Re: auditd fails to start on FC6 system, newer kernels effect?
Hi, Just a quick update on this in case any one was curious...turns out that the audit system was not in his kernel config. Its working now. -Steve On Monday 19 November 2007 01:23:25 pm Stephen Smalley wrote: On Sat, 2007-11-17 at 04:31 -0500, Gene Heskett wrote: Greetings; FC6 system, uptodate, kernel 2.6.24-rc3, but this has existed since I re-enabled selinux in permissive mode just to see what complained. The manpage says to use the -f option for foreground troubleshooting, so here goes: [EMAIL PROTECTED] linux-2.6.24-rc3]# man auditd [EMAIL PROTECTED] linux-2.6.24-rc3]# which auditd /sbin/auditd [EMAIL PROTECTED] linux-2.6.24-rc3]# auditd -f Config file /etc/audit/auditd.conf opened for parsing log_file_parser called with: /var/log/audit/audit.log log_format_parser called with: RAW priority_boost_parser called with: 3 flush_parser called with: INCREMENTAL freq_parser called with: 20 num_logs_parser called with: 4 dispatch_parser called with: /sbin/audispd qos_parser called with: lossy max_log_size_parser called with: 5 max_log_size_action_parser called with: ROTATE space_left_parser called with: 75 space_action_parser called with: SYSLOG action_mail_acct_parser called with: root admin_space_left_parser called with: 50 admin_space_left_action_parser called with: SUSPEND disk_full_action_parser called with: SUSPEND disk_error_action_parser called with: SUSPEND Started dispatcher: /sbin/audispd pid: 7828 type=DAEMON_START msg=audit(1195291550.719:1106) auditd start, ver=1.4.2, format=raw, auid=4294967295 pid=7824 res=success, auditd pid=7824 config_manager init complete Error setting audit daemon pid (Connection refused) type=DAEMON_ABORT msg=audit(1195291550.720:1107) auditd error halt, auid=4294967295 pid=7824 res=failed, auditd pid=7824 Unable to set audit pid, exiting The audit daemon is exiting. Error setting audit daemon pid (Connection refused) [EMAIL PROTECTED] linux-2.6.24-rc3]# Connection refused sounds as if something else isn't running that should be, but no direct clue, so what else needs to run too, before auditd? More of a question for linux-audit (cc'd). Offhand, I'd guess that the ECONNREFUSED is coming from the netlink code, but I don't know why. Running it under strace might be illuminating. -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
[RFC PATCH] New audit message for NetLabel static/fallback labels
Those of you who follow the SELinux and/or LSM mailing lists know there is work currently underway to provide static or fallback network peer labels for use when traditional labeled networking (CIPSO or Labeled IPsec) is not present. For the same reasons that NetLabel or Labeled IPsec configuration changes are considered auditable events, configuring the static/fallback labels should likely be treated as an auditable event as well. The patch below is part of a larger patchset which contains this new functionality which has already been posted many times to the SELinux and LSM lists. Those interested in the patchset are encouraged to look into the archives of those mailing lists or check out the git tree here: * git://git.infradead.org/users/pcmoore/lblnet-2.6_testing I'm posting this patch to the audit list for comments/review as it contains all of the audit related changes and I'd like to sort out any issues the audit community may have sooner rather than later. Please take a few minutes to look over the changes, most importantly the new message types and either send me mail or preferably send mail straight to the audit list. For reference, here are four examples of the new message types pulled from a Fedora Rawhide machine running this patch: * adding new fallback label using network interface lo and address 127.0.0.0/8 type=UNKNOWN[1416] msg=audit(1195671777.849:32): netlabel: \ auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \ netif=lo daddr=127.0.0.0 daddr_mask=8 \ sec_obj=system_u:object_r:unlabeled_t:s0 res=1 * adding new fallback label using the default network interface and address 192.168.0.10 type=UNKNOWN[1416] msg=audit(1195671794.556:33): netlabel: \ auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \ daddr=192.168.0.10 \ sec_obj=system_u:object_r:unlabeled_t:s0 res=1 * deleting the configuration for network interface lo and address 127.0.0.0/8 type=UNKNOWN[1417] msg=audit(1195671962.670:42): netlabel: \ auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \ netif=lo daddr=127.0.0.0 daddr_mask=8 \ sec_obj=system_u:object_r:unlabeled_t:s0 res=1 * deleting the configuration for the defaul network interface and address 192.168.0.10 type=UNKNOWN[1417] msg=audit(1195671983.994:43): netlabel: \ auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \ daddr=192.168.0.10 \ sec_obj=system_u:object_r:unlabeled_t:s0 res=1 -- paul moore linux security @ hp -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [RFC PATCH] New audit message for NetLabel static/fallback labels
