Hello, attached is an user-space patch that adds support for auditing uses of the AF_ALG protocol family developed by Herbert Xu to provide user-space access to kernel crypto accelerators. Kernel patches will follow.
One new record is defined: AUDIT_CRYPTO_USERSPACE_OP. An audited event is
always caused by a syscall, and all other syscall-related data (process
identity, syscall result) is audited in the usual records.
To disable auditing crypto by default and to allow the users to selectively
enable them using filters, a new filter field AUDIT_CRYPTO_OP is defined;
auditing of all crypto operations can thus be enabled using (auditctl -a
exit,always -F crypto_op!=0).
In addition to the user-space patch, attached are also a few example audit
entries.
Mirekdiff -urN audit/lib/crypto_ops_table.h audit-2.0.5/lib/crypto_ops_table.h
--- audit/lib/crypto_ops_table.h 1970-01-01 01:00:00.000000000 +0100
+++ audit-2.0.5/lib/crypto_ops_table.h 2010-11-23 12:46:30.228156952 +0100
@@ -0,0 +1,28 @@
+/* crypto_ops_table.h --
+ * Copyright 2010 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Miloslav TrmaÄ <m...@redhat.com>
+ */
+
+_S(AUDIT_CRYPTO_OP_TFM_NEW, "tfm_new")
+_S(AUDIT_CRYPTO_OP_TFM_KEY_IMPORT, "tfm_key_import")
+_S(AUDIT_CRYPTO_OP_TFM_DEL, "tfm_del")
+_S(AUDIT_CRYPTO_OP_CTX_NEW, "ctx_new")
+_S(AUDIT_CRYPTO_OP_CTX_OP, "ctx_op")
+_S(AUDIT_CRYPTO_OP_CTX_DEL, "ctx_del")
diff -urN audit/lib/errormsg.h audit-2.0.5/lib/errormsg.h
--- audit/lib/errormsg.h 2010-09-22 17:02:27.000000000 +0200
+++ audit-2.0.5/lib/errormsg.h 2010-11-23 12:42:32.914851919 +0100
@@ -54,5 +54,6 @@
{ -19, 0, "Key field needs a watch or syscall given prior to it" },
{ -20, 2, "-F missing value after operation for" },
{ -21, 2, "-F value should be number for" },
- { -22, 2, "-F missing field name before operator for" }
+ { -22, 2, "-F missing field name before operator for" },
+ { -23, 2, "-F unknown crypto_op - " }
};
diff -urN audit/lib/fieldtab.h audit-2.0.5/lib/fieldtab.h
--- audit/lib/fieldtab.h 2010-09-22 17:02:27.000000000 +0200
+++ audit-2.0.5/lib/fieldtab.h 2010-11-23 12:49:30.583184463 +0100
@@ -55,6 +55,7 @@
_S(AUDIT_PERM, "perm" )
_S(AUDIT_DIR, "dir" )
_S(AUDIT_FILETYPE, "filetype" )
+_S(AUDIT_CRYPTO_OP, "crypto_op" )
_S(AUDIT_ARG0, "a0" )
_S(AUDIT_ARG1, "a1" )
diff -urN audit/lib/libaudit.c audit-2.0.5/lib/libaudit.c
--- audit/lib/libaudit.c 2010-09-22 17:02:27.000000000 +0200
+++ audit-2.0.5/lib/libaudit.c 2010-11-23 12:42:32.917851911 +0100
@@ -38,6 +38,8 @@
#include <fcntl.h> /* O_NOFOLLOW needs gnu defined */
#include <limits.h> /* for PATH_MAX */
+#include "gen_tables.h"
+#include "crypto_ops.h"
#include "libaudit.h"
#include "private.h"
#include "errormsg.h"
@@ -1109,6 +1111,21 @@
else
return -21;
break;
+ case AUDIT_CRYPTO_OP:
+ if (flags != AUDIT_FILTER_EXIT)
+ return -7;
+ if (isdigit((unsigned char)*v))
