[PATCH ghak21 V2 1/4] audit: make ANOM_LINK obey audit_enabled and audit_dummy_context

2018-03-12 Thread Richard Guy Briggs
Audit link denied events emit disjointed records when audit is disabled. No records should be emitted when audit is disabled.
See: https://github.com/linux-audit/audit-kernel/issues/21
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c | 3 +++
1 file changed, 3 insertions(+)

[PATCH ghak21 V2 4/4] audit: add parent of refused symlink to audit_names

2018-03-12 Thread Richard Guy Briggs
Audit link denied events for symlinks were missing the parent PATH record. Add it. Since the full pathname may not be available, reconstruct it from the path in the nameidata supplied.
See: https://github.com/linux-audit/audit-kernel/issues/21
Signed-off-by: Richard Guy Briggs

[PATCH ghak21 V2 2/4] audit: link denied should not directly generate PATH record

2018-03-12 Thread Richard Guy Briggs
Audit link denied events generate duplicate PATH records which disagree in different ways from symlink and hardlink denials. audit_log_link_denied() should not directly generate PATH records. While we're at it, remove the now useless struct path argument. See:

[PATCH ghak21 V2 3/4] audit: add refused symlink to audit_names

2018-03-12 Thread Richard Guy Briggs
Audit link denied events for symlinks had duplicate PATH records rather than just updating the existing PATH record. Update the symlink's PATH record with the current dentry and inode information.
See: https://github.com/linux-audit/audit-kernel/issues/21
Signed-off-by: Richard Guy Briggs

[PATCH ghak21 V2 0/4] audit: address ANOM_LINK excess records

2018-03-12 Thread Richard Guy Briggs
Audit link denied events were being unexpectedly produced in a disjoint way when audit was disabled, and when they were expected, there were duplicate PATH records. This patchset addresses both issues for symlinks and hardlinks. This was introduced with commit

Re: [RFC PATCH ghak21 4/4] audit: add parent of refused symlink to audit_names

2018-03-12 Thread Richard Guy Briggs
On 2018-03-08 19:50, Paul Moore wrote: > On Wed, Feb 14, 2018 at 11:18 AM, Richard Guy Briggs wrote: > > Audit link denied events for symlinks were missing the parent PATH > > record. Add it. Since the full pathname may not be available, > > reconstruct it from the path in the

Re: [RFC PATCH ghak21 2/4] audit: link denied should not directly generate PATH record

2018-03-12 Thread Richard Guy Briggs
On 2018-03-08 19:26, Paul Moore wrote: > On Wed, Feb 14, 2018 at 11:18 AM, Richard Guy Briggs wrote: > > Audit link denied events generate duplicate PATH records which disagree > > in different ways from symlink and hardlink denials. > > audit_log_link_denied() should not

Re: [PATCH ghak21 V2 0/4] audit: address ANOM_LINK excess records

2018-03-12 Thread Richard Guy Briggs
On 2018-03-12 02:31, Richard Guy Briggs wrote: > Audit link denied events were being unexpectedly produced in a disjoint > way when audit was disabled, and when they were expected, there were > duplicate PATH records. This patchset addresses both issues for > symlinks and hardlinks. > > This was

Re: [PATCH ghak21 V2 3/4] audit: add refused symlink to audit_names

2018-03-12 Thread Paul Moore
On Mon, Mar 12, 2018 at 2:31 AM, Richard Guy Briggs wrote: > Audit link denied events for symlinks had duplicate PATH records rather > than just updating the existing PATH record. Update the symlink's PATH > record with the current dentry and inode information. > > See:

audit events w/o audit rules?

2018-03-12 Thread Todd Heberlein
I am using a Linux system (RHEL 6.9) with no audit rules set:
    $ sudo auditctl -l
    No rules
but some data is still populating the audit log file /var/log/audit/audit.log
Are there processes (or kernel code) that generate their own audit events that bypass the configured audit rules?
Thanks,

Re: [PATCH ghak21 V2 2/4] audit: link denied should not directly generate PATH record

2018-03-12 Thread Paul Moore
On Mon, Mar 12, 2018 at 2:31 AM, Richard Guy Briggs wrote: > Audit link denied events generate duplicate PATH records which disagree > in different ways from symlink and hardlink denials. > audit_log_link_denied() should not directly generate PATH records. > While we're at it,

Re: audit events w/o audit rules?

2018-03-12 Thread Todd Heberlein
Following the poor practice of replying to my own email :(
Apparently most of the data in audit.log is associated with PAM auditing.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing#sec-configuring_pam_tty_audit
todd

Re: [PATCH ghak21 V2 4/4] audit: add parent of refused symlink to audit_names

2018-03-12 Thread Paul Moore
On Mon, Mar 12, 2018 at 2:31 AM, Richard Guy Briggs wrote: > Audit link denied events for symlinks were missing the parent PATH > record. Add it. Since the full pathname may not be available, > reconstruct it from the path in the nameidata supplied. > > See:

Re: [PATCH ghak21 V2 0/4] audit: address ANOM_LINK excess records

2018-03-12 Thread Paul Moore
On Mon, Mar 12, 2018 at 11:17 AM, Steve Grubb wrote: > On Mon, 12 Mar 2018 02:31:16 -0400 > Richard Guy Briggs wrote: > >> Audit link denied events were being unexpectedly produced in a >> disjoint way when audit was disabled, and when they were expected, >>

