Re: [PATCH]: revised make xfrm_audit_log more generic patch
On Tuesday 24 July 2007 12:33:26 pm Joy Latten wrote: > > It also wouldn't hurt to change the text being sent to this function to > > have a hyphen instead of a space, so "SPD delete" becomes "SPD-delete". > > This keeps the parser happy. > > Steve, more for my education, should all entries have this sort of > syntax, that is, a hyphen in it? Only if its something that is important to have associated in reports. More that 1 or 2 hyphens is probably not good. > I imagine some entries might be a bit more wordy and so I was wondering > ahead of time how to do it. The audit logs should be short as possible but contain everything necessary. You can have language in the record that makes it more understandable for people reading the raw record, but it won't necessarily be picked up by report parsers for searching or presentation. If you want me to help review the choices, let me know offline and we can work through it. -Steve -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH]: revised make xfrm_audit_log more generic patch
On Tue, 2007-07-24 at 11:04 -0400, Steve Grubb wrote: > It also wouldn't hurt to change the text being sent to this function to have > a > hyphen instead of a space, so "SPD delete" becomes "SPD-delete". This keeps > the parser happy. > Steve, more for my education, should all entries have this sort of syntax, that is, a hyphen in it? I imagine some entries might be a bit more wordy and so I was wondering ahead of time how to do it. Thanks!! Joy -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH]: revised make xfrm_audit_log more generic patch
On Tue, 2007-07-24 at 11:04 -0400, Steve Grubb wrote: > > + audit_log_format(audit_buf, "%s: auid=%u", buf, auid); > > > > if (sid != 0 && > > security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) > > The operation in buf will not be parsed by the user space tools. Let's > use "op=%s " where you have "%s: " above. Audit record fields are name=value > and fields separated by spaces. "op" is what we are using in other places to > mean operation. > > I know its a change from the records above, but we previously had some detail > about what operation was being performed by the record type and this did not > matter so much. Now that we only have one event type, the meaning of the > event being recorded needs to be parsable and in a field. > > It also wouldn't hurt to change the text being sent to this function to have > a > hyphen instead of a space, so "SPD delete" becomes "SPD-delete". This keeps > the parser happy. > > This patch otherwise looks good. Sounds good. I will make the changes and resend. Thanks!! Joy -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH]: revised make xfrm_audit_log more generic patch
Hi,
I think we need just one other minor tweak.
On Monday 23 July 2007 17:46:05 Joy Latten wrote:
> @@ -2154,44 +2168,23 @@ EXPORT_SYMBOL(xfrm_bundle_ok);
> /* Audit addition and deletion of SAs and ipsec policy */
>
> void xfrm_audit_log(uid_t auid, u32 sid, int type, int result,
> - struct xfrm_policy *xp, struct xfrm_state *x)
> + u16 family, xfrm_address_t saddr, xfrm_address_t
> daddr, + __be32 spi, __be32 flowlabel, struct
> xfrm_sec_ctx *sctx, + char *buf)
> {
> -
> char *secctx;
> u32 secctx_len;
> - struct xfrm_sec_ctx *sctx = NULL;
> struct audit_buffer *audit_buf;
> - int family;
> extern int audit_enabled;
>
> if (audit_enabled == 0)
> return;
>
> - BUG_ON((type == AUDIT_MAC_IPSEC_ADDSA ||
> - type == AUDIT_MAC_IPSEC_DELSA) && !x);
> - BUG_ON((type == AUDIT_MAC_IPSEC_ADDSPD ||
> - type == AUDIT_MAC_IPSEC_DELSPD) && !xp);
> -
> audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC,
> type); if (audit_buf == NULL)
> return;
>
> - switch(type) {
> - case AUDIT_MAC_IPSEC_ADDSA:
> - audit_log_format(audit_buf, "SAD add: auid=%u", auid);
> - break;
> - case AUDIT_MAC_IPSEC_DELSA:
> - audit_log_format(audit_buf, "SAD delete: auid=%u", auid);
> - break;
> - case AUDIT_MAC_IPSEC_ADDSPD:
> - audit_log_format(audit_buf, "SPD add: auid=%u", auid);
> - break;
> - case AUDIT_MAC_IPSEC_DELSPD:
> - audit_log_format(audit_buf, "SPD delete: auid=%u", auid);
> - break;
> - default:
> - return;
> - }
> + audit_log_format(audit_buf, "%s: auid=%u", buf, auid);
>
> if (sid != 0 &&
> security_secid_to_secctx(sid, &secctx, &secctx_len) == 0)
The operation in buf will not be parsed by the user space tools. Let's
use "op=%s " where you have "%s: " above. Audit record fields are name=value
and fields separated by spaces. "op" is what we are using in other places to
mean operation.
I know its a change from the records above, but we previously had some detail
about what operation was being performed by the record type and this did not
matter so much. Now that we only have one event type, the meaning of the
event being recorded needs to be parsable and in a field.
It also wouldn't hurt to change the text being sent to this function to have a
hyphen instead of a space, so "SPD delete" becomes "SPD-delete". This keeps
the parser happy.
This patch otherwise looks good.
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH]: revised make xfrm_audit_log more generic patch
On Mon, 23 Jul 2007, Joy Latten wrote: > Revised patch that modifies xfrm_audit_log() such that it > can accomodate auditing other ipsec events > besides add/delete of an SA or SPD entry. > > This patch differs from original in that it does > not remove existing ipsec audit defines so as > to not break existing audit apps. > > This is a small change to accomodate updating > ipsec protocol to RFCs 4301, 4302 and 4303 which > require auditing some ipsec events if auditing > is available. Please let me know if ok. > > Regards, > Joy > > Signed-off-by: Joy Latten <[EMAIL PROTECTED]> Acked-by: James Morris <[EMAIL PROTECTED]> -- James Morris <[EMAIL PROTECTED]> -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
[PATCH]: revised make xfrm_audit_log more generic patch
Revised patch that modifies xfrm_audit_log() such that it
can accomodate auditing other ipsec events
besides add/delete of an SA or SPD entry.
This patch differs from original in that it does
not remove existing ipsec audit defines so as
to not break existing audit apps.
This is a small change to accomodate updating
ipsec protocol to RFCs 4301, 4302 and 4303 which
require auditing some ipsec events if auditing
is available. Please let me know if ok.
Regards,
Joy
Signed-off-by: Joy Latten <[EMAIL PROTECTED]>
diff -urpN linux-2.6.22/include/linux/audit.h
linux-2.6.22.patch/include/linux/audit.h
--- linux-2.6.22/include/linux/audit.h 2007-07-23 14:35:28.0 -0500
+++ linux-2.6.22.patch/include/linux/audit.h2007-07-23 14:38:51.0
-0500
@@ -112,6 +112,7 @@
#define AUDIT_MAC_IPSEC_DELSA 1412/* Delete a XFRM state */
#define AUDIT_MAC_IPSEC_ADDSPD 1413/* Add a XFRM policy */
#define AUDIT_MAC_IPSEC_DELSPD 1414/* Delete a XFRM policy */
+#define AUDIT_MAC_IPSEC_EVENT 1415/* Audit IPSec events */
#define AUDIT_FIRST_KERN_ANOM_MSG 1700
#define AUDIT_LAST_KERN_ANOM_MSG1799
diff -urpN linux-2.6.22/include/net/xfrm.h linux-2.6.22.patch/include/net/xfrm.h
--- linux-2.6.22/include/net/xfrm.h 2007-07-23 14:35:28.0 -0500
+++ linux-2.6.22.patch/include/net/xfrm.h 2007-07-23 14:38:51.0
-0500
@@ -427,9 +427,11 @@ struct xfrm_audit
#ifdef CONFIG_AUDITSYSCALL
extern void xfrm_audit_log(uid_t auid, u32 secid, int type, int result,
- struct xfrm_policy *xp, struct xfrm_state *x);
+ u16 family, xfrm_address_t saddr,
+ xfrm_address_t daddr, __be32 spi, __be32 flowid,
+ struct xfrm_sec_ctx *sctx, char *buf);
#else
-#define xfrm_audit_log(a,s,t,r,p,x) do { ; } while (0)
+#define xfrm_audit_log(a,i,t,r,f,s,d,p,l,c,b) do { ; } while (0)
#endif /* CONFIG_AUDITSYSCALL */
static inline void xfrm_pol_hold(struct xfrm_policy *policy)
diff -urpN linux-2.6.22/net/key/af_key.c linux-2.6.22.patch/net/key/af_key.c
--- linux-2.6.22/net/key/af_key.c 2007-07-08 18:32:17.0 -0500
+++ linux-2.6.22.patch/net/key/af_key.c 2007-07-23 14:38:51.0 -0500
@@ -1459,7 +1459,9 @@ static int pfkey_add(struct sock *sk, st
err = xfrm_state_update(x);
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ x->props.family, x->props.saddr, x->id.daddr,
+ x->id.spi, 0, x->security, "SAD add");
if (err < 0) {
x->km.state = XFRM_STATE_DEAD;
@@ -1513,7 +1515,10 @@ static int pfkey_delete(struct sock *sk,
km_state_notify(x, &c);
out:
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, x->props.family,
+ x->props.saddr, x->id.daddr, x->id.spi, 0,
+ x->security, "SAD delete");
+
xfrm_state_put(x);
return err;
@@ -2266,7 +2271,9 @@ static int pfkey_spdadd(struct sock *sk,
hdr->sadb_msg_type != SADB_X_SPDUPDATE);
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_ADDSPD, err ? 0 : 1, xp, NULL);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ xp->selector.family, xp->selector.saddr,
+ xp->selector.daddr, 0, 0, xp->security, "SPD add");
if (err)
goto out;
@@ -2350,7 +2357,9 @@ static int pfkey_spddelete(struct sock *
return -ENOENT;
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ xp->selector.family, xp->selector.saddr,
+ xp->selector.daddr, 0, 0, xp->security, "SPD delete");
if (err)
goto out;
@@ -2611,7 +2620,10 @@ static int pfkey_spdget(struct sock *sk,
if (delete) {
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+ AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+ xp->selector.family, xp->selector.saddr,
+ xp->selector.daddr, 0, 0, xp->security,
+ "SPD delete");
if (err)
goto out;
diff -urpN linux-2.6.22/net/xfrm/xfrm_policy.c
linux-2.6.22.patch/net/xfrm/xfrm_policy.c
--- linux-2.6.22/net/xfrm/xfrm_policy.c 2007-07-23 14:35:29.0 -0500
+++ linux-2.6.22