+ rule->values[rule->field_count] =
+ strtoul(v, NULL, 0);
+ else {
+ int op;
+
+ if (crypto_op_s2i(v, &op) != 0)
+ rule->values[rule->field_count] = op;
+ else
+ return -23;
+ }
+ break;
case AUDIT_DEVMAJOR...AUDIT_INODE:
case AUDIT_SUCCESS:
if (flags != AUDIT_FILTER_EXIT)
diff -urN audit/lib/libaudit.h audit-2.0.5/lib/libaudit.h
--- audit/lib/libaudit.h 2010-09-22 17:02:27.000000000 +0200
+++ audit-2.0.5/lib/libaudit.h 2010-11-23 12:45:29.291347010 +0100
@@ -119,6 +119,7 @@
#endif
#define AUDIT_FIRST_KERN_CRYPTO_MSG 1600
+#define AUDIT_CRYPTO_USERSPACE_OP 1600 /* User-space crypto operation */
#define AUDIT_LAST_KERN_CRYPTO_MSG 1699
#define AUDIT_FIRST_KERN_ANOM_MSG 1700
@@ -211,6 +212,14 @@
#define AUDIT_LAST_USER_MSG2 2999
#endif
+#define AUDIT_CRYPTO_OP 109
+
+#define AUDIT_CRYPTO_OP_TFM_NEW 1
+#define AUDIT_CRYPTO_OP_TFM_KEY_IMPORT 2
+#define AUDIT_CRYPTO_OP_TFM_DEL 3
+#define AUDIT_CRYPTO_OP_CTX_NEW 4
+#define AUDIT_CRYPTO_OP_CTX_OP 5
+#define AUDIT_CRYPTO_OP_CTX_DEL 6
/* This is related to the filterkey patch */
#define AUDIT_KEY_SEPARATOR 0x01
diff -urN audit/lib/Makefile.am audit-2.0.5/lib/Makefile.am
--- audit/lib/Makefile.am 2010-09-22 17:02:27.000000000 +0200
+++ audit-2.0.5/lib/Makefile.am 2010-11-23 12:42:32.921851901 +0100
@@ -37,7 +37,7 @@
libaudit_la_LDFLAGS = -Wl,-z,relro -version-info $(VERSION_INFO)
nodist_libaudit_la_SOURCES = $(BUILT_SOURCES)
-BUILT_SOURCES = actiontabs.h errtabs.h fieldtabs.h flagtabs.h \
+BUILT_SOURCES = actiontabs.h crypto_ops.h errtabs.h fieldtabs.h flagtabs.h \
ftypetabs.h i386_tables.h ia64_tables.h machinetabs.h \
msg_typetabs.h optabs.h ppc_tables.h s390_tables.h \
s390x_tables.h x86_64_tables.h
@@ -47,8 +47,8 @@
if USE_ARMEB
BUILT_SOURCES += armeb_tables.h
endif
-noinst_PROGRAMS = gen_actiontabs_h gen_errtabs_h gen_fieldtabs_h \
- gen_flagtabs_h gen_ftypetabs_h gen_i386_tables_h \
+noinst_PROGRAMS = gen_actiontabs_h gen_crypto_ops_h gen_errtabs_h \
+ gen_fieldtabs_h gen_flagtabs_h gen_ftypetabs_h gen_i386_tables_h \
gen_ia64_tables_h gen_machinetabs_h gen_msg_typetabs_h \
gen_optabs_h gen_ppc_tables_h gen_s390_tables_h \
gen_s390x_tables_h gen_x86_64_tables_h
@@ -77,6 +77,11 @@
./gen_armeb_tables_h --lowercase --i2s --s2i armeb_syscall > $@
endif
+gen_crypto_ops_h_SOURCES = gen_tables.c gen_tables.h crypto_ops_table.h
+gen_crypto_ops_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="crypto_ops_table.h"'
+crypto_ops.h: gen_crypto_ops_h Makefile
+ ./gen_crypto_ops_h --lowercase --s2i crypto_op > $@
+
gen_errtabs_h_SOURCES = gen_tables.c gen_tables.h errtab.h
gen_errtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="errtab.h"'
errtabs.h: gen_errtabs_h Makefile
diff -urN audit/lib/msg_typetab.h audit-2.0.5/lib/msg_typetab.h
--- audit/lib/msg_typetab.h 2010-09-22 17:02:27.000000000 +0200
+++ audit-2.0.5/lib/msg_typetab.h 2010-11-23 12:44:00.963608651 +0100
@@ -122,6 +122,7 @@
