On Thu, 19 Sep 2019 01:50:05 +
"Li,Rongqing" wrote:
> No need knobs, auditctl can change the backlog length and wait time.
> And it is helpless to change the backlog length if auditd is hung
> forever, as a task can be hung forever due to disk/filesystem's
> abnormal, etc
>
> I am saying the
On Wed, Sep 18, 2019 at 9:50 PM Li,Rongqing wrote:
> > -Original Message-
> > From: Paul Moore [mailto:p...@paul-moore.com]
> > Sent: September 18, 2019 20:23
> > To: Li,Rongqing
> > Cc: Eric Paris ; linux-audit@redhat.com
> > Subject: Re: [PATCH][RFC] audit: set wait time to zero when audit failed
> >
> > On Tue
> -Original Message-
> From: Paul Moore [mailto:p...@paul-moore.com]
> Sent: September 18, 2019 20:23
> To: Li,Rongqing
> Cc: Eric Paris ; linux-audit@redhat.com
> Subject: Re: [PATCH][RFC] audit: set wait time to zero when audit failed
>
> On Tue, Sep 17, 2019 at 9:07 PM Li,Rongqing wrote:
> > > -Original Message
Signed-off-by: Richard Guy Briggs
---
src/auditd-event.c| 20 +++-
src/auditd-reconfig.c | 2 --
2 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/src/auditd-event.c b/src/auditd-event.c
index 1c93173fb30e..45f12fb31f01 100644
--- a/src/auditd-event.c
+++ b/src/
Add the ability to get and set the login uid and to get the session
id using an audit netlink message using message types AUDIT_GET_LOGINUID
1024, AUDIT_SET_LOGINUID 1025 and AUDIT_GET_SESSIONID 1026 in addition
to using the proc filesystem.
This switches over the audit_setloginuid(), audit_getlog
Add the ability to get and set the audit container identifier using an
audit netlink message using message types AUDIT_SET_CONTID 1023 and
AUDIT_GET_CONTID 1022 in addition to using the proc filesystem. The
message format includes the data structure:
struct audit_contid_status {
pid_t p
Since a process in a container could potentially signal the audit daemon
(reconfig, terminate, roll log, resume), that audit container identifier
information should be made available to the audit daemon to report the
full provenance of the signal. It is not possible to add it to the
existing audit
Add support to be able to set a capability to allow a task to set the
audit container identifier of descendants.
See: https://github.com/linux-audit/audit-userspace/issues/51
See: https://github.com/linux-audit/audit-kernel/issues/90
See: https://github.com/linux-audit/audit-testsuite/issues/64
Se
The CONTAINER_ID record contid field can contain comma-separated values
when accompanying a NETFILTER_PKT record. Records appeared interpreted
as such:
Wrong:
CONTAINER_ID msg=audit(2019-04-10 13:20:18.746:1690) : contid=777
666,333
Right:
CONTAINER_ID msg=audit(2019-04-10 13:20:
Add support to ausearch for searching on the containerid field in
records.
Signed-off-by: Richard Guy Briggs
---
src/aureport-options.c | 1 +
src/ausearch-llist.c | 2 +
src/ausearch-llist.h | 1 +
src/ausearch-match.c | 3 +
src/ausearch-options.c | 47 +++-
src/ausearch
This defines the message number for the audit container identifier
information record should the kernel headers not be up to date and gives
the record number a name for printing.
See: https://github.com/linux-audit/audit-userspace/issues/51
See: https://github.com/linux-audit/audit-kernel/issues/9
Signed-off-by: Richard Guy Briggs
---
auparse/auparse-defs.h | 3 ++-
auparse/interpret.c | 10 ++
auparse/normalize_record_map.h | 2 ++
auparse/typetab.h| 2 ++
bindings/python/auparse_python.c | 1 +
5 files changed, 17 insertions(+), 1 dele
Add the audit_get_containerid() call analogous to audit_getloginuid()
and audit_get_session() calls to get our own audit container identifier.
This is intended as a debug patch, not to be upstreamed.
Signed-off-by: Richard Guy Briggs
---
docs/Makefile.am | 2 +-
docs/audit_get_cont
This defines the message number for the audit container identifier
registration record should the kernel headers not be up to date, gives
the record number a name for printing and allows the record to be
interpreted since it is in the 1000 range like AUDIT_LOGIN.
See: https://github.com/linux-audi
Add support for audit kernel container identifiers to userspace tools.
The first and second add new record types. The third adds filter
support. The fourth and 5th start to add search support.
The 6th is to read the calling process' audit container identifier from
the /proc filesystem matching
A u64 container identifier has been added to the kernel view of tasks.
This allows container orchestrators to label tasks with a unique
tamperproof identifier that gets inherited by its children to be able to
track the provenance of actions by a container.
Add support to libaudit and auditctl for
Add a /proc interface to capcontid for testing purposes. This isn't
intended to be merged upstream. Container orchestrators/engines are
expected to link to libaudit to use the functions audit_set_capcontid()
and audit_get_capcontid.
Signed-off-by: Richard Guy Briggs
---
fs/proc/base.c | 55 +++
Provide a mechanism similar to CAP_AUDIT_CONTROL to explicitly give a
process in a non-init user namespace the capability to set audit
container identifiers.
Use audit netlink message types AUDIT_GET_CAPCONTID 1027 and
AUDIT_SET_CAPCONTID 1028. The message format includes the data
structure:
stru
Track the parent container of a container to be able to filter and
report nesting.
