Re: [RFC PATCH ghak21 1/4] audit: make ANOM_LINK obey audit_enabled and audit_dummy_context
On Thu, Feb 15, 2018 at 5:51 PM, Paul Moore wrote: > On Thu, Feb 15, 2018 at 1:16 AM, Kees Cook wrote: >> On Wed, Feb 14, 2018 at 6:33 PM, Richard Guy Briggs wrote: >>> On 2018-02-14 09:51, Kees Cook wrote: On Wed, Feb 14, 2018 at 8:18 AM, Richard Guy Briggs wrote: > Audit link denied events emit disjointed records when audit is disabled. > No records should be emitted when audit is disabled. > > See: https://github.com/linux-audit/audit-kernel/issues/21 > Signed-off-by: Richard Guy Briggs > --- > kernel/audit.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/kernel/audit.c b/kernel/audit.c > index 227db99..4c3fd24 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -2261,6 +2261,9 @@ void audit_log_link_denied(const char *operation, > const struct path *link) > struct audit_buffer *ab; > struct audit_names *name; > > + if (!audit_enabled || audit_dummy_context()) > + return; > + > name = kzalloc(sizeof(*name), GFP_NOFS); > if (!name) > return; Doesn't this means errors here would be silent if audit isn't enabled? I don't that; sysadmins should see this notification regardless of the audit state... >>> >>> This is a user error and not a system error, so I would think if system >>> auditing is disabled, they don't care about this kind of error. >> >> It could indicate an attack attempt... > > We get beat up by several folks when we emit audit records with audit > disabled, and they have a very valid point. > > I'm not arguing that the information isn't useful, I'm arguing that if > you are interested in the sort of information that audit provides you > should enable audit. :) FYI, merged into audit/next. -- paul moore www.paul-moore.com -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
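The thread's practical outcome is that the link-denied notification only reaches an administrator through the audit stream, so anyone who wants Kees's "sysadmins should see this" has to enable audit and then watch for ANOM_LINK records. The following detector is an added example, not code from the thread or from the kernel tree: it parses constructed audit-log lines whose layout approximates the kernel's ANOM_LINK record (an op= field naming the denied operation, task fields, res=0, and a PATH record carrying the same serial number), joins each ANOM_LINK with its PATH record, and tolerates the "disjointed" case the commit message mentions, where the PATH record never arrives. The field names, sample values and the serial-based join are assumptions about the format, not something the thread states.

```python
import re
from collections import Counter

# Constructed sample log lines (not captured from a real system). The layout
# approximates what the kernel writes for a denied link operation: an ANOM_LINK
# record followed by a PATH record with the same audit serial (":201)").
# Serial 203 deliberately has no PATH record, to model a "disjointed" event.
SAMPLE_LOG = """\
type=ANOM_LINK msg=audit(1518700000.123:201): op=follow_link ppid=1201 pid=1340 auid=1000 uid=1000 gid=1000 ses=3 comm="cat" exe="/usr/bin/cat" res=0
type=PATH msg=audit(1518700000.123:201): item=0 name="/tmp/evil" inode=1234 dev=fd:01 mode=0120777 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1518700001.500:202): arch=c000003e syscall=2 success=yes exit=3 comm="vim" exe="/usr/bin/vim"
type=ANOM_LINK msg=audit(1518700005.000:203): op=linkat ppid=1201 pid=1350 auid=1000 uid=1000 gid=1000 ses=3 comm="ln" exe="/usr/bin/ln" res=0
"""

# "type=<NAME> msg=audit(<secs>.<ms>:<serial>): <key=value ...>"
HDR_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# key=value pairs; values are either double-quoted strings or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit line into its type, timestamp, serial and key=value fields.

    Returns None for lines that do not carry the audit header."""
    m = HDR_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {"type": rtype, "time": float(ts), "serial": int(serial), "fields": fields}


def parse_anom_link(text):
    """Return one dict per ANOM_LINK event, joined with any PATH record sharing its serial.

    Events whose PATH record is missing (the "disjointed" case) are still
    reported, with an empty path list, so they are not silently dropped."""
    events = {}
    paths = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["type"] == "ANOM_LINK":
            events[rec["serial"]] = rec
        elif rec["type"] == "PATH":
            paths.setdefault(rec["serial"], []).append(rec["fields"].get("name"))

    out = []
    for serial, rec in sorted(events.items()):
        f = rec["fields"]
        out.append({
            "serial": serial,
            "time": rec["time"],
            "op": f.get("op"),          # e.g. follow_link or linkat
            "auid": f.get("auid"),      # login uid: who is accountable
            "uid": f.get("uid"),
            "comm": f.get("comm"),
            "exe": f.get("exe"),
            "paths": paths.get(serial, []),
        })
    return out


def count_by_user_and_op(events):
    """Aggregate denials per (login uid, operation) for a quick triage view."""
    return Counter((e["auid"], e["op"]) for e in events)


if __name__ == "__main__":
    found = parse_anom_link(SAMPLE_LOG)
    for e in found:
        where = ", ".join(e["paths"]) or "<no PATH record>"
        print(f"serial={e['serial']} auid={e['auid']} op={e['op']} "
              f"comm={e['comm']} path={where}")
    for (auid, op), n in count_by_user_and_op(found).items():
        print(f"auid={auid} op={op} count={n}")
```

Run against a real log the parser should be fed the audit.log file contents rather than SAMPLE_LOG; the join on the serial number is what lets an analyst see which path a user was denied access to, and the empty-path case is exactly what "disjointed records" would look like to the reader.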
Re: [RFC PATCH ghak21 1/4] audit: make ANOM_LINK obey audit_enabled and audit_dummy_context
On Thu, Feb 15, 2018 at 1:16 AM, Kees Cook wrote: > On Wed, Feb 14, 2018 at 6:33 PM, Richard Guy Briggs wrote: >> On 2018-02-14 09:51, Kees Cook wrote: >>> On Wed, Feb 14, 2018 at 8:18 AM, Richard Guy Briggs wrote: >>> > Audit link denied events emit disjointed records when audit is disabled. >>> > No records should be emitted when audit is disabled. >>> > >>> > See: https://github.com/linux-audit/audit-kernel/issues/21 >>> > Signed-off-by: Richard Guy Briggs >>> > --- >>> > kernel/audit.c | 3 +++ >>> > 1 file changed, 3 insertions(+) >>> > >>> > diff --git a/kernel/audit.c b/kernel/audit.c >>> > index 227db99..4c3fd24 100644 >>> > --- a/kernel/audit.c >>> > +++ b/kernel/audit.c >>> > @@ -2261,6 +2261,9 @@ void audit_log_link_denied(const char *operation, >>> > const struct path *link) >>> > struct audit_buffer *ab; >>> > struct audit_names *name; >>> > >>> > + if (!audit_enabled || audit_dummy_context()) >>> > + return; >>> > + >>> > name = kzalloc(sizeof(*name), GFP_NOFS); >>> > if (!name) >>> > return; >>> >>> Doesn't this means errors here would be silent if audit isn't enabled? >>> I don't that; sysadmins should see this notification regardless of the >>> audit state... >> >> This is a user error and not a system error, so I would think if system >> auditing is disabled, they don't care about this kind of error. > > It could indicate an attack attempt... We get beat up by several folks when we emit audit records with audit disabled, and they have a very valid point. I'm not arguing that the information isn't useful, I'm arguing that if you are interested in the sort of information that audit provides you should enable audit. :) -- paul moore www.paul-moore.com -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [RFC PATCH ghak21 1/4] audit: make ANOM_LINK obey audit_enabled and audit_dummy_context
On Wed, Feb 14, 2018 at 6:33 PM, Richard Guy Briggs wrote: > On 2018-02-14 09:51, Kees Cook wrote: >> On Wed, Feb 14, 2018 at 8:18 AM, Richard Guy Briggs wrote: >> > Audit link denied events emit disjointed records when audit is disabled. >> > No records should be emitted when audit is disabled. >> > >> > See: https://github.com/linux-audit/audit-kernel/issues/21 >> > Signed-off-by: Richard Guy Briggs >> > --- >> > kernel/audit.c | 3 +++ >> > 1 file changed, 3 insertions(+) >> > >> > diff --git a/kernel/audit.c b/kernel/audit.c >> > index 227db99..4c3fd24 100644 >> > --- a/kernel/audit.c >> > +++ b/kernel/audit.c >> > @@ -2261,6 +2261,9 @@ void audit_log_link_denied(const char *operation, >> > const struct path *link) >> > struct audit_buffer *ab; >> > struct audit_names *name; >> > >> > + if (!audit_enabled || audit_dummy_context()) >> > + return; >> > + >> > name = kzalloc(sizeof(*name), GFP_NOFS); >> > if (!name) >> > return; >> >> Doesn't this means errors here would be silent if audit isn't enabled? >> I don't that; sysadmins should see this notification regardless of the >> audit state... > > This is a user error and not a system error, so I would think if system > auditing is disabled, they don't care about this kind of error. It could indicate an attack attempt... -Kees > > Steve? > >> -Kees > > - RGB > > -- > Richard Guy Briggs > Sr. S/W Engineer, Kernel Security, Base Operating Systems > Remote, Ottawa, Red Hat Canada > IRC: rgb, SunRaycer > Voice: +1.647.777.2635, Internal: (81) 32635 -- Kees Cook Pixel Security -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [RFC PATCH ghak21 1/4] audit: make ANOM_LINK obey audit_enabled and audit_dummy_context
On 2018-02-14 09:51, Kees Cook wrote: > On Wed, Feb 14, 2018 at 8:18 AM, Richard Guy Briggs wrote: > > Audit link denied events emit disjointed records when audit is disabled. > > No records should be emitted when audit is disabled. > > > > See: https://github.com/linux-audit/audit-kernel/issues/21 > > Signed-off-by: Richard Guy Briggs > > --- > > kernel/audit.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/kernel/audit.c b/kernel/audit.c > > index 227db99..4c3fd24 100644 > > --- a/kernel/audit.c > > +++ b/kernel/audit.c > > @@ -2261,6 +2261,9 @@ void audit_log_link_denied(const char *operation, > > const struct path *link) > > struct audit_buffer *ab; > > struct audit_names *name; > > > > + if (!audit_enabled || audit_dummy_context()) > > + return; > > + > > name = kzalloc(sizeof(*name), GFP_NOFS); > > if (!name) > > return; > > Doesn't this means errors here would be silent if audit isn't enabled? > I don't that; sysadmins should see this notification regardless of the > audit state... This is a user error and not a system error, so I would think if system auditing is disabled, they don't care about this kind of error. Steve? > -Kees - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [RFC PATCH ghak21 1/4] audit: make ANOM_LINK obey audit_enabled and audit_dummy_context
On Wed, Feb 14, 2018 at 8:18 AM, Richard Guy Briggs wrote: > Audit link denied events emit disjointed records when audit is disabled. > No records should be emitted when audit is disabled. > > See: https://github.com/linux-audit/audit-kernel/issues/21 > Signed-off-by: Richard Guy Briggs > --- > kernel/audit.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/kernel/audit.c b/kernel/audit.c > index 227db99..4c3fd24 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -2261,6 +2261,9 @@ void audit_log_link_denied(const char *operation, const > struct path *link) > struct audit_buffer *ab; > struct audit_names *name; > > + if (!audit_enabled || audit_dummy_context()) > + return; > + > name = kzalloc(sizeof(*name), GFP_NOFS); > if (!name) > return; Doesn't this means errors here would be silent if audit isn't enabled? I don't that; sysadmins should see this notification regardless of the audit state... -Kees -- Kees Cook Pixel Security -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
[RFC PATCH ghak21 1/4] audit: make ANOM_LINK obey audit_enabled and audit_dummy_context
Audit link denied events emit disjointed records when audit is disabled. No records should be emitted when audit is disabled. See: https://github.com/linux-audit/audit-kernel/issues/21 Signed-off-by: Richard Guy Briggs --- kernel/audit.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/audit.c b/kernel/audit.c index 227db99..4c3fd24 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2261,6 +2261,9 @@ void audit_log_link_denied(const char *operation, const struct path *link) struct audit_buffer *ab; struct audit_names *name; + if (!audit_enabled || audit_dummy_context()) + return; + name = kzalloc(sizeof(*name), GFP_NOFS); if (!name) return; -- 1.8.3.1 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
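Review bot: the commit message only says records are suppressed "when audit is disabled", but the added check returns early on two different conditions, `if (!audit_enabled || audit_dummy_context())`, and the second one is not the same as audit being disabled: a task's context is dummy when audit is enabled but no audit rules are loaded, so after this change ANOM_LINK records also need at least one rule to be present. Either the message should state that (which is what the reply thread ends up debating) or the dummy-context half should be dropped if the intent really is only to honour audit_enabled. Placing the check ahead of `name = kzalloc(sizeof(*name), GFP_NOFS);` is the right spot, since nothing is allocated on the skipped path and no cleanup is needed.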