_S(AUDIT_MAC_IPSEC_EVENT, "MAC_IPSEC_EVENT" )
_S(AUDIT_MAC_UNLBL_STCADD, "MAC_UNLBL_STCADD" )
_S(AUDIT_MAC_UNLBL_STCDEL, "MAC_UNLBL_STCDEL" )
+_S(AUDIT_CRYPTO_USERSPACE_OP, "CRYPTO_USERSPACE_OP" )
_S(AUDIT_ANOM_PROMISCUOUS, "ANOM_PROMISCUOUS" )
_S(AUDIT_ANOM_ABEND, "ANOM_ABEND" )
_S(AUDIT_INTEGRITY_DATA, "INTEGRITY_DATA" )
diff -urN audit/src/aureport-output.c audit-2.0.5/src/aureport-output.c
--- audit/src/aureport-output.c 2010-09-22 17:02:21.000000000 +0200
+++ audit-2.0.5/src/aureport-output.c 2010-11-23 12:42:32.910851932 +0100
@@ -600,7 +600,7 @@
// auid type success event
printf("%s %s %s %lu\n",
aulookup_uid(l->s.loginuid, name, sizeof(name)),
- audit_msg_type_to_name(l->head->type),
+ audit_msg_type_to_name(l->cur->type),
aulookup_success(l->s.success),
l->e.serial);
break;
diff -urN audit/src/aureport-scan.c audit-2.0.5/src/aureport-scan.c
--- audit/src/aureport-scan.c 2010-09-22 17:02:21.000000000 +0200
+++ audit-2.0.5/src/aureport-scan.c 2010-11-23 12:42:32.912851925 +0100
@@ -420,8 +420,12 @@
case RPT_CRYPTO:
if (list_find_msg_range(l, AUDIT_FIRST_KERN_CRYPTO_MSG,
AUDIT_LAST_KERN_CRYPTO_MSG)) {
- ilist_add_if_uniq(&sd.crypto_list,
- l->head->type, 0);
+ do
+ ilist_add_if_uniq(&sd.crypto_list,
+ l->cur->type, 0);
+ while (list_find_next_msg_range(l,
+ AUDIT_FIRST_KERN_CRYPTO_MSG,
+ AUDIT_LAST_KERN_CRYPTO_MSG));
} else {
if (list_find_msg_range(l,
AUDIT_FIRST_CRYPTO_MSG,
@@ -663,7 +667,11 @@
if (list_find_msg_range(l,
AUDIT_FIRST_KERN_CRYPTO_MSG,
AUDIT_LAST_KERN_CRYPTO_MSG)) {
- print_per_event_item(l);
+ do
+ print_per_event_item(l);
+ while (list_find_next_msg_range(l,
+ AUDIT_FIRST_KERN_CRYPTO_MSG,
+ AUDIT_LAST_KERN_CRYPTO_MSG));
rc = 1;
} else {
if (list_find_msg_range(l,
diff -urN audit/src/ausearch-llist.c audit-2.0.5/src/ausearch-llist.c
--- audit/src/ausearch-llist.c 2010-09-22 17:02:21.000000000 +0200
+++ audit-2.0.5/src/ausearch-llist.c 2010-11-23 12:42:32.911851928 +0100
@@ -245,3 +245,22 @@
return NULL;
}
+
+lnode *list_find_next_msg_range(llist *l, int low, int high)
+{
+ register lnode *window;
+
+ if (high <= low)
+ return NULL;
+
+ window = l->cur->next;
+ while (window) {
+ if (window->type >= low && window->type <= high) {
+ l->cur = window;
+ return window;
+ } else
+ window = window->next;
+ }
+ return NULL;
+}
+
diff -urN audit/src/ausearch-llist.h audit-2.0.5/src/ausearch-llist.h
--- audit/src/ausearch-llist.h 2010-09-22 17:02:21.000000000 +0200
+++ audit-2.0.5/src/ausearch-llist.h 2010-11-23 12:42:32.913851922 +0100
@@ -107,5 +107,8 @@
/* Given two message types, find the first matching node */
lnode *list_find_msg_range(llist *l, int low, int high);
+/* Given two message types, find the next matching node */
+lnode *list_find_next_msg_range(llist *l, int low, int high);
+
#endif
audit-examples
Description: Binary data
-- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
