1. 30 Apr, 2013 1 commit
    • Eric Paris's avatar
      audit: fix event coverage of AUDIT_ANOM_LINK · b24a30a7
      Eric Paris authored
      The userspace audit tools didn't like the existing formatting of the
      AUDIT_ANOM_LINK event. It needed to be expanded to emit an AUDIT_PATH
      event as well, so this implements the change. The bulk of the patch is
      moving code out of auditsc.c into audit.c and audit.h for general use.
      It expands audit_log_name to include an optional "struct path" argument
      for the simple case of just needing to report a pathname. This also
      makes
      audit_log_task_info available when syscall auditing is not enabled,
      since
      it is needed in either case for process details.
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Reported-by: default avatarSteve Grubb <sgrubb@redhat.com>
      b24a30a7
  2. 12 Apr, 2013 1 commit
  3. 12 Oct, 2012 3 commits
  4. 18 Sep, 2012 2 commits
    • Eric W. Biederman's avatar
      userns: Convert audit to work with user namespaces enabled · cca080d9
      Eric W. Biederman authored
      - Explicitly format uids gids in audit messges in the initial user
        namespace. This is safe because auditd is restrected to be in
        the initial user namespace.
      
      - Convert audit_sig_uid into a kuid_t.
      
      - Enable building the audit code and user namespaces at the same time.
      
      The net result is that the audit subsystem now uses kuid_t and kgid_t whenever
      possible making it almost impossible to confuse a raw uid_t with a kuid_t
      preventing bugs.
      
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Eric Paris <eparis@redhat.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
      cca080d9
    • Eric W. Biederman's avatar
      audit: Add typespecific uid and gid comparators · ca57ec0f
      Eric W. Biederman authored
      The audit filter code guarantees that uid are always compared with
      uids and gids are always compared with gids, as the comparason
      operations are type specific.  Take advantage of this proper to define
      audit_uid_comparator and audit_gid_comparator which use the type safe
      comparasons from uidgid.h.
      
      Build on audit_uid_comparator and audit_gid_comparator and replace
      audit_compare_id with audit_compare_uid and audit_compare_gid.  This
      is one of those odd cases where being type safe and duplicating code
      leads to simpler shorter and more concise code.
      
      Don't allow bitmask operations in uid and gid comparisons in
      audit_data_to_entry.  Bitmask operations are already denined in
      audit_rule_to_entry.
      
      Convert constants in audit_rule_to_entry and audit_data_to_entry into
      kuids and kgids when appropriate.
      
      Convert the uid and gid field in struct audit_names to be of type
      kuid_t and kgid_t respectively, so that the new uid and gid comparators
      can be applied in a type safe manner.
      
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Eric Paris <eparis@redhat.com>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      ca57ec0f
  5. 17 Jan, 2012 1 commit
  6. 30 Oct, 2010 1 commit
  7. 28 Jul, 2010 3 commits
  8. 24 Jun, 2009 3 commits
  9. 04 Jan, 2009 1 commit
    • Al Viro's avatar
      fixing audit rule ordering mess, part 1 · 0590b933
      Al Viro authored
      Problem: ordering between the rules on exit chain is currently lost;
      all watch and inode rules are listed after everything else _and_
      exit,never on one kind doesn't stop exit,always on another from
      being matched.
      
      Solution: assign priorities to rules, keep track of the current
      highest-priority matching rule and its result (always/never).
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      0590b933
  10. 28 Apr, 2008 1 commit
    • Harvey Harrison's avatar
      [PATCH 1/2] audit: move extern declarations to audit.h · c782f242
      Harvey Harrison authored
      Leave audit_sig_{uid|pid|sid} protected by #ifdef CONFIG_AUDITSYSCALL.
      
      Noticed by sparse:
      kernel/audit.c:73:6: warning: symbol 'audit_ever_enabled' was not declared. Should it be static?
      kernel/audit.c:100:8: warning: symbol 'audit_sig_uid' was not declared. Should it be static?
      kernel/audit.c:101:8: warning: symbol 'audit_sig_pid' was not declared. Should it be static?
      kernel/audit.c:102:6: warning: symbol 'audit_sig_sid' was not declared. Should it be static?
      kernel/audit.c:117:23: warning: symbol 'audit_ih' was not declared. Should it be static?
      kernel/auditfilter.c:78:18: warning: symbol 'audit_filter_list' was not declared. Should it be static?
      Signed-off-by: default avatarHarvey Harrison <harvey.harrison@gmail.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      c782f242
  11. 18 Apr, 2008 1 commit
  12. 21 Oct, 2007 1 commit
    • Al Viro's avatar
      [PATCH] audit: watching subtrees · 74c3cbe3
      Al Viro authored
      New kind of audit rule predicates: "object is visible in given subtree".
      The part that can be sanely implemented, that is.  Limitations:
      	* if you have hardlink from outside of tree, you'd better watch
      it too (or just watch the object itself, obviously)
      	* if you mount something under a watched tree, tell audit
      that new chunk should be added to watched subtrees
      	* if you umount something in a watched tree and it's still mounted
      elsewhere, you will get matches on events happening there.  New command
      tells audit to recalculate the trees, trimming such sources of false
      positives.
      
