Repository of audit events
All,

Does there exist a repository of audit events that could be used to test changes to the audit parsing code?

Although turning on -a always,exit -F arch=b32 -S all and -a always,exit -F arch=b64 -S all for a while does tend to generate a lot of audit, it's clearly not exhaustive, so I am hoping we have some repositories that are shareable and one can test against.

Rgds

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Re: How do I get complete list of audit event types
Someone might look for this info in the future...

AUDIT_ADD_GROUP - User space group added
AUDIT_ADD_USER - User space user account added
AUDIT_ANOM_ABEND - Process ended abnormally
AUDIT_ANOM_ACCESS_FS - Access of file or dir
AUDIT_ANOM_ADD_ACCT - Adding an acct
AUDIT_ANOM_AMTU_FAIL - AMTU failure
AUDIT_ANOM_CRYPTO_FAIL - Crypto system test failure
AUDIT_ANOM_DEL_ACCT - Deleting an acct
AUDIT_ANOM_EXEC - Execution of file
AUDIT_ANOM_LOGIN_ACCT - Login attempted to watched acct
AUDIT_ANOM_LOGIN_FAILURES - Failed login limit reached
AUDIT_ANOM_LOGIN_LOCATION - Login from forbidden location
AUDIT_ANOM_LOGIN_SESSIONS - Max concurrent sessions reached
AUDIT_ANOM_LOGIN_TIME - Login attempted at bad time
AUDIT_ANOM_MAX_DAC - Max DAC failures reached
AUDIT_ANOM_MAX_MAC - Max MAC failures reached
AUDIT_ANOM_MK_EXEC - Make an executable
AUDIT_ANOM_MOD_ACCT - Changing an acct
AUDIT_ANOM_PROMISCUOUS - Device changed promiscuous mode
AUDIT_ANOM_RBAC_FAIL - RBAC self test failure
AUDIT_ANOM_RBAC_INTEGRITY_FAIL - RBAC file integrity failure
AUDIT_ANOM_ROOT_TRANS - User became root
AUDIT_AVC - SE Linux avc denial or grant
AUDIT_AVC_PATH - dentry, vfsmount pair from avc
AUDIT_BPRM_FCAPS - Information about fcaps increasing perms
AUDIT_CAPSET - Record showing argument to sys_capset
AUDIT_CHGRP_ID - User space group ID changed
AUDIT_CHUSER_ID - Changed user ID supplemental data
AUDIT_CONFIG_CHANGE - Audit system configuration change
AUDIT_CRED_ACQ - User space credential acquired
AUDIT_CRED_DISP - User space credential disposed
AUDIT_CRED_REFR - User space credential refreshed
AUDIT_CRYPTO_FAILURE_USER - Fail decrypt,encrypt,randomiz
AUDIT_CRYPTO_KEY_USER - Create,delete,negotiate
AUDIT_CRYPTO_LOGIN - Logged in as crypto officer
AUDIT_CRYPTO_LOGOUT - Logged out from crypto
AUDIT_CRYPTO_PARAM_CHANGE_USER - Crypto attribute change
AUDIT_CRYPTO_REPLAY_USER - Crypto replay detected
AUDIT_CRYPTO_SESSION - Record parameters set during
AUDIT_CRYPTO_TEST_USER - Crypto test results
AUDIT_CWD - Current working directory
AUDIT_DAC_CHECK - User space DAC check results
AUDIT_DAEMON_ABORT - Daemon error stop record
AUDIT_DAEMON_ACCEPT - Auditd accepted remote connection
AUDIT_DAEMON_CLOSE - Auditd closed remote connection
AUDIT_DAEMON_CONFIG - Daemon config change
AUDIT_DAEMON_END - Daemon normal stop record
AUDIT_DAEMON_RESUME - Auditd should resume logging
AUDIT_DAEMON_ROTATE - Auditd should rotate logs
AUDIT_DAEMON_START - Daemon startup record
AUDIT_DEL_GROUP - User space group deleted
AUDIT_DEL_USER - User space user account deleted
AUDIT_EOE - End of multi-record event
AUDIT_EXECVE - execve arguments
AUDIT_FD_PAIR - audit record for pipe
AUDIT_FS_RELABEL - Filesystem relabeled
AUDIT_GRP_AUTH - Authentication for group password
AUDIT_INTEGRITY_DATA - Data integrity verification
AUDIT_INTEGRITY_HASH - Integrity HASH type
AUDIT_INTEGRITY_METADATA - Metadata integrity verification
AUDIT_INTEGRITY_PCR - PCR invalidation msgs
AUDIT_INTEGRITY_RULE - Policy rule
AUDIT_INTEGRITY_STATUS - Integrity enable status
AUDIT_IPC - IPC record
AUDIT_IPC_SET_PERM - IPC new permissions record type
AUDIT_KERNEL - Asynchronous audit record. NOT A REQUEST.
AUDIT_KERNEL_OTHER - For use by 3rd party modules
AUDIT_LABEL_LEVEL_CHANGE - Object's level was changed
AUDIT_LABEL_OVERRIDE - Admin is overriding a label
AUDIT_LOGIN - Define the login id and information
AUDIT_MAC_CIPSOV4_ADD - NetLabel: add CIPSOv4 DOI entry
AUDIT_MAC_CIPSOV4_DEL - NetLabel: del CIPSOv4 DOI entry
AUDIT_MAC_CONFIG_CHANGE - Changes to booleans
AUDIT_MAC_IPSEC_ADDSA - Not used
AUDIT_MAC_IPSEC_ADDSPD - Not used
AUDIT_MAC_IPSEC_DELSA - Not used
AUDIT_MAC_IPSEC_DELSPD - Not used
AUDIT_MAC_IPSEC_EVENT - Audit an IPSec event
AUDIT_MAC_MAP_ADD - NetLabel: add LSM domain mapping
AUDIT_MAC_MAP_DEL - NetLabel: del LSM domain mapping
AUDIT_MAC_POLICY_LOAD - Policy file load
AUDIT_MAC_STATUS - Changed enforcing,permissive,off
AUDIT_MAC_UNLBL_STCADD - NetLabel: add a static label
AUDIT_MAC_UNLBL_STCDEL - NetLabel: del a static label
AUDIT_MMAP - Record showing descriptor and flags in mmap
AUDIT_MQ_GETSETATTR - POSIX MQ get
AUDIT_MQ_NOTIFY - POSIX MQ notify record type
AUDIT_MQ_OPEN - POSIX MQ open record type
AUDIT_MQ_SENDRECV - POSIX MQ send
AUDIT_NETFILTER_CFG - Netfilter chain modifications
AUDIT_NETFILTER_PKT - Packets traversing netfilter chains
AUDIT_OBJ_PID - ptrace target
AUDIT_PATH - Filename path information
AUDIT_RESP_ACCT_LOCK - User acct was locked
AUDIT_RESP_ACCT_LOCK_TIMED - User acct locked for time
Re: How do I get complete list of audit event types
On Apr 9, 2014, at 8:24 AM, Satish Chandra Kilaru iam.kil...@gmail.com wrote:

> Someone might look for this info in the future...
>
> AUDIT_ADD_GROUP - User space group added
> AUDIT_ADD_USER - User space user account added
> AUDIT_ANOM_ABEND - Process ended abnormally
> ...

Thanks!!!

Todd
Re: Repository of audit events
On Apr 8, 2014, at 11:25 PM, Burn Alting b...@swtf.dyndns.org wrote:

> All,
>
> Does there exist a repository of audit events that could be used to test changes to the audit parsing code?
>
> Although turning on -a always,exit -F arch=b32 -S all and -a always,exit -F arch=b64 -S all for a while does tend to generate a lot of audit, it's clearly not exhaustive, so I am hoping we have some repositories that are shareable and one can test against.

If anyone has links, please share with the lists. I would appreciate the data sources as well. I've started adding Linux audit analysis to my Mac-based tools, and more data for testing is always appreciated.

Todd
Re: Repository of audit events
To the best of my knowledge there is no way to generate every record type. I did send sgrubb the beginnings of me trying to write a suite of programs to exercise some of them for hopeful eventual inclusion in the auparse checker tool... I really think such a thing would be useful...

On Wed, 2014-04-09 at 16:25 +1000, Burn Alting wrote:

> All,
>
> Does there exist a repository of audit events that could be used to test changes to the audit parsing code?
>
> Although turning on -a always,exit -F arch=b32 -S all and -a always,exit -F arch=b64 -S all for a while does tend to generate a lot of audit, it's clearly not exhaustive, so I am hoping we have some repositories that are shareable and one can test against.
>
> Rgds
Re: [PATCH for v3.14] AUDIT: Allow login in non-init namespaces
On Sunday, March 30, 2014 07:07:54 PM Eric Paris wrote:

It is possible to configure your PAM stack to refuse login if audit messages (about the login) were unable to be sent. This is common in many distros and thus normal configuration of many containers. The PAM modules determine if audit is enabled/disabled in the kernel based on the return value from sending an audit message on the netlink socket. If userspace gets back ECONNREFUSED it believes audit is disabled in the kernel. If it gets any other error, it refuses to let the login proceed.

This is a requirement. I do not advocate tricking user space. If you do, I might have to fix the bug you created. What should be done is have some discussion about the problem so that everyone involved has some chance to discuss the problem.

-Steve

Just about ever since the introduction of namespaces the kernel audit subsystem has returned EPERM if the task sending a message was not in the init user or pid namespace. So many forms of containers have never worked if audit was enabled in the kernel. BUT if the container was not in net_init then the kernel network code would send ECONNREFUSED (instead of the audit code sending EPERM). Thus by pure accident/dumb luck/bug if an admin configured the PAM stack to reject all logins that didn't talk to audit, but then ran the login utility in the non-init_net namespace, it would work!!

Clearly this was a bug, but it is a bug some people expected. With the introduction of network namespace support in 3.14-rc1 the two bugs stopped cancelling each other out. Now, containers in the non-init_net namespace refused to let users log in (just like PAM was configured!) Obviously some people were not happy that what used to let users log in, now didn't!

This fix is kinda hacky. We return ECONNREFUSED for all non-init relevant namespaces. That means that not only will the old broken non-init_net setups continue to work, now the broken non-init_pid or non-init_user setups will 'work'.
They don't really work, since audit isn't logging things. But it's what most users want. In 3.15 we should have patches to support not only the non-init_net (3.14) namespace but also the non-init_pid and non-init_user namespace. So all will be right in the world. This just opens the doors wide open on 3.14 and hopefully makes users happy, if not the audit system... Reported-by: Andre Tomt an...@tomt.net Reported-by: Adam Richter adam_richter2...@yahoo.com Signed-off-by: Eric Paris epa...@redhat.com --- kernel/audit.c | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/kernel/audit.c b/kernel/audit.c index 3392d3e..95a20f3 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -608,9 +608,19 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type) int err = 0; /* Only support the initial namespaces for now. */ + /* + * We return ECONNREFUSED because it tricks userspace into thinking + * that audit was not configured into the kernel. Lots of users + * configure their PAM stack (because that's what the distro does) + * to reject login if unable to send messages to audit. If we return + * ECONNREFUSED the PAM stack thinks the kernel does not have audit + * configured in and will let login proceed. If we return EPERM + * userspace will reject all logins. This should be removed when we + * support non init namespaces!! + */ if ((current_user_ns() != init_user_ns) || (task_active_pid_ns(current) != init_pid_ns)) - return -EPERM; + return -ECONNREFUSED; switch (msg_type) { case AUDIT_LIST: -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
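Review bot: the new comment block in audit_netlink_ok() records that -ECONNREFUSED is returned deliberately so that PAM concludes audit is not configured, but nothing in the hunk makes that condition visible to an administrator, so a container in a non-init user or pid namespace now admits logins with no audit record and no indication that this happened. Consider a one-time kernel log line (pr_warn_once or similar) beside the `return -ECONNREFUSED;`, and turn the trailing "This should be removed when we support non init namespaces!!" into an explicit TODO tied to the non-init_pid / non-init_user support the commit message promises for 3.15, so the workaround is not forgotten once that support lands.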
Re: Repository of audit events
All,

I'll start going through these references to see how complete (based on current mainstream Linux deployments) a set of events I can get and report back.

Regards
Burn

On Wed, 2014-04-09 at 13:19 -0400, Steve Grubb wrote:

> On Wednesday, April 09, 2014 04:25:26 PM Burn Alting wrote:
>
> > Does there exist a repository of audit events that could be used to test changes to the audit parsing code?
>
> I don't have one. My count is that there are 144 known events. I created a testing tool, ausearch-test, that is located here:
>
> http://people.redhat.com/sgrubb/audit/ausearch-test-0.5.tar.gz
>
> It can mine your audit logs for one example of each kind of event to a file that can later be used for testing. I have run it over and over from various machines and doing stuff to provoke events such as the IMA events. Running the aucoverage utility against my database shows I am missing 68. Of those, 18 are in the ANOM_ category which is a place-holder for events to be used in an IDS plugin still under development. There are 13 missing in the RESP_ category because the IPS plugin is not using them yet. So, that leaves 37 real events that I don't have in my collection.
>
> This is the list of events I have never been able to generate:
>
> Missing AVC_PATH
> Missing CHUSER_ID
> Missing CRYPTO_FAILURE_USER
> Missing CRYPTO_LOGIN
> Missing CRYPTO_LOGOUT
> Missing CRYPTO_PARAM_CHANGE_USER
> Missing CRYPTO_REPLAY_USER
> Missing CRYPTO_TEST_USER
> Missing DAC_CHECK
> Missing DAEMON_ABORT
> Missing INTEGRITY_DATA
> Missing INTEGRITY_HASH
> Missing INTEGRITY_METADATA
> Missing INTEGRITY_RULE
> Missing INTEGRITY_STATUS
> Missing LABEL_OVERRIDE
> Missing MAC_CIPSOV4_ADD
> Missing MAC_CIPSOV4_DEL
> Missing MAC_IPSEC_ADDSA
> Missing MAC_IPSEC_ADDSPD
> Missing MAC_IPSEC_DELSA
> Missing MAC_IPSEC_DELSPD
> Missing MAC_IPSEC_EVENT
> Missing MAC_MAP_ADD
> Missing MAC_MAP_DEL
> Missing MAC_UNLBL_STCADD
> Missing MAC_UNLBL_STCDEL
> Missing NETFILTER_PKT
> Missing ROLE_MODIFY
> Missing ROLE_REMOVE
> Missing SELINUX_ERR
> Missing USER_LABELED_EXPORT
> Missing USER_MAC_CONFIG_CHANGE
> Missing USER_MAC_POLICY_LOAD
> Missing USER_MGMT
> Missing USER_SELINUX_ERR
> Missing USER_UNLABELED_EXPORT
>
> > Although turning on -a always,exit -F arch=b32 -S all and -a always,exit -F arch=b64 -S all
>
> There is a test suite, audit-test, that you might want to know about. It's used for Common Criteria certifications and can be found here:
>
> http://sourceforge.net/projects/audit-test/
>
> It can supposedly exercise the system to generate events. But I don't know if it removes audit logs between tests to make the event under test easier to find or not. But I have been thinking using it might be the best way to get the events I am missing. I know that you'll never get them all. Some are unused. Some have been deprecated. Some can only be generated when using SE Linux in MLS mode with labelled networking and printing. The Integrity events that I am missing are in the IMA subsystem. I can see them in the kernel, but I have no idea how to make them come out.
>
> > for a while does tend to generate a lot of audit, but it's clearly not exhaustive so I am hoping we have some repositories that are shareable and one can test against.
>
> For an exhaustive collection, you'd probably want to run without SE Linux enabled, with targeted policy, with MLS policy, and probably with other LSMs than SE Linux.
>
> -Steve
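As an added illustration of the "one example of each kind of event" mining and the ANOM_ / RESP_ / real-event split Steve describes, here is a small Python coverage checker. It is not ausearch-test or aucoverage and not code from this thread; it runs over constructed audit.log lines and a constructed subset of the known type list (both are assumptions, not data from any real system).

```python
import re
from collections import OrderedDict

# Constructed sample of raw audit.log records (not from any real system).
# Log records carry the type name without the AUDIT_ prefix.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1397054726.001:101): arch=c000003e syscall=59 success=yes exit=0 comm="ls" exe="/bin/ls"
type=EXECVE msg=audit(1397054726.001:101): argc=1 a0="ls"
type=CWD msg=audit(1397054726.001:101):  cwd="/root"
type=PATH msg=audit(1397054726.001:101): item=0 name="/bin/ls"
type=EOE msg=audit(1397054726.001:101):
type=USER_LOGIN msg=audit(1397054730.500:102): pid=2200 uid=0 auid=1000 msg='op=login acct="burn" res=success'
type=DAEMON_START msg=audit(1397054700.000:1): auditd start, ver=2.3 format=raw kernel=3.14.0 res=success
type=PATH msg=audit(1397054731.000:103): item=0 name="/etc/passwd"
"""

# Constructed subset of the known record types (the full list is far longer).
KNOWN_TYPES = ["SYSCALL", "EXECVE", "CWD", "PATH", "EOE", "USER_LOGIN",
               "DAEMON_START", "AVC_PATH", "INTEGRITY_RULE",
               "ANOM_ABEND", "ANOM_PROMISCUOUS", "RESP_ACCT_LOCK"]

TYPE_RE = re.compile(r"^type=([A-Z0-9_]+) ")


def first_example_per_type(log_text):
    """Keep the first record seen for each type: the corpus a parser
    regression test can later be run against."""
    examples = OrderedDict()
    for line in log_text.splitlines():
        m = TYPE_RE.match(line)
        if m and m.group(1) not in examples:
            examples[m.group(1)] = line
    return examples


def coverage_report(log_text, known=KNOWN_TYPES):
    """Report which known types the log never produced, separating the
    ANOM_ and RESP_ placeholder categories from the real events."""
    seen = first_example_per_type(log_text)
    missing = [t for t in known if t not in seen]
    return {
        "seen": sorted(seen),
        "missing_anom": [t for t in missing if t.startswith("ANOM_")],
        "missing_resp": [t for t in missing if t.startswith("RESP_")],
        "missing_real": [t for t in missing
                         if not t.startswith(("ANOM_", "RESP_"))],
    }


if __name__ == "__main__":
    for key, vals in coverage_report(SAMPLE_LOG).items():
        print(f"{key}: {', '.join(vals) or '-'}")
```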
Re: [PATCH for v3.14] AUDIT: Allow login in non-init namespaces
On Wed, Apr 9, 2014 at 5:08 PM, Steve Grubb sgr...@redhat.com wrote:

> This is a requirement. I do not advocate tricking user space.

It's not about tricking user space. This is how we used to behave. ECONNREFUSED is what you got in a non-init namespace. So this is a *regression fix*, not some kind of trick. And there is absolutely nothing to discuss about regression fixes.

If people want to start auditing non-init namespaces, go right ahead. But it will *not* happen by breaking old behavior that people depended on.

Linus
Re: Repository of audit events
On Wed, Apr 09 2014 at 10:19, Steve Grubb wrote:

> Missing INTEGRITY_RULE

IMA with an 'audit' rule generates INTEGRITY_RULE messages.