Now that we have a way to track and check the parent container of a
container, fixup other patches, or squash all nesting fixes together.
fixup! audit: add container id
fixup! audit: log drop of contid on exit of l
Set an arbitrary limit on the depth of audit container identifier
nesting to limit abuse.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c | 21 +
kernel/audit.h | 2 ++
2 files changed, 23 insertions(+)
diff --git a/kernel/audit.c b/kernel/audit.c
index 848fd1c8c579..a
Add the ability to get and set the audit container identifier using an
audit netlink message using message types AUDIT_SET_CONTID 1023 and
AUDIT_GET_CONTID 1022 in addition to using the proc filesystem. The
message format includes the data structure:
struct audit_contid_status {
pid_t pi
Add the ability to get and set the login uid and to get the session id
using an audit netlink message using message types AUDIT_GET_LOGINUID
1024, AUDIT_SET_LOGINUID 1025 and AUDIT_GET_SESSIONID 1026 in addition
to using the proc filesystem.
Signed-off-by: Richard Guy Briggs
---
include/uapi/lin
Since the task_is_descendant() function is used in YAMA and in audit,
pull the function into kernel/core/sched.c
Signed-off-by: Richard Guy Briggs
---
include/linux/sched.h| 3 +++
kernel/audit.c | 33 -
kernel/sched/core.c | 33 +++
?fixup! audit: convert to contid list to check for orch/engine ownership
Require the target task to be a descendant of the container
orchestrator/engine.
You would only change the audit container ID from one set or inherited
value to another if you were nesting containers.
If changing the contid
Add audit container identifier auxiliary record(s) to NETFILTER_PKT
event standalone records. Iterate through all potential audit container
identifiers associated with a network namespace.
Signed-off-by: Richard Guy Briggs
Acked-by: Neil Horman
Reviewed-by: Ondrej Mosnacek
---
include/linux/a
Implement audit container identifier filtering using the AUDIT_CONTID
field name to send an 8-character string representing a u64 since the
value field is only u32.
Sending it as two u32 was considered, but gathering and comparing two
fields was more complex.
The feature indicator is AUDIT_FEATUR
Audit events could happen in a network namespace outside of a task
context due to packets received from the net that trigger an auditing
rule prior to being associated with a running task. The network
namespace could be in use by multiple containers by association to the
tasks in that network name
Add audit container identifier auxiliary record to user event standalone
records.
Signed-off-by: Richard Guy Briggs
Acked-by: Neil Horman
Reviewed-by: Ondrej Mosnacek
---
kernel/audit.c | 13 ++---
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/kernel/audit.c b/kernel/au
Standalone audit records have the timestamp and serial number generated
on the fly and as such are unique, making them standalone. This new
function audit_alloc_local() generates a local audit context that will
be used only for a standalone record and its auxiliary record(s). The
context is disca
Add audit container identifier support to the action of signalling the
audit daemon.
Since this would need to add an element to the audit_sig_info struct,
a new record type AUDIT_SIGNAL_INFO2 was created with a new
audit_sig_info2 struct. Corresponding support is required in the
userspace code to
Create a new audit record AUDIT_CONTAINER_ID to document the audit
container identifier of a process if it is present.
Called from audit_log_exit(), syscalls are covered.
A sample raw event:
type=SYSCALL msg=audit(1519924845.499:257): arch=c03e syscall=257
success=yes exit=3 a0=ff9c a1=5
Since we are tracking the life of each audit container identifier, we
can match the creation event with the destruction event. Log the
destruction of the audit container identifier when the last process in
that container exits.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c | 32 ++
Set an arbitrary limit on the number of audit container identifiers to
limit abuse.
Signed-off-by: Richard Guy Briggs
---
kernel/audit.c | 8
kernel/audit.h | 4
2 files changed, 12 insertions(+)
diff --git a/kernel/audit.c b/kernel/audit.c
index 53d13d638c63..329916534dd2 100644
Add support for reading the audit container identifier from the proc
filesystem.
This is a read from the proc entry of the form
/proc/PID/audit_containerid where PID is the process ID of the task
whose audit container identifier is sought.
The read expects up to a u64 value (unset: 18446744073709
Implement kernel audit container identifier.
This patchset is a seventh based on the proposal document (V3)
posted:
https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html
The first patch was the last patch from ghak81 that was absorbed into
this patchset since its primary
Store the audit container identifier in a refcounted kernel object that
is added to the master list of audit container identifiers. This will
allow multiple container orchestrators/engines to work on the same
machine without danger of inadvertently re-using an existing identifier.
It will also all
The audit-related parameters in struct task_struct should ideally be
collected together and accessed through a standard audit API.
Collect the existing loginuid, sessionid and audit_context together in a
new struct audit_task_info called "audit" in struct task_struct.
Use kmem_cache to manage thi
Implement the proc fs write to set the audit container identifier of a
process, emitting an AUDIT_CONTAINER_OP record to document the event.
This is a write from the container orchestrator task to a proc entry of
the form /proc/PID/audit_containerid where PID is the process ID of the
newly created
Containers are a userspace concept. The kernel knows nothing of them.
The Linux audit system needs a way to be able to track the container
provenance of events and actions. Audit needs the kernel's help to do
this.
The motivations are:
- A sysadmin needs to be able to filter unwanted, irreleva
On Tue, Sep 17, 2019 at 9:07 PM Li,Rongqing wrote:
> > -Original Message-
> > From: Paul Moore [mailto:p...@paul-moore.com]
> > Sent: September 18, 2019 3:17
> > To: Li,Rongqing
> > Cc: Eric Paris ; linux-audit@redhat.com
> > Subject: Re: [PATCH][RFC] audit: set wait time to zero when audit failed
> >
> > On Mon,