lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20200520185922.vnutg5z3hwp7grjm@madcap2.tricolour.ca>
Date:   Wed, 20 May 2020 14:59:22 -0400
From:   Richard Guy Briggs <rgb@...hat.com>
To:     Steve Grubb <sgrubb@...hat.com>
Cc:     linux-audit@...hat.com, Paul Moore <paul@...l-moore.com>,
        fw@...len.de, LKML <linux-kernel@...r.kernel.org>,
        netfilter-devel@...r.kernel.org, twoerner@...hat.com,
        Eric Paris <eparis@...isplace.org>, tgraf@...radead.org
Subject: Re: [PATCH ghak25 v6] audit: add subj creds to NETFILTER_CFG record
 to cover async unregister

On 2020-05-20 14:51, Steve Grubb wrote:
> On Wednesday, May 20, 2020 2:40:45 PM EDT Paul Moore wrote:
> > On Wed, May 20, 2020 at 12:55 PM Richard Guy Briggs <rgb@...hat.com> wrote:
> > > On 2020-05-20 12:51, Richard Guy Briggs wrote:
> > > > Some table unregister actions seem to be initiated by the kernel to
> > > > garbage collect unused tables that are not initiated by any userspace
> > > > actions.  It was found to be necessary to add the subject credentials
> > > > to cover this case to reveal the source of these actions.  A sample
> > > > record:
> > > > 
> > > > The uid, auid, tty, ses and exe fields have not been included since
> > > > they
> > > > are in the SYSCALL record and contain nothing useful in the non-user
> > > > context.
> > > > 
> > > >   type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat
> > > >   family=bridge entries=0 op=unregister pid=153
> > > >   subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2
> >
> > FWIW, that record looks good.
> 
> It's severely broken
> 
> cat log.file
> type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat 
> family=bridge entries=0 op=unregister pid=153 
> subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2
> 
> ausearch -if log.file --format text
> At 19:33:40 12/31/1969  did-unknown 
> 
> ausearch -if log.file --format csv
> NODE,EVENT,DATE,TIME,SERIAL_NUM,EVENT_KIND,SESSION,SUBJ_PRIME,SUBJ_SEC,SUBJ_KIND,ACTION,RESULT,OBJ_PRIME,OBJ_SEC,OBJ_KIND,HOW
> error normalizing NETFILTER_CFG
> ,NETFILTER_CFG,12/31/1969,19:33:40,0,,,,,,,,,,
> 
> This is unusable. This is why the bug was filed in the first place.

Have you applied this patchset?
	https://www.redhat.com/archives/linux-audit/2020-May/msg00072.html

AUDIT_EVENT_LISTENER is also broken without this first patch.

> -Steve
> 
> > > > Signed-off-by: Richard Guy Briggs <rgb@...hat.com>
> > > 
> > > Self-NACK.  I forgot to remove cred and tty declarations.

- RGB

--
Richard Guy Briggs <rgb@...hat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