* [PATCH 2/2] audit: log binding and unbinding to netlink multicast
From: Steve Grubb @ 2016-11-30 19:26 UTC (permalink / raw)
  To: linux-audit

Log information about programs connecting to and disconnecting from the audit
netlink multicast socket. This is needed so that during investigations a
security officer can tell who or what had access to the audit trail. This
helps to meet the FAU_SAR.2 requirement for Common Criteria.

Signed-off-by: sgrubb <sgrubb@redhat.com>
---
 include/uapi/linux/audit.h |  1 +
 kernel/audit.c             | 31 +++++++++++++++++++++++++++----
 2 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 82e8aa5..e6dd046 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -111,6 +111,7 @@
 #define AUDIT_PROCTITLE		1327	/* Proctitle emit event */
 #define AUDIT_FEATURE_CHANGE	1328	/* audit log listing feature changes */
 #define AUDIT_REPLACE		1329	/* Replace auditd if this packet unanswerd */
+#define AUDIT_EVENT_LISTENER	1330	/* Task joined multicast read socket */
 
 #define AUDIT_AVC		1400	/* SE Linux avc denial or grant */
 #define AUDIT_SELINUX_ERR	1401	/* Internal SE Linux Errors */
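Review bot: The comment on the new AUDIT_EVENT_LISTENER define describes only a successful join, but the kernel/audit.c hunk in this patch emits the same record type for a denied join (`res=0` after the CAP_AUDIT_READ check) and for a leave (`op=disconnect`); since this is a uapi header that log consumers read, it should say so, e.g. `/* Task joined/left multicast read socket (res=0: join denied) */`. The cover letter's sample output shows `type=UNKNOWN[1330]`, which is a reminder that the userspace type-name table needs a matching entry before the record is human-readable.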
diff --git a/kernel/audit.c b/kernel/audit.c
index 22f8c3d..910a7c1 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1161,22 +1161,45 @@ void audit_log_task_simple(struct audit_buffer *ab, 
struct task_struct *tsk)
 }
 EXPORT_SYMBOL(audit_log_task_simple);
 
+/* Log information about who is connecting to the audit multicast socket */
+static void audit_log_multicast_bind(int group, const char *op, int err)
+{
+	struct audit_buffer *ab;
+
+	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_EVENT_LISTENER);
+	if (!ab)
+		return;
+
+	audit_log_task_simple(ab, current);
+	audit_log_format(ab, " nlnk-grp=%d op=%s res=%d", group, op, !err);
+	audit_log_end(ab);
+}
+
 /* Run custom bind function on netlink socket group connect or bind requests. 
*/
-static int audit_bind(struct net *net, int group)
+static int audit_multicast_bind(struct net *net, int group)
 {
+	int err = 0;
+
 	if (!capable(CAP_AUDIT_READ))
-		return -EPERM;
+		err = -EPERM;
+	audit_log_multicast_bind(group, "connect", err);
 
-	return 0;
+	return err;
+}
+
+static void audit_multicast_unbind(struct net *net, int group)
+{
+	audit_log_multicast_bind(group, "disconnect", 0);
 }
 
 static int __net_init audit_net_init(struct net *net)
 {
 	struct netlink_kernel_cfg cfg = {
 		.input	= audit_receive,
-		.bind	= audit_bind,
+		.bind	= audit_multicast_bind,
 		.flags	= NL_CFG_F_NONROOT_RECV,
 		.groups	= AUDIT_NLGRP_MAX,
+		.unbind	= audit_multicast_unbind,
 	};
 
 	struct audit_net *aunet = net_generic(net, audit_net_id);
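Review bot: When audit_log_start() returns NULL at the top of audit_log_multicast_bind(), both audit_multicast_bind() and audit_multicast_unbind() carry on with no record at all, so a reader of the audit trail goes unaccounted for exactly when the backlog is full or audit is off — acceptable as best effort, but the header comment should say so: `/* Best effort: if no buffer is available the join/leave still proceeds but leaves no record. */`. The denied path is recorded as `res=0` but `!err` discards which error occurred; with -EPERM the only possible value today that is fine, yet a comment such as `/* res=0 currently means CAP_AUDIT_READ was missing */` keeps the record meaningful if further failure paths are added. If the netlink core also calls the unbind hook while rolling back a partially failed multi-group bind, audit_multicast_unbind() would log a disconnect for a group that was never joined; worth confirming before this lands.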
-- 
2.7.4


* [PATCH 1/2] audit: create audit_log_task_simple function
From: Steve Grubb @ 2016-11-30 19:25 UTC (permalink / raw)
  To: linux-audit

The audit subsystem has 2 general kinds of audit events, syscall auditing
and hardwired audit events. Syscall auditing records quite a lot about the
process because it doesn't know ahead of time what is important to the
current syscall. For hardwired events, the information recorded can be
greatly reduced.

This patch adds a new function, audit_log_task_simple, which should be used
for most cases because it sticks to what is necessary for "hardwired"
events. It provides pid, uid, auid, tty, session, context, comm, exe.

Signed-off-by: sgrubb <sgrubb@redhat.com>
---
 include/linux/audit.h |  5 +++++
 kernel/audit.c        | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 9d4443f..eaf7615 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -159,6 +159,8 @@ static inline void	    audit_log_secctx(struct audit_buffer *ab, u32 secid)
 extern int audit_log_task_context(struct audit_buffer *ab);
 extern void audit_log_task_info(struct audit_buffer *ab,
 				struct task_struct *tsk);
+extern void audit_log_task_simple(struct audit_buffer *ab,
+				struct task_struct *tsk);
 
 extern int		    audit_update_lsm_rules(void);
 
@@ -213,6 +215,9 @@ static inline int audit_log_task_context(struct audit_buffer *ab)
 static inline void audit_log_task_info(struct audit_buffer *ab,
 				       struct task_struct *tsk)
 { }
+static inline void audit_log_task_simple(struct audit_buffer *ab,
+				       struct task_struct *tsk)
+{ }
 #define audit_enabled 0
 #endif /* CONFIG_AUDIT */
 
diff --git a/kernel/audit.c b/kernel/audit.c
index a8a91bd..22f8c3d 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1128,6 +1128,39 @@ static void audit_receive(struct sk_buff  *skb)
 	mutex_unlock(&audit_cmd_mutex);
 }
 
+/*
+ * This function logs the essential information needed to understand
+ * what or who is causing the event.
+ */
+void audit_log_task_simple(struct audit_buffer *ab, struct task_struct *tsk)
+{
+	const struct cred *cred;
+	char comm[sizeof(tsk->comm)];
+	struct tty_struct *tty;
+
+	if (!ab)
+		return;
+
+	/* tsk == current */
+	cred = current_cred();
+
+	tty = audit_get_tty(tsk);
+	audit_log_format(ab, "pid=%u uid=%u auid=%u tty=%s ses=%u",
+			 task_pid_nr(tsk),
+			 from_kuid(&init_user_ns, cred->uid),
+			 from_kuid(&init_user_ns, audit_get_loginuid(tsk)),
+			 tty ? tty_name(tty) : "(none)",
+			 audit_get_sessionid(tsk));
+	audit_put_tty(tty);
+
+	audit_log_task_context(ab); /* subj= */
+	audit_log_format(ab, " comm=");
+	audit_log_untrustedstring(ab, get_task_comm(comm, tsk));
+
+	audit_log_d_path_exe(ab, tsk->mm); /* exe= */
+}
+EXPORT_SYMBOL(audit_log_task_simple);
+
 /* Run custom bind function on netlink socket group connect or bind requests. */
 static int audit_bind(struct net *net, int group)
 {
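Review bot: audit_log_task_simple() is exported and takes tsk as a parameter, yet uid is read from current_cred() (the `/* tsk == current */` line) while pid, auid, tty, ses, comm and exe come from tsk, so a future caller passing any other task would produce a record whose uid belongs to a different process than the rest of its fields. Either state the precondition in the header comment, `* Must be called with tsk == current; uid is taken from current_cred().`, or derive the credentials from tsk itself under RCU so the record stays self-consistent regardless of caller. The `if (!ab) return;` guard means the function tolerates a failed audit_log_start(); the comment could mention that as well.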
-- 
2.7.4


* [PATCH 0/2] audit: log binding and unbinding to netlink multicast socket
From: Steve Grubb @ 2016-11-30 19:23 UTC (permalink / raw)
  To: linux-audit

Hello,

I am resurrecting this old patch. It's been cleaned up by adding a simple task 
logging function which should, in the future, serve almost all kernel logging 
needs. The cleaned up bind and unbind functions call it to create the preamble 
and then finish with the data items specific to binding/unbinding.

In essence, this patch logs connecting and disconnecting to the audit netlink 
multicast socket. This is needed so that during investigations a security 
officer can tell who or what had access to the audit trail. This helps to meet 
the FAU_SAR.2 SFR for Common Criteria.

Sample output:
type=UNKNOWN[1330] audit(1480532106.644:2): pid=1 uid=0 auid=4294967295 
tty=(none) ses=4294967295 subj=kernel comm="systemd" exe="/usr/lib/systemd/
systemd" nlnk-grp=1 op=connect res=1

Signed-off-by: Steve Grubb <sgrubb@redhat.com>

---


* Re: [PATCH] netns: avoid disabling irq for netns id
From: David Miller @ 2016-11-30 19:58 UTC (permalink / raw)
  To: pmoore; +Cc: netdev, linux-audit, xiyou.wangcong
In-Reply-To: <148045748887.22539.3188295553967836703.stgit@sifl>

From: Paul Moore <pmoore@redhat.com>
Date: Tue, 29 Nov 2016 17:11:29 -0500

> From: Paul Moore <paul@paul-moore.com>
> 
> Bring back commit bc51dddf98c9 ("netns: avoid disabling irq for netns
> id") now that we've fixed some audit multicast issues that caused
> problems with original attempt.  Additional information, and history,
> can be found in the links below:
> 
>  * https://github.com/linux-audit/audit-kernel/issues/22
>  * https://github.com/linux-audit/audit-kernel/issues/23
> 
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
> Signed-off-by: Paul Moore <paul@paul-moore.com>

This doesn't apply cleanly to the net-next tree, could you please
respin?

Thanks.


* Re: [PATCH] netns: avoid disabling irq for netns id
From: Paul Moore @ 2016-11-30 20:35 UTC (permalink / raw)
  To: David Miller; +Cc: netdev, linux-audit, xiyou.wangcong
In-Reply-To: <20161130.145822.727604546507312208.davem@davemloft.net>

On Wed, Nov 30, 2016 at 2:58 PM, David Miller <davem@davemloft.net> wrote:
> From: Paul Moore <pmoore@redhat.com>
> Date: Tue, 29 Nov 2016 17:11:29 -0500
>
>> From: Paul Moore <paul@paul-moore.com>
>>
>> Bring back commit bc51dddf98c9 ("netns: avoid disabling irq for netns
>> id") now that we've fixed some audit multicast issues that caused
>> problems with original attempt.  Additional information, and history,
>> can be found in the links below:
>>
>>  * https://github.com/linux-audit/audit-kernel/issues/22
>>  * https://github.com/linux-audit/audit-kernel/issues/23
>>
>> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
>> Signed-off-by: Paul Moore <paul@paul-moore.com>
>
> This doesn't apply cleanly to the net-next tree, could you please
> respin?

As I mentioned in a reply to the patch posting, because this relies on
a number of patches in the audit tree I've gone ahead and merged this
patch into the audit#next branch.  Unless you have any objections,
I'll send this to Linus with the rest of the v4.10 audit patches.

-- 
paul moore
security @ redhat


* Re: [PATCH] netns: avoid disabling irq for netns id
From: David Miller @ 2016-11-30 21:12 UTC (permalink / raw)
  To: pmoore; +Cc: netdev, linux-audit, xiyou.wangcong
In-Reply-To: <CAGH-Kgv0UpmDdaW=z8pa1VvmrcJeaA57uMneqNEgex6Xa8NSQw@mail.gmail.com>

From: Paul Moore <pmoore@redhat.com>
Date: Wed, 30 Nov 2016 15:35:46 -0500

> On Wed, Nov 30, 2016 at 2:58 PM, David Miller <davem@davemloft.net> wrote:
>> From: Paul Moore <pmoore@redhat.com>
>> Date: Tue, 29 Nov 2016 17:11:29 -0500
>>
>>> From: Paul Moore <paul@paul-moore.com>
>>>
>>> Bring back commit bc51dddf98c9 ("netns: avoid disabling irq for netns
>>> id") now that we've fixed some audit multicast issues that caused
>>> problems with original attempt.  Additional information, and history,
>>> can be found in the links below:
>>>
>>>  * https://github.com/linux-audit/audit-kernel/issues/22
>>>  * https://github.com/linux-audit/audit-kernel/issues/23
>>>
>>> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
>>> Signed-off-by: Paul Moore <paul@paul-moore.com>
>>
>> This doesn't apply cleanly to the net-next tree, could you please
>> respin?
> 
> As I mentioned in a reply to the patch posting, because this relies on
> a number of patches in the audit tree I've gone ahead and merged this
> patch into the audit#next branch.  Unless you have any objections,
> I'll send this to Linus with the rest of the v4.10 audit patches.

That's fine with me.


* Re: [PATCH] audit: remove the audit freelist
From: Paul Moore @ 2016-12-01  0:04 UTC (permalink / raw)
  To: Florian Westphal; +Cc: linux-kernel, linux-audit, Eric Paris
In-Reply-To: <1479215774-29810-1-git-send-email-fw@strlen.de>

On Tue, Nov 15, 2016 at 8:16 AM, Florian Westphal <fw@strlen.de> wrote:
> allows better debugging as freeing audit buffers now always honors slub
> debug hooks (e.g. object poisoning) and leak checker can detect the
> free operation.
>
> Removal also results in a small speedup (using
> single rule 'iptables -A INPUT -i lo -j AUDIT --type drop'):
>
> super_netperf 4 -H 127.0.0.1 -l 360 -t UDP_RR -- -R 1 -m 64
> Before:
> 294953
> After:
> 298013
>
> (alloc/free no longer serializes on spinlock, allocator can use percpu
>  pool).
>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
>  kernel/audit.c | 53 ++++++++---------------------------------------------
>  1 file changed, 8 insertions(+), 45 deletions(-)

Sorry for the delay, I was hoping to have some time to play around
with this and offer a more meaningful comment ... I've often wondered
about converting audit_buffer, and audit_context for that matter, over
to their own kmem_cache; have you considered that?  Or was this
proposed due to simplicity?

-- 
paul moore
www.paul-moore.com


* Re: [PATCH] audit: remove the audit freelist
From: William Roberts @ 2016-12-01  0:19 UTC (permalink / raw)
  To: Florian Westphal; +Cc: linux-audit, linux-kernel
In-Reply-To: <1479215774-29810-1-git-send-email-fw@strlen.de>



On Nov 29, 2016 07:10, "Florian Westphal" <fw@strlen.de> wrote:
>
> allows better debugging as freeing audit buffers now always honors slub
> debug hooks (e.g. object poisoning) and leak checker can detect the
> free operation.
>
> Removal also results in a small speedup (using
> single rule 'iptables -A INPUT -i lo -j AUDIT --type drop'):
>
> super_netperf 4 -H 127.0.0.1 -l 360 -t UDP_RR -- -R 1 -m 64
> Before:
> 294953
> After:
> 298013

A bigger number is better? Sorry for the html Gmail app on Android won't
let me switch.

>
> (alloc/free no longer serializes on spinlock, allocator can use percpu
>  pool).
>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
>  kernel/audit.c | 53 ++++++++---------------------------------------------
>  1 file changed, 8 insertions(+), 45 deletions(-)
>
> diff --git a/kernel/audit.c b/kernel/audit.c
> index f1ca11613379..396868dc523a 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -131,13 +131,6 @@ static int audit_net_id;
>  /* Hash for inode-based rules */
>  struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];
>
> -/* The audit_freelist is a list of pre-allocated audit buffers (if more
> - * than AUDIT_MAXFREE are in use, the audit buffer is freed instead of
> - * being placed on the freelist). */
> -static DEFINE_SPINLOCK(audit_freelist_lock);
> -static int        audit_freelist_count;
> -static LIST_HEAD(audit_freelist);
> -
>  static struct sk_buff_head audit_skb_queue;
>  /* queue of skbs to send to auditd when/if it comes back */
>  static struct sk_buff_head audit_skb_hold_queue;
> @@ -164,17 +157,11 @@ DEFINE_MUTEX(audit_cmd_mutex);
>   * should be at least that large. */
>  #define AUDIT_BUFSIZ 1024
>
> -/* AUDIT_MAXFREE is the number of empty audit_buffers we keep on the
> - * audit_freelist.  Doing so eliminates many kmalloc/kfree calls. */
> -#define AUDIT_MAXFREE  (2*NR_CPUS)
> -
> -/* The audit_buffer is used when formatting an audit record.  The caller
> - * locks briefly to get the record off the freelist or to allocate the
> - * buffer, and locks briefly to send the buffer to the netlink layer or
> +/* The audit_buffer is used when formatting an audit record.
> + * The caller locks briefly to send the buffer to the netlink layer or
>   * to place it on a transmit queue.  Multiple audit_buffers can be in
>   * use simultaneously. */
>  struct audit_buffer {
> -       struct list_head     list;
>         struct sk_buff       *skb;      /* formatted skb ready to send */
>         struct audit_context *ctx;      /* NULL or associated context */
>         gfp_t                gfp_mask;
> @@ -1247,43 +1234,22 @@ __setup("audit_backlog_limit=",
audit_backlog_limit_set);
>
>  static void audit_buffer_free(struct audit_buffer *ab)
>  {
> -       unsigned long flags;
> -
>         if (!ab)
>                 return;
>
>         kfree_skb(ab->skb);
> -       spin_lock_irqsave(&audit_freelist_lock, flags);
> -       if (audit_freelist_count > AUDIT_MAXFREE)
> -               kfree(ab);
> -       else {
> -               audit_freelist_count++;
> -               list_add(&ab->list, &audit_freelist);
> -       }
> -       spin_unlock_irqrestore(&audit_freelist_lock, flags);
> +       kfree(ab);
>  }
>
>  static struct audit_buffer * audit_buffer_alloc(struct audit_context
*ctx,
>                                                 gfp_t gfp_mask, int type)
>  {
> -       unsigned long flags;
> -       struct audit_buffer *ab = NULL;
> +       struct audit_buffer *ab;
>         struct nlmsghdr *nlh;
>
> -       spin_lock_irqsave(&audit_freelist_lock, flags);
> -       if (!list_empty(&audit_freelist)) {
> -               ab = list_entry(audit_freelist.next,
> -                               struct audit_buffer, list);
> -               list_del(&ab->list);
> -               --audit_freelist_count;
> -       }
> -       spin_unlock_irqrestore(&audit_freelist_lock, flags);
> -
> -       if (!ab) {
> -               ab = kmalloc(sizeof(*ab), gfp_mask);
> -               if (!ab)
> -                       goto err;
> -       }
> +       ab = kmalloc(sizeof(*ab), gfp_mask);
> +       if (!ab)
> +               return NULL;
>
>         ab->ctx = ctx;
>         ab->gfp_mask = gfp_mask;
> @@ -1294,13 +1260,10 @@ static struct audit_buffer *
audit_buffer_alloc(struct audit_context *ctx,
>
>         nlh = nlmsg_put(ab->skb, 0, 0, type, 0, 0);
>         if (!nlh)
> -               goto out_kfree_skb;
> +               goto err;
>
>         return ab;
>
> -out_kfree_skb:
> -       kfree_skb(ab->skb);
> -       ab->skb = NULL;
>  err:
>         audit_buffer_free(ab);
>         return NULL;
> --
> 2.7.3
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit






* Re: [PATCH] audit: remove the audit freelist
From: Florian Westphal @ 2016-12-01  1:44 UTC (permalink / raw)
  To: Paul Moore; +Cc: Florian Westphal, linux-kernel, linux-audit, Eric Paris
In-Reply-To: <CAHC9VhTC+VJZNWE8bfxYEWazi4Kpk_sEwhzr6danM5ogE3G+LA@mail.gmail.com>

Paul Moore <paul@paul-moore.com> wrote:
> On Tue, Nov 15, 2016 at 8:16 AM, Florian Westphal <fw@strlen.de> wrote:
> > allows better debugging as freeing audit buffers now always honors slub
> > debug hooks (e.g. object poisoning) and leak checker can detect the
> > free operation.
> >
> > Removal also results in a small speedup (using
> > single rule 'iptables -A INPUT -i lo -j AUDIT --type drop'):
> >
> > super_netperf 4 -H 127.0.0.1 -l 360 -t UDP_RR -- -R 1 -m 64
> > Before:
> > 294953
> > After:
> > 298013
> >
> > (alloc/free no longer serializes on spinlock, allocator can use percpu
> >  pool).
> >
> > Signed-off-by: Florian Westphal <fw@strlen.de>
> > ---
> >  kernel/audit.c | 53 ++++++++---------------------------------------------
> >  1 file changed, 8 insertions(+), 45 deletions(-)
> 
> Sorry for the delay, I was hoping to have some time to play around
> with this and offer a more meaningful comment ... I've often wondered
> about converting audit_buffer, and audit_context for that matter, over
> to their own kmem_cache; have you considered that?  Or was this
> proposed due to simplicity?

Not sure I understand, you could still convert it on top of this.
(Although audit_buffer is just 24 bytes after this patch so it will
 come from 32byte kmalloc slab).

I don't think it makes sense to keep this DIY cache on top of slub
cache. 


* Auditd cause high CPU and high Load
From: Minh Tien Nguyen @ 2016-12-01  3:59 UTC (permalink / raw)
  To: linux-audit



Dear Audit team.

My name is Nguyen Minh Tien. I am from Singapore and work as a developer
for Garena LTD. Last week I ran into a problem with audit on our production
servers: the auditd process caused periods of peak load on the server,
during which system CPU usage was around 100% and the load average was
over 30. We have tried to find the root cause and have failed.
Could you help us with this case?

The servers, which meet the performance issue, use Redhat 6.8 and their
kernel is 2.6.32.

-- 
Best regards
_________________________
Nguyen Minh Tien - SA Team
email: nguyenmt@garena.com






* Re: Auditd cause high CPU and high Load
From: Steve Grubb @ 2016-12-01 13:57 UTC (permalink / raw)
  To: linux-audit; +Cc: Minh Tien Nguyen
In-Reply-To: <CAHSvBsOyo0g1zu-1nwPuiQNhRfZ_L9MaEGx_eFe9sFYb8=pB2Q@mail.gmail.com>

Hello,

On Thursday, December 1, 2016 11:59:47 AM EST Minh Tien Nguyen wrote:
> My name is Nguyen Minh Tien. I came from Singapore. I am working as a
> developer for Garena LTD. Last week, I met a problem with Audit on our
> product servers. The Auditd process had caused of some pick time on our
> server. In that times, system CPU cost a lot, around 100%. And the Load
> average is over 30. We have tried to find the root cause and have failed.
> Could you help us for that case?
> 
> The servers, which meet the performance issue, use Redhat 6.8 and their
> kernel is 2.6.32.

You might want to check the flush setting for /etc/audit/auditd.conf. I would 
recommend using incremental and set the freq to something like 200 or 500. 
Using sync or data will kill performance, but the event is written to disk 
before processing the next event.

-Steve


* Re: Auditd cause high CPU and high Load
From: Minh Tien Nguyen @ 2016-12-01 14:07 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <1971735.NS9UXEdAuI@x2>



Hi Steve Grubb.

Nice to hear from you. Thank you so much for your help. We will try that
configuration and see the result.

Thanks & best regards.

On Thu, Dec 1, 2016 at 9:57 PM, Steve Grubb <sgrubb@redhat.com> wrote:

> Hello,
>
> On Thursday, December 1, 2016 11:59:47 AM EST Minh Tien Nguyen wrote:
> > My name is Nguyen Minh Tien. I came from Singapore. I am working as a
> > developer for Garena LTD. Last week, I met a problem with Audit on our
> > product servers. The Auditd process had caused of some pick time on our
> > server. In that times, system CPU cost a lot, around 100%. And the Load
> > average is over 30. We have tried to find the root cause and have failed.
> > Could you help us for that case?
> >
> > The servers, which meet the performance issue, use Redhat 6.8 and their
> > kernel is 2.6.32.
>
> You might want to check the flush setting for /etc/audit/auditd.conf. I
> would
> recommend using incremental and set the freq to something like 200 or 500.
> Using sync or data will kill performance, but the event is written to disk
> before processing the next event.
>
> -Steve
>



-- 
Best regards
_________________________
Nguyen Minh Tien - SA Team
email: nguyenmt@garena.com






* Re: Auditd cause high CPU and high Load
From: Edward Bailey @ 2016-12-01 14:50 UTC (permalink / raw)
  To: Steve Grubb, linux-audit; +Cc: Minh Tien Nguyen
In-Reply-To: <1971735.NS9UXEdAuI@x2>



We ran into exactly the same issue with the update to 6.8. Using flush and
setting freq to 300 fixed the issue we were experiencing.

Ed

On Thu, Dec 1, 2016 at 9:00 AM Steve Grubb <sgrubb@redhat.com> wrote:

> Hello,
>
> On Thursday, December 1, 2016 11:59:47 AM EST Minh Tien Nguyen wrote:
> > My name is Nguyen Minh Tien. I came from Singapore. I am working as a
> > developer for Garena LTD. Last week, I met a problem with Audit on our
> > product servers. The Auditd process had caused of some pick time on our
> > server. In that times, system CPU cost a lot, around 100%. And the Load
> > average is over 30. We have tried to find the root cause and have failed.
> > Could you help us for that case?
> >
> > The servers, which meet the performance issue, use Redhat 6.8 and their
> > kernel is 2.6.32.
>
> You might want to check the flush setting for /etc/audit/auditd.conf. I
> would
> recommend using incremental and set the freq to something like 200 or 500.
> Using sync or data will kill performance, but the event is written to disk
> before processing the next event.
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>






* [PATCH 1/1] audit: Make AUDIT_KERNEL event conform to the specification
From: Steve Grubb @ 2016-12-01 20:02 UTC (permalink / raw)
  To: linux-audit

The AUDIT_KERNEL event is not following name=value format. This causes
some information to get lost. The event has been reformatted to follow
the convention. Additionally the audit_enabled value was added for
troubleshooting purposes. The following is an example of the new event:

type=KERNEL audit(1480621249.833:1): state=initialized audit_enabled=0 res=1

Signed-off-by: sgrubb <sgrubb@redhat.com>
---
 kernel/audit.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index 910a7c1..91860d4 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1252,7 +1252,9 @@ static int __init audit_init(void)
 	audit_enabled = audit_default;
 	audit_ever_enabled |= !!audit_default;
 
-	audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized");
+	audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL,
+		"state=initialized audit_enabled=%u res=1",
+		 audit_enabled);
 
 	for (i = 0; i < AUDIT_INODE_BUCKETS; i++)
 		INIT_LIST_HEAD(&audit_inode_hash[i]);
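Review bot: The two continuation lines of the new audit_log() call are indented inconsistently — the format string sits at two tabs while `audit_enabled);` carries an extra leading space — and kernel style aligns both with the opening parenthesis of the call. The `%u` specifier must match audit_enabled's declared type, which this hunk does not show (it is only assigned from audit_default above); if it is a plain int, `%d` is the correct specifier. The hard-coded `res=1` is fine as long as this remains the only KERNEL record and initialization cannot fail after this point; a short comment, `/* res is fixed: init has already succeeded when this is logged */`, would make that explicit.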
-- 
2.7.4


* Re: [PATCH 2/2] audit: log binding and unbinding to netlink multicast
From: Paul Moore @ 2016-12-01 23:39 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <54837117.9EuYO5Hpme@x2>

On Wed, Nov 30, 2016 at 2:26 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> Log information about programs connecting and disconnecting to the audit
> netlink multicast socket. This is needed so that during investigations a
> security officer can tell who or what had access to the audit trail. This
> helps to meet the FAU_SAR.2 requirement for Common Criteria.
>
> Signed-off-by: sgrubb <sgrubb@redhat.com>
> ---
>  include/uapi/linux/audit.h |  1 +
>  kernel/audit.c             | 31 +++++++++++++++++++++++++++----
>  2 files changed, 28 insertions(+), 4 deletions(-)

This needs an associated test for the audit-testsuite and a RFE page
on the wiki.  I also created a GH issue since this is a CC issue and
something we want to track progress on, link below:

* https://github.com/linux-audit/audit-kernel/issues/28

Some more specific comments below ...

> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 82e8aa5..e6dd046 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -111,6 +111,7 @@
>  #define AUDIT_PROCTITLE                1327    /* Proctitle emit event */
>  #define AUDIT_FEATURE_CHANGE   1328    /* audit log listing feature changes */
>  #define AUDIT_REPLACE          1329    /* Replace auditd if this packet unanswerd */
> +#define AUDIT_EVENT_LISTENER   1330    /* Task joined multicast read socket */
>
>  #define AUDIT_AVC              1400    /* SE Linux avc denial or grant */
>  #define AUDIT_SELINUX_ERR      1401    /* Internal SE Linux Errors */
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 22f8c3d..910a7c1 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1161,22 +1161,45 @@ void audit_log_task_simple(struct audit_buffer *ab,
> struct task_struct *tsk)
>  }
>  EXPORT_SYMBOL(audit_log_task_simple);
>
> +/* Log information about who is connecting to the audit multicast socket */
> +static void audit_log_multicast_bind(int group, const char *op, int err)
> +{

A bit of a nit, but it seems odd to call this "..._bind" when we use
it to log both bind and unbind events, maybe "..._op"/"..._status" or
something?

> +       struct audit_buffer *ab;
> +
> +       ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_EVENT_LISTENER);
> +       if (!ab)
> +               return;
> +
> +       audit_log_task_simple(ab, current);

Right now the only call to audit_log_task_simple() is the one above
and I'm not a fan of merging code like that, just open code
audit_log_task_simple() in the function above.  If you need similar
functionality for use by other functions in the future you can
reintroduce audit_log_task_simple().

> +       audit_log_format(ab, " nlnk-grp=%d op=%s res=%d", group, op, !err);
> +       audit_log_end(ab);
> +}
> +
>  /* Run custom bind function on netlink socket group connect or bind requests.
> */
> -static int audit_bind(struct net *net, int group)
> +static int audit_multicast_bind(struct net *net, int group)
>  {
> +       int err = 0;
> +
>         if (!capable(CAP_AUDIT_READ))
> -               return -EPERM;
> +               err = -EPERM;
> +       audit_log_multicast_bind(group, "connect", err);
>
> -       return 0;
> +       return err;
> +}
> +
> +static void audit_multicast_unbind(struct net *net, int group)
> +{
> +       audit_log_multicast_bind(group, "disconnect", 0);
>  }
>
>  static int __net_init audit_net_init(struct net *net)
>  {
>         struct netlink_kernel_cfg cfg = {
>                 .input  = audit_receive,
> -               .bind   = audit_bind,
> +               .bind   = audit_multicast_bind,
>                 .flags  = NL_CFG_F_NONROOT_RECV,
>                 .groups = AUDIT_NLGRP_MAX,
> +               .unbind = audit_multicast_unbind,
>         };
>
>         struct audit_net *aunet = net_generic(net, audit_net_id);
> --
> 2.7.4
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

-- 
paul moore
www.paul-moore.com


* Re: [PATCH] audit: remove the audit freelist
From: Paul Moore @ 2016-12-02  0:02 UTC (permalink / raw)
  To: Florian Westphal; +Cc: linux-kernel, linux-audit, Eric Paris
In-Reply-To: <20161201014455.GD26507@breakpoint.cc>

On Wed, Nov 30, 2016 at 8:44 PM, Florian Westphal <fw@strlen.de> wrote:
> Paul Moore <paul@paul-moore.com> wrote:
>> On Tue, Nov 15, 2016 at 8:16 AM, Florian Westphal <fw@strlen.de> wrote:
>> > allows better debugging as freeing audit buffers now always honors slub
>> > debug hooks (e.g. object poisoning) and leak checker can detect the
>> > free operation.
>> >
>> > Removal also results in a small speedup (using
>> > single rule 'iptables -A INPUT -i lo -j AUDIT --type drop'):
>> >
>> > super_netperf 4 -H 127.0.0.1 -l 360 -t UDP_RR -- -R 1 -m 64
>> > Before:
>> > 294953
>> > After:
>> > 298013
>> >
>> > (alloc/free no longer serializes on spinlock, allocator can use percpu
>> >  pool).
>> >
>> > Signed-off-by: Florian Westphal <fw@strlen.de>
>> > ---
>> >  kernel/audit.c | 53 ++++++++---------------------------------------------
>> >  1 file changed, 8 insertions(+), 45 deletions(-)
>>
>> Sorry for the delay, I was hoping to have some time to play around
>> with this and offer a more meaningful comment ... I've often wondered
>> about converting audit_buffer, and audit_context for that matter, over
>> to their own kmem_cache; have you considered that?  Or was this
>> proposed due to simplicity?
>
> Not sure I understand, you could still convert it on top of this.
> (Although audit_buffer is just 24 bytes after this patch so it will
>  come from 32byte kmalloc slab).

I'm not arguing against this patch, partly just musing out loud,
partly just seeing if you had experimented with creating a
audit_buffer specific kmem_cache (I'm guessing the answer here is
"no").  If we do convert to a kmem_cache this patch would be the
obvious first step.  I'd also want to cobble together some tests we
can use to measure performance.  Using netperf is good, but I'd also
like to exercise the syscall records as it is probably easier to
isolate the audit subsystem that way.

> I don't think it makes sense to keep this DIY cache on top of slub
> cache.

I agree, there probably isn't much sense in keeping this around.  In
case you're interested, I started tracking this on GitHub at the link
below:

 * https://github.com/linux-audit/audit-kernel/issues/29

-- 
paul moore
www.paul-moore.com


* Re: [PATCH] audit: remove the audit freelist
From: Florian Westphal @ 2016-12-02  0:09 UTC (permalink / raw)
  To: Paul Moore; +Cc: Florian Westphal, linux-kernel, linux-audit, Eric Paris
In-Reply-To: <CAHC9VhT=FKEW9-U0bzsjTZPyi91rAb-HOaegGj9yEkrGNbAy8A@mail.gmail.com>

Paul Moore <paul@paul-moore.com> wrote:
> On Wed, Nov 30, 2016 at 8:44 PM, Florian Westphal <fw@strlen.de> wrote:
> > Paul Moore <paul@paul-moore.com> wrote:
> >> On Tue, Nov 15, 2016 at 8:16 AM, Florian Westphal <fw@strlen.de> wrote:
> >> > allows better debugging as freeing audit buffers now always honors slub
> >> > debug hooks (e.g. object poisoning) and leak checker can detect the
> >> > free operation.
> >> >
> >> > Removal also results in a small speedup (using
> >> > single rule 'iptables -A INPUT -i lo -j AUDIT --type drop'):
> >> >
> >> > super_netperf 4 -H 127.0.0.1 -l 360 -t UDP_RR -- -R 1 -m 64
> >> > Before:
> >> > 294953
> >> > After:
> >> > 298013
> >> >
> >> > (alloc/free no longer serializes on spinlock, allocator can use percpu
> >> >  pool).
> >> >
> >> > Signed-off-by: Florian Westphal <fw@strlen.de>
> >> > ---
> >> >  kernel/audit.c | 53 ++++++++---------------------------------------------
> >> >  1 file changed, 8 insertions(+), 45 deletions(-)
> >>
> >> Sorry for the delay, I was hoping to have some time to play around
> >> with this and offer a more meaningful comment ... I've often wondered
> >> about converting audit_buffer, and audit_context for that matter, over
> >> to their own kmem_cache; have you considered that?  Or was this
> >> proposed due to simplicity?
> >
> > Not sure I understand, you could still convert it on top of this.
> > (Although audit_buffer is just 24 bytes after this patch so it will
> >  come from 32byte kmalloc slab).
> 
> I'm not arguing against this patch, partly just musing out loud,
> partly just seeing if you had experimented with creating a
> audit_buffer specific kmem_cache (I'm guessing the answer here is
> "no").  If we do convert to a kmem_cache this patch would be the
> obvious first step.

It does convert to a kmem_cache, indirectly.

kmalloc() uses builtin_constant_size() magic to resolve the kmalloc to
kmem_cache_alloc, using the precreated kmalloc_caches[] in slab_common.c .


* Auditd misses accept syscalls from sshd
From: Nathan Cooprider @ 2016-12-02 20:43 UTC (permalink / raw)
  To: linux-audit



Auditd seems to miss accept syscalls from ssh on Ubuntu 14. I tried
versions 2.3.2 and 2.4.5 of the daemon with kernel versions 3.13.0-96 and
4.4.0-47. In all cases the accept syscall (43) failed to show up until
after I restarted the ssh daemon. It's especially weird because I don't see
this problem on Ubuntu 16 (4.4.0-38). Any thoughts about why I am seeing
this or where to look?

I found a similar question in the archives, but it seems to be related to the
architecture size rather than the OS version:
https://www.redhat.com/archives/linux-audit/2015-January/msg00060.html

I also posted this question on Stack Overflow:
http://stackoverflow.com/questions/40940225/why-does-sshd-accept-syscall-have-inconsistent-behavior-in-linux-audit-framework






* Re: [PATCH 1/1] audit: Make AUDIT_KERNEL event conform to the specification
From: Paul Moore @ 2016-12-02 20:46 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <35255769.M5mior0TaQ@x2>

On Thu, Dec 1, 2016 at 3:02 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> The AUDIT_KERNEL event is not following name=value format. This causes
> some information to get lost. The event has been reformatted to follow
> the convention. Additionally the audit_enabled value was added for
> troubleshooting purposes. The following is an example of the new event:
>
> type=KERNEL audit(1480621249.833:1): state=initialized audit_enabled=0 res=1
>
> Signed-off-by: sgrubb <sgrubb@redhat.com>
> ---
>  kernel/audit.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)

Looks reasonable.  I fixed your name (sgrubb -> Steve Grubb) and
merged this into my next queue for after the upcoming merge window.

> diff --git a/kernel/audit.c b/kernel/audit.c
> index 910a7c1..91860d4 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1252,7 +1252,9 @@ static int __init audit_init(void)
>         audit_enabled = audit_default;
>         audit_ever_enabled |= !!audit_default;
>
> -       audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized");
> +       audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL,
> +               "state=initialized audit_enabled=%u res=1",
> +                audit_enabled);
>
>         for (i = 0; i < AUDIT_INODE_BUCKETS; i++)
>                 INIT_LIST_HEAD(&audit_inode_hash[i]);
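Review bot: The hard-coded `res=1` in the new format string deserves a one-line comment, since a reader of the log format may otherwise expect a `res=0` variant to be emitted somewhere; something like `/* res=1 is unconditional: audit_init() cannot fail once it reaches this point */` above the `audit_log()` call, assuming that is indeed the case. audit_init's body starts and ends outside the hunk, so that assumption cannot be confirmed from here. It is also worth double-checking that `%u` matches the declared type of `audit_enabled`; if it is a plain `int`, `%d` would avoid a signedness mismatch under -Wformat-signedness.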
> --
> 2.7.4
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

-- 
paul moore
www.paul-moore.com


* Re: Auditd misses accept syscalls from sshd
From: Steve Grubb @ 2016-12-02 21:09 UTC (permalink / raw)
  To: linux-audit
In-Reply-To: <CAMMwpch6UvX71gnX2_+fohBxhtS=fyV-=2NhtAvQeY8fi5W8Lg@mail.gmail.com>

On Friday, December 2, 2016 8:43:46 PM EST Nathan Cooprider wrote:
> Auditd seems to miss accept syscalls from ssh on Ubuntu 14.

It's not auditd; the kernel does all the work. Auditd acts a lot like a
specialized syslog.  :-)


> I tried versions 2.3.2 and 2.4.5 of the daemon with kernel versions
> 3.13.0-96 and 4.4.0-47. In all cases the accept syscall (43) failed to show
> up until after I restarted the ssh daemon. It's especially weird because I
> don't see this problem on Ubuntu 16 (4.4.0-38). Any thoughts about why I am
> seeing this or where to look?

It works fine on my 4.8 kernel:
# uname -r
4.8.10-200.fc24.x86_64

# auditctl -a always,exit -F arch=b64 -S accept,accept4 -F exe=/usr/sbin/sshd -F key=test

# ssh localhost
# exit

# ausearch --start recent -k test -i
----
type=CONFIG_CHANGE msg=audit(12/02/2016 15:53:00.297:917) : auid=sgrubb ses=5
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="add_rule" key=test
list=exit res=yes 
----
type=PROCTITLE msg=audit(12/02/2016 15:53:07.287:919) : proctitle=/usr/sbin/sshd 
type=SOCKADDR msg=audit(12/02/2016 15:53:07.287:919) : saddr={ fam=inet6 laddr=::1 lport=52740 } 
type=SYSCALL msg=audit(12/02/2016 15:53:07.287:919) : arch=x86_64
syscall=accept success=yes exit=5 a0=0x4 a1=0x7ffdd5bd06a0 a2=0x7ffdd5bd068c
a3=0x0 items=0 ppid=1 pid=1071 auid=unset uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset
comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
key=test 

I don't know if there were any bug fixes that made it start working. I also
think I was doing some testing on kernels close to when the audit-by-executable
code first went upstream, and I remember not getting the results I wanted. I
had other things to do, and when I came back to it I could not replicate the
missing events. I had upgraded the kernel in the meantime.

Does using a newer kernel fix it for you?

-Steve

> I found a similar question in the archives, but it seems to do with the
> architecture size and not OS versions:
> https://www.redhat.com/archives/linux-audit/2015-January/msg00060.html
> 
> I also posted this question on Stack Overflow:
> http://stackoverflow.com/questions/40940225/why-does-sshd-accept-syscall-hav
> e-inconsistent-behavior-in-linux-audit-framework


* Re: Auditd misses accept syscalls from sshd
From: Paul Moore @ 2016-12-02 21:26 UTC (permalink / raw)
  To: Nathan Cooprider; +Cc: linux-audit
In-Reply-To: <CAMMwpch6UvX71gnX2_+fohBxhtS=fyV-=2NhtAvQeY8fi5W8Lg@mail.gmail.com>

On Fri, Dec 2, 2016 at 3:43 PM, Nathan Cooprider
<ncooprider@yankeehacker.com> wrote:
> Auditd seems to miss accept syscalls from ssh on Ubuntu 14. I tried versions
> 2.3.2 and 2.4.5 of the daemon with kernel versions 3.13.0-96 and 4.4.0-47.
> In all cases the accept syscall (43) failed to show up until after I
> restarted the ssh daemon. It's especially weird because I don't see this
> problem on Ubuntu 16 (4.4.0-38). Any thoughts about why I am seeing this or
> where to look?
>
> I found a similar question in the archives, but it seems to do with the
> architecture size and not OS versions:
> https://www.redhat.com/archives/linux-audit/2015-January/msg00060.html
>
> I also posted this question on Stack Overflow:
> http://stackoverflow.com/questions/40940225/why-does-sshd-accept-syscall-have-inconsistent-behavior-in-linux-audit-framework

I'm not really aware of what Ubuntu is doing with respect to its default
audit configuration, but this really sounds like you need to add
'audit=1' to the kernel command line.

-- 
paul moore
www.paul-moore.com


* Re: Auditd misses accept syscalls from sshd
From: Nathan Cooprider @ 2016-12-02 21:42 UTC (permalink / raw)
  To: Paul Moore; +Cc: linux-audit
In-Reply-To: <CAHC9VhS3EhCcaWX5pC9a2LXZA=BHn=dWQzCcpRUOm776JTCkKQ@mail.gmail.com>



On Fri, Dec 2, 2016 at 4:26 PM Paul Moore <paul@paul-moore.com> wrote:

> On Fri, Dec 2, 2016 at 3:43 PM, Nathan Cooprider
> <ncooprider@yankeehacker.com> wrote:
> > Auditd seems to miss accept syscalls from ssh on Ubuntu 14. I tried
> versions
> > 2.3.2 and 2.4.5 of the daemon with kernel versions 3.13.0-96 and
> 4.4.0-47.
> > In all cases the accept syscall (43) failed to show up until after I
> > restarted the ssh daemon. It's especially weird because I don't see this
> > problem on Ubuntu 16 (4.4.0-38). Any thoughts about why I am seeing this
> or
> > where to look?
> >
> > I found a similar question in the archives, but it seems to do with the
> > architecture size and not OS versions:
> > https://www.redhat.com/archives/linux-audit/2015-January/msg00060.html
> >
> > I also posted this question on Stack Overflow:
> >
> http://stackoverflow.com/questions/40940225/why-does-sshd-accept-syscall-have-inconsistent-behavior-in-linux-audit-framework
>
> I'm not really very aware of what Ubuntu is doing wrt to their default
> audit configuration, but this really sounds like you need to add
> 'audit=1' to the kernel command line.
>
> --
> paul moore
> www.paul-moore.com


Thanks for the suggestion. I'm getting other audit events from sshd without
restarting ssh. It's just the accept syscalls that do not show up until
after I restart ssh:

type=SYSCALL msg=audit(1480714641.465:54): arch=c000003e syscall=43
success=yes exit=5 a0=3 a1=7ffce3b031b0 a2=7ffce3b0319c a3=0 items=0 ppid=1
pid=2602 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd"
key=(null)

I think that indicates the kernel is sending up audit messages. My question
is why the above message fails to come up until after I've restarted ssh.






* Re: Auditd misses accept syscalls from sshd
From: Nathan Cooprider @ 2016-12-02 21:55 UTC (permalink / raw)
  To: Steve Grubb, linux-audit
In-Reply-To: <3811129.XXtPaolnaT@x2>



On Fri, Dec 2, 2016 at 4:09 PM Steve Grubb <sgrubb@redhat.com> wrote:

> On Friday, December 2, 2016 8:43:46 PM EST Nathan Cooprider wrote:
> > Auditd seems to miss accept syscalls from ssh on Ubuntu 14.
>
> Its not auditd, the kernel does all the work. Auditd acts a lot like a
> specialized syslog.  :-)
>
>
> > I tried versions 2.3.2 and 2.4.5 of the daemon with kernel versions
> > 3.13.0-96 and 4.4.0-47. In all cases the accept syscall (43) failed to
> show
> > up until after I restarted the ssh daemon. It's especially weird because
> I
> > don't see this problem on Ubuntu 16 (4.4.0-38). Any thoughts about why I
> am
> > seeing this or where to look?
>
> It works fine on my 4.8 kernel:
> # uname -r
> 4.8.10-200.fc24.x86_64
>
> # auditctl -a always,exit -F arch=b64 -S accept,accept4 -F
> exe=/usr/sbin/sshd -F key=test
>
> # ssh localhost
> # exit
>
> # ausearch --start recent -k test -i
> ----
> type=CONFIG_CHANGE msg=audit(12/02/2016 15:53:00.297:917) : auid=sgrubb
> ses=5
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="add_rule"
> key=test
> list=exit res=yes
> ----
> type=PROCTITLE msg=audit(12/02/2016 15:53:07.287:919) :
> proctitle=/usr/sbin/sshd
> type=SOCKADDR msg=audit(12/02/2016 15:53:07.287:919) : saddr={ fam=inet6
> laddr=::1 lport=52740 }
> type=SYSCALL msg=audit(12/02/2016 15:53:07.287:919) : arch=x86_64
> syscall=accept success=yes exit=5 a0=0x4 a1=0x7ffdd5bd06a0
> a2=0x7ffdd5bd068c
> a3=0x0 items=0 ppid=1 pid=1071 auid=unset uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset
> comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
> key=test
>
> I don't know if there were any bug fixes that made it start working. I also
> think I was doing some testing on kernels close to when the audit by
> executable code first went upstream and I remember not getting the results
> I
> wanted. I had other things to do and when I came back to it I could not
> replicate the missing events. I had upgraded the kernel in the mean time.
>
> Does using a newer kernel fix it for you?
>
> -Steve
>
> > I found a similar question in the archives, but it seems to do with the
> > architecture size and not OS versions:
> > https://www.redhat.com/archives/linux-audit/2015-January/msg00060.html
> >
> > I also posted this question on Stack Overflow:
> >
> http://stackoverflow.com/questions/40940225/why-does-sshd-accept-syscall-hav
> > e-inconsistent-behavior-in-linux-audit-framework
>

 I just tried again and had the same problem:

vagrant@vagrant:~$ uname -a
Linux vagrant 4.4.0-51-generic #72~14.04.1-Ubuntu SMP Thu Nov 24 19:22:30
UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

That's a newer version than I have on my Ubuntu 16 VM, which does
demonstrate the problem. It's also strange that restarting ssh then makes
the accept syscall events show up. Other sshd syscalls show up in auditd
before and after the ssh restart.






* Re: Auditd misses accept syscalls from sshd
From: Paul Moore @ 2016-12-02 21:56 UTC (permalink / raw)
  To: Nathan Cooprider; +Cc: linux-audit
In-Reply-To: <CAMMwpchN9FM2DCtH_JLb7UNfZ80FywgMdU_kjuXEBiiWF3px=w@mail.gmail.com>

On Fri, Dec 2, 2016 at 4:42 PM, Nathan Cooprider
<ncooprider@yankeehacker.com> wrote:
> On Fri, Dec 2, 2016 at 4:26 PM Paul Moore <paul@paul-moore.com> wrote:
>>
>> On Fri, Dec 2, 2016 at 3:43 PM, Nathan Cooprider
>> <ncooprider@yankeehacker.com> wrote:
>> > Auditd seems to miss accept syscalls from ssh on Ubuntu 14. I tried
>> > versions
>> > 2.3.2 and 2.4.5 of the daemon with kernel versions 3.13.0-96 and
>> > 4.4.0-47.
>> > In all cases the accept syscall (43) failed to show up until after I
>> > restarted the ssh daemon. It's especially weird because I don't see this
>> > problem on Ubuntu 16 (4.4.0-38). Any thoughts about why I am seeing this
>> > or
>> > where to look?
>> >
>> > I found a similar question in the archives, but it seems to do with the
>> > architecture size and not OS versions:
>> > https://www.redhat.com/archives/linux-audit/2015-January/msg00060.html
>> >
>> > I also posted this question on Stack Overflow:
>> >
>> > http://stackoverflow.com/questions/40940225/why-does-sshd-accept-syscall-have-inconsistent-behavior-in-linux-audit-framework
>>
>> I'm not really very aware of what Ubuntu is doing wrt to their default
>> audit configuration, but this really sounds like you need to add
>> 'audit=1' to the kernel command line.
>
> Thanks for the suggestion. I'm getting other audit events from sshd without
> restarting ssh. It's just the accept syscalls that do not show up until
> after I restart ssh:
>
> type=SYSCALL msg=audit(1480714641.465:54): arch=c000003e syscall=43
> success=yes exit=5 a0=3 a1=7ffce3b031b0 a2=7ffce3b0319c a3=0 items=0 ppid=1
> pid=2602 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd"
> key=(null)
>
> I think that indicates the kernel is sending up audit messages. My question
> is why the above message fails to come up until after I've restarted ssh.

If you haven't already, I would suggest opening an issue with
Ubuntu/Canonical; I'm not aware of any issues in current kernels that
would cause this and your testing on more modern Ubuntu flavors would
indicate current Ubuntu releases work correctly.

-- 
paul moore
www.paul-moore.com


* Re: [PATCH] audit: remove the audit freelist
From: Paul Moore @ 2016-12-02 21:59 UTC (permalink / raw)
  To: Florian Westphal; +Cc: linux-kernel, linux-audit, Eric Paris
In-Reply-To: <20161202000904.GA31010@breakpoint.cc>

On Thu, Dec 1, 2016 at 7:09 PM, Florian Westphal <fw@strlen.de> wrote:
> Paul Moore <paul@paul-moore.com> wrote:
>> On Wed, Nov 30, 2016 at 8:44 PM, Florian Westphal <fw@strlen.de> wrote:
>> > Paul Moore <paul@paul-moore.com> wrote:
>> >> On Tue, Nov 15, 2016 at 8:16 AM, Florian Westphal <fw@strlen.de> wrote:
>> >> > allows better debugging as freeing audit buffers now always honors slub
>> >> > debug hooks (e.g. object poisoning) and leak checker can detect the
>> >> > free operation.
>> >> >
>> >> > Removal also results in a small speedup (using
>> >> > single rule 'iptables -A INPUT -i lo -j AUDIT --type drop'):
>> >> >
>> >> > super_netperf 4 -H 127.0.0.1 -l 360 -t UDP_RR -- -R 1 -m 64
>> >> > Before:
>> >> > 294953
>> >> > After:
>> >> > 298013
>> >> >
>> >> > (alloc/free no longer serializes on spinlock, allocator can use percpu
>> >> >  pool).
>> >> >
>> >> > Signed-off-by: Florian Westphal <fw@strlen.de>
>> >> > ---
>> >> >  kernel/audit.c | 53 ++++++++---------------------------------------------
>> >> >  1 file changed, 8 insertions(+), 45 deletions(-)
>> >>
>> >> Sorry for the delay, I was hoping to have some time to play around
>> >> with this and offer a more meaningful comment ... I've often wondered
>> >> about converting audit_buffer, and audit_context for that matter, over
>> >> to their own kmem_cache; have you considered that?  Or was this
>> >> proposed due to simplicity?
>> >
>> > Not sure I understand, you could still convert it on top of this.
>> > (Although audit_buffer is just 24 bytes after this patch so it will
>> >  come from 32byte kmalloc slab).
>>
>> I'm not arguing against this patch, partly just musing out loud,
>> partly just seeing if you had experimented with creating a
>> audit_buffer specific kmem_cache (I'm guessing the answer here is
>> "no").  If we do convert to a kmem_cache this patch would be the
>> obvious first step.
>
> It does convert to a kmem_cache, indirectly.
>
> kmalloc() uses builtin_constant_size() magic to resolve the kmalloc to
> kmem_cache_alloc, using the precreated kmalloc_caches[] in slab_common.c .

Yes, understood, I just think there may be some advantages (tracking,
etc.) to using a dedicated audit_buffer kmem_cache rather than the
system wide bucket.

-- 
paul moore
www.paul-moore.com


