Re: [PATCH 1/1 v2] Added exe field to audit core dump signal log
Ping..
On Thursday 21 November 2013 08:14 AM, Paul Davies C wrote:
Currently when the coredump signals are logged by the audit system, the actual path to the executable is not logged. Without details of exe, the system admin may not have an exact idea on what program failed. This patch changes the audit_log_task() so that the path to the exe is also logged.
Signed-off-by: Paul Davies C pauldavi...@gmail.com
--- kernel/auditsc.c |8 1 file changed, 8 insertions(+) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 9845cb3..53ecc02 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab) kuid_t auid, uid; kgid_t gid; unsigned int sessionid; + struct mm_struct *mm = current-mm; auid = audit_get_loginuid(current); sessionid = audit_get_sessionid(current); @@ -2366,6 +2367,13 @@ static void audit_log_task(struct audit_buffer *ab) audit_log_task_context(ab); audit_log_format(ab, pid=%d comm=, current-pid); audit_log_untrustedstring(ab, current-comm); + if (mm) { + down_read(mm-mmap_sem); + if (mm-exe_file) + audit_log_d_path(ab, exe=, mm-exe_file-f_path); + up_read(mm-mmap_sem); + } else + audit_log_format(ab, exe=(null)); } static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
-- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH 1/1 v1] Added exe field to audit core dump signal log
This patch addresses the issue of the disappearing exe field that was raised by William in the previous discussion on this patch.
On Thursday 21 November 2013 07:43 AM, Paul Davies C wrote:
Currently when the coredump signals are logged by the audit system, the actual path to the executable is not logged. Without details of exe, the system admin may not have an exact idea on what program failed. This patch changes the audit_log_task() so that the path to the exe is also logged.
Signed-off-by: Paul Davies C pauldavi...@gmail.com
--- kernel/auditsc.c |8 1 file changed, 8 insertions(+) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 9845cb3..4abae3d 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab) kuid_t auid, uid; kgid_t gid; unsigned int sessionid; + struct mm_struct *mm = current-mm; auid = audit_get_loginuid(current); sessionid = audit_get_sessionid(current); @@ -2366,6 +2367,13 @@ static void audit_log_task(struct audit_buffer *ab) audit_log_task_context(ab); audit_log_format(ab, pid=%d comm=, current-pid); audit_log_untrustedstring(ab, current-comm); + if (mm) { + down_read(mm-mmap_sem); + if (mm-exe_file) + audit_log_d_path(ab, exe=, mm-exe_file-f_path); + up_read(mm-mmap_sem); + } else + audit_log_format(ab, exe=null); } static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
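Review bot: the else branch in the second hunk writes `exe=null`, a value a log consumer cannot tell apart from a path or program name that happens to read `null`; use a marker that cannot be a path, such as `exe=(null)`. The branch is also reached only when `mm` is NULL, so for a task whose `mm->exe_file` is NULL the inner `if` skips the field entirely and it still disappears; put the fallback on an else of the inner `if (mm->exe_file)` as well.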
[PATCH 1/1 v2] Added exe field to audit core dump signal log
Currently when the coredump signals are logged by the audit system, the actual path to the executable is not logged. Without details of exe, the system admin may not have an exact idea on what program failed. This patch changes the audit_log_task() so that the path to the exe is also logged.
Signed-off-by: Paul Davies C pauldavi...@gmail.com
--- kernel/auditsc.c |8 1 file changed, 8 insertions(+) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 9845cb3..53ecc02 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab) kuid_t auid, uid; kgid_t gid; unsigned int sessionid; + struct mm_struct *mm = current-mm; auid = audit_get_loginuid(current); sessionid = audit_get_sessionid(current); @@ -2366,6 +2367,13 @@ static void audit_log_task(struct audit_buffer *ab) audit_log_task_context(ab); audit_log_format(ab, pid=%d comm=, current-pid); audit_log_untrustedstring(ab, current-comm); + if (mm) { + down_read(mm-mmap_sem); + if (mm-exe_file) + audit_log_d_path(ab, exe=, mm-exe_file-f_path); + up_read(mm-mmap_sem); + } else + audit_log_format(ab, exe=(null)); } static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr) -- 1.7.9.5
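Review bot: the `exe=(null)` fallback in the second hunk is only reached when `mm` is NULL; when `mm` exists but `mm->exe_file` is NULL the inner `if` simply skips the field, so the disappearing exe= field this revision targets remains for that case. Emit the fallback from an else of the inner `if (mm->exe_file)` too (for example by noting whether the path was logged and printing `exe=(null)` after `up_read()`), and since the `if (mm)` arm is braced, brace the `else` arm as well per the kernel coding style.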
Re: [PATCH 1/1 v2] Added exe field to audit core dump signal log
Resending the patch since I forgot to add the brackets around null in v1.
On Thursday 21 November 2013 08:14 AM, Paul Davies C wrote:
Currently when the coredump signals are logged by the audit system, the actual path to the executable is not logged. Without details of exe, the system admin may not have an exact idea on what program failed. This patch changes the audit_log_task() so that the path to the exe is also logged.
Signed-off-by: Paul Davies C pauldavi...@gmail.com
--- kernel/auditsc.c |8 1 file changed, 8 insertions(+) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 9845cb3..53ecc02 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab) kuid_t auid, uid; kgid_t gid; unsigned int sessionid; + struct mm_struct *mm = current-mm; auid = audit_get_loginuid(current); sessionid = audit_get_sessionid(current); @@ -2366,6 +2367,13 @@ static void audit_log_task(struct audit_buffer *ab) audit_log_task_context(ab); audit_log_format(ab, pid=%d comm=, current-pid); audit_log_untrustedstring(ab, current-comm); + if (mm) { + down_read(mm-mmap_sem); + if (mm-exe_file) + audit_log_d_path(ab, exe=, mm-exe_file-f_path); + up_read(mm-mmap_sem); + } else + audit_log_format(ab, exe=(null)); } static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
[PATCH 1/1] Added exe field to audit core dump signal log
Currently when the coredump signals are logged by the audit system, the actual path to the executable is not logged. Without details of exe, the system admin may not have an exact idea on what program failed. This patch changes the audit_log_task() so that the path to the exe is also logged.
Signed-off-by: Paul Davies C pauldavi...@gmail.com
--- kernel/auditsc.c |7 +++ 1 file changed, 7 insertions(+) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 9845cb3..988de72 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab) kuid_t auid, uid; kgid_t gid; unsigned int sessionid; + struct mm_struct *mm = current-mm; auid = audit_get_loginuid(current); sessionid = audit_get_sessionid(current); @@ -2366,6 +2367,12 @@ static void audit_log_task(struct audit_buffer *ab) audit_log_task_context(ab); audit_log_format(ab, pid=%d comm=, current-pid); audit_log_untrustedstring(ab, current-comm); + if (mm) { + down_read(mm-mmap_sem); + if (mm-exe_file) + audit_log_d_path(ab, exe=, mm-exe_file-f_path); + up_read(mm-mmap_sem); + } } static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr) -- 1.7.9.5
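Review bot: in the second hunk the exe= field is written only when both `current->mm` and `mm->exe_file` are non-NULL, so the set of fields in an ANOM_ABEND record varies from event to event and a consumer keyed on exe= will sometimes find it absent. Emit a fixed fallback such as ` exe=(null)` on both the `!mm` path and the `!mm->exe_file` path so the field is always present.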
Re: SIGXCPU and Auditd
The audit system does log the core dump signals. It was a misunderstanding on my part that led me to believe that audit does not log SIGXCPU. Sorry for the confusion.
[PATCH] Fixed reason field in audit signal logging
The audit system logs the signals that lead to the abnormal end of a process. However, as of now, it always states the reason for failure of a process as memory violation regardless of the signal delivered. This is due to the audit_core_dumps() function passing the reason for failure blindly to the audit_log_abend() as memory violation. This patch changes the audit_core_dumps() function to pass on the right reason to the audit_log_abend based on the signal received.
Signed-off-by: Paul Davies C
--- kernel/auditsc.c | 31 ++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 9845cb3..3cafd13 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2395,7 +2395,36 @@ void audit_core_dumps(long signr) ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); if (unlikely(!ab)) return; - audit_log_abend(ab, memory violation, signr); + + /*Identify the reason for failure based on signal delivered.*/ + switch (signr) { + case SIGABRT: + audit_log_abend(ab, received abort, signr); + break; + case SIGBUS: + audit_log_abend(ab, invalid pointer dereference, signr); + break; + case SIGFPE: + audit_log_abend(ab, invalid floating point instruction, signr); + break; + case SIGILL: + audit_log_abend(ab, illegal instruction, signr); + break; + case SIGSEGV: + audit_log_abend(ab, memory violation, signr); + break; + case SIGTRAP: + audit_log_abend(ab, bad instruction / debugger generated signal, signr); + break; + case SIGXCPU: + audit_log_abend(ab, cpu time violation, signr); + break; + case SIGXFSZ: + audit_log_abend(ab, file size violation, signr); + break; + default: + audit_log_abend(ab, not defined, signr); + } audit_log_end(ab); } -- 1.7.9.5
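Review bot: every reason string in the switch contains spaces (`memory violation`, `bad instruction / debugger generated signal`), while audit values are conventionally single tokens so that consumers which split a record on whitespace keep key and value together; Steve raises the same point in this thread. Either use one-token spellings (`memory-violation`) or drop the text altogether, since `sig=%ld` already identifies the signal. Structurally, select the string into a `const char *reason` inside the switch and call audit_log_abend() once after it instead of in every case.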
Re: [PATCH] Fixed reason field in audit signal logging
So rather than logging reason=memory violation when a process ends abnormally due to any signal delivery, it will be better if we leave reason=undefined. Your thoughts?
On Thu, Nov 7, 2013 at 9:12 PM, Eric Paris epa...@redhat.com wrote:
On Thu, 2013-11-07 at 10:05 -0500, Steve Grubb wrote:
On Thursday, November 07, 2013 09:43:24 AM Eric Paris wrote:
On Thu, 2013-11-07 at 19:09 +0530, Paul Davies C wrote:
The audit system logs the signals that lead to the abnormal end of a process. However, as of now, it always states the reason for failure of a process as memory violation regardless of the signal delivered. This is due to the audit_core_dumps() function passing the reason for failure blindly to the audit_log_abend() as memory violation. This patch changes the audit_core_dumps() function to pass on the right reason to the audit_log_abend based on the signal received.
Signed-off-by: Paul Davies C
Acked-by: Eric Paris epa...@redhat.com
But we really should wait for an Ack and thoughts from steve grubb
I am confused. This is the abnormal end event I have:
type=ANOM_ABEND msg=audit(1303339663.307:142): auid=4325 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0 pid=3775 comm=aureport sig=11
Why / when did we start adding text explanations? We should not do that. We didn't have it before and it should not have been added. The signal number is enough to identify the problem.
We started adding a reason when seccomp started sending ANOM_ABEND events as well. It doesn't do so with a signal.
Agreed, this is/was a bad idea...
If we did need a reason= field, all these strings with spaces will get separated on parsing. They should be like memory-violation or received-abort. And would it be better to hide this in the audit_log_abend function? I honestly don't understand why this was added.
-Steve
--- kernel/auditsc.c | 31 ++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 9845cb3..3cafd13 100644
--- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2395,7 +2395,36 @@ void audit_core_dumps(long signr) ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); if (unlikely(!ab)) return; - audit_log_abend(ab, memory violation, signr); + + /*Identify the reason for failure based on signal delivered.*/ + switch (signr) { + case SIGABRT: + audit_log_abend(ab, received abort, signr); + break; + case SIGBUS: + audit_log_abend(ab, invalid pointer dereference, signr); + break; + case SIGFPE: + audit_log_abend(ab, invalid floating point instruction, signr); + break; + case SIGILL: + audit_log_abend(ab, illegal instruction, signr); + break; + case SIGSEGV: + audit_log_abend(ab, memory violation, signr); + break; + case SIGTRAP: + audit_log_abend(ab, bad instruction / debugger generated signal, signr); + break; + case SIGXCPU: + audit_log_abend(ab, cpu time violation, signr); + break; + case SIGXFSZ: + audit_log_abend(ab, file size violation, signr); + break; + default: + audit_log_abend(ab, not defined, signr); + } audit_log_end(ab); } --
Regards, Paul Davies C vivafoss.blogspot.com
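As an added illustration (not code from this thread, the kernel or the audit userspace), a small Python parser run over records constructed after the two ANOM_ABEND lines quoted in this thread shows what a whitespace-driven consumer makes of a reason= value that contains a space, and that the signal name is recoverable from sig= alone, which is the point Eric and Steve make. The record text is constructed; only the field names match the kernel's output, and comm= is shown quoted as audit emits it.

```python
import re
import signal
from typing import Dict, List, Tuple

# Constructed sample ANOM_ABEND records modelled on the two lines quoted in
# this thread: aureport with no reason= field, chrome with an unquoted
# reason= that contains a space, and the same chrome event respelled.
SAMPLE_RECORDS = [
    'type=ANOM_ABEND msg=audit(1303339663.307:142): auid=4325 uid=0 gid=0 ses=1 '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0 pid=3775 comm="aureport" sig=11',
    'type=ANOM_ABEND msg=audit(1383644379.989:88): auid=1000 uid=1000 gid=1000 ses=5 '
    'pid=2688 comm="chrome" reason=memory violation sig=11',
    # The same event with the single-token spelling suggested in the thread.
    'type=ANOM_ABEND msg=audit(1383644379.989:88): auid=1000 uid=1000 gid=1000 ses=5 '
    'pid=2688 comm="chrome" reason=memory-violation sig=11',
]

# A token is either key="quoted value" or a run of non-space characters.
TOKEN_RE = re.compile(r'[^\s=]+="[^"]*"|\S+')


def parse_record(line: str) -> Tuple[Dict[str, str], List[str]]:
    """Split a record into key=value fields the way a whitespace-driven
    consumer does. Tokens without '=' are returned as orphans: that is
    where the second word of an unquoted 'memory violation' ends up."""
    fields: Dict[str, str] = {}
    orphans: List[str] = []
    for tok in TOKEN_RE.findall(line):
        key, sep, value = tok.partition('=')
        if not sep:
            orphans.append(tok)
            continue
        fields[key] = value.strip('"')
    return fields, orphans


def signal_name(sig: str) -> str:
    """Resolve the numeric sig= value to its name (11 -> SIGSEGV); this is
    the information a textual reason= field would only duplicate."""
    return signal.Signals(int(sig)).name


def describe(line: str) -> Dict[str, object]:
    """Summarise one ANOM_ABEND record for a reviewer or a detection rule."""
    fields, orphans = parse_record(line)
    sig = fields.get('sig')
    return {
        'comm': fields.get('comm'),
        'sig': sig,
        'signal': signal_name(sig) if sig else None,
        'reason': fields.get('reason'),
        'orphans': orphans,
    }
```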
Re: [PATCH] Fixed reason field in audit signal logging
So we must drop the reason field for abnormal end due to signal delivery.
On Thu, Nov 7, 2013 at 9:23 PM, Eric Paris epa...@redhat.com wrote:
On Thu, 2013-11-07 at 21:21 +0530, Paul Davies C wrote:
So rather than logging reason=memory violation when a process ends abnormally due to any signal delivery, it will be better if we leave reason=undefined.
reason=memory_violation or invalid_pointer etc although maybe it should be just 'signal'... and you can get the signal number from the record
Your thoughts?
On Thu, Nov 7, 2013 at 9:12 PM, Eric Paris epa...@redhat.com wrote:
On Thu, 2013-11-07 at 10:05 -0500, Steve Grubb wrote:
On Thursday, November 07, 2013 09:43:24 AM Eric Paris wrote:
On Thu, 2013-11-07 at 19:09 +0530, Paul Davies C wrote:
The audit system logs the signals that lead to the abnormal end of a process. However, as of now, it always states the reason for failure of a process as memory violation regardless of the signal delivered. This is due to the audit_core_dumps() function passing the reason for failure blindly to the audit_log_abend() as memory violation. This patch changes the audit_core_dumps() function to pass on the right reason to the audit_log_abend based on the signal received.
Signed-off-by: Paul Davies C
Acked-by: Eric Paris epa...@redhat.com
But we really should wait for an Ack and thoughts from steve grubb
I am confused. This is the abnormal end event I have:
type=ANOM_ABEND msg=audit(1303339663.307:142): auid=4325 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0 pid=3775 comm=aureport sig=11
Why / when did we start adding text explanations? We should not do that. We didn't have it before and it should not have been added. The signal number is enough to identify the problem.
We started adding a reason when seccomp started sending ANOM_ABEND events as well. It doesn't do so with a signal.
Agreed, this is/was a bad idea...
If we did need a reason= field, all these strings with spaces will get separated on parsing. They should be like memory-violation or received-abort. And would it be better to hide this in the audit_log_abend function? I honestly don't understand why this was added.
-Steve
--- kernel/auditsc.c | 31 ++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 9845cb3..3cafd13 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2395,7 +2395,36 @@ void audit_core_dumps(long signr) ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); if (unlikely(!ab)) return; - audit_log_abend(ab, memory violation, signr); + + /*Identify the reason for failure based on signal delivered.*/ + switch (signr) { + case SIGABRT: + audit_log_abend(ab, received abort, signr); + break; + case SIGBUS: + audit_log_abend(ab, invalid pointer dereference, signr); + break; + case SIGFPE: + audit_log_abend(ab, invalid floating point instruction, signr); + break; + case SIGILL: + audit_log_abend(ab, illegal instruction, signr); + break; + case SIGSEGV: + audit_log_abend(ab, memory violation, signr); + break; + case SIGTRAP: + audit_log_abend(ab, bad instruction / debugger generated signal, signr); + break; + case SIGXCPU: + audit_log_abend(ab, cpu time violation, signr); + break; + case SIGXFSZ: + audit_log_abend(ab, file size violation, signr); + break; + default
[PATCH] Dropped audit_log_abend()
The audit_log_abend() is used only by the audit_core_dumps(). Thus there is no need to maintain the audit_log_abend() as a separate function. This patch drops the audit_log_abend() and pushes its functionality back into the audit_core_dumps(). Apart from that, the reason field is also dropped from being logged, since the reason can be deduced from the signal number.
Signed-off-by: Paul Davies C pauldavi...@gmail.com
--- kernel/auditsc.c | 10 ++ 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 9845cb3..f2aa62a 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2368,13 +2368,6 @@ static void audit_log_task(struct audit_buffer *ab) audit_log_untrustedstring(ab, current-comm); } -static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr) -{ - audit_log_task(ab); - audit_log_format(ab, reason=); - audit_log_string(ab, reason); - audit_log_format(ab, sig=%ld, signr); -} /** * audit_core_dumps - record information about processes that end abnormally * @signr: signal value @@ -2395,7 +2388,8 @@ void audit_core_dumps(long signr) ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND); if (unlikely(!ab)) return; - audit_log_abend(ab, memory violation, signr); + audit_log_task(ab); + audit_log_format(ab, sig=%ld, signr); audit_log_end(ab); } -- 1.7.9.5
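Review bot: the first hunk deletes the seven lines of audit_log_abend() itself but neither of the blank lines around it (13 lines become 6), so two consecutive blank lines remain between the closing brace of audit_log_task() and the audit_core_dumps() kerneldoc block; drop one of them.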
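Review bot: the second hunk removes reason= from every ANOM_ABEND record, which is a user-visible format change (the chrome record quoted elsewhere in this thread carries `reason=memory violation sig=11`), so state that explicitly in the commit message and confirm that no audit userspace tooling keys on the field; the sig= value that remains is what identifies the signal, as the thread agreed.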
SIGXCPU and Auditd
Hi, Is there any way to make the auditd system log the SIGXCPU signal? As of now, without writing any specific rules, SIGSEGV is getting logged. In my log I found lines as below:
type=ANOM_ABEND msg=audit(1383644379.989:88): auid=1000 uid=1000 gid=1000 ses=5 pid=2688 comm=chrome reason=memory violation sig=11
Re: SIGXCPU and Auditd
In the man page it is written that core dump on SIGXCPU can fail. That is probably the reason why it is not logged.