Re: [PATCH ghak21 V2 0/4] audit: address ANOM_LINK excess records
On Mon, Mar 12, 2018 at 11:17 AM, Steve Grubb wrote: > On Mon, 12 Mar 2018 02:31:16 -0400 > Richard Guy Briggs wrote: > >> Audit link denied events were being unexpectedly produced in a >> disjoint way when audit was disabled, and when they were expected, >> there were duplicate PATH records. This patchset addresses both >> issues for symlinks and hardlinks. >> >> This was introduced with >> commit b24a30a7305418ff138ff51776fc555ec57c011a >> ("audit: fix event coverage of AUDIT_ANOM_LINK") >> commit a51d9eaa41866ab6b4b6ecad7b621f8b66ece0dc >> ("fs: add link restriction audit reporting") >> >> Here are the resulting events: >> >> symlink: >> type=PROCTITLE msg=audit(03/12/2018 02:21:49.578:310) : >> proctitle=ls ./my-passwd type=PATH msg=audit(03/12/2018 >> 02:21:49.578:310) : item=1 name=/tmp/ inode=13529 dev=00:27 >> mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 >> obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none >> cap_fi=none cap_fe=0 cap_fver=0 type=PATH msg=audit(03/12/2018 >> 02:21:49.578:310) : item=0 name=./my-passwd inode=17090 dev=00:27 >> mode=link,777 ouid=rgb ogid=rgb rdev=00:00 >> obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none >> cap_fi=none cap_fe=0 cap_fver=0 type=CWD msg=audit(03/12/2018 >> 02:21:49.578:310) : cwd=/tmp type=SYSCALL msg=audit(03/12/2018 >> 02:21:49.578:310) : arch=x86_64 syscall=stat success=no >> exit=EACCES(Permission denied) a0=0x7ffd79950dda a1=0x563f658a03c8 >> a2=0x563f658a03c8 a3=0x79950d00 items=2 ppid=552 pid=629 auid=root >> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root >> fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls >> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) >> type=ANOM_LINK msg=audit(03/12/2018 02:21:49.578:310) : >> op=follow_link ppid=552 pid=629 auid=root uid=root gid=root euid=root >> suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 >> comm=ls exe=/usr/bin/ls > > So, if we now only emit the ANOM_LINK event when audit is enabled, we > should get rid of all the duplicate information in that record. The > SYSCALL record has all that information. As discussed previously, I'm not going to merge any patches which remove fields from existing records. -- paul moore www.paul-moore.com -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH ghak21 V2 0/4] audit: address ANOM_LINK excess records
On Mon, 12 Mar 2018 02:31:16 -0400 Richard Guy Briggs wrote: > Audit link denied events were being unexpectedly produced in a > disjoint way when audit was disabled, and when they were expected, > there were duplicate PATH records. This patchset addresses both > issues for symlinks and hardlinks. > > This was introduced with > commit b24a30a7305418ff138ff51776fc555ec57c011a > ("audit: fix event coverage of AUDIT_ANOM_LINK") > commit a51d9eaa41866ab6b4b6ecad7b621f8b66ece0dc > ("fs: add link restriction audit reporting") > > Here are the resulting events: > > symlink: > type=PROCTITLE msg=audit(03/12/2018 02:21:49.578:310) : > proctitle=ls ./my-passwd type=PATH msg=audit(03/12/2018 > 02:21:49.578:310) : item=1 name=/tmp/ inode=13529 dev=00:27 > mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 > obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none > cap_fi=none cap_fe=0 cap_fver=0 type=PATH msg=audit(03/12/2018 > 02:21:49.578:310) : item=0 name=./my-passwd inode=17090 dev=00:27 > mode=link,777 ouid=rgb ogid=rgb rdev=00:00 > obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none > cap_fi=none cap_fe=0 cap_fver=0 type=CWD msg=audit(03/12/2018 > 02:21:49.578:310) : cwd=/tmp type=SYSCALL msg=audit(03/12/2018 > 02:21:49.578:310) : arch=x86_64 syscall=stat success=no > exit=EACCES(Permission denied) a0=0x7ffd79950dda a1=0x563f658a03c8 > a2=0x563f658a03c8 a3=0x79950d00 items=2 ppid=552 pid=629 auid=root > uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root > fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) > type=ANOM_LINK msg=audit(03/12/2018 02:21:49.578:310) : > op=follow_link ppid=552 pid=629 auid=root uid=root gid=root euid=root > suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 > comm=ls exe=/usr/bin/ls So, if we now only emit the ANOM_LINK event when audit is enabled, we should get rid of all the duplicate information in that record. The SYSCALL record has all that information. -Steve > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no > hardlink: type=PROCTITLE msg=audit(03/12/2018 > 02:24:39.813:314) : proctitle=ln test test-ln type=PATH > msg=audit(03/12/2018 02:24:39.813:314) : item=1 name=/tmp inode=13529 > dev=00:27 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 > obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none > cap_fi=none cap_fe=0 cap_fver=0 type=PATH msg=audit(03/12/2018 > 02:24:39.813:314) : item=0 name=test inode=18112 dev=00:27 > mode=file,700 ouid=root ogid=root rdev=00:00 > obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none > cap_fi=none cap_fe=0 cap_fver=0 type=CWD msg=audit(03/12/2018 > 02:24:39.813:314) : cwd=/tmp type=SYSCALL msg=audit(03/12/2018 > 