On 2018-04-06 11:19, Steve Grubb wrote:
> On Friday, April 6, 2018 10:45:37 AM EDT Richard Guy Briggs wrote:
> > On 2018-04-06 10:32, Steve Grubb wrote:
> > > On Friday, April 6, 2018 4:43:00 AM EDT Ondrej Mosnacek wrote:
> > > > Current implementation of auditing by executable name only implements
> > > > the 'equal' operator. This patch extends it to also support the 'not
> > > > equal' operator.
> > > > 
> > > > See: https://github.com/linux-audit/audit-kernel/issues/53
> > > 
> > > What would an audit rule that uses this new capability look like?
> > 
> > auditctl -a exit,always ... -F exe!=/path/to/exec
> 
> Does this mean, audit the syscall for any application except the one 
> mentioned? If so, how does this compare to
> 
> auditctl -a exit,never ... -F exe=/path/to/exec
> auditctl -a exit,always ...

Two rules instead of one?

>  -Steve
> 
> > > > Signed-off-by: Ondrej Mosnacek <omosn...@redhat.com>
> > > > ---
> > > > 
> > > > Hi Paul,
> > > > 
> > > > this turned out to be easier than I anticipated so I'm sending the
> > > > patch
> > > > already :) I hope I got everything right. Note that the userspace tools
> > > > also need to be updated to check the feature bit and allow/disallow the
> > > > operator based on that.
> > > > 
> > > > Ondrej
> > > > 
> > > >  include/uapi/linux/audit.h | 18 ++++++++++--------
> > > >  kernel/auditfilter.c       |  2 +-
> > > >  kernel/auditsc.c           |  2 ++
> > > >  3 files changed, 13 insertions(+), 9 deletions(-)
> > > > 
> > > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > > > index 4e61a9e05132..03393f7e8932 100644
> > > > --- a/include/uapi/linux/audit.h
> > > > +++ b/include/uapi/linux/audit.h
> > > > @@ -333,13 +333,14 @@ enum {
> > > > 
> > > >  #define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
> > > >  #define AUDIT_STATUS_LOST              0x0040
> > > > 
> > > > -#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT     0x00000001
> > > > -#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
> > > > -#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH   0x00000004
> > > > -#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND    0x00000008
> > > > -#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER  0x00000010
> > > > -#define AUDIT_FEATURE_BITMAP_LOST_RESET                0x00000020
> > > > -#define AUDIT_FEATURE_BITMAP_FILTER_FS         0x00000040
> > > > +#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT             0x00000001
> > > > +#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME         0x00000002
> > > > +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH           0x00000004
> > > > +#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND            0x00000008
> > > > +#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER          0x00000010
> > > > +#define AUDIT_FEATURE_BITMAP_LOST_RESET                        
> > > > 0x00000020
> > > > +#define AUDIT_FEATURE_BITMAP_FILTER_FS                 0x00000040
> > > > +#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ       0x00000080
> > > > 
> > > >  #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT |
> > > >  \
> > > >  
> > > >                                   
> > > > AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
> > > > 
> > > > @@ -347,7 +348,8 @@ enum {
> > > > 
> > > >                                   AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | 
> > > > \
> > > >                                   AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 
> > > > | \
> > > >                                   AUDIT_FEATURE_BITMAP_LOST_RESET | \
> > > > 
> > > > -                                 AUDIT_FEATURE_BITMAP_FILTER_FS)
> > > > +                                 AUDIT_FEATURE_BITMAP_FILTER_FS | \
> > > > +                                 
> > > > AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH_NEQ)
> > > > 
> > > >  /* deprecated: AUDIT_VERSION_* */
> > > >  #define AUDIT_VERSION_LATEST           AUDIT_FEATURE_BITMAP_ALL
> > > > 
> > > > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> > > > index d7a807e81451..a0c5a3ec6e60 100644
> > > > --- a/kernel/auditfilter.c
> > > > +++ b/kernel/auditfilter.c
> > > > @@ -426,7 +426,7 @@ static int audit_field_valid(struct audit_entry
> > > > *entry, struct audit_field *f) return -EINVAL;
> > > > 
> > > >                 break;
> > > >         
> > > >         case AUDIT_EXE:
> > > > -               if (f->op != Audit_equal)
> > > > +               if (f->op != Audit_not_equal && f->op != Audit_equal)
> > > > 
> > > >                         return -EINVAL;
> > > >                 
> > > >                 if (entry->rule.listnr != AUDIT_FILTER_EXIT)
> > > >                 
> > > >                         return -EINVAL;
> > > > 
> > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > > > index 4e0a4ac803db..479c031ec54c 100644
> > > > --- a/kernel/auditsc.c
> > > > +++ b/kernel/auditsc.c
> > > > @@ -471,6 +471,8 @@ static int audit_filter_rules(struct task_struct
> > > > *tsk,
> > > > 
> > > >                         break;
> > > >                 
> > > >                 case AUDIT_EXE:
> > > >                         result = audit_exe_compare(tsk, rule->exe);
> > > > 
> > > > +                       if (f->op == Audit_not_equal)
> > > > +                               result = !result;
> > > > 
> > > >                         break;
> > > >                 
> > > >                 case AUDIT_UID:
> > > >                         result = audit_uid_comparator(cred->uid, f->op, 
> > > > f->uid);
> > 
> > - RGB
> > 
> > --
> > Richard Guy Briggs <r...@redhat.com>
> > Sr. S/W Engineer, Kernel Security, Base Operating Systems
> > Remote, Ottawa, Red Hat Canada
> > IRC: rgb, SunRaycer
> > Voice: +1.647.777.2635, Internal: (81) 32635
> 
> 
> 
> 

- RGB

--
Richard Guy Briggs <r...@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Reply via email to