
Comments (14)

pcmoore commented on July 23, 2024

@sgrubb I assume removing these fields from the ANOM_LINK record will not break your tools?

from audit-kernel.

stevegrubb commented on July 23, 2024

It does something both ways. I'm getting memory leaks because it's finding fields in ANOM_LINK without freeing them when it gets to the SYSCALL record. It doesn't seem to hurt it when the fields are removed. Reviewing the situation, it looks like this event is emitted even when the audit system is disabled. What you get is two disjointed events:

type=ANOM_LINK msg=audit(1476471010.971:1028): op=follow_link ppid=2339 pid=9994 auid=4325 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=0
type=PATH msg=audit(1476471010.971:1029): item=0 name="/tmp/my-passwd" inode=668511 dev=00:26 mode=0120777 ouid=4325 ogid=4325 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL

This seems wrong also. And there is no CWD record in case it was relative.


pcmoore commented on July 23, 2024

I don't want to remove fields from existing records, but I agree that it is odd that ANOM_LINK records are being generated when the audit system is disabled, that's clearly a bug. I haven't looked into the missing CWD record enough to have an opinion yet.

Quick summary: we need to fix the ANOM_LINK records ignoring the audit enabled/disabled state and investigate why a CWD record is not being emitted.

@rgbriggs I'm assigning this to you, feel free to object - you know where to find me.


stevegrubb commented on July 23, 2024

It's even more of a mess if audit is enabled. You get anom_link, path, syscall, cwd, path. This event should be thrown away and redone from scratch.


pcmoore commented on July 23, 2024

It appears there are at least the following tasks involved with this issue, listed in order:

  1. Fix ANOM_LINK record generation to honor the audit enabled/disabled flag.

  2. Document what information should be contained in an ANOM_LINK record, and why (see the RFE template on the audit-kernel wiki).

  3. Evaluate how to meet the requirements from #2, and draft a patch[set] to implement the changes.


rgbriggs commented on July 23, 2024

Another clue something is wrong is that there are two PATH records both labelled "item=0", one missing inode information. It looks like the audit context timestamp and event ID are being reused, so either it should register a file of interest with audit_inode() and ride on the syscall, or generate its own local audit_context and discard it immediately after.


rgbriggs commented on July 23, 2024

There is no CWD record because the PATH record is being generated directly rather than going through the context->audit_names list via audit_inode() that generates the event in audit_log_exit(). It could be generated as an autonomous event, but would make far more sense to make it an auxiliary record to a syscall record.


rgbriggs commented on July 23, 2024

A test for hard links reveals existing records are adequate and the extra PATH record is an unnecessary duplicate that consumes resources (and may confuse the parser).

type=PROCTITLE msg=audit(02/13/2018 06:49:36.439:244) : proctitle=ln test test-ln
type=PATH msg=audit(02/13/2018 06:49:36.439:244) : item=1 name=/tmp inode=13324 dev=00:27 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(02/13/2018 06:49:36.439:244) : item=0 name=test inode=17792 dev=00:27 mode=file,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(02/13/2018 06:49:36.439:244) : cwd=/tmp
type=SYSCALL msg=audit(02/13/2018 06:49:36.439:244) : arch=x86_64 syscall=linkat success=no exit=EPERM(Operation not permitted) a0=0xffffff9c a1=0x7ffc987e8628 a2=0xffffff9c a3=0x7ffc987e862d items=2 ppid=582 pid=605 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=pts0 ses=3 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=PATH msg=audit(02/13/2018 06:49:36.439:244) : item=0 name=/tmp/test inode=17792 dev=00:27 mode=file,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=ANOM_LINK msg=audit(02/13/2018 06:49:36.439:244) : op=linkat ppid=582 pid=605 auid=rgb uid=rgb gid=rgb euid=rgb suid=rgb fsuid=rgb egid=rgb sgid=rgb fsgid=rgb tty=pts0 ses=3 comm=ln exe=/usr/bin/ln subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=no

Test to replicate for hardlinks:

# As root:
cd /tmp
touch test
chmod 700 test
# As unprivileged user:
ln test test-ln
# As root:
ausearch -i --start recent

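The malformed event shapes discussed in this thread (an ANOM_LINK or PATH record with no SYSCALL record behind it, two PATH records sharing item=0 under one event serial, and a relative PATH name with no CWD record) are easy to miss by eye in a busy log. The following is an added example, not code from the audit-kernel project or from anyone in this thread: a small Python checker that groups records by event serial and flags those three shapes. It accepts both the raw `audit(epoch:serial)` form and the `ausearch -i` form, and its sample input is the records pasted above, trimmed to the fields that matter, plus one constructed record (serial 1030) that exercises the missing-CWD check.

```python
import re
from collections import defaultdict

# Sample input: records copied from the thread above (serials 1028, 1029 and
# 244, with long SYSCALL/ANOM_LINK field lists abbreviated) plus a constructed
# record, serial 1030, that has a relative name and no CWD record.
SAMPLE_RECORDS = """\
type=ANOM_LINK msg=audit(1476471010.971:1028): op=follow_link ppid=2339 pid=9994 auid=4325 uid=0 gid=0 tty=pts0 ses=5 comm="ls" exe="/usr/bin/ls" res=0
type=PATH msg=audit(1476471010.971:1029): item=0 name="/tmp/my-passwd" inode=668511 dev=00:26 mode=0120777 ouid=4325 ogid=4325 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1476471010.980:1030): item=0 name="my-passwd" inode=668511 dev=00:26 mode=0120777 ouid=4325 ogid=4325 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(02/13/2018 06:49:36.439:244) : proctitle=ln test test-ln
type=PATH msg=audit(02/13/2018 06:49:36.439:244) : item=1 name=/tmp inode=13324 dev=00:27 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 nametype=PARENT
type=PATH msg=audit(02/13/2018 06:49:36.439:244) : item=0 name=test inode=17792 dev=00:27 mode=file,700 ouid=root ogid=root rdev=00:00 nametype=NORMAL
type=CWD msg=audit(02/13/2018 06:49:36.439:244) : cwd=/tmp
type=SYSCALL msg=audit(02/13/2018 06:49:36.439:244) : arch=x86_64 syscall=linkat success=no exit=EPERM(Operation not permitted) items=2 ppid=582 pid=605 auid=rgb uid=rgb comm=ln exe=/usr/bin/ln key=(null)
type=PATH msg=audit(02/13/2018 06:49:36.439:244) : item=0 name=/tmp/test inode=17792 dev=00:27 mode=file,700 ouid=root ogid=root rdev=00:00 nametype=NORMAL
type=ANOM_LINK msg=audit(02/13/2018 06:49:36.439:244) : op=linkat ppid=582 pid=605 auid=rgb uid=rgb comm=ln exe=/usr/bin/ln res=no
"""

# "type=X msg=audit(<stamp>:<serial>)<optional space>: <fields>"
HEADER_RE = re.compile(r'^type=(\w+) msg=audit\(([^)]*)\)\s*:\s*(.*)$')
# key=value pairs; values are either double-quoted or a run of non-space chars
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one audit record line into type, event serial and a field dict.

    Returns None for lines that are not audit records. Values that contain
    spaces but are not quoted (e.g. exit=EPERM(Operation not permitted) in
    interpreted output) are truncated at the first space; this checker does
    not rely on those fields.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, stamp, body = m.groups()
    # The event serial is the last ':'-separated component inside the parens,
    # in both raw (epoch.msec:serial) and interpreted (date time:serial) forms.
    serial = int(stamp.rsplit(":", 1)[1])
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    return {"type": rtype, "serial": serial, "fields": fields}


def group_events(text):
    """Group records by event serial, preserving the order they appeared in."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[rec["serial"]].append(rec)
    return dict(events)


def check_event(records):
    """Return the list of malformed shapes found in one event's record set."""
    types = [r["type"] for r in records]
    findings = []
    # ANOM_LINK/PATH records with no SYSCALL record behind them: the event was
    # emitted outside of (or detached from) syscall context.
    if "SYSCALL" not in types and any(t in ("ANOM_LINK", "PATH") for t in types):
        findings.append("no_syscall")
    # Two PATH records sharing an item index under one serial.
    items = [r["fields"].get("item") for r in records if r["type"] == "PATH"]
    if len(items) != len(set(items)):
        findings.append("duplicate_path_item")
    # A relative PATH name cannot be resolved without a CWD record.
    relative = any(r["type"] == "PATH" and not r["fields"].get("name", "/").startswith("/")
                   for r in records)
    if relative and "CWD" not in types:
        findings.append("relative_path_without_cwd")
    return findings


def audit_findings(text):
    """Map each event serial with problems to its list of findings."""
    result = {}
    for serial, recs in group_events(text).items():
        findings = check_event(recs)
        if findings:
            result[serial] = findings
    return result


if __name__ == "__main__":
    for serial, findings in sorted(audit_findings(SAMPLE_RECORDS).items()):
        print(f"event {serial}: {', '.join(findings)}")
```

Run against a live system with `ausearch --raw --start recent | python3 checker.py` after replacing `SAMPLE_RECORDS` with `sys.stdin.read()`; the `no_syscall` finding on serials 1028 and 1029 is the detached pair Steve reports, and `duplicate_path_item` on serial 244 is the second item=0 PATH record Richard points out.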

rgbriggs commented on July 23, 2024

Introduced with:
commit b24a30a
("audit: fix event coverage of AUDIT_ANOM_LINK")
commit a51d9ea
("fs: add link restriction audit reporting")


rgbriggs commented on July 23, 2024

Posted v1 patch upstream:
https://www.redhat.com/archives/linux-audit/2018-February/msg00029.html
https://lkml.org/lkml/2018/2/14/540

Passes ausearch-test and audit-testsuite.


rgbriggs commented on July 23, 2024

Posted V2 patchset upstream:
https://www.redhat.com/archives/linux-audit/2018-March/msg00065.html
https://lkml.org/lkml/2018/3/12/41
Passes ausearch-test and audit-testsuite.
Patch 2 has been updated to remove the unnecessary struct path parameter.
Patch 4 may not be necessary since the CWD record is present.


rgbriggs commented on July 23, 2024

Posted v3 patchset upstream:
https://lkml.org/lkml/2018/3/14/47
https://www.redhat.com/archives/linux-audit/2018-March/msg00103.html
Rebase on audit/next and drop previously accepted patches.


rgbriggs commented on July 23, 2024

Posted v4 patchset upstream
https://www.redhat.com/archives/linux-audit/2018-March/msg00135.html
https://lkml.org/lkml/2018/3/21/166
Fix misplaced audit_log_link_denied() parameter count fix.


pcmoore commented on July 23, 2024

Merged via a few different patches: ea841ba 94b9d9b 45b578f 15564ff