Paul Moore wrote: Those of you who follow the SELinux and/or LSM mailing lists know there is work currently underway to provide static or fallback network peer labels for use when traditional labeled networking (CIPSO or Labeled IPsec) is not present. For the same reasons that NetLabel or Labeled IPsec configuration changes are considered auditable events, configuring the static/fallback labels should likely be treated as an auditable event as well. The patch below is part of a larger patchset which contains this new functionality which has already been posted many times to the SELinux and LSM lists. Those interested in the patchset are encouraged to look into the archives of those mailing lists or check out the git tree here: * git://git.infradead.org/users/pcmoore/lblnet-2.6_testing I'm posting this patch to the audit list for comments/review as it contains all of the audit related changes and I'd like to sort out any issues the audit community may have sooner rather than later. Please take a few minutes to look over the changes, most importantly the new message types and either send me mail or preferably send mail straight to the audit list. For reference, here are four examples of the new message types pulled from a Fedora Rawhide machine running this patch: * adding new fallback label using network interface lo and address 127.0.0.0/8 type=UNKNOWN[1416] msg=audit(1195671777.849:32): netlabel: \ auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \ netif=lo daddr=127.0.0.0 daddr_mask=8 \ sec_obj=system_u:object_r:unlabeled_t:s0 res=1 At the risk of being nit-picky, it seems like the convention for network addresses is either separate address and netmask fields, or the combined address/bits-in-netmask notation. For example, ifconfig (on ubuntu, anyway) uses the former for IPv4 and the later for IPv6 addresses. loLink encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host These audit records separate the two values but use the bits-in-netmask instead of the netmask in dot notation, which seems inconsistent to me. Seems like the audit record above should either have an address of 127.0.0.0/8 or an address of 127.0.0.0 and a netmask of 255.0.0.0. -- ljk * adding new fallback label using the default network interface and address 192.168.0.10 type=UNKNOWN[1416] msg=audit(1195671794.556:33): netlabel: \ auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \ daddr=192.168.0.10 \ sec_obj=system_u:object_r:unlabeled_t:s0 res=1 * deleting the configuration for network interface lo and address 127.0.0.0/8 type=UNKNOWN[1417] msg=audit(1195671962.670:42): netlabel: \ auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \ netif=lo daddr=127.0.0.0 daddr_mask=8 \ sec_obj=system_u:object_r:unlabeled_t:s0 res=1 * deleting the configuration for the defaul network interface and address 192.168.0.10 type=UNKNOWN[1417] msg=audit(1195671983.994:43): netlabel: \ auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \ daddr=192.168.0.10 \ sec_obj=system_u:object_r:unlabeled_t:s0 res=1 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Missing audit information in xfrm_audit_common_policyinfo()?
I just noticed that the IPsec auditing code does not appear to audit the netmask for the selector source and destination addresses in xfrm_audit_common_policyinfo(). Before I threw a patch together I thought I would check to see if there was a reason for this that I am missing ... -- paul moore linux security @ hp -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [RFC PATCH] New audit message for NetLabel static/fallback labels
On Wednesday 21 November 2007 4:26:57 pm Paul Moore wrote: On Wednesday 21 November 2007 4:21:26 pm Linda Knippers wrote: Paul Moore wrote: For reference, here are four examples of the new message types pulled from a Fedora Rawhide machine running this patch: * adding new fallback label using network interface lo and address 127.0.0.0/8 type=UNKNOWN[1416] msg=audit(1195671777.849:32): netlabel: \ auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \ netif=lo daddr=127.0.0.0 daddr_mask=8 \ sec_obj=system_u:object_r:unlabeled_t:s0 res=1 At the risk of being nit-picky, it seems like the convention for network addresses is either separate address and netmask fields, or the combined address/bits-in-netmask notation. For example, ifconfig (on ubuntu, anyway) uses the former for IPv4 and the later for IPv6 addresses. loLink encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host These audit records separate the two values but use the bits-in-netmask instead of the netmask in dot notation, which seems inconsistent to me. Seems like the audit record above should either have an address of 127.0.0.0/8 or an address of 127.0.0.0 and a netmask of 255.0.0.0. I agree in that I like seeing the netmask attached to the address, but when I posed the question earlier to the list there was concern that this would cause breakage in the tools. I just thought of something, would you be more comfortable if I changed the name from 'daddr_mask' to 'daddr_prefixlen'? The more I think about this, the more I like the idea of 'daddr_prefixlen', I'm going to go and make that change. Although I'm still unclear of how people would like to see the netmask information - part of the address or separate. For what it is worth I think we are going to need to augment the existing IPsec SPD audit messages to include this information as well (see my other mail). -- paul moore linux security @ hp -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit