Message-Id: <cover.1438764903.git.rgb@redhat.com>
Date:	Wed,  5 Aug 2015 05:25:04 -0400
From:	Richard Guy Briggs <rgb@...hat.com>
To:	linux-audit@...hat.com, linux-kernel@...r.kernel.org
Cc:	Richard Guy Briggs <rgb@...hat.com>, sgrubb@...hat.com,
	pmoore@...hat.com, eparis@...hat.com, peter@...3.com
Subject: [PATCH V8 0/3] audit by executable name

Please see the accompanying userspace patchset:
	https://www.redhat.com/archives/linux-audit/2015-July/thread.html
	[[PATCH V2] 0/2] Log on the future execution of a path
The userspace interface is not expected to change appreciably unless something
important has been overlooked.  Setting and deleting rules works as expected.
	
If the path does not exist at rule creation time, it will be re-evaluated every
time there is a change to the parent directory at which point the change in
device and inode will be noted.


Here's a sample run:
Test for addition, trigger and deletion of tree executable rule:
# auditctl -a always,exit -S all -F dir=/tmp -F exe=/usr/bin/touch -F key=exetest_tree
----
time->Sat Jul 11 10:41:50 2015
type=CONFIG_CHANGE msg=audit(1436629310.720:44711): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="add_rule" key="exetest_tree" list=4 res=1
----

# /usr/bin/touch /tmp/test
----
time->Sat Jul 11 10:41:50 2015
type=PROCTITLE msg=audit(1436629310.757:44712): proctitle=2F7573722F62696E2F746F756368002F746D702F74657374
type=PATH msg=audit(1436629310.757:44712): item=1 name="/tmp/test" inode=166932 dev=00:24 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE
type=PATH msg=audit(1436629310.757:44712): item=0 name="/tmp/" inode=11525 dev=00:24 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT
type=CWD msg=audit(1436629310.757:44712):  cwd="/root"
type=SYSCALL msg=audit(1436629310.757:44712): arch=c000003e syscall=2 success=yes exit=3 a0=7ffdee2f9e27 a1=941 a2=1b6 a3=691 items=2 ppid=17655 pid=17762 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="exetest_tree"
----

# auditctl -d always,exit -S all -F dir=/tmp -F exe=/usr/bin/touch -F key=exetest_tree
----
time->Sat Jul 11 10:41:50 2015
type=CONFIG_CHANGE msg=audit(1436629310.839:44713): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="remove_rule" key="exetest_tree" list=4 res=1
----


Revision history:
v8: Re-spin due to mods to:
	"audit: save signal match info in case entry passed in is the one deleted"

v7: Add Audit Feature Bitmap macro AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH to
      AUDIT_FEATURE_BITMAP_ALL.
    Split out new patch to use macros for unset inode and device values.
    Remove BUG() usage in stubs.
    Rename audit_mark_free() to audit_fsnotify_mark_free().
    Remove unused audit_get_mark() and audit_put_mark() functions.
    Rework ino and dev comparisons and assignments, using macros and existing
      funcs and eliminating temp variables.
    Move audit_update_mark() above its first usage.
    Move contents of kernel/audit_exe.c to kernel/audit_watch.c.
    Merge patch 3 with 1, merge patch 4 with 1 and 3 and rewrite the patch descriptions.
    Split out patch to audit by executable children.

v6: Explicitly declare prototypes as external.
    Rename audit_dup_exe() to audit_dupe_exe() consistent with rule, watch, lsm_field.
    Rebased on v4.1.
    Rename audit_remove_mark_rule() called from audit_mark_handle_event() to
      audit_autoremove_mark_rule() to avoid confusion with
      audit_remove_{watch,tree}_rule() usage.
    Add audit_remove_mark_rule() to provide similar interface as
      audit_remove_{watch,tree}_rule().
    Simplify stubs to defines.
    Rename audit_free_fsnotify_mark() to audit_fsnotify_free_mark() in keeping with
      the naming convention of inotify_free_mark(), dnotify_free_mark(),
      fanotify_free_mark(), audit_watch_free_mark().
    Return -ENOMEM rather than null in case of memory allocation failure for
      audit_mark in audit_alloc_mark().
    Rename audit_free_mark() to audit_mark_free() to avoid association with
      {i,d,fa}notify_free_mark() and audit_watch_free_mark().
    Clean up exe with similar interface as watch and tree.
    Clean up audit exe mark just before audit_free_rule() rather than in it to
      avoid mutex in software interrupt context.
    Fixed bug in audit_dupe_exe() that returned error rather than valid pointer.

v5: Revert patch "Let audit_free_rule() take care of calling
    audit_remove_mark()." since it caused a group mark deadlock.
    https://www.redhat.com/archives/linux-audit/2014-October/msg00024.html

v4: Re-order and squash down fixups
    Fix audit_dup_exe() to copy pathname string before calling audit_alloc_mark().
    https://www.redhat.com/archives/linux-audit/2014-August/msg00065.html

v3: Rationalize and rename some function names and clean up get/put and free code.
    Rename several "watch" references to "mark".
    Rename audit_remove_rule() to audit_remove_mark_rule().
    Let audit_free_rule() take care of calling audit_remove_mark().
    Put audit_alloc_mark() arguments in same order as watch, tree and inode.
    Move the access to the entry for audit_match_signal() to the beginning
     of the function in case the entry found is the same one passed in.
     This will enable it to be used by audit_remove_mark_rule().
    https://www.redhat.com/archives/linux-audit/2014-July/msg00000.html

v2: Misguided attempt to add in audit_exe similar to watches
    https://www.redhat.com/archives/linux-audit/2014-June/msg00066.html

v1.5: eparis' switch to fsnotify
    https://www.redhat.com/archives/linux-audit/2014-May/msg00046.html
    https://www.redhat.com/archives/linux-audit/2014-May/msg00066.html

v1: Change to path interface instead of inode
    https://www.redhat.com/archives/linux-audit/2014-May/msg00017.html

v0: Peter Moodie's original patches
    https://www.redhat.com/archives/linux-audit/2012-August/msg00033.html


Future step:
Get full-path notify working.

Richard Guy Briggs (3):
  audit: clean simple fsnotify implementation
  audit: implement audit by executable
  audit: add audit by children of executable path

 include/linux/audit.h      |    1 +
 include/uapi/linux/audit.h |    6 +-
 kernel/Makefile            |    2 +-
 kernel/audit.h             |   18 ++++
 kernel/audit_fsnotify.c    |  215 ++++++++++++++++++++++++++++++++++++++++++++
 kernel/audit_tree.c        |    2 +
 kernel/audit_watch.c       |   31 +++++++
 kernel/auditfilter.c       |   57 +++++++++++-
 kernel/auditsc.c           |   14 +++
 9 files changed, 342 insertions(+), 4 deletions(-)
 create mode 100644 kernel/audit_fsnotify.c