02:24:39.813:314) : arch=x86_64 syscall=linkat success=no > exit=EPERM(Operation not permitted) a0=0xff9c a1=0x7ffccba77629 > a2=0xff9c a3=0x7ffccba7762e items=2 ppid=605 pid=638 auid=rgb > uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb > fsgid=rgb tty=pts0 ses=4 comm=ln exe=/usr/bin/ln > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) > type=ANOM_LINK msg=audit(03/12/2018 02:24:39.813:314) : op=linkat > ppid=605 pid=638 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb > egid=rgb sgid=rgb fsgid=rgb tty=pts0 ses=4 comm=ln exe=/usr/bin/ln > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no > > See: https://github.com/linux-audit/audit-kernel/issues/21 > See also: https://github.com/linux-audit/audit-kernel/issues/51 > > Richard Guy Briggs (4): > audit: make ANOM_LINK obey audit_enabled and audit_dummy_context > audit: link denied should not directly generate PATH record > audit: add refused symlink to audit_names > audit: add parent of refused symlink to audit_names > > fs/namei.c| 5 +++-- > include/linux/audit.h | 9 + > kernel/audit.c| 43 > --- 3 files changed, 40 > insertions(+), 17 deletions(-) > -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH ghak21 V2 0/4] audit: address ANOM_LINK excess records
On 2018-03-12 02:31, Richard Guy Briggs wrote: > Audit link denied events were being unexpectedly produced in a disjoint > way when audit was disabled, and when they were expected, there were > duplicate PATH records. This patchset addresses both issues for > symlinks and hardlinks. > > This was introduced with > commit b24a30a7305418ff138ff51776fc555ec57c011a > ("audit: fix event coverage of AUDIT_ANOM_LINK") > commit a51d9eaa41866ab6b4b6ecad7b621f8b66ece0dc > ("fs: add link restriction audit reporting") > > Here are the resulting events: > > symlink: > type=PROCTITLE msg=audit(03/12/2018 02:21:49.578:310) : proctitle=ls > ./my-passwd > type=PATH msg=audit(03/12/2018 02:21:49.578:310) : item=1 name=/tmp/ > inode=13529 dev=00:27 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 > obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none > cap_fe=0 cap_fver=0 > type=PATH msg=audit(03/12/2018 02:21:49.578:310) : item=0 name=./my-passwd > inode=17090 dev=00:27 mode=link,777 ouid=rgb ogid=rgb rdev=00:00 > obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none > cap_fi=none cap_fe=0 cap_fver=0 > type=CWD msg=audit(03/12/2018 02:21:49.578:310) : cwd=/tmp > type=SYSCALL msg=audit(03/12/2018 02:21:49.578:310) : arch=x86_64 > syscall=stat success=no exit=EACCES(Permission denied) a0=0x7ffd79950dda > a1=0x563f658a03c8 a2=0x563f658a03c8 a3=0x79950d00 items=2 ppid=552 pid=629 > auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root > sgid=root fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) > type=ANOM_LINK msg=audit(03/12/2018 02:21:49.578:310) : op=follow_link > ppid=552 pid=629 auid=root uid=root gid=root euid=root suid=root fsuid=root > egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=ls exe=/usr/bin/ls > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no > > hardlink: > type=PROCTITLE msg=audit(03/12/2018 02:24:39.813:314) : proctitle=ln test > test-ln > type=PATH msg=audit(03/12/2018 02:24:39.813:314) : item=1 name=/tmp > inode=13529 dev=00:27 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 > obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none > cap_fe=0 cap_fver=0 > type=PATH msg=audit(03/12/2018 02:24:39.813:314) : item=0 name=test > inode=18112 dev=00:27 mode=file,700 ouid=root ogid=root rdev=00:00 > obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none > cap_fi=none cap_fe=0 cap_fver=0 > type=CWD msg=audit(03/12/2018 02:24:39.813:314) : cwd=/tmp > type=SYSCALL msg=audit(03/12/2018 02:24:39.813:314) : arch=x86_64 > syscall=linkat success=no exit=EPERM(Operation not permitted) a0=0xff9c > a1=0x7ffccba77629 a2=0xff9c a3=0x7ffccba7762e items=2 ppid=605 pid=638 > auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb > fsgid=rgb tty=pts0 ses=4 comm=ln exe=/usr/bin/ln > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) > type=ANOM_LINK msg=audit(03/12/2018 02:24:39.813:314) : op=linkat ppid=605 > pid=638 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb > sgid=rgb fsgid=rgb tty=pts0 ses=4 comm=ln exe=/usr/bin/ln > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no > > See: https://github.com/linux-audit/audit-kernel/issues/21 > See also: https://github.com/linux-audit/audit-kernel/issues/51 > > Richard Guy Briggs (4): > audit: make ANOM_LINK obey audit_enabled and audit_dummy_context > audit: link denied should not directly generate PATH record > audit: add refused symlink to audit_names > audit: add parent of refused symlink to audit_names > > fs/namei.c| 5 +++-- > include/linux/audit.h | 9 + > kernel/audit.c| 43 --- > 3 files changed, 40 insertions(+), 17 deletions(-) > > -- Changelog: v2: - remove now supperfluous struct path * parameter from audit_log_link_denied() - refactor audit_log_symlink_denied() to properly free memory (pathname, filename) > 1.8.3.1 > - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit