Audit link denied events emit disjointed records when audit is disabled.
No records should be emitted when audit is disabled.
See: https://github.com/linux-audit/audit-kernel/issues/21
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c | 3 +++
1 file changed, 3 insertions(+)
Audit link denied events for symlinks were missing the parent PATH
record. Add it. Since the full pathname may not be available,
reconstruct it from the path in the nameidata supplied.
See: https://github.com/linux-audit/audit-kernel/issues/21
Signed-off-by: Richard Guy Briggs
Audit link denied events generate duplicate PATH records which disagree
in different ways from symlink and hardlink denials.
audit_log_link_denied() should not directly generate PATH records.
While we're at it, remove the now useless struct path argument.
See:
Audit link denied events for symlinks had duplicate PATH records rather
than just updating the existing PATH record. Update the symlink's PATH
record with the current dentry and inode information.
See: https://github.com/linux-audit/audit-kernel/issues/21
Signed-off-by: Richard Guy Briggs
Audit link denied events were being unexpectedly produced in a disjoint
way when audit was disabled, and when they were expected, there were
duplicate PATH records. This patchset addresses both issues for
symlinks and hardlinks.
This was introduced with
commit
On 2018-03-08 19:50, Paul Moore wrote:
> On Wed, Feb 14, 2018 at 11:18 AM, Richard Guy Briggs wrote:
> > Audit link denied events for symlinks were missing the parent PATH
> > record. Add it. Since the full pathname may not be available,
> > reconstruct it from the path in the
On 2018-03-08 19:26, Paul Moore wrote:
> On Wed, Feb 14, 2018 at 11:18 AM, Richard Guy Briggs wrote:
> > Audit link denied events generate duplicate PATH records which disagree
> > in different ways from symlink and hardlink denials.
> > audit_log_link_denied() should not
On 2018-03-12 02:31, Richard Guy Briggs wrote:
> Audit link denied events were being unexpectedly produced in a disjoint
> way when audit was disabled, and when they were expected, there were
> duplicate PATH records. This patchset addresses both issues for
> symlinks and hardlinks.
>
> This was
On Mon, Mar 12, 2018 at 2:31 AM, Richard Guy Briggs wrote:
> Audit link denied events for symlinks had duplicate PATH records rather
> than just updating the existing PATH record. Update the symlink's PATH
> record with the current dentry and inode information.
>
> See:
I am using a Linux system (RHEL 6.9) with no audit rules set:
$ sudo auditctl -l
No rules
but some data is still populating the audit log file
/var/log/audit/audit.log
Are there processes (or kernel code) that generate their own audit events that
bypass the configured audit rules?
Thanks,
On Mon, Mar 12, 2018 at 2:31 AM, Richard Guy Briggs wrote:
> Audit link denied events generate duplicate PATH records which disagree
> in different ways from symlink and hardlink denials.
> audit_log_link_denied() should not directly generate PATH records.
> While we're at it,
Following the poor practice of replying to my own email :(
Apparently most of the data in audit.log is associated with PAM auditing.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing#sec-configuring_pam_tty_audit
todd
On Mon, Mar 12, 2018 at 2:31 AM, Richard Guy Briggs wrote:
> Audit link denied events for symlinks were missing the parent PATH
> record. Add it. Since the full pathname may not be available,
> reconstruct it from the path in the nameidata supplied.
>
> See:
On Mon, Mar 12, 2018 at 11:17 AM, Steve Grubb wrote:
> On Mon, 12 Mar 2018 02:31:16 -0400
> Richard Guy Briggs wrote:
>
>> Audit link denied events were being unexpectedly produced in a
>> disjoint way when audit was disabled, and when they were expected,
>>
On Mon, Mar 12, 2018 at 11:26 AM, Richard Guy Briggs wrote:
> On 2018-03-12 11:12, Paul Moore wrote:
>> On Mon, Mar 12, 2018 at 2:31 AM, Richard Guy Briggs wrote:
>> > Audit link denied events for symlinks had duplicate PATH records rather
>> > than just
On 2018-03-12 11:53, Paul Moore wrote:
> On Mon, Mar 12, 2018 at 11:26 AM, Richard Guy Briggs wrote:
> > On 2018-03-12 11:12, Paul Moore wrote:
> >> On Mon, Mar 12, 2018 at 2:31 AM, Richard Guy Briggs
> >> wrote:
> >> > Audit link denied events for symlinks had
On 2018-03-12 11:12, Paul Moore wrote:
> On Mon, Mar 12, 2018 at 2:31 AM, Richard Guy Briggs wrote:
> > Audit link denied events for symlinks had duplicate PATH records rather
> > than just updating the existing PATH record. Update the symlink's PATH
> > record with the current
On Mon, Mar 12, 2018 at 3:59 AM, Richard Guy Briggs wrote:
> On 2018-03-08 19:50, Paul Moore wrote:
...
>> (Point #2 is why I didn't merge patch 3/4, just include it in this
>> revised patch)
>
> On reviewing this, I'm not totally convinced the parent record is
> necessary to
On Mon, Mar 12, 2018 at 11:30 AM, Richard Guy Briggs wrote:
> On 2018-03-12 11:05, Paul Moore wrote:
>> On Mon, Mar 12, 2018 at 2:31 AM, Richard Guy Briggs wrote:
>> > Audit link denied events generate duplicate PATH records which disagree
>> > in different ways
On Mon, Mar 12, 2018 at 11:52 AM, Richard Guy Briggs wrote:
> On 2018-03-12 11:53, Paul Moore wrote:
>> On Mon, Mar 12, 2018 at 11:26 AM, Richard Guy Briggs wrote:
>> > On 2018-03-12 11:12, Paul Moore wrote:
>> >> On Mon, Mar 12, 2018 at 2:31 AM, Richard Guy
On Mon, 12 Mar 2018 02:31:16 -0400
Richard Guy Briggs wrote:
> Audit link denied events were being unexpectedly produced in a
> disjoint way when audit was disabled, and when they were expected,
> there were duplicate PATH records. This patchset addresses both
> issues for
On 2018-03-12 11:05, Paul Moore wrote:
> On Mon, Mar 12, 2018 at 2:31 AM, Richard Guy Briggs wrote:
> > Audit link denied events generate duplicate PATH records which disagree
> > in different ways from symlink and hardlink denials.
> > audit_log_link_denied() should not directly
On 2018-03-12 22:30, Steve Grubb wrote:
> On Mon, 12 Mar 2018 11:55:32 -0700
> Todd Heberlein wrote:
>
> > Following the poor practice of replying to my own email :(
> >
> > Apparently most of the data in audit.log is associated with PAM
> > auditing.
> >
> >
On 2018-03-08 13:02, Mimi Zohar wrote:
> On Thu, 2018-03-08 at 06:21 -0500, Richard Guy Briggs wrote:
> > On 2018-03-05 09:24, Mimi Zohar wrote:
> > > On Mon, 2018-03-05 at 08:50 -0500, Richard Guy Briggs wrote:
> > > > On 2018-03-05 08:43, Mimi Zohar wrote:
> > > > > Hi Richard,
> > > > >
> > >
On Mon, 12 Mar 2018 11:55:32 -0700
Todd Heberlein wrote:
> Following the poor practice of replying to my own email :(
>
> Apparently most of the data in audit.log is associated with PAM
> auditing.
>
>
Hi Richard,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on linus/master]
[also build test ERROR on v4.16-rc5 next-20180309]
[if your patch is applied to the wrong git tree, please drop us a note to help
improve the system]
url: