Re: [PATCH] MIPS: use current instead of task in syscall_get_arch

2014-04-11 Thread Markos Chandras

On 04/11/2014 03:43 AM, Richard Guy Briggs wrote:

> On 14/04/10, Eric Paris wrote:
> 
> > In commit 6e345746 Markos started using task to determine 64bit vs
> > 32bit instead of it being completely CONFIG based.
> > 
> > In commit 5e937a9a we dropped the 'task' argument to syscall_get_arch()
> > across the entire system.
> > 
> > This obviously results in a build failure when Linus's and the audit
> > tree were merged.  This patch should be applied as part of the merge
> > conflict, as both sides of the merge are correct and the failure happens
> > AT the merge.
> > 
> > The fix is simple.  The task is always current.  Use current.
> > 
> > Signed-off-by: Eric Paris 
> > Cc: markos.chand...@imgtec.com
> > Cc: Paul Burton 
> > Cc: James Hogan 
> > Cc: linux-m...@linux-mips.org
> 
> Signed-off-by: Richard Guy Briggs 


Looks good to me. Thanks for taking care of that.

Reviewed-by: Markos Chandras 

--
markos

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


Re: libauparse exporting clear_config()

2014-04-11 Thread Steve Grubb
On Friday, April 11, 2014 08:54:37 AM Laurent Bigonville wrote:
> On Thu, 10 Apr 2014 07:25:42 -0400,
> 
> Steve Grubb  wrote:
> > On Thursday, April 10, 2014 09:06:11 AM Laurent Bigonville wrote:
> > > With 2.3.5, libauparse is exporting a new symbol (clear_config())
> > > 
> > > It seems that all the other symbols are prefixed with either
> > > auparse_ or audit_, so is this expected?
> > 
> > No, this was not expected. It should be an internal use only
> > function. Is this causing any symbol collision in a known program?
> 
> Searching[0] quickly in the code that is present in the debian archive,
> I see that at least lxc has the same function name, but I didn't
> encounter collision myself.

Thanks for checking this. I don't think lxr would be using auparse, so I think 
we are safe. That said, the fix is to add the following:

void clear_config(struct daemon_conf *config) hidden;

to auparse/internal.h and then recompile. It's already in svn and will be in 
the next release, which should be in the next week or so.


> Apparently libaudit also has some symbols that are not prefixed
> by audit_[1], but these seems a bit less generic than "clear_config()"

Thanks. I don't see anything here likely to cause a collision.

-Steve

> [0] http://codesearch.debian.net/
> [1]
> http://anonscm.debian.org/gitweb/?p=collab-maint/audit.git;a=blob;f=debian/l
> ibaudit1.symbols;h=1d1af3e008ab7858b3e6996563a9a9a5b4aa7723;hb=HEAD
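The ABI check implied by this exchange, as an added example that is not part of the thread or of the audit project: a POSIX sh filter that reads `nm -D --defined-only` output and prints every exported symbol lacking the auparse_/audit_ prefix, which is exactly how clear_config() would have surfaced before release. The sample nm lines and the `.libs/libauparse.so` path are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: flag symbols a library exports without
# the auparse_/audit_ prefix, the check that would have caught clear_config().
# Input is `nm -D --defined-only` output ("addr type name" per line); only
# defined global symbol types (T D B R W V) count, undefined (U/w) are skipped.
unprefixed_exports() {
    awk '
        # undefined or absolute entries can lack the address column, so take
        # the last two fields as symbol type and name
        NF >= 2 {
            type = $(NF - 1); name = $NF
            if (type ~ /^[TDBRWV]$/ && name !~ /^(auparse_|audit_)/)
                print name
        }
    ' "$@"
}

# Run against a freshly built library, e.g. check_library .libs/libauparse.so
check_library() {
    nm -D --defined-only "$1" | unprefixed_exports
}

# Constructed sample shaped like nm -D output for a 2.3.5-style libauparse
SAMPLE_NM_OUTPUT='0000000000004a20 T auparse_init
0000000000004c10 T auparse_next_event
0000000000005e80 T clear_config
                 U malloc
                 w __cxa_finalize
000000000001a0c0 B audit_sample_table'

# Report on the constructed sample; expected to name only clear_config
sample_report() {
    printf '%s\n' "$SAMPLE_NM_OUTPUT" | unprefixed_exports
}

sample_report
```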




Re: Repository of audit events

2014-04-11 Thread Steve Grubb
Hi Mimi,

On Thursday, April 10, 2014 11:36:15 PM Mimi Zohar wrote:
> On Wed, 2014-04-09 at 18:26 -0700, Peter Moody wrote:
> > On Wed, Apr 09 2014 at 10:19, Steve Grubb wrote:
> > > Missing INTEGRITY_RULE
> > 
> > IMA with an 'audit' rule generates INTEGRITY_RULE messages.

For those of us not really up on IMA and just want to generate the event to 
add to our collection, any tips on doing this?

> > Missing INTEGRITY_DATA
> 
> Failure to collect or appraise file data.
> (Requires the filesystem to be labeled w/security.ima and integrity
> appraisal enabled.)

How would I cause this event to be generated if I wanted to see it?

> > Missing INTEGRITY_HASH
> 
> Not used.

OK, I'll mark that deprecated.

> > Missing INTEGRITY_METADATA
> 
> Before updating/removing the 'security.evm' xattr or modifying file
> metadata included in the HMAC calculation (e.g. i_ino, i_uid, i_gid,
> i_mode, FSUUID, i_generation), EVM verifies the existing value.
> (Requires the filesystem to be labeled w/security.evm and integrity
> appraisal enabled.)

How to get it?

> > Missing INTEGRITY_STATUS
> 
> Errors related to the IMA policy.

How to get it?

Thanks,
-Steve



Re: Repository of audit events

2014-04-11 Thread Mimi Zohar
On Fri, 2014-04-11 at 10:07 -0400, Steve Grubb wrote: 
> Hi Mimi,
> 
> On Thursday, April 10, 2014 11:36:15 PM Mimi Zohar wrote:
> > On Wed, 2014-04-09 at 18:26 -0700, Peter Moody wrote:
> > > On Wed, Apr 09 2014 at 10:19, Steve Grubb wrote:
> > > > Missing INTEGRITY_RULE
> > > 
> > > IMA with an 'audit' rule generates INTEGRITY_RULE messages.
> 
> For those of us not really up on IMA and just want to generate the event to 
> add to our collection, any tips on doing this?

Requires CONFIG_INTEGRITY_AUDIT=y to be configured and loading an IMA
policy* containing an audit rule (e.g. audit func=BPRM_CHECK
mask=MAY_EXEC).

*Directions below for loading a policy.

> > > Missing INTEGRITY_DATA
> > 
> > Failure to collect or appraise file data.
> > (Requires the filesystem to be labeled w/security.ima and integrity
> > appraisal enabled.)
> 
> How would I cause this event to be generated if I wanted to see it?

Requires both CONFIG_IMA=y and CONFIG_IMA_APPRAISE=y to be enabled and
loading an IMA policy containing a measurement/appraisal rule (e.g.
measure func=BPRM_CHECK, measure func=FILE_CHECK mask=MAY_READ uid=0,
audit func=BPRM_CHECK mask=MAY_EXEC).  Both the boot command line
options 'ima_tcb' and 'ima_appraise_tcb' have these rules.  Unlabeled
filesystems would require the additional boot command line option
'ima_appraise=fix'.

> > > Missing INTEGRITY_HASH
> > 
> > Not used.
> 
> OK, I'll mark that deprecated.
> 
> > > Missing INTEGRITY_METADATA
> > 
> > Before updating/removing the 'security.evm' xattr or modifying file
> > metadata included in the HMAC calculation (e.g. i_ino, i_uid, i_gid,
> > i_mode, FSUUID, i_generation), EVM verifies the existing value.
> > (Requires the filesystem to be labeled w/security.evm and integrity
> > appraisal enabled.)
> 
> How to get it?

In addition to the IMA/IMA-appraisal config options, requires
CONFIG_EVM=y.  Assuming you've created an EVM key and loaded it, EVM is
enabled.  (dracut has an EVM module.)  Unlabeled filesystems would
require the additional boot command line option 'ima_evm=fix'.

> > > Missing INTEGRITY_STATUS
> > 
> > Errors related to the IMA policy.
> 
> How to get it?

Directions for loading a policy: to load a policy or replace the boot
command line 'ima_tcb'/'ima_appraise_tcb' policies, cat the new policy
to /sys/kernel/security/ima/config.  The IMA LTP testsuite has examples.

Mimi
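Mimi's directions above, carried through as an added example that is not part of the thread or of the IMA project: a POSIX sh script that checks the kernel config options she names, assembles the quoted rules into a policy, pre-checks each rule's shape, and only then writes it to securityfs. It assumes securityfs is mounted; the kernel exposes the policy interface as /sys/kernel/security/ima/policy (the thread writes .../ima/config), and the `load` argument, the config-file path and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: build, sanity-check and load an IMA
# policy holding the rules Mimi quotes. Assumes securityfs is mounted; IMA
# exposes its policy interface as .../ima/policy (the thread says .../ima/config).
IMA_POLICY_FILE=${IMA_POLICY_FILE:-/sys/kernel/security/ima/policy}

# Rules from the thread: audit execs (INTEGRITY_RULE events), measure execs
# and root's file reads (INTEGRITY_DATA once appraisal is enabled).
ima_policy_text() {
    cat <<'EOF'
audit func=BPRM_CHECK mask=MAY_EXEC
measure func=BPRM_CHECK
measure func=FILE_CHECK mask=MAY_READ uid=0
EOF
}

# $1 is a kernel config file (e.g. /boot/config-$(uname -r)); prints each
# option the thread names that is not built in, one per line.
missing_ima_options() {
    for opt in CONFIG_INTEGRITY_AUDIT CONFIG_IMA CONFIG_IMA_APPRAISE CONFIG_EVM; do
        grep -q "^${opt}=y" "$1" || echo "$opt"
    done
}

# Shape check before handing rules to the kernel, which rejects a bad line:
# every non-empty line must start with an IMA action and select a hook with
# func=. Prints the offending lines.
bad_ima_rules() {
    awk 'NF && !/^(measure|dont_measure|appraise|dont_appraise|audit) .*func=/' "$@"
}

# Replaces the built-in ima_tcb / ima_appraise_tcb policy; needs root.
ima_load_policy() {
    if [ -n "$(ima_policy_text | bad_ima_rules)" ]; then
        echo "refusing to load: malformed rule(s)" >&2
        return 1
    fi
    [ -w "$IMA_POLICY_FILE" ] || { echo "cannot write $IMA_POLICY_FILE" >&2; return 1; }
    ima_policy_text > "$IMA_POLICY_FILE"
}

# Only touch the kernel when explicitly asked, so the script is safe to inspect.
if [ "${1:-}" = "load" ]; then
    ima_load_policy
fi
```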



audit 2.3.6 released

2014-04-11 Thread Steve Grubb
I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide  
soon. The ChangeLog is:

- Add an option to auditctl to interpret a0 - a3 of syscall rules when listing
- Improve ARM and AARCH64 support (AKASHI Takahiro)
- Add ausearch --checkpoint feature (Burn Alting)
- Add --arch option to ausearch
- Improve too long config line in audispd, auditd, and auparse (#1071580)
- Fix aulast to accept the new AUDIT_LOGIN record format
- Remove clear_config symbol in auparse

I decided to go ahead and release this one because of some concern about an 
unintended symbol popping up in the auparse ABI.

This release includes a bunch of new stuff. You can now add a '-i' to the 
listing command of auditctl and it will interpret a0-a3 if they are included 
in any rules.

There is new support for arm as mentioned in an email a few weeks ago. If you 
were compiling --with-armeb, you now need to change to --with-arm. Cross 
compile support is not yet in place.

There is a new checkpoint feature to ausearch. What it does is give you all 
the events that have occurred since the last checkpoint.

Ausearch now has a --arch search option just in case you needed to find i386 
events on an x86_64 machine.

There were a number of cleanups to the code as well.

Please let me know if you run across any problems with this release.

-Steve



Re: [PATCH_v8 0/2] arm64: Add audit support

2014-04-11 Thread Don Dutile

On 03/15/2014 01:49 AM, AKASHI Takahiro wrote:

> (Please apply this patch after my ftrace patch to resolve some conflict
> on arm64/kernel/ptrace.c, functionally it doesn't depend on ftrace though)
> 
> This patchset adds system call audit support on arm64.
> Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64)
> are supported. Since arm64 has the exact same set of system calls
> on LE and BE, we don't care about endianness (or more specifically
> __AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).
> 
> There are some prerequisites for this patch to work correctly:
> * "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch
> * "audit: generic compat system call audit support" patch
> * "arm64: __NR_* definitions for compat syscalls" patch from Catalin
> * "arm64: make a single hook to syscall_trace() for all syscall features" patch
> * "arm64: split syscall_trace() into separate functions for enter/exit" patch
> * "arm64: Add regs_return_value() in syscall.h" patch
> * "arm64: is_compat_task is defined both in asm/compat.h and
> linux/compat.h" patch
> * userspace audit tool (v2.3.2 + my patch for arm64)

and the 2/2 patch won't apply to arch/arm64/kernel/ptrace.c
without the patch "[PATCH v7 7/7] arm64: ftrace: Add system call
tracepoint".
My question: do you need all 7 patches from "arm64: Add ftrace support"
as well for this audit patch to work, or just this 7/7 patch?



> Please review them as well for a better understanding.
> 
> This code was tested on both 32-bit and 64-bit LE userland
> in the following two ways:
> 1) basic operations with auditctl/autrace
>    # auditctl -a exit,always -S openat -F path=/etc/inittab
>    # auditctl -a exit,always -F dir=/tmp -F perm=rw
>    # auditctl -a task,always
>    # autrace /bin/ls
>  by comparing output from autrace with one from strace
> 
> 2) audit-test-code (+ my workarounds for arm/arm64)
>    by running "audit-tool", "filter" and "syscalls" test categories.
> 
> Changes v7 -> v8:
> * aligned with the change in "audit: generic compat system call audit
>    support" v5 [1/2]
> * aligned with the change in "arm64: split syscall_trace() into separate
>    functions for enter/exit" v5 [2/2]
> 
> Changes v6 -> v7:
> * changed an include file in syscall.h from  to
> [1/2]
> * aligned with the patch, "arm64: split syscall_trace() into separate
>    functions for enter/exit" [2/2]
> 
> Changes v5 -> v6:
> * removed and put "arm64: Add regs_return_value() in syscall.h" patch into
>    a separate set
> * aligned with the change in "arm64: make a single hook to syscall_trace()
>    for all syscall features" v3 [1/2]
> 
> Changes v4 -> v5:
> * rebased to 3.14-rcX
> * added a guard against TIF_SYSCALL_AUDIT [3/3]
> * aligned with the change in "arm64: make a single hook to syscall_trace()
>    for all syscall features" v2 [3/3]
> 
> Changes v3 -> v4:
> * Modified to sync with the patch, "make a single hook to syscall_trace()
>    for all syscall features"
> * aligned with "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch
> 
> Changes v2 -> v3:
> * Remove asm/audit.h.
>    See "generic compat syscall audit support" patch v4
> * Remove endianness dependency, i.e. AUDIT_ARCH_ARMEB/AARCH64EB.
> * Remove kernel/syscalls/Makefile which was used to create unistd32.h.
>    See Catalin's "Add __NR_* definitions for compat syscalls" patch
> 
> Changes v1 -> v2:
> * Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6]
>    Please note that a required header, unistd_32.h, is automatically
>    generated from unistd32.h.
> * Refer to regs->orig_x0 instead of regs->x0 as the first argument of
>    system call in audit_syscall_entry() [6/6]
> * Include "Add regs_return_value() in syscall.h" patch [2/6],
>    which was not intentionally included in v1 because it could be added
>    by "kprobes support".
> 
> AKASHI Takahiro (2):
>    arm64: Add audit support
>    arm64: audit: Add audit hook in syscall_trace_enter/exit()
> 
>   arch/arm64/Kconfig   |  2 ++
>   arch/arm64/include/asm/syscall.h | 15 +++
>   arch/arm64/kernel/ptrace.c   |  7 +++
>   include/uapi/linux/audit.h   |  1 +
>   4 files changed, 25 insertions(+)


