Re: [RFC PATCH] New audit message for NetLabel static/fallback labels

2007-11-21 Thread Paul Moore
On Wednesday 21 November 2007 4:26:57 pm Paul Moore wrote:
> On Wednesday 21 November 2007 4:21:26 pm Linda Knippers wrote:
> > Paul Moore wrote:
> > > For reference, here are four examples of the new message types pulled
> > > from a Fedora Rawhide machine running this patch:
> > >
> > >  * adding new fallback label using network interface "lo" and
> > >    address "127.0.0.0/8"
> > >
> > >    type=UNKNOWN[1416] msg=audit(1195671777.849:32): netlabel: \
> > > auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
> > > netif=lo daddr=127.0.0.0 daddr_mask=8 \
> > > sec_obj=system_u:object_r:unlabeled_t:s0 res=1
> >
> > At the risk of being nit-picky, it seems like the convention for network
> > addresses is either separate address and netmask fields, or the combined
> > address/bits-in-netmask notation.  For example, ifconfig (on ubuntu,
> > anyway) uses the former for IPv4 and the latter for IPv6 addresses.
> >
> > lo        Link encap:Local Loopback
> >   inet addr:127.0.0.1  Mask:255.0.0.0
> >   inet6 addr: ::1/128 Scope:Host
> >
> > These audit records separate the two values but use the bits-in-netmask
> > instead of the netmask in dot notation, which seems inconsistent to me.
> > Seems like the audit record above should either have an address of
> > 127.0.0.0/8 or an address of 127.0.0.0 and a netmask of 255.0.0.0.
>
> I agree in that I like seeing the netmask attached to the address, but when
> I posed the question earlier to the list there was concern that this would
> cause breakage in the tools.  I just thought of something, would you be
> more comfortable if I changed the name from 'daddr_mask' to
> 'daddr_prefixlen'?

The more I think about this, the more I like the idea of 'daddr_prefixlen', 
I'm going to go and make that change.  Although I'm still unclear of how 
people would like to see the netmask information - part of the address or 
separate.

For what it is worth I think we are going to need to augment the existing 
IPsec SPD audit messages to include this information as well (see my other 
mail).

-- 
paul moore
linux security @ hp

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


Missing audit information in xfrm_audit_common_policyinfo()?

2007-11-21 Thread Paul Moore
I just noticed that the IPsec auditing code does not appear to audit the 
netmask for the selector source and destination addresses in 
xfrm_audit_common_policyinfo().  Before I threw a patch together I thought I 
would check to see if there was a reason for this that I am missing ...

-- 
paul moore
linux security @ hp



Re: [RFC PATCH] New audit message for NetLabel static/fallback labels

2007-11-21 Thread Paul Moore
On Wednesday 21 November 2007 4:21:26 pm Linda Knippers wrote:
> Paul Moore wrote:
> > For reference, here are four examples of the new message types pulled
> > from a Fedora Rawhide machine running this patch:
> >
> >  * adding new fallback label using network interface "lo" and
> >    address "127.0.0.0/8"
> >
> >    type=UNKNOWN[1416] msg=audit(1195671777.849:32): netlabel: \
> > auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
> > netif=lo daddr=127.0.0.0 daddr_mask=8 \
> > sec_obj=system_u:object_r:unlabeled_t:s0 res=1
>
> At the risk of being nit-picky, it seems like the convention for network
> addresses is either separate address and netmask fields, or the combined
> address/bits-in-netmask notation.  For example, ifconfig (on ubuntu,
> anyway) uses the former for IPv4 and the latter for IPv6 addresses.
>
> lo        Link encap:Local Loopback
>   inet addr:127.0.0.1  Mask:255.0.0.0
>   inet6 addr: ::1/128 Scope:Host
>
> These audit records separate the two values but use the bits-in-netmask
> instead of the netmask in dot notation, which seems inconsistent to me.
> Seems like the audit record above should either have an address of
> 127.0.0.0/8 or an address of 127.0.0.0 and a netmask of 255.0.0.0.

I agree in that I like seeing the netmask attached to the address, but when I 
posed the question earlier to the list there was concern that this would 
cause breakage in the tools.  I just thought of something, would you be more 
comfortable if I changed the name from 'daddr_mask' to 'daddr_prefixlen'?

-- 
paul moore
linux security @ hp



Re: [RFC PATCH] New audit message for NetLabel static/fallback labels

2007-11-21 Thread Linda Knippers
Paul Moore wrote:
> Those of you who follow the SELinux and/or LSM mailing lists know there is
> work currently underway to provide static or fallback network peer labels for
> use when traditional labeled networking (CIPSO or Labeled IPsec) is not
> present.  For the same reasons that NetLabel or Labeled IPsec configuration
> changes are considered "auditable events", configuring the static/fallback
> labels should likely be treated as an auditable event as well.
> 
> The patch below is part of a larger patchset which contains this new
> functionality which has already been posted many times to the SELinux and LSM
> lists.  Those interested in the patchset are encouraged to look into the
> archives of those mailing lists or check out the git tree here:
> 
>  * git://git.infradead.org/users/pcmoore/lblnet-2.6_testing
> 
> I'm posting this patch to the audit list for comments/review as it contains
> all of the audit related changes and I'd like to sort out any issues the
> audit community may have sooner rather than later.  Please take a few minutes
> to look over the changes, most importantly the new message types and either
> send me mail or preferably send mail straight to the audit list.
> 
> For reference, here are four examples of the new message types pulled from a
> Fedora Rawhide machine running this patch:
> 
>  * adding new fallback label using network interface "lo" and
>    address "127.0.0.0/8"
> 
>    type=UNKNOWN[1416] msg=audit(1195671777.849:32): netlabel: \
> auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
> netif=lo daddr=127.0.0.0 daddr_mask=8 \
> sec_obj=system_u:object_r:unlabeled_t:s0 res=1

At the risk of being nit-picky, it seems like the convention for network
addresses is either separate address and netmask fields, or the combined
address/bits-in-netmask notation.  For example, ifconfig (on ubuntu, anyway)
uses the former for IPv4 and the latter for IPv6 addresses.

lo        Link encap:Local Loopback
  inet addr:127.0.0.1  Mask:255.0.0.0
  inet6 addr: ::1/128 Scope:Host

These audit records separate the two values but use the bits-in-netmask
instead of the netmask in dot notation, which seems inconsistent to me.
Seems like the audit record above should either have an address of
127.0.0.0/8 or an address of 127.0.0.0 and a netmask of 255.0.0.0.

-- ljk

> 
>  * adding new fallback label using the default network interface and
>    address "192.168.0.10"
> 
>    type=UNKNOWN[1416] msg=audit(1195671794.556:33): netlabel: \
> auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
> daddr=192.168.0.10 \
> sec_obj=system_u:object_r:unlabeled_t:s0 res=1
> 
>  * deleting the configuration for network interface "lo" and
>    address "127.0.0.0/8"
> 
>    type=UNKNOWN[1417] msg=audit(1195671962.670:42): netlabel: \
> auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
> netif=lo daddr=127.0.0.0 daddr_mask=8 \
> sec_obj=system_u:object_r:unlabeled_t:s0 res=1
> 
>  * deleting the configuration for the default network interface and
>    address "192.168.0.10"
> 
>    type=UNKNOWN[1417] msg=audit(1195671983.994:43): netlabel: \
> auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
> daddr=192.168.0.10 \
> sec_obj=system_u:object_r:unlabeled_t:s0 res=1
> 

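The notation question raised in this exchange (prefix length versus dotted netmask, and whether the mask belongs in the address field) is easy to get wrong on the consuming side. The following is an added example, not code from the posted patch or from NetLabel: it takes a netlabel audit record as quoted above, extracts `daddr` and `daddr_mask`, and renders the address in both notations. It assumes IPv4 only and the field names exactly as posted (the thread proposes renaming `daddr_mask` to `daddr_prefixlen`); the two sample records are constructed from the ones quoted in the thread. The mask-to-prefix-length conversion also rejects a non-contiguous mask, which a plain shift-and-count loop would turn into a misleading prefix length.

```c
/* Added example, not part of the posted patch or of NetLabel: convert
 * between the two netmask notations discussed in the thread and parse
 * the daddr/daddr_mask fields of a netlabel audit record (IPv4 only,
 * field names as posted). */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

/* Constructed sample records, modelled on the ones quoted in the thread. */
static const char SAMPLE_RECORD[] =
	"type=UNKNOWN[1416] msg=audit(1195671777.849:32): netlabel: "
	"auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 "
	"netif=lo daddr=127.0.0.0 daddr_mask=8 "
	"sec_obj=system_u:object_r:unlabeled_t:s0 res=1";
static const char SAMPLE_HOST_RECORD[] =
	"type=UNKNOWN[1416] msg=audit(1195671794.556:33): netlabel: "
	"auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 "
	"daddr=192.168.0.10 "
	"sec_obj=system_u:object_r:unlabeled_t:s0 res=1";

/* Prefix length of an IPv4 netmask (host byte order).  Returns 0 and
 * stores the length, or -1 if the mask is not a contiguous run of ones
 * (e.g. 255.0.255.0), for which a shift-and-count loop would report a
 * length that describes a different network. */
int mask4_to_prefixlen(uint32_t mask, unsigned *prefixlen)
{
	unsigned len = 0;

	while (mask & 0x80000000u) {
		mask <<= 1;
		len++;
	}
	if (mask != 0)	/* a zero bit was followed by a one bit */
		return -1;
	*prefixlen = len;
	return 0;
}

/* Dotted netmask (host byte order) for a prefix length of 0..32. */
uint32_t prefixlen_to_mask4(unsigned prefixlen)
{
	if (prefixlen == 0)
		return 0;
	if (prefixlen >= 32)
		return 0xffffffffu;
	return ~((1u << (32 - prefixlen)) - 1u);
}

/* Copy the value of "key=value" from a space-separated audit record into
 * val.  Returns 1 if the key is present as a whole field, else 0. */
int audit_field(const char *rec, const char *key, char *val, size_t vallen)
{
	size_t klen = strlen(key);
	const char *p = rec;

	while ((p = strstr(p, key)) != NULL) {
		if ((p == rec || p[-1] == ' ') && p[klen] == '=') {
			const char *start = p + klen + 1;
			size_t n = strcspn(start, " \t\n");

			if (n >= vallen)
				return 0;
			memcpy(val, start, n);
			val[n] = '\0';
			return 1;
		}
		p += klen;
	}
	return 0;
}

/* Render the record's destination address in both notations from the
 * thread: "addr/prefixlen" and "addr netmask=dotted".  A record with no
 * daddr_mask field (the default-interface entries) is a host address.
 * Returns 0 on success, -1 if there is no usable daddr/daddr_mask. */
int render_daddr(const char *rec, char *out, size_t outlen)
{
	char addr[INET_ADDRSTRLEN], maskstr[8], dotted[INET_ADDRSTRLEN];
	struct in_addr a, m;
	unsigned prefixlen = 32;

	if (!audit_field(rec, "daddr", addr, sizeof(addr)) ||
	    inet_pton(AF_INET, addr, &a) != 1)
		return -1;
	if (audit_field(rec, "daddr_mask", maskstr, sizeof(maskstr))) {
		char *end;
		unsigned long v = strtoul(maskstr, &end, 10);

		if (*end != '\0' || v > 32)
			return -1;
		prefixlen = (unsigned)v;
	}
	m.s_addr = htonl(prefixlen_to_mask4(prefixlen));
	if (inet_ntop(AF_INET, &m, dotted, sizeof(dotted)) == NULL)
		return -1;
	snprintf(out, outlen, "%s/%u (daddr=%s netmask=%s)",
		 addr, prefixlen, addr, dotted);
	return 0;
}

int main(void)
{
	char out[128];

	if (render_daddr(SAMPLE_RECORD, out, sizeof(out)) == 0)
		printf("%s\n", out);
	if (render_daddr(SAMPLE_HOST_RECORD, out, sizeof(out)) == 0)
		printf("%s\n", out);
	return 0;
}
```

Whichever notation the record ends up using, a consumer benefits from the contiguity check in `mask4_to_prefixlen()`: if the kernel ever logs only a bit count, a non-contiguous mask configured by an administrator can no longer be distinguished from a prefix in the audit trail, which argues for rejecting such masks at configuration time.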


[RFC PATCH] New audit message for NetLabel static/fallback labels

2007-11-21 Thread Paul Moore
Those of you who follow the SELinux and/or LSM mailing lists know there is
work currently underway to provide static or fallback network peer labels for
use when traditional labeled networking (CIPSO or Labeled IPsec) is not
present.  For the same reasons that NetLabel or Labeled IPsec configuration
changes are considered "auditable events", configuring the static/fallback
labels should likely be treated as an auditable event as well.

The patch below is part of a larger patchset which contains this new
functionality which has already been posted many times to the SELinux and LSM
lists.  Those interested in the patchset are encouraged to look into the
archives of those mailing lists or check out the git tree here:

 * git://git.infradead.org/users/pcmoore/lblnet-2.6_testing

I'm posting this patch to the audit list for comments/review as it contains
all of the audit related changes and I'd like to sort out any issues the
audit community may have sooner rather than later.  Please take a few minutes
to look over the changes, most importantly the new message types and either
send me mail or preferably send mail straight to the audit list.

For reference, here are four examples of the new message types pulled from a
Fedora Rawhide machine running this patch:

 * adding new fallback label using network interface "lo" and 
   address "127.0.0.0/8"

   type=UNKNOWN[1416] msg=audit(1195671777.849:32): netlabel: \
auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
netif=lo daddr=127.0.0.0 daddr_mask=8 \ 
sec_obj=system_u:object_r:unlabeled_t:s0 res=1

 * adding new fallback label using the default network interface and 
   address "192.168.0.10"

   type=UNKNOWN[1416] msg=audit(1195671794.556:33): netlabel: \
auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
daddr=192.168.0.10 \
sec_obj=system_u:object_r:unlabeled_t:s0 res=1

 * deleting the configuration for network interface "lo" and
   address "127.0.0.0/8"

   type=UNKNOWN[1417] msg=audit(1195671962.670:42): netlabel: \
auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
netif=lo daddr=127.0.0.0 daddr_mask=8 \
sec_obj=system_u:object_r:unlabeled_t:s0 res=1

 * deleting the configuration for the default network interface and
   address "192.168.0.10"

   type=UNKNOWN[1417] msg=audit(1195671983.994:43): netlabel: \
auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 \
daddr=192.168.0.10 \
sec_obj=system_u:object_r:unlabeled_t:s0 res=1

-- 
paul moore
linux security @ hp



[RFC PATCH] NetLabel: add auditing to the static labeling mechanism

2007-11-21 Thread Paul Moore
This patch adds auditing support to the NetLabel static labeling mechanism.
---

 include/linux/audit.h |2 
 net/netlabel/netlabel_unlabeled.c |  207 ++---
 2 files changed, 195 insertions(+), 14 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index c687816..bdd6f5d 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -115,6 +115,8 @@
 #define AUDIT_MAC_IPSEC_ADDSPD 1413/* Not used */
 #define AUDIT_MAC_IPSEC_DELSPD 1414/* Not used */
 #define AUDIT_MAC_IPSEC_EVENT  1415/* Audit an IPSec event */
+#define AUDIT_MAC_UNLBL_STCADD 1416/* NetLabel: add a static label */
+#define AUDIT_MAC_UNLBL_STCDEL 1417/* NetLabel: del a static label */
 
 #define AUDIT_FIRST_KERN_ANOM_MSG   1700
 #define AUDIT_LAST_KERN_ANOM_MSG1799
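Review bot: the two new type numbers (1416 and 1417) also need to be added to the audit userspace's copy of this table, otherwise records keep printing as type=UNKNOWN[1416] as in the cover letter's examples; it would also help to extend the comments so that each type names the fields it carries (netif, daddr, daddr_mask, sec_obj, res), since the userspace parsers will be written from this header.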
diff --git a/net/netlabel/netlabel_unlabeled.c 
b/net/netlabel/netlabel_unlabeled.c
index b71bedc..33556ee 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -143,6 +143,74 @@ static const struct nla_policy 
netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1
 };
 
 /*
+ * Audit Helper Functions
+ */
+
+/**
+ * netlbl_unlbl_audit_addr4 - Audit an IPv4 address
+ * @audit_buf: audit buffer
+ * @dev: network interface
+ * @addr: IP address
+ * @mask: IP address mask
+ *
+ * Description:
+ * Write the IPv4 address and address mask, if necessary, to @audit_buf.
+ *
+ */
+static void netlbl_unlbl_audit_addr4(struct audit_buffer *audit_buf,
+const char *dev,
+__be32 addr, __be32 mask)
+{
+   u32 mask_val = ntohl(mask);
+
+   if (dev != NULL)
+   audit_log_format(audit_buf, " netif=%s", dev);
+   audit_log_format(audit_buf, " daddr=" NIPQUAD_FMT, NIPQUAD(addr));
+   if (mask_val != 0x) {
+   u32 mask_len = 0;
+   while (mask_val > 0) {
+   mask_val <<= 1;
+   mask_len++;
+   }
+   audit_log_format(audit_buf, " daddr_mask=%d", mask_len);
+   }
+}
+
+/**
+ * netlbl_unlbl_audit_addr6 - Audit an IPv6 address
+ * @audit_buf: audit buffer
+ * @dev: network interface
+ * @addr: IP address
+ * @mask: IP address mask
+ *
+ * Description:
+ * Write the IPv6 address and address mask, if necessary, to @audit_buf.
+ *
+ */
+static void netlbl_unlbl_audit_addr6(struct audit_buffer *audit_buf,
+const char *dev,
+const struct in6_addr *addr,
+const struct in6_addr *mask)
+{
+   if (dev != NULL)
+   audit_log_format(audit_buf, " netif=%s", dev);
+   audit_log_format(audit_buf, " daddr=" NIP6_FMT, NIP6(*addr));
+   if (ntohl(mask->s6_addr32[3]) != 0x) {
+   u32 mask_len = 0;
+   u32 mask_val;
+   int iter = -1;
+   while (ntohl(mask->s6_addr32[++iter]) == 0x)
+   mask_len += 32;
+   mask_val = ntohl(mask->s6_addr32[iter]);
+   while (mask_val > 0) {
+   mask_val <<= 1;
+   mask_len++;
+   }
+   audit_log_format(audit_buf, " daddr_mask=%d", mask_len);
+   }
+}
+
+/*
  * Unlabeled Connection Hash Table Functions
  */
 
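Review bot: in netlbl_unlbl_audit_addr4() and netlbl_unlbl_audit_addr6() the all-ones comparisons read `0x` as posted, which is not a valid C integer constant (presumably the 32-bit all-ones mask was meant and was lost in transit). Beyond that, both helpers derive the prefix length by shifting the mask left and counting until it reaches zero, which silently assumes a contiguous mask: a non-contiguous mask would be logged with a prefix length describing a different network, so either reject such masks when the entry is configured or log the raw mask. The IPv6 loop `while (ntohl(mask->s6_addr32[++iter]) == ...)` only stays within s6_addr32[0..3] because of the preceding check on s6_addr32[3]; a comment saying so would help the next reader. Minor: `mask_len` is a u32 printed with `%d`; `%u` is consistent. And as discussed on the list, the value is a bit count, so `daddr_prefixlen` describes it better than `daddr_mask`.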
@@ -519,6 +587,7 @@ add_iface_failure:
  * @mask: address mask in network byte order
  * @addr_len: length of address/mask (4 for IPv4, 16 for IPv6)
  * @secid: LSM secid value for the entry
+ * @audit_info: NetLabel audit information
  *
  * Description:
  * Adds a new entry to the unlabeled connection hash table.  Returns zero on
@@ -530,12 +599,18 @@ static int netlbl_unlhsh_add(struct net *net,
 const void *addr,
 const void *mask,
 u32 addr_len,
-u32 secid)
+u32 secid,
+struct netlbl_audit *audit_info)
 {
int ret_val;
int ifindex;
struct net_device *dev;
struct netlbl_unlhsh_iface *iface;
+   struct in_addr *addr4, *mask4;
+   struct in6_addr *addr6, *mask6;
+   struct audit_buffer *audit_buf = NULL;
+   char *secctx = NULL;
+   u32 secctx_len;
 
if (addr_len != sizeof(struct in_addr) &&
addr_len != sizeof(struct in6_addr))
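Review bot: the new locals `addr4`/`mask4` and `addr6`/`mask6` are declared without const although `addr` and `mask` arrive as `const void *`; declaring them `const struct in_addr *` and `const struct in6_addr *` avoids casting away the qualifier later. `secctx` and `secctx_len` are also introduced here with no user visible in this posting; if they hold a context obtained from the LSM, make sure the matching release happens on every exit path, including the error paths before `unlhsh_add_return`.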
@@ -562,13 +637,27 @@ static int netlbl_unlhsh_add(struct net *net,
goto unlhsh_add_return;
}
}
+   audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCADD,
+ audit_info);
switch (addr_len) {
case sizeof(struct in_addr):
-   ret_val = netlbl_unlhsh_add_addr4(iface, addr, mask, secid);
+   addr4 = (struct in_addr *)addr;
+   mask4 = (struct in_addr *)mask;
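Review bot: this hunk is cut off in the archive after `mask4 = (struct in_addr *)mask;`, so the remainder of the IPv4 and IPv6 paths cannot be reviewed here. From what is visible, `netlbl_audit_start_common()` is now called before the `switch`, so every path that follows, including the invalid-length default case, must end the audit buffer or it leaks; and `(struct in_addr *)addr` strips const from the function's `const void *` parameter, where `(const struct in_addr *)addr` would keep it. Since the cover letter's samples log `res=1` on success, the failure path should emit the same fields with `res=0` so userspace can correlate the two.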

Re: auditd fails to start on FC6 system, newer kernels effect?

2007-11-21 Thread Steve Grubb
Hi,

Just a quick update on this in case any one was curious...turns out that the 
audit system was not in his kernel config. Its working now.

-Steve


On Monday 19 November 2007 01:23:25 pm Stephen Smalley wrote:
> On Sat, 2007-11-17 at 04:31 -0500, Gene Heskett wrote:
> > Greetings;
> >
> > FC6 system, uptodate, kernel 2.6.24-rc3, but this has existed since I
> > re-enabled selinux in permissive mode just to see what complained.
> >
> > The manpage says to use the -f option for foreground troubleshooting, so
> > here goes:
> >
> > [EMAIL PROTECTED] linux-2.6.24-rc3]# man auditd
> > [EMAIL PROTECTED] linux-2.6.24-rc3]# which auditd
> > /sbin/auditd
> > [EMAIL PROTECTED] linux-2.6.24-rc3]# auditd -f
> > Config file /etc/audit/auditd.conf opened for parsing
> > log_file_parser called with: /var/log/audit/audit.log
> > log_format_parser called with: RAW
> > priority_boost_parser called with: 3
> > flush_parser called with: INCREMENTAL
> > freq_parser called with: 20
> > num_logs_parser called with: 4
> > dispatch_parser called with: /sbin/audispd
> > qos_parser called with: lossy
> > max_log_size_parser called with: 5
> > max_log_size_action_parser called with: ROTATE
> > space_left_parser called with: 75
> > space_action_parser called with: SYSLOG
> > action_mail_acct_parser called with: root
> > admin_space_left_parser called with: 50
> > admin_space_left_action_parser called with: SUSPEND
> > disk_full_action_parser called with: SUSPEND
> > disk_error_action_parser called with: SUSPEND
> > Started dispatcher: /sbin/audispd pid: 7828
> > type=DAEMON_START msg=audit(1195291550.719:1106) auditd start, ver=1.4.2,
> > format=raw, auid=4294967295 pid=7824 res=success, auditd pid=7824
> > config_manager init complete
> > Error setting audit daemon pid (Connection refused)
> > type=DAEMON_ABORT msg=audit(1195291550.720:1107) auditd error halt,
> > auid=4294967295 pid=7824 res=failed, auditd pid=7824
> > Unable to set audit pid, exiting
> > The audit daemon is exiting.
> > Error setting audit daemon pid (Connection refused)
> > [EMAIL PROTECTED] linux-2.6.24-rc3]#
> >
> > Connection refused sounds as if something else isn't running that should
> > be, but no direct clue, so what else needs to run too, before auditd?
>
> More of a question for linux-audit (cc'd).  Offhand, I'd guess that the
> ECONNREFUSED is coming from the netlink code, but I don't know why.
> Running it under strace might be illuminating.