Re: [PATCH ghak21 V2 3/4] audit: add refused symlink to audit_names

2018-03-12 Thread Paul Moore
On Mon, Mar 12, 2018 at 11:26 AM, Richard Guy Briggs wrote: > On 2018-03-12 11:12, Paul Moore wrote: >> On Mon, Mar 12, 2018 at 2:31 AM, Richard Guy Briggs wrote: >> > Audit link denied events for symlinks had duplicate PATH records rather >> > than just

Re: [PATCH ghak21 V2 3/4] audit: add refused symlink to audit_names

2018-03-12 Thread Richard Guy Briggs
On 2018-03-12 11:53, Paul Moore wrote: > On Mon, Mar 12, 2018 at 11:26 AM, Richard Guy Briggs wrote: > > On 2018-03-12 11:12, Paul Moore wrote: > >> On Mon, Mar 12, 2018 at 2:31 AM, Richard Guy Briggs > >> wrote: > >> > Audit link denied events for symlinks had

Re: [PATCH ghak21 V2 3/4] audit: add refused symlink to audit_names

2018-03-12 Thread Richard Guy Briggs
On 2018-03-12 11:12, Paul Moore wrote: > On Mon, Mar 12, 2018 at 2:31 AM, Richard Guy Briggs wrote: > > Audit link denied events for symlinks had duplicate PATH records rather > > than just updating the existing PATH record. Update the symlink's PATH > > record with the current

Re: [RFC PATCH ghak21 4/4] audit: add parent of refused symlink to audit_names

2018-03-12 Thread Paul Moore
On Mon, Mar 12, 2018 at 3:59 AM, Richard Guy Briggs wrote: > On 2018-03-08 19:50, Paul Moore wrote: ... >> (Point #2 is why I didn't merge patch 3/4, just include it in this >> revised patch) > > On reviewing this, I'm not totally convinced the parent record is > necessary to

Re: [PATCH ghak21 V2 2/4] audit: link denied should not directly generate PATH record

2018-03-12 Thread Paul Moore
On Mon, Mar 12, 2018 at 11:30 AM, Richard Guy Briggs wrote: > On 2018-03-12 11:05, Paul Moore wrote: >> On Mon, Mar 12, 2018 at 2:31 AM, Richard Guy Briggs wrote: >> > Audit link denied events generate duplicate PATH records which disagree >> > in different ways

Re: [PATCH ghak21 V2 3/4] audit: add refused symlink to audit_names

2018-03-12 Thread Paul Moore
On Mon, Mar 12, 2018 at 11:52 AM, Richard Guy Briggs wrote: > On 2018-03-12 11:53, Paul Moore wrote: >> On Mon, Mar 12, 2018 at 11:26 AM, Richard Guy Briggs wrote: >> > On 2018-03-12 11:12, Paul Moore wrote: >> >> On Mon, Mar 12, 2018 at 2:31 AM, Richard Guy

Re: [PATCH ghak21 V2 0/4] audit: address ANOM_LINK excess records

2018-03-12 Thread Steve Grubb
On Mon, 12 Mar 2018 02:31:16 -0400 Richard Guy Briggs wrote: > Audit link denied events were being unexpectedly produced in a > disjoint way when audit was disabled, and when they were expected, > there were duplicate PATH records. This patchset addresses both > issues for

Re: [PATCH ghak21 V2 2/4] audit: link denied should not directly generate PATH record

2018-03-12 Thread Richard Guy Briggs
On 2018-03-12 11:05, Paul Moore wrote: > On Mon, Mar 12, 2018 at 2:31 AM, Richard Guy Briggs wrote: > > Audit link denied events generate duplicate PATH records which disagree > > in different ways from symlink and hardlink denials. > > audit_log_link_denied() should not directly

Re: audit events w/o audit rules?

2018-03-12 Thread Richard Guy Briggs
On 2018-03-12 22:30, Steve Grubb wrote: > On Mon, 12 Mar 2018 11:55:32 -0700 > Todd Heberlein wrote: > > > Following the poor practice of replying to my own email :( > > > > Apparently most of the data in audit.log is associated with PAM > > auditing. > > > >

Re: [PATCH] audit: add containerid support for IMA-audit

2018-03-12 Thread Richard Guy Briggs
On 2018-03-08 13:02, Mimi Zohar wrote: > On Thu, 2018-03-08 at 06:21 -0500, Richard Guy Briggs wrote: > > On 2018-03-05 09:24, Mimi Zohar wrote: > > > On Mon, 2018-03-05 at 08:50 -0500, Richard Guy Briggs wrote: > > > > On 2018-03-05 08:43, Mimi Zohar wrote: > > > > > Hi Richard, > > > > > > > >

Re: audit events w/o audit rules?

2018-03-12 Thread Steve Grubb
On Mon, 12 Mar 2018 11:55:32 -0700 Todd Heberlein wrote: > Following the poor practice of replying to my own email :( > > Apparently most of the data in audit.log is associated with PAM > auditing. > >

Re: [PATCH ghak21 V2 2/4] audit: link denied should not directly generate PATH record

2018-03-12 Thread kbuild test robot
Hi Richard, Thank you for the patch! Yet something to improve: [auto build test ERROR on linus/master] [also build test ERROR on v4.16-rc5 next-20180309] [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] url: