Re: [PATCH 1/1 v2] Added exe field to audit core dump signal log

2013-11-27 Thread Paul Davies C


Ping..

On Thursday 21 November 2013 08:14 AM, Paul Davies C wrote:

Currently when the coredump signals are logged by the audit system, the
actual path to the executable is not logged. Without details of the exe, the
system admin may not have an exact idea of what program failed.

This patch changes audit_log_task() so that the path to the exe is also
logged.

Signed-off-by: Paul Davies C pauldavi...@gmail.com
---
  kernel/auditsc.c |8 
  1 file changed, 8 insertions(+)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9845cb3..53ecc02 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab)
kuid_t auid, uid;
kgid_t gid;
unsigned int sessionid;
+   struct mm_struct *mm = current-mm;
  
  	auid = audit_get_loginuid(current);

sessionid = audit_get_sessionid(current);
@@ -2366,6 +2367,13 @@ static void audit_log_task(struct audit_buffer *ab)
audit_log_task_context(ab);
audit_log_format(ab,  pid=%d comm=, current-pid);
audit_log_untrustedstring(ab, current-comm);
+   if (mm) {
+   down_read(mm-mmap_sem);
+   if (mm-exe_file)
+   audit_log_d_path(ab,  exe=, mm-exe_file-f_path);
+   up_read(mm-mmap_sem);
+   } else
+   audit_log_format(ab,  exe=(null));
  }
  
  static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


Re: [PATCH 1/1 v1] Added exe field to audit core dump signal log

2013-11-20 Thread Paul Davies C
This patch addresses the issue of the disappearing exe field that was
raised by William in the previous discussion on this patch.


On Thursday 21 November 2013 07:43 AM, Paul Davies C wrote:

Currently when the coredump signals are logged by the audit system, the
actual path to the executable is not logged. Without details of the exe, the
system admin may not have an exact idea of what program failed.

This patch changes audit_log_task() so that the path to the exe is also
logged.

Signed-off-by: Paul Davies C pauldavi...@gmail.com
---
  kernel/auditsc.c |8 
  1 file changed, 8 insertions(+)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9845cb3..4abae3d 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab)
kuid_t auid, uid;
kgid_t gid;
unsigned int sessionid;
+   struct mm_struct *mm = current-mm;
  
  	auid = audit_get_loginuid(current);

sessionid = audit_get_sessionid(current);
@@ -2366,6 +2367,13 @@ static void audit_log_task(struct audit_buffer *ab)
audit_log_task_context(ab);
audit_log_format(ab,  pid=%d comm=, current-pid);
audit_log_untrustedstring(ab, current-comm);
+   if (mm) {
+   down_read(mm-mmap_sem);
+   if (mm-exe_file)
+   audit_log_d_path(ab,  exe=, mm-exe_file-f_path);
+   up_read(mm-mmap_sem);
+   } else
+   audit_log_format(ab,  exe=null);
  }
  
  static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
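Review bot: the `exe=null` fallback in the new `else` branch is a bare token that a consumer cannot tell apart from a program actually named `null`; `(null)` or a quoted placeholder is unambiguous (the v2 resend switches to `(null)`). The `mm && !mm->exe_file` case still writes no `exe=` field at all, so the field can still vanish from some records; emit the placeholder on that path as well, inside the locked region. Style: a braced `if (mm) { ... }` followed by an unbraced `} else` mixes the two forms; kernel style wants braces on both branches when either needs them.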




[PATCH 1/1 v2] Added exe field to audit core dump signal log

2013-11-20 Thread Paul Davies C
Currently when the coredump signals are logged by the audit system, the
actual path to the executable is not logged. Without details of the exe, the
system admin may not have an exact idea of what program failed.

This patch changes audit_log_task() so that the path to the exe is also
logged.

Signed-off-by: Paul Davies C pauldavi...@gmail.com
---
 kernel/auditsc.c |8 
 1 file changed, 8 insertions(+)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9845cb3..53ecc02 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab)
kuid_t auid, uid;
kgid_t gid;
unsigned int sessionid;
+   struct mm_struct *mm = current-mm;
 
auid = audit_get_loginuid(current);
sessionid = audit_get_sessionid(current);
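Review bot: the new `mm` local caches `current->mm` without taking a reference. That is safe here only because audit_log_task() is reached from audit_core_dumps() on the task that is dumping, so its own mm cannot be torn down underneath it; a one-line comment at the declaration saying so would keep a future caller from another context from copying the pattern.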
@@ -2366,6 +2367,13 @@ static void audit_log_task(struct audit_buffer *ab)
audit_log_task_context(ab);
audit_log_format(ab,  pid=%d comm=, current-pid);
audit_log_untrustedstring(ab, current-comm);
+   if (mm) {
+   down_read(mm-mmap_sem);
+   if (mm-exe_file)
+   audit_log_d_path(ab,  exe=, mm-exe_file-f_path);
+   up_read(mm-mmap_sem);
+   } else
+   audit_log_format(ab,  exe=(null));
 }
 
 static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
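Review bot: the `exe=(null)` placeholder only covers `mm == NULL`; when `mm` is set but `mm->exe_file` is NULL under the read lock nothing is written, so the `exe=` field still disappears in that case and consumers cannot treat it as always present, which is the very problem v1 set out to fix. Emit ` exe=(null)` on that path too, e.g. an `else` on the inner `if (mm->exe_file)` inside the locked region. Style: the outer `if (mm) { ... } else` pairs a braced branch with an unbraced one; kernel style wants braces on both when either needs them.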
-- 
1.7.9.5



Re: [PATCH 1/1 v2] Added exe field to audit core dump signal log

2013-11-20 Thread Paul Davies C


Resending the patch since I forgot to add the brackets around null in v1.

On Thursday 21 November 2013 08:14 AM, Paul Davies C wrote:

Currently when the coredump signals are logged by the audit system, the
actual path to the executable is not logged. Without details of the exe, the
system admin may not have an exact idea of what program failed.

This patch changes audit_log_task() so that the path to the exe is also
logged.

Signed-off-by: Paul Davies C pauldavi...@gmail.com
---
  kernel/auditsc.c |8 
  1 file changed, 8 insertions(+)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9845cb3..53ecc02 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab)
kuid_t auid, uid;
kgid_t gid;
unsigned int sessionid;
+   struct mm_struct *mm = current-mm;
  
  	auid = audit_get_loginuid(current);

sessionid = audit_get_sessionid(current);
@@ -2366,6 +2367,13 @@ static void audit_log_task(struct audit_buffer *ab)
audit_log_task_context(ab);
audit_log_format(ab,  pid=%d comm=, current-pid);
audit_log_untrustedstring(ab, current-comm);
+   if (mm) {
+   down_read(mm-mmap_sem);
+   if (mm-exe_file)
+   audit_log_d_path(ab,  exe=, mm-exe_file-f_path);
+   up_read(mm-mmap_sem);
+   } else
+   audit_log_format(ab,  exe=(null));
  }
  
  static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)




[PATCH 1/1] Added exe field to audit core dump signal log

2013-11-13 Thread Paul Davies C
Currently when the coredump signals are logged by the audit system, the
actual path to the executable is not logged. Without details of the exe, the
system admin may not have an exact idea of what program failed.

This patch changes audit_log_task() so that the path to the exe is also
logged.

Signed-off-by: Paul Davies C pauldavi...@gmail.com
---
 kernel/auditsc.c |7 +++
 1 file changed, 7 insertions(+)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9845cb3..988de72 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2353,6 +2353,7 @@ static void audit_log_task(struct audit_buffer *ab)
kuid_t auid, uid;
kgid_t gid;
unsigned int sessionid;
+   struct mm_struct *mm = current-mm;
 
auid = audit_get_loginuid(current);
sessionid = audit_get_sessionid(current);
@@ -2366,6 +2367,12 @@ static void audit_log_task(struct audit_buffer *ab)
audit_log_task_context(ab);
audit_log_format(ab,  pid=%d comm=, current-pid);
audit_log_untrustedstring(ab, current-comm);
+   if (mm) {
+   down_read(mm-mmap_sem);
+   if (mm-exe_file)
+   audit_log_d_path(ab,  exe=, mm-exe_file-f_path);
+   up_read(mm-mmap_sem);
+   }
 }
 
 static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
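Review bot: when `mm` is NULL, or `mm->exe_file` is NULL under the read lock, this hunk writes no `exe=` field at all, so the ANOM_ABEND record has a variable field set; parsers that expect the field on every record will break, which is the "disappearing exe field" objection the later versions respond to. Always emit `exe=`, with a placeholder value when no path is available, from both the `!mm` and the `!mm->exe_file` paths.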
-- 
1.7.9.5



Re: SIGXCPU and Auditd

2013-11-11 Thread Paul Davies C
The audit system does log the core dump signals. It was a misunderstanding
on my part that led me to believe that audit does not log SIGXCPU.


Sorry for the confusion.



[PATCH] Fixed reason field in audit signal logging

2013-11-07 Thread Paul Davies C
The audit system logs the signals that lead to the abnormal end of a process.
However, as of now, it always states the reason for failure of a process as
memory violation regardless of the signal delivered. This is because the
audit_core_dumps() function passes the reason for failure blindly to
audit_log_abend() as memory violation.

This patch changes the audit_core_dumps() function so as to pass the right
reason to audit_log_abend() based on the signal received.

Signed-off-by: Paul Davies C
---
 kernel/auditsc.c |   31 ++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9845cb3..3cafd13 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2395,7 +2395,36 @@ void audit_core_dumps(long signr)
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
if (unlikely(!ab))
return;
-   audit_log_abend(ab, memory violation, signr);
+
+   /*Identify the reason for failure based on signal delivered.*/
+   switch (signr) {
+   case SIGABRT:
+   audit_log_abend(ab, received abort, signr);
+   break;
+   case SIGBUS:
+   audit_log_abend(ab, invalid pointer dereference, 
signr);
+   break;
+   case SIGFPE:
+   audit_log_abend(ab, invalid floating point 
instruction, signr);
+   break;
+   case SIGILL:
+   audit_log_abend(ab, illegal instruction, signr);
+   break;
+   case SIGSEGV:
+   audit_log_abend(ab, memory violation, signr);
+   break;
+   case SIGTRAP:
+   audit_log_abend(ab, bad instruction / debugger 
generated signal, signr);
+   break;
+   case SIGXCPU:
+   audit_log_abend(ab, cpu time violation, signr);
+   break;
+   case SIGXFSZ:
+   audit_log_abend(ab, file size violation, signr);
+   break;
+   default:
+   audit_log_abend(ab, not defined, signr);
+   }
audit_log_end(ab);
 }
 
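Review bot: every reason string the switch passes to audit_log_abend() contains spaces (`received abort`, `invalid pointer dereference`, `bad instruction / debugger generated signal`), and audit records are consumed as space-separated key=value tokens, so a consumer sees `reason=memory` followed by a stray `violation` token. Either use single tokens (`memory-violation`, `received-abort`) or, since the `sig=` value written right after already identifies the signal, drop the field entirely. The switch also repeats the same audit_log_abend(ab, ..., signr) call in all nine arms; mapping `signr` to a string once (a small table or a helper) and calling audit_log_abend() once keeps the function readable, and the `default` arm's `not defined` should be a single token too.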
-- 
1.7.9.5



Re: [PATCH] Fixed reason field in audit signal logging

2013-11-07 Thread Paul Davies C
So rather than logging reason=memory violation when a process ends
abnormally due to any signal delivery, it will be better if we leave
reason=undefined.

Your thoughts?


On Thu, Nov 7, 2013 at 9:12 PM, Eric Paris epa...@redhat.com wrote:

 On Thu, 2013-11-07 at 10:05 -0500, Steve Grubb wrote:
  On Thursday, November 07, 2013 09:43:24 AM Eric Paris wrote:
   On Thu, 2013-11-07 at 19:09 +0530, Paul Davies C wrote:
    The audit system logs the signals that lead to the abnormal end of a
    process. However, as of now, it always states the reason for failure
    of a process as memory violation regardless of the signal delivered.
    This is because the audit_core_dumps() function passes the reason for
    failure blindly to audit_log_abend() as memory violation.

    This patch changes the audit_core_dumps() function so as to pass the
    right reason to audit_log_abend() based on the signal received.

    Signed-off-by: Paul Davies C

   Acked-by: Eric Paris epa...@redhat.com

   But we really should wait for an Ack and thoughts from steve grubb

  I am confused. This is the abnormal end event I have:

  type=ANOM_ABEND msg=audit(1303339663.307:142): auid=4325 uid=0 gid=0 ses=1
  subj=unconfined_u:unconfined_r:unconfined_t:s0 pid=3775 comm=aureport sig=11

  Why / when did we start adding text explanations? We should not do that.
  We didn't have it before and it should not have been added. The signal
  number is enough to identify the problem.

 We started adding a reason when seccomp started sending ANOM_ABEND
 events as well.  It doesn't do so with a signal.  Agreed, the   is/was
 a bad idea...

  If we did need a reason= field, all these strings with spaces will get
  separated on parsing. They should be like memory-violation or
  received-abort. And would it be better to hide this in the audit_log_abend
  function? I honestly don't understand why this was added.

  -Steve

---
   
 kernel/auditsc.c |   31 ++-
 1 file changed, 30 insertions(+), 1 deletion(-)
   
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9845cb3..3cafd13 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2395,7 +2395,36 @@ void audit_core_dumps(long signr)
   
  ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
  if (unlikely(!ab))
   
  return;
   
- audit_log_abend(ab, memory violation, signr);
+
+ /*Identify the reason for failure based on signal delivered.*/
+ switch (signr) {
+ case SIGABRT:
+ audit_log_abend(ab, received abort, signr);
+ break;
+ case SIGBUS:
+ audit_log_abend(ab, invalid pointer dereference,
 signr);
+ break;
+ case SIGFPE:
+ audit_log_abend(ab, invalid floating point
 instruction,
  signr);
+ break;
+ case SIGILL:
+ audit_log_abend(ab, illegal instruction, signr);
+ break;
+ case SIGSEGV:
+ audit_log_abend(ab, memory violation, signr);
+ break;
+ case SIGTRAP:
+ audit_log_abend(ab, bad instruction / debugger
 generated
  signal,
signr); + break;
+ case SIGXCPU:
+ audit_log_abend(ab, cpu time violation, signr);
+ break;
+ case SIGXFSZ:
+ audit_log_abend(ab, file size violation, signr);
+ break;
+ default:
+ audit_log_abend(ab, not defined, signr);
+ }
   
  audit_log_end(ab);
   
 }
 





-- 
Regards,
Paul Davies C
vivafoss.blogspot.com
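Steve's objection above (a value containing spaces in a space-separated key=value record gets split on parsing) and Eric's remark that the signal number already identifies the problem can both be checked from the consumer's side. The following is an added example, not code from this thread, from the kernel patches or from the audit userspace tools: it parses ANOM_ABEND records into fields the way a log consumer would, flags stray tokens left behind by a value with spaces, and names the signal from `sig=` with Python's `signal` module instead of relying on `reason=`. The first two records are the ones quoted in this thread; the third and fourth are constructed to show the hyphenated `reason=` Steve proposes, the `exe=` field from the later patch, and its `(null)` placeholder. The function names `parse_record`, `signal_name` and `summarize` are this example's own.

```python
"""Parse Linux audit ANOM_ABEND records as a log consumer would.

Added example for the linux-audit thread above; not code from the kernel
patches or from the audit userspace tools.  Audit records are a run of
space-separated key=value tokens, so a value that contains a space
(reason=memory violation) is split into a field and a stray word.
"""
import re
import signal
from typing import Dict, List, Tuple

# The first two records are the ones quoted in the thread.  The last two are
# constructed: a hyphenated reason= as Steve Grubb suggests, the exe= field
# added by the later patch, and the "(null)" placeholder for a missing path.
RECORDS = [
    "type=ANOM_ABEND msg=audit(1383644379.989:88): auid=1000 uid=1000 "
    "gid=1000 ses=5 pid=2688 comm=chrome reason=memory violation sig=11",
    "type=ANOM_ABEND msg=audit(1303339663.307:142): auid=4325 uid=0 gid=0 "
    "ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0 pid=3775 "
    "comm=aureport sig=11",
    'type=ANOM_ABEND msg=audit(1383644379.989:89): auid=1000 uid=1000 '
    'gid=1000 ses=5 pid=2690 comm="chrome" exe="/opt/google/chrome/chrome" '
    "reason=memory-violation sig=11",
    "type=ANOM_ABEND msg=audit(1383644379.989:90): auid=4294967295 uid=0 "
    "gid=0 ses=4294967295 pid=77 comm=kthread exe=(null) sig=6",
]

# A token is either key="quoted value" (may contain spaces) or a bare word.
TOKEN_RE = re.compile(r'\S+?="[^"]*"|\S+')
# msg=audit(<seconds>.<millis>:<serial>): carries the timestamp and serial.
MSG_RE = re.compile(r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):?")


def parse_record(line: str) -> Tuple[Dict[str, str], List[str]]:
    """Split one record into key/value fields plus any stray tokens.

    A stray token is a word with no '='; it is the tail of an earlier value
    that contained a space, exactly the failure mode raised in the thread.
    """
    fields: Dict[str, str] = {}
    stray: List[str] = []
    for match in TOKEN_RE.finditer(line):
        token = match.group(0)
        key, eq, value = token.partition("=")
        if not eq:
            stray.append(token)
            continue
        if key == "msg":
            msg = MSG_RE.fullmatch(value)
            if msg:
                fields["timestamp"] = msg.group("ts")
                fields["serial"] = msg.group("serial")
                continue
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]          # audit quotes values with special chars
        fields[key] = value
    return fields, stray


def signal_name(sig: str) -> str:
    """Name the signal from the sig= number, which is what the thread
    concludes a consumer should do instead of relying on a reason= string."""
    try:
        return signal.Signals(int(sig)).name
    except ValueError:
        return "UNKNOWN"


def summarize(line: str) -> Dict[str, str]:
    """Condense a record into what an admin wants: which program died, of
    what signal, and whether the record itself was well-formed."""
    fields, stray = parse_record(line)
    return {
        "serial": fields.get("serial", "?"),
        "pid": fields.get("pid", "?"),
        "comm": fields.get("comm", "?"),
        "exe": fields.get("exe", "<absent>"),   # field missing vs "(null)"
        "signal": signal_name(fields.get("sig", "")),
        "malformed": "yes" if stray else "no",
    }


if __name__ == "__main__":
    for rec in RECORDS:
        print(summarize(rec))
```

Run on the first record the parser yields `reason=memory` plus a stray `violation`, which is Steve's point; the hyphenated and quoted forms parse cleanly, and `exe` distinguishes a record where the field is absent (the original patch) from one carrying the `(null)` placeholder (v2).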

Re: [PATCH] Fixed reason field in audit signal logging

2013-11-07 Thread Paul Davies C
So we must drop the reason field for abnormal end due to signal delivery.


On Thu, Nov 7, 2013 at 9:23 PM, Eric Paris epa...@redhat.com wrote:

 On Thu, 2013-11-07 at 21:21 +0530, Paul Davies C wrote:
  So rather than logging reason=memory violation when a process ends
  abnormally due to any signal delivery, it will be better if we
  leave reason=undefined.

 reason=memory_violation  or invalid_pointer etc

 although maybe it should be just 'signal'... and you can get the signal
 number from the record

  Your thoughts?


  On Thu, Nov 7, 2013 at 9:12 PM, Eric Paris epa...@redhat.com wrote:
   On Thu, 2013-11-07 at 10:05 -0500, Steve Grubb wrote:
    On Thursday, November 07, 2013 09:43:24 AM Eric Paris wrote:
     On Thu, 2013-11-07 at 19:09 +0530, Paul Davies C wrote:
      The audit system logs the signals that lead to the abnormal end of a
      process. However, as of now, it always states the reason for failure
      of a process as memory violation regardless of the signal delivered.
      This is because the audit_core_dumps() function passes the reason for
      failure blindly to audit_log_abend() as memory violation.

      This patch changes the audit_core_dumps() function so as to pass the
      right reason to audit_log_abend() based on the signal received.

      Signed-off-by: Paul Davies C

     Acked-by: Eric Paris epa...@redhat.com

     But we really should wait for an Ack and thoughts from steve grubb

    I am confused. This is the abnormal end event I have:

    type=ANOM_ABEND msg=audit(1303339663.307:142): auid=4325 uid=0 gid=0 ses=1
    subj=unconfined_u:unconfined_r:unconfined_t:s0 pid=3775 comm=aureport sig=11

    Why / when did we start adding text explanations? We should not do that.
    We didn't have it before and it should not have been added. The signal
    number is enough to identify the problem.

   We started adding a reason when seccomp started sending ANOM_ABEND
   events as well.  It doesn't do so with a signal.  Agreed, the   is/was
   a bad idea...

    If we did need a reason= field, all these strings with spaces will get
    separated on parsing. They should be like memory-violation or
    received-abort. And would it be better to hide this in the audit_log_abend
    function? I honestly don't understand why this was added.

    -Steve

 ---

  kernel/auditsc.c |   31 ++-
  1 file changed, 30 insertions(+), 1 deletion(-)

 diff --git a/kernel/auditsc.c b/kernel/auditsc.c
 index 9845cb3..3cafd13 100644
 --- a/kernel/auditsc.c
 +++ b/kernel/auditsc.c
 @@ -2395,7 +2395,36 @@ void audit_core_dumps(long signr)

   ab = audit_log_start(NULL, GFP_KERNEL,
  AUDIT_ANOM_ABEND);
   if (unlikely(!ab))

   return;

 - audit_log_abend(ab, memory violation, signr);
 +
 + /*Identify the reason for failure based on signal
  delivered.*/
 + switch (signr) {
 + case SIGABRT:
 + audit_log_abend(ab, received abort,
  signr);
 + break;
 + case SIGBUS:
 + audit_log_abend(ab, invalid pointer
  dereference, signr);
 + break;
 + case SIGFPE:
 + audit_log_abend(ab, invalid floating
  point instruction,
   signr);
 + break;
 + case SIGILL:
 + audit_log_abend(ab, illegal
  instruction, signr);
 + break;
 + case SIGSEGV:
 + audit_log_abend(ab, memory
  violation, signr);
 + break;
 + case SIGTRAP:
 + audit_log_abend(ab, bad instruction /
  debugger generated
   signal,
 signr); + break;
 + case SIGXCPU:
 + audit_log_abend(ab, cpu time
  violation, signr);
 + break;
 + case SIGXFSZ:
 + audit_log_abend(ab, file size
  violation, signr);
 + break;
 + default

[PATCH] Dropped audit_log_abend()

2013-11-07 Thread Paul Davies C
audit_log_abend() is used only by audit_core_dumps(). Thus there is no
need to maintain audit_log_abend() as a separate function.

This patch drops audit_log_abend() and pushes its functionality back into
audit_core_dumps(). Apart from that, the reason field is also dropped from
being logged, since the reason can be deduced from the signal number.

Signed-off-by: Paul Davies C pauldavi...@gmail.com
---
 kernel/auditsc.c |   10 ++
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9845cb3..f2aa62a 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2368,13 +2368,6 @@ static void audit_log_task(struct audit_buffer *ab)
audit_log_untrustedstring(ab, current-comm);
 }
 
-static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
-{
-   audit_log_task(ab);
-   audit_log_format(ab,  reason=);
-   audit_log_string(ab, reason);
-   audit_log_format(ab,  sig=%ld, signr);
-}
 /**
  * audit_core_dumps - record information about processes that end abnormally
  * @signr: signal value
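Review bot: the commit message says audit_log_abend() has a single caller, but Eric noted earlier in this thread that seccomp also started sending ANOM_ABEND events with a reason; confirm that the seccomp audit path in this tree does not call audit_log_abend(), otherwise removing it here breaks the build. Also, the exe= patches elsewhere in this archive are based on the same `index 9845cb3` and carry `static void audit_log_abend(...)` as trailing context of their audit_log_task() hunk, so the two series will not both apply cleanly; whichever lands second needs a rebase.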
@@ -2395,7 +2388,8 @@ void audit_core_dumps(long signr)
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
if (unlikely(!ab))
return;
-   audit_log_abend(ab, memory violation, signr);
+   audit_log_task(ab);
+   audit_log_format(ab,  sig=%ld, signr);
audit_log_end(ab);
 }
 
-- 
1.7.9.5

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


SIGXCPU and Auditd

2013-11-05 Thread Paul Davies C

Hi,

Is there any way to make the auditd system log the SIGXCPU signal?
As of now, without writing any specific rules, SIGSEGV is getting
logged. In my log I found lines as below:

type=ANOM_ABEND msg=audit(1383644379.989:88): auid=1000 uid=1000
gid=1000 ses=5 pid=2688 comm=chrome reason=memory violation sig=11



Re: SIGXCPU and Auditd

2013-11-05 Thread Paul Davies C
In the man page it is written that core dump on SIGXCPU can fail.
That is probably the reason why it is not logged.