Comments (30)
See issue #7 as a related issue.
from audit-kernel.
@pcmoore The title of this issue mentions the debugfs kernel module. I see no such module in several distros, but it appears to be a builtin. What distro exhibits this behaviour and how did you trace it to the debugfs kernel module? I am seeing this unwanted behaviour with the modprobe command on fs-nfs4 and nfsv4 services, but they are in use and I am trying to figure out a way to trigger this behaviour on demand rather than depending on a reboot.
from audit-kernel.
@pcmoore I guess this also begs the larger question about the audit-testsuite being able to do reboot tests.
from audit-kernel.
Pushed a preliminary commit to my fork for RFC:
rgbriggs/audit-testsuite@1b00d16
from audit-kernel.
@rgbriggs This is an old bug report taken from the Red Hat Bugzilla. I believe it originally came from @stevegrubb, perhaps he has more information he could share.
from audit-kernel.
@pcmoore I guess this also begs the larger question about the audit-testsuite being able to do reboot tests.
To follow up on our offline conversation - tests that don't easily fit within the automated audit-testsuite can be placed in a tests_manual directory in the audit-testsuite.
from audit-kernel.
@pcmoore Here's an update moved to tests_manual with a readme: rgbriggs/audit-testsuite@045c239
from audit-kernel.
One more comment, let's just call it "syscall_module_path", we don't need the "spam" part at the end ;)
from audit-kernel.
Anything else?
from audit-kernel.
Update: rgbriggs/audit-testsuite@2d0004c
from audit-kernel.
Did you see the comments I made to the patch?
from audit-kernel.
To be clear, the comments were attached to rgbriggs/audit-testsuite@045c239.
from audit-kernel.
Ok, got those too... rgbriggs/audit-testsuite@7ff7ebc
from audit-kernel.
My previous comments about the rules still apply (comment added inline).
from audit-kernel.
Ok, updated rgbriggs/audit-testsuite@ab2bb3f
It will be of limited use on RHEL6 due to missing PROCTITLE record, but will still detect bug.
A more deterministic way of expressing the date/time to ausearch would help.
from audit-kernel.
@rgbriggs the test looks reasonable, want to create an audit-testsuite PR?
from audit-kernel.
Ugh, I just noticed that it is based on my ghak7 test, so I'll rebase it to HEAD first.
from audit-kernel.
Ok, untangled from ghak7 test case... linux-audit/audit-testsuite#42
from audit-kernel.
Kernel patch posted upstream:
https://www.redhat.com/archives/linux-audit/2017-April/msg00011.html
https://www.redhat.com/archives/linux-audit/2017-April/msg00012.html
Userspace issue created:
linux-audit/audit-userspace#15
Userspace patch posted upstream:
https://www.redhat.com/archives/linux-audit/2017-April/msg00009.html
from audit-kernel.
Discussion about enabling DebugFS and TraceFS by default on production distributions.
https://github.com/linux-audit/audit-documentation/wiki/TraceFS-and-DebugFS-on-production-distributions
from audit-kernel.
Userspace patch v3 posted upstream:
https://www.redhat.com/archives/linux-audit/2017-June/msg00071.html
Update feature bitmap macro to reflect the filter name change.
https://www.redhat.com/archives/linux-audit/2017-June/msg00072.html
from audit-kernel.
Kernel patch ALT4 V3 posted upstream:
https://www.redhat.com/archives/linux-audit/2017-August/msg00073.html
from audit-kernel.
Merged patch 1/2 via 41e1f7b
from audit-kernel.
Tests brought up to date.
First test patch tests first kernel patch, second test patch tests second kernel patch:
linux-audit/audit-testsuite#42
from audit-kernel.
upstream in git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git next
41e1f7b audit: show fstype:pathname for entries with anonymous parents
3d7810b audit: filter PATH records keyed on filesystem magic
from audit-kernel.
Please put the file system type in a field all by itself called "fstype". You can just leave it as the hex magic number prepended with 0x and user space can do the lookup from there. Also, put it at the end of the record and it's OK if this field appears and disappears based on file system type. In general, this field will rarely appear and we can suppress the event generation with audit rules.
from audit-kernel.
The first problem is that this should be an untrusted field, so switching from audit_log_format() to audit_log_untrustedstring() would fix that.
I'm fine with creating and appending a field called fstype.
This still leaves us with a relative path that appears to be an absolute path which is arguably less correct. One way to be less misleading is to remove the leading "./" or "/" so that it isn't explicitly anchored on root or CWD and instead use another special symbol (this is essentially what the original patch does). Another suggestion was made to use the nametype field, instead of "NORMAL", make it "RELA", "NOMOUNT" or "NOMNTPT".
from audit-kernel.
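To make the two proposals above concrete (a trailing hex "fstype" field that userspace decodes, and a PATH name that is only misleading because it looks anchored at "/" or "./"), here is an added example that is not part of this issue or of the audit code base. It parses a few constructed PATH records, decodes the fstype magic with a subset of the values from include/uapi/linux/magic.h, flags names that appear anchored although they live on a pseudo filesystem, and applies a userspace-side filter keyed on filesystem type, which is what the kernel filter commit 3d7810b does in the kernel. The sample record lines and the field values in them are constructed for the example.

```python
import re

# Subset of filesystem magic numbers from include/uapi/linux/magic.h.
FS_MAGIC = {
    0x64626720: "debugfs",
    0x74726163: "tracefs",
    0x62656572: "sysfs",
    0x9FA0: "proc",
    0xEF53: "ext4",
}

# Pseudo filesystems whose PATH entries have anonymous parents in the thread.
PSEUDO_FS = ("debugfs", "tracefs")

# Constructed sample PATH records (not real audit output). The trailing
# fstype= field follows the proposal in this thread: hex magic, last field,
# present only for the filesystems that need it.
SAMPLE_RECORDS = [
    'type=PATH msg=audit(1492011700.123:456): item=0 name="/etc/passwd" inode=1234 '
    'dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL fstype=0xef53',
    'type=PATH msg=audit(1492011700.456:457): item=0 name="./tracing/events/enable" '
    'inode=77 dev=00:0a mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL '
    'fstype=0x74726163',
    'type=PATH msg=audit(1492011700.789:458): item=1 name="dynamic_debug/control" '
    'inode=12 dev=00:0c mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL '
    'fstype=0x64626720',
    'type=PATH msg=audit(1492011701.000:459): item=0 name="/var/log/secure" inode=99 '
    'dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
]

# key=value pairs; values are either double-quoted or a run of non-space chars.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict, unquoting quoted values."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def fstype_name(fields):
    """Decode the hex fstype= magic to a name (raw hex if unknown, None if absent)."""
    raw = fields.get("fstype")
    if raw is None:
        return None
    return FS_MAGIC.get(int(raw, 16), raw)


def is_anchored(name):
    """True when the name is explicitly rooted at / or at the CWD ('./')."""
    return name.startswith("/") or name.startswith("./")


def classify(line):
    """Summarise one PATH record: filesystem, anchoring, and whether the
    anchored-looking name is misleading because the entry has no real parent."""
    fields = parse_record(line)
    name = fields.get("name", "")
    fs = fstype_name(fields)
    anchored = is_anchored(name)
    return {
        "name": name,
        "fstype": fs,
        "anchored": anchored,
        # An anchored path on a pseudo filesystem is the case the thread
        # calls "a relative path that appears to be an absolute path".
        "misleading": anchored and fs in PSEUDO_FS,
    }


def filter_records(lines, suppressed=PSEUDO_FS):
    """Drop PATH records whose filesystem type is in the suppressed set,
    mirroring a filter keyed on filesystem magic."""
    return [l for l in lines if fstype_name(parse_record(l)) not in suppressed]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify(rec))
    print("kept after filtering:", len(filter_records(SAMPLE_RECORDS)))
```

The parser treats the fstype field as optional, so records from filesystems that never emit it (the common case, as noted above) decode without error; the lookup table is the userspace side of the "hex magic, decode later" proposal.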
Posted patchset v4 to add partial pathname, filesystem type and new file types to indicate anonymous entries, also fix memleak and don't trust filename:
https://lkml.org/lkml/2018/2/12/1
https://www.redhat.com/archives/linux-audit/2018-February/msg00020.html
from audit-kernel.
Since one of the two parts of the solution has been accepted upstream, I'm closing this issue to indicate the filter is done and pushing the other solution (giving a name to the anonymous PATH records) into a new issue to indicate partial completion. See: #108
from audit-kernel.
I don't have permission to close issues. Please close this issue.
from audit-kernel.