[RFC] TTY auditing
Hello,

the attached patches propose a way to audit administrative commands.

Summary
---
A per-process "audit TTY input" attribute is added. The attribute is inherited across fork(). A new PAM module is used to turn the attribute on or off on login. Data read from TTYs by processes with the attribute is sent to the audit subsystem by the kernel. Optionally, user-space applications can send advisory audit events describing the meaning of the TTY input.

Fundamental limitations
---
Only TTY input is logged, so an administrator may execute unknown code by downloading shell scripts over the network. The act of downloading the shell script would be audited, however.

For GUI or complex TUI applications (e.g. emacs or mc), auditing the TTY input probably does not save enough information to reproduce the sequence of executed commands. If necessary, these applications may be extended to send advisory audit events. (Any approach to administrative action auditing would have to extend these applications.)

Why auditing needs to be done by the kernel
---
If system call auditing is not an option, there are simply too many applications that can be used to perform non-trivial administrative tasks that would have to be extended. All shells, most programming language interpreters, awk, m4, ... . In the worst case, the user might be using a proprietary shell. The system should also be able to handle at least the trivial workarounds like (cat | sh).

So, if we can't audit the program actions (system calls), and we can't in general modify the programs themselves, the only remaining option is to audit the inputs to the programs - TTY input.

This could be done in user-space by running all administrative sessions in a pseudo-TTY and auditing the data sent to the pseudo-TTY. Unfortunately that's not transparent enough, and changes behavior (after logging on to a text console, /dev/stdin is not a VT and can't be used to send VT ioctls - for a simple example, see /etc/profile.d/lang.sh on Fedora/RHEL).

Auditing processes, not TTYs
---
If actions of ordinary users are not audited, after (su -) there are both administrative and non-administrative processes with the TTY open. The answer to the question "should this particular byte of input to the TTY be audited?" depends on whether the byte is processed by an administrative process, not on whether the TTY is /dev/tty1 or a PTY representing a ssh connection, or on whether an administrative process has ever been executed on the TTY since last hangup.

Audit event generation based on a process-inherited flag has one additional advantage: if root within a (su -) session runs (su - unprivileged user), root's actions as the unprivileged user are audited.

A potential problem with this approach is unwanted auditing of TTY input to system daemons run (or restarted) by an administrator; if the administrator restarts an *getty daemon, all inputs to the daemon would be audited. As a special hack, opening a TTY in a process that has no TTY currently open automatically disables the audit TTY input flag. Closing the current TTY and opening another one does not really make any sense in a regular application, but daemons which close all file descriptors on startup would be handled by the hack. If the hack doesn't handle a specific daemon automatically, the daemon could either be modified to disable auditing, or its startup scripts could explicitly close TTYs to activate the hack.

Semantics of the logged data
---
The data is not logged byte by byte; a per-process buffer of data to be audited is kept, collecting the characters as they are read by the application. The contents of the buffer are audited if:
- the buffer is full
- ICANON is enabled and an EOL or EOF character is delivered to the application (delivering EOF doesn't actually provide any bytes)
- ICANON is enabled or disabled
- auditing TTY input is disabled for the process
- the process exits
- the process sends an advisory TTY input audit event.

Thus, for applications using ICANON, input is audited line by line. For applications not using ICANON (e.g. uses readline), it is audited in blocks of N_TTY_BUF bytes. If the application is not using ICANON, it may send advisory messages; in that case, each command is audited using both the kernel's audit events containing the exact tty input (e.g. C-r up RET) and the advisory message (e.g. yum upgrade), and the raw input is always audited before the advisory messages.

As a special case, input read when the TTY is using ICANON without ECHO is _not_ audited, to avoid storing passwords in the audit log. On the other hand, non-ICANON input is always audited (e.g. vim/emacs/mc input) in full. Note that passwords may still be audited if they are echoed, e.g. when sending CREATE USER commands to a SQL server.

Attached code
---
- a kernel patch, against
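The buffering rules above, as an added example that is not part of the original post or of the kernel patch: a Python model of the per-process buffer and each of the flush conditions listed, including the ICANON-without-ECHO exception. The class and method names and the small N_TTY_BUF value are assumptions made for illustration.

```python
"""Model of the per-process TTY audit buffer described in the RFC.

Added example, not the kernel patch itself: a pure-Python simulation of the
flush conditions listed in the post (buffer full, EOL/EOF in ICANON mode,
ICANON toggled, auditing disabled, process exit, advisory event) and of the
ICANON-without-ECHO exception. Class and method names are assumptions made
for illustration; the kernel's buffer size constant is replaced by the small
N_TTY_BUF value below so that block-mode flushes are visible.
"""
from dataclasses import dataclass, field
from typing import List

N_TTY_BUF = 16        # assumed small buffer size for the example
EOL = 0x0A            # '\n'
EOF = 0x04            # ^D, the usual VEOF character


@dataclass
class TtyAuditBuffer:
    icanon: bool = True
    echo: bool = True
    enabled: bool = True
    buf: bytearray = field(default_factory=bytearray)
    records: List[bytes] = field(default_factory=list)  # what was "sent to audit"

    def _flush(self) -> None:
        if self.buf:
            self.records.append(bytes(self.buf))
            self.buf.clear()

    def feed(self, data: bytes) -> None:
        """Bytes delivered to the process by read(2) on its TTY."""
        if not self.enabled:
            return
        for ch in data:
            if self.icanon:
                if not self.echo:
                    # ICANON without ECHO: a password prompt; not audited at all.
                    continue
                if ch == EOF:
                    # EOF delivers no bytes but terminates the line being collected.
                    self._flush()
                    continue
                self.buf.append(ch)
                if ch == EOL:
                    self._flush()          # line-by-line auditing
            else:
                self.buf.append(ch)        # raw (readline/vim) input
            if len(self.buf) >= N_TTY_BUF:
                self._flush()              # buffer full

    def set_icanon(self, on: bool) -> None:
        self._flush()                      # enabling or disabling ICANON flushes
        self.icanon = on

    def set_echo(self, on: bool) -> None:
        self.echo = on

    def disable(self) -> None:
        self._flush()                      # auditing turned off for the process
        self.enabled = False

    def advisory(self, text: bytes) -> None:
        self._flush()                      # raw input is always audited first
        self.records.append(b"advisory: " + text)

    def exit(self) -> None:
        self._flush()                      # process exit


def demo_session() -> List[bytes]:
    """A constructed session: one line-mode command, a password prompt, then a
    readline-style application that sends an advisory event."""
    t = TtyAuditBuffer()
    t.feed(b"yum upgrade\n")               # ICANON: audited as one line
    t.set_echo(False)
    t.feed(b"s3cret\n")                    # ICANON without ECHO: not audited
    t.set_echo(True)
    t.set_icanon(False)                    # application switches to raw mode
    t.feed(b"\x12up\r")                    # C-r, "up", RET as raw keystrokes
    t.advisory(b"yum upgrade")             # meaning of those keystrokes
    t.exit()
    return t.records
```

demo_session() returns three records: the canonical-mode line, the raw keystrokes, and the advisory message, in that order; the password line never appears.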
Re: [PATCH] dist target fixes
Hello, John D. Ramsdell napsal(a): diff -ur a/audit-1.5.6/Makefile.am b/audit-1.5.6/Makefile.am --- a/audit-1.5.6/Makefile.am 2007-06-27 06:19:18.0 -0400 +++ b/audit-1.5.6/Makefile.am 2007-07-30 07:53:45.0 -0400 @@ -21,9 +21,14 @@ # Rickard E. (Rik) Faith [EMAIL PROTECTED] # -SUBDIRS = lib auparse src/mt src audisp swig bindings init.d docs system-config-audit -EXTRA_DIST = ChangeLog AUTHORS NEWS README sample.rules contrib/capp.rules contrib/nispom.rules contrib/lspp.rules contrib/skeleton.c README-install audit.spec -CONFIG_CLEAN_FILES = Makefile.in aclocal.m4* config.h.* configure debug*.list config/* +SUBDIRS = lib auparse src/mt src audisp swig bindings init.d docs\ +system-config-audit +EXTRA_DIST = ChangeLog AUTHORS NEWS README sample.rules \ +contrib/capp.rules contrib/nispom.rules contrib/lspp.rules \ +contrib/skeleton.c contrib/avc_snap contrib/avc_syslog \ +system-config-audit.lang README-install audit.spec system-config-audit.lang is generated by %install when building the rpm, and should not be in the tarball at all. diff -ur a/audit-1.5.6/system-config-audit/Makefile.am b/audit-1.5.6/system-config-audit/Makefile.am --- a/audit-1.5.6/system-config-audit/Makefile.am 2007-07-25 14:25:05.0 -0400 +++ b/audit-1.5.6/system-config-audit/Makefile.am 2007-07-30 07:49:09.0 -0400 
@@ -58,11 +58,21 @@ CLEANFILES = $(applications_DATA) $(bin_SCRIPTS) $(nodist_pkgdata_PYTHON) \ admin/system-config-audit-server.console DISTCLEANFILES = intltool-extract intltool-merge intltool-update -EXTRA_DIST = admin/intltool-extract.in admin/intltool-merge.in \ - admin/intltool-update.in admin/system-config-audit-server.console.in \ - admin/system-config-audit-server.pam \ - src/settings.py.in src/system-config-audit.in \ - system-config-audit.desktop.in +EXTRA_DIST = admin/intltool-extract.in admin/intltool-merge.in \ + admin/intltool-update.in\ + admin/system-config-audit-server.console.in \ + admin/system-config-audit-server.pam src/settings.py.in \ + src/system-config-audit.in system-config-audit.desktop.in \ + m4/codeset.m4 m4/gettext.m4 m4/glibc21.m4 m4/glibc2.m4 \ + m4/iconv.m4 m4/intdiv0.m4 m4/intldir.m4 m4/intl.m4 \ + m4/intmax.m4 m4/inttypes_h.m4 m4/inttypes.m4\ + m4/inttypes-pri.m4 m4/isc-posix.m4 m4/lcmessage.m4 \ + m4/lib-ld.m4 m4/lib-link.m4 m4/lib-prefix.m4 m4/lock.m4 \ + m4/longdouble.m4 m4/longlong.m4 m4/nls.m4 m4/po.m4 \ + m4/printf-posix.m4 m4/progtest.m4 m4/signed.m4 m4/size_max.m4 \ + m4/stdint_h.m4 m4/uintmax_t.m4 m4/ulonglong.m4 \ + m4/visibility.m4 m4/wchar_t.m4 m4/wint_t.m4 m4/xsize.m4 A better solution is to change s-c-audit/autogen.sh (and to distribute the autogen.sh files): diff -urN audit-1.5.6/system-config-audit/autogen.sh audit/system-config-audit/autogen.sh --- audit-1.5.6/system-config-audit/autogen.sh 2007-06-27 12:44:22.0 +0200 +++ audit/system-config-audit/autogen.sh2007-07-30 16:21:05.0 +0200 @@ -6,7 +6,7 @@ intltoolize --force rm admin/po -aclocal +aclocal -I m4 autoconf -Wall autoheader -Wall automake -Wall --add-missing This will add only the .m4 files that are used by system-config-audit to the tarball, not all .m4 files provided by gettext. Mirek -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
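Review bot: the `-aclocal` / `+aclocal -I m4` change in autogen.sh only takes effect when autogen.sh itself is run; when automake later re-runs aclocal on its own (for example after a Makefile.am edit in a distributed tree) it will not pass `-I m4` unless the top-level Makefile.am also sets `ACLOCAL_AMFLAGS = -I m4`. Add that line alongside this hunk so the two invocations agree, and mention in the commit message that autogen.sh is now distributed, as the text above says it should be.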
[PATCH] Renumber AUDIT_TTY_[GS]ET
Renumber AUDIT_TTY_[GS]ET to avoid a conflict with netlink message types already used in the wild. From: Miloslav Trmac [EMAIL PROTECTED] Renumber AUDIT_TTY_[GS]ET to avoid a conflict with netlink message types already used in the wild. Signed-off-by: Miloslav Trmac [EMAIL PROTECTED] --- audit.h |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 4bbd860..d6579df 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -63,8 +63,8 @@ #define AUDIT_ADD_RULE 1011 /* Add syscall filtering rule */ #define AUDIT_DEL_RULE 1012 /* Delete syscall filtering rule */ #define AUDIT_LIST_RULES 1013 /* List syscall filtering rules */ -#define AUDIT_TTY_GET 1014 /* Get TTY auditing status */ -#define AUDIT_TTY_SET 1015 /* Set TTY auditing status */ +#define AUDIT_TTY_GET 1016 /* Get TTY auditing status */ +#define AUDIT_TTY_SET 1017 /* Set TTY auditing status */ #define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages mostly uninteresting to kernel */ #define AUDIT_USER_AVC 1107 /* We filter this differently */ -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
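Review bot: the commit message should say which netlink message types 1014 and 1015 collided with, since anyone bisecting a protocol mismatch will need that; and because these constants are visible to user space, the matching change to libaudit's copy of audit.h has to ship in the same release, otherwise an old libaudit will send AUDIT_TTY_SET as 1015 to a kernel that now reads 1015 as something else. A one-line comment next to the new 1016/1017 values noting that 1014/1015 are deliberately left unused would stop a later patch from reusing them.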
Re: Audit rules keys
Henning, Arthur C. (CSL) napsal(a): Copy NISPOM.rules to /etc/audit/audit.rules Using system-config-audit, I create a rule for the SYSCALL kill with a key of kill Save the configuration. Get the described error. Thanks for your report. The attached patch, to be included in s-c-audit 0.4.3, should fix the problem. Mirek diff -r f457891036d2 -r d27e1fc8660b src/audit_rules.py --- a/src/audit_rules.py Tue Aug 28 18:28:52 2007 +0200 +++ b/src/audit_rules.py Tue Aug 28 18:29:14 2007 +0200 @@ -347,13 +347,18 @@ class Field(object): self.op = self.OP_EQ self.value = self.get_field_type(self.var).parse_value(string, self.op) -def option_text(self): -'''Return a string representing this field as an auditctl option.''' +def option_text(self, rule): +'''Return a string representing this field as an auditctl option. + +Use rule to determine the correct syntax. + +''' val = self._value_text() if self.var == audit.AUDIT_FILTERKEY: assert self.op == self.OP_EQ return '-k %s' % val -elif self.var == audit.AUDIT_PERM: +elif (self.var == audit.AUDIT_PERM and + len([f for f in rule.fields if f.var == audit.AUDIT_WATCH]) == 1): assert self.op == self.OP_EQ return '-p %s' % val else: 
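Review bot: option_text() gained a mandatory rule argument, so the change is only complete if every caller of Field.option_text() is updated; the visible hunks update the calls in Rule.option_text, and any other call site would now raise TypeError at runtime. Also, the `-p` decision counts AUDIT_WATCH fields with `len([f for f in rule.fields if f.var == audit.AUDIT_WATCH]) == 1`; `sum(1 for f in rule.fields if f.var == audit.AUDIT_WATCH) == 1` reads the same and avoids building a throwaway list.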
@@ -443,16 +448,21 @@ class Rule(object): o.append('-w %s' % watches[0].value) watch_used = True # Add fields before syscalls because -F arch=... may change the meaning -# of syscall names +# of syscall names. But add AUDIT_FILTERKEY only after -S, auditctl +# stubbornly insists on that order. for f in self.fields: -if f.var != audit.AUDIT_WATCH or not watch_used: -o.append(f.option_text()) +if (f.var != audit.AUDIT_FILTERKEY and +(f.var != audit.AUDIT_WATCH or not watch_used)): +o.append(f.option_text(self)) if list is not rules.exclude_rules: for s in self.syscalls: if s == self.SYSCALLS_ALL: o.append('-S all') else: o.append('-S %s' % util.syscall_string(s, self.machine)) +for f in self.fields: +if f.var == audit.AUDIT_FILTERKEY: +o.append(f.option_text(self)) return ' '.join(o) def __eq__(self, rule): -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
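Review bot: the two-pass loop emits `-k` after `-S` as intended, but nothing stops a rule carrying two AUDIT_FILTERKEY fields from emitting `-k` twice; the `assert self.op == self.OP_EQ` in the first hunk checks the operator, not the count, so consider asserting (or rejecting at parse time) that a rule has at most one key. Minor: `if list is not rules.exclude_rules:` uses a local named `list`, which shadows the built-in and is easy to misread in a function that builds lists.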
Re: [PATCH] Audit: EINTR instead of kernel private return codes in audit records
Steve Grubb napsal(a): On Wednesday 14 November 2007 15:22:08 Eric Paris wrote: + if (unlikely((return_code == -ERESTART_RESTARTBLOCK) || +(return_code == -ERESTARTNOHAND) || +(return_code == -ERESTARTSYS) || +(return_code == -ERESTARTNOINTR))) Would it be more efficient to say: if (unlikely(return_code = -ERESTARTSYS return_code = -ERESTART_RESTARTBLOCK)) That gets it down to 2 compares and 1 logical op. gcc performs this transformation automatically. Mirek -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
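Review bot: the suggested range test `return_code <= -ERESTARTSYS && return_code >= -ERESTART_RESTARTBLOCK` (the operators did not survive the archive) is only equivalent to the four explicit compares if no other code sits between ERESTARTSYS and ERESTART_RESTARTBLOCK in the kernel's private errno block; that block also holds non-restart codes such as ENOIOCTLCMD, so the actual numbering in include/linux/errno.h must be checked before collapsing the list. As the reply notes, gcc already merges contiguous compares into a range test, so the explicit form costs nothing and documents the intent.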
[PATCH] Fix (make check)
Hello, (make check) currently builds tests against libaudit headers installed system-wide; if no headers are installed, the build fails. The attached patch fixes the build. Mirek diff -urN audit/auparse/test/Makefile.am audit-1.6.2/auparse/test/Makefile.am --- audit/auparse/test/Makefile.am 2007-08-27 22:03:43.0 +0200 +++ audit-1.6.2/auparse/test/Makefile.am 2007-11-04 05:50:07.0 +0100 @@ -24,7 +24,7 @@ check_SCRIPTS = auparse_test.py EXTRA_DIST = auparse_test.ref -INCLUDES = -I.. +INCLUDES = -I.. -I../../lib auparse_test_SOURCES = auparse_test.c auparse_test_LDFLAGS = -static -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
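Review bot: `INCLUDES = -I.. -I../../lib` fixes the header lookup for in-tree builds, but a relative path breaks in a VPATH (out-of-tree) build, where ../../lib is the build directory rather than the source tree; `-I$(top_srcdir)/lib` (and `-I$(srcdir)/..` for the first entry) works in both. Newer automake also warns that INCLUDES is the old name for AM_CPPFLAGS, so this is a good moment to rename the variable.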
[PATCH] ausearch improvements
then be used to scan logs, files, or buffers for something of interest. The op parameter specifies the desired comparison. Legal op values are \fI\fR, \fI=\fR, \fI=\fR, \fI\fR and \fI=\fR. The left operand of the comparison operator is the timestamp of the examined event, the right operand is specified by the sec and milli parameters. + +The how value determines how this search condition will be stored internally. The possible values are: +.RS +.TP +.I AUSEARCH_RULE_CLEAR +When this is used, it clears any previous search condition and inserts it as the first one. +.TP +.I AUSEARCH_RULE_OR +When this is used, it means that the results of its evaluation will be ored with other search conditions. +.TP +.I AUSEARCH_RULE_AND +When this is used, it means that the results of its evaluation will be anded with other search conditions. +.RE + +All search conditions must be the same type, you cannot mix and and or. + +.SH RETURN VALUE + +Returns -1 if an error occurs; otherwise, 0 for success. + +.SH APPLICATION USAGE + +Use +.BR ausearch_add_item (3) +and +.BR ausearch_add_interpreted_item (3) +to add conditions that check audit record fields. + +.SH SEE ALSO + +.BR ausearch_add_item (3), +.BR ausearch_add_interpreted_item (3), +.BR ausearch_add_regex (3), +.BR ausearch_set_stop (3), +.BR ausearch_clear (3), +.BR ausearch_next_event (3). + +.SH AUTHOR +Miloslav Trmac diff -urN audit/docs/Makefile.am audit-1.6.2/docs/Makefile.am --- audit/docs/Makefile.am 2007-09-18 17:31:41.0 +0200 +++ audit-1.6.2/docs/Makefile.am 2007-11-09 10:12:03.0 +0100 
@@ -43,8 +43,9 @@ auparse_get_type.3 auparse_init.3 auparse_interpret_field.3 \ auparse_next_event.3 auparse_next_field.3 auparse_next_record.3 \ auparse_node_compare.3 auparse_reset.3 auparse_timestamp_compare.3 \ -aureport.8 ausearch.8 ausearch_add_item.3 ausearch_add_regex.3 \ -ausearch_clear.3 ausearch_next_event.3 ausearch_set_stop.3 \ +aureport.8 ausearch.8 ausearch_add_item.3 ausearch_add_interpreted_item.3 \ +ausearch_add_timestamp_item.3 ausearch_add_regex.3 ausearch_clear.3 \ +ausearch_next_event.3 ausearch_set_stop.3 \ autrace.8 get_auditfail_action.3 set_aumessage_mode.3 \ audispd.8 audispd.conf.5 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
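Review bot: in the ausearch_add_timestamp_item.3 hunk, "ored" and "anded" should be spelled out as "combined with the other conditions using logical OR/AND", and "you cannot mix and and or" needs the operator names set off (\fIand\fR, \fIor\fR) to be readable. The "Legal op values" sentence lost its operators in the archive (only the \fI...\fR markup is left), so check that the rendered page shows all five comparison operators. The RETURN VALUE section should also state whether errno is set when -1 is returned.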
Re: Kernel audit output is inconsistent, hard to parse
Hello,

John Dennis wrote:
> The current formatting of the record timestamp (e.g. audit(sss.mmm:iii) is inconsistent with all other name/value pairs. It should be seconds=sss milliseconds=mmm serial=iii, this allows parsing to be regular and consistent.

Isn't this unnecessarily verbose? Just time=sss.mmm serial=iii would be smaller, easier to read - and it would allow using better time precision in the future.

> It's a judgment call over when and how to introduce change and the anticipated impact.

If this change is implemented, we should use the opportunity to clean up other inconsistencies in audit messages - e.g. different messages use success, res and result fields to record whether the audited operation was successful.

Also note that similar changes are necessary in user-space, e.g.

type=USER_ERR ...: ... msg='PAM: bad_ident acct=? : exe=/usr/sbin/gdm-binary (hostname=?, addr=?, terminal=? res=failed)'

contains name-value pairs within a value, using both pairs of quotes.

Mirek
[PATCH] Fix error handing when searching for an interpreted value
Hello, auparse would crash if there was an interpreted filter item defined and the field could not be interpreted (e.g. it had an invalid format). The attached patch modifies auparse to use the raw value in such cases. Mirek diff -ur audit/auparse/auparse.c audit-1.6.6/auparse/auparse.c --- audit/auparse/auparse.c 2007-11-19 19:44:04.0 +0100 +++ audit-1.6.6/auparse/auparse.c 2008-01-31 09:41:02.0 +0100 @@ -899,9 +899,10 @@ if (search_op == AUSEARCH_EXISTS) return 1; + val = NULL; if ((rule-search_op AUSEARCH_INTERPRETED) != 0) val = nvlist_interp_cur_val(r); - else + if (val == NULL) val = nvlist_get_cur_val(r-nv); rc = strcmp(rule-v.field.val, val); if (search_op == AUSEARCH_EQUAL) -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
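Review bot: setting `val = NULL` and falling back to `nvlist_get_cur_val(r->nv)` removes the crash, but it also changes the search semantics silently: an AUSEARCH_INTERPRETED rule on a field that cannot be interpreted now compares the caller's interpreted value against the raw text, which will simply not match rather than report an error. That is a reasonable outcome for a search, but it should be spelled out in ausearch_add_interpreted_item(3) (a field that fails to interpret is compared in its raw form). If nvlist_get_cur_val() can itself return NULL, the `strcmp(rule->v.field.val, val)` on the next line still needs a guard.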
[PATCH] Fix __attribute__((hidden)) use
Hello, this patch fixes __attribute__ ((hidden)) use. The hidden_def(SYM)/hidden_proto(SYM) pair should be used for symbols that are a part of the public API; it creates hidden aliases (SYM_internal) for use within the shared library, which speeds up both dynamic linking and code execution. Symbols that are not in the public API should use hidden in the function declaration. This patch replaces all incorrect uses of hidden_def/hidden_proto by hidden (some uses in lib/private.h are left because these symbols used to be declared in libaudit.h). It also adds hidden_def/hidden_proto macros to those public symbols that are referenced from within the libraries. Mirek diff -ur audit/auparse/auditd-config.c audit-1.6.7/auparse/auditd-config.c --- audit/auparse/auditd-config.c 2008-01-07 20:10:34.0 +0100 +++ audit-1.6.7/auparse/auditd-config.c 2008-02-11 18:51:23.0 +0100 @@ -217,7 +217,6 @@ fclose(f); return 0; } -hidden_def(load_config); static char *get_line(FILE *f, char *buf) { @@ -418,5 +417,4 @@ free((void *)config-disk_full_exe); free((void *)config-disk_error_exe); } -hidden_def(free_config); diff -ur audit/auparse/auparse.c audit-1.6.7/auparse/auparse.c --- audit/auparse/auparse.c 2008-01-31 15:55:38.0 +0100 +++ audit-1.6.7/auparse/auparse.c 2008-02-11 18:44:22.0 +0100 @@ -484,6 +484,7 @@ au-search_where = AUSEARCH_STOP_EVENT; au-search_how = AUSEARCH_RULE_CLEAR; } +hidden_def(ausearch_clear) void auparse_destroy(auparse_state_t *au) { @@ -1062,7 +1063,7 @@ } } } - +hidden_def(auparse_next_event) /* Accessors to event data */ const au_event_t *auparse_get_timestamp(auparse_state_t *au) @@ -1167,6 +1168,7 @@ return 1; } +hidden_def(auparse_first_record) int auparse_next_record(auparse_state_t *au) @@ -1181,6 +1183,7 @@ else return 0; } +hidden_def(auparse_next_record) /* Accessors to record data */ @@ -1291,6 +1294,7 @@ } return NULL; } +hidden_def(auparse_find_field_next) /* Accessors to field data */ 
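Review bot: the hidden_def() invocations added to auparse.c (`+hidden_def(ausearch_clear)`, `+hidden_def(auparse_next_event)`, ...) carry no trailing semicolon, while the ones removed from auditd-config.c did (`-hidden_def(load_config);`); either the macro expands to a complete declaration and the old semicolons were stray, or the new lines are missing one, and the patch should use one style throughout (the one the macro definition in lib/private.h expects). The hunk at auparse.c line 1062 also replaces the blank line between the closing brace and `/* Accessors to event data */` with the hidden_def, which is a formatting change unrelated to the fix; keep the blank line.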
@@ -1314,6 +1318,7 @@ } return NULL; } +hidden_def(auparse_get_field_str) int auparse_get_field_int(auparse_state_t *au) diff -ur audit/auparse/auparse.h audit-1.6.7/auparse/auparse.h --- audit/auparse/auparse.h 2007-11-19 19:44:04.0 +0100 +++ audit-1.6.7/auparse/auparse.h 2008-02-11 18:46:07.0 +0100 @@ -32,10 +32,8 @@ /* Library type definitions */ -#ifndef AUPARSE_INTERNAL_HEADER /* opaque data type used for maintaining library state */ typedef struct opaque auparse_state_t; -#endif typedef void (*user_destroy)(void *user_data); typedef void (*auparse_callback_ptr)(auparse_state_t *au, diff -ur audit/auparse/data_buf.c audit-1.6.7/auparse/data_buf.c --- audit/auparse/data_buf.c 2007-09-16 18:14:26.0 +0200 +++ audit-1.6.7/auparse/data_buf.c 2008-02-11 17:05:39.0 +0100 @@ -142,7 +142,6 @@ } printf(\n); } -hidden_def(databuf_print); int databuf_init(DataBuf *db, size_t size, unsigned flags) { @@ -167,7 +166,6 @@ return 1; } -hidden_def(databuf_init); void databuf_free(DataBuf *db) { @@ -185,7 +183,6 @@ DATABUF_VALIDATE(db); } -hidden_def(databuf_free); char *databuf_export(DataBuf *db) { @@ -194,7 +191,6 @@ DATABUF_VALIDATE(db); return db-alloc_ptr; } -hidden_def(databuf_export); int databuf_append(DataBuf *db, const char *src, size_t src_size) { @@ -236,7 +232,6 @@ DATABUF_VALIDATE(db); return 1; } -hidden_def(databuf_append); int databuf_strcat(DataBuf *db, const char *str) { @@ -264,7 +259,6 @@ DATABUF_VALIDATE(db); return 1; } -hidden_def(databuf_strcat); int databuf_advance(DataBuf *db, size_t advance) { @@ -285,7 +279,6 @@ return -1; } } -hidden_def(databuf_advance); int databuf_compress(DataBuf *db) @@ -305,7 +298,6 @@ DATABUF_VALIDATE(db); return 1; } -hidden_def(databuf_compress); int databuf_reset(DataBuf *db) { 
@@ -316,7 +308,6 @@ if (debug) databuf_print(db, 1, databuf_reset() exit); return 1; } -hidden_def(databuf_reset); /*/ /*** Test Program **/ diff -ur audit/auparse/data_buf.h audit-1.6.7/auparse/data_buf.h --- audit/auparse/data_buf.h 2007-09-16 18:12:05.0 +0200 +++ audit-1.6.7/auparse/data_buf.h 2008-02-11 17:00:46.0 +0100 @@ -80,25 +80,14 @@ / Exported Functions ***/ /*/ -void databuf_print(DataBuf *db, int print_data, char *fmt, ...); -int databuf_init(DataBuf *db, size_t size, unsigned flags); -void databuf_free(DataBuf *db); -char *databuf_export(DataBuf *db); -int databuf_append(DataBuf *db, const char *src, size_t src_size); -int databuf_strcat(DataBuf *db, const char *str); -int
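Review bot: dropping the `#ifndef AUPARSE_INTERNAL_HEADER` guard around `typedef struct opaque auparse_state_t;` in auparse.h means any internal source that defined AUPARSE_INTERNAL_HEADER to supply its own definition of auparse_state_t will now see two conflicting typedefs; the patch should either remove that define from the internal headers in the same change or say in the description why it is already unused. The data_buf.h hunk is cut off in the archive after `-int`, so the replacement prototypes (presumably carrying the hidden attribute) cannot be reviewed here.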
[PATCH] Fix acct quoting in audit_log_acct_message())
Hello, audit_log_acct_message() is currently quoting acct differently from all other users: it adds quotes to acct if it is represented in hexadecimal, not when it is represented as-is. The attached patch fixes it - but it also changes the format of some of the most-often used messages. It might be better to leave the message format alone, and add a special case to libauparse and other applications that parse the logs - I have no idea. Mirek diff -up audit-1.6.7/lib/audit_logging.c.quotes audit-1.6.7/lib/audit_logging.c --- audit-1.6.7/lib/audit_logging.c.quotes 2008-03-04 04:34:38.0 +0100 +++ audit-1.6.7/lib/audit_logging.c 2008-03-04 04:35:33.0 +0100 @@ -378,10 +378,10 @@ int audit_log_acct_message(int audit_fd, } if (enc) format = - op=%s acct=\%s\ exe=%s (hostname=%s, addr=%s, terminal=%s res=%s); + op=%s acct=%s exe=%s (hostname=%s, addr=%s, terminal=%s res=%s); else format = - op=%s acct=%s exe=%s (hostname=%s, addr=%s, terminal=%s res=%s); + op=%s acct=\%s\ exe=%s (hostname=%s, addr=%s, terminal=%s res=%s); snprintf(buf, sizeof(buf), format, op, user, pgname, -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
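Review bot: the swap is consistent with the rule stated in the description (quote only the as-is form, never the hex form), but it changes the on-disk format of the USER_* account messages that existing parsers already match; the commit message should state that risk explicitly, and libauparse/ausearch need to keep accepting both the old quoted-hex and the new quoted-plain form, since logs written by older libaudit remain in /var/log/audit. Also, the subject line has an unbalanced closing parenthesis after audit_log_acct_message().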
Re: [PATCH] Fix acct quoting in audit_log_acct_message())
Tomas Mraz wrote:
> This proposal is just for starting the discussion.
>
> 1. Messages contain name=value pairs separated by spaces.
> 2. All names are just alphanumeric sequences.
> 3. Values can be either:
> a) byte sequences with the following special characters encoded as %XX where XX is hexadecimal value of the encoded byte. Special characters are: bytes with value <= 0x20 or >= 0x7F, '%', '(', ')', and '='.

Perhaps we should reserve more characters for future features - at least '"', '\'' and '\\', maybe everything but [a-zA-Z0-9_-].

From the previous thread - the currently used hexadecimal format is good for non-ASCII data (2 characters per byte instead of 3 bytes); it probably won't be better for most messages - perhaps it should be left as a third alternative, e.g. \xaa55abcdef.

One more proposal:

4. If a value is undefined, the name=value pair is not present. Special values (?, (null), "") are never used to represent unknown field values.

> b) recursively embedded messages enclosed in '(' and ')' parentheses.
>
> type=USER_START msg=audit(1204632061.112:32361): user pid=10902 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct=root exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron res=success)'
>
> becomes:
>
> type=USER_START msg=(audit=1204632061.112:3236 src=user pid=10902 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg=(op=PAM:session_open acct=root exe=/usr/sbin/crond hostname=? addr=? terminal=cron res=success))

[Should there be only one trailing )?]

Using msg for both the kernel and user-space part is ambiguous - perhaps kmsg/umsg or just k/u? Or, preferably, don't nest the kernel fields at all - the nesting carries no information.

> type=AVC msg=audit(1204601533.621:32307): avc: denied { read write } for pid=9822 comm=tmpwatch path=socket:[14038] dev=sockfs ino=14038 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=tcp_socket
>
> becomes:
>
> type=AVC msg=(audit=1204601533.621:32307 src=avc kind=denied acts=read:write pid=9822 comm=tmpwatch path=socket:[14038] dev=sockfs ino=14038 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=tcp_socket)

(auparse already defines names for some of the fields, the names should be reused.)

Mirek
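The proposed record format, as an added example that is not part of this thread or of the audit project: a Python encoder and parser implementing rules 1 to 4 as stated above (space-separated name=value pairs, alphanumeric names, %XX escaping of the listed special bytes, nested messages in parentheses, undefined fields simply absent). The special-character set is the one from the proposal; the larger set suggested in the reply is noted in a comment. All function names are assumptions made for illustration, and the parsed USER_START record is the one quoted above.

```python
"""Encoder and parser for the audit record format proposed in this thread.

Added example, not code from the audit project. Values are handled as bytes,
names as str; a nested message is a dict; an undefined field is None and is
omitted when formatting (rule 4).
"""
import re
from typing import Tuple

NAME_RE = re.compile(r"[A-Za-z0-9]+")
SPECIAL = frozenset(b"%()=")   # the proposal's set; the reply suggests also '"', '\'' and '\\'
HEXDIGITS = "0123456789ABCDEFabcdef"

# The proposed form of the USER_START record quoted above.
USER_START_EXAMPLE = (
    "type=USER_START msg=(audit=1204632061.112:3236 src=user pid=10902 uid=0 auid=0 "
    "subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg=(op=PAM:session_open acct=root "
    "exe=/usr/sbin/crond hostname=? addr=? terminal=cron res=success))"
)


def needs_escape(byte: int) -> bool:
    return byte <= 0x20 or byte >= 0x7F or byte in SPECIAL


def encode_value(raw: bytes) -> str:
    return "".join("%%%02X" % b if needs_escape(b) else chr(b) for b in raw)


def decode_value(text: str) -> bytes:
    out = bytearray()
    i = 0
    while i < len(text):
        c = text[i]
        if c == "%":
            hexpart = text[i + 1:i + 3]
            if len(hexpart) != 2 or any(h not in HEXDIGITS for h in hexpart):
                raise ValueError("bad %%XX escape at offset %d" % i)
            out.append(int(hexpart, 16))
            i += 3
        elif needs_escape(ord(c)):
            raise ValueError("unescaped byte %r at offset %d" % (c, i))
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


def format_message(fields: dict) -> str:
    parts = []
    for name, value in fields.items():
        if not NAME_RE.fullmatch(name):
            raise ValueError("invalid field name %r" % name)
        if value is None:
            continue                        # rule 4: undefined fields are omitted
        if isinstance(value, dict):
            parts.append("%s=(%s)" % (name, format_message(value)))
        else:
            parts.append("%s=%s" % (name, encode_value(value)))
    return " ".join(parts)


def parse_message(text: str) -> dict:
    fields, _ = _parse_fields(text, 0, nested=False)
    return fields


def _parse_fields(text: str, pos: int, nested: bool) -> Tuple[dict, int]:
    """Parse name=value pairs from pos; a nested message ends at ')', the top level at end of text."""
    fields: dict = {}
    n = len(text)
    while True:
        while pos < n and text[pos] == " ":
            pos += 1
        if pos == n:
            if nested:
                raise ValueError("unterminated nested message")
            return fields, pos
        if text[pos] == ")":
            if not nested:
                raise ValueError("unexpected ')' at offset %d" % pos)
            return fields, pos + 1
        m = NAME_RE.match(text, pos)
        if m is None or m.end() >= n or text[m.end()] != "=":
            raise ValueError("expected name= at offset %d" % pos)
        name = m.group(0)
        pos = m.end() + 1
        if pos < n and text[pos] == "(":
            value, pos = _parse_fields(text, pos + 1, nested=True)   # rule 3b
        else:
            end = pos
            while end < n and text[end] not in " )":
                end += 1
            value = decode_value(text[pos:end])                      # rule 3a
            pos = end
        if name in fields:
            raise ValueError("duplicate field %r" % name)
        fields[name] = value
```

Because every byte that could be mistaken for a delimiter is escaped, the parser needs no quoting rules at all: a value ends at the next space or ')', and a '(' directly after '=' always opens a nested message. That is what removes the "name-value pairs within a value, using both pairs of quotes" problem the reply points out.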
Re: audit-viewer event file question
Hello,

- LC Bruzenak le...@magitekltd.com wrote:
> Is there a way to specify on the command line a way to tell the audit-viewer to read a specific raw event file?

No.

Mirek
Re: audit-viewer
- Dan Gruhn dan.gr...@groupw.com wrote:
> I have audit-viewer-0.4 and get the following error from make install
>
> Byte-compiling python modules...
> client.py dialog_base.py event_dialog.py event_source.py filters.py format_versions.py list_properties.py list_tab.py
> File /usr/local/share/audit-viewer/list_tab.py, line 558
> store_data[column + 1] = l.pop(0) if l else ''
> ^
> SyntaxError: invalid syntax
>
> Is it just me or should I try the 0.3 version?

Please apply the attached patch against the src subdirectory.

Mirek

av.patch Description: Binary data
Re: audit-viewer
Dan,

- Dan Gruhn dan.gr...@groupw.com wrote:
> I'm having problems running audit-viewer and it appears that I am missing some packages like python-gtkextra, PyChart, and sexy-python. I don't have them available on RHEL 5.2 (or 5.3 for that matter) and have been trying to compile them.

Oh, sorry about that - I completely forgot about the dependencies. For libsexy, take the Fedora 10 package, remove the dependencies on hunspell-en and enchant. For python-gtkextra and python-sexy rebuild the packages available in Fedora 10. pychart is available in EPEL.

Mirek
Re: audit-viewer
Hello,

- Dan Gruhn dan.gr...@groupw.com wrote:
> I am getting this error when audit viewer starts:
>
> # audit-viewer
> Error reading audit events: No such file or directory.
>
> Thinking that perhaps something is pointing to the wrong files, I attempted to use Window/Change event source... Then I get this:
>
> snip
> File /usr/local/share/audit-viewer/source_dialog.py, line 161, in __source_log_with_rotated_toggled
> self.source_log.set_active_iter(it)
> TypeError: iter should be a GtkTreeIter

This crash is a bug in audit-viewer, I'll fix it for the next release.

I'm not 100% sure, but I think the problem is caused by the fact that audit-viewer searches for audit logs in the --prefix subtree (as specified by configure). You can verify the used path by running (strings /your/prefix/libexec/audit-viewer-server-real | grep /log/audit); if it is not /var/log/audit, you'll need to rebuild audit-viewer, specifying --localstatedir=/var . I'll document the necessity to use --localstatedir.

Thank you,
Mirek
Re: audit-viewer
Hello,

- Dan Gruhn dan.gr...@groupw.com wrote:
> You are right, the path was /usr/local/var/log/audit. Once I recompiled with this change everything seems to be working.
>
> Does this default of --prefix subtree make sense in any situation? I ask because perhaps a default of /var would more often produce the correct result.

I personally use a different prefix for development and installation without root privileges - but I could of course use an extra option for that. In general, I don't think overriding localstatedir in audit-viewer is worth it. It violates user's expectations about ./configure behavior, and autoconf doesn't offer a clean way to override it anyway. After all, most users should (eventually) rely on their distribution to package audit-viewer for them.

Mirek
[PATCH] Add SELinux context and TTY name to AUDIT_TTY records
From: Miloslav Trmač m...@redhat.com

Add SELinux context information and TTY name (consistent with the AUDIT_SYSCALL record) to AUDIT_TTY.

An example record after applying this patch:

type=TTY msg=audit(1237480806.220:22): tty pid=2601 uid=0 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0 major=136 minor=1 tty=pts1 comm=bash data=6361740D

(line wrapped, new fields are subj and tty.)

Signed-off-by: Miloslav Trmač m...@redhat.com
---
 drivers/char/tty_audit.c | 57 -
 1 file changed, 38 insertions(+), 19 deletions(-)

audit-tty-more-fields.patch Description: Binary data
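Reading such records back, as an added example that is not part of the kernel patch or of ausearch: a Python decoder that parses the name=value fields of a type=TTY record, hex-decodes the data= field (6361740D above is "cat" followed by carriage return) and joins the data of successive records from the same login session so the typed input can be reviewed. The first sample record is the one from the patch description; the second record and the SYSCALL line are constructed, and the function names are assumptions made for illustration.

```python
"""Decoding AUDIT_TTY records such as the one shown in the patch description.

Added example, not part of the kernel patch or of ausearch: parse a type=TTY
record, hex-decode data=, and join the data per (auid, ses, pid, tty) so the
input typed in one session can be read back in order.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

FIELD_RE = re.compile(r"(\w+)=(\S+)")

SessionKey = Tuple[str, str, str, str]

# Constructed sample log: the record from the patch description, a second
# (made-up) record from the same pid/session, and an unrelated SYSCALL record.
SAMPLE_LOG = [
    "type=TTY msg=audit(1237480806.220:22): tty pid=2601 uid=0 auid=500 ses=1 "
    "subj=unconfined_u:unconfined_r:unconfined_t:s0 major=136 minor=1 tty=pts1 "
    "comm=bash data=6361740D",
    "type=TTY msg=audit(1237480810.101:23): tty pid=2601 uid=0 auid=500 ses=1 "
    "subj=unconfined_u:unconfined_r:unconfined_t:s0 major=136 minor=1 tty=pts1 "
    "comm=bash data=6964202D750D",
    "type=SYSCALL msg=audit(1237480810.102:24): syscall=59 success=yes pid=2601",
]


def parse_tty_record(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one type=TTY record with data= decoded, or None for
    any other record type or a malformed data= value."""
    fields: Dict[str, object] = dict(FIELD_RE.findall(line))
    if fields.get("type") != "TTY":
        return None
    try:
        fields["data"] = bytes.fromhex(str(fields["data"]))
    except (KeyError, ValueError):
        return None                        # malformed record: skip it, never crash
    return fields


def render(data: bytes) -> str:
    """Show control bytes in caret notation (0x0D -> ^M), other non-printable
    bytes as \\xNN, so a reviewer can read RET, C-r and similar keystrokes."""
    out = []
    for b in data:
        if 0x20 <= b < 0x7F:
            out.append(chr(b))
        elif b < 0x20:
            out.append("^" + chr(b + 0x40))
        elif b == 0x7F:
            out.append("^?")
        else:
            out.append("\\x%02X" % b)
    return "".join(out)


def reconstruct_input(lines: Iterable[str]) -> Dict[SessionKey, bytes]:
    """Join decoded TTY data per (auid, ses, pid, tty) in record order."""
    by_session: Dict[SessionKey, bytearray] = {}
    for line in lines:
        rec = parse_tty_record(line)
        if rec is None:
            continue
        key = tuple(str(rec.get(k, "?")) for k in ("auid", "ses", "pid", "tty"))
        by_session.setdefault(key, bytearray()).extend(rec["data"])  # type: ignore[arg-type]
    return {k: bytes(v) for k, v in by_session.items()}
```

Grouping on auid and ses rather than on uid matters here: after su the uid changes but the login uid and session id do not, which is exactly why the RFC audits per process and not per TTY.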
[PATCH] Don't crash on unknown S_IFMT file modes
Hello,

ausearch -i and libauparse currently crash (access NULL) if a mode= field contains an unknown file type. Such records are generated by the kernel for IPC, e.g.

node=jcdx156 type=IPC msg=audit(1237915952.720:2294): ouid=500 ogid=1106 mode=0600 obj=siterep_u:siterep_r:siterep_t:s0-s15:c0.c1023

The attached patch:
* Modifies ausearch and libauparse to output the file format in octal if it is unknown.
* Modifies libauparse to use the same interpreted field format as ausearch (without a space in the middle).
* Modifies comma handling in libauparse to avoid a strcat() call.

Mirek
Re: [PATCH] Don't crash on unknown S_IFMT file modes
- LC Bruzenak le...@magitekltd.com wrote:
> Thank you for this patch...wherever it may be. :)

Ooops :/

> Do you have a standard auparse test you use to track these down?

No, I only have a small Python program to use auparse to interpret a supplied log file (attached). There is also (make check).

Mirek

audit-interpret.py Description: Binary data
audit-ifmt.patch Description: Binary data
Re: [PATCH] Don't crash on unknown S_IFMT file modes
- LC Bruzenak le...@magitekltd.com wrote:
> After applying this patch my build fails in the parse test section due to a difference of no space after a comma:
>
> -mode=040730 (dir, 730)
> +mode=040730 (dir,730)
>
> Do you think your changes would cause this?

Yes, that change was intentional and documented in the patch. I forgot to run (make check) and update the test case.

Mirek
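The mode= interpretation this thread is about, as an added example that is not the ausearch or libauparse code the patch changes: a Python interpreter that maps the S_IFMT bits of a mode= value to a file-type name followed by the permission bits in octal, in the "dir,730" form the test case above now expects, and falls back to printing the whole mode in octal when the type bits name no known file type, as for the IPC record quoted in the first message. Only "dir" is a name taken from the thread; the other type names, the "field=raw (interpreted)" layout produced by interpret_record() and the second sample record are assumptions made for illustration.

```python
"""Interpreting the mode= field without crashing on unknown S_IFMT values.

Added example, not the ausearch/libauparse code. The table lookup returns
None for a type it does not know instead of dereferencing a missing entry,
which is the failure mode the patch fixes; the caller then prints the mode
in octal.
"""
import re
import stat
from typing import Optional

# File-type names keyed by S_IFMT value; only "dir" is taken from the thread,
# the rest are assumed names for the example.
TYPE_NAMES = {
    stat.S_IFDIR: "dir",
    stat.S_IFREG: "file",
    stat.S_IFLNK: "link",
    stat.S_IFSOCK: "socket",
    stat.S_IFIFO: "fifo",
    stat.S_IFCHR: "character",
    stat.S_IFBLK: "block",
}

MODE_RE = re.compile(r"\bmode=([0-7]+)")

# Constructed samples: the IPC record from the first message and a PATH record
# for a directory (the 040730 value from the test case above).
IPC_RECORD = ("node=jcdx156 type=IPC msg=audit(1237915952.720:2294): ouid=500 ogid=1106 "
              "mode=0600 obj=siterep_u:siterep_r:siterep_t:s0-s15:c0.c1023")
DIR_RECORD = "type=PATH msg=audit(1237915952.720:2295): item=0 name=/tmp mode=040730 ouid=0 ogid=0"


def interpret_mode(raw: str) -> str:
    """Return "type,perms" for a known file type, or the mode in octal otherwise."""
    try:
        mode = int(raw, 8)
    except ValueError:
        return raw                            # not octal at all: leave it as-is
    name: Optional[str] = TYPE_NAMES.get(stat.S_IFMT(mode))
    if name is None:
        return "0%o" % mode                   # unknown type (e.g. IPC objects): octal
    return "%s,%o" % (name, stat.S_IMODE(mode))   # perms keep setuid/setgid/sticky bits


def interpret_record(line: str) -> str:
    """Rewrite each mode=... field of one record as "mode=raw (interpreted)"."""
    return MODE_RE.sub(lambda m: "mode=%s (%s)" % (m.group(1), interpret_mode(m.group(1))), line)
```

interpret_record(IPC_RECORD) yields "mode=0600 (0600)" for the IPC object, while interpret_record(DIR_RECORD) yields "mode=040730 (dir,730)".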
Reactive rules (from juro....@gmail.com)
I planned to create a plugin which would extend the current audit capabilities adding a new type of rule - a reactive rule. This type of rule is different in the way that it watches for an event like an ordinary rule, however, when the event happens, it reacts to that adding or deleting other rules. For example, there is a reactive rule that watches for a certain user to login and as the reaction to the event, it adds the new rule that watches for file changes in the user's home dir.

The problem with the plugin is that it would have to analyze every single message from the dispatcher, parse it and look for an appropriate rule in a rule set that caused this message to be generated. The process of parsing every message isn't the right thing to do because of overhead. I suggest that a change should be done in the kernel. The events are filtered in it so that there is no need parsing the messages sent to the auditd and this solution wouldn't cause any increase in the load of the system caused by auditing.

First of all, the syntax of the rules should be changed a bit to include reactive rules. It could look like this:

rule1
rule2 {
  rule2_1
  rule2_2
}
rule3

When an event that rule2 watches for occurs, rule2_1 and rule2_2 will be added/removed to/from the rule set. The change in the syntax means a change in auditctl.c. Also, struct audit_rule_data needs to be altered to include some flag that makes it possible to recognize between the types of rules when passed to the kernel.

Furthermore, ordinary rules are added/removed to/from the rule set as soon as the kernel receives a request from the user space. From the example above, rules rule2_1 and rule2_2 can't be added/removed to/from the rule set immediately because an event that matches rule2 must occur at first. Although, they must be saved in the kernel, for example, they could be kept in a list of type struct list_head and the associated reactive rule would keep a reference to this list.
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Fwd: Reactive rules proposal
From: Juraj Hlista juro@gmail.com

I'm working on the implementation of reactive rules in audit. I've come up with a new type of rule (AUDIT_ALWAYS_REACT) which is almost the same as AUDIT_ALWAYS. The only difference is that the kernel generates one more message of type REACT_RULE when this rule is used. For instance, let's suppose that the reactive rule was added into the rule set with auditctl:

    auditctl -a exit,react -F path=/tmp/file -F perm=r

then cat /tmp/file generates the following audit message:

    type=REACT_RULE msg=audit(1259164875.572:4):
    type=SYSCALL msg=audit(1259164875.572:4): arch=c03e syscall=2 success=yes exit=3 a0=7fffdf4389cb a1=0 a2=2 a3=0 items=1 ppid=1148 pid=1165 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm=cat exe=/bin/cat key=(null)
    type=CWD msg=audit(1259164875.572:4): cwd=/root
    type=PATH msg=audit(1259164875.572:4): item=0 name=/tmp/file inode=27872 dev=03:01 mode=0100644 ouid=0 ogid=0 rdev=00:00

Also, I'm working on a plugin which watches for the messages of type REACT_RULE and makes decisions accordingly. This plugin has a configuration file which could look like this:

    variable = 0;
    action1 {
        exec program1
        add/delete rule
        if (variable == 0) {
            exec program2
        }
    }

The problem is that the plugin needs to recognize which reactive rules have been reacted to. The kernel just generates messages without any identifier. In order to solve it, auditctl has to add an identifier to the reactive rule somehow, for example, using the -k parameter:

    auditctl -a exit,react -k action1 -F path=/tmp/file -F perm=r

Another solution would be creating a new parameter, for example, -k_react. Any suggestions?

--
---BeginMessage---
Hi, please forward this post to the mailing list, which I have not yet managed to subscribe to. Thanks, Juraj
---End Message---
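As an added example (not code from these posts or from the audit project), here is a user-space prototype of the plugin sketched in this post and in the "Reactive rules" proposal above: it groups audit records into events by serial number, recognises an event that carries a REACT_RULE record, maps the rule's -k key to a configured reaction, and applies that reaction to a simulated rule set. The event text is constructed from the REACT_RULE example above with key="action1" in place of key=(null); the reaction body, the home-directory rule and the uid-500 events are assumptions.

```python
"""User-space prototype of the reactive-rules plugin described in the two
posts above (added example, not audit project code)."""
import re

# Constructed sample: the REACT_RULE event from the post with the proposed
# key="action1", followed by an ordinary (non-reactive) event that happens to
# carry the same key, and a reactive event whose rule has no -k identifier.
SAMPLE_LOG = """\
type=REACT_RULE msg=audit(1259164875.572:4):
type=SYSCALL msg=audit(1259164875.572:4): arch=c000003e syscall=2 success=yes exit=3 a0=7fffdf4389cb a1=0 a2=2 a3=0 items=1 ppid=1148 pid=1165 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="cat" exe="/bin/cat" key="action1"
type=CWD msg=audit(1259164875.572:4): cwd="/root"
type=PATH msg=audit(1259164875.572:4): item=0 name="/tmp/file" inode=27872 dev=03:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1259164880.101:5): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=1170 auid=500 uid=500 comm="cat" exe="/bin/cat" key="action1"
type=REACT_RULE msg=audit(1259164890.330:6):
type=SYSCALL msg=audit(1259164890.330:6): arch=c000003e syscall=2 success=yes exit=4 items=1 pid=1180 auid=500 uid=500 comm="less" exe="/usr/bin/less" key=(null)
"""

HEADER_RE = re.compile(r'^type=(\S+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit.log line into type, time, serial and a field dict.
    Quoted values lose their quotes; unquoted values such as (null) are kept."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {"type": rtype, "time": float(ts), "serial": int(serial), "fields": fields}


def group_events(text):
    """Collect records sharing a serial into one event, in order of first appearance."""
    events, order = {}, []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["serial"] not in events:
            events[rec["serial"]] = []
            order.append(rec["serial"])
        events[rec["serial"]].append(rec)
    return [events[s] for s in order]


class ReactivePlugin:
    """Simulated rule set plus the reactions, keyed by the rule's -k identifier."""

    def __init__(self, reactions):
        self.reactions = reactions        # key -> callable(plugin, syscall_fields)
        self.rules = set()                # rules currently added by reactions
        self.variables = {"variable": 0}  # the 'variable = 0;' of the proposed config
        self.actions = []                 # what a real plugin would exec / hand to auditctl

    def add_rule(self, rule):
        self.rules.add(rule)
        self.actions.append(("add", rule))

    def delete_rule(self, rule):
        self.rules.discard(rule)
        self.actions.append(("delete", rule))

    def handle_event(self, event):
        """Return the reaction key applied for this event, or None if none applied."""
        if not any(r["type"] == "REACT_RULE" for r in event):
            return None                   # ordinary rule: the kernel sent no REACT_RULE
        syscall = next((r for r in event if r["type"] == "SYSCALL"), None)
        key = syscall["fields"].get("key") if syscall else None
        if key in (None, "(null)"):
            return None                   # the identifier problem: nothing to map the event to
        reaction = self.reactions.get(key)
        if reaction is None:
            return None
        reaction(self, syscall["fields"])
        return key


def action1(plugin, fields):
    """'action1' from the proposed config: exec program1, add a rule, and exec
    program2 if variable == 0. The added rule watches the acting user's home
    directory (the example from the earlier proposal); the paths are assumed."""
    plugin.actions.append(("exec", "program1"))
    uid = fields.get("uid")
    home = "/root" if uid == "0" else "/home/uid%s" % uid
    plugin.add_rule("-w %s -p wa -k reacted_%s" % (home, uid))
    if plugin.variables["variable"] == 0:
        plugin.actions.append(("exec", "program2"))


def run(text, reactions):
    """Feed every event in 'text' to a fresh plugin; return it and the keys applied."""
    plugin = ReactivePlugin(reactions)
    applied = [plugin.handle_event(ev) for ev in group_events(text)]
    return plugin, applied


if __name__ == "__main__":
    plugin, applied = run(SAMPLE_LOG, {"action1": action1})
    print(applied)                 # ['action1', None, None]
    print(sorted(plugin.rules))
```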
Re: print capability for audit-viewer?
LC Bruzenak le...@magitekltd.com wrote:
> Is there any plan to add printing capability to the audit-viewer?

Not currently; you can export any tab to HTML[1] and use a web browser (or perhaps (lynx -dump | lpr)) to print it. Is that an acceptable solution for you?

[1] I have just noticed that list exports don't work, and a fix will be available in the next release.

Mirek
Re: print capability for audit-viewer?
LC Bruzenak le...@magitekltd.com wrote:
> Thanks for the reply. I tried the export, however it isn't the tab contents per se which have the important data for us. We have modified the event tab to include the entire raw event, because in our system, the really important data is usually in the application-submitted text.

Adding an export functionality to the Event detail dialog should not be difficult, filed as https://fedorahosted.org/audit-viewer/ticket/12 .

> I also tried adding the other fields to the columns listing, however that particular test also had a different error. The first column was Date and when I tried to export that list, it failed to export the list. So I ran the audit-viewer from the command line and saw an error:
>
>     TypeError: __date_column_event_text takes exactly 1 argument (2 given).
>
>> [1] I have just noticed that list exports don't work, and a fix will be available in the next release.
>
> Was it the above or different?

Yes, it was this one. The fix is also available at https://bugzilla.redhat.com/attachment.cgi?id=379614 .

Mirek
audit-viewer-0.6 released
Hello,
audit-viewer-0.6 is now available at https://fedorahosted.org/audit-viewer/wiki/AuditViewerDownloads .

Changes:
* Fix a crash when exporting an event list
* Fix chart display
* New or updated translations:
  - Asturian by Astur malditoas...@gmail.com
  - Danish by Kris Thomsen lakris...@gmail.com
  - French by Sam Friedmann sam.friedm...@redhat.com
  - Korean by Eunju Kim eu...@redhat.com
  - Russian by Yulia ypoya...@redhat.com
  - Simplified Chinese by CHAI Zhenhua watter1...@163.com

Mirek
Re: [PATCH] mapping of reactions
Hello, the code looks reasonable, some minor comments are below. I'll let Steve and others comment on the high-level design (just to point out a question, is it OK that auditctl will depend on sqlite?). Mirek - Juraj Hlista juro.hli...@gmail.com wrote: diff --git a/lib/libaudit.c b/lib/libaudit.c @@ -965,6 +983,14 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair, strncpy(rule-buf[offset], v, vlen); break; + case AUDIT_REACTION: + /* string identifiers were converted to numbers */ + if (isdigit((char)*(v))) Nitpick: the isdigit argument should be cast to (unsigned char). diff --git a/lib/reactarray.c b/lib/reactarray.c snip +int react_array_init(struct react_array *a, unsigned int size) snip + a-str = (char **)malloc(size * sizeof(char *)); The return value of malloc() is not usually manually cast in C. + if (!a-str) + return 1; + + for (i = 0; i size; i++) + a-str[i] = NULL; You can just use calloc() to initialize a-str. snip +void react_array_free(struct react_array *a) snip + for (i = 0; i a-count; i++) { + if (a-str[i]) + free(a-str[i]); free(NULL) is OK, so the if ( ) is not necessary. +int react_array_insert(struct react_array *a, const char *s) +{ snip + a-str[a-count] = (char *)malloc((strlen(s) + 1) * sizeof(char)); + if (!a-str[a-count]) + return 1; + + strcpy(a-str[a-count], s); Using strdup() would be simpler. 
diff --git a/src/auditctl-reactsql.c b/src/auditctl-reactsql.c snip +enum { + SQL_CHECK_DB = 0, Just use string constants in the code directly, this indirection is difficult to follow. snip +void sql_print_error(sqlite3 *c, int err) snip + fprintf(stderr, SQLite error: %s\n, sql_errmsg[-err - 2]); The -2 is a bit difficult to follow... I'd just sacrifice the two additional empty entries in sql_errmsg. snip +int sql_number_to_reaction(sqlite3 *c, const int num, char **str) snip + *str = malloc((strlen(reaction) + 1) * sizeof(char)); + if (*str == NULL) { + sqlite3_finalize(find_str); + return -SQL_NO_MEMORY; + } + strcpy(*str, reaction); Use strdup (). snip +/* + * Add a reaction to the database - if 'num' is greater than SQL_OFFSET, + * a reaction identifier (string) is already in the database and only + * 'used' is incremented. If there is not such a reaction string, a new + * one is inserted into the database and 'used' is set to 1. + */ Using a separate variable for new/existing would be much cleaner than the magic SQL_OFFSET. Especially see how this implementation detail leaks into auditctl.c. snip +int sql_get_next_number(sqlite3 *c, const char *str) Here as well. diff --git a/src/auditctl.c b/src/auditctl.c @@ -917,6 +972,97 @@ static int setopt(int count, int lineno, char snip + if (num SQL_OFFSET) + asprintf(cmd, react=%u, num - SQL_OFFSET); + else + asprintf(cmd, react=%u, num); + if (cmd) { (...) + } else { + fprintf(stderr, + Out of memory adding reaction\n); + sql_close_database(conn); + return -4; + } If you reverse the if (cmd) here, the else {} branch becomes the default control flow, resulting in a bit simpler code. 
@@ -1022,6 +1168,7 @@ static int fileopt(const char *file) /* Parse it */ if (reset_vars()) { + free_vars(); I didn't look in detail, this does not match my understanding of reset_vars(); reset_vars() is supposed to reinitialize everything for a next command, not free everything. (The free(rule_new) call you moved from reset_vars() to free_vars() was at the beginning of reset_vars(), not at the end.) @@ -1382,6 +1569,25 @@ static int audit_print_reply(struct audit_reply snip + rc = sql_number_to_reaction(conn, + rep-ruledata-values[i], + str_react); + if (rc 0) { I think it's preferable to print the number if the lookup fails, so that the admin can see at least something from the rule.
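Review bot: in the src/auditctl.c setopt() hunk, `if (cmd)` is not a reliable test for `asprintf()` failure: asprintf() reports failure through its -1 return value and the glibc manual states that the contents of the pointer are undefined in that case, so `cmd` may hold garbage and the "Out of memory adding reaction" branch is never reliably reached. Initialise `cmd = NULL` and test the return value instead, e.g. `if (asprintf(&cmd, "react=%u", num) < 0) { ... }`, which also lets the error branch come first as suggested above.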
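Review bot: across the lib/reactarray.c hunks the error convention does not match the rest of the patch: react_array_init() and react_array_insert() `return 1` on allocation failure, while sql_number_to_reaction() returns `-SQL_NO_MEMORY` and the auditctl.c hunk returns -4. Pick one convention (negative values, as libaudit already uses) and document it in the header so callers can test `< 0` everywhere.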
Re: [PATCH] audit: Reactive rules
Hello,

Juraj Hlista juro.hli...@gmail.com wrote:
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c @@ -415,7 +424,8 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, - int i; + int i, j = 0; + int k; @@ -425,7 +435,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, for (i = 0; i data-field_count; i++) { - struct audit_field *f = entry-rule.fields[i]; + struct audit_field *f = entry-rule.fields[i - j];

It would be more clear to have a source index (used for data), and a destination index (used for entry-rule.fields); j is currently a difference between the two.
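Review bot: in the first kernel/auditfilter.c hunk, `int k;` is added on its own line but nothing in either hunk uses it; drop it, or fold it into `int i, j = 0, k;` at the point where it is first needed. In the second hunk, a separate destination counter for `entry->rule.fields` (as suggested above) would also make the bound on the write index visible at the write site, which `fields[i - j]` does not.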
Re: [PATCH] audit: speedup for syscalls when auditing is disabled
Eric Paris epa...@redhat.com wrote:
> Add a new spot in the assembly which will call a function which will check if audit_n_rules > 0 and if so will set TIF_SYSCALL_AUDIT and if not will clear TIF_SYSCALL_AUDIT? It might make things slightly worse on systems which explicitly disable audit and the flag would always be clear on every task (like you did with the explicit rule) but I'm guessing might be a win on systems with no rules which are wasting time on the audit slow path.

Is audit_n_rules a specific enough trigger? Right now, even if there are no rules configured at all, audit_log_start() while processing a syscall will mark that syscall for auditing, and all collected information about the syscall will be logged at syscall exit. Would the suggested change break this behavior?

Mirek
[patch RFC]: userspace crypto auditing, v2
Hello,
I'm posting these patches for early review again; users of the code are not in the kernel yet.

Changes since the previous version:
- New record type CRYPTO_AUDIT_CRYPTO_KEY_VALUE, to implement basic level from CC
- aureport handles events with multiple crypto records

Record types
---
This patch set keeps the original single AUDIT_CRYPTO_USERSPACE_OP record type. Here is a description of all kinds of events that can happen, to facilitate discussion of the requested record types.

The following events cause creation of a CRYPTO_USERSPACE_OP record:
* context_new: A new crypto context (within which integer IDs are allocated) was set up.
  Fields: context ID
* context_del: A crypto context was destroyed.
  Fields: context ID
* key_wrap: A key was wrapped using another key
  Fields: context ID, wrapping algorithm name, [wrapping key], wrapped key
  If wrapping key is not explicitly recorded, it is the storage master key
* key_unwrap: A key was unwrapped using another key
  Fields: context ID, wrapping algorithm name, [wrapping key], wrapped key
  If wrapping key is not explicitly recorded, it is the storage master key
* key_export: Key material was written to userspace
  Fields: context ID, key algorithm, key
* key_import: Key material was read from userspace
  Fields: context ID, key algorithm, key
* key_zeroize: Key object was cleared
  Fields: context ID, key algorithm, key
  CRYPTO_KEY_VALUE record may follow
* key_gen: A key or key pair was generated
  Fields: context ID, key algorithm, key, [public key]
  One or two CRYPTO_KEY_VALUE records may follow
* key_get_info: Information about a key was provided to userspace
  Fields: context ID, key algorithm, key
* key_derive: A new key was derived from an existing key
  Fields: context ID, key algorithm, source key, new key
* session_init: A new crypto operation context was created
  Fields: context ID, [session ID], operation name, algorithm, [key]
  session ID is missing for sessions that do not span more than one system call
* session_op: An operation within a session was performed
  Fields: context ID, [session ID], operation name, algorithm, [input key]
* session_final: A session was finished
  Fields: context ID, [session ID], operation name, algorithm

In all of the above, "key" in Fields means integer key ID, longer-term ID byte string.

Looking at the record types proposed earlier, AUDIT_CRYPTO_STORAGE_KEY could perhaps use AUDIT_CRYPTO_PARAM_CHANGE_KERN, and all of the key_* events above can use AUDIT_CRYPTO_KEY_KERN. There is no good match for the session_* events. I also think the KEY_VALUE data should use separate records to allow filtering them out while keeping the rest of the information - see below for rationale.

Patch description
---
Three new records are defined; in each case output of records is caused by a syscall, and all other syscall-related data (process identity, syscall result) is audited in the usual records.

AUDIT_CRYPTO_STORAGE_KEY is used when a system-wide storage wrapping key is changed.

AUDIT_CRYPTO_USERSPACE_OP is used when any user-space program performs a crypto operation. To disable auditing these records by default and to allow the users to selectively enable them using filters, a new filter field AUDIT_CRYPTO_OP is defined; auditing of all crypto operations can thus be enabled using (auditctl -a exit,always -F crypto_op!=0).

AUDIT_CRYPTO_KEY_VALUE is used to record public key components when generating or zeroizing keys (as required for CC basic level auditing). The CRYPTO_KEY_VALUE record always immediately follows a CRYPTO_USERSPACE_OP record that describes the performed operation. Unfortunately the key components can be quite large (a 4096-bit value results in a 1kB field in the record), but there does not seem to be any way to avoid this. It would probably be possible, as an optimization, to skip creating these records if the *_KEY_VALUE type is filtered out (-a type,never).

Attached for review are:
- A kernel patch
- A userspace audit patch
- A few example audit entries

Mirek

type=SYSCALL msg=audit(1283346629.795:12190): arch=c03e syscall=2 success=yes exit=3 a0=400b57 a1=2 a2=0 a3=7fffe965cd20 items=1 ppid=1269 pid=1338 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm=ncr-setkey exe=/home/mitr/cryptodev-linux/userspace/ncr-setkey subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CRYPTO_USERSPACE_OP msg=audit(1283346629.795:12190): crypto_op=context_new ctx=0
type=CWD msg=audit(1283346629.795:12190): cwd=/root
type=PATH msg=audit(1283346629.795:12190): item=0 name=/dev/crypto inode=10233 dev=00:05 mode=020660 ouid=0 ogid=0 rdev=0a:3a obj=system_u:object_r:device_t:s0
type=CRYPTO_STORAGE_KEY msg=audit(1283346629.801:12191): key_size=16
type=SYSCALL msg=audit(1283346629.801:12191): arch=c03e syscall=16 success=yes exit=128 a0=3 a1=c01863ca a2=7fffe965d050 a3=7fffe965cd20
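As an added example (not part of the RFC or of the audit project), here is a small correlator over records of the kind attached above: it joins each CRYPTO_USERSPACE_OP and CRYPTO_STORAGE_KEY record with the process identity from the SYSCALL record of the same event, and applies a crypto_op predicate that plays the role of the -F crypto_op filter, mapping operation names to the numbers from the kernel patch. The sample lines are constructed after the attached entries; the fields of the second SYSCALL record past a3 are made up.

```python
"""Correlate CRYPTO_* records with the SYSCALL record of the same event and
apply a crypto_op filter (added example, not code from the RFC or from audit)."""
import re

# Operation numbers from the kernel patch in this RFC (AUDIT_CRYPTO_OP_*).
CRYPTO_OPS = {
    "context_new": 1, "context_del": 2, "session_init": 3, "session_op": 4,
    "session_final": 5, "key_import": 6, "key_export": 7, "key_wrap": 8,
    "key_unwrap": 9, "key_gen": 10, "key_derive": 11, "key_zeroize": 12,
    "key_get_info": 13,
}

# Constructed sample, modelled on the example entries attached to the RFC;
# the fields of the second SYSCALL record after a3 are made up for the sample.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1283346629.795:12190): arch=c000003e syscall=2 success=yes exit=3 a0=400b57 a1=2 a2=0 a3=7fffe965cd20 items=1 ppid=1269 pid=1338 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="ncr-setkey" exe="/home/mitr/cryptodev-linux/userspace/ncr-setkey" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CRYPTO_USERSPACE_OP msg=audit(1283346629.795:12190): crypto_op=context_new ctx=0
type=CWD msg=audit(1283346629.795:12190): cwd="/root"
type=PATH msg=audit(1283346629.795:12190): item=0 name="/dev/crypto" inode=10233 dev=00:05 mode=020660 ouid=0 ogid=0 rdev=0a:3a obj=system_u:object_r:device_t:s0
type=CRYPTO_STORAGE_KEY msg=audit(1283346629.801:12191): key_size=16
type=SYSCALL msg=audit(1283346629.801:12191): arch=c000003e syscall=16 success=yes exit=128 a0=3 a1=c01863ca a2=7fffe965d050 a3=7fffe965cd20 items=0 ppid=1269 pid=1338 auid=0 uid=0 comm="ncr-setkey" exe="/home/mitr/cryptodev-linux/userspace/ncr-setkey" key=(null)
"""

RECORD_RE = re.compile(r'^type=(\S+) msg=audit\(([\d.]+):(\d+)\): ?(.*)$')


def split_fields(rest):
    """name=value pairs of one record; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', rest)}


def crypto_activity(text, op_filter=None):
    """One row per CRYPTO_USERSPACE_OP or CRYPTO_STORAGE_KEY record, joined with
    the process identity from the SYSCALL record of the same event (same serial).
    op_filter, if given, is a predicate on the numeric crypto_op (None for
    CRYPTO_STORAGE_KEY, which has no crypto_op field) and stands in for an
    auditctl '-F crypto_op=...' or 'crypto_op!=0' filter."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m is None:
            continue
        rtype, ts, serial, rest = m.groups()
        ev = events.setdefault(int(serial), {"time": float(ts), "records": []})
        ev["records"].append((rtype, split_fields(rest)))

    rows = []
    for serial in sorted(events):
        ev = events[serial]
        proc = next((f for t, f in ev["records"] if t == "SYSCALL"), {})
        for rtype, f in ev["records"]:
            if rtype == "CRYPTO_USERSPACE_OP":
                op, num = f.get("crypto_op"), CRYPTO_OPS.get(f.get("crypto_op"))
            elif rtype == "CRYPTO_STORAGE_KEY":
                op, num = "storage_key_change", None
            else:
                continue
            if op_filter is not None and not op_filter(num):
                continue
            rows.append({
                "serial": serial, "time": ev["time"], "record": rtype,
                "op": op, "op_num": num, "ctx": f.get("ctx"), "key_size": f.get("key_size"),
                "pid": proc.get("pid"), "auid": proc.get("auid"), "comm": proc.get("comm"),
                "exe": proc.get("exe"), "syscall": proc.get("syscall"),
                "success": proc.get("success"),
            })
    return rows


if __name__ == "__main__":
    for row in crypto_activity(SAMPLE_LOG):
        print("%(serial)d %(record)s op=%(op)s pid=%(pid)s comm=%(comm)s "
              "syscall=%(syscall)s key_size=%(key_size)s" % row)
```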
Re: [patch RFC]: userspace crypto auditing, v2
Hello,
Thanks for the comments.

Eric Paris epa...@redhat.com wrote:
> A couple functions I think you can safely drop a level of indentation include audit_log_crypto_op(), audit_filter_rules(), and maybe log_crypto_op() needs a helper function to cut down the indentation? Maybe not.

Fixed all of these.

> I really don't like %s in audit_log_format(). So unless its easy to prove that the string meets all the rules and always will meet the rules, please use audit_log_string() (and in this code I noticed that I could not verify 'operation' in this patch, which makes me very nervous.

The callers ensure that the inputs are trusted, but I did have untrusted input there at least once, so it is indeed safer.

Attached is an updated patch; in addition to the above changes, it also splits struct audit_crypto_op to three to avoid a union, making the code easier to read and more similar to other auxiliary data structures in auditsc.c.

Mirek

diff --git a/include/linux/audit.h b/include/linux/audit.h index 3c7a358..cfb3363 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -122,6 +122,11 @@ #define AUDIT_MAC_UNLBL_STCADD 1416 /* NetLabel: add a static label */ #define AUDIT_MAC_UNLBL_STCDEL 1417 /* NetLabel: del a static label */ +#define AUDIT_CRYPTO_STORAGE_KEY1600 /* Key storage key configured */ +#define AUDIT_CRYPTO_USERSPACE_OP 1601 /* User-space crypto operation */ +#define AUDIT_CRYPTO_KEY_VALUE 1602 /* Public values of a key, immediatelly + follows USERSPACE_OP. */ + #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG1799 #define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */ @@ -207,6 +212,7 @@ #define AUDIT_OBJ_TYPE 21 #define AUDIT_OBJ_LEV_LOW 22 #define AUDIT_OBJ_LEV_HIGH 23 +#define AUDIT_CRYPTO_OP 24 /* These are ONLY useful when checking * at syscall exit time (AUDIT_AT_EXIT). */
@@ -314,6 +320,20 @@ enum { #define AUDIT_PERM_READ 4 #define AUDIT_PERM_ATTR 8 +#define AUDIT_CRYPTO_OP_CONTEXT_NEW 1 +#define AUDIT_CRYPTO_OP_CONTEXT_DEL 2 +#define AUDIT_CRYPTO_OP_SESSION_INIT 3 +#define AUDIT_CRYPTO_OP_SESSION_OP 4 +#define AUDIT_CRYPTO_OP_SESSION_FINAL 5 +#define AUDIT_CRYPTO_OP_KEY_IMPORT 6 +#define AUDIT_CRYPTO_OP_KEY_EXPORT 7 +#define AUDIT_CRYPTO_OP_KEY_WRAP 8 +#define AUDIT_CRYPTO_OP_KEY_UNWRAP 9 +#define AUDIT_CRYPTO_OP_KEY_GEN 10 +#define AUDIT_CRYPTO_OP_KEY_DERIVE 11 +#define AUDIT_CRYPTO_OP_KEY_ZEROIZE 12 +#define AUDIT_CRYPTO_OP_KEY_GET_INFO 13 + struct audit_status { __u32 mask; /* Bit mask for valid entries */ __u32 enabled; /* 1 = enabled, 0 = disabled */ @@ -404,6 +424,12 @@ struct audit_field { void*lsm_rule; }; +struct audit_crypto_value { + char name; + void *value; + size_t value_size; +}; + #define AUDITSC_INVALID 0 #define AUDITSC_SUCCESS 1 #define AUDITSC_FAILURE 2 @@ -479,6 +505,12 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, const struct cred *new, const struct cred *old); extern void __audit_log_capset(pid_t pid, const struct cred *new, const struct cred *old); +extern int __audit_log_crypto_op(int op, int context, int session, + const char *operation, const char *algorithm, + int key1, void *key1_id, size_t key1_id_size, + int key2, void *key2_id, size_t key2_id_size); +extern void __audit_log_crypto_values(const struct audit_crypto_value *values, + size_t num_values); static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) { 
@@ -532,6 +564,27 @@ static inline void audit_log_capset(pid_t pid, const struct cred *new, __audit_log_capset(pid, new, old); } +static inline int audit_log_crypto_op(int op, int context, int session, + const char *operation, + const char *algorithm, int key1, + void *key1_id, size_t key1_id_size, + int key2, void *key2_id, + size_t key2_id_size) +{ + if (likely(audit_dummy_context())) + return 0; + return __audit_log_crypto_op(op, context, session, operation, algorithm, + key1, key1_id, key1_id_size, key2, key2_id, + key2_id_size); +} + +static inline void audit_log_crypto_values(const struct audit_crypto_value *a, + size_t num_values) +{ + if (unlikely(!audit_dummy_context())) + __audit_log_crypto_values(a, num_values); +} + extern int audit_n_rules; extern int audit_signals; #else @@ -565,6 +618,8 @@ extern int audit_signals; #define audit_mq_getsetattr(d,s) ((void)0) #define audit_log_bprm_fcaps(b, ncr, ocr) ({ 0; }) #define audit_log_capset(pid, ncr, ocr) ((void)0) +#define audit_log_crypto_op(op, ctx, sess, k1, id1, size1, k2, id2, size2) (0) +#define audit_log_crypto_values(a, values, num_values) ((void)0) #define audit_ptrace(t) ((void)0) #define audit_n_rules 0 #define audit_signals 0 diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index a706040..a25a587 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -363,6 +363,7 @@ static
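Review bot: in the `#else` hunk (@@ -565, the no-CONFIG_AUDITSYSCALL stubs), the macros do not match the real prototypes: `audit_log_crypto_op(op, ctx, sess, k1, id1, size1, k2, id2, size2)` takes 9 parameters while the inline function defined in the @@ -532 hunk takes 11 (the `operation` and `algorithm` strings are missing), and `audit_log_crypto_values(a, values, num_values)` takes 3 while the function takes 2. Any caller written against the real signatures fails to compile in that configuration; make them `#define audit_log_crypto_op(op, ctx, sess, oper, alg, k1, id1, size1, k2, id2, size2) (0)` and `#define audit_log_crypto_values(a, num_values) ((void)0)`.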
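Review bot: in the @@ -479 hunk, `__audit_log_crypto_op()` takes `void *key1_id` and `void *key2_id`, and `struct audit_crypto_value.value` in the @@ -404 hunk is a plain `void *`, although the logging path only reads these buffers; make them `const void *` so callers can pass key identifiers from const structures without casts and the prototype documents that the buffers are not modified.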
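Review bot: the comment on `AUDIT_CRYPTO_KEY_VALUE` in the @@ -122 hunk misspells "immediately" ("immediatelly"); while fixing it, note there that one or two such records may follow a single USERSPACE_OP (as the cover letter says for key_gen), since this comment is the only place the kernel documents the record ordering that consumers rely on.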
Re: tty events
Hello,

Robert Daniels robertdaniels2...@gmail.com wrote:
> I'm using pam_tty_audit and am collecting specific users, including root. When logged in as root, the tty events are sent to the plugin in near real-time. However, when logged in as a user, the events are cached someplace and are eventually flushed to the dispatcher/plugin. The other odd thing is the cached user events are in a single event, and is a collection of multiple tty commands stored into one chunk of data. I've looked at the source code but do not see where this caching takes place.

For raw mode TTYs (e.g. the bash command-line editing environment, vi), newline is not a reliable command indicator, so the keystrokes are queued until the buffer (which is 4096 bytes) is full. Programs that accept something like commands should send USER_TTY records whenever a command is entered; this also flushes the buffer, creating the TTY record containing keystrokes to that point. If I remember correctly, this is implemented for bash and programs that use the readline library. The problem is that only programs running as root are allowed to send audit records from user-space, so the USER_TTY records sent from unprivileged programs are ignored and do not flush the buffer.

> I'd like to know if there is a setting to disable this caching and send the events in real time, or at least have a way to break these events up, and acquire a timestamp that matches when the events took place.

I'm afraid there isn't currently a practical way to do this. (bash --noediting) does not use the raw mode, but I'd hardly consider that practical.

Mirek
Re: Problems with command args
Jure Simsic jure.sim...@gmail.com wrote:
> Hi
> I need to audit some specific commands which have the following form
>
>     cmd -arg1 -arg2 -query 'some query(args)'
>
> In the audit log I get a record like:
>
>     type=EXECVE msg=audit(1282117611.037:27469599): argv[0]=cmd argv[1]=-arg1 argv[2]=-arg2 argv[3]=-query argv[4]=737472626567696E73287468726561645F69642C227468726561645F69643D32333639383932662229
>
> Now, I'd really need to get the last query argument in an understandable form. Is this possible or is this the way it is and I can't do it?

(ausearch -i), at least in recent versions.

Mirek
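As an added example (not code from the thread or from the audit project), here is what the interpretation step of ausearch -i does for the record above: arguments that the kernel logged as bare hex are decoded back to text, and the companion function shows the kernel's rule for when a value is hex-encoded rather than quoted (a double quote, a byte below 0x21 such as a space, or a byte above 0x7e). The record is reconstructed from the post in raw audit.log form, with the argc field and quoting assumed.

```python
"""Decode hex-encoded EXECVE arguments the way 'ausearch -i' does, and show
which argument values the kernel hex-encodes (added example, not audit code)."""
import re

# Constructed from the record in the post: argv[4] is the hex-encoded query.
SAMPLE_EXECVE = (
    'type=EXECVE msg=audit(1282117611.037:27469599): argc=5 a0="cmd" a1="-arg1" '
    'a2="-arg2" a3="-query" '
    'a4=737472626567696E73287468726561645F69642C227468726561645F69643D32333639383932662229'
)

# aN="quoted" or aN=HEX. finditer() is used so that a group that did not take
# part is None, keeping a0="" (empty, quoted) distinct from a hex value.
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')


def kernel_hex_encodes(value):
    """The kernel's audit_string_contains_control() rule: the value is logged
    as hex if any byte is a double quote, below 0x21 (space and control
    characters) or above 0x7e (non-ASCII); otherwise it is logged in quotes."""
    return any(b == 0x22 or b < 0x21 or b > 0x7e for b in value.encode("utf-8"))


def encode_as_kernel(value):
    """Field text as it would appear in audit.log for this argument value."""
    raw = value.encode("utf-8")
    return raw.hex().upper() if kernel_hex_encodes(value) else '"%s"' % value


def decode_execve_args(record):
    """argv as readable strings, in argument order; hex values are decoded."""
    args = {}
    for m in ARG_RE.finditer(record):
        idx, quoted, hexed = int(m.group(1)), m.group(2), m.group(3)
        if quoted is not None:
            args[idx] = quoted
        else:
            args[idx] = bytes.fromhex(hexed).decode("utf-8", "replace")
    return [args[i] for i in sorted(args)]


if __name__ == "__main__":
    for i, arg in enumerate(decode_execve_args(SAMPLE_EXECVE)):
        print("argv[%d]=%s" % (i, arg))
    # The space in the original 'some query(args)' is enough to force hex.
    print(encode_as_kernel("some query(args)"))
```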
RFC: AF_ALG auditing
Hello,
attached is a user-space patch that adds support for auditing uses of the AF_ALG protocol family developed by Herbert Xu to provide user-space access to kernel crypto accelerators. Kernel patches will follow.

One new record is defined: AUDIT_CRYPTO_USERSPACE_OP. An audited event is always caused by a syscall, and all other syscall-related data (process identity, syscall result) is audited in the usual records. To disable auditing crypto by default and to allow the users to selectively enable them using filters, a new filter field AUDIT_CRYPTO_OP is defined; auditing of all crypto operations can thus be enabled using (auditctl -a exit,always -F crypto_op!=0).

In addition to the user-space patch, attached are also a few example audit entries.

Mirek

diff -urN audit/lib/crypto_ops_table.h audit-2.0.5/lib/crypto_ops_table.h --- audit/lib/crypto_ops_table.h 1970-01-01 01:00:00.0 +0100 +++ audit-2.0.5/lib/crypto_ops_table.h 2010-11-23 12:46:30.228156952 +0100
@@ -0,0 +1,28 @@ +/* crypto_ops_table.h -- + * Copyright 2010 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Miloslav TrmaÄ m...@redhat.com + */ + +_S(AUDIT_CRYPTO_OP_TFM_NEW,tfm_new) +_S(AUDIT_CRYPTO_OP_TFM_KEY_IMPORT, tfm_key_import) +_S(AUDIT_CRYPTO_OP_TFM_DEL,tfm_del) +_S(AUDIT_CRYPTO_OP_CTX_NEW,ctx_new) +_S(AUDIT_CRYPTO_OP_CTX_OP, ctx_op) +_S(AUDIT_CRYPTO_OP_CTX_DEL,ctx_del) diff -urN audit/lib/errormsg.h audit-2.0.5/lib/errormsg.h --- audit/lib/errormsg.h 2010-09-22 17:02:27.0 +0200 +++ audit-2.0.5/lib/errormsg.h 2010-11-23 12:42:32.914851919 +0100 @@ -54,5 +54,6 @@ { -19,0,Key field needs a watch or syscall given prior to it }, { -20,2,-F missing value after operation for }, { -21,2,-F value should be number for }, -{ -22,2,-F missing field name before operator for } +{ -22,2,-F missing field name before operator for }, +{ -23,2,-F unknown crypto_op - } }; diff -urN audit/lib/fieldtab.h audit-2.0.5/lib/fieldtab.h --- audit/lib/fieldtab.h 2010-09-22 17:02:27.0 +0200 +++ audit-2.0.5/lib/fieldtab.h 2010-11-23 12:49:30.583184463 +0100 
@@ -55,6 +55,7 @@ _S(AUDIT_PERM, perm ) _S(AUDIT_DIR, dir ) _S(AUDIT_FILETYPE, filetype ) +_S(AUDIT_CRYPTO_OP,crypto_op) _S(AUDIT_ARG0, a0 ) _S(AUDIT_ARG1, a1 ) diff -urN audit/lib/libaudit.c audit-2.0.5/lib/libaudit.c --- audit/lib/libaudit.c 2010-09-22 17:02:27.0 +0200 +++ audit-2.0.5/lib/libaudit.c 2010-11-23 12:42:32.917851911 +0100 @@ -38,6 +38,8 @@ #include fcntl.h /* O_NOFOLLOW needs gnu defined */ #include limits.h /* for PATH_MAX */ +#include gen_tables.h +#include crypto_ops.h #include libaudit.h #include private.h #include errormsg.h @@ -1109,6 +,21 @@ else return -21; break; + case AUDIT_CRYPTO_OP: + if (flags != AUDIT_FILTER_EXIT) +return -7; + if (isdigit((unsigned char)*v)) +rule-values[rule-field_count] = + strtoul(v, NULL, 0); + else { +int op; + +if (crypto_op_s2i(v, op) != 0) + rule-values[rule-field_count] = op; +else + return -23; + } + break; case AUDIT_DEVMAJOR...AUDIT_INODE: case AUDIT_SUCCESS: if (flags != AUDIT_FILTER_EXIT) diff -urN audit/lib/libaudit.h audit-2.0.5/lib/libaudit.h --- audit/lib/libaudit.h 2010-09-22 17:02:27.0 +0200 +++ audit-2.0.5/lib/libaudit.h 2010-11-23 12:45:29.291347010 +0100 @@ -119,6 +119,7 @@ #endif #define AUDIT_FIRST_KERN_CRYPTO_MSG 1600 +#define AUDIT_CRYPTO_USERSPACE_OP 1600 /* User-space crypto operation */ #define AUDIT_LAST_KERN_CRYPTO_MSG 1699 #define AUDIT_FIRST_KERN_ANOM_MSG 1700 @@ -211,6 +212,14 @@ #define AUDIT_LAST_USER_MSG2 2999 #endif +#define AUDIT_CRYPTO_OP 109 + +#define AUDIT_CRYPTO_OP_TFM_NEW 1 +#define AUDIT_CRYPTO_OP_TFM_KEY_IMPORT 2 +#define AUDIT_CRYPTO_OP_TFM_DEL 3 +#define AUDIT_CRYPTO_OP_CTX_NEW 4 +#define AUDIT_CRYPTO_OP_CTX_OP 5 +#define AUDIT_CRYPTO_OP_CTX_DEL 6 /* This is related to the filterkey patch */ #define AUDIT_KEY_SEPARATOR 0x01 diff -urN audit/lib/Makefile.am
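Review bot: the lib/libaudit.h hunk defines the filter field `AUDIT_CRYPTO_OP` as 109, while the kernel RFC earlier in this thread defined `AUDIT_CRYPTO_OP` as 24; the user-space constant has to equal whatever number the forthcoming kernel patches assign, otherwise `-F crypto_op=...` rules are either rejected by the kernel or matched against a different field. State which value is authoritative in the cover letter and keep this header as the single place it is defined.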
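Review bot: in the lib/libaudit.c hunk, the numeric branch `strtoul(v, NULL, 0)` accepts trailing garbage ("3abc" becomes 3) and any value outside the defined AUDIT_CRYPTO_OP_* range; parse with an `endptr`, reject when `*endptr != '\0'`, and range-check the result against the six defined operations so that an unknown number produces the same -23 error as an unknown name.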
Re: Regarding bug 435682
> Here's a patch for version 2.1.3 which solves bug 435682 ( https://bugzilla.redhat.com/show_bug.cgi?id=435682 ). Patched auditctl allows to specify files having spaces in their names - just surround a filename with apostrophes.

This patch also arbitrarily breaks handling of apostrophes and \xFF characters in filenames; it probably is a marginal improvement, but any change to the format should IMHO start with an explicit and consistent specification of how quoting is supposed to work in audit.rules, and then implementing exactly that. If we do have to change the file format to support spaces, let's do it, but let's also make sure that we don't need to change it again soon to fix different artifacts of the parser implementation.

Mirek
Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
Hello,

- Original Message -
> Every keystroke is logged in /var/log/audit/audit.log which is great. My only issue is that I just realized that prompt passwords are also logged, e.g. MySQL password or Spacewalk, etc. I can read them in plain text when doing
>
>     aureport --tty -if /var/log/audit/audit.log
>
> and PCI-DSS forbids any kind of storage of passwords. Is there a workaround? E.g.: don't log keystrokes when the prompt is hidden (inputting a password)

Not auditing non-echoed input gives rogue users an ability to bypass auditing by starting an application that disables echo (e.g. to prompt for a password), and causing the application to terminate - the TTY will stay in the non-echoing mode, and future input will not be audited.

That said, for some people it really may be more important not to audit passwords than to audit every possible input, and providing users an option to choose one or the other is technically quite simple. It's on my long-term to-do list, but I'm afraid I'm not expecting to work on this in the near future. If anyone else wants to look at it, the original version of the patches https://www.redhat.com/archives/linux-audit/2007-June/msg0.html does contain code to exclude non-echoed input in canonical mode: just forward-port the code dealing with the ICANON and ECHO flags, and add a sysctl to control the behavior.

Mirek
Re: Advice on enriching logs with user and group names before moving them to a central log repository
- Original Message -
> It might still be an idea to have auparse_get_uid(au) etc.

I'm not 100% sure what you mean, but is perhaps auparse_interpret_field what you are looking for? It returns an interpreted (as opposed to raw) version of the field, e.g. a name instead of an UID.

Mirek
Re: cross-compiling difficulty with on-the-fly gen/build/use paradigm
- Original Message -
> I'm having a problem trying to cross-compile audit. The problem is that gen_actiontabs_h is built using the cross-compiler (for ARM), and then it's asked to run on the host (x86_64). Is there a simple way around this? A complex way, perhaps? Extra points for simple!

The simplest way for users of released tarballs would be to include the generated files inside the tarball - from a quick look that should be really simple, but it also doesn't help users of svn checkouts.

Then there are two more complex ways:
* Add the necessary build machinery: find a local C compiler, and use custom Make rules to build these tools. Unfortunately it seems that autotools don't provide a direct way to do this; some internet forums suggest creating a subdirectory with its own ./configure script that is configured to build for the build host even when cross-compiling.
* Rewrite the gen_tables.c code in an interpreted language, e.g. Python or Perl - adds a build dependency on that language, but avoids this problem.

In all of the cases above I'm worried about ABI differences - e.g. the build and host architecture having a different integer assigned to SHMGET or any of the other macros. I haven't checked whether that is really a problem, though. That might ultimately require the rewrite into an interpreted language (so that headers from the build and host systems wouldn't be mixed).

Of course it would also always work to build the tables at run-time, but I suspect that would be a bit frowned upon.

Mirek
Re: Help on Audit Rules
- Original Message -
> So my question is why normal users' audit event logs can't be captured as a type=USER_TTY, whereas root logs can be captured in a similar way.

USER_TTY is sent by the process that accepts the keyboard input. Unprivileged users are not allowed to send audit records (otherwise they would be able to fill the queue and/or the log partition, causing a DoS), so the USER_TTY record is discarded. Even for unprivileged users you should have the type=TTY records, although they are noticeably more difficult to interpret.

Mirek
Re: Questions about --with-alpha and --with-armeb configure flags
- Original Message -
> > If I understand correctly it's only adding arch detection and syscall tables to ausyscall. Why are these syscall tables conditional?
>
> To reduce the number of text relocations in libaudit. Libaudit links against a number of applications and text relocations eat memory and increase startup time.

Is that really an issue with the current code? The gentab.c code was designed to avoid text relocations. At least on x86_64 (which, true, is especially well-designed for this), there are no text relocations in libaudit nor libauparse, whether --with-alpha or --with-armeb are used or not. In fact the number of relocations of any kind is exactly the same in both cases. Anyone care to retest this on a different architecture, e.g. 32-bit x86?

FWIW, at least the attached patch was necessary to build with --with-alpha --with-armeb.

Mirek

Index: lib/lookup_table.c === --- lib/lookup_table.c (revision 718) +++ lib/lookup_table.c (working copy) @@ -75,10 +75,10 @@ { MACH_S390X, AUDIT_ARCH_S390X }, { MACH_S390,AUDIT_ARCH_S390 }, #ifdef WITH_ALPHA -{ MACH_ALPHA, AUDIT_ARCH_ALPHA } +{ MACH_ALPHA, AUDIT_ARCH_ALPHA }, #endif #ifdef WITH_ARMEB -{ MACH_ARMEB, AUDIT_ARCH_ARMEB } +{ MACH_ARMEB, AUDIT_ARCH_ARMEB }, #endif }; #define AUDIT_ELF_NAMES (sizeof(elftab)/sizeof(elftab[0])) Index: lib/test/lookup_test.c === --- lib/test/lookup_test.c (revision 718) +++ lib/test/lookup_test.c (working copy) @@ -325,8 +325,11 @@ printf(Testing machinetab...\n); #define I2S(I) audit_machine_to_name(I) #define S2I(S) audit_name_to_machine(S) - TEST_I2S(t[i].s[0] == 'i' t[i].s[1] = '4' t[i].s[1] = '6' - strcmp(t[i].s + 2, 86) == 0); + TEST_I2S((t[i].s[0] == 'i' t[i].s[1] = '4' t[i].s[1] = '6' + strcmp(t[i].s + 2, 86) == 0) + || strcmp(t[i].s, armv5tejl) == 0 + || strcmp(t[i].s, armv6l) == 0 + || strcmp(t[i].s, armv7l) == 0); TEST_S2I(-1); #undef I2S #undef S2I
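Review bot: in the lib/lookup_table.c hunk the trailing commas added to `{ MACH_ALPHA, AUDIT_ARCH_ALPHA },` and `{ MACH_ARMEB, AUDIT_ARCH_ARMEB },` are the right fix; without them the table only compiles when the conditional entry happens to be the last initializer, which is exactly the case that breaks once both WITH_ALPHA and WITH_ARMEB are defined. C permits a trailing comma in an aggregate initializer, so the table stays valid whether neither, one or both macros are set; it would be worth building with both flags enabled as part of whatever check exists for the configure options, since that is the only combination that exposed this.

Review bot: in the lib/test/lookup_test.c hunk the added `|| strcmp(t[i].s, armv5tejl) == 0` / `armv6l` / `armv7l` chain hardcodes three ARM machine names, so every future machinetab entry that does not match the i?86 rule needs one more line here; deriving the exclusion from the table itself would keep the test from going stale. Also, as the archive shows it, the condition `t[i].s[0] == 'i' t[i].s[1] = '4' t[i].s[1] = '6'` has lost the operators between its comparisons (and the string literals their quotes), presumably eaten by the HTML rendering; worth confirming that the committed version reads as intended before relying on this copy.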
Re: Questions about --with-alpha and --with-armeb configure flags
- Original Message -
> On Fri, 30 Nov 2012 09:05:19 -0500, Steve Grubb sgr...@redhat.com wrote:
> > On Friday, November 30, 2012 02:42:27 PM Laurent Bigonville wrote:
> > > On Mon, 26 Nov 2012 12:21:55 -0500 (EST), Miloslav Trmac m...@redhat.com wrote:
> > > > FWIW, at least the attached patch was necessary to build with --with-alpha --with-armeb.
> > > > Mirek
> > >
> > > I unfortunately still have a failure in the checks with both svn HEAD and 2.2.1 when passing --with-armeb
> > >
> > > Unexpected match `a1'
> > > FAIL: lookup_test
> > >
> > > An idea?
> >
> > Thanks for reporting this. It's fixed in trunk now.
>
> Thanks, arm support is now compiling. But it is still failing with the same error if both --with-alpha and --with-armeb are enabled.

Locally I fixed it by adding a srand(2) to the beginning of main() in lib/test/lookup_test.c. A real fix would probably involve replacing the /* Blindly assuming this will not generate a meaningful identifier. */ comment with code that detects such cases and ignores them.

Mirek
Re: pam_tty_audit
Hello,

- Original Message -
> But if user1 does log on, no commands are logged

Are you talking about TTY or USER_TTY records, and are you checking immediately after entering the command, or after exiting the session? Unprivileged users are not allowed to send USER_TTY records as each command is entered, so the input read by unprivileged users is audited only when the (4 KB) buffer is flushed or the process (i.e. the shell) exits.

Mirek
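The two replies above make the same practical point from different angles: for unprivileged users only the kernel's type=TTY records exist, their data= field is the raw input hex-encoded, and a record is emitted per buffer flush or process exit rather than per command, so one command can be split across records. The following decoder is an added example, not code from the audit project or from ausearch: it assumes the name=value record layout, the sample records are constructed, and the rendering rules (Enter ends a line, BS/DEL erases, other control bytes in caret notation) are this example's own choice.

```python
"""Decode and reassemble type=TTY audit records.

Added example, not code from the audit project.  The kernel's TTY
auditing emits one TTY record per flush of the per-process buffer,
with the raw input bytes hex-encoded in the data= field, so one
command can be split across records and a record can hold several
commands.  The sample records below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample: pid 1234 (ses 3) types "ls -l" and then
# "cat /etc/shadow" with one typo corrected by DEL; the second command
# is split across two records as if the buffer had been flushed
# mid-line.  pid 1300 (ses 4) types "id" and interrupts with ^C.
SAMPLE_LOG = """\
type=TTY msg=audit(1363199797.117:5125): tty pid=1234 uid=0 auid=1000 ses=3 major=136 minor=1 comm="bash" data=6C73202D6C0D
type=TTY msg=audit(1363199801.512:5126): tty pid=1234 uid=0 auid=1000 ses=3 major=136 minor=1 comm="bash" data=63617420
type=TTY msg=audit(1363199804.001:5127): tty pid=1234 uid=0 auid=1000 ses=3 major=136 minor=1 comm="bash" data=2F6574632F7368616F7F646F770D
type=TTY msg=audit(1363199810.300:5128): tty pid=1300 uid=1001 auid=1001 ses=4 major=136 minor=2 comm="bash" data=6964030D
"""

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Split one audit record into a dict of field name -> value.

    Assumes the name=value layout (the thread notes that not every record
    type keeps it).  Quoted values lose their quotes; the
    msg=audit(timestamp:serial) header becomes the 'ts' and 'serial' keys.
    """
    m = MSG_RE.search(line)
    if not m:
        raise ValueError("no msg=audit(...) header in: %r" % line)
    rec = {"ts": float(m.group(1)), "serial": int(m.group(2))}
    for name, value in FIELD_RE.findall(line):
        if name == "msg":
            continue
        rec[name] = value[1:-1] if value.startswith('"') else value
    return rec


def render_keystrokes(raw):
    """Turn raw input bytes into (completed_lines, unfinished_tail).

    Rendering rules are this example's own: CR/LF ends a line, BS/DEL
    erases the previous character, other control bytes appear in caret
    notation (^C, ^[ for ESC) and non-ASCII bytes as \\xNN.
    """
    lines, cur = [], []
    for b in raw:
        if b in (0x0D, 0x0A):
            lines.append("".join(cur))
            cur = []
        elif b in (0x08, 0x7F):
            if cur:
                cur.pop()
        elif b < 0x20:
            cur.append("^" + chr(b + 0x40))
        elif b < 0x7F:
            cur.append(chr(b))
        else:
            cur.append("\\x%02x" % b)
    return lines, "".join(cur)


def reassemble(log_text):
    """Group TTY records by (ses, pid, comm), join their data in serial
    order and render the result.  Joining before rendering is what
    recovers a command whose bytes were flushed in two records."""
    chunks = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("type") != "TTY":
            continue
        key = (rec["ses"], rec["pid"], rec["comm"])
        chunks[key].append((rec["serial"], bytes.fromhex(rec["data"])))
    return {key: render_keystrokes(b"".join(d for _, d in sorted(parts)))
            for key, parts in chunks.items()}


if __name__ == "__main__":
    for (ses, pid, comm), (lines, tail) in sorted(reassemble(SAMPLE_LOG).items()):
        for cmd in lines:
            print("ses=%s pid=%s %s: %s" % (ses, pid, comm, cmd))
        if tail:
            print("ses=%s pid=%s %s: %s (unterminated)" % (ses, pid, comm, tail))
```

Run against the constructed sample, the ses 3 session comes out as the two lines `ls -l` and `cat /etc/shadow` even though the second command straddles records 5126 and 5127, and the ses 4 session shows `id^C`. The same decoding is why the later PCI-DSS discussion on this page matters: whatever a non-echoing prompt reads from the TTY lands in data= just like a command does.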
Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
- Original Message -
> I am resurrecting this old thread from last summer because I ran into the same issue and found the thread in the archives via Google. It would be very nice if everything could be logged except passwords.

There is work being done. Sorry, I don't have more specifics as to availability, perhaps others do.

Mirek
Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
- Original Message -
> > Please do post the patch here when you have it worked out as I am very likely to miss it in the flood of kernel patches when it goes to/from Linus.
>
> Here you go. Given Steve's good question, this control method may change.

Isn't icanon _true_ when the data is echoed? This patch would allow dropping the echoed data (i.e. commands), not the non-echoed data (i.e. passwords). (I might be mistaken and I haven't tested this.)

Mirek
Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
- Original Message -
> On Wed, Mar 13, 2013 at 12:43:58PM -0400, Miloslav Trmac wrote:
> > - Original Message -
> > > > Please do post the patch here when you have it worked out as I am very likely to miss it in the flood of kernel patches when it goes to/from Linus.
> > >
> > > Here you go. Given Steve's good question, this control method may change.
> >
> > Isn't icanon _true_ when the data is echoed? This patch would allow dropping the echoed data (i.e. commands), not the non-echoed data (i.e. passwords). (I might be mistaken and I haven't tested this.)
>
> Apparently not. This is what took me longer than I initially thought necessary to get this working, rechecking my pam incantations along the way. I went back and actually removed my switch and just isolated icanon in the decision to abort the function to confirm how it worked, then inverted the test, which is when it started working. Eric was right to start with.

Are you looking at AUDIT_TTY only, or at AUDIT_USER_TTY as well? The latter is generated by bash and not relevant.

Anyway, I was being stupid - icanon is enabled even when asking for passwords (because backspace works). When asking for passwords, the situation seems to be (ICANON && !ECHO) (using the tcsetattr(3p) names; I have checked agetty(8) and su(1)). We definitely want to audit (ICANON && ECHO); I'm not sure about the !ICANON cases - I suspect we want them audited as well. But that might need a more detailed look.

Mirek
Re: Thoughts on adding sd-journal as a log_format to auditd
- Original Message -
> 2) Write an audispd plugin that used the sd-journal API to store audit events in the journal.
> 3) Add sd-journal as a log format to auditd.

Both of these will run into the problem recently discussed on this mailing list: the available methods to parse audit records into fields are a bit imprecise/lossy because not all records keep the name=value format as expected. This can be OK if auparse is able to extract all the data you need/expect to process.

Mirek
Re: pam_tty_audit icanon log switch
- Original Message -
> Most commands are entered one line at a time and processed as complete lines in non-canonical mode. Commands that interactively require a password enter canonical mode to do this. This feature (icanon) can be used to avoid logging passwords by audit while still logging the rest of the command.

There was an earlier discussion about the correctness of using ICANON for this. Is ICANON really the right variable? AFAICT the settings are used like this:

(cat) and other programs that just take standard input: ICANON && ECHO
(bash), (vi) and other interactive programs: !ICANON && !ECHO
password prompts: ICANON && !ECHO

and we want to exclude only password prompts.

Mirek
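To make the ICANON/ECHO table above concrete, together with the earlier observation that password prompts keep ICANON so backspace still works, here is an added example that is not the kernel patch under discussion and not part of audit. It classifies a termios c_lflag value into the three modes listed in the table, applies the policy the thread converges on (drop only the ICANON && !ECHO case) and drives a fresh pseudo-terminal through the three states the way a getpass-style prompt or a readline shell would. The names classify, should_audit, password_mode, set_mode and probe_pty are this example's own.

```python
"""Audit-or-skip decision for TTY input based on termios c_lflag.

Added example; not the kernel patch discussed in the thread and not
part of audit.  It encodes the table from the thread (cat: ICANON &&
ECHO; bash/vi: !ICANON && !ECHO; password prompts: ICANON && !ECHO)
and the proposed policy of skipping only the password-prompt case.
"""
import os
import termios

LFLAG = 3  # index of c_lflag in the list returned by termios.tcgetattr()


def lflag_for(icanon, echo):
    """Build a c_lflag value with only the two bits of interest set."""
    return (termios.ICANON if icanon else 0) | (termios.ECHO if echo else 0)


def classify(lflag):
    """Map a c_lflag to one of the modes listed in the thread."""
    icanon = bool(lflag & termios.ICANON)
    echo = bool(lflag & termios.ECHO)
    if icanon and echo:
        return "line-input"        # cat, read(1): kernel line editing, echoed
    if not icanon and not echo:
        return "interactive"       # bash (readline), vi: program edits and echoes itself
    if icanon and not echo:
        return "password-prompt"   # getpass(3), su, agetty login: line editing, no echo
    return "raw-echo"              # !ICANON && ECHO: rare, and not a password prompt


def should_audit(lflag):
    """Proposed policy from the thread: log everything except password prompts."""
    return classify(lflag) != "password-prompt"


def password_mode(fd):
    """Put fd into the state a getpass-style prompt uses: keep ICANON so
    backspace still edits the line, clear ECHO.  Returns the new c_lflag."""
    attrs = termios.tcgetattr(fd)
    attrs[LFLAG] = (attrs[LFLAG] | termios.ICANON) & ~termios.ECHO
    termios.tcsetattr(fd, termios.TCSANOW, attrs)
    return termios.tcgetattr(fd)[LFLAG]


def set_mode(fd, icanon, echo):
    """Force just the two bits on fd, leaving the other c_lflag bits alone."""
    attrs = termios.tcgetattr(fd)
    attrs[LFLAG] &= ~(termios.ICANON | termios.ECHO)
    attrs[LFLAG] |= lflag_for(icanon, echo)
    termios.tcsetattr(fd, termios.TCSANOW, attrs)
    return termios.tcgetattr(fd)[LFLAG]


def probe_pty():
    """Walk a fresh pseudo-terminal through the three states and return
    what the audit decision would be in each.  Raises OSError or
    termios.error where no pty can be allocated."""
    master, slave = os.openpty()
    try:
        return {
            "line-input": should_audit(set_mode(slave, True, True)),
            "interactive": should_audit(set_mode(slave, False, False)),
            "password": should_audit(password_mode(slave)),
        }
    finally:
        os.close(master)
        os.close(slave)


if __name__ == "__main__":
    for name, ok in probe_pty().items():
        print("%-12s -> %s" % (name, "audit" if ok else "skip"))
```

The probe reads the flags back with tcgetattr after each tcsetattr, which is the same place a kernel-side check would look; the point the thread settles on is visible in the result: the password prompt differs from plain line input only in ECHO, so a test on ICANON alone cannot separate them.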