Linux-audit Archive on lore.kernel.org
* Re: Auditd misses accept syscalls from sshd
From: Nathan Cooprider @ 2016-12-02 21:42 UTC (permalink / raw)
  To: Paul Moore; +Cc: linux-audit
In-Reply-To: <CAHC9VhS3EhCcaWX5pC9a2LXZA=BHn=dWQzCcpRUOm776JTCkKQ@mail.gmail.com>


On Fri, Dec 2, 2016 at 4:26 PM Paul Moore <paul@paul-moore.com> wrote:

> On Fri, Dec 2, 2016 at 3:43 PM, Nathan Cooprider
> <ncooprider@yankeehacker.com> wrote:
> > Auditd seems to miss accept syscalls from ssh on Ubuntu 14. I tried
> > versions 2.3.2 and 2.4.5 of the daemon with kernel versions 3.13.0-96 and
> > 4.4.0-47. In all cases the accept syscall (43) failed to show up until
> > after I restarted the ssh daemon. It's especially weird because I don't
> > see this problem on Ubuntu 16 (4.4.0-38). Any thoughts about why I am
> > seeing this or where to look?
> >
> > I found a similar question in the archives, but it seems to do with the
> > architecture size and not OS versions:
> > https://www.redhat.com/archives/linux-audit/2015-January/msg00060.html
> >
> > I also posted this question on Stack Overflow:
> > http://stackoverflow.com/questions/40940225/why-does-sshd-accept-syscall-have-inconsistent-behavior-in-linux-audit-framework
>
> I'm not really very aware of what Ubuntu is doing wrt their default
> audit configuration, but this really sounds like you need to add
> 'audit=1' to the kernel command line.
>
> --
> paul moore
> www.paul-moore.com


Thanks for the suggestion. I'm getting other audit events from sshd without
restarting ssh. It's just the accept syscalls that do not show up until
after I restart ssh:

type=SYSCALL msg=audit(1480714641.465:54): arch=c000003e syscall=43
success=yes exit=5 a0=3 a1=7ffce3b031b0 a2=7ffce3b0319c a3=0 items=0 ppid=1
pid=2602 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd"
key=(null)

I think that indicates the kernel is sending up audit messages. My question
is why the above message fails to come up until after I've restarted ssh.


* Re: Auditd misses accept syscalls from sshd
From: Paul Moore @ 2016-12-02 21:26 UTC (permalink / raw)
  To: Nathan Cooprider; +Cc: linux-audit
In-Reply-To: <CAMMwpch6UvX71gnX2_+fohBxhtS=fyV-=2NhtAvQeY8fi5W8Lg@mail.gmail.com>

On Fri, Dec 2, 2016 at 3:43 PM, Nathan Cooprider
<ncooprider@yankeehacker.com> wrote:
> Auditd seems to miss accept syscalls from ssh on Ubuntu 14. I tried versions
> 2.3.2 and 2.4.5 of the daemon with kernel versions 3.13.0-96 and 4.4.0-47.
> In all cases the accept syscall (43) failed to show up until after I
> restarted the ssh daemon. It's especially weird because I don't see this
> problem on Ubuntu 16 (4.4.0-38). Any thoughts about why I am seeing this or
> where to look?
>
> I found a similar question in the archives, but it seems to do with the
> architecture size and not OS versions:
> https://www.redhat.com/archives/linux-audit/2015-January/msg00060.html
>
> I also posted this question on Stack Overflow:
> http://stackoverflow.com/questions/40940225/why-does-sshd-accept-syscall-have-inconsistent-behavior-in-linux-audit-framework

I'm not really very aware of what Ubuntu is doing wrt their default
audit configuration, but this really sounds like you need to add
'audit=1' to the kernel command line.

-- 
paul moore
www.paul-moore.com


* Re: Auditd misses accept syscalls from sshd
From: Steve Grubb @ 2016-12-02 21:09 UTC (permalink / raw)
  To: linux-audit
In-Reply-To: <CAMMwpch6UvX71gnX2_+fohBxhtS=fyV-=2NhtAvQeY8fi5W8Lg@mail.gmail.com>

On Friday, December 2, 2016 8:43:46 PM EST Nathan Cooprider wrote:
> Auditd seems to miss accept syscalls from ssh on Ubuntu 14.

It's not auditd; the kernel does all the work. Auditd acts a lot like a
specialized syslog.  :-)


> I tried versions 2.3.2 and 2.4.5 of the daemon with kernel versions
> 3.13.0-96 and 4.4.0-47. In all cases the accept syscall (43) failed to show
> up until after I restarted the ssh daemon. It's especially weird because I
> don't see this problem on Ubuntu 16 (4.4.0-38). Any thoughts about why I am
> seeing this or where to look?

It works fine on my 4.8 kernel:
# uname -r
4.8.10-200.fc24.x86_64

# auditctl -a always,exit -F arch=b64 -S accept,accept4 -F exe=/usr/sbin/sshd -F key=test

# ssh localhost
# exit

# ausearch --start recent -k test -i
----
type=CONFIG_CHANGE msg=audit(12/02/2016 15:53:00.297:917) : auid=sgrubb ses=5
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="add_rule" key=test
list=exit res=yes 
----
type=PROCTITLE msg=audit(12/02/2016 15:53:07.287:919) : proctitle=/usr/sbin/sshd 
type=SOCKADDR msg=audit(12/02/2016 15:53:07.287:919) : saddr={ fam=inet6 laddr=::1 lport=52740 } 
type=SYSCALL msg=audit(12/02/2016 15:53:07.287:919) : arch=x86_64
syscall=accept success=yes exit=5 a0=0x4 a1=0x7ffdd5bd06a0 a2=0x7ffdd5bd068c
a3=0x0 items=0 ppid=1 pid=1071 auid=unset uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset
comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
key=test 

I don't know if there were any bug fixes that made it start working. I also
think I was doing some testing on kernels close to when the audit-by-executable
code first went upstream and I remember not getting the results I wanted. I
had other things to do and when I came back to it I could not replicate the
missing events. I had upgraded the kernel in the meantime.

Does using a newer kernel fix it for you?

-Steve

> I found a similar question in the archives, but it seems to do with the
> architecture size and not OS versions:
> https://www.redhat.com/archives/linux-audit/2015-January/msg00060.html
> 
> I also posted this question on Stack Overflow:
> http://stackoverflow.com/questions/40940225/why-does-sshd-accept-syscall-have-inconsistent-behavior-in-linux-audit-framework

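The check Steve describes above (an accept/accept4 rule keyed on exe, then ausearch), carried out offline over raw audit log text, as an added example that is not code from the audit project or from anyone in this thread. It assumes the x86_64 and aarch64 syscall numbers given in the table, a little-endian host for the SOCKADDR decode, and a sample log that is constructed apart from the one record Nathan posted.

```python
"""Pull accept()/accept4() events for one executable out of a raw audit log.

Added example for this thread, not code from the audit project or from anyone
on the list.  It does in Python, over the raw text of /var/log/audit/audit.log,
what Steve's `auditctl -a always,exit -F arch=b64 -S accept,accept4
-F exe=/usr/sbin/sshd` rule plus `ausearch -k test -i` show: group records by
serial, match the SYSCALL record by arch/syscall/exe, and decode the SOCKADDR
hex that `ausearch -i` renders as fam=/laddr=/lport=.
"""
import ipaddress
import re
import struct
from collections import defaultdict

# arch= values as the kernel logs them (AUDIT_ARCH_* in <linux/audit.h>) and the
# accept/accept4 numbers on that ABI.  i386 is omitted: before 4.3 it has no
# direct accept syscall (it goes through socketcall), which is the "architecture
# size" issue behind the 2015 archive link in this thread.
ARCH_SYSCALLS = {
    "c000003e": {"name": "x86_64", "accept": 43, "accept4": 288},
    "c00000b7": {"name": "aarch64", "accept": 202, "accept4": 242},
}
LINUX_AF_INET, LINUX_AF_INET6 = 2, 10  # saddr= dumps the kernel's struct sockaddr
RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_record(line):
    """One raw audit line -> dict of type, ts, serial and name=value fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v[1:-1] if len(v) >= 2 and v[0] == v[-1] == '"' else v
              for k, v in FIELD_RE.findall(body)}
    return {"type": rtype, "ts": float(ts), "serial": int(serial), "fields": fields}


def decode_saddr(hexstr):
    """Decode SOCKADDR saddr= hex.  Assumes a little-endian host for sa_family;
    the port is network order in both sockaddr_in and sockaddr_in6."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack_from("<H", raw, 0)[0]
    if family == LINUX_AF_INET and len(raw) >= 8:
        return {"fam": "inet", "laddr": str(ipaddress.IPv4Address(raw[4:8])),
                "lport": struct.unpack_from("!H", raw, 2)[0]}
    if family == LINUX_AF_INET6 and len(raw) >= 24:
        return {"fam": "inet6", "laddr": str(ipaddress.IPv6Address(raw[8:24])),
                "lport": struct.unpack_from("!H", raw, 2)[0]}
    return {"fam": str(family)}


def sockaddr_hex(addr, port):
    """Inverse of decode_saddr; used only to construct the sample log below."""
    ip = ipaddress.ip_address(addr)
    fam = struct.pack("<H", LINUX_AF_INET if ip.version == 4 else LINUX_AF_INET6)
    body = ip.packed + bytes(8) if ip.version == 4 else bytes(4) + ip.packed + bytes(4)
    return (fam + struct.pack("!H", port) + body).hex().upper()


def find_accepts(log_text, exe, only_success=True):
    """One summary dict per accept/accept4 event issued by `exe`, in serial order."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)  # SYSCALL, SOCKADDR, ... share a serial
    hits = []
    for serial, recs in sorted(events.items()):
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        f = sc["fields"] if sc else {}
        arch = ARCH_SYSCALLS.get(f.get("arch"))
        if arch is None or f.get("exe") != exe:
            continue
        name = next((n for n in ("accept", "accept4")
                     if arch[n] == int(f.get("syscall", "-1"))), None)
        if name is None or (only_success and f.get("success") != "yes"):
            continue
        sa = next((r for r in recs if r["type"] == "SOCKADDR"), None)
        hits.append({"serial": serial, "ts": sc["ts"], "pid": int(f["pid"]),
                     "arch": arch["name"], "syscall": name,
                     "listen_fd": int(f["a0"], 16),  # syscall args are hex in raw records
                     "new_fd": int(f["exit"]),       # exit is decimal, negative = -errno
                     "peer": decode_saddr(sa["fields"]["saddr"]) if sa else None})
    return hits


# Constructed sample: serial 54 is the raw record Nathan posted; 919 mirrors Steve's
# ausearch output; 920 got EAGAIN; 921 is another daemon the exe filter must drop.
SAMPLE_LOG = f"""\
type=SYSCALL msg=audit(1480714641.465:54): arch=c000003e syscall=43 success=yes exit=5 a0=3 a1=7ffce3b031b0 a2=7ffce3b0319c a3=0 items=0 ppid=1 pid=2602 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=SYSCALL msg=audit(1480714787.287:919): arch=c000003e syscall=43 success=yes exit=5 a0=4 a1=7ffdd5bd06a0 a2=7ffdd5bd068c a3=0 items=0 ppid=1 pid=1071 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="test"
type=SOCKADDR msg=audit(1480714787.287:919): saddr={sockaddr_hex('::1', 52740)}
type=PROCTITLE msg=audit(1480714787.287:919): proctitle=2F7573722F7362696E2F73736864
type=SYSCALL msg=audit(1480714790.001:920): arch=c000003e syscall=43 success=no exit=-11 a0=4 a1=7ffdd5bd06a0 a2=7ffdd5bd068c a3=0 items=0 ppid=1 pid=1071 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="test"
type=SYSCALL msg=audit(1480714791.120:921): arch=c000003e syscall=288 success=yes exit=9 a0=6 a1=7ffd1c2b3e40 a2=7ffd1c2b3e3c a3=80800 items=0 ppid=1 pid=3344 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="nginx" exe="/usr/sbin/nginx" key="test"
type=SOCKADDR msg=audit(1480714791.120:921): saddr={sockaddr_hex('192.168.1.5', 80)}
"""

if __name__ == "__main__":
    for hit in find_accepts(SAMPLE_LOG, "/usr/sbin/sshd"):
        print(hit)
```

Run it over a captured audit.log while opening new SSH sessions: if a rule like Steve's is loaded and this finds no accept events for /usr/sbin/sshd even though other sshd syscalls appear, the records are not being generated for that process, which is the situation Nathan describes.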

* Re: [PATCH 1/1] audit: Make AUDIT_KERNEL event conform to the specification
From: Paul Moore @ 2016-12-02 20:46 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <35255769.M5mior0TaQ@x2>

On Thu, Dec 1, 2016 at 3:02 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> The AUDIT_KERNEL event is not following name=value format. This causes
> some information to get lost. The event has been reformatted to follow
> the convention. Additionally the audit_enabled value was added for
> troubleshooting purposes. The following is an example of the new event:
>
> type=KERNEL audit(1480621249.833:1): state=initialized audit_enabled=0 res=1
>
> Signed-off-by: sgrubb <sgrubb@redhat.com>
> ---
>  kernel/audit.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)

Looks reasonable.  I fixed your name (sgrubb -> Steve Grubb) and
merged this into my next queue for after the upcoming merge window.

> diff --git a/kernel/audit.c b/kernel/audit.c
> index 910a7c1..91860d4 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1252,7 +1252,9 @@ static int __init audit_init(void)
>         audit_enabled = audit_default;
>         audit_ever_enabled |= !!audit_default;
>
> -       audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized");
> +       audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL,
> +               "state=initialized audit_enabled=%u res=1",
> +                audit_enabled);
>
>         for (i = 0; i < AUDIT_INODE_BUCKETS; i++)
>                 INIT_LIST_HEAD(&audit_inode_hash[i]);
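Review bot: the payload of an existing record type changes here, so any consumer that matched the old literal `initialized` string from the removed `audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized");` will need to match `state=initialized` instead; the commit message should say so, and should name the record-format specification it refers to so the new `state` and `audit_enabled` field names can be checked against it. `res=1` is a constant because audit_init() only reaches this point on success, which deserves a short comment so nobody looks for the failure branch.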
> --
> 2.7.4
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

-- 
paul moore
www.paul-moore.com


* Auditd misses accept syscalls from sshd
From: Nathan Cooprider @ 2016-12-02 20:43 UTC (permalink / raw)
  To: linux-audit


Auditd seems to miss accept syscalls from ssh on Ubuntu 14. I tried
versions 2.3.2 and 2.4.5 of the daemon with kernel versions 3.13.0-96 and
4.4.0-47. In all cases the accept syscall (43) failed to show up until
after I restarted the ssh daemon. It's especially weird because I don't see
this problem on Ubuntu 16 (4.4.0-38). Any thoughts about why I am seeing
this or where to look?

I found a similar question in the archives, but it seems to do with the
architecture size and not OS versions:
https://www.redhat.com/archives/linux-audit/2015-January/msg00060.html

I also posted this question on Stack Overflow:
http://stackoverflow.com/questions/40940225/why-does-sshd-accept-syscall-have-inconsistent-behavior-in-linux-audit-framework


* Re: [PATCH] audit: remove the audit freelist
From: Florian Westphal @ 2016-12-02  0:09 UTC (permalink / raw)
  To: Paul Moore; +Cc: Florian Westphal, linux-kernel, linux-audit, Eric Paris
In-Reply-To: <CAHC9VhT=FKEW9-U0bzsjTZPyi91rAb-HOaegGj9yEkrGNbAy8A@mail.gmail.com>

Paul Moore <paul@paul-moore.com> wrote:
> On Wed, Nov 30, 2016 at 8:44 PM, Florian Westphal <fw@strlen.de> wrote:
> > Paul Moore <paul@paul-moore.com> wrote:
> >> On Tue, Nov 15, 2016 at 8:16 AM, Florian Westphal <fw@strlen.de> wrote:
> >> > allows better debugging as freeing audit buffers now always honors slub
> >> > debug hooks (e.g. object poisoning) and leak checker can detect the
> >> > free operation.
> >> >
> >> > Removal also results in a small speedup (using
> >> > single rule 'iptables -A INPUT -i lo -j AUDIT --type drop'):
> >> >
> >> > super_netperf 4 -H 127.0.0.1 -l 360 -t UDP_RR -- -R 1 -m 64
> >> > Before:
> >> > 294953
> >> > After:
> >> > 298013
> >> >
> >> > (alloc/free no longer serializes on spinlock, allocator can use percpu
> >> >  pool).
> >> >
> >> > Signed-off-by: Florian Westphal <fw@strlen.de>
> >> > ---
> >> >  kernel/audit.c | 53 ++++++++---------------------------------------------
> >> >  1 file changed, 8 insertions(+), 45 deletions(-)
> >>
> >> Sorry for the delay, I was hoping to have some time to play around
> >> with this and offer a more meaningful comment ... I've often wondered
> >> about converting audit_buffer, and audit_context for that matter, over
> >> to their own kmem_cache; have you considered that?  Or was this
> >> proposed due to simplicity?
> >
> > Not sure I understand, you could still convert it on top of this.
> > (Although audit_buffer is just 24 bytes after this patch so it will
> >  come from 32byte kmalloc slab).
> 
> I'm not arguing against this patch, partly just musing out loud,
> partly just seeing if you had experimented with creating a
> audit_buffer specific kmem_cache (I'm guessing the answer here is
> "no").  If we do convert to a kmem_cache this patch would be the
> obvious first step.

It does convert to a kmem_cache, indirectly.

kmalloc() uses builtin_constant_size() magic to resolve the kmalloc to
kmem_cache_alloc, using the precreated kmalloc_caches[] in slab_common.c .


* Re: [PATCH] audit: remove the audit freelist
From: Paul Moore @ 2016-12-02  0:02 UTC (permalink / raw)
  To: Florian Westphal; +Cc: linux-kernel, linux-audit, Eric Paris
In-Reply-To: <20161201014455.GD26507@breakpoint.cc>

On Wed, Nov 30, 2016 at 8:44 PM, Florian Westphal <fw@strlen.de> wrote:
> Paul Moore <paul@paul-moore.com> wrote:
>> On Tue, Nov 15, 2016 at 8:16 AM, Florian Westphal <fw@strlen.de> wrote:
>> > allows better debugging as freeing audit buffers now always honors slub
>> > debug hooks (e.g. object poisoning) and leak checker can detect the
>> > free operation.
>> >
>> > Removal also results in a small speedup (using
>> > single rule 'iptables -A INPUT -i lo -j AUDIT --type drop'):
>> >
>> > super_netperf 4 -H 127.0.0.1 -l 360 -t UDP_RR -- -R 1 -m 64
>> > Before:
>> > 294953
>> > After:
>> > 298013
>> >
>> > (alloc/free no longer serializes on spinlock, allocator can use percpu
>> >  pool).
>> >
>> > Signed-off-by: Florian Westphal <fw@strlen.de>
>> > ---
>> >  kernel/audit.c | 53 ++++++++---------------------------------------------
>> >  1 file changed, 8 insertions(+), 45 deletions(-)
>>
>> Sorry for the delay, I was hoping to have some time to play around
>> with this and offer a more meaningful comment ... I've often wondered
>> about converting audit_buffer, and audit_context for that matter, over
>> to their own kmem_cache; have you considered that?  Or was this
>> proposed due to simplicity?
>
> Not sure I understand, you could still convert it on top of this.
> (Although audit_buffer is just 24 bytes after this patch so it will
>  come from 32byte kmalloc slab).

I'm not arguing against this patch, partly just musing out loud,
partly just seeing if you had experimented with creating a
audit_buffer specific kmem_cache (I'm guessing the answer here is
"no").  If we do convert to a kmem_cache this patch would be the
obvious first step.  I'd also want to cobble together some tests we
can use to measure performance.  Using netperf is good, but I'd also
like to exercise the syscall records as it is probably easier to
isolate the audit subsystem that way.

> I don't think it makes sense to keep this DIY cache on top of slub
> cache.

I agree, there probably isn't much sense in keeping this around.  In
case you're interested, I started tracking this on GitHub at the link
below:

 * https://github.com/linux-audit/audit-kernel/issues/29

-- 
paul moore
www.paul-moore.com


* Re: [PATCH 2/2] audit: log binding and unbinding to netlink multicast
From: Paul Moore @ 2016-12-01 23:39 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <54837117.9EuYO5Hpme@x2>

On Wed, Nov 30, 2016 at 2:26 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> Log information about programs connecting to and disconnecting from the audit
> netlink multicast socket. This is needed so that during investigations a
> security officer can tell who or what had access to the audit trail. This
> helps to meet the FAU_SAR.2 requirement for Common Criteria.
>
> Signed-off-by: sgrubb <sgrubb@redhat.com>
> ---
>  include/uapi/linux/audit.h |  1 +
>  kernel/audit.c             | 31 +++++++++++++++++++++++++++----
>  2 files changed, 28 insertions(+), 4 deletions(-)

This needs an associated test for the audit-testsuite and a RFE page
on the wiki.  I also created a GH issue since this is a CC issue and
something we want to track progress on, link below:

* https://github.com/linux-audit/audit-kernel/issues/28

Some more specific comments below ...

> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 82e8aa5..e6dd046 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -111,6 +111,7 @@
>  #define AUDIT_PROCTITLE                1327    /* Proctitle emit event */
>  #define AUDIT_FEATURE_CHANGE   1328    /* audit log listing feature changes */
>  #define AUDIT_REPLACE          1329    /* Replace auditd if this packet unanswerd */
> +#define AUDIT_EVENT_LISTENER   1330    /* Task joined multicast read socket */
>
>  #define AUDIT_AVC              1400    /* SE Linux avc denial or grant */
>  #define AUDIT_SELINUX_ERR      1401    /* Internal SE Linux Errors */
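Review bot: the comment on the new value, `/* Task joined multicast read socket */`, only describes the bind case, but the same record type is emitted with op=disconnect from audit_multicast_unbind() in the kernel/audit.c part of this patch, so it should read something like `/* Task joined/left audit multicast group */`. Since this is a uapi value, 1330 and its meaning also need to land in the record-type documentation together with the RFE page.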
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 22f8c3d..910a7c1 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1161,22 +1161,45 @@ void audit_log_task_simple(struct audit_buffer *ab,
> struct task_struct *tsk)
>  }
>  EXPORT_SYMBOL(audit_log_task_simple);
>
> +/* Log information about who is connecting to the audit multicast socket */
> +static void audit_log_multicast_bind(int group, const char *op, int err)
> +{

A bit of a nit, but it seems odd to call this "..._bind" when we use
it to log both bind and unbind events, maybe "..._op"/"..._status" or
something?

> +       struct audit_buffer *ab;
> +
> +       ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_EVENT_LISTENER);
> +       if (!ab)
> +               return;
> +
> +       audit_log_task_simple(ab, current);

Right now the only call to audit_log_task_simple() is the one above
and I'm not a fan of merging code like that, just open code
audit_log_task_simple() in the function above.  If you need similar
functionality for use by other functions in the future you can
reintroduce audit_log_task_simple().

> +       audit_log_format(ab, " nlnk-grp=%d op=%s res=%d", group, op, !err);
> +       audit_log_end(ab);
> +}
> +
>  /* Run custom bind function on netlink socket group connect or bind requests.
> */
> -static int audit_bind(struct net *net, int group)
> +static int audit_multicast_bind(struct net *net, int group)
>  {
> +       int err = 0;
> +
>         if (!capable(CAP_AUDIT_READ))
> -               return -EPERM;
> +               err = -EPERM;
> +       audit_log_multicast_bind(group, "connect", err);
>
> -       return 0;
> +       return err;
> +}
> +
> +static void audit_multicast_unbind(struct net *net, int group)
> +{
> +       audit_log_multicast_bind(group, "disconnect", 0);
>  }
>
>  static int __net_init audit_net_init(struct net *net)
>  {
>         struct netlink_kernel_cfg cfg = {
>                 .input  = audit_receive,
> -               .bind   = audit_bind,
> +               .bind   = audit_multicast_bind,
>                 .flags  = NL_CFG_F_NONROOT_RECV,
>                 .groups = AUDIT_NLGRP_MAX,
> +               .unbind = audit_multicast_unbind,
>         };
>
>         struct audit_net *aunet = net_generic(net, audit_net_id);
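Review bot: `res=%d` is passed `!err`, so a refused bind logs res=0 but not why; with capable(CAP_AUDIT_READ) as the only failure source that is unambiguous today, but the errno will be lost as soon as another check is added, so consider logging it as well. The record is generated before `return err`, meaning an unprivileged process can produce an AUDIT_EVENT_LISTENER record just by attempting the bind; that is the point for FAU_SAR.2, but say so in the RFE since it is a record unprivileged code can trigger at will. Style nit: put `.unbind = audit_multicast_unbind,` directly under `.bind` in the netlink_kernel_cfg initializer rather than after `.groups`.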
> --
> 2.7.4

-- 
paul moore
www.paul-moore.com


* [PATCH 1/1] audit: Make AUDIT_KERNEL event conform to the specification
From: Steve Grubb @ 2016-12-01 20:02 UTC (permalink / raw)
  To: linux-audit

The AUDIT_KERNEL event is not following name=value format. This causes
some information to get lost. The event has been reformatted to follow
the convention. Additionally the audit_enabled value was added for
troubleshooting purposes. The following is an example of the new event:

type=KERNEL audit(1480621249.833:1): state=initialized audit_enabled=0 res=1

Signed-off-by: sgrubb <sgrubb@redhat.com>
---
 kernel/audit.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index 910a7c1..91860d4 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1252,7 +1252,9 @@ static int __init audit_init(void)
 	audit_enabled = audit_default;
 	audit_ever_enabled |= !!audit_default;
 
-	audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized");
+	audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL,
+		"state=initialized audit_enabled=%u res=1",
+		 audit_enabled);
 
 	for (i = 0; i < AUDIT_INODE_BUCKETS; i++)
 		INIT_LIST_HEAD(&audit_inode_hash[i]);
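Review bot: the format string prints `audit_enabled` with `%u`; make sure the variable is declared unsigned in kernel/audit.c (it is assigned from audit_default two lines earlier, so the two must agree) or use `%d`, since a signed/unsigned mismatch will trip the printf format checks. Style nit: the continuation line `audit_enabled);` is indented one column further than the format-string line above it; align the two arguments.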
-- 
2.7.4


* Re: Auditd cause high CPU and high Load
From: Edward Bailey @ 2016-12-01 14:50 UTC (permalink / raw)
  To: Steve Grubb, linux-audit; +Cc: Minh Tien Nguyen
In-Reply-To: <1971735.NS9UXEdAuI@x2>


We ran into exactly the same issue with the update to 6.8. Using flush and
setting freq to 300 fixed the issue we were experiencing.

Ed

On Thu, Dec 1, 2016 at 9:00 AM Steve Grubb <sgrubb@redhat.com> wrote:

> Hello,
>
> On Thursday, December 1, 2016 11:59:47 AM EST Minh Tien Nguyen wrote:
> > My name is Nguyen Minh Tien. I come from Singapore. I am working as a
> > developer for Garena LTD. Last week I met a problem with audit on our
> > production servers. The auditd process caused some peak times on our
> > servers. At those times, system CPU usage was very high, around 100%, and
> > the load average was over 30. We have tried to find the root cause and
> > have failed. Could you help us with this case?
> >
> > The servers which have the performance issue use Red Hat 6.8 and their
> > kernel is 2.6.32.
>
> You might want to check the flush setting in /etc/audit/auditd.conf. I
> would recommend using incremental and setting the freq to something like
> 200 or 500. Using sync or data will kill performance, but the event is
> written to disk before processing the next event.
>
> -Steve
>


* Re: Auditd cause high CPU and high Load
From: Minh Tien Nguyen @ 2016-12-01 14:07 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit
In-Reply-To: <1971735.NS9UXEdAuI@x2>


Hi Steve Grubb,

Nice to hear from you. Thank you so much for your help. We will try to set
that config and see the result.

Thanks & best regards.

On Thu, Dec 1, 2016 at 9:57 PM, Steve Grubb <sgrubb@redhat.com> wrote:

> Hello,
>
> On Thursday, December 1, 2016 11:59:47 AM EST Minh Tien Nguyen wrote:
> > My name is Nguyen Minh Tien. I come from Singapore. I am working as a
> > developer for Garena LTD. Last week I met a problem with audit on our
> > production servers. The auditd process caused some peak times on our
> > servers. At those times, system CPU usage was very high, around 100%, and
> > the load average was over 30. We have tried to find the root cause and
> > have failed. Could you help us with this case?
> >
> > The servers which have the performance issue use Red Hat 6.8 and their
> > kernel is 2.6.32.
>
> You might want to check the flush setting in /etc/audit/auditd.conf. I
> would recommend using incremental and setting the freq to something like
> 200 or 500. Using sync or data will kill performance, but the event is
> written to disk before processing the next event.
>
> -Steve
>



-- 
Best regards
_________________________
Nguyen Minh Tien - SA Team
email: nguyenmt@garena.com


* Re: Auditd cause high CPU and high Load
From: Steve Grubb @ 2016-12-01 13:57 UTC (permalink / raw)
  To: linux-audit; +Cc: Minh Tien Nguyen
In-Reply-To: <CAHSvBsOyo0g1zu-1nwPuiQNhRfZ_L9MaEGx_eFe9sFYb8=pB2Q@mail.gmail.com>

Hello,

On Thursday, December 1, 2016 11:59:47 AM EST Minh Tien Nguyen wrote:
> My name is Nguyen Minh Tien. I come from Singapore. I am working as a
> developer for Garena LTD. Last week I met a problem with audit on our
> production servers. The auditd process caused some peak times on our
> servers. At those times, system CPU usage was very high, around 100%, and
> the load average was over 30. We have tried to find the root cause and
> have failed. Could you help us with this case?
>
> The servers which have the performance issue use Red Hat 6.8 and their
> kernel is 2.6.32.

You might want to check the flush setting in /etc/audit/auditd.conf. I would
recommend using incremental and setting the freq to something like 200 or 500.
Using sync or data will kill performance, but the event is written to disk
before processing the next event.

-Steve

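The flush/freq advice in Steve's reply turned into a check on the auditd.conf text, as an added example that is not code from the audit project: it parses the file's `key = value` lines, rates the flush policy, and counts how many synchronous flushes a given number of records would cost under each setting. The two configs inside are constructed; the `incremental_async` mode it accepts is assumed to exist only in newer audit releases than the one discussed here.

```python
"""Flag the auditd.conf flush/freq combinations this thread is about.

Added example for the thread above; not part of the audit project, and the
configs at the bottom are constructed.  flush=sync or flush=data makes auditd
push every record to disk before handling the next one (the setting Steve says
will kill performance); flush=incremental with freq in the low hundreds is
the fix Ed reports.  incremental_async is assumed to exist only in newer
audit releases than the one in this thread.
"""

FLUSH_MODES = {"none", "incremental", "incremental_async", "data", "sync"}
PER_RECORD_FLUSH = {"data", "sync"}   # a synchronous write after every record
RECOMMENDED_FREQ = (200, 500)         # the range suggested in this thread


def parse_auditd_conf(text):
    """auditd.conf is one `key = value` per line, '#' starts a comment and keys
    are case-insensitive; returns a dict keyed by lower-cased name."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key = value, got {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key.lower()] = value
    return conf


def fsyncs_per_records(conf, n_records):
    """Synchronous flushes auditd issues while writing n_records under conf."""
    flush = conf.get("flush", "none").lower()
    if flush in PER_RECORD_FLUSH:
        return n_records
    if flush.startswith("incremental"):
        freq = int(conf.get("freq", "0") or 0)
        if freq < 1:
            raise ValueError("freq must be >= 1 when flush is incremental")
        return n_records // freq
    return 0                          # none: no explicit flush at all


def assess_flush(conf):
    """Return (severity, message) for the flush policy: 'high', 'warn' or 'ok'."""
    flush = conf.get("flush", "").lower()
    lo, hi = RECOMMENDED_FREQ
    if flush not in FLUSH_MODES:
        return "warn", f"flush={flush or '<unset>'} is not a known mode {sorted(FLUSH_MODES)}"
    if flush in PER_RECORD_FLUSH:
        return "high", (f"flush={flush}: one synchronous write per record, the CPU/load "
                        f"symptom in this thread; use incremental with freq {lo}-{hi}")
    if flush == "none":
        return "warn", "flush=none: records stay in the page cache until the kernel writes them back"
    freq = int(conf.get("freq", "0") or 0)
    if freq < 1:
        return "warn", f"flush={flush} needs freq >= 1 (got {freq})"
    if freq < lo:
        return "warn", f"flush={flush} freq={freq}: still flushing often; {lo}-{hi} is suggested here"
    return "ok", f"flush={flush} freq={freq}: one flush per {freq} records"


# Constructed configs: the per-record flush that produces the symptom, and the
# incremental/300 setting Ed reports as the fix.
SLOW_CONF = """\
# /etc/audit/auditd.conf (excerpt)
log_file = /var/log/audit/audit.log
flush = DATA
freq = 20
"""
FIXED_CONF = SLOW_CONF.replace("flush = DATA", "flush = INCREMENTAL").replace("freq = 20", "freq = 300")

if __name__ == "__main__":
    for name, text in (("slow", SLOW_CONF), ("fixed", FIXED_CONF)):
        conf = parse_auditd_conf(text)
        print(name, assess_flush(conf), "flushes per 3000 records:", fsyncs_per_records(conf, 3000))
```

The flush count is the number worth watching: at a few thousand records per second, flush=data means a few thousand synchronous writes per second, which is what shows up as system CPU and load average on the box.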

* Auditd cause high CPU and high Load
From: Minh Tien Nguyen @ 2016-12-01  3:59 UTC (permalink / raw)
  To: linux-audit


Dear Audit team.

My name is Nguyen Minh Tien. I come from Singapore. I am working as a
developer for Garena LTD. Last week I met a problem with audit on our
production servers. The auditd process caused some peak times on our
servers. At those times, system CPU usage was very high, around 100%, and
the load average was over 30. We have tried to find the root cause and
have failed. Could you help us with this case?

The servers which have the performance issue use Red Hat 6.8 and their
kernel is 2.6.32.

-- 
Best regards
_________________________
Nguyen Minh Tien - SA Team
email: nguyenmt@garena.com


* Re: [PATCH] audit: remove the audit freelist
From: Florian Westphal @ 2016-12-01  1:44 UTC (permalink / raw)
  To: Paul Moore; +Cc: Florian Westphal, linux-kernel, linux-audit, Eric Paris
In-Reply-To: <CAHC9VhTC+VJZNWE8bfxYEWazi4Kpk_sEwhzr6danM5ogE3G+LA@mail.gmail.com>

Paul Moore <paul@paul-moore.com> wrote:
> On Tue, Nov 15, 2016 at 8:16 AM, Florian Westphal <fw@strlen.de> wrote:
> > allows better debugging as freeing audit buffers now always honors slub
> > debug hooks (e.g. object poisoning) and leak checker can detect the
> > free operation.
> >
> > Removal also results in a small speedup (using
> > single rule 'iptables -A INPUT -i lo -j AUDIT --type drop'):
> >
> > super_netperf 4 -H 127.0.0.1 -l 360 -t UDP_RR -- -R 1 -m 64
> > Before:
> > 294953
> > After:
> > 298013
> >
> > (alloc/free no longer serializes on spinlock, allocator can use percpu
> >  pool).
> >
> > Signed-off-by: Florian Westphal <fw@strlen.de>
> > ---
> >  kernel/audit.c | 53 ++++++++---------------------------------------------
> >  1 file changed, 8 insertions(+), 45 deletions(-)
> 
> Sorry for the delay, I was hoping to have some time to play around
> with this and offer a more meaningful comment ... I've often wondered
> about converting audit_buffer, and audit_context for that matter, over
> to their own kmem_cache; have you considered that?  Or was this
> proposed due to simplicity?

Not sure I understand, you could still convert it on top of this.
(Although audit_buffer is just 24 bytes after this patch so it will
 come from 32byte kmalloc slab).

I don't think it makes sense to keep this DIY cache on top of slub
cache. 


* Re: [PATCH] audit: remove the audit freelist
From: William Roberts @ 2016-12-01  0:19 UTC (permalink / raw)
  To: Florian Westphal; +Cc: linux-audit, linux-kernel
In-Reply-To: <1479215774-29810-1-git-send-email-fw@strlen.de>


On Nov 29, 2016 07:10, "Florian Westphal" <fw@strlen.de> wrote:
>
> allows better debugging as freeing audit buffers now always honors slub
> debug hooks (e.g. object poisoning) and leak checker can detect the
> free operation.
>
> Removal also results in a small speedup (using
> single rule 'iptables -A INPUT -i lo -j AUDIT --type drop'):
>
> super_netperf 4 -H 127.0.0.1 -l 360 -t UDP_RR -- -R 1 -m 64
> Before:
> 294953
> After:
> 298013

A bigger number is better? Sorry for the HTML; the Gmail app on Android won't
let me switch.

>
> (alloc/free no longer serializes on spinlock, allocator can use percpu
>  pool).
>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
>  kernel/audit.c | 53 ++++++++---------------------------------------------
>  1 file changed, 8 insertions(+), 45 deletions(-)
>
> diff --git a/kernel/audit.c b/kernel/audit.c
> index f1ca11613379..396868dc523a 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -131,13 +131,6 @@ static int audit_net_id;
>  /* Hash for inode-based rules */
>  struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];
>
> -/* The audit_freelist is a list of pre-allocated audit buffers (if more
> - * than AUDIT_MAXFREE are in use, the audit buffer is freed instead of
> - * being placed on the freelist). */
> -static DEFINE_SPINLOCK(audit_freelist_lock);
> -static int        audit_freelist_count;
> -static LIST_HEAD(audit_freelist);
> -
>  static struct sk_buff_head audit_skb_queue;
>  /* queue of skbs to send to auditd when/if it comes back */
>  static struct sk_buff_head audit_skb_hold_queue;
> @@ -164,17 +157,11 @@ DEFINE_MUTEX(audit_cmd_mutex);
>   * should be at least that large. */
>  #define AUDIT_BUFSIZ 1024
>
> -/* AUDIT_MAXFREE is the number of empty audit_buffers we keep on the
> - * audit_freelist.  Doing so eliminates many kmalloc/kfree calls. */
> -#define AUDIT_MAXFREE  (2*NR_CPUS)
> -
> -/* The audit_buffer is used when formatting an audit record.  The caller
> - * locks briefly to get the record off the freelist or to allocate the
> - * buffer, and locks briefly to send the buffer to the netlink layer or
> +/* The audit_buffer is used when formatting an audit record.
> + * The caller locks briefly to send the buffer to the netlink layer or
>   * to place it on a transmit queue.  Multiple audit_buffers can be in
>   * use simultaneously. */
>  struct audit_buffer {
> -       struct list_head     list;
>         struct sk_buff       *skb;      /* formatted skb ready to send */
>         struct audit_context *ctx;      /* NULL or associated context */
>         gfp_t                gfp_mask;
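Review bot: the reworded comment above `struct audit_buffer` no longer says where the buffer comes from; since the point of the patch is that every buffer is now a plain kmalloc()/kfree() pair with no freelist, one sentence saying so would save the next reader from looking for a cache. `AUDIT_BUFSIZ` stays, which is right, as it sizes the skb rather than the struct.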
> @@ -1247,43 +1234,22 @@ __setup("audit_backlog_limit=",
audit_backlog_limit_set);
>
>  static void audit_buffer_free(struct audit_buffer *ab)
>  {
> -       unsigned long flags;
> -
>         if (!ab)
>                 return;
>
>         kfree_skb(ab->skb);
> -       spin_lock_irqsave(&audit_freelist_lock, flags);
> -       if (audit_freelist_count > AUDIT_MAXFREE)
> -               kfree(ab);
> -       else {
> -               audit_freelist_count++;
> -               list_add(&ab->list, &audit_freelist);
> -       }
> -       spin_unlock_irqrestore(&audit_freelist_lock, flags);
> +       kfree(ab);
>  }
>
>  static struct audit_buffer * audit_buffer_alloc(struct audit_context
*ctx,
>                                                 gfp_t gfp_mask, int type)
>  {
> -       unsigned long flags;
> -       struct audit_buffer *ab = NULL;
> +       struct audit_buffer *ab;
>         struct nlmsghdr *nlh;
>
> -       spin_lock_irqsave(&audit_freelist_lock, flags);
> -       if (!list_empty(&audit_freelist)) {
> -               ab = list_entry(audit_freelist.next,
> -                               struct audit_buffer, list);
> -               list_del(&ab->list);
> -               --audit_freelist_count;
> -       }
> -       spin_unlock_irqrestore(&audit_freelist_lock, flags);
> -
> -       if (!ab) {
> -               ab = kmalloc(sizeof(*ab), gfp_mask);
> -               if (!ab)
> -                       goto err;
> -       }
> +       ab = kmalloc(sizeof(*ab), gfp_mask);
> +       if (!ab)
> +               return NULL;
>
>         ab->ctx = ctx;
>         ab->gfp_mask = gfp_mask;
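Review bot: on kmalloc() failure audit_buffer_alloc() now does `return NULL` while the later nlmsg_put() failure still does `goto err`; since audit_buffer_free() returns early on a NULL pointer (`if (!ab) return;`), `goto err` would work for both and keep a single exit path. The freed-per-call behaviour matches the commit message: with the `audit_freelist_count > AUDIT_MAXFREE` branch gone, every buffer hits kfree() and therefore the slab debug hooks.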
> @@ -1294,13 +1260,10 @@ static struct audit_buffer *
audit_buffer_alloc(struct audit_context *ctx,
>
>         nlh = nlmsg_put(ab->skb, 0, 0, type, 0, 0);
>         if (!nlh)
> -               goto out_kfree_skb;
> +               goto err;
>
>         return ab;
>
> -out_kfree_skb:
> -       kfree_skb(ab->skb);
> -       ab->skb = NULL;
>  err:
>         audit_buffer_free(ab);
>         return NULL;
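Review bot: dropping the `out_kfree_skb:` label is correct only because audit_buffer_free() now always ends in kfree(ab); the removed `ab->skb = NULL;` existed to stop a buffer that went back onto the freelist from carrying a dangling skb pointer, and the kfree_skb(ab->skb) it did is still performed inside audit_buffer_free(). A one-line comment at `err:` noting that ab->skb is freed there would make that dependency explicit for the next change to the error path.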
> --
> 2.7.3


* Re: [PATCH] audit: remove the audit freelist
From: Paul Moore @ 2016-12-01  0:04 UTC (permalink / raw)
  To: Florian Westphal; +Cc: linux-kernel, linux-audit, Eric Paris
In-Reply-To: <1479215774-29810-1-git-send-email-fw@strlen.de>

On Tue, Nov 15, 2016 at 8:16 AM, Florian Westphal <fw@strlen.de> wrote:
> allows better debugging as freeing audit buffers now always honors slub
> debug hooks (e.g. object poisoning) and leak checker can detect the
> free operation.
>
> Removal also results in a small speedup (using
> single rule 'iptables -A INPUT -i lo -j AUDIT --type drop'):
>
> super_netperf 4 -H 127.0.0.1 -l 360 -t UDP_RR -- -R 1 -m 64
> Before:
> 294953
> After:
> 298013
>
> (alloc/free no longer serializes on spinlock, allocator can use percpu
>  pool).
>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
>  kernel/audit.c | 53 ++++++++---------------------------------------------
>  1 file changed, 8 insertions(+), 45 deletions(-)

Sorry for the delay, I was hoping to have some time to play around
with this and offer a more meaningful comment ... I've often wondered
about converting audit_buffer, and audit_context for that matter, over
to their own kmem_cache; have you considered that?  Or was this
proposed due to simplicity?

-- 
paul moore
www.paul-moore.com

* Re: [PATCH] netns: avoid disabling irq for netns id
From: David Miller @ 2016-11-30 21:12 UTC (permalink / raw)
  To: pmoore; +Cc: netdev, linux-audit, xiyou.wangcong
In-Reply-To: <CAGH-Kgv0UpmDdaW=z8pa1VvmrcJeaA57uMneqNEgex6Xa8NSQw@mail.gmail.com>

From: Paul Moore <pmoore@redhat.com>
Date: Wed, 30 Nov 2016 15:35:46 -0500

> On Wed, Nov 30, 2016 at 2:58 PM, David Miller <davem@davemloft.net> wrote:
>> From: Paul Moore <pmoore@redhat.com>
>> Date: Tue, 29 Nov 2016 17:11:29 -0500
>>
>>> From: Paul Moore <paul@paul-moore.com>
>>>
>>> Bring back commit bc51dddf98c9 ("netns: avoid disabling irq for netns
>>> id") now that we've fixed some audit multicast issues that caused
>>> problems with original attempt.  Additional information, and history,
>>> can be found in the links below:
>>>
>>>  * https://github.com/linux-audit/audit-kernel/issues/22
>>>  * https://github.com/linux-audit/audit-kernel/issues/23
>>>
>>> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
>>> Signed-off-by: Paul Moore <paul@paul-moore.com>
>>
>> This doesn't apply cleanly to the net-next tree, could you please
>> respin?
> 
> As I mentioned in a reply to the patch posting, because this relies on
> a number of patches in the audit tree I've gone ahead and merged this
> patch into the audit#next branch.  Unless you have any objections,
> I'll send this to Linus with the rest of the v4.10 audit patches.

That's fine with me.

* Re: [PATCH] netns: avoid disabling irq for netns id
From: Paul Moore @ 2016-11-30 20:35 UTC (permalink / raw)
  To: David Miller; +Cc: netdev, linux-audit, xiyou.wangcong
In-Reply-To: <20161130.145822.727604546507312208.davem@davemloft.net>

On Wed, Nov 30, 2016 at 2:58 PM, David Miller <davem@davemloft.net> wrote:
> From: Paul Moore <pmoore@redhat.com>
> Date: Tue, 29 Nov 2016 17:11:29 -0500
>
>> From: Paul Moore <paul@paul-moore.com>
>>
>> Bring back commit bc51dddf98c9 ("netns: avoid disabling irq for netns
>> id") now that we've fixed some audit multicast issues that caused
>> problems with original attempt.  Additional information, and history,
>> can be found in the links below:
>>
>>  * https://github.com/linux-audit/audit-kernel/issues/22
>>  * https://github.com/linux-audit/audit-kernel/issues/23
>>
>> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
>> Signed-off-by: Paul Moore <paul@paul-moore.com>
>
> This doesn't apply cleanly to the net-next tree, could you please
> respin?

As I mentioned in a reply to the patch posting, because this relies on
a number of patches in the audit tree I've gone ahead and merged this
patch into the audit#next branch.  Unless you have any objections,
I'll send this to Linus with the rest of the v4.10 audit patches.

-- 
paul moore
security @ redhat

* Re: [PATCH] netns: avoid disabling irq for netns id
From: David Miller @ 2016-11-30 19:58 UTC (permalink / raw)
  To: pmoore; +Cc: netdev, linux-audit, xiyou.wangcong
In-Reply-To: <148045748887.22539.3188295553967836703.stgit@sifl>

From: Paul Moore <pmoore@redhat.com>
Date: Tue, 29 Nov 2016 17:11:29 -0500

> From: Paul Moore <paul@paul-moore.com>
> 
> Bring back commit bc51dddf98c9 ("netns: avoid disabling irq for netns
> id") now that we've fixed some audit multicast issues that caused
> problems with original attempt.  Additional information, and history,
> can be found in the links below:
> 
>  * https://github.com/linux-audit/audit-kernel/issues/22
>  * https://github.com/linux-audit/audit-kernel/issues/23
> 
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
> Signed-off-by: Paul Moore <paul@paul-moore.com>

This doesn't apply cleanly to the net-next tree, could you please
respin?

Thanks.

* [PATCH 0/2] audit: log binding and unbinding to netlink multicast socket
From: Steve Grubb @ 2016-11-30 19:23 UTC (permalink / raw)
  To: linux-audit

Hello,

I am resurrecting this old patch. It's been cleaned up by adding a simple task
logging function which should, in the future, serve almost all kernel logging
needs. The cleaned up bind and unbind functions call it to create the preamble
and then finish with specific data items for bind/unbinding.

In essence, this patch logs connecting and disconnecting to the audit netlink 
multicast socket. This is needed so that during investigations a security 
officer can tell who or what had access to the audit trail. This helps to meet 
the FAU_SAR.2 SFR for Common Criteria.

Sample output:
type=UNKNOWN[1330] audit(1480532106.644:2): pid=1 uid=0 auid=4294967295 
tty=(none) ses=4294967295 subj=kernel comm="systemd" exe="/usr/lib/systemd/
systemd" nlnk-grp=1 op=connect res=1

Signed-off-by: Steve Grubb <sgrubb@redhat.com>

---

* [PATCH 1/2] audit: create audit_log_task_simple function
From: Steve Grubb @ 2016-11-30 19:25 UTC (permalink / raw)
  To: linux-audit

The audit subsystem has 2 general kinds of audit events, syscall auditing
and hardwired audit events. Syscall auditing records quite a lot about the
process because it doesn't know ahead of time what is important to the
current syscall. For hardwired events, the information recorded can be
greatly reduced.

This patch adds a new function, audit_log_task_simple, which should be used
for most cases because it sticks to what is necessary for "hardwired"
events. It provides pid, uid, auid, tty, session, context, comm, exe.

Signed-off-by: sgrubb <sgrubb@redhat.com>
---
 include/linux/audit.h |  5 +++++
 kernel/audit.c        | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 9d4443f..eaf7615 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -159,6 +159,8 @@ static inline void	    audit_log_secctx(struct audit_buffer *ab, u32 secid)
 extern int audit_log_task_context(struct audit_buffer *ab);
 extern void audit_log_task_info(struct audit_buffer *ab,
 				struct task_struct *tsk);
+extern void audit_log_task_simple(struct audit_buffer *ab,
+				struct task_struct *tsk);
 
 extern int		    audit_update_lsm_rules(void);
 
@@ -213,6 +215,9 @@ static inline int audit_log_task_context(struct audit_buffer *ab)
 static inline void audit_log_task_info(struct audit_buffer *ab,
 				       struct task_struct *tsk)
 { }
+static inline void audit_log_task_simple(struct audit_buffer *ab,
+				       struct task_struct *tsk)
+{ }
 #define audit_enabled 0
 #endif /* CONFIG_AUDIT */
 
diff --git a/kernel/audit.c b/kernel/audit.c
index a8a91bd..22f8c3d 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1128,6 +1128,39 @@ static void audit_receive(struct sk_buff  *skb)
 	mutex_unlock(&audit_cmd_mutex);
 }
 
+/*
+ * This function logs the essential information needed to understand
+ * what or who is causing the event.
+ */
+void audit_log_task_simple(struct audit_buffer *ab, struct task_struct *tsk)
+{
+	const struct cred *cred;
+	char comm[sizeof(tsk->comm)];
+	struct tty_struct *tty;
+
+	if (!ab)
+		return;
+
+	/* tsk == current */
+	cred = current_cred();
+
+	tty = audit_get_tty(tsk);
+	audit_log_format(ab, "pid=%u uid=%u auid=%u tty=%s ses=%u",
+			 task_pid_nr(tsk),
+			 from_kuid(&init_user_ns, cred->uid),
+			 from_kuid(&init_user_ns, audit_get_loginuid(tsk)),
+			 tty ? tty_name(tty) : "(none)",
+			 audit_get_sessionid(tsk));
+	audit_put_tty(tty);
+
+	audit_log_task_context(ab); /* subj= */
+	audit_log_format(ab, " comm=");
+	audit_log_untrustedstring(ab, get_task_comm(comm, tsk));
+
+	audit_log_d_path_exe(ab, tsk->mm); /* exe= */
+}
+EXPORT_SYMBOL(audit_log_task_simple);
+
 /* Run custom bind function on netlink socket group connect or bind requests. */
 static int audit_bind(struct net *net, int group)
 {
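
Review bot: audit_log_task_simple() takes a `tsk` argument but reads credentials through current_cred() (see the `/* tsk == current */` comment), and audit_log_task_context(ab) takes no task argument at all, so it can only describe current; a caller passing any other task would log that task's pid, tty and session alongside the caller's uid and subj. Either drop the parameter, or fetch the credentials via `__task_cred(tsk)` under rcu_read_lock() and state the restriction in the function's comment block.
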
-- 
2.7.4

* [PATCH 2/2] audit: log binding and unbinding to netlink multicast
From: Steve Grubb @ 2016-11-30 19:26 UTC (permalink / raw)
  To: linux-audit

Log information about programs connecting and disconnecting to the audit
netlink multicast socket. This is needed so that during investigations a
security officer can tell who or what had access to the audit trail. This
helps to meet the FAU_SAR.2 requirement for Common Criteria.

Signed-off-by: sgrubb <sgrubb@redhat.com>
---
 include/uapi/linux/audit.h |  1 +
 kernel/audit.c             | 31 +++++++++++++++++++++++++++----
 2 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 82e8aa5..e6dd046 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -111,6 +111,7 @@
 #define AUDIT_PROCTITLE		1327	/* Proctitle emit event */
 #define AUDIT_FEATURE_CHANGE	1328	/* audit log listing feature changes */
 #define AUDIT_REPLACE		1329	/* Replace auditd if this packet unanswerd */
+#define AUDIT_EVENT_LISTENER	1330	/* Task joined multicast read socket */
 
 #define AUDIT_AVC		1400	/* SE Linux avc denial or grant */
 #define AUDIT_SELINUX_ERR	1401	/* Internal SE Linux Errors */
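
Review bot: the cover letter's sample output shows this record as `type=UNKNOWN[1330]`, so the userspace audit tools need the AUDIT_EVENT_LISTENER name in their record-type table in the same release, or ausearch/aureport output stays unnamed; the comment `Task joined multicast read socket` is also narrower than what gets logged, since the same type carries op=disconnect and refused joins (res=0) in the kernel/audit.c hunk below.
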
diff --git a/kernel/audit.c b/kernel/audit.c
index 22f8c3d..910a7c1 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1161,22 +1161,45 @@ void audit_log_task_simple(struct audit_buffer *ab, 
struct task_struct *tsk)
 }
 EXPORT_SYMBOL(audit_log_task_simple);
 
+/* Log information about who is connecting to the audit multicast socket */
+static void audit_log_multicast_bind(int group, const char *op, int err)
+{
+	struct audit_buffer *ab;
+
+	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_EVENT_LISTENER);
+	if (!ab)
+		return;
+
+	audit_log_task_simple(ab, current);
+	audit_log_format(ab, " nlnk-grp=%d op=%s res=%d", group, op, !err);
+	audit_log_end(ab);
+}
+
 /* Run custom bind function on netlink socket group connect or bind requests. 
*/
-static int audit_bind(struct net *net, int group)
+static int audit_multicast_bind(struct net *net, int group)
 {
+	int err = 0;
+
 	if (!capable(CAP_AUDIT_READ))
-		return -EPERM;
+		err = -EPERM;
+	audit_log_multicast_bind(group, "connect", err);
 
-	return 0;
+	return err;
+}
+
+static void audit_multicast_unbind(struct net *net, int group)
+{
+	audit_log_multicast_bind(group, "disconnect", 0);
 }
 
 static int __net_init audit_net_init(struct net *net)
 {
 	struct netlink_kernel_cfg cfg = {
 		.input	= audit_receive,
-		.bind	= audit_bind,
+		.bind	= audit_multicast_bind,
 		.flags	= NL_CFG_F_NONROOT_RECV,
 		.groups	= AUDIT_NLGRP_MAX,
+		.unbind	= audit_multicast_unbind,
 	};
 
 	struct audit_net *aunet = net_generic(net, audit_net_id);
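
Review bot: logging the CAP_AUDIT_READ refusal with res=0 instead of returning -EPERM before the log call is the right choice for the stated FAU_SAR.2 goal, because refused attempts to reach the audit trail are exactly what an investigator needs to see, and GFP_KERNEL is fine here since both callbacks run in process context from the socket syscalls. Two smaller points: audit_log_multicast_bind() is now also called from audit_multicast_unbind(), so its name and the `/* Log information about who is connecting to the audit multicast socket */` comment should cover disconnect too, and the `op=` string would be easier to search on if it matched the bind/unbind callback names rather than connect/disconnect.
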
-- 
2.7.4

* Re: [Patch net-next] audit: remove useless synchronize_net()
From: Cong Wang @ 2016-11-30 17:20 UTC (permalink / raw)
  To: Richard Guy Briggs
  Cc: Linux Kernel Network Developers, linux-audit, Paul Moore
In-Reply-To: <20161130091643.GA32562@madcap2.tricolour.ca>

On Wed, Nov 30, 2016 at 1:16 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2016-11-29 09:14, Cong Wang wrote:
>> The netlink kernel socket is protected by a refcount, not RCU.
>> Its rcv path is not protected by RCU either, so the synchronize_net()
>> is just pointless.
>
> If I understand correctly, xfrm_user_net_exit() usage of
> RCU_INIT_POINTER() and synchronize_net() is similarly pointless?  Also
> net/phonet/socket.c?  I probably modelled things based on the former...

Possibly, but the xfrm case is slightly different: it has two copies of the pointer
to the netlink socket, and it uses exit_batch(). I need to double check.

Take a look at better examples: fib_front, genetlink, rtnetlink.

* Re: Problem regards event fields a0-a3 in audit logs
From: Steve Grubb @ 2016-11-30 15:10 UTC (permalink / raw)
  To: linux-audit; +Cc: C.y
In-Reply-To: <CABYhOswoSALK3mJ3JoEakr_BYJUm+zcZWLk7qcJkWevZLyO67w@mail.gmail.com>

On Wednesday, November 30, 2016 4:40:01 PM EST C.y wrote:
> I looked into the audit log and found myself having difficulty understanding
> the event fields a0-a3.
> 
> I tried to look for answer but couldn't get any references for the
> following question:
>   1. What are the initial values of a0-a3, and

Whatever was passed as arguments for the current syscall.

>   2. Is there any way to get the 5th and higher arguments?

Nope. There is only 1 syscall that I know of that has a security relevant 
argument higher than what is recorded. This is mmap. What we do is record that 
value in a special AUDIT_MMAP auxiliary record. If there were any other 
syscalls that had security relevant arguments higher than the first 4 I suspect 
we'd do the same thing again.


> The audit system reference from Red Hat
> (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/app-Audit_Reference.html)
> did mention that the first four arguments of a system call are recorded, but
> didn't mention what their initial values are when a system call requires
> fewer than four arguments.
> For example, what will the values of a1, a2, a3 be when the system call
> 'close' is invoked? ('close' only takes 1 argument:
> http://man7.org/linux/man-pages/man2/close.2.html)

AFAIK, they are whatever is in memory. There is nothing that tells you they 
are or are not valid. You would have to know that the syscall takes 2 
arguments and just look at the first 2.

> At first I guessed that they might contain the a1-a3 values from the
> previous syscall record, so I started doing some experiments on the audit
> log I have collected
> (https://drive.google.com/file/d/0B85cIbQMuvqDSHVGSHdDVjRWdHc/view):
> 
> `$ ausyscall --dump | grep 6 | head -n 1 ` returns
> 6       close
> 
> and below are part of my audit log that contains 2 syscall records:
> ...
> type=SYSCALL msg=audit(1479471647.440:197): arch=40000028 syscall=192
> per=800000 success=yes exit=1995763712 a0=76f4f000 a1=1000 a2=3 a3=812
> items=0 ppid=891 pid=907 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 ses=3 comm="raspistill"
> exe="/opt/vc/bin/raspistill" key=(null)
> type=MMAP msg=audit(1479471647.440:197): fd=3 flags=0x812
> type=PROCTITLE msg=audit(1479471647.440:197): proctitle="-bash"
> type=SYSCALL msg=audit(1479471647.440:198): arch=40000028 syscall=6
> per=800000 success=yes exit=0 a0=3 a1=5 a2=76f31000 a3=0 items=0 ppid=891
> pid=907 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=pts0 ses=3 comm="raspistill" exe="/opt/vc/bin/raspistill" key=(null)
> ...
> 
> the second syscall record shows that a1's value was somehow modified,
> which proved that my guess that they would contain the previously
> invoked syscall's a1 value (1000) is wrong. That's how I got confused
> and wrote to seek an answer regarding this question.

Best way to look at the records is ausearch -i.

> Second, I wonder if there is a way for me to know the 5th and higher
> arguments of a particular system call, e.g. _llseek, which takes 5 arguments?

Answered above.

-Steve
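
As an added example (not code from the audit project or from anyone in this thread), here is a small Python parser that applies the two points Steve makes above when reading raw audit records: for an N-argument syscall only the first N of a0..a3 mean anything, the rest being whatever the registers held, and mmap's arguments beyond a3 come from the auxiliary MMAP record with the same serial number. The same parser also covers the AUDIT_EVENT_LISTENER (1330) record shape from Steve's patch series earlier on this page and picks out refused joins of the audit multicast group (res=0). The sample input is constructed from the records quoted in this thread; the two-entry syscall table for arch 40000028 (ARM EABI), the `EVENT_LISTENER` display name and the res=0 listener record are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the SYSCALL, MMAP and PROCTITLE records quoted in
# the thread (arch=40000028, ARM EABI), then two records in the shape of the
# AUDIT_EVENT_LISTENER (1330) sample from the cover letter. The second
# listener record (res=0, comm="listener") is invented to exercise the check.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1479471647.440:197): arch=40000028 syscall=192 per=800000 success=yes exit=1995763712 a0=76f4f000 a1=1000 a2=3 a3=812 items=0 ppid=891 pid=907 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="raspistill" exe="/opt/vc/bin/raspistill" key=(null)
type=MMAP msg=audit(1479471647.440:197): fd=3 flags=0x812
type=PROCTITLE msg=audit(1479471647.440:197): proctitle="-bash"
type=SYSCALL msg=audit(1479471647.440:198): arch=40000028 syscall=6 per=800000 success=yes exit=0 a0=3 a1=5 a2=76f31000 a3=0 items=0 ppid=891 pid=907 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="raspistill" exe="/opt/vc/bin/raspistill" key=(null)
type=UNKNOWN[1330] audit(1480532106.644:2): pid=1 uid=0 auid=4294967295 tty=(none) ses=4294967295 subj=kernel comm="systemd" exe="/usr/lib/systemd/systemd" nlnk-grp=1 op=connect res=1
type=UNKNOWN[1330] audit(1480532107.010:3): pid=2345 uid=1000 auid=1000 tty=pts1 ses=4 subj=kernel comm="listener" exe="/usr/local/bin/listener" nlnk-grp=1 op=connect res=0
"""

# Assumed, deliberately partial syscall table for arch=40000028 (ARM EABI):
# number -> (name, argument count). A real tool would take this from
# `ausyscall --dump` (which the thread shows mapping 6 to close).
SYSCALL_TABLE = {
    0x40000028: {6: ("close", 1), 192: ("mmap2", 6)},
}

_KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')
_AUDIT_ID = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


@dataclass
class AuditRecord:
    rtype: str
    timestamp: float
    serial: int
    fields: dict = field(default_factory=dict)


def parse_record(line):
    """Split one raw audit line into type, event id and key=value fields.
    Accepts both the 'msg=audit(...)' form of SYSCALL records and the bare
    'audit(...)' form in the cover letter sample; double quotes are stripped."""
    m = _AUDIT_ID.search(line)
    if not m:
        raise ValueError("no audit(timestamp:serial) in line")
    fields = {k: v.strip('"') for k, v in _KV.findall(line) if k != "msg"}
    rtype = fields.pop("type")
    return AuditRecord(rtype, float(m.group(1)), int(m.group(2)), fields)


def parse_log(text):
    return [parse_record(ln) for ln in text.splitlines() if ln.strip()]


def meaningful_args(rec):
    """Return the syscall name and only the a0..a3 slots it actually consumes.
    The kernel records four registers regardless of arity, so for close()
    a1..a3 are leftover register contents and must not be interpreted."""
    arch = int(rec.fields["arch"], 16)
    name, nargs = SYSCALL_TABLE[arch][int(rec.fields["syscall"])]
    args = [int(rec.fields[f"a{i}"], 16) for i in range(min(nargs, 4))]
    return name, args


def mmap_extra_args(records, serial):
    """mmap's fd (5th argument) and flags are not in the SYSCALL record; the
    kernel emits an auxiliary MMAP record with the same serial carrying them."""
    for r in records:
        if r.rtype == "MMAP" and r.serial == serial:
            return {"fd": int(r.fields["fd"]), "flags": int(r.fields["flags"], 16)}
    return None


def describe_syscalls(records):
    """(serial, name, meaningful args, extra mmap args or None) per SYSCALL."""
    out = []
    for r in records:
        if r.rtype != "SYSCALL":
            continue
        name, args = meaningful_args(r)
        extra = mmap_extra_args(records, r.serial) if name.startswith("mmap") else None
        out.append((r.serial, name, args, extra))
    return out


def listener_denials(records):
    """Flag type-1330 records (AUDIT_EVENT_LISTENER; shown as UNKNOWN[1330]
    until userspace learns the name, 'EVENT_LISTENER' is an assumed display
    name) with op=connect and res=0: a task tried to join the audit multicast
    group without CAP_AUDIT_READ."""
    return [(int(r.fields["pid"]), r.fields["comm"], r.fields["exe"])
            for r in records
            if r.rtype in ("UNKNOWN[1330]", "EVENT_LISTENER")
            and r.fields.get("op") == "connect" and r.fields.get("res") == "0"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for serial, name, args, extra in describe_syscalls(recs):
        print(serial, name, [hex(a) for a in args], extra or "")
    print("refused listeners:", listener_denials(recs))
```

Run on the sample, serial 197 comes out as mmap2 with four meaningful register arguments plus fd=3 and flags=0x812 from the MMAP record, serial 198 as close(3) with a1..a3 ignored, and the constructed res=0 record is reported as a refused listener.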

* Re: [Patch net-next] audit: remove useless synchronize_net()
From: Richard Guy Briggs @ 2016-11-30  9:16 UTC (permalink / raw)
  To: Cong Wang; +Cc: netdev, linux-audit, pmoore
In-Reply-To: <1480439696-21818-1-git-send-email-xiyou.wangcong@gmail.com>

On 2016-11-29 09:14, Cong Wang wrote:
> The netlink kernel socket is protected by a refcount, not RCU.
> Its rcv path is not protected by RCU either, so the synchronize_net()
> is just pointless.

If I understand correctly, xfrm_user_net_exit() usage of
RCU_INIT_POINTER() and synchronize_net() is similarly pointless?  Also
net/phonet/socket.c?  I probably modelled things based on the former...

> Cc: Richard Guy Briggs <rgb@redhat.com>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
> ---
>  kernel/audit.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 92c463d..67b9fbd8 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1172,9 +1172,8 @@ static void __net_exit audit_net_exit(struct net *net)
>  		audit_sock = NULL;
>  	}
>  
> -	RCU_INIT_POINTER(aunet->nlsk, NULL);
> -	synchronize_net();
>  	netlink_kernel_release(sock);
> +	aunet->nlsk = NULL;
>  }
>  
>  static struct pernet_operations audit_net_ops __net_initdata = {
> -- 
> 2.1.0
> 

- RGB
