Please check svn was Re: [PATCH] Have auditctl check the capability...<snip>

Peter Moody pmoody at google.com
Wed Mar 21 22:12:31 UTC 2012


On Wed, Mar 21, 2012 at 2:36 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> On Wednesday, March 21, 2012 03:11:49 PM Peter Moody wrote:
>> This is against the 2.2 release.
>
> Thanks. I will apply this with probably a small change or two.
>
>> I wasn't able to get HEAD to compile (issues with mounttab.h that I didn't want
>> to run down because this is such a small patch).
>
> For anyone not on Fedora, I would appreciate if you test what's in svn even if
> it's just a quick build check. I am planning to release a new audit package soon.
> The changelog may look small, but there are thousands of lines of code added or
> modified. It's better to fix the headers before the release than after.

ubuntu lucid (10.04, admittedly a little old):

lib/gen_tables.c is missing an include for linux/fs.h
src/ausearch-report.c is missing includes for linux/fs.h and limits.h

refuses to build w/o these includes. builds and appears to work
correctly when they're added.

> The next audit release has a new feature that I hope everyone will appreciate.
> Ausearch and libauparse now have the ability to interpret the arguments being
> passed to certain syscalls. I did this for a little over 40 syscalls:


> So, now you get output like this:
>
> type=SYSCALL msg=audit(04/14/2011 20:18:28.953:3) : arch=x86_64 syscall=mmap
> success=yes exit=61440 a0=0xf000 a1=0x502 a2=PROT_READ|PROT_WRITE|PROT_EXEC
> a3=MAP_SHARED|MAP_FIXED items=0 ppid=603 pid=618 auid=unset uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
> ses=unset comm=vbetool exe=/usr/sbin/vbetool
> subj=system_u:system_r:vbetool_t:s0-s0:c0.c1023 key=(null)
>
> type=SYSCALL msg=audit(04/14/2011 20:13:34.658:3118) : arch=x86_64 syscall=mount
> success=yes exit=0 a0=0x405b22 a1=0x405469 a2=0x405b22 a3=MS_REC|MS_PRIVATE
> items=1 ppid=3467 pid=3468 auid=sgrubb uid=sgrubb gid=sgrubb euid=root suid=root
> fsuid=root egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=(none) ses=1 comm=fusermount
> exe=/bin/fusermount subj=unconfined_u:unconfined_r:unconfined_t:s0 key=export
>
> type=SYSCALL msg=audit(05/05/2011 19:01:46.559:205) : arch=x86_64 syscall=openat
> success=no exit=-13(Permission denied) a0=0x5 a1=0xd93660 a2=O_RDONLY|O_NOCTTY|
> O_NONBLOCK|O_DIRECTORY a3=0x0 items=1 ppid=3831 pid=3832 auid=sgrubb uid=sgrubb
> gid=sgrubb euid=sgrubb suid=sgrubb fsuid=sgrubb egid=sgrubb sgid=sgrubb
> fsgid=sgrubb tty=pts2 ses=1 comm=find exe=/bin/find
> subj=unconfined_u:unconfined_r:unconfined_t:s0 key=access
>
> The idea is to reduce the need to go digging through header files to see what
> arguments were being passed to some common and/or security related syscalls. In
> the case where a uid/gid was being passed to the syscall, it's now interpreted
> to the account name/group name.

Awesome! I had to implement something like this in post-processing for
signal generation.

Cheers,
peter

> -Steve



-- 
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038
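
The argument interpretation discussed in this thread, sketched as post-processing over raw (uninterpreted) records. This is an added example, not part of the original message and not code from the audit project; the sample records are constructed, the function names are hypothetical, and only a subset of the x86_64 `mmap` flag values is tabled.

```python
import re

# x86_64 values from <sys/mman.h>; on arch c000003e (x86_64) syscall 9 is mmap.
# Only a subset of the mapping flags is listed; unknown bits are kept as hex.
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}
X86_64, SYS_MMAP = "c000003e", "9"

# Constructed raw records: in raw form a0..a3 are bare hex, syscall is a number.
SAMPLE = [
    "type=SYSCALL msg=audit(1302826708.953:3): arch=c000003e syscall=9 success=yes "
    "exit=61440 a0=f000 a1=502 a2=7 a3=11 items=0 ppid=603 pid=618 comm=\"vbetool\"",
    "type=SYSCALL msg=audit(1302826709.100:4): arch=c000003e syscall=9 success=yes "
    "exit=139637976727552 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=603 pid=619 comm=\"cat\"",
]

def parse_fields(record):
    """Split a raw audit record into a dict of key=value fields."""
    return dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))

def decode_flags(value, table):
    """Render a bitmask as NAME|NAME, appending any unknown bits as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return "|".join(names) or "0x0"

def interpret_mmap(record):
    """Return (prot, flags, is_wx) for an x86_64 mmap record, else None."""
    f = parse_fields(record)
    if f.get("type") != "SYSCALL" or f.get("arch") != X86_64:
        return None
    if f.get("syscall") != SYS_MMAP or "a2" not in f or "a3" not in f:
        return None
    prot, flags = int(f["a2"], 16), int(f["a3"], 16)
    is_wx = bool(prot & 0x2 and prot & 0x4)  # writable and executable mapping
    return decode_flags(prot, PROT), decode_flags(flags, MAP), is_wx

if __name__ == "__main__":
    for rec in SAMPLE:
        print(interpret_mmap(rec))
```

The `is_wx` result is the kind of value a detection rule can key on without re-deriving the bitmask from headers.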