      Note that it's _not_ about path - if something mounted in several places
      (multiple mount, bindings, different namespaces, etc.), the match does
      _not_ depend on which one we are using for access.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      74c3cbe3
  13. 16 Jul, 2007 1 commit
    • Miloslav Trmac's avatar
      Audit: add TTY input auditing · 522ed776
      Miloslav Trmac authored
      Add TTY input auditing, used to audit system administrator's actions.  This is
      required by various security standards such as DCID 6/3 and PCI to provide
      non-repudiation of administrator's actions and to allow a review of past
      actions if the administrator seems to overstep their duties or if the system
      becomes misconfigured for unknown reasons.  These requirements do not make it
      necessary to audit TTY output as well.
      
      Compared to an user-space keylogger, this approach records TTY input using the
      audit subsystem, correlated with other audit events, and it is completely
      transparent to the user-space application (e.g.  the console ioctls still
      work).
      
      TTY input auditing works on a higher level than auditing all system calls
      within the session, which would produce an overwhelming amount of mostly
      useless audit events.
      
      Add an "audit_tty" attribute, inherited across fork ().  Data read from TTYs
      by process with the attribute is sent to the audit subsystem by the kernel.
      The audit netlink interface is extended to allow modifying the audit_tty
      attribute, and to allow sending explanatory audit events from user-space (for
      example, a shell might send an event containing the final command, after the
      interactive command-line editing and history expansion is performed, which
      might be difficult to decipher from the TTY input alone).
      
      Because the "audit_tty" attribute is inherited across fork (), it would be set
      e.g.  for sshd restarted within an audited session.  To prevent this, the
      audit_tty attribute is cleared when a process with no open TTY file
      descriptors (e.g.  after daemon startup) opens a TTY.
      
      See https://www.redhat.com/archives/linux-audit/2007-June/msg00000.html for a
      more detailed rationale document for an older version of this patch.
      
      [akpm@linux-foundation.org: build fix]
      Signed-off-by: default avatarMiloslav Trmac <mitr@redhat.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
      Cc: Paul Fulghum <paulkf@microgate.com>
      Cc: Casey Schaufler <casey@schaufler-ca.com>
      Cc: Steve Grubb <sgrubb@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      522ed776
  14. 11 May, 2007 1 commit
    • Amy Griffis's avatar
      [PATCH] audit signal recipients · e54dc243
      Amy Griffis authored
      When auditing syscalls that send signals, log the pid and security
      context for each target process. Optimize the data collection by
      adding a counter for signal-related rules, and avoiding allocating an
      aux struct unless we have more than one target process. For process
      groups, collect pid/context data in blocks of 16. Move the
      audit_signal_info() hook up in check_kill_permission() so we audit
      attempts where permission is denied.
      Signed-off-by: default avatarAmy Griffis <amy.griffis@hp.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      e54dc243
  15. 11 Sep, 2006 1 commit
  16. 01 Jul, 2006 1 commit
    • Amy Griffis's avatar
      [PATCH] add rule filterkey · 5adc8a6a
      Amy Griffis authored
      Add support for a rule key, which can be used to tie audit records to audit
      rules.  This is useful when a watched file is accessed through a link or
      symlink, as well as for general audit log analysis.
      
      Because this patch uses a string key instead of an integer key, there is a bit
      of extra overhead to do the kstrdup() when a rule fires.  However, we're also
      allocating memory for the audit record buffer, so it's probably not that
      significant.  I went ahead with a string key because it seems more
      user-friendly.
      
