lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Wed, 20 May 2020 15:06:35 -0400
From:   Richard Guy Briggs <rgb@...hat.com>
To:     Steve Grubb <sgrubb@...hat.com>
Cc:     linux-audit@...hat.com, Paul Moore <paul@...l-moore.com>,
        fw@...len.de, LKML <linux-kernel@...r.kernel.org>,
        netfilter-devel@...r.kernel.org, twoerner@...hat.com,
        Eric Paris <eparis@...isplace.org>, tgraf@...radead.org
Subject: Re: [PATCH ghak25 v6] audit: add subj creds to NETFILTER_CFG record
 to cover async unregister

On 2020-05-20 14:59, Richard Guy Briggs wrote:
> On 2020-05-20 14:51, Steve Grubb wrote:
> > On Wednesday, May 20, 2020 2:40:45 PM EDT Paul Moore wrote:
> > > On Wed, May 20, 2020 at 12:55 PM Richard Guy Briggs <rgb@...hat.com> wrote:
> > > > On 2020-05-20 12:51, Richard Guy Briggs wrote:
> > > > > Some table unregister actions seem to be initiated by the kernel to
> > > > > garbage collect unused tables that are not initiated by any userspace
> > > > > actions.  It was found to be necessary to add the subject credentials
> > > > > to cover this case to reveal the source of these actions.  A sample
> > > > > record:
> > > > > 
> > > > > The uid, auid, tty, ses and exe fields have not been included since
> > > > > they
> > > > > are in the SYSCALL record and contain nothing useful in the non-user
> > > > > context.
> > > > > 
> > > > >   type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat
> > > > >   family=bridge entries=0 op=unregister pid=153
> > > > >   subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2
> > >
> > > FWIW, that record looks good.
> > 
> > It's severely broken
> > 
> > cat log.file
> > type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat 
> > family=bridge entries=0 op=unregister pid=153 
> > subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2
> > 
> > ausearch -if log.file --format text
> > At 19:33:40 12/31/1969  did-unknown 
> > 
> > ausearch -if log.file --format csv
> > NODE,EVENT,DATE,TIME,SERIAL_NUM,EVENT_KIND,SESSION,SUBJ_PRIME,SUBJ_SEC,SUBJ_KIND,ACTION,RESULT,OBJ_PRIME,OBJ_SEC,OBJ_KIND,HOW
> > error normalizing NETFILTER_CFG
> > ,NETFILTER_CFG,12/31/1969,19:33:40,0,,,,,,,,,,
> > 
> > This is unusable. This is why the bug was filed in the first place.
> 
> Have you applied this patchset?
> 	https://www.redhat.com/archives/linux-audit/2020-May/msg00072.html
> 
> AUDIT_EVENT_LISTENER is also broken without this first patch.

And EVENT_LISTENER also needs this patch:
	https://github.com/linux-audit/audit-userspace/pull/114/commits/27daa6fca534b30199040d0ad05420a8331ab421

> > -Steve
> > 
> > > > > Signed-off-by: Richard Guy Briggs <rgb@...hat.com>
> > > > 
> > > > Self-NACK.  I forgot to remove cred and tty declarations.
> 
> - RGB

- RGB

--
Richard Guy Briggs <rgb@...hat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