Re: iptables audit target causes kernel panic with iptables-persistent (kernel 3.2.78)

2016-04-26 Thread Paul Moore
bian kernel packagers/maintainers, or doing a git-bisect of the Debian kernel if you are comfortable with that sort of thing. > On 26.04.2016 21:54, Paul Moore wrote: >>> >>> >>> I cannot reproduce it on (one of) previous kernel version: >>> >>>

Re: [RFC PATCH] audit: normalize NETFILTER_PKT

2017-02-03 Thread Paul Moore
erested in data import/export I think auditing the socket syscalls would provide a much more useful set of records in the audit log. Considering that one of the primary motivations for the audit subsystem is to enable compliance with various security specifications, let's get the ones we know about liste

Re: [RFC PATCH] audit: normalize NETFILTER_PKT

2017-02-08 Thread Paul Moore
On Wed, Feb 8, 2017 at 7:32 AM, Richard Guy Briggs <r...@redhat.com> wrote: > On 2017-02-07 23:02, Paul Moore wrote: >> On Tue, Feb 7, 2017 at 4:22 PM, Richard Guy Briggs <r...@redhat.com> wrote: >> > On 2017-02-06 14:41, Paul Moore wrote: >> >> On Sat

Re: AUDIT_NETFILTER_PKT message format

2017-02-08 Thread Paul Moore
On Wed, Feb 8, 2017 at 11:30 AM, Steve Grubb <sgr...@redhat.com> wrote: > On Tuesday, February 7, 2017 10:56:39 PM EST Paul Moore wrote: >> On Tue, Feb 7, 2017 at 3:52 PM, Richard Guy Briggs <r...@redhat.com> wrote: >> > So while I'm not advocating this is what

Re: [RFC PATCH] audit: normalize NETFILTER_PKT

2017-02-06 Thread Paul Moore
On Sat, Feb 4, 2017 at 8:25 AM, Steve Grubb <sgr...@redhat.com> wrote: > On Friday, February 3, 2017 6:44:16 PM EST Paul Moore wrote: >> I'm still trying to understand what purpose this record actually >> serves, and what requirements may exist. In an earlier thread >>

Re: AUDIT_NETFILTER_PKT message format

2017-02-07 Thread Paul Moore
ng this machine > without a local endpoint? I'm still waiting on more detailed requirements information from Steve, but based on what we've heard so far, it seems that ignoring forwarded traffic is a reasonable thing to do. -- paul moore security @ redhat -- To unsubscribe from this list: send the

Re: AUDIT_NETFILTER_PKT message format

2017-01-21 Thread Paul Moore
x audit subsystem simply logs system events; it does not enforce security policy. I suggest you investigate the different Linux firewall tools and LSMs, e.g. SELinux, as they should help you accomplish what you describe. -- paul moore www.paul-moore.com

Re: AUDIT_NETFILTER_PKT message format

2017-01-20 Thread Paul Moore
On Fri, Jan 20, 2017 at 9:49 AM, Steve Grubb <sgr...@redhat.com> wrote: > On Wednesday, January 18, 2017 6:35:29 PM EST Paul Moore wrote: >> At this point I think it would be good to hear what requirements exist >> for per-packet auditing. Steve, are there any current Common

Re: AUDIT_NETFILTER_PKT message format

2017-02-16 Thread Paul Moore
t you can do in some cases is to link the packet to the socket, and that isn't going to help you. -- paul moore www.paul-moore.com

Re: AUDIT_NETFILTER_PKT message format

2017-02-17 Thread Paul Moore
On Thu, Feb 16, 2017 at 5:36 PM, Richard Guy Briggs <r...@redhat.com> wrote: > On 2017-02-15 19:32, Paul Moore wrote: >> On Mon, Feb 13, 2017 at 7:24 PM, Richard Guy Briggs <r...@redhat.com> wrote: >> > On 2017-02-13 18:50, Paul Moore wrote: >> >> On

Re: [PATCH V2] audit: normalize NETFILTER_PKT

2017-02-23 Thread Paul Moore
(from what I can tell). As for the configuration complexity, I think it is safe to say that any users of the NETFILTER_PKT record already have a sufficiently complex system configuration and the added complexity here may not be significant; in fact, the existing nfmark configuration may be helpful

Re: [PATCH V2] audit: normalize NETFILTER_PKT

2017-02-23 Thread Paul Moore
On Thu, Feb 23, 2017 at 12:35 PM, Richard Guy Briggs <r...@redhat.com> wrote: > On 2017-02-23 12:14, Paul Moore wrote: >> On Thu, Feb 23, 2017 at 12:13 PM, Richard Guy Briggs <r...@redhat.com> wrote: >> > On 2017-02-23 12:06, Paul Moore wrote: >> >> On

Re: [PATCH V2] audit: normalize NETFILTER_PKT

2017-02-23 Thread Paul Moore
Ok, to clarify the implications, are you saying that handing a NULL > pointer to "saddr=%pI4" will print "0.0.0.0" rather than "(none)" or "?" My initial reaction is that if the packet is so badly truncated/malformed that we don't have a full IP header then we shou

Re: [PATCH V2] audit: normalize NETFILTER_PKT

2017-02-23 Thread Paul Moore
On Thu, Feb 23, 2017 at 12:13 PM, Richard Guy Briggs <r...@redhat.com> wrote: > On 2017-02-23 12:06, Paul Moore wrote: >> On Thu, Feb 23, 2017 at 12:04 PM, Richard Guy Briggs <r...@redhat.com> wrote: >> > On 2017-02-23 11:57, Paul Moore wrote: >> >> On

Re: [PATCH V2] audit: normalize NETFILTER_PKT

2017-02-23 Thread Paul Moore
On Thu, Feb 23, 2017 at 12:04 PM, Richard Guy Briggs <r...@redhat.com> wrote: > On 2017-02-23 11:57, Paul Moore wrote: >> On Thu, Feb 23, 2017 at 10:51 AM, Richard Guy Briggs <r...@redhat.com> wrote: >> > On 2017-02-23 06:20, Florian Westphal wrote: >> >>

Re: AUDIT_NETFILTER_PKT message format

2017-02-13 Thread Paul Moore
ful proto > helpful sport, dport Assuming "proto" means the TCP/UDP/etc. then we should treat the proto/ports as one block; you can't log the ports without logging "proto". > useless?frag > useless?truncated Yes, useless. > helpful

Re: AUDIT_NETFILTER_PKT message format

2017-02-09 Thread Paul Moore
On Thu, Feb 9, 2017 at 5:56 AM, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > Hi Paul, > > On Wed, Feb 08, 2017 at 06:09:07PM -0500, Paul Moore wrote: >> On Wed, Feb 8, 2017 at 11:30 AM, Steve Grubb <sgr...@redhat.com> wrote: >> > On Tuesday, February 7, 2

Re: AUDIT_NETFILTER_PKT message format

2017-02-15 Thread Paul Moore
On Mon, Feb 13, 2017 at 7:24 PM, Richard Guy Briggs <r...@redhat.com> wrote: > On 2017-02-13 18:50, Paul Moore wrote: >> On Mon, Feb 13, 2017 at 3:50 PM, Richard Guy Briggs <r...@redhat.com> wrote: ... >> > helpful action, hook >> >> I haven't ch

Re: AUDIT_NETFILTER_PKT message format

2017-01-18 Thread Paul Moore
On Wed, Jan 18, 2017 at 12:39 AM, Richard Guy Briggs <r...@redhat.com> wrote: > On 2017-01-17 21:34, Richard Guy Briggs wrote: >> On 2017-01-17 15:17, Paul Moore wrote: >> > On Tue, Jan 17, 2017 at 11:12 AM, Richard Guy Briggs <r...@redhat.com> >> > wrote:

Re: AUDIT_NETFILTER_PKT message format

2017-01-18 Thread Paul Moore
On Wed, Jan 18, 2017 at 10:15 AM, Richard Guy Briggs <r...@redhat.com> wrote: > On 2017-01-18 07:32, Paul Moore wrote: >> On Wed, Jan 18, 2017 at 12:39 AM, Richard Guy Briggs <r...@redhat.com> wrote: >> > On 2017-01-17 21:34, Richard Guy Briggs wrote: >> >

Re: AUDIT_NETFILTER_PKT message format

2017-01-17 Thread Paul Moore
packet's secmark should be recorded via a dedicated field, e.g. "secmark", and not use the "subj" field (it isn't a subject label in the traditional sense). -- paul moore www.paul-moore.com

Re: [PATCH V4 1/2] netfilter: xt_AUDIT: use consistent ipv4 network offset

2017-03-23 Thread Paul Moore
nter(skb, skb_network_offset(skb), sizeof(_iph), >> > &_iph); >> >> This update is completely pointless. > > Its point is to be consistent with audit_ip6() and to prevent further > time consumed by confusion and head-scratching. I know it is slightly > sl

Re: [PATCH V4 2/2] audit: normalize NETFILTER_PKT

2017-03-23 Thread Paul Moore
y) { > + case NFPROTO_BRIDGE: > + switch (eth_hdr(skb)->h_proto) { > + case htons(ETH_P_IP): > + fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1; > + break; > + case htons(ETH_P_IPV6): > +

Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-03-03 Thread Paul Moore
On Fri, Mar 3, 2017 at 8:22 AM, Florian Westphal <f...@strlen.de> wrote: > Paul Moore <p...@paul-moore.com> wrote: >> On Fri, Mar 3, 2017 at 7:45 AM, Florian Westphal <f...@strlen.de> wrote: >> > Richard Guy Briggs <r...@redhat.com> wrote: >> >>

Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-03-03 Thread Paul Moore
hat means we need to tweak userspace a bit, please work with Steve on that. -- paul moore www.paul-moore.com

Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-03-02 Thread Paul Moore
On Wed, Mar 1, 2017 at 5:34 PM, Richard Guy Briggs <r...@redhat.com> wrote: > On 2017-03-01 17:19, Paul Moore wrote: >> On Wed, Mar 1, 2017 at 11:28 AM, Richard Guy Briggs <r...@redhat.com> wrote: >> > On 2017-02-28 17:22, Paul Moore wrote: >> >> On Sun, F

Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-03-02 Thread Paul Moore
On Thu, Mar 2, 2017 at 9:00 PM, Richard Guy Briggs <r...@redhat.com> wrote: > On 2017-03-02 19:16, Paul Moore wrote: >> On Wed, Mar 1, 2017 at 5:34 PM, Richard Guy Briggs <r...@redhat.com> wrote: >> > On 2017-03-01 17:19, Paul Moore wrote: >> >> On Wed, M

Re: [PATCH 5/6 RFC] netfilter: add audit operation field

2017-06-02 Thread Paul Moore
; > audit_log_end(ab); > @@ -1209,7 +1210,7 @@ struct xt_table_info *xt_replace_table(struct xt_table > *table, > AUDIT_NETFILTER_CFGSOLO); > if (ab) { >

Re: [PATCH 4/6 RFC] netfilter: ebtables: audit table registration

2017-06-02 Thread Paul Moore
; + audit_log_format(ab, " family=%u table=%s > entries=%u", > +AF_BRIDGE, repl->name, > + repl->nentries); > + au

Re: [PATCH 3/6 RFC] netfilter: audit only on xtables and ebtables syscall rule or standalone

2017-06-02 Thread Paul Moore
to go, but that idea needed to settle a bit more before > seeing peer review. > > I'm also having doubts about two record types. Richard and I had a discussion about this a week (or two?) ago and I'm currently of the opinion that two record types are a mistake. I agree that we need to

Re: [PATCH 6/6 RFC] netfilter: add audit netns ID

2017-06-02 Thread Paul Moore
inode number (minus the >> starting offset) in decimal, it was very clear what was happening and >> seemed worth sharing that debugging tool patch. > > If the appropriate device number and full inode number is included I > don't have any deep problems with the idea. I

Re: [PATCH ghak81 RFC V2 1/5] audit: normalize loginuid read access

2018-05-14 Thread Paul Moore
uid = uid; > security_task_getsecid(tsk, _sig_sid); A gentle reminder that you should try to make your patches as "checkpatch clean" as possible (see scripts/checkpatch.pl). There are several 80-char warnings, which aren't fatal, but the big no-no is below: ERROR:

Re: [PATCH ghak81 RFC V2 2/5] audit: convert sessionid unset to a macro

2018-05-14 Thread Paul Moore
ng or clearing? */ > if (uid_valid(loginuid)) { > sessionid = (unsigned int)atomic_inc_return(_id); > - if (unlikely(sessionid == (unsigned int)-1)) > + if (unlikely(sessionid == AUDIT_SID_UNSET)) > sessionid = (unsigned > int)atomic_inc_return(_id); > } > > -- > 1.8.3.1 > -- paul moore www.paul-moore.com
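Review bot: the swap of the literal `(unsigned int)-1` for `AUDIT_SID_UNSET` in the `if (unlikely(sessionid == ...))` check only keeps behaviour unchanged if the macro expands to exactly `(unsigned int)-1`; the define is not among the visible lines, so quote it in the commit message (or in the patch that introduces it) so reviewers can confirm the re-increment still triggers on the same wrapped value from atomic_inc_return.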

Re: [PATCH ghak81 RFC V2 3/5] audit: use inline function to get audit context

2018-05-14 Thread Paul Moore
| 12 +++ > 15 files changed, 64 insertions(+), 60 deletions(-) Merged, but there was some fuzz due to the missing 1/5 patch and a handful of checkpatch.pl fixes. Please take a look at the commit in the audit/next branch and if anything looks awry please send a patch to fix it. -- paul moore www.paul

Re: [PATCH ghak81 RFC V2 5/5] audit: collect audit task parameters

2018-05-14 Thread Paul Moore
*tsk, > int return_valid, > long return_code) > { > - struct audit_context *context = tsk->audit_context; > + struct audit_context *context = tsk->audit.ctx; >

Re: [PATCH ghak81 RFC V2 4/5] audit: use inline function to set audit context

2018-05-14 Thread Paul Moore
> > Signed-off-by: Richard Guy Briggs <r...@redhat.com> > --- > include/linux/audit.h | 6 ++ > kernel/auditsc.c | 7 +++ > kernel/fork.c | 2 +- > 3 files changed, 10 insertions(+), 5 deletions(-) Merged with some minor fuzz. -- paul moore www.paul-

Re: [PATCH ghak81 RFC V1 0/5] audit: group task params

2018-05-09 Thread Paul Moore
+- > security/integrity/integrity_audit.c | 2 +- > security/lsm_audit.c | 2 +- > security/selinux/hooks.c | 4 +- > security/selinux/selinuxfs.c | 6 +-- > security/selinux/ss/services.c | 12 +++--- > 21 files changed, 129 insertions(+),

Re: [PATCH ghak81 RFC V1 1/5] audit: normalize loginuid read access

2018-05-09 Thread Paul Moore
t away loginuid accesses (which I think is good), we should probably access it once, store it in a local variable, perform the validity check on the local variable, then commit the local variable to audit_sig_uid. I realize a TOCTOU problem is unlikely here, but with this new layer of abstr

Re: [PATCH ghak81 RFC V1 2/5] audit: convert sessionid unset to a macro

2018-05-09 Thread Paul Moore
if (unlikely(sessionid == (unsigned int)-1)) >> + if (unlikely(sessionid == AUDIT_SID_UNSET)) >> sessionid = (unsigned >> int)atomic_inc_return(_id); >> } >> >> -- >> 1.8.3.1 >> >> -- >> Linux-au

Re: [PATCH ghak81 RFC V1 5/5] audit: collect audit task parameters

2018-05-09 Thread Paul Moore
SID_UNSET, > + .ctx= NULL, > + }, > #endif > #ifdef CONFIG_PERF_EVENTS > .perf_event_mutex = __MUTEX_INITIALIZER(init_task.perf_event_mutex), > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index f294e4a..b5d8bff 100644 > -

Re: [PATCH ghak81 V3 2/3] audit: normalize loginuid read access

2018-05-17 Thread Paul Moore
_uid(t); > > if (auditd_test_task(t) && > (sig == SIGTERM || sig == SIGHUP || > sig == SIGUSR1 || sig == SIGUSR2)) { > audit_sig_pid = task_tgid_nr(current); > - if (uid_valid(current->loginuid)) > -

Re: [PATCH ghak81 V3 1/3] audit: use new audit_context access function for seccomp_actions_logged

2018-05-17 Thread Paul Moore
audit_log_start(current->audit_context, GFP_KERNEL, > + ab = audit_log_start(audit_context(), GFP_KERNEL, > AUDIT_CONFIG_CHANGE); > if (unlikely(!ab)) > return; > -- > 1.8.3.1 -- paul moore www.paul-moore.com

Re: [PATCH ghak81 V3 3/3] audit: collect audit task parameters

2018-05-17 Thread Paul Moore
audit_kill_trees(>killed_trees); > > @@ -2071,8 +2104,8 @@ int audit_set_loginuid(kuid_t loginuid) > sessionid = (unsigned > int)atomic_inc_return(_id); > } > > - task->sessionid = sessionid; > - task->loginuid = loginuid; > + task->audit->sessionid = sessionid; > + task->audit->loginuid = loginuid; > out: > audit_log_set_loginuid(oldloginuid, loginuid, oldsessionid, > sessionid, rc); > return rc; > diff --git a/kernel/fork.c b/kernel/fork.c > index cd18448..92ab849 100644 > --- a/kernel/fork.c > +++ b/kernel/fork.c > @@ -1713,7 +1713,7 @@ static __latent_entropy struct task_struct > *copy_process( > p->start_time = ktime_get_ns(); > p->real_start_time = ktime_get_boot_ns(); > p->io_context = NULL; > - audit_set_context(p, NULL); > + p->audit = NULL; > cgroup_fork(p); > #ifdef CONFIG_NUMA > p->mempolicy = mpol_dup(p->mempolicy); > -- > 1.8.3.1 -- paul moore www.paul-moore.com
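Review bot: the audit_set_loginuid hunk dereferences `task->audit` unconditionally (`task->audit->sessionid = sessionid;` / `task->audit->loginuid = loginuid;`) while the kernel/fork.c hunk in copy_process now sets `p->audit = NULL;` in place of `audit_set_context(p, NULL);`; the lines quoted here do not show where `task->audit` is allocated, so the commit message should state where that happens and why it is guaranteed to precede any audit_set_loginuid() call on the task, or the dereference should be guarded.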