Header definitions need to be external when building with -fno-common (which is
the default in GCC 10).
(.text+0x0): multiple definition of `event_node_list'; ausearch.o (symbol from
plugin):(.text+0x0): first defined here
[ 60s]
/usr/lib64/gcc/x86_64-suse-linux/9/../../../../x86_64-suse-linux/bi
nt
> touch /mnt/file
> auditctl -w /mnt/file -p wax
> umount /mnt
> auditctl -D
>
>
> Grab our own reference in audit_remove_watch_rule() earlier to make sure
> mark does not get freed under us.
>
> CC: sta...@vger.kernel.org
> Reported-by: Tony Jones
> Sig
in that when audit_enabled=0 nothing is logged
> by the audit subsystem.
>
> The bulk of this patch is moving the CONFIG_AUDIT block ahead of the
> CONFIG_AUDITSYSCALL block in include/linux/audit.h; the only real
> code change was in the audit_seccomp() definition.
>
> Reported-by:
On 11/06/2015 01:36 PM, Tony Jones wrote:
> On 10/13/2015 12:19 PM, Paul Moore wrote:
>
>> Yes, if systemd is involved it enables audit; we've had some
>> discussions with the systemd folks about fixing that, but they haven't
>> gone very far. I'm
On 10/13/2015 12:19 PM, Paul Moore wrote:
> Yes, if systemd is involved it enables audit; we've had some
> discussions with the systemd folks about fixing that, but they haven't
> gone very far. I'm still a little curious as to why
> audit_dummy_context() is false in this case, but I haven't look
On 10/13/2015 01:03 PM, Steve Grubb wrote:
>> No, it's the default audit.rules (-D, -b320). No actual rules loaded.
>> Let me add some instrumentation and figure out what's going on. auditd
>> is masked (via systemd) but systemd-journal seems to set audit_enabled=1
>> during startup (at least on
On 10/13/2015 12:19 PM, Paul Moore wrote:
>> No, it's the default audit.rules (-D, -b320). No actual rules loaded.
>> Let me add some instrumentation and figure out what's going on. auditd
>> is masked (via systemd) but systemd-journal seems to set audit_enabled=1
>> during startup (at least on
On 10/13/2015 09:11 AM, Paul Moore wrote:
> On Mon, Oct 12, 2015 at 4:45 PM, Kees Cook wrote:
>> On Mon, Oct 12, 2015 at 10:53 AM, Tony Jones wrote:
>>> From d6971ec9508244f7a1ab42f9ac4c59b7e1ca6145 Mon Sep 17 00:00:00 2001
>>> From: Tony Jones
>>> D
On 10/12/2015 08:40 AM, Paul Moore wrote:
> My apologies for the resend, I had the wrong email for Kees.
>
> On Monday, October 12, 2015 11:29:43 AM Paul Moore wrote:
>> On Friday, October 09, 2015 08:50:01 PM Tony Jones wrote:
>>> Hi.
>>>
>>> What is
Hi.
What is the expected handling of AUDIT_SECCOMP if audit_enabled == 0? Opera
browser makes use of a sandbox and if audit_enabled == 0 (and no auditd is
running) there is a lot of messages dumped to the klog. The fix to
__audit_seccomp() is trivial, similar to c2412d91c and I can send a pat
On 12/02/2014 01:27 PM, Richard Guy Briggs wrote:
> Since both ppc and ppc64 have LE variants which are now reported by uname, add
> that flag (__AUDIT_ARCH_LE) to syscall_get_arch() and add AUDIT_ARCH_PPC*LE
> variants.
>
> Without this, perf trace and auditctl fail.
>
> Mainline kernel reports
On 12/02/2014 12:29 PM, Steve Grubb wrote:
> On Tuesday, December 02, 2014 03:18:35 PM Paul Moore wrote:
>> On Monday, December 01, 2014 03:58:09 PM Tony Jones wrote:
>>> Mainline kernel reports ppc64le (per
>>> a0588015deab1844261b27a67ae6f5b910fe283
On 12/01/2014 02:09 PM, Steve Grubb wrote:
> Hi Tony,
>
> On Friday, August 29, 2014 01:16:00 PM Tony Jones wrote:
>> Add support for ppc64le.
>>
>> $ uname -a
>> Linux cabernet 3.12.26-3-default #1 SMP Mon Aug 18 15:07:30 UTC 2014
>> (d318f3a) ppc64le ppc64
Sorry, typo in the Subject:
Should have been "[PATCH] audit: add ppc64le mach support"
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Add support for ppc64le.
$ uname -a
Linux cabernet 3.12.26-3-default #1 SMP Mon Aug 18 15:07:30 UTC 2014 (d318f3a)
ppc64le ppc64le ppc64le GNU/Linux
Without this, perf trace and auditctl fail. There is no 32 bit (ppcle).
Signed-off-by: Tony Jones
---
Index: trunk/lib/libaudit.c
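The arch value that the two ppc64le messages above turn on (the __AUDIT_ARCH_LE bit that distinguishes a little-endian ppc64 kernel's arch= field from the big-endian one, and the libaudit machine-table row that has to match it exactly) can be worked through in a few lines. The block below is an added example, not code from this thread, the kernel or libaudit: the AUDIT_ARCH_* constants are composed the way <linux/audit.h> composes them from the ELF machine number and the 64-bit and little-endian flags, while the small name table, the lookup and parsing helpers, and the SYSCALL record (constructed, not a captured log line) are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Flags and machine numbers as in <linux/audit.h> and <linux/elf-em.h>. */
#define __AUDIT_ARCH_64BIT 0x80000000u
#define __AUDIT_ARCH_LE    0x40000000u
#define EM_386       3
#define EM_PPC      20
#define EM_PPC64    21
#define EM_S390     22
#define EM_ARM      40
#define EM_X86_64   62
#define EM_AARCH64 183

#define AUDIT_ARCH_I386    (EM_386     | __AUDIT_ARCH_LE)
#define AUDIT_ARCH_X86_64  (EM_X86_64  | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
#define AUDIT_ARCH_ARM     (EM_ARM     | __AUDIT_ARCH_LE)
#define AUDIT_ARCH_AARCH64 (EM_AARCH64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
#define AUDIT_ARCH_PPC     (EM_PPC)
#define AUDIT_ARCH_PPC64   (EM_PPC64   | __AUDIT_ARCH_64BIT)
#define AUDIT_ARCH_PPC64LE (EM_PPC64   | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
#define AUDIT_ARCH_S390    (EM_S390)
#define AUDIT_ARCH_S390X   (EM_S390    | __AUDIT_ARCH_64BIT)

/* This example's own name table (libaudit keeps its own, larger one).
 * The lookup is an exact match on the whole 32-bit value, so a little-endian
 * kernel reporting c0000015 matches nothing until the PPC64LE row exists;
 * that is the failure the patch above fixes. There is no 32-bit ppcle row. */
static const struct { uint32_t value; const char *name; } arch_names[] = {
    { AUDIT_ARCH_I386,    "i386"    },
    { AUDIT_ARCH_X86_64,  "x86_64"  },
    { AUDIT_ARCH_ARM,     "arm"     },
    { AUDIT_ARCH_AARCH64, "aarch64" },
    { AUDIT_ARCH_PPC,     "ppc"     },
    { AUDIT_ARCH_PPC64,   "ppc64"   },
    { AUDIT_ARCH_PPC64LE, "ppc64le" },
    { AUDIT_ARCH_S390,    "s390"    },
    { AUDIT_ARCH_S390X,   "s390x"   },
};

/* Name for an arch= value, or NULL if the table has no exact match. */
const char *audit_arch_name(uint32_t arch)
{
    for (size_t i = 0; i < sizeof arch_names / sizeof arch_names[0]; i++)
        if (arch_names[i].value == arch)
            return arch_names[i].name;
    return NULL;
}

/* The three components the flags encode, usable even for unknown values. */
int audit_arch_bits(uint32_t arch)         { return (arch & __AUDIT_ARCH_64BIT) ? 64 : 32; }
int audit_arch_is_le(uint32_t arch)        { return (arch & __AUDIT_ARCH_LE) != 0; }
uint32_t audit_arch_machine(uint32_t arch) { return arch & ~(__AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE); }

/* Pull the hex arch= field out of one SYSCALL record line.
 * Returns 0 and stores the value, or -1 if the field is absent or malformed. */
int audit_arch_from_record(const char *record, uint32_t *out)
{
    const char *p = record;
    while ((p = strstr(p, "arch=")) != NULL) {
        if (p == record || p[-1] == ' ')
            break;              /* only a whole field name, not e.g. "subarch=" */
        p += 5;
    }
    if (!p)
        return -1;
    char *end;
    unsigned long v = strtoul(p + 5, &end, 16);
    if (end == p + 5 || (*end != '\0' && *end != ' ') || v > 0xFFFFFFFFul)
        return -1;
    *out = (uint32_t)v;
    return 0;
}

/* Constructed sample record (not a captured log line). */
static const char SAMPLE_RECORD[] =
    "type=SYSCALL msg=audit(1409313000.123:42): arch=c0000015 syscall=5 "
    "success=yes exit=3 a0=1000 a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=1234";

int main(void)
{
    uint32_t arch;
    if (audit_arch_from_record(SAMPLE_RECORD, &arch) != 0) {
        fprintf(stderr, "no arch= field\n");
        return 1;
    }
    const char *name = audit_arch_name(arch);
    printf("arch=%08x -> %s (machine %u, %d-bit, %s-endian)\n", arch,
           name ? name : "unknown", audit_arch_machine(arch),
           audit_arch_bits(arch), audit_arch_is_le(arch) ? "little" : "big");
    return 0;
}
```

Dropping the PPC64LE row from the table reproduces the pre-patch behaviour: the record still decodes to "machine 21, 64-bit, little-endian" from the flag bits alone, but the exact-match lookup returns NULL, which is what left auditctl and perf trace with no usable name.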
wrote:
>>>> On 2014-05-30 15:53:49, Steve Grubb wrote:
>>>>> On Wednesday, May 28, 2014 03:33:06 PM Tony Jones wrote:
>>>>>> This patch came from our L3 department. AppArmor LSM is logging using
>>>>>> the
>>>>>> com
On 06/03/2014 07:47 AM, Steve Grubb wrote:
> Yep. So, the question is really how to fix this. Should we have a different
> function that is swung in with #ifdef WITH_APPARMOR called parse_aa_avc? Then
> it can be tuned exactly for AppArmor's needs? Later, the kernel event number
> can be changed
On 05/29/2014 01:31 AM, Tyler Hicks wrote:
> I'm surprised that this patch makes ausearch work correctly for AppArmor
> AVC events. The first thing that parse_avc() does is look for the
> "avc: " term in the AVCs that SELinux generates. AppArmor's AVCs don't
> include that string, so an.avc_result
On 05/30/2014 02:00 PM, Steve Grubb wrote:
> This is a big mistake, IMHO. In theory, this is what should have happened:
> An access decision event should have been named in the 1500 block. It would
> then be free to include the field it needs in the order it needs. The
> ausearch
> would get
old,
Canonical apparently has patches for this; if this is true perhaps they can
post for inclusion.
Based-on-work-by: William Preston
Signed-off-by: Tony Jones
--- a/src/ausearch-parse.c 2014-05-21 14:45:22.0 +0200
+++ b/src/ausearch-parse.c 2014-05-21 14:53:55.0 +0
On 12/18/2013 01:07 PM, Tony Jones wrote:
> On 12/18/2013 12:38 PM, Eric Paris wrote:
>
>> He made the change in the upstream repo, because that's what you need
>> for certification purposes. Personally, I hate it, cause I don't give a
>> hoot about that and wo
On 12/18/2013 12:38 PM, Eric Paris wrote:
> He made the change in the upstream repo, because that's what you need
> for certification purposes. Personally, I hate it, cause I don't give a
> hoot about that and would rather things be consistent, but that's the
> rationale. A certifiable audit n
On 07/30/2013 01:25 PM, Steve Grubb wrote:
> On Tuesday, July 30, 2013 10:04:46 PM Laurent Bigonville wrote:
>> Hi,
>>
>> I would like to know the rationale behind RefuseManualStop=yes in
>> auditd.service file.
>
> The short term "fix" is to force admins to use the service command which
> loads
ed message from Andreas Jaeger -
Date: Wed, 27 Apr 2011 08:43:00 +0200
From: Andreas Jaeger
To: linux-audit@redhat.com
Cc: Tony Jones
Subject: Fwd: Patch for using /proc/oom_score_adj with newer kernels
User-Agent: KMail/1.13.7 (Linux/2.6.37.6-0.0.30.67cfac5-desktop; KDE/4.6.2;
x86_64; ;
On Wed, Apr 27, 2011 at 03:12:23PM +0200, Jiri Kosina wrote:
> I don't see the patch in linux-next as of today. As it has been acked by
> subsystem maintainer, I have picked it up into my tree ("retransmission
> mode").
>
> If anyone has any objections, please let me know. Thanks.
I spoke to Er
tsk->cred rather than tsk->real_cred.
2. Since tsk is current (or tsk is being created by copy_process) access to
tsk->cred without rcu read lock is possible. At the request of the audit
maintainer, a new flag has been added to audit_filter_rules in order to make
this explicit and guide
tsk->cred rather than tsk->real_cred. Also, since
tsk is current (or tsk is being created by copy_process) direct access to
tsk->cred is possible.
Signed-off-by: Tony Jones
---
kernel/auditsc.c | 18 ++
1 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/
On Tue, Mar 08, 2011 at 06:02:53PM +, David Howells wrote:
> Tony Jones wrote:
>
> > Commit c69e8d9c01db added calls to get_task_cred and put_cred in
> > audit_filter_rules. Profiling with a large number of audit rules active on
> > the exit chain shows that we are s
can create an alternate patch doing this if required.
Signed-off-by: Tony Jones
---
kernel/auditsc.c | 24 +---
1 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index f49a031..4a930a1 100644
--- a/kernel/auditsc.c
+++ b
On Tue, May 05, 2009 at 03:50:01PM -0400, Paul Moore wrote:
> No problem. As far as I'm aware the discussion never went beyond this thread
> as I was unable to recreate the problem with the (then) current kernels but
> it
> may not be a bad idea to get the arch folks and perhaps lkml involved
On Tue, May 05, 2009 at 03:20:52PM -0400, Paul Moore wrote:
> On Tuesday 05 May 2009 03:07:36 pm Tony Jones wrote:
> > On Tue, May 05, 2009 at 02:22:04PM -0400, Paul Moore wrote:
> > > I believe Matt Anderson (CC'd) reported the bug you are referring to and
> > > t
On Tue, May 05, 2009 at 02:22:04PM -0400, Paul Moore wrote:
> I believe Matt Anderson (CC'd) reported the bug you are referring to and the
> workaround I posted seemed to fix the issue for him. I've stopped looking
I'll check it out, I see the commit: 6d208da89aabee8502debe842832ca0ab298d16d
T
On Tue, Apr 07, 2009 at 11:44:09PM -0300, Klaus Heinrich Kiwi wrote:
> On Tue, 2009-04-07 at 11:34 -0400, Paul Moore wrote:
> > Does anyone have any thoughts?
>
> I remember debugging an issue with the incorrect return value being
> audited for a syscall. It was s390[x] specific and only occurred
On Tue, Apr 07, 2009 at 11:34:35AM -0400, Paul Moore wrote:
> While doing some testing on Fedora 10 using the 2.6.27.5-117.fc10.x86_64
> kernel I stumbled across a rather odd problem: somewhere between the end of
> sys_sendto() and audit_syscall_exit() the syscall's return value was changing
> r
This was filed as a bug in our bugzilla.
works : cat /var/log/audit/audit.log | ausearch -i -if /dev/stdin | cat
doesn't: tail -f /var/log/audit/audit.log | ausearch -i -if /dev/stdin | cat
Obviously it's a contrived example, they have more interesting processes each
side of the filter. Issue is
On Sat, Sep 13, 2008 at 02:32:54PM -0400, Steve Grubb wrote:
> On Thursday 11 September 2008 19:39:27 Steve Grubb wrote:
> > I've just released a new version of the audit daemon.
>
> There will be a 1.7.7 release early next week. It will include the GSSAPI
> patch sent yesterday and a fix to a tc
On Mon, May 12, 2008 at 11:19:46AM -0400, Steve Grubb wrote:
> > Strings should be either always hex encoded, or always escaped
> > (preferably the latter).
>
> The issue that always dominates any thinking about the audit system is how to
> save diskspace. So, whenever a string has no naughty cha
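The space-saving rule described above (a string is written as-is when it contains nothing "naughty", and hex-encoded otherwise) is what the kernel's audit_log_untrustedstring() does, and it is the reason every consumer of audit.log has to accept both forms of a field. The block below is an added example, not code from this thread, the kernel or audit-userspace: it models the encoder with the kernel's criterion (any byte outside printable ASCII 0x21..0x7e, or a double quote, forces hex encoding of the whole value) and pairs it with the decoder a log parser needs. The sample values are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* 1 if the kernel would hex-encode this value rather than quote it: a double
 * quote, a control/space byte (< 0x21) or a non-ASCII/DEL byte (> 0x7e). */
int audit_needs_hex(const unsigned char *s, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (s[i] == '"' || s[i] < 0x21 || s[i] > 0x7e)
            return 1;
    return 0;
}

/* Write the field value as it would appear in audit.log: "quoted" when clean,
 * otherwise uppercase hex of every byte with no quotes. Returns out, or NULL
 * if outsz is too small (needs len+3 for quoted, 2*len+1 for hex). */
char *audit_encode_field(const unsigned char *s, size_t len, char *out, size_t outsz)
{
    if (!audit_needs_hex(s, len)) {
        if (outsz < len + 3)
            return NULL;
        out[0] = '"';
        memcpy(out + 1, s, len);
        out[len + 1] = '"';
        out[len + 2] = '\0';
        return out;
    }
    if (outsz < 2 * len + 1)
        return NULL;
    for (size_t i = 0; i < len; i++)
        sprintf(out + 2 * i, "%02X", s[i]);   /* also writes the final NUL */
    return out;
}

/* Decode one field value back to raw bytes, accepting either form.
 * Returns the byte count, or -1 if the value is neither quoted nor valid hex
 * (odd length, non-hex digit) or does not fit in out. The result is NOT
 * NUL-terminated: a decoded path may legitimately contain any byte. */
long audit_decode_field(const char *field, unsigned char *out, size_t outsz)
{
    size_t n = strlen(field);
    if (n >= 2 && field[0] == '"' && field[n - 1] == '"') {
        if (n - 2 > outsz)
            return -1;
        memcpy(out, field + 1, n - 2);
        return (long)(n - 2);
    }
    if (n == 0 || n % 2 != 0 || n / 2 > outsz)
        return -1;
    for (size_t i = 0; i < n; i += 2) {
        if (!isxdigit((unsigned char)field[i]) || !isxdigit((unsigned char)field[i + 1]))
            return -1;
        char pair[3] = { field[i], field[i + 1], '\0' };
        out[i / 2] = (unsigned char)strtoul(pair, NULL, 16);
    }
    return (long)(n / 2);
}

/* Constructed sample values (not taken from a real log). */
static const char *const SAMPLES[] = {
    "/etc/passwd",            /* clean: stays readable and grep-able */
    "/tmp/evil name",         /* one space forces hex for the whole path */
    "/home/user/caf\xc3\xa9", /* non-ASCII bytes force hex too */
};

int main(void)
{
    char enc[128];
    unsigned char dec[64];
    for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++) {
        size_t len = strlen(SAMPLES[i]);
        audit_encode_field((const unsigned char *)SAMPLES[i], len, enc, sizeof enc);
        long n = audit_decode_field(enc, dec, sizeof dec);
        printf("name=%s  -> %ld bytes, round-trip %s\n", enc, n,
               (n == (long)len && memcmp(dec, SAMPLES[i], len) == 0) ? "ok" : "MISMATCH");
    }
    return 0;
}
```

The practical consequence for detection: a grep for a literal path in a name= field misses any path containing a space, a double quote or a non-ASCII byte, because those values are written entirely in hex. Decode first (ausearch -i does this) or match on the hex form as well.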
Scott Ehrlich wrote:
> Hello to all:
> I have Snare Agent and audit 1.5.2 running on a CentOS 5.0 box and a RHEL
> 5.0 server. I ideally would like audit logs to be sent to both the
> system's local audit.log file and to a log server. I reviewed the
> /etc/audit/auditd.conf file and tried to play
On Thu, Nov 01, 2007 at 10:33:52AM -0400, Steve Grubb wrote:
> On Monday 29 October 2007 07:15:30 pm Tony Jones wrote:
> > On Mon, Oct 29, 2007 at 06:04:31PM -0400, Steve Grubb wrote:
> > > So when audit is re-enabled, how do you make that task auditable?
> >
>
On Mon, Oct 29, 2007 at 06:04:31PM -0400, Steve Grubb wrote:
> If the child does not have the TIF_SYSCALL_AUDIT flag, it never goes into
> audit_syscall_entry. It becomes unauditable.
True but a task where current->audit_context == NULL is going to immediately
BUG out in audit_syscall_entry. Thi
On Sat, Oct 27, 2007 at 10:21:39AM -0400, Steve Grubb wrote:
> On Friday 26 October 2007 04:42:28 pm Tony Jones wrote:
> > Thread flag TIF_SYSCALL_AUDIT is not cleared for new children when audit
> > context creation has been disabled (auditctl -e0). This can cause new
> > c
From: Tony Jones <[EMAIL PROTECTED]>
Minor performance enhancement.
Thread flag TIF_SYSCALL_AUDIT is not cleared for new children when audit
context creation has been disabled (auditctl -e0). This can cause new children
forked from a parent created when audit was enabled to not ta
Removing a watched file will oops if audit is disabled (auditctl -e 0).
To reproduce:
- auditctl -e 1
- touch /tmp/foo
- auditctl -w /tmp/foo
- auditctl -e 0
- rm /tmp/foo (or mv)
Signed-off-by: Tony Jones <[EMAIL PROTECTED]>
---
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
On Wed, May 30, 2007 at 09:01:37PM -0600, Michael Folsom wrote:
> Tony:
>
> Here's the guts of the first message in the original thread and the
> replies I got
>
> Essentially what I'm not seeing in the audit.log file is the USER_END
> statement after a ssh session is terminated. For my
On Tue, May 29, 2007 at 04:03:50PM -0600, Michael Folsom wrote:
> Checked and SLES10/SLED10 SP1 rc2 and rc3 are both running openssh 4.2p1-18.
>
> Looks like monitoring logouts won't happen in Suse Enterprise land
> till SSH get reved to a newer version!
We added patches to generate the appropria
Is there a list of which userspace packages have been modified in Fedora to
add calls to the audit system? I thought I had them all but I didn't :-)
Thanks!
Tony
On Thu, Feb 15, 2007 at 10:44:29AM -0500, [EMAIL PROTECTED] wrote:
> On Wed, 14 Feb 2007 16:06:08 PST, Tony Jones said:
> > It would be nice if there could be some form of source code control for
> > the changes that occur between revisions of the userspace tools.
> >
I brought this up on #audit but the conversation didn't go anywhere.
It would be nice if there could be some form of source code control for
the changes that occur between revisions of the userspace tools.
Is development internally to RedHat done using any form of source code
control? Or is the
On Wed, Nov 29, 2006 at 04:04:41AM +0100, Adrian Bunk wrote:
> > I recall the opinion at the time was that it was considered useful to allow
>
> "it was considered" = "you were the one person who said this"
Actually I believe Steve Grubb also said it so the above is factually
incorrect :)
> > t
On Tue, Nov 28, 2006 at 07:27:02PM +, David Woodhouse wrote:
> On Tue, 2006-11-28 at 11:18 -0800, Tony Jones wrote:
> > I recall the opinion at the time was that it was considered useful to allow
> > third party modules to generate audit messages. Has anything changed?
>
On Tue, Nov 28, 2006 at 02:28:48AM +0100, Adrian Bunk wrote:
> This patch removes the following unused EXPORT_SYMBOL's:
> - audit_log_start
> - audit_log_end
> - audit_log_format
> - audit_log
>
> Signed-off-by: Adrian Bunk <[EMAIL PROTECTED]>
>
> ---
>
> This patch was already sent on:
> - 20 A
On Fri, Apr 21, 2006 at 08:13:52PM -0400, Steve Grubb wrote:
> On Friday 21 April 2006 17:21, Amy Griffis wrote:
> > linux-audit (cc'd) will likely want to review these changes.
>
> Yes, I second that. Tony, please cc audit patches to linux-audit mail list so
> we can see them. That said, I did t
On Fri, Apr 21, 2006 at 11:27:55AM +0200, Adrian Bunk wrote:
> > > -EXPORT_SYMBOL(audit_log_start);
> > > -EXPORT_SYMBOL(audit_log_end);
> > > -EXPORT_SYMBOL(audit_log_format);
> > > -EXPORT_SYMBOL(audit_log);
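Review bot: removing these four EXPORT_SYMBOL lines takes audit_log_start, audit_log_end, audit_log_format and audit_log out of the module-visible API, but the description only says the exports are unused; it should state that out-of-tree and any future modular callers will no longer be able to link against them (a module built later against this kernel fails at load time with an unresolved symbol), and confirm that no in-tree code that can be built as a module calls them.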
> >
> > It would seem useful to allow out of tree modules (even if they never have
> > a
On Thu, Apr 20, 2006 at 11:05:21PM +0200, Adrian Bunk wrote:
> This patch removes the following unused EXPORT_SYMBOL's:
> - audit_log_start
> - audit_log_end
> - audit_log_format
> - audit_log
>
> Signed-off-by: Adrian Bunk <[EMAIL PROTECTED]>
>
> --- linux-2.6.17-rc1-mm3-full/kernel/audit.c.old
54 matches