Comments (14)
@sgrubb I assume removing these fields from the ANOM_LINK record will not break your tools?
from audit-kernel.
It does something both ways. I'm getting memory leaks because it's finding fields in ANOM_LINK without freeing them when it gets to the SYSCALL record. It doesn't seem to hurt it when the fields are removed. Reviewing the situation, looks like this event is emitted even when the audit system is disabled. What you get is two disjointed events:
type=ANOM_LINK msg=audit(1476471010.971:1028): op=follow_link ppid=2339 pid=9994 auid=4325 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=0
type=PATH msg=audit(1476471010.971:1029): item=0 name="/tmp/my-passwd" inode=668511 dev=00:26 mode=0120777 ouid=4325 ogid=4325 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL
This seems wrong also. And there is no CWD record in case it was relative.
I don't want to remove fields from existing records, but I agree that it is odd that ANOM_LINK records are being generated when the audit system is disabled, that's clearly a bug. I haven't looked into the missing CWD record enough to have an opinion yet.
Quick summary: we need to fix the ANOM_LINK records ignoring the audit enabled/disabled state and investigate why a CWD record is not being emitted.
@rgbriggs I'm assigning this to you, feel free to object - you know where to find me.
It's even more of a mess if audit is enabled. You get anom_link, path, syscall, cwd, path. This event should be thrown away and redone from scratch.
It appears there are at least the following tasks involved with this issue, listed in order:
- Fix ANOM_LINK record generation to honor the audit enabled/disabled flag.
- Document what information should be contained in an ANOM_LINK record, and why (see the RFE template on the audit-kernel wiki).
- Evaluate how to meet the requirements from #2, and draft a patch[set] to implement the changes.
Another clue something is wrong is that there are two PATH records both labelled "item=0", one missing inode information. It looks like the audit context timestamp and event ID are being reused, so either it should register a file of interest with audit_inode() and ride on the syscall, or generate its own local audit_context and discard it immediately after.
There is no CWD record because the PATH record is being generated directly rather than going through the context->audit_names list via audit_inode() that generates the event in audit_log_exit(). It could be generated as an autonomous event, but would make far more sense to make it an auxiliary record to a syscall record.
A test for hard links reveals existing records are adequate and the extra PATH record is an unnecessary duplicate that consumes resources (and may confuse the parser).
type=PROCTITLE msg=audit(02/13/2018 06:49:36.439:244) : proctitle=ln test test-ln
type=PATH msg=audit(02/13/2018 06:49:36.439:244) : item=1 name=/tmp inode=13324 dev=00:27 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(02/13/2018 06:49:36.439:244) : item=0 name=test inode=17792 dev=00:27 mode=file,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(02/13/2018 06:49:36.439:244) : cwd=/tmp
type=SYSCALL msg=audit(02/13/2018 06:49:36.439:244) : arch=x86_64 syscall=linkat success=no exit=EPERM(Operation not permitted) a0=0xffffff9c a1=0x7ffc987e8628 a2=0xffffff9c a3=0x7ffc987e862d items=2 ppid=582 pid=605 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=pts0 ses=3 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=PATH msg=audit(02/13/2018 06:49:36.439:244) : item=0 name=/tmp/test inode=17792 dev=00:27 mode=file,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=ANOM_LINK msg=audit(02/13/2018 06:49:36.439:244) : op=linkat ppid=582 pid=605 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=pts0 ses=3 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no
Test to replicate for hardlinks:
# As root:
cd /tmp
touch test
chmod 700 test
# As unprivileged user:
ln test test-ln
# As root:
ausearch -i --start recent
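A small checker, added here and not taken from the thread or from the audit project, that groups records by event serial and flags the inconsistencies the comments above describe (an ANOM_LINK or PATH record with no SYSCALL in its event, a PATH record with no CWD, and duplicate item= indexes). The sample records are constructed from the ones quoted in this thread, shortened to the fields the checks need.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the records quoted in this thread (not a real capture).
SAMPLE = """\
type=ANOM_LINK msg=audit(1476471010.971:1028): op=follow_link pid=9994 auid=4325 uid=0 comm="ls" exe="/usr/bin/ls" res=0
type=PATH msg=audit(1476471010.971:1029): item=0 name="/tmp/my-passwd" inode=668511 dev=00:26 mode=0120777 nametype=NORMAL
type=PATH msg=audit(02/13/2018 06:49:36.439:244) : item=1 name=/tmp inode=13324 dev=00:27 nametype=PARENT
type=PATH msg=audit(02/13/2018 06:49:36.439:244) : item=0 name=test inode=17792 dev=00:27 nametype=NORMAL
type=CWD msg=audit(02/13/2018 06:49:36.439:244) : cwd=/tmp
type=SYSCALL msg=audit(02/13/2018 06:49:36.439:244) : arch=x86_64 syscall=linkat success=no exit=EPERM(Operation not permitted) items=2 pid=605 comm=ln
type=PATH msg=audit(02/13/2018 06:49:36.439:244) : item=0 name=/tmp/test inode=17792 dev=00:27 nametype=NORMAL
type=ANOM_LINK msg=audit(02/13/2018 06:49:36.439:244) : op=linkat pid=605 comm=ln exe=/usr/bin/ln res=no
"""

# Handles both raw (epoch:serial) and ausearch -i (date time:serial) timestamps.
REC_RE = re.compile(r'^type=(\w+) msg=audit\((.*):(\d+)\) ?: ?(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(text):
    """Return {serial: [(type, {field: value}), ...]} preserving record order."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = REC_RE.match(line.strip())
        if not m:
            continue  # not an audit record; skip it
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        events[int(serial)].append((rtype, fields))
    return events

def check_event(records):
    """Flag the inconsistencies the thread describes for one event's records."""
    types = [t for t, _ in records]
    problems = []
    if 'ANOM_LINK' in types and 'SYSCALL' not in types:
        problems.append('ANOM_LINK without SYSCALL (disjointed event)')
    if 'PATH' in types and 'SYSCALL' not in types:
        problems.append('PATH without SYSCALL')
    if 'PATH' in types and 'CWD' not in types:
        problems.append('PATH without CWD (relative names cannot be resolved)')
    items = [f.get('item', '?') for t, f in records if t == 'PATH']
    dupes = sorted({i for i in items if items.count(i) > 1})
    if dupes:
        problems.append('duplicate PATH item index: ' + ', '.join(dupes))
    return problems

def audit_events(text):
    """Map each event serial to the list of problems found in it (empty = ok)."""
    return {serial: check_event(recs) for serial, recs in parse_records(text).items()}
```

Run it over the output of `ausearch -i --start recent` (or a raw audit.log) to see which events carry the stray ANOM_LINK or duplicate PATH records.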
Introduced with:
commit b24a30a ("audit: fix event coverage of AUDIT_ANOM_LINK")
commit a51d9ea ("fs: add link restriction audit reporting")
Posted v1 patch upstream:
https://www.redhat.com/archives/linux-audit/2018-February/msg00029.html
https://lkml.org/lkml/2018/2/14/540
Passes ausearch-test and audit-testsuite.
Posted V2 patchset upstream:
https://www.redhat.com/archives/linux-audit/2018-March/msg00065.html
https://lkml.org/lkml/2018/3/12/41
Passes ausearch-test and audit-testsuite.
Patch 2 has been updated to remove the unnecessary struct path parameter.
Patch 4 may not be necessary since the CWD record is present.
Posted v3 patchset upstream:
https://lkml.org/lkml/2018/3/14/47
https://www.redhat.com/archives/linux-audit/2018-March/msg00103.html
Rebase on audit/next and drop previously accepted patches.
Posted v4 patchset upstream:
https://www.redhat.com/archives/linux-audit/2018-March/msg00135.html
https://lkml.org/lkml/2018/3/21/166
Fix misplaced audit_log_link_denied() parameter count fix.
Merged via a few different patches: ea841ba 94b9d9b 45b578f 15564ff