Getting the program name in audit messages

Steve Grubb sgrubb at redhat.com
Thu Mar 31 21:30:43 UTC 2005


Hello,

This topic has already been discussed on the SE Linux mail list. Because the 
attached patch affects the audit code, I want to put it out here for 
discussion as well. I started with a patch to put the program name into avc 
messages and Stephen Smalley changed the patch to put the processing in 
audit_log_exit. 

There is a minor problem in the SE Linux avc messages that makes it hard to 
interpret what has failed. For example, if you have a shell script that tries 
to read a file that's in a different context, you get a message with 
exe=/bin/sh. This causes trouble tracking down the rogue script.

The attached patch against 2.6.11 changes the output of an AVC denial message 
so that it looks like this:

type=KERNEL msg=audit(1112293183.500:1591315): item=0 name=/usr/X11R6/bin/id 
inode=573518 dev=03:02 mode=040755 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1112293183.500:1591315): syscall=195 exit=-13 a0=9ef71e8 
a1=bfe1e850 a2=b6cff4 a3=9ef71e8 items=1 pid=3583 loginuid=525 uid=0 gid=0 
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=named exe=/bin/bash
type=KERNEL msg=audit(1112293183.500:1591315): avc:  denied  { search } for  
name=bin dev=hda2 ino=573518 scontext=root:system_r:named_t 
tcontext=system_u:object_r:bin_t tclass=dir

To get this, I deleted named and replaced it with a shell script that tries
to cat /etc/shadow. As you can see, it now says comm=named. You also get
the syscall information, which could help policy writers correct problems
with less guessing. All around, it's a plus for SE Linux.

How does this affect auditing? The audit record now has 2 new fields.
I put the following rules into the audit system:

-a entry,always -S execve
-a entry,always -S open

And within seconds got this:

type=KERNEL msg=audit(1112294058.648:2278762): syscall=5 exit=-2 a0=961f198 
a1=18800 a2=2086b9 a3=18800 items=1 pid=3336 loginuid=525 uid=525 gid=525 
euid=525 suid=525 fsuid=525 egid=525 sgid=525 fsgid=525 comm=gam_server 
exe=/usr/libexec/gam_server
type=KERNEL msg=audit(1112294059.206:2279059): item=0 name=/dev/hdd inode=1357 
dev=00:0d mode=060600 uid=525 gid=6 rdev=16:40
type=KERNEL msg=audit(1112294059.206:2279059): syscall=5 exit=4 a0=890b2f0 
a1=8880 a2=0 a3=8880 items=1 pid=2744 loginuid=-1 uid=0 gid=0 euid=0 suid=0 
fsuid=0 egid=0 sgid=0 fsgid=0 comm=hald exe=/usr/sbin/hald

You now see what the exe's path is and what the program calls itself. This can 
help interpret the audit messages since now you know that pid 2744 was the 
hal daemon. So, I think this will be a big plus for auditing, too.

What do you guys think?

-Steve Grubb
-------------- next part --------------
A non-text attachment was scrubbed...
Name: linux-2.6.11-audit-avc.patch
Type: text/x-diff
Size: 3656 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20050331/335666ab/attachment.bin>
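The comm/exe pairing is what makes the rogue-script case in the post visible: comm=named next to exe=/bin/bash. As an added example (not part of the post or of the attached patch), the Python below parses the records quoted above, used here as constructed sample input, groups them by audit serial number, and flags events whose comm does not match the basename of exe. The 15-character comm limit is the kernel's task comm truncation, not something the post states.

```python
import re
from os.path import basename

# Constructed sample input: the records shown in the post, one record per line
# (the AVC denial event with serial 1591315, plus the open() by hald).
SAMPLE = """\
type=KERNEL msg=audit(1112293183.500:1591315): item=0 name=/usr/X11R6/bin/id inode=573518 dev=03:02 mode=040755 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1112293183.500:1591315): syscall=195 exit=-13 a0=9ef71e8 a1=bfe1e850 a2=b6cff4 a3=9ef71e8 items=1 pid=3583 loginuid=525 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=named exe=/bin/bash
type=KERNEL msg=audit(1112293183.500:1591315): avc:  denied  { search } for  name=bin dev=hda2 ino=573518 scontext=root:system_r:named_t tcontext=system_u:object_r:bin_t tclass=dir
type=KERNEL msg=audit(1112294059.206:2279059): syscall=5 exit=4 a0=890b2f0 a1=8880 a2=0 a3=8880 items=1 pid=2744 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=hald exe=/usr/sbin/hald
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV = re.compile(r"(\w+)=(\S+)")
TASK_COMM_LEN = 15  # the kernel stores comm in a 16-byte buffer: 15 chars plus NUL


def parse_events(text):
    """Group records by audit serial and merge their key=value fields."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        _rectype, stamp, serial, body = m.groups()
        ev = events.setdefault(serial, {"timestamp": stamp, "avc_denied": False})
        if body.startswith("avc:") and "denied" in body:
            ev["avc_denied"] = True
        ev.update(KV.findall(body))  # later records in the event overwrite earlier keys
    return events


def comm_matches_exe(ev):
    """True when comm is what the exe path would normally produce."""
    return ev["comm"] == basename(ev["exe"])[:TASK_COMM_LEN]


def find_mismatches(text):
    """Events whose process calls itself something other than its exe basename."""
    return [(serial, ev["comm"], ev["exe"], ev["avc_denied"])
            for serial, ev in parse_events(text).items()
            if "comm" in ev and "exe" in ev and not comm_matches_exe(ev)]


if __name__ == "__main__":
    for serial, comm, exe, denied in find_mismatches(SAMPLE):
        print(f"audit serial {serial}: comm={comm} exe={exe} avc_denied={denied}")
```

Only the named event is reported; hald's comm agrees with its exe and is left alone.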
