lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 23 Jan 2020 15:11:42 -0500
From:   Steve Grubb <sgrubb@...hat.com>
To:     linux-audit@...hat.com
Cc:     Richard Guy Briggs <rgb@...hat.com>,
        Paul Moore <paul@...l-moore.com>,
        Eric Paris <eparis@...isplace.org>, nhorman@...hat.com,
        LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH ghak28 V4] audit: log audit netlink multicast bind and unbind events

On Thursday, January 23, 2020 11:13:49 AM EST Richard Guy Briggs wrote:
> Steve, can you say why this order should be the standard?  From:
>         http://people.redhat.com/sgrubb/audit/record-fields.html

The majority of events go down the path of:
pid,uid,auid,ses,subj,op,comm,exe,res

Which lands on the parse_user() function.

If for some reason we really wanted to stay on a "kernel" parser, then I'd 
recommend:
auid,uid,ses,subj,pid,comm,exe,op,res

which lands on the parse_kernel_anom() function.

Either of those have complete information and requires no syscall record.

-Steve


> I get:
>         SYSCALL/ANOM_LINK/FEATURE_CHANGE
>                 ppid    pid     auid    uid     gid     euid    suid   
> fsuid   egid    sgid    fsgid   tty     ses     comm    exe     subj
> ANOM_ABEND/SECCOMP
>                                 auid    uid     gid     ses     subj    pid
>     comm    exe LOGIN
>                 pid     uid     subj    old-auid        auid    tty    
> old-ses ses SYSTEM_BOOT/SYSTEM_SHUTDOWN
>                 pid     uid     auid    ses     subj    comm    exe
>         USER_LOGIN
>                 pid     uid     auid    ses     subj    uid     exe
>         DAEMON_START
>                                 auid    pid     uid     ses     subj
>         DAEMON_CONFIG/DAEMON_END
>                                 auid    pid     subj
>         ANOM_PROMISCUOUS
>                                 auid    uid     gid     ses
>         52msgs
>                 pid     uid     auid    ses     subj    *
>         CONFIG_CHANGE
>                                 auid    ses     subj
> 
> This new record is:
>         EVENT_LISTENER
>                 pid     uid     auid    tty     ses     subj    comm    exe
> 
> And using the search criteria following, I get no other matches:
>         /pid.*uid.*auid.*tty.*ses.*subj.*comm.*exe
> so this appears to be a new field order.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