'Getting the program name in audit messages'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       linux-audit
Subject:    Getting the program name in audit messages
From:       Steve Grubb <sgrubb () redhat ! com>
Date:       2005-03-31 21:30:43
Message-ID: 200503311630.43602.sgrubb () redhat ! com
[Download RAW message or body]

Hello,

This topic has already been discussed on the SE Linux mail list. Because the 
attached patch affects the audit code, I want to put it out here for 
discussion as well. I started with a patch to put the program name into avc 
messages and Stephen Smalley changed the patch to put the processing in 
audit_log_exit. 

There is a minor problem in the SE Linux avc messages that makes it hard to 
interpret what has failed. For example, if you have a shell script that tries 
to read a file that's in a different context, you get a message with 
exe=/bin/sh. This causes trouble tracking down the rogue script.

The attached patch against 2.6.11 changes the output of an AVC denial message 
so that it looks like this:

type=KERNEL msg=audit(1112293183.500:1591315): item=0 name=/usr/X11R6/bin/id 
inode=573518 dev=03:02 mode=040755 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1112293183.500:1591315): syscall=195 exit=-13 a0=9ef71e8 
a1=bfe1e850 a2=b6cff4 a3=9ef71e8 items=1 pid=3583 loginuid=525 uid=0 gid=0 
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=named exe=/bin/bash
type=KERNEL msg=audit(1112293183.500:1591315): avc:  denied  { search } for  
name=bin dev=hda2 ino=573518 scontext=root:system_r:named_t 
tcontext=system_u:object_r:bin_t tclass=dir

To get this, I deleted named, replaced it with a shell script that tries
to cat /etc/shadow. As you can see, it now says comm=named. You also get
the syscall information which could help policy writers correct problems
with less guessing. All around, its a plus for SE Linux.

How does this affect auditing? The audit record now has 2 new fields.
I put the following rules into the audit system:

-a entry,always -S execve
-a entry,always -S open

And within seconds got this:

type=KERNEL msg=audit(1112294058.648:2278762): syscall=5 exit=-2 a0=961f198 
a1=18800 a2=2086b9 a3=18800 items=1 pid=3336 loginuid=525 uid=525 gid=525 
euid=525 suid=525 fsuid=525 egid=525 sgid=525 fsgid=525 comm=gam_server 
exe=/usr/libexec/gam_server
type=KERNEL msg=audit(1112294059.206:2279059): item=0 name=/dev/hdd inode=1357 
dev=00:0d mode=060600 uid=525 gid=6 rdev=16:40
type=KERNEL msg=audit(1112294059.206:2279059): syscall=5 exit=4 a0=890b2f0 
a1=8880 a2=0 a3=8880 items=1 pid=2744 loginuid=-1 uid=0 gid=0 euid=0 suid=0 
fsuid=0 egid=0 sgid=0 fsgid=0 comm=hald exe=/usr/sbin/hald

You now see what the exe's path is and what the program calls itself. This can 
help interpret the audit messages since now you know that pid 2744 was the 
hal daemon. So, I think this will be a big plus for auditing, too.

What do you guys think?

-Steve Grubb

["linux-2.6.11-audit-avc.patch" (text/x-diff)]

Note btw that with my changes to your original patch, you no longer need
to add a function prototype for audit_log_task_info to audit.h and you
can make it a static function, since it is only used internally within
auditsc.c at that point.  Full updated patch below against 2.6.11 (not
relative to your original one).  Retains the on-stack buffer since it
isn't large and the use of get_task_comm since it is consistent with
other code, although I'm not convinced it is necessary for accessing the
current->comm.

Index: linux-2.6/kernel/auditsc.c
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/kernel/auditsc.c,v
retrieving revision 1.3
diff -u -p -r1.3 auditsc.c
--- linux-2.6/kernel/auditsc.c	2 Mar 2005 14:40:50 -0000	1.3
+++ linux-2.6/kernel/auditsc.c	31 Mar 2005 13:36:30 -0000
@@ -577,6 +577,33 @@ static inline void audit_free_context(st
 		printk(KERN_ERR "audit: freed %d contexts\n", count);
 }
 
+static void audit_log_task_info(struct audit_buffer *ab)
+{
+	char name[sizeof(current->comm)];
+	struct mm_struct *mm = current->mm;
+	struct vm_area_struct *vma;
+
+	get_task_comm(name, current);
+	audit_log_format(ab, " comm=%s", name);
+
+	if (!mm)
+		return;
+
+	down_read(&mm->mmap_sem);
+	vma = mm->mmap;
+	while (vma) {
+		if ((vma->vm_flags & VM_EXECUTABLE) &&
+		    vma->vm_file) {
+			audit_log_d_path(ab, "exe=",
+					 vma->vm_file->f_dentry,
+					 vma->vm_file->f_vfsmnt);
+			break;
+		}
+		vma = vma->vm_next;
+	}
+	up_read(&mm->mmap_sem);
+}
+
 static void audit_log_exit(struct audit_context *context)
 {
 	int i;
@@ -606,6 +633,7 @@ static void audit_log_exit(struct audit_
 		  context->gid,
 		  context->euid, context->suid, context->fsuid,
 		  context->egid, context->sgid, context->fsgid);
+	audit_log_task_info(ab);
 	audit_log_end(ab);
 	for (i = 0; i < context->name_count; i++) {
 		ab = audit_log_start(context);
Index: linux-2.6/security/selinux/avc.c
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/avc.c,v
retrieving revision 1.53
diff -u -p -r1.53 avc.c
--- linux-2.6/security/selinux/avc.c	14 Mar 2005 19:52:45 -0000	1.53
+++ linux-2.6/security/selinux/avc.c	30 Mar 2005 21:11:32 -0000
@@ -532,7 +532,6 @@ void avc_audit(u32 ssid, u32 tsid,
                u16 tclass, u32 requested,
                struct av_decision *avd, int result, struct avc_audit_data *a)
 {
-	struct task_struct *tsk = current;
 	struct inode *inode = NULL;
 	u32 denied, audited;
 	struct audit_buffer *ab;
@@ -556,39 +555,6 @@ void avc_audit(u32 ssid, u32 tsid,
 	audit_log_format(ab, "avc:  %s ", denied ? "denied" : "granted");
 	avc_dump_av(ab, tclass,audited);
 	audit_log_format(ab, " for ");
-	if (a && a->tsk)
-		tsk = a->tsk;
-	if (tsk && tsk->pid) {
-		struct mm_struct *mm;
-		struct vm_area_struct *vma;
-		audit_log_format(ab, " pid=%d", tsk->pid);
-		if (tsk == current)
-			mm = current->mm;
-		else
-			mm = get_task_mm(tsk);
-		if (mm) {
-			if (down_read_trylock(&mm->mmap_sem)) {
-				vma = mm->mmap;
-				while (vma) {
-					if ((vma->vm_flags & VM_EXECUTABLE) &&
-					    vma->vm_file) {
-						audit_log_d_path(ab, "exe=",
-							vma->vm_file->f_dentry,
-							vma->vm_file->f_vfsmnt);
-						break;
-					}
-					vma = vma->vm_next;
-				}
-				up_read(&mm->mmap_sem);
-			} else {
-				audit_log_format(ab, " comm=%s", tsk->comm);
-			}
-			if (tsk != current)
-				mmput(mm);
-		} else {
-			audit_log_format(ab, " comm=%s", tsk->comm);
-		}
-	}
 	if (a) {
 		switch (a->type) {
 		case AVC_AUDIT_DATA_IPC:

-- 
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency



[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic