41}
+
+ftype_to_audit = {"": "any",
+ "b": "block",
+ "c": "char",
+ "d": "dir",
+ "f": "file",
+ "l": "symlink",
+ "p": "pipe",
+ "s": "socket"}
+
try:
import audit
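Review bot: The new `proto_to_audit` table maps tcp to 17 and udp to 6, but the IANA protocol numbers are 6 for TCP and 17 for UDP, so every port record emitted by the portRecords hunks further down carries the wrong `proto=` value and anyone correlating these records with ausearch output or with kernel-side network events will misattribute the protocol. Swap the two entries: `proto_to_audit = {"tcp": 6,` and `"udp": 17,`. The ipv4/ipv6 entries (4 and 41) are IP-encapsulation protocol numbers rather than address families; if the node records are meant to convey a family, that encoding presumably needs confirming with whoever parses `proto=` on the consumer side.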
@@ -90,6 +105,7 @@ try:
def __init__(self):
self.audit_fd = audit.audit_open()
self.log_list = []
+ self.log_change_list = []
def log(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
@@ -109,10 +125,17 @@ try:
def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
self.log_list.append([self.audit_fd, audit.AUDIT_ROLE_REMOVE, sys.argv[0], str(msg), name, 0, sename, serole, serange, oldsename, oldserole, oldserange, "", "", ""])
+ def log_change(self, msg):
+ self.log_change_list.append([self.audit_fd, audit.AUDIT_USER_MAC_CONFIG_CHANGE, str(msg), "semanage", "", "", ""])
+
def commit(self, success):
for l in self.log_list:
audit.audit_log_semanage_message(*(l + [success]))
+ for l in self.log_change_list:
+ audit.audit_log_user_comm_message(*(l + [success]))
+
self.log_list = []
+ self.log_change_list = []
except:
class logger:
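Review bot: The return value of `audit.audit_log_user_comm_message` in the new `commit` loop is discarded, so if the write to the audit socket fails the mapping change goes through with no record and no indication to the operator; since these events exist to satisfy FMT_MSA.1, a silent drop is the case worth surfacing. The pre-existing semanage_message loop has the same shape, so this may be a project convention, but I would at least capture the result, e.g. `rc = audit.audit_log_user_comm_message(*(l + [success]))` followed by `if rc < 0: sys.stderr.write("audit: failed to log configuration change\n")` (or whatever the file uses for warnings). `log_change_list` is also only reset after the loop, so an exception from one record leaves the rest queued and re-emitted on the next commit; swapping the list for an empty one before iterating over the local copy avoids that. The enclosing try block starts outside the hunk.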
@@ -138,6 +161,9 @@ except:
def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
self.log(msg, name, sename, serole, serange, oldsename, oldserole, oldserange)
+ def log_change(self, msg):
+ self.log_list.append(" %s" % msg)
+
def commit(self, success):
if success == 1:
message = "Successful: "
@@ -155,6 +181,9 @@ class nulllogger:
def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
pass
+ def log_change(self, msg):
+ pass
+
def commit(self, success):
pass
@@ -1109,6 +1138,8 @@ class portRecords(semanageRecords):
semanage_port_key_free(k)
semanage_port_free(p)
+ self.mylog.log_change("resrc=port op=add lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u", "object_r", type, serange))
+
def add(self, port, proto, serange, type):
self.begin()
self.__add(port, proto, serange, type)
@@ -1150,6 +1181,8 @@ class portRecords(semanageRecords):
semanage_port_key_free(k)
semanage_port_free(p)
+ self.mylog.log_change("resrc=port op=modify lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u", "object_r", setype, serange))
+
def modify(self, port, proto, serange, setype):
self.begin()
self.__modify(port, proto, serange, setype)
@@ -1168,6 +1201,7 @@ class portRecords(semanageRecords):
low = semanage_port_get_low(port)
high = semanage_port_get_high(port)
port_str = "%s-%s" % (low, high)
+
(k, proto_d, low, high) = self.__genkey(port_str, proto_str)
if rc < 0:
raise ValueError(_("Could not create a key for %s") % port_str)
@@ -1177,6 +1211,11 @@ class portRecords(semanageRecords):
raise ValueError(_("Could not delete the port %s") % port_str)
semanage_port_key_free(k)
+ if low == high:
+ port_str = low
+
+ self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port_str, proto_to_audit[proto_str]))
+
self.commit()
def __delete(self, port, proto):
@@ -1199,6 +1238,8 @@ class portRecords(semanageRecords):
semanage_port_key_free(k)
+ self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port, proto_to_audit[proto]))
+
def delete(self, port, proto):
self.begin()
self.__delete(port, proto)
@@ -1380,6 +1421,8 @@ class nodeRecords(semanageRecords):
semanage_node_key_free(k)
semanage_node_free(node)
+ self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, proto_to_audit[self.protocol[proto]], "system_u", "object_r", ctype, serange))
+
def add(self, addr, mask, proto, serange, ctype):
self.begin()
self.__add(addr, mask, proto, serange, ctype)
@@ -1421,6 +1464,8 @@ class nodeRecords(semanageRecords):
semanage_node_key_free(k)
semanage_node_free(node)
+ self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, proto_to_audit[self.protocol[proto]], "system_u", "object_r", setype, serange))
+
def modify(self, addr, mask, proto, serange, setype):
self.begin()
self.__modify(addr, mask, proto, serange, setype)
@@ -1452,6 +1497,8 @@ class nodeRecords(semanageRecords):
semanage_node_key_free(k)
+ self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, proto_to_audit[self.protocol[proto]]))
+
def delete(self, addr, mask, proto):
self.begin()
self.__delete(addr, mask, proto)
@@ -1581,6 +1628,8 @@ class interfaceRecords(semanageRecords):
semanage_iface_key_free(k)
semanage_iface_free(iface)
+ self.mylog.log_change("resrc=interface op=add netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", ctype, serange))
+
def add(self, interface, serange, ctype):
self.begin()
self.__add(interface, serange, ctype)
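Review bot: `netif=%s` interpolates the interface name exactly as given on the command line, whereas the fcontext hunks route user-supplied path globs through `audit_encode_nv_string`; an interface name containing whitespace or a quote would split the name=value pairs of the record and leave the field unparseable for ausearch and downstream tooling. Encoding it the same way keeps the record's structure intact: `audit.audit_encode_nv_string("netif", interface, 0)` in place of `netif=%s` here and in the interface modify and delete hunks, provided the encoding is reachable on the non-audit fallback path as well. The same consideration applies to `type`/`serange` in the port and node records, though those values are presumably validated against policy before reaching this point. The enclosing method begins outside the hunk.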
@@ -1618,6 +1667,8 @@ class interfaceRecords(semanageRecords):
semanage_iface_key_free(k)
semanage_iface_free(iface)
+ self.mylog.log_change("resrc=interface op=modify netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", setype, serange))
+
def modify(self, interface, serange, setype):
self.begin()
self.__modify(interface, serange, setype)
@@ -1646,6 +1697,8 @@ class interfaceRecords(semanageRecords):
semanage_iface_key_free(k)
+ self.mylog.log_change("resrc=interface op=delete netif=%s" % interface)
+
def delete(self, interface):
self.begin()
self.__delete(interface)
@@ -1775,6 +1828,8 @@ class fcontextRecords(semanageRecords):
if i.startswith(target + "/"):
raise ValueError(_("File spec %s conflicts with equivalency rule '%s %s'") % (target, i, fdict[i]))
+ self.mylog.log_change("resrc=fcontext op=add-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
+
self.equiv[target] = substitute
self.equal_ind = True
self.commit()
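Review bot: `audit.audit_encode_nv_string` is called directly here, but `audit` is only bound inside the `try: import audit` at the top of this patch, and the except branch installs a fallback logger precisely for systems without the binding; on such a system this line, and the same calls in the modify-equal, add, modify, delete and delete-equal hunks below, raise NameError and the fcontext operation fails outright rather than merely going unaudited. Move the encoding behind the logger so each class handles it: the audit-backed `log_change` encodes its name/value arguments, and the fallback `log_change` formats them plainly. Alternatively, add a module-level helper that returns `"%s=%s" % (name, value)` when the binding is missing and call that from the record classes. The enclosing method begins outside the hunk.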
@@ -1785,6 +1840,9 @@ class fcontextRecords(semanageRecords):
raise ValueError(_("Equivalence class for %s does not exists") % target)
self.equiv[target] = substitute
self.equal_ind = True
+
+ self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
+
self.commit()
def createcon(self, target, seuser="system_u"):
@@ -1879,6 +1937,11 @@ class fcontextRecords(semanageRecords):
semanage_fcontext_key_free(k)
semanage_fcontext_free(fcontext)
+ if not seuser:
+ seuser = "system_u"
+
+ self.mylog.log_change("resrc=fcontext op=add %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange))
+
def add(self, target, type, ftype="", serange="", seuser="system_u"):
self.begin()
self.__add(target, type, ftype, serange, seuser)
@@ -1939,6 +2002,11 @@ class fcontextRecords(semanageRecords):
semanage_fcontext_key_free(k)
semanage_fcontext_free(fcontext)
+ if not seuser:
+ seuser = "system_u"
+
+ self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange))
+
def modify(self, target, setype, ftype, serange, seuser):
self.begin()
self.__modify(target, setype, ftype, serange, seuser)
@@ -1964,6 +2032,8 @@ class fcontextRecords(semanageRecords):
raise ValueError(_("Could not delete the file context %s") % target)
semanage_fcontext_key_free(k)
+ self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype_str]))
+
self.equiv = {}
self.equal_ind = True
self.commit()
@@ -1972,6 +2042,9 @@ class fcontextRecords(semanageRecords):
if target in self.equiv.keys():
self.equiv.pop(target)
self.equal_ind = True
+
+ self.mylog.log_change("resrc=fcontext op=delete-equal %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
+
return
(rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
@@ -1996,6 +2069,8 @@ class fcontextRecords(semanageRecords):
semanage_fcontext_key_free(k)
+ self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
+
def delete(self, target, ftype):
self.begin()
self.__delete(target, ftype)
--
1.8.3.1
* Re: Auditing device files
From: Richard Guy Briggs @ 2016-07-26 15:05 UTC (permalink / raw)
To: Ed Christiansen MS; +Cc: linux-audit
In-Reply-To: <48d5912c-2b81-3b8c-1ff7-49299e4b5822@ll.mit.edu>
On 2016-07-26 09:40, Ed Christiansen MS wrote:
> Here's a place to start
> http://linux.die.net/man/8/pam_tty_audit
It is a place to start, but that page is a bit out of date, since
pam_tty_audit now has a "log_passwd" option that isn't documented on
that page.
This is a bit more up to date:
https://www.mankier.com/8/pam_tty_audit
> On 7/26/2016 5:00 AM, Pavithra P wrote:
> >Hi,
> >
> >I am trying to see what commands are typed in my terminal and serial
> >port. For that I am using auditd daemon which helps me in auditing
> >files.
> >I thought of a creating audit rules on /dev/tty and /dev/ttyAMA0 for
> >seeing whats happening on terminal and serial device respectively
> >
> >auditctl -w /dev/tty -p rwx -k terminal
> >auditctl -w /dev/ttyAMA0 -p rwx -k serialport
> >
> >But this records only the echo on tty. I cant audit all the commands
> >typed on the terminal. I enabled tty logging in the PAM file too by
> >adding session required pam_tty_audit.so enable=* in /etc/pam.d/sshd
> >file.
> >Is there any other way to do this auditing. I want to use auditd
> >daemon only so that all my auditing log is in one file.
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
* [PATCH] security: lsm_audit: print pid and tid
From: Jeff Vander Stoep @ 2016-07-26 14:54 UTC (permalink / raw)
To: selinux; +Cc: Jeff Vander Stoep, linux-audit
dump_common_audit_data() currently contains a field for pid, but the
value printed is actually the thread ID, tid. Update this value to
return the task group ID. Add a new field for tid. With this change
the values printed by audit now match the values returned by the
getpid() and gettid() syscalls.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
---
security/lsm_audit.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index cccbf30..57f26c1 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -220,7 +220,8 @@ static void dump_common_audit_data(struct audit_buffer *ab,
*/
BUILD_BUG_ON(sizeof(a->u) > sizeof(void *)*2);
- audit_log_format(ab, " pid=%d comm=", task_pid_nr(current));
+ audit_log_format(ab, " pid=%d tid=%d comm=", task_tgid_vnr(tsk),
+ task_pid_vnr(tsk));
audit_log_untrustedstring(ab, memcpy(comm, current->comm, sizeof(comm)));
switch (a->type) {
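Review bot: The new format call uses `tsk`, but no `tsk` is declared in this hunk; the only one visible is the block-local `struct task_struct *tsk = a->u.tsk;` in the LSM_AUDIT_DATA_TASK case below, and the following context line still copies `current->comm`, so unless dump_common_audit_data (whose start is outside the hunk) declares a function-scope tsk this does not compile, and if it does the record would pair one task's ids with another task's comm. Use the current task on both lines: `audit_log_format(ab, " pid=%d tid=%d comm=", task_tgid_vnr(current), task_pid_vnr(current));`. Note also that the removed line used `task_pid_nr` (initial-namespace numbers) while the new lines use the `_vnr` variants, which report ids relative to the caller's pid namespace; that changes what appears in the record for tasks inside a pid namespace and deserves a sentence in the commit message, or keeping the `_nr` forms.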
@@ -294,10 +295,12 @@ static void dump_common_audit_data(struct audit_buffer *ab,
case LSM_AUDIT_DATA_TASK: {
struct task_struct *tsk = a->u.tsk;
if (tsk) {
- pid_t pid = task_pid_nr(tsk);
+ pid_t pid = task_tgid_vnr(tsk);
if (pid) {
char comm[sizeof(tsk->comm)];
audit_log_format(ab, " opid=%d ocomm=", pid);
+ audit_log_format(ab, " opid=%d otid=%d ocomm=",
+ pid, task_pid_vnr(tsk));
audit_log_untrustedstring(ab,
memcpy(comm, tsk->comm, sizeof(comm)));
}
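Review bot: The original `audit_log_format(ab, " opid=%d ocomm=", pid);` on the line before the new call is kept as context rather than removed (the diffstat's two deletions are the pid= lines in each hunk), so the new record emits ` opid=%d ocomm= opid=%d otid=%d ocomm=` ahead of the comm string, duplicating the field and confusing any name=value parser. Drop the old call so only `audit_log_format(ab, " opid=%d otid=%d ocomm=", pid, task_pid_vnr(tsk));` remains. With `pid` now holding the thread-group id, renaming the local to `tgid` would also make the opid/otid pairing read correctly.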
--
2.8.0.rc3.226.g39d4020
* Re: Auditing device files
From: Ed Christiansen MS @ 2016-07-26 13:40 UTC (permalink / raw)
To: linux-audit
In-Reply-To: <CABBiaOFDucUxu+nYJ_ehPPn_qOAjCyEvvL2pR2OwSJ1D276GSQ@mail.gmail.com>
Here's a place to start
http://linux.die.net/man/8/pam_tty_audit
On 7/26/2016 5:00 AM, Pavithra P wrote:
> Hi,
>
> I am trying to see what commands are typed in my terminal and serial
> port. For that I am using auditd daemon which helps me in auditing
> files.
> I thought of a creating audit rules on /dev/tty and /dev/ttyAMA0 for
> seeing whats happening on terminal and serial device respectively
>
> auditctl -w /dev/tty -p rwx -k terminal
> auditctl -w /dev/ttyAMA0 -p rwx -k serialport
>
> But this records only the echo on tty. I cant audit all the commands
> typed on the terminal. I enabled tty logging in the PAM file too by
> adding session required pam_tty_audit.so enable=* in /etc/pam.d/sshd
> file.
> Is there any other way to do this auditing. I want to use auditd
> daemon only so that all my auditing log is in one file.
>
* Re: [PATCH 1/2] semanage: add auditing of changes in records
From: Miroslav Vadkerti @ 2016-07-26 10:50 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit, selinux
In-Reply-To: <10070280.KoedIQp72C@x2>
Hi Steve,
I did not know that I wouldn't need to override those parameters when I
started preparing the patch. I can just remove them and always pass "" as
hostname, addr and tty. I will submit a new patch in a few minutes.
Thanks and best regards,
/M
On Mon, Jul 25, 2016 at 9:07 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> Hello,
>
> Thanks for adding these audit events. I have just one question below.
>
> On Monday, July 25, 2016 6:37:06 PM EDT Miroslav Vadkerti wrote:
> > Common Criteria requirement FMT_MSA.1 needs any configuration change
> > that affect enforcement of policy to be audited. This patch adds
> > auditing of changes in security context mappings for network ports,
> > interfaces, nodes and file contexts.
> >
> > A new function log_change is introduced that audits additions,
> > modification and removal of the mappings via the USER_MAC_CONFIG_CHANGE
> > audit event.
> >
> > The format of the audit events was discussed with the audit userspace
> > maintainer.
> >
> > This patch resolves: https://bugzilla.redhat.com/show_bug.cgi?id=829175
> >
> > Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
> > ---
> > policycoreutils/semanage/seobject.py | 75
> > ++++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+)
> >
> > diff --git a/policycoreutils/semanage/seobject.py
> > b/policycoreutils/semanage/seobject.py index 3b0b108..799ce24 100644
> > --- a/policycoreutils/semanage/seobject.py
> > +++ b/policycoreutils/semanage/seobject.py
> > @@ -82,6 +82,21 @@ file_type_str_to_option = {"all files": "a",
> > "socket file": "s",
> > "symbolic link": "l",
> > "named pipe": "p"}
> > +
> > +proto_to_audit = {"tcp": 17,
> > + "udp": 6,
> > + "ipv4": 4,
> > + "ipv6": 41}
> > +
> > +ftype_to_audit = {"": "any",
> > + "b": "block",
> > + "c": "char",
> > + "d": "dir",
> > + "f": "file",
> > + "l": "symlink",
> > + "p": "pipe",
> > + "s": "socket"}
> > +
> > try:
> > import audit
> >
> > @@ -90,6 +105,7 @@ try:
> > def __init__(self):
> > self.audit_fd = audit.audit_open()
> > self.log_list = []
> > + self.log_change_list = []
> >
> > def log(self, msg, name="", sename="", serole="", serange="",
> > oldsename="", oldserole="", oldserange=""):
> >
> > @@ -109,10 +125,17 @@ try:
> > def log_remove(self, msg, name="", sename="", serole="",
> > serange="", oldsename="", oldserole="", oldserange=""):
> > self.log_list.append([self.audit_fd, audit.AUDIT_ROLE_REMOVE,
> sys.argv[0],
> > str(msg), name, 0, sename, serole, serange, oldsename, oldserole,
> > oldserange, "", "", ""])
> >
> > + def log_change(self, msg, hostname="", addr="", tty=""):
> > + self.log_change_list.append([self.audit_fd,
> > audit.AUDIT_USER_MAC_CONFIG_CHANGE, str(msg), "semanage", hostname, addr,
> > tty]) +
> > def commit(self, success):
> > for l in self.log_list:
> > audit.audit_log_semanage_message(*(l + [success]))
> > + for l in self.log_change_list:
> > + audit.audit_log_user_comm_message(*(l + [success]))
> > +
> > self.log_list = []
> > + self.log_change_list = []
> > except:
> > class logger:
> >
> > @@ -138,6 +161,9 @@ except:
> > def log_remove(self, msg, name="", sename="", serole="",
> > serange="", oldsename="", oldserole="", oldserange=""): self.log(msg,
> name,
> > sename, serole, serange, oldsename, oldserole, oldserange)
> >
> > + def log_change(self, msg, hostname="", addr="", tty=""):
> > + self.log_list.append(" %s" % msg)
> > +
>
> Is it really necessary to do something with hostname, addr, & tty here...
>
> > def commit(self, success):
> > if success == 1:
> > message = "Successful: "
> > @@ -155,6 +181,9 @@ class nulllogger:
> > def log_remove(self, msg, name="", sename="", serole="", serange="",
> > oldsename="", oldserole="", oldserange=""): pass
> >
> > + def log_change(self, msg, hostname="", addr="", tty=""):
> > + pass
> > +
>
> and here? I think those are already handled in the audit logging function.
>
> -Steve
>
> > def commit(self, success):
> > pass
> >
> > @@ -1109,6 +1138,8 @@ class portRecords(semanageRecords):
> > semanage_port_key_free(k)
> > semanage_port_free(p)
> >
> > + self.mylog.log_change("resrc=port op=add lport=%s proto=%s
> > tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u",
> > "object_r", type, serange)) +
> > def add(self, port, proto, serange, type):
> > self.begin()
> > self.__add(port, proto, serange, type)
> > @@ -1150,6 +1181,8 @@ class portRecords(semanageRecords):
> > semanage_port_key_free(k)
> > semanage_port_free(p)
> >
> > + self.mylog.log_change("resrc=port op=modify lport=%s proto=%s
> > tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u",
> > "object_r", setype, serange)) +
> > def modify(self, port, proto, serange, setype):
> > self.begin()
> > self.__modify(port, proto, serange, setype)
> > @@ -1168,6 +1201,7 @@ class portRecords(semanageRecords):
> > low = semanage_port_get_low(port)
> > high = semanage_port_get_high(port)
> > port_str = "%s-%s" % (low, high)
> > +
> > (k, proto_d, low, high) = self.__genkey(port_str, proto_str)
> > if rc < 0:
> > raise ValueError(_("Could not create a key for %s") %
> > port_str) @@ -1177,6 +1211,11 @@ class portRecords(semanageRecords):
> > raise ValueError(_("Could not delete the port %s") %
> > port_str) semanage_port_key_free(k)
> >
> > + if low == high:
> > + port_str = low
> > +
> > + self.mylog.log_change("resrc=port op=delete lport=%s
> proto=%s"
> > % (port_str, proto_to_audit[proto_str])) +
> > self.commit()
> >
> > def __delete(self, port, proto):
> > @@ -1199,6 +1238,8 @@ class portRecords(semanageRecords):
> >
> > semanage_port_key_free(k)
> >
> > + self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" %
> > (port, proto_to_audit[proto])) +
> > def delete(self, port, proto):
> > self.begin()
> > self.__delete(port, proto)
> > @@ -1380,6 +1421,8 @@ class nodeRecords(semanageRecords):
> > semanage_node_key_free(k)
> > semanage_node_free(node)
> >
> > + self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s
> > proto=%s tcontext=%s:%s:%s:%s" % (addr, mask,
> > proto_to_audit[self.protocol[proto]], "system_u", "object_r", ctype,
> > serange)) +
> > def add(self, addr, mask, proto, serange, ctype):
> > self.begin()
> > self.__add(addr, mask, proto, serange, ctype)
> > @@ -1421,6 +1464,8 @@ class nodeRecords(semanageRecords):
> > semanage_node_key_free(k)
> > semanage_node_free(node)
> >
> > + self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s
> > proto=%s tcontext=%s:%s:%s:%s" % (addr, mask,
> > proto_to_audit[self.protocol[proto]], "system_u", "object_r", setype,
> > serange)) +
> > def modify(self, addr, mask, proto, serange, setype):
> > self.begin()
> > self.__modify(addr, mask, proto, serange, setype)
> > @@ -1452,6 +1497,8 @@ class nodeRecords(semanageRecords):
> >
> > semanage_node_key_free(k)
> >
> > + self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s
> > proto=%s" % (addr, mask, proto_to_audit[self.protocol[proto]])) +
> > def delete(self, addr, mask, proto):
> > self.begin()
> > self.__delete(addr, mask, proto)
> > @@ -1581,6 +1628,8 @@ class interfaceRecords(semanageRecords):
> > semanage_iface_key_free(k)
> > semanage_iface_free(iface)
> >
> > + self.mylog.log_change("resrc=interface op=add netif=%s
> > tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", ctype,
> > serange)) +
> > def add(self, interface, serange, ctype):
> > self.begin()
> > self.__add(interface, serange, ctype)
> > @@ -1618,6 +1667,8 @@ class interfaceRecords(semanageRecords):
> > semanage_iface_key_free(k)
> > semanage_iface_free(iface)
> >
> > + self.mylog.log_change("resrc=interface op=modify netif=%s
> > tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", setype,
> > serange)) +
> > def modify(self, interface, serange, setype):
> > self.begin()
> > self.__modify(interface, serange, setype)
> > @@ -1646,6 +1697,8 @@ class interfaceRecords(semanageRecords):
> >
> > semanage_iface_key_free(k)
> >
> > + self.mylog.log_change("resrc=interface op=delete netif=%s" %
> > interface) +
> > def delete(self, interface):
> > self.begin()
> > self.__delete(interface)
> > @@ -1775,6 +1828,8 @@ class fcontextRecords(semanageRecords):
> > if i.startswith(target + "/"):
> > raise ValueError(_("File spec %s conflicts with
> > equivalency rule '%s %s'") % (target, i, fdict[i]))
> >
> > + self.mylog.log_change("resrc=fcontext op=add-equal %s %s" %
> > (audit.audit_encode_nv_string("sglob", target, 0),
> > audit.audit_encode_nv_string("tglob", substitute, 0))) +
> > self.equiv[target] = substitute
> > self.equal_ind = True
> > self.commit()
> > @@ -1785,6 +1840,9 @@ class fcontextRecords(semanageRecords):
> > raise ValueError(_("Equivalence class for %s does not
> exists")
> > % target) self.equiv[target] = substitute
> > self.equal_ind = True
> > +
> > + self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" %
> > (audit.audit_encode_nv_string("sglob", target, 0),
> > audit.audit_encode_nv_string("tglob", substitute, 0))) +
> > self.commit()
> >
> > def createcon(self, target, seuser="system_u"):
> > @@ -1879,6 +1937,11 @@ class fcontextRecords(semanageRecords):
> > semanage_fcontext_key_free(k)
> > semanage_fcontext_free(fcontext)
> >
> > + if not seuser:
> > + seuser = "system_u"
> > +
> > + self.mylog.log_change("resrc=fcontext op=add %s ftype=%s
> > tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target,
> 0),
> > ftype_to_audit[ftype], seuser, "object_r", type, serange)) +
> > def add(self, target, type, ftype="", serange="",
> seuser="system_u"):
> > self.begin()
> > self.__add(target, type, ftype, serange, seuser)
> > @@ -1939,6 +2002,11 @@ class fcontextRecords(semanageRecords):
> > semanage_fcontext_key_free(k)
> > semanage_fcontext_free(fcontext)
> >
> > + if not seuser:
> > + seuser = "system_u"
> > +
> > + self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s
> > tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target,
> 0),
> > ftype_to_audit[ftype], seuser, "object_r", type, serange)) +
> > def modify(self, target, setype, ftype, serange, seuser):
> > self.begin()
> > self.__modify(target, setype, ftype, serange, seuser)
> > @@ -1964,6 +2032,8 @@ class fcontextRecords(semanageRecords):
> > raise ValueError(_("Could not delete the file context
> %s")
> > % target) semanage_fcontext_key_free(k)
> >
> > + self.mylog.log_change("resrc=fcontext op=delete %s
> ftype=%s" %
> > (audit.audit_encode_nv_string("tglob", target, 0),
> > ftype_to_audit[ftype_str])) +
> > self.equiv = {}
> > self.equal_ind = True
> > self.commit()
> > @@ -1972,6 +2042,9 @@ class fcontextRecords(semanageRecords):
> > if target in self.equiv.keys():
> > self.equiv.pop(target)
> > self.equal_ind = True
> > +
> > + self.mylog.log_change("resrc=fcontext op=delete-equal %s
> > ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0),
> > ftype_to_audit[ftype])) +
> > return
> >
> > (rc, k) = semanage_fcontext_key_create(self.sh, target,
> > file_types[ftype]) @@ -1996,6 +2069,8 @@ class
> > fcontextRecords(semanageRecords):
> >
> > semanage_fcontext_key_free(k)
> >
> > + self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" %
> > (audit.audit_encode_nv_string("tglob", target, 0),
> ftype_to_audit[ftype]))
> > +
> > def delete(self, target, ftype):
> > self.begin()
> > self.__delete(target, ftype)
>
>
>
--
Miroslav Vadkerti :: Senior QE / RHCSS :: BaseOS QE Security
IRC mvadkert #qe #urt #brno #rpmdiff :: GPG 0x25881087
Desk Phone +420 532 294 129 :: Mobile +420 773 944 252
Red Hat Czech s.r.o, Purkyňova 99/71, 612 00, Brno, CR
* Auditing device files
From: Pavithra P @ 2016-07-26 9:00 UTC (permalink / raw)
To: linux-audit
Hi,
I am trying to see what commands are typed in my terminal and serial
port. For that I am using auditd daemon which helps me in auditing
files.
I thought of creating audit rules on /dev/tty and /dev/ttyAMA0 for
seeing what's happening on the terminal and serial device respectively:
auditctl -w /dev/tty -p rwx -k terminal
auditctl -w /dev/ttyAMA0 -p rwx -k serialport
But this records only the echo on the tty. I can't audit all the commands
typed on the terminal. I enabled tty logging in the PAM file too by
adding session required pam_tty_audit.so enable=* in /etc/pam.d/sshd
file.
Is there any other way to do this auditing? I want to use the auditd
daemon only, so that all my auditing logs are in one file.
--
With regards,
P Pavithra
* Re: [PATCH 1/2] semanage: add auditing of changes in records
From: Steve Grubb @ 2016-07-25 19:07 UTC (permalink / raw)
To: linux-audit; +Cc: selinux
In-Reply-To: <1469464627-2159-1-git-send-email-mvadkert@redhat.com>
Hello,
Thanks for adding these audit events. I have just one question below.
On Monday, July 25, 2016 6:37:06 PM EDT Miroslav Vadkerti wrote:
> Common Criteria requirement FMT_MSA.1 needs any configuration change
> that affect enforcement of policy to be audited. This patch adds
> auditing of changes in security context mappings for network ports,
> interfaces, nodes and file contexts.
>
> A new function log_change is introduced that audits additions,
> modification and removal of the mappings via the USER_MAC_CONFIG_CHANGE
> audit event.
>
> The format of the audit events was discussed with the audit userspace
> maintainer.
>
> This patch resolves: https://bugzilla.redhat.com/show_bug.cgi?id=829175
>
> Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
> ---
> policycoreutils/semanage/seobject.py | 75
> ++++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+)
>
> diff --git a/policycoreutils/semanage/seobject.py
> b/policycoreutils/semanage/seobject.py index 3b0b108..799ce24 100644
> --- a/policycoreutils/semanage/seobject.py
> +++ b/policycoreutils/semanage/seobject.py
> @@ -82,6 +82,21 @@ file_type_str_to_option = {"all files": "a",
> "socket file": "s",
> "symbolic link": "l",
> "named pipe": "p"}
> +
> +proto_to_audit = {"tcp": 17,
> + "udp": 6,
> + "ipv4": 4,
> + "ipv6": 41}
> +
> +ftype_to_audit = {"": "any",
> + "b": "block",
> + "c": "char",
> + "d": "dir",
> + "f": "file",
> + "l": "symlink",
> + "p": "pipe",
> + "s": "socket"}
> +
> try:
> import audit
>
> @@ -90,6 +105,7 @@ try:
> def __init__(self):
> self.audit_fd = audit.audit_open()
> self.log_list = []
> + self.log_change_list = []
>
> def log(self, msg, name="", sename="", serole="", serange="",
> oldsename="", oldserole="", oldserange=""):
>
> @@ -109,10 +125,17 @@ try:
> def log_remove(self, msg, name="", sename="", serole="",
> serange="", oldsename="", oldserole="", oldserange=""):
> self.log_list.append([self.audit_fd, audit.AUDIT_ROLE_REMOVE, sys.argv[0],
> str(msg), name, 0, sename, serole, serange, oldsename, oldserole,
> oldserange, "", "", ""])
>
> + def log_change(self, msg, hostname="", addr="", tty=""):
> + self.log_change_list.append([self.audit_fd,
> audit.AUDIT_USER_MAC_CONFIG_CHANGE, str(msg), "semanage", hostname, addr,
> tty]) +
> def commit(self, success):
> for l in self.log_list:
> audit.audit_log_semanage_message(*(l + [success]))
> + for l in self.log_change_list:
> + audit.audit_log_user_comm_message(*(l + [success]))
> +
> self.log_list = []
> + self.log_change_list = []
> except:
> class logger:
>
> @@ -138,6 +161,9 @@ except:
> def log_remove(self, msg, name="", sename="", serole="",
> serange="", oldsename="", oldserole="", oldserange=""): self.log(msg, name,
> sename, serole, serange, oldsename, oldserole, oldserange)
>
> + def log_change(self, msg, hostname="", addr="", tty=""):
> + self.log_list.append(" %s" % msg)
> +
Is it really necessary to do something with hostname, addr, & tty here...
> def commit(self, success):
> if success == 1:
> message = "Successful: "
> @@ -155,6 +181,9 @@ class nulllogger:
> def log_remove(self, msg, name="", sename="", serole="", serange="",
> oldsename="", oldserole="", oldserange=""): pass
>
> + def log_change(self, msg, hostname="", addr="", tty=""):
> + pass
> +
and here? I think those are already handled in the audit logging function.
-Steve
> def commit(self, success):
> pass
>
> @@ -1109,6 +1138,8 @@ class portRecords(semanageRecords):
> semanage_port_key_free(k)
> semanage_port_free(p)
>
> + self.mylog.log_change("resrc=port op=add lport=%s proto=%s
> tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u",
> "object_r", type, serange)) +
> def add(self, port, proto, serange, type):
> self.begin()
> self.__add(port, proto, serange, type)
> @@ -1150,6 +1181,8 @@ class portRecords(semanageRecords):
> semanage_port_key_free(k)
> semanage_port_free(p)
>
> + self.mylog.log_change("resrc=port op=modify lport=%s proto=%s
> tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u",
> "object_r", setype, serange)) +
> def modify(self, port, proto, serange, setype):
> self.begin()
> self.__modify(port, proto, serange, setype)
> @@ -1168,6 +1201,7 @@ class portRecords(semanageRecords):
> low = semanage_port_get_low(port)
> high = semanage_port_get_high(port)
> port_str = "%s-%s" % (low, high)
> +
> (k, proto_d, low, high) = self.__genkey(port_str, proto_str)
> if rc < 0:
> raise ValueError(_("Could not create a key for %s") %
> port_str) @@ -1177,6 +1211,11 @@ class portRecords(semanageRecords):
> raise ValueError(_("Could not delete the port %s") %
> port_str) semanage_port_key_free(k)
>
> + if low == high:
> + port_str = low
> +
> + self.mylog.log_change("resrc=port op=delete lport=%s proto=%s"
> % (port_str, proto_to_audit[proto_str])) +
> self.commit()
>
> def __delete(self, port, proto):
> @@ -1199,6 +1238,8 @@ class portRecords(semanageRecords):
>
> semanage_port_key_free(k)
>
> + self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" %
> (port, proto_to_audit[proto])) +
> def delete(self, port, proto):
> self.begin()
> self.__delete(port, proto)
> @@ -1380,6 +1421,8 @@ class nodeRecords(semanageRecords):
> semanage_node_key_free(k)
> semanage_node_free(node)
>
> + self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s
> proto=%s tcontext=%s:%s:%s:%s" % (addr, mask,
> proto_to_audit[self.protocol[proto]], "system_u", "object_r", ctype,
> serange)) +
> def add(self, addr, mask, proto, serange, ctype):
> self.begin()
> self.__add(addr, mask, proto, serange, ctype)
> @@ -1421,6 +1464,8 @@ class nodeRecords(semanageRecords):
> semanage_node_key_free(k)
> semanage_node_free(node)
>
> + self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s
> proto=%s tcontext=%s:%s:%s:%s" % (addr, mask,
> proto_to_audit[self.protocol[proto]], "system_u", "object_r", setype,
> serange)) +
> def modify(self, addr, mask, proto, serange, setype):
> self.begin()
> self.__modify(addr, mask, proto, serange, setype)
> @@ -1452,6 +1497,8 @@ class nodeRecords(semanageRecords):
>
> semanage_node_key_free(k)
>
> + self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s
> proto=%s" % (addr, mask, proto_to_audit[self.protocol[proto]])) +
> def delete(self, addr, mask, proto):
> self.begin()
> self.__delete(addr, mask, proto)
> @@ -1581,6 +1628,8 @@ class interfaceRecords(semanageRecords):
> semanage_iface_key_free(k)
> semanage_iface_free(iface)
>
> + self.mylog.log_change("resrc=interface op=add netif=%s
> tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", ctype,
> serange)) +
> def add(self, interface, serange, ctype):
> self.begin()
> self.__add(interface, serange, ctype)
> @@ -1618,6 +1667,8 @@ class interfaceRecords(semanageRecords):
> semanage_iface_key_free(k)
> semanage_iface_free(iface)
>
> + self.mylog.log_change("resrc=interface op=modify netif=%s
> tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", setype,
> serange)) +
> def modify(self, interface, serange, setype):
> self.begin()
> self.__modify(interface, serange, setype)
> @@ -1646,6 +1697,8 @@ class interfaceRecords(semanageRecords):
>
> semanage_iface_key_free(k)
>
> + self.mylog.log_change("resrc=interface op=delete netif=%s" %
> interface) +
> def delete(self, interface):
> self.begin()
> self.__delete(interface)
> @@ -1775,6 +1828,8 @@ class fcontextRecords(semanageRecords):
> if i.startswith(target + "/"):
> raise ValueError(_("File spec %s conflicts with
> equivalency rule '%s %s'") % (target, i, fdict[i]))
>
> + self.mylog.log_change("resrc=fcontext op=add-equal %s %s" %
> (audit.audit_encode_nv_string("sglob", target, 0),
> audit.audit_encode_nv_string("tglob", substitute, 0))) +
> self.equiv[target] = substitute
> self.equal_ind = True
> self.commit()
> @@ -1785,6 +1840,9 @@ class fcontextRecords(semanageRecords):
> raise ValueError(_("Equivalence class for %s does not exists")
> % target) self.equiv[target] = substitute
> self.equal_ind = True
> +
> + self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" %
> (audit.audit_encode_nv_string("sglob", target, 0),
> audit.audit_encode_nv_string("tglob", substitute, 0))) +
> self.commit()
>
> def createcon(self, target, seuser="system_u"):
> @@ -1879,6 +1937,11 @@ class fcontextRecords(semanageRecords):
> semanage_fcontext_key_free(k)
> semanage_fcontext_free(fcontext)
>
> + if not seuser:
> + seuser = "system_u"
> +
> + self.mylog.log_change("resrc=fcontext op=add %s ftype=%s
> tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0),
> ftype_to_audit[ftype], seuser, "object_r", type, serange)) +
> def add(self, target, type, ftype="", serange="", seuser="system_u"):
> self.begin()
> self.__add(target, type, ftype, serange, seuser)
> @@ -1939,6 +2002,11 @@ class fcontextRecords(semanageRecords):
> semanage_fcontext_key_free(k)
> semanage_fcontext_free(fcontext)
>
> + if not seuser:
> + seuser = "system_u"
> +
> + self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s
> tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0),
> ftype_to_audit[ftype], seuser, "object_r", type, serange)) +
> def modify(self, target, setype, ftype, serange, seuser):
> self.begin()
> self.__modify(target, setype, ftype, serange, seuser)
> @@ -1964,6 +2032,8 @@ class fcontextRecords(semanageRecords):
> raise ValueError(_("Could not delete the file context %s")
> % target) semanage_fcontext_key_free(k)
>
> + self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" %
> (audit.audit_encode_nv_string("tglob", target, 0),
> ftype_to_audit[ftype_str])) +
> self.equiv = {}
> self.equal_ind = True
> self.commit()
> @@ -1972,6 +2042,9 @@ class fcontextRecords(semanageRecords):
> if target in self.equiv.keys():
> self.equiv.pop(target)
> self.equal_ind = True
> +
> + self.mylog.log_change("resrc=fcontext op=delete-equal %s
> ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0),
> ftype_to_audit[ftype])) +
> return
>
> (rc, k) = semanage_fcontext_key_create(self.sh, target,
> file_types[ftype]) @@ -1996,6 +2069,8 @@ class
> fcontextRecords(semanageRecords):
>
> semanage_fcontext_key_free(k)
>
> + self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" %
> (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
> +
> def delete(self, target, ftype):
> self.begin()
> self.__delete(target, ftype)
* [PATCH 2/2] semanage: fix modify action in node and interface
From: Miroslav Vadkerti @ 2016-07-25 16:37 UTC (permalink / raw)
To: selinux; +Cc: linux-audit
In-Reply-To: <1469464627-2159-1-git-send-email-mvadkert@redhat.com>
The modify actions for the security context mappings of interfaces
and nodes actually called the add action instead of modify.
Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
---
policycoreutils/semanage/semanage | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policycoreutils/semanage/semanage b/policycoreutils/semanage/semanage
index 954411d..b199ebe 100644
--- a/policycoreutils/semanage/semanage
+++ b/policycoreutils/semanage/semanage
@@ -524,7 +524,7 @@ def handleInterface(args):
if args.action is "add":
OBJECT.add(args.interface, args.range, args.type)
if args.action is "modify":
- OBJECT.add(args.interface, args.range, args.type)
+ OBJECT.modify(args.interface, args.range, args.type)
if args.action is "delete":
OBJECT.delete(args.interface)
if args.action is "list":
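Review bot: The dispatch this fix lands in compares strings with `is` (`if args.action is "modify":` and the sibling branches), which tests object identity rather than equality; it only works as long as `args.action` is set from a literal constant (e.g. an argparse `store_const`) that the same interpreter has interned, and a value built at runtime would fall through every branch so no action runs at all. These lines are context here, but since the patch is already touching this block, change them to `if args.action == "modify":` (and likewise for `add`, `delete` and `list`) in both handleInterface and handleNode. handleInterface's body starts outside the hunk.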
@@ -607,7 +607,7 @@ def handleNode(args):
if args.action is "add":
OBJECT.add(args.node, args.netmask, args.proto, args.range, args.type)
if args.action is "modify":
- OBJECT.add(args.node, args.netmask, args.proto, args.range, args.type)
+ OBJECT.modify(args.node, args.netmask, args.proto, args.range, args.type)
if args.action is "delete":
OBJECT.delete(args.node, args.netmask, args.proto)
if args.action is "list":
--
1.8.3.1
* [PATCH 1/2] semanage: add auditing of changes in records
From: Miroslav Vadkerti @ 2016-07-25 16:37 UTC (permalink / raw)
To: selinux; +Cc: linux-audit
Common Criteria requirement FMT_MSA.1 needs any configuration change
that affects enforcement of policy to be audited.
auditing of changes in security context mappings for network ports,
interfaces, nodes and file contexts.
A new function log_change is introduced that audits additions,
modification and removal of the mappings via the USER_MAC_CONFIG_CHANGE
audit event.
The format of the audit events was discussed with the audit userspace
maintainer.
This patch resolves: https://bugzilla.redhat.com/show_bug.cgi?id=829175
Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
---
policycoreutils/semanage/seobject.py | 75 ++++++++++++++++++++++++++++++++++++
1 file changed, 75 insertions(+)
diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
index 3b0b108..799ce24 100644
--- a/policycoreutils/semanage/seobject.py
+++ b/policycoreutils/semanage/seobject.py
@@ -82,6 +82,21 @@ file_type_str_to_option = {"all files": "a",
"socket file": "s",
"symbolic link": "l",
"named pipe": "p"}
+
+proto_to_audit = {"tcp": 17,
+ "udp": 6,
+ "ipv4": 4,
+ "ipv6": 41}
+
+ftype_to_audit = {"": "any",
+ "b": "block",
+ "c": "char",
+ "d": "dir",
+ "f": "file",
+ "l": "symlink",
+ "p": "pipe",
+ "s": "socket"}
+
try:
import audit
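Review bot: The protocol numbers in `proto_to_audit` are swapped: IANA assigns 6 to TCP and 17 to UDP, but the table maps `"tcp": 17` and `"udp": 6`, so every port and node record emitted through this table will carry the wrong `proto=` value (the `ipv4` 4 and `ipv6` 41 entries are correct). The fix is `"tcp": 6,` and `"udp": 17,`. Separately, `ftype_to_audit` has no entry for the `"a"` option that `file_type_str_to_option` just above produces for "all files"; if `file_types` (not visible here) accepts `a` as an ftype, the fcontext add/modify/delete paths will raise KeyError, so consider adding `"a": "any",`.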
@@ -90,6 +105,7 @@ try:
def __init__(self):
self.audit_fd = audit.audit_open()
self.log_list = []
+ self.log_change_list = []
def log(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
@@ -109,10 +125,17 @@ try:
def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
self.log_list.append([self.audit_fd, audit.AUDIT_ROLE_REMOVE, sys.argv[0], str(msg), name, 0, sename, serole, serange, oldsename, oldserole, oldserange, "", "", ""])
+ def log_change(self, msg, hostname="", addr="", tty=""):
+ self.log_change_list.append([self.audit_fd, audit.AUDIT_USER_MAC_CONFIG_CHANGE, str(msg), "semanage", hostname, addr, tty])
+
def commit(self, success):
for l in self.log_list:
audit.audit_log_semanage_message(*(l + [success]))
+ for l in self.log_change_list:
+ audit.audit_log_user_comm_message(*(l + [success]))
+
self.log_list = []
+ self.log_change_list = []
except:
class logger:
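Review bot: `commit()` discards the return value of `audit_log_user_comm_message()`, so when the record cannot be written (for example `audit_open()` returned -1 in `__init__`, or auditd is unreachable) the FMT_MSA.1 event the commit message promises is silently lost, and at this point the policy change has already been applied. Assuming the binding returns libaudit's integer result, at least report the failure: `if audit.audit_log_user_comm_message(*(l + [success])) < 0:` followed by `sys.stderr.write("Failed to audit MAC configuration change\n")` (the existing `audit_log_semanage_message` loop has the same gap, but that is pre-existing). `log_change` would also benefit from a docstring such as `"""Queue a USER_MAC_CONFIG_CHANGE record for msg; commit() emits it with the transaction result."""`.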
@@ -138,6 +161,9 @@ except:
def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
self.log(msg, name, sename, serole, serange, oldsename, oldserole, oldserange)
+ def log_change(self, msg, hostname="", addr="", tty=""):
+ self.log_list.append(" %s" % msg)
+
def commit(self, success):
if success == 1:
message = "Successful: "
@@ -155,6 +181,9 @@ class nulllogger:
def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
pass
+ def log_change(self, msg, hostname="", addr="", tty=""):
+ pass
+
def commit(self, success):
pass
@@ -1109,6 +1138,8 @@ class portRecords(semanageRecords):
semanage_port_key_free(k)
semanage_port_free(p)
+ self.mylog.log_change("resrc=port op=add lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u", "object_r", type, serange))
+
def add(self, port, proto, serange, type):
self.begin()
self.__add(port, proto, serange, type)
@@ -1150,6 +1181,8 @@ class portRecords(semanageRecords):
semanage_port_key_free(k)
semanage_port_free(p)
+ self.mylog.log_change("resrc=port op=modify lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u", "object_r", setype, serange))
+
def modify(self, port, proto, serange, setype):
self.begin()
self.__modify(port, proto, serange, setype)
@@ -1168,6 +1201,7 @@ class portRecords(semanageRecords):
low = semanage_port_get_low(port)
high = semanage_port_get_high(port)
port_str = "%s-%s" % (low, high)
+
(k, proto_d, low, high) = self.__genkey(port_str, proto_str)
if rc < 0:
raise ValueError(_("Could not create a key for %s") % port_str)
@@ -1177,6 +1211,11 @@ class portRecords(semanageRecords):
raise ValueError(_("Could not delete the port %s") % port_str)
semanage_port_key_free(k)
+ if low == high:
+ port_str = low
+
+ self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port_str, proto_to_audit[proto_str]))
+
self.commit()
def __delete(self, port, proto):
@@ -1199,6 +1238,8 @@ class portRecords(semanageRecords):
semanage_port_key_free(k)
+ self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port, proto_to_audit[proto]))
+
def delete(self, port, proto):
self.begin()
self.__delete(port, proto)
@@ -1380,6 +1421,8 @@ class nodeRecords(semanageRecords):
semanage_node_key_free(k)
semanage_node_free(node)
+ self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, proto_to_audit[self.protocol[proto]], "system_u", "object_r", ctype, serange))
+
def add(self, addr, mask, proto, serange, ctype):
self.begin()
self.__add(addr, mask, proto, serange, ctype)
@@ -1421,6 +1464,8 @@ class nodeRecords(semanageRecords):
semanage_node_key_free(k)
semanage_node_free(node)
+ self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, proto_to_audit[self.protocol[proto]], "system_u", "object_r", setype, serange))
+
def modify(self, addr, mask, proto, serange, setype):
self.begin()
self.__modify(addr, mask, proto, serange, setype)
@@ -1452,6 +1497,8 @@ class nodeRecords(semanageRecords):
semanage_node_key_free(k)
+ self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, proto_to_audit[self.protocol[proto]]))
+
def delete(self, addr, mask, proto):
self.begin()
self.__delete(addr, mask, proto)
@@ -1581,6 +1628,8 @@ class interfaceRecords(semanageRecords):
semanage_iface_key_free(k)
semanage_iface_free(iface)
+ self.mylog.log_change("resrc=interface op=add netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", ctype, serange))
+
def add(self, interface, serange, ctype):
self.begin()
self.__add(interface, serange, ctype)
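Review bot: The interface name is interpolated raw into `netif=%s`, whereas the fcontext hunks in this same patch pass their values through `audit.audit_encode_nv_string()`. Unless libsemanage rejects names containing whitespace or quotes (not visible here), a name such as `eth0 op=delete` yields a record whose field boundaries cannot be parsed unambiguously; the same consideration applies to the `tcontext=` values in the port and node records. Consider `self.mylog.log_change("resrc=interface op=add %s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("netif", interface, 0), "system_u", "object_r", ctype, serange))`, which also keeps the format consistent with the fcontext records. __add's body starts outside the hunk.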
@@ -1618,6 +1667,8 @@ class interfaceRecords(semanageRecords):
semanage_iface_key_free(k)
semanage_iface_free(iface)
+ self.mylog.log_change("resrc=interface op=modify netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", setype, serange))
+
def modify(self, interface, serange, setype):
self.begin()
self.__modify(interface, serange, setype)
@@ -1646,6 +1697,8 @@ class interfaceRecords(semanageRecords):
semanage_iface_key_free(k)
+ self.mylog.log_change("resrc=interface op=delete netif=%s" % interface)
+
def delete(self, interface):
self.begin()
self.__delete(interface)
@@ -1775,6 +1828,8 @@ class fcontextRecords(semanageRecords):
if i.startswith(target + "/"):
raise ValueError(_("File spec %s conflicts with equivalency rule '%s %s'") % (target, i, fdict[i]))
+ self.mylog.log_change("resrc=fcontext op=add-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
+
self.equiv[target] = substitute
self.equal_ind = True
self.commit()
@@ -1785,6 +1840,9 @@ class fcontextRecords(semanageRecords):
raise ValueError(_("Equivalence class for %s does not exists") % target)
self.equiv[target] = substitute
self.equal_ind = True
+
+ self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
+
self.commit()
def createcon(self, target, seuser="system_u"):
@@ -1879,6 +1937,11 @@ class fcontextRecords(semanageRecords):
semanage_fcontext_key_free(k)
semanage_fcontext_free(fcontext)
+ if not seuser:
+ seuser = "system_u"
+
+ self.mylog.log_change("resrc=fcontext op=add %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange))
+
def add(self, target, type, ftype="", serange="", seuser="system_u"):
self.begin()
self.__add(target, type, ftype, serange, seuser)
@@ -1939,6 +2002,11 @@ class fcontextRecords(semanageRecords):
semanage_fcontext_key_free(k)
semanage_fcontext_free(fcontext)
+ if not seuser:
+ seuser = "system_u"
+
+ self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange))
+
def modify(self, target, setype, ftype, serange, seuser):
self.begin()
self.__modify(target, setype, ftype, serange, seuser)
@@ -1964,6 +2032,8 @@ class fcontextRecords(semanageRecords):
raise ValueError(_("Could not delete the file context %s") % target)
semanage_fcontext_key_free(k)
+ self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype_str]))
+
self.equiv = {}
self.equal_ind = True
self.commit()
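Review bot: `ftype_to_audit[ftype_str]` appears to look up the wrong key space: the table's keys are the single-letter options (`""`, `b`, `c`, …), while `ftype_str` — assigned outside this hunk, presumably from `semanage_fcontext_get_type_str()` as its name and the neighbouring `file_types[ftype]` usage suggest — holds the long form (`"regular file"`, …). If so, every `deleteall` raises KeyError after the local deletions but before `self.commit()`, so the operation fails and nothing is audited. Map it through the existing table first, `ftype_to_audit[file_type_str_to_option[ftype_str]]`, and note that `file_type_str_to_option` yields `"a"` for "all files", which `ftype_to_audit` does not currently contain. deleteall's body starts outside the hunk.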
@@ -1972,6 +2042,9 @@ class fcontextRecords(semanageRecords):
if target in self.equiv.keys():
self.equiv.pop(target)
self.equal_ind = True
+
+ self.mylog.log_change("resrc=fcontext op=delete-equal %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
+
return
(rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
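Review bot: The `delete-equal` record names the equivalence target `tglob`, but the `add-equal` and `modify-equal` records earlier in this patch log the same value as `sglob` (with `tglob` reserved for the substitute), so an ausearch over `sglob=` finds the creation of an equivalence but not its removal. An equivalence entry also has no file type, so the `ftype=` field here carries whatever the caller passed rather than a property of the deleted record. Suggest `self.mylog.log_change("resrc=fcontext op=delete-equal %s" % audit.audit_encode_nv_string("sglob", target, 0))`. __delete's body starts outside the hunk.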
@@ -1996,6 +2069,8 @@ class fcontextRecords(semanageRecords):
semanage_fcontext_key_free(k)
+ self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
+
def delete(self, target, ftype):
self.begin()
self.__delete(target, ftype)
--
1.8.3.1
* [PATCH] alpha_table.h: Syscall 511 is getrandom, not renameat2
From: James Clarke @ 2016-07-23 19:15 UTC (permalink / raw)
To: linux-audit; +Cc: James Clarke
---
This fixes gen_alpha_tables_h aborting due to renameat2 being duplicated.
lib/alpha_table.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/alpha_table.h b/lib/alpha_table.h
index 08171cc..c43744f 100644
--- a/lib/alpha_table.h
+++ b/lib/alpha_table.h
@@ -451,6 +451,6 @@ _S(507, "finit_module")
_S(508, "sched_setattr")
_S(509, "sched_getattr")
_S(510, "renameat2")
-_S(511, "renameat2")
+_S(511, "getrandom")
_S(512, "memfd_create")
_S(513, "execveat")
--
2.9.1