      Note that the user must ensure that filterkeys are unique.  The kernel only
      checks for duplicate rules.
      Signed-off-by: default avatarAmy Griffis <amy.griffis@hpd.com>
      5adc8a6a
  17. 20 Jun, 2006 4 commits
    • Amy Griffis's avatar
      [PATCH] log more info for directory entry change events · 9c937dcc
      Amy Griffis authored
      When an audit event involves changes to a directory entry, include
      a PATH record for the directory itself.  A few other notable changes:
      
          - fixed audit_inode_child() hooks in fsnotify_move()
          - removed unused flags arg from audit_inode()
          - added audit log routines for logging a portion of a string
      
      Here's some sample output.
      
      before patch:
      type=SYSCALL msg=audit(1149821605.320:26): arch=40000003 syscall=39 success=yes exit=0 a0=bf8d3c7c a1=1ff a2=804e1b8 a3=bf8d3c7c items=1 ppid=739 pid=800 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 comm="mkdir" exe="/bin/mkdir" subj=root:system_r:unconfined_t:s0-s0:c0.c255
      type=CWD msg=audit(1149821605.320:26):  cwd="/root"
      type=PATH msg=audit(1149821605.320:26): item=0 name="foo" parent=164068 inode=164010 dev=03:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0
      
      after patch:
      type=SYSCALL msg=audit(1149822032.332:24): arch=40000003 syscall=39 success=yes exit=0 a0=bfdd9c7c a1=1ff a2=804e1b8 a3=bfdd9c7c items=2 ppid=714 pid=777 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 comm="mkdir" exe="/bin/mkdir" subj=root:system_r:unconfined_t:s0-s0:c0.c255
      type=CWD msg=audit(1149822032.332:24):  cwd="/root"
      type=PATH msg=audit(1149822032.332:24): item=0 name="/root" inode=164068 dev=03:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_dir_t:s0
      type=PATH msg=audit(1149822032.332:24): item=1 name="foo" inode=164010 dev=03:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0
      Signed-off-by: default avatarAmy Griffis <amy.griffis@hp.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      9c937dcc
    • Amy Griffis's avatar
      [PATCH] audit: path-based rules · f368c07d
      Amy Griffis authored
      In this implementation, audit registers inotify watches on the parent
      directories of paths specified in audit rules.  When audit's inotify
      event handler is called, it updates any affected rules based on the
      filesystem event.  If the parent directory is renamed, removed, or its
      filesystem is unmounted, audit removes all rules referencing that
      inotify watch.
      
      To keep things simple, this implementation limits location-based
      auditing to the directory entries in an existing directory.  Given
      a path-based rule for /foo/bar/passwd, the following table applies:
      
          passwd modified -- audit event logged
          passwd replaced -- audit event logged, rules list updated
          bar renamed     -- rule removed
          foo renamed     -- untracked, meaning that the rule now applies to
      		       the new location
      
      Audit users typically want to have many rules referencing filesystem
      objects, which can significantly impact filtering performance.  This
      patch also adds an inode-number-based rule hash to mitigate this
      situation.
      
      The patch is relative to the audit git tree:
      http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
      and uses the inotify kernel API:
      http://lkml.org/lkml/2006/6/1/145Signed-off-by: default avatarAmy Griffis <amy.griffis@hp.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      f368c07d
    • Al Viro's avatar
      e1396065
    • Al Viro's avatar
      [PATCH] fix deadlocks in AUDIT_LIST/AUDIT_LIST_RULES · 9044e6bc
      Al Viro authored
      We should not send a pile of replies while holding audit_netlink_mutex
      since we hold the same mutex when we receive commands.  As the result,
      we can get blocked while sending and sit there holding the mutex while
      auditctl is unable to send the next command and get around to receiving
      what we'd sent.
      
      Solution: create skb and put them into a queue instead of sending;
      once we are done, send what we've got on the list.  The former can
      be done synchronously while we are handling AUDIT_LIST or AUDIT_LIST_RULES;
      we are holding audit_netlink_mutex at that point.  The latter is done
      asynchronously and without messing with audit_netlink_mutex.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      9044e6bc
  18. 01 May, 2006 1 commit
    • Darrel Goeddel's avatar
      [PATCH] support for context based audit filtering, part 2 · 3dc7e315
      Darrel Goeddel authored
      This patch provides the ability to filter audit messages based on the
      elements of the process' SELinux context (user, role, type, mls sensitivity,
      and mls clearance).  It uses the new interfaces from selinux to opaquely
      store information related to the selinux context and to filter based on that
      information.  It also uses the callback mechanism provided by selinux to
      refresh the information when a new policy is loaded.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      3dc7e315
  19. 20 Mar, 2006 3 commits