lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20190409155728.dfp4qwseo6jxdmqr@madcap2.tricolour.ca>
Date:   Tue, 9 Apr 2019 11:57:28 -0400
From:   Richard Guy Briggs <rgb@...hat.com>
To:     Steve Grubb <sgrubb@...hat.com>
Cc:     LKML <linux-kernel@...r.kernel.org>,
        Linux-Audit Mailing List <linux-audit@...hat.com>,
        Paul Moore <paul@...l-moore.com>, omosnace@...hat.com,
        eparis@...isplace.org, ebiederm@...ssion.com, oleg@...hat.com
Subject: Re: [PATCH ghak111 V1] audit: deliver siginfo regarless of syscall

On 2019-04-09 17:37, Steve Grubb wrote:
> On Tue, 9 Apr 2019 10:02:59 -0400
> Richard Guy Briggs <rgb@...hat.com> wrote:
> 
> > On 2019-04-09 08:01, Steve Grubb wrote:
> > > On Mon,  8 Apr 2019 23:52:29 -0400 Richard Guy Briggs
> > > <rgb@...hat.com> wrote:  
> > > > When a process signals the audit daemon (shutdown, rotate, resume,
> > > > reconfig) but syscall auditing is not enabled, we still want to
> > > > know the identity of the process sending the signal to the audit
> > > > daemon.  
> > > 
> > > Why? If syscall auditing is disabled, then there is no requirement
> > > to provide anything. What is the real problem that you are seeing?  
> > 
> > Shutdown messages with -1 in them rather than the real values.
> 
> OK. We can fix that by patching auditd to see if auditing is enabled
> before requesting signal info. If auditing is disabled, the proper
> action is for the kernel to ignore any audit userspace messages except
> the configuration commands.

If auditing is disabled in the kernel, none of this is trackable.  It is
for those as yet unsupported arches that can run audit enabled but
without auditsyscall support.

Here's a current sample with CONFIG_AUDIT and ~CONFIG_AUDITSYSCALL
configured, note "auid=" and "pid=":

	killall -HUP auditd
	type=DAEMON_CONFIG msg=audit(2019-04-09 11:37:04.508:3266) op=reconfigure state=changed auid=unset pid=-1 subj=? res=success

	killall -TERM auditd
	type=DAEMON_END msg=audit(2019-04-09 11:51:50.441:5709) : op=terminate auid=unset pid=-1 subj=? res=success 
	
and the same with the patch applied:

	killall -HUP auditd
	type=DAEMON_CONFIG msg=audit(2019-04-09 11:42:40.851:8924) op=reconfigure state=changed auid=root pid=652 subj=? res=success

	killall -TERM auditd
	type=DAEMON_END msg=audit(2019-04-09 11:51:50.441:5709) : op=terminate auid=root pid=652 subj=? res=success 

The USR1 "rotate" and USR2 "resume" log messages need to be fixed in
userspace.

> -Steve

- RGB

--
Richard Guy Briggs <rgb@...hat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