1. 01 Feb, 2008 4 commits
  2. 29 Jan, 2008 1 commit
  3. 21 Oct, 2007 2 commits
    • Al Viro's avatar
      [PATCH] audit: watching subtrees · 74c3cbe3
      Al Viro authored
      
      
      New kind of audit rule predicates: "object is visible in given subtree".
      The part that can be sanely implemented, that is.  Limitations:
      	* if you have hardlink from outside of tree, you'd better watch
      it too (or just watch the object itself, obviously)
      	* if you mount something under a watched tree, tell audit
      that new chunk should be added to watched subtrees
      	* if you umount something in a watched tree and it's still mounted
      elsewhere, you will get matches on events happening there.  New command
      tells audit to recalculate the trees, trimming such sources of false
      positives.
      
      Note that it's _not_ about path - if something mounted in several places
      (multiple mount, bindings, different namespaces, etc.), the match does
      _not_ depend on which one we are using for access.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      74c3cbe3
    • Al Viro's avatar
      [PATCH] pass dentry to audit_inode()/audit_inode_child() · 5a190ae6
      Al Viro authored
      
      
      makes caller simpler *and* allows to scan ancestors
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      5a190ae6
  4. 10 Oct, 2007 1 commit
    • Joy Latten's avatar
      [XFRM]: xfrm audit calls · ab5f5e8b
      Joy Latten authored
      
      
      This patch modifies the current ipsec audit layer
      by breaking it up into purpose driven audit calls.
      
      So far, the only audit calls made are when add/delete
      an SA/policy. It had been discussed to give each
      key manager it's own calls to do this, but I found
      there to be much redundnacy since they did the exact
      same things, except for how they got auid and sid, so I
      combined them. The below audit calls can be made by any
      key manager. Hopefully, this is ok.
      Signed-off-by: default avatarJoy Latten <latten@austin.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ab5f5e8b
  5. 24 Aug, 2007 1 commit
  6. 22 Jul, 2007 2 commits
  7. 16 Jul, 2007 1 commit
    • Miloslav Trmac's avatar
      Audit: add TTY input auditing · 522ed776
      Miloslav Trmac authored
      Add TTY input auditing, used to audit system administrator's actions.  This is
      required by various security standards such as DCID 6/3 and PCI to provide
      non-repudiation of administrator's actions and to allow a review of past
      actions if the administrator seems to overstep their duties or if the system
      becomes misconfigured for unknown reasons.  These requirements do not make it
      necessary to audit TTY output as well.
      
      Compared to an user-space keylogger, this approach records TTY input using the
      audit subsystem, correlated with other audit events, and it is completely
      transparent to the user-space application (e.g.  the console ioctls still
      work).
      
      TTY input auditing works on a higher level than auditing all system calls
      within the session, which would produce an overwhelming amount of mostly
      useless audit events.
      
      Add an "audit_tty" attribute, inherited across fork ().  Data read from TTYs
      by process with the attribute is sent to the audit subsystem by the kernel.
      The audit netlink interface is extended to allow modifying the audit_tty
      attribute, and to allow sending explanatory audit events from user-space (for
      example, a shell might send an event containing the final command, after the
      interactive command-line editing and history expansion is performed, which
      might be difficult to decipher from the TTY input alone).
      
      Because the "audit_tty" attribute is inherited across fork (), it would be set
      e.g.  for sshd restarted within an audited session.  To prevent this, the
      audit_tty attribute is cleared when a process with no open TTY file
      descriptors (e.g.  after daemon startup) opens a TTY.
      
      See https://www.redhat.com/archives/linux-audit/2007-June/msg00000.html
      
       for a
      more detailed rationale document for an older version of this patch.
      
      [akpm@linux-foundation.org: build fix]
      Signed-off-by: default avatarMiloslav Trmac <mitr@redhat.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
      Cc: Paul Fulghum <paulkf@microgate.com>
      Cc: Casey Schaufler <casey@schaufler-ca.com>
      Cc: Steve Grubb <sgrubb@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      522ed776
  8. 11 May, 2007 5 commits
  9. 06 Mar, 2007 1 commit
  10. 18 Feb, 2007 1 commit
    • Al Viro's avatar
      [PATCH] AUDIT_FD_PAIR · db349509
      Al Viro authored
      
      
      Provide an audit record of the descriptor pair returned by pipe() and
      socketpair().  Rewritten from the original posted to linux-audit by
      John D. Ramsdell <ramsdell@mitre.org>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      db349509
  11. 07 Dec, 2006 1 commit
  12. 04 Oct, 2006 1 commit
  13. 30 Sep, 2006 1 commit
  14. 29 Sep, 2006 1 commit
  15. 11 Sep, 2006 2 commits
  16. 03 Aug, 2006 5 commits
  17. 01 Jul, 2006 3 commits
    • Al Viro's avatar
      [PATCH] audit syscall classes · b915543b
      Al Viro authored
      
      
      Allow to tie upper bits of syscall bitmap in audit rules to kernel-defined
      sets of syscalls.  Infrastructure, a couple of classes (with 32bit counterparts
      for biarch targets) and actual tie-in on i386, amd64 and ia64.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      b915543b
    • Darrel Goeddel's avatar
      [PATCH] audit: rename AUDIT_SE_* constants · 3a6b9f85
      Darrel Goeddel authored
      
      
      This patch renames some audit constant definitions and adds
      additional definitions used by the following patch.  The renaming
      avoids ambiguity with respect to the new definitions.
      Signed-off-by: default avatarDarrel Goeddel <dgoeddel@trustedcs.com>
      
       include/linux/audit.h          |   15 ++++++++----
       kernel/auditfilter.c           |   50 ++++++++++++++++++++---------------------
       kernel/auditsc.c               |   10 ++++----
       security/selinux/ss/services.c |   32 +++++++++++++-------------
       4 files changed, 56 insertions(+), 51 deletions(-)
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      3a6b9f85
    • Amy Griffis's avatar
      [PATCH] add rule filterkey · 5adc8a6a
      Amy Griffis authored
      
      
      Add support for a rule key, which can be used to tie audit records to audit
      rules.  This is useful when a watched file is accessed through a link or
      symlink, as well as for general audit log analysis.
      
      Because this patch uses a string key instead of an integer key, there is a bit
      of extra overhead to do the kstrdup() when a rule fires.  However, we're also
      allocating memory for the audit record buffer, so it's probably not that
      significant.  I went ahead with a string key because it seems more
      user-friendly.
      
      Note that the user must ensure that filterkeys are unique.  The kernel only
      checks for duplicate rules.
      Signed-off-by: default avatarAmy Griffis <amy.griffis@hpd.com>
      5adc8a6a
  18. 20 Jun, 2006 7 commits
    • Amy Griffis's avatar
      [PATCH] log more info for directory entry change events · 9c937dcc
      Amy Griffis authored
      
      
      When an audit event involves changes to a directory entry, include
      a PATH record for the directory itself.  A few other notable changes:
      
          - fixed audit_inode_child() hooks in fsnotify_move()
          - removed unused flags arg from audit_inode()
          - added audit log routines for logging a portion of a string
      
      Here's some sample output.
      
      before patch:
      type=SYSCALL msg=audit(1149821605.320:26): arch=40000003 syscall=39 success=yes exit=0 a0=bf8d3c7c a1=1ff a2=804e1b8 a3=bf8d3c7c items=1 ppid=739 pid=800 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 comm="mkdir" exe="/bin/mkdir" subj=root:system_r:unconfined_t:s0-s0:c0.c255
      type=CWD msg=audit(1149821605.320:26):  cwd="/root"
      type=PATH msg=audit(1149821605.320:26): item=0 name="foo" parent=164068 inode=164010 dev=03:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0
      
      after patch:
      type=SYSCALL msg=audit(1149822032.332:24): arch=40000003 syscall=39 success=yes exit=0 a0=bfdd9c7c a1=1ff a2=804e1b8 a3=bfdd9c7c items=2 ppid=714 pid=777 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 comm="mkdir" exe="/bin/mkdir" subj=root:system_r:unconfined_t:s0-s0:c0.c255
      type=CWD msg=audit(1149822032.332:24):  cwd="/root"
      type=PATH msg=audit(1149822032.332:24): item=0 name="/root" inode=164068 dev=03:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_dir_t:s0
      type=PATH msg=audit(1149822032.332:24): item=1 name="foo" inode=164010 dev=03:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_t:s0
      Signed-off-by: default avatarAmy Griffis <amy.griffis@hp.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      9c937dcc
    • Amy Griffis's avatar
      [PATCH] audit: path-based rules · f368c07d
      Amy Griffis authored
      In this implementation, audit registers inotify watches on the parent
      directories of paths specified in audit rules.  When audit's inotify
      event handler is called, it updates any affected rules based on the
      filesystem event.  If the parent directory is renamed, removed, or its
      filesystem is unmounted, audit removes all rules referencing that
      inotify watch.
      
