List: linux-audit
Subject: Getting the program name in audit messages
From: Steve Grubb <sgrubb () redhat ! com>
Date: 2005-03-31 21:30:43
Message-ID: 200503311630.43602.sgrubb () redhat ! com
Hello,
This topic has already been discussed on the SE Linux mail list. Because the
attached patch affects the audit code, I want to put it out here for
discussion as well. I started with a patch to put the program name into avc
messages and Stephen Smalley changed the patch to put the processing in
audit_log_exit.
There is a minor problem in the SE Linux avc messages that makes it hard to
interpret what has failed. For example, if you have a shell script that tries
to read a file that's in a different context, you get a message with
exe=/bin/sh. This causes trouble tracking down the rogue script.
The attached patch against 2.6.11 changes the output of an AVC denial message
so that it looks like this:
type=KERNEL msg=audit(1112293183.500:1591315): item=0 name=/usr/X11R6/bin/id
inode=573518 dev=03:02 mode=040755 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1112293183.500:1591315): syscall=195 exit=-13 a0=9ef71e8
a1=bfe1e850 a2=b6cff4 a3=9ef71e8 items=1 pid=3583 loginuid=525 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=named exe=/bin/bash
type=KERNEL msg=audit(1112293183.500:1591315): avc: denied { search } for
name=bin dev=hda2 ino=573518 scontext=root:system_r:named_t
tcontext=system_u:object_r:bin_t tclass=dir
To get this, I deleted named and replaced it with a shell script that tries
to cat /etc/shadow. As you can see, it now says comm=named. You also get
the syscall information, which could help policy writers correct problems
with less guessing. All around, it's a plus for SE Linux.
How does this affect auditing? The audit record now has 2 new fields.
I put the following rules into the audit system:
-a entry,always -S execve
-a entry,always -S open
And within seconds got this:
type=KERNEL msg=audit(1112294058.648:2278762): syscall=5 exit=-2 a0=961f198
a1=18800 a2=2086b9 a3=18800 items=1 pid=3336 loginuid=525 uid=525 gid=525
euid=525 suid=525 fsuid=525 egid=525 sgid=525 fsgid=525 comm=gam_server
exe=/usr/libexec/gam_server
type=KERNEL msg=audit(1112294059.206:2279059): item=0 name=/dev/hdd inode=1357
dev=00:0d mode=060600 uid=525 gid=6 rdev=16:40
type=KERNEL msg=audit(1112294059.206:2279059): syscall=5 exit=4 a0=890b2f0
a1=8880 a2=0 a3=8880 items=1 pid=2744 loginuid=-1 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 comm=hald exe=/usr/sbin/hald
You now see what the exe's path is and what the program calls itself. This can
help interpret the audit messages since now you know that pid 2744 was the
hal daemon. So, I think this will be a big plus for auditing, too.
What do you guys think?
-Steve Grubb
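As an added example (not part of Steve's mail, the patch, or the audit project), here is a small Python correlator that joins the records shown above by their audit serial, so each AVC denial can be reported with the pid=, comm= and exe= of the syscall record it belongs to, and that flags the comm/exe disagreement the mail uses to catch the replaced named binary. The record lines are the ones from the mail, re-joined onto one line each; the regexes, the function names and the record "kind" labels are my own choices, and the 15-character limit on comm= follows from the kernel's TASK_COMM_LEN of 16.

```python
import re
from collections import defaultdict

# Audit records copied from the mail above, re-joined onto one line each (the
# mail client wrapped them). After the msg=audit(...) prefix every field is a
# space-separated key=value pair; the avc record prefixes its fields with the
# "avc: denied { perms } for" phrase.
SAMPLE_RECORDS = [
    "type=KERNEL msg=audit(1112293183.500:1591315): item=0 name=/usr/X11R6/bin/id "
    "inode=573518 dev=03:02 mode=040755 uid=0 gid=0 rdev=00:00",
    "type=KERNEL msg=audit(1112293183.500:1591315): syscall=195 exit=-13 a0=9ef71e8 "
    "a1=bfe1e850 a2=b6cff4 a3=9ef71e8 items=1 pid=3583 loginuid=525 uid=0 gid=0 "
    "euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=named exe=/bin/bash",
    "type=KERNEL msg=audit(1112293183.500:1591315): avc: denied { search } for "
    "name=bin dev=hda2 ino=573518 scontext=root:system_r:named_t "
    "tcontext=system_u:object_r:bin_t tclass=dir",
    "type=KERNEL msg=audit(1112294059.206:2279059): item=0 name=/dev/hdd inode=1357 "
    "dev=00:0d mode=060600 uid=525 gid=6 rdev=16:40",
    "type=KERNEL msg=audit(1112294059.206:2279059): syscall=5 exit=4 a0=890b2f0 "
    "a1=8880 a2=0 a3=8880 items=1 pid=2744 loginuid=-1 uid=0 gid=0 euid=0 suid=0 "
    "fsuid=0 egid=0 sgid=0 fsgid=0 comm=hald exe=/usr/sbin/hald",
]

COMM_MAX = 15  # TASK_COMM_LEN is 16: comm= holds at most 15 chars of the name

MSG_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
AVC_RE = re.compile(r"^avc: (denied|granted) \{ ([^}]*) \} for (.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Split one audit line into type, timestamp, serial, kind and key=value
    fields; returns None for a line that is not an audit record."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    rec = {"type": rtype, "timestamp": ts, "serial": int(serial)}
    avc = AVC_RE.match(body)
    if avc:  # avc record: pull out the result and the permission list first
        rec["kind"], rec["result"] = "avc", avc.group(1)
        rec["perms"], body = avc.group(2).split(), avc.group(3)
    elif body.startswith("syscall="):
        rec["kind"] = "syscall"
    elif body.startswith("item="):
        rec["kind"] = "path"
    else:
        rec["kind"] = "other"
    rec["fields"] = dict(KV_RE.findall(body))
    return rec


def correlate(lines):
    """Group records by serial: the kernel stamps every record of one syscall
    with the same serial, which is the only link from an avc record (no pid of
    its own after the patch) to the syscall record carrying pid=/comm=/exe=."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec["serial"]].append(rec)
    return events


def denials_with_program(lines):
    """One summary per AVC denial, with the subject program taken from the
    syscall record sharing its serial (those fields are None if there is none)."""
    summaries = []
    for serial, recs in sorted(correlate(lines).items()):
        sys_rec = next((r for r in recs if r["kind"] == "syscall"), None)
        sf = sys_rec["fields"] if sys_rec else {}
        for rec in recs:
            if rec["kind"] != "avc" or rec["result"] != "denied":
                continue
            summaries.append({
                "serial": serial, "perms": rec["perms"],
                "tclass": rec["fields"].get("tclass"),
                "scontext": rec["fields"].get("scontext"),
                "tcontext": rec["fields"].get("tcontext"),
                "syscall": sf.get("syscall"), "exit": sf.get("exit"),
                "pid": sf.get("pid"), "comm": sf.get("comm"), "exe": sf.get("exe"),
            })
    return summaries


def program_mismatches(lines):
    """serial -> (comm, exe, mismatch) for each syscall record. A mismatch is
    the mail's script-behind-a-binary case (comm=named, exe=/bin/bash): comm is
    chosen by the process itself, so exe= is the value to trust."""
    result = {}
    for serial, recs in correlate(lines).items():
        for rec in (r for r in recs if r["kind"] == "syscall"):
            comm, exe = rec["fields"].get("comm"), rec["fields"].get("exe")
            if comm is None or exe is None:
                continue
            expected = exe.rsplit("/", 1)[-1][:COMM_MAX]
            result[serial] = (comm, exe, comm != expected)
    return result


if __name__ == "__main__":
    for d in denials_with_program(SAMPLE_RECORDS):
        print("serial %(serial)d: denied %(perms)s on %(tclass)s by pid=%(pid)s "
              "comm=%(comm)s exe=%(exe)s (syscall %(syscall)s exit %(exit)s)" % d)
```

Run stand-alone it reports the single denial in the sample as coming from pid 3583, comm=named, exe=/bin/bash. Two things worth keeping in mind when using the new fields: after this patch the avc record carries no pid of its own, so the serial join is the only way to attribute a denial, and comm= is whatever the task calls itself while exe= reflects the file actually mapped as the executable, which is why the mismatch check is the useful signal.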
["linux-2.6.11-audit-avc.patch" (text/x-diff)]
Note btw that with my changes to your original patch, you no longer need
to add a function prototype for audit_log_task_info to audit.h and you
can make it a static function, since it is only used internally within
auditsc.c at that point. Full updated patch below against 2.6.11 (not
relative to your original one). Retains the on-stack buffer since it
isn't large and the use of get_task_comm since it is consistent with
other code, although I'm not convinced it is necessary for accessing the
current->comm.
Index: linux-2.6/kernel/auditsc.c
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/kernel/auditsc.c,v
retrieving revision 1.3
diff -u -p -r1.3 auditsc.c
--- linux-2.6/kernel/auditsc.c 2 Mar 2005 14:40:50 -0000 1.3
+++ linux-2.6/kernel/auditsc.c 31 Mar 2005 13:36:30 -0000
@@ -577,6 +577,33 @@ static inline void audit_free_context(st
printk(KERN_ERR "audit: freed %d contexts\n", count);
}
+static void audit_log_task_info(struct audit_buffer *ab)
+{
+ char name[sizeof(current->comm)];
+ struct mm_struct *mm = current->mm;
+ struct vm_area_struct *vma;
+
+ get_task_comm(name, current);
+ audit_log_format(ab, " comm=%s", name);
+
+ if (!mm)
+ return;
+
+ down_read(&mm->mmap_sem);
+ vma = mm->mmap;
+ while (vma) {
+ if ((vma->vm_flags & VM_EXECUTABLE) &&
+ vma->vm_file) {
+ audit_log_d_path(ab, "exe=",
+ vma->vm_file->f_dentry,
+ vma->vm_file->f_vfsmnt);
+ break;
+ }
+ vma = vma->vm_next;
+ }
+ up_read(&mm->mmap_sem);
+}
+
static void audit_log_exit(struct audit_context *context)
{
int i;
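Review bot: audit_log_task_info takes mm->mmap_sem with an unconditional `down_read(&mm->mmap_sem);`, whereas the avc.c code this replaces used down_read_trylock and fell back to logging only comm=; if any audit_log_exit caller already holds current's mmap_sem, the nested read can block behind a queued writer, so either keep the trylock fallback or add a comment stating why every audit_log_exit path runs with mmap_sem unheld. A one-line comment that the `if (!mm) return;` early exit is the kernel-thread case (which still gets comm= but no exe=) would also help a reader of the record format.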
@@ -606,6 +633,7 @@ static void audit_log_exit(struct audit_
context->gid,
context->euid, context->suid, context->fsuid,
context->egid, context->sgid, context->fsgid);
+ audit_log_task_info(ab);
audit_log_end(ab);
for (i = 0; i < context->name_count; i++) {
ab = audit_log_start(context);
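Review bot: with `audit_log_task_info(ab);` now on every syscall exit record, the comm= value is emitted through a plain `" comm=%s"` with no escaping; a task's comm is chosen by the process (it follows the executable name but can be changed by the process itself) and may contain spaces or `=`, which would corrupt the space-separated key=value layout that the sample records in the mail rely on. Suggest quoting or hex-encoding comm when it contains such characters, and noting in the changelog that the vma walk under mmap_sem is now paid on every audited syscall exit rather than only on an AVC message.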
Index: linux-2.6/security/selinux/avc.c
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/avc.c,v
retrieving revision 1.53
diff -u -p -r1.53 avc.c
--- linux-2.6/security/selinux/avc.c 14 Mar 2005 19:52:45 -0000 1.53
+++ linux-2.6/security/selinux/avc.c 30 Mar 2005 21:11:32 -0000
@@ -532,7 +532,6 @@ void avc_audit(u32 ssid, u32 tsid,
u16 tclass, u32 requested,
struct av_decision *avd, int result, struct avc_audit_data *a)
{
- struct task_struct *tsk = current;
struct inode *inode = NULL;
u32 denied, audited;
struct audit_buffer *ab;
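Review bot: dropping the `struct task_struct *tsk = current;` local means avc_audit no longer consults the task handed in by callers through the audit data (the `a->tsk` use removed in the next hunk); if any caller still fills that member, its task is now silently ignored and the record describes current instead, so either check the callers and remove the member or call out the change in the commit message.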
@@ -556,39 +555,6 @@ void avc_audit(u32 ssid, u32 tsid,
audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted");
avc_dump_av(ab, tclass,audited);
audit_log_format(ab, " for ");
- if (a && a->tsk)
- tsk = a->tsk;
- if (tsk && tsk->pid) {
- struct mm_struct *mm;
- struct vm_area_struct *vma;
- audit_log_format(ab, " pid=%d", tsk->pid);
- if (tsk == current)
- mm = current->mm;
- else
- mm = get_task_mm(tsk);
- if (mm) {
- if (down_read_trylock(&mm->mmap_sem)) {
- vma = mm->mmap;
- while (vma) {
- if ((vma->vm_flags & VM_EXECUTABLE) &&
- vma->vm_file) {
- audit_log_d_path(ab, "exe=",
- vma->vm_file->f_dentry,
- vma->vm_file->f_vfsmnt);
- break;
- }
- vma = vma->vm_next;
- }
- up_read(&mm->mmap_sem);
- } else {
- audit_log_format(ab, " comm=%s", tsk->comm);
- }
- if (tsk != current)
- mmput(mm);
- } else {
- audit_log_format(ab, " comm=%s", tsk->comm);
- }
- }
if (a) {
switch (a->type) {
case AVC_AUDIT_DATA_IPC:
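Review bot: this hunk removes not only the exe=/comm= emission but also the `" pid=%d"` field from the avc record, so the avc line now carries no subject identification of its own and depends on being matched to the syscall record with the same audit serial (as in the sample output in the mail). An AVC denial raised by a task that has no syscall audit context, or that occurs outside a syscall, would then appear with no pid, comm or exe at all; keeping pid= in the avc record is cheap and preserves that fallback, or the commit message should state that every avc_audit path is guaranteed an accompanying syscall record.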
--
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency