[PATCH] Auditd shutdown credentials
Steve Grubb
sgrubb at redhat.com
Wed Apr 27 20:36:28 UTC 2005
On Wednesday 27 April 2005 16:09, Chris Wright wrote:
> Thanks, that does fix pure spoofing. It's still just a best guess since
> it could be pid from one thread and uid from another (simple spinlock
> would at least guarantee consistency).
We don't have a requirement to protect against malicious acts. Policy can be
written that locks down who can send a signal to auditd. The initscripts do
not use threads. Besides, if you are root, you can change your own loginuid
to anything you want. Why bother with threads?
> If it were queued, you'd be able to replay the history (at a cost).
This would be using a scud missile to kill a mosquito. The signals are not
queued, so what would I do with the extra ones? When would I even read them?
On start up? It's not needed.
> I might have gotten mixed up since this audit.h is different from mine,
> but it looks like this symbol is declared for CONFIG_AUDIT, whereas
> definition is under CONFIG_AUDITSYSCALL
You're right...this could be a problem depending on your file. I'm using the
latest 2.6.9 kernel from David's yum repo like was requested. The function
prototype is under CONFIG_AUDIT and the macro is in the else clause. The
function definition has no ifdefs around it and it's in auditsc.c. Is
something wrong?
> > @@ -429,6 +435,12 @@
> > NETLINK_CB(skb).pid,
> > uid, seq, data);
> > break;
> > + case AUDIT_TERM_INFO:
> > + term_data.uid = audit_kill_uid;
> > + term_data.pid = audit_kill_pid;
> > + audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_TERM_INFO,
> > + 0, 0, &term_data, sizeof(term_data));
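Review bot: the hunk header announces six added lines but only five `+` lines are quoted, so the `break;` that should close `case AUDIT_TERM_INFO:` is not visible here; without it, control falls into the following case after the reply has been sent. Separately, `term_data.uid` and `term_data.pid` are filled from `audit_kill_uid` and `audit_kill_pid` by two independent reads, so a second signal arriving between them can leave the reply carrying the uid of one sender and the pid of another; taking a lock around the pair (or reading them through one combined store) keeps the reported credentials self-consistent.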
>
> Hmmm, there's still room for trouble here. The queue could be full, or you'd
> still need to drain all messages.
What queue? audit_send_reply does a netlink unicast.
> So you can guarantee that if you read
> until queue is empty you either got this message, or it was dropped (not
> the best guarantee).
The corresponding user space code reads the netlink socket until it gets the
AUDIT_TERM_INFO packet.
> Would some trivially simple sysfs file help you?
That depends on whether something is wrong above.
> > @@ -572,6 +584,8 @@
> > audit_panic("cannot initialize netlink socket");
> >
> > audit_initialized = 1;
> > + audit_kill_uid = -1;
> > + audit_kill_pid = -1;
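Review bot: `-1` as the "no signal recorded yet" sentinel only works if `audit_kill_uid` has a signed type; if it is a `uid_t`, the assignment wraps to the maximum uid value, and the AUDIT_TERM_INFO reply cannot distinguish "nobody has signaled auditd" from a real sender with that uid. Either give the variables a signed type, or add an explicit valid flag alongside them, and set the initial values at the declaration rather than in the init path.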
>
> These can go at declaration
OK.
> > + if (unlikely(audit_pid && t->pid == audit_pid)) {
> > + if (sig == SIGTERM || sig == SIGKILL) {
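Review bot: the `sig == SIGKILL` branch records sender credentials that no handler can ever query, since SIGKILL cannot be caught and auditd therefore never gets to issue the AUDIT_TERM_INFO request; restricting the test to the signals auditd actually handles (SIGTERM here) keeps the stored pid/uid meaningful and avoids overwriting a valid SIGTERM record with one for a signal that simply ended the process.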
>
> It's impossible to use on SIGKILL, since auditd can't catch that signal.
I thought about that after I sent the patch...already changed that. :)
> Any reason this should be unavailable when syscall auditing is off?
No.
> Perhaps it should be in audit core, and then make the pid/uid bits
> static again.
Can't without getting the full definition of audit_context - which is local to
auditsc.c. Is it time to move that into the header? I suspect it was local to
auditsc to keep people from manipulating it all over the place.
Thanks for looking this over.
-Steve