      To keep things simple, this implementation limits location-based
      auditing to the directory entries in an existing directory.  Given
      a path-based rule for /foo/bar/passwd, the following table applies:
      
          passwd modified -- audit event logged
          passwd replaced -- audit event logged, rules list updated
          bar renamed     -- rule removed
          foo renamed     -- untracked, meaning that the rule now applies to
      		       the new location
      
      Audit users typically want to have many rules referencing filesystem
      objects, which can significantly impact filtering performance.  This
      patch also adds an inode-number-based rule hash to mitigate this
      situation.
      
      The patch is relative to the audit git tree:
      http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
      and uses the inotify kernel API:
      http://lkml.org/lkml/2006/6/1/145
      
      Signed-off-by: default avatarAmy Griffis <amy.griffis@hp.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      f368c07d
    • George C. Wilson's avatar
      [PATCH] Audit of POSIX Message Queue Syscalls v.2 · 20ca73bc
      George C. Wilson authored
      This patch adds audit support to POSIX message queues.  It applies cleanly to
      the lspp.b15 branch of Al Viro's git tree.  There are new auxiliary data
      structures, and collection and emission routines in kernel/auditsc.c.  New hooks
      in ipc/mqueue.c collect arguments from the syscalls.
      
      I tested the patch by building the examples from the POSIX MQ library tarball.
      Build them -lrt, not against the old MQ library in the tarball.  Here's the URL:
      http://www.geocities.com/wronski12/posix_ipc/libmqueue-4.41.tar.gz
      
      
      Do auditctl -a exit,always -S for mq_open, mq_timedsend, mq_timedreceive,
      mq_notify, mq_getsetattr.  mq_unlink has no new hooks.  Please see the
      corresponding userspace patch to get correct output from auditd for the new
      record types.
      
      [fixes folded]
      Signed-off-by: default avatarGeorge Wilson <ltcgcw@us.ibm.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      20ca73bc
    • Al Viro's avatar
      [PATCH] inline more audit helpers · d8945bb5
      Al Viro authored
      
      
      pull checks for ->audit_context into inlined wrappers
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      d8945bb5
    • Linda Knippers's avatar
      [PATCH] update of IPC audit record cleanup · ac03221a
      Linda Knippers authored
      The following patch addresses most of the issues with the IPC_SET_PERM
      records as described in:
      https://www.redhat.com/archives/linux-audit/2006-May/msg00010.html
      
      
      and addresses the comments I received on the record field names.
      
      To summarize, I made the following changes:
      
      1. Changed sys_msgctl() and semctl_down() so that an IPC_SET_PERM
         record is emitted in the failure case as well as the success case.
         This matches the behavior in sys_shmctl().  I could simplify the
         code in sys_msgctl() and semctl_down() slightly but it would mean
         that in some error cases we could get an IPC_SET_PERM record
         without an IPC record and that seemed odd.
      
      2. No change to the IPC record type, given no feedback on the backward
         compatibility question.
      
      3. Removed the qbytes field from the IPC record.  It wasn't being
         set and when audit_ipc_obj() is called from ipcperms(), the
         information isn't available.  If we want the information in the IPC
         record, more extensive changes will be necessary.  Since it only
         applies to message queues and it isn't really permission related, it
         doesn't seem worth it.
      
      4. Removed the obj field from the IPC_SET_PERM record.  This means that
         the kern_ipc_perm argument is no longer needed.
      
      5. Removed the spaces and renamed the IPC_SET_PERM field names.  Replaced iuid and
         igid fields with ouid and ogid in the IPC record.
      
      I tested this with the lspp.22 kernel on an x86_64 box.  I believe it
      applies cleanly on the latest kernel.
      
      -- ljk
      Signed-off-by: default avatarLinda Knippers <linda.knippers@hp.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      ac03221a
    • Al Viro's avatar
      [PATCH] add filtering by ppid · 3c66251e
      Al Viro authored
      
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      3c66251e
    • Al Viro's avatar
      e1396065