[PATCH] Enable splitting the logs to both auditd and kernel simultaneously
Eric Paris
eparis at parisplace.org
Fri May 24 18:48:35 UTC 2013
AGREED. gmail + multiple patches is a PITA.
http://git.infradead.org/users/eparis/audit.git
audit-for-3.11 branch.
careful, it may rebase!
On Fri, May 24, 2013 at 2:35 PM, William Roberts
<bill.c.roberts at gmail.com> wrote:
> By any chance do you have a public branch somewhere I can pull these patches
> from. Gmail and patches is a pain..
>
> Bill
>
>
> On Fri, May 24, 2013 at 10:29 AM, William Roberts <bill.c.roberts at gmail.com>
> wrote:
>>
>> Ok I can port on top of your series. The KConfig default is really nice,
>> as it allows for an ignorant userspace. However, I could nix that if its a
>> show stopper.
>>
>> Bill
>>
>>
>> On Fri, May 24, 2013 at 9:34 AM, Eric Paris <eparis at parisplace.org> wrote:
>>>
>>> On Wed, 2013-05-22 at 19:18 -0700, William Roberts wrote:
>>> > This need came about in Samsung's mobile products. Id like to see and
>>> > attempt to get this mainstreamed. Any feedback would be greatly
>>> > appreciated. Thanks.
>>>
>>> My first thought is that I just sent a patch to introduce a flexible
>>> on/off flipping of bits for audit system features. Rather timely, so we
>>> don't have to keep introducing message types. AUDIT_SET/AUDIT_GET
>>> certainly weren't well thought out in that way. I'd like your thoughts
>>> on those patches (really 1/7 does the heavy lifting 6/7 and 7/7 use
>>> it)
>>>
>>> I thinking porting on top of my series will result in your patch being
>>> about 10 lines.
>>>
>>> I also don't love the name. This isn't about splitting logs, it's about
>>> also logging to kmsg.
>>>
>>> Do we need the Kconfig default? I'd think we should be able to get this
>>> set early enough in userspace. Any messages before auditd are going to
>>> go to kmsg. I envision that we should be able to set features in the
>>> audit.rules so you should be able to turn this on before auditd starts
>>> and things would stop going to kmsg.
>>>
>>> But I don't see a problem with it. If you port on top of this series
>>> I'm ok with queuing for 3.11
>>>
>>> > On Wed, May 22, 2013 at 7:16 PM, William Roberts
>>> > <bill.c.roberts at gmail.com> wrote:
>>> > Allow the audit subsystem to send audit events to both the
>>> > kernel
>>> > message buffer and auditd at the same time.
>>> >
>>> > Signed-off-by: William Roberts <w.roberts at sta.samsung.com>
>>> > ---
>>> > include/uapi/linux/audit.h | 11 ++++++++++
>>> > init/Kconfig | 8 +++++++
>>> > kernel/audit.c | 52
>>> > ++++++++++++++++++++++++++++++++++++++++------
>>> > kernel/audit.h | 6 ++++++
>>> > 4 files changed, 71 insertions(+), 6 deletions(-)
>>> >
>>> > diff --git a/include/uapi/linux/audit.h
>>> > b/include/uapi/linux/audit.h
>>> > index 75cef3f..0af5d78 100644
>>> > --- a/include/uapi/linux/audit.h
>>> > +++ b/include/uapi/linux/audit.h
>>> > @@ -68,6 +68,8 @@
>>> > #define AUDIT_MAKE_EQUIV 1015 /* Append to watched
>>> > tree */
>>> > #define AUDIT_TTY_GET 1016 /* Get TTY auditing
>>> > status */
>>> > #define AUDIT_TTY_SET 1017 /* Set TTY auditing
>>> > status */
>>> > +#define AUDIT_LOGSPLIT_GET 1018 /* Get logsplit
>>> > status */
>>> > +#define AUDIT_LOGSPLIT_SET 1019 /* Set logsplit
>>> > status */
>>> >
>>> > #define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages
>>> > mostly uninteresting to kernel */
>>> > #define AUDIT_USER_AVC 1107 /* We filter this
>>> > differently */
>>> > @@ -321,6 +323,10 @@ enum {
>>> > #define AUDIT_FAIL_PRINTK 1
>>> > #define AUDIT_FAIL_PANIC 2
>>> >
>>> > +/* Audit splitlog options */
>>> > +#define AUDIT_LOGSPLIT_OFF 0
>>> > +#define AUDIT_LOGSPLIT_ON 1
>>> > +
>>> > /* distinguish syscall tables */
>>> > #define __AUDIT_ARCH_64BIT 0x80000000
>>> > #define __AUDIT_ARCH_LE 0x40000000
>>> > @@ -374,6 +380,11 @@ struct audit_tty_status {
>>> > __u32 log_passwd; /* 1 = enabled, 0 =
>>> > disabled */
>>> > };
>>> >
>>> > +struct audit_logsplit_status {
>>> > + __u32 enabled; /* AUDIT_LOGSPLIT_ON
>>> > or
>>> > +
>>> > AUDIT_LOGSPLIT_OFF */
>>> > +};
>>> > +
>>> > /* audit_rule_data supports filter rules with both integer
>>> > and string
>>> > * fields. It corresponds with AUDIT_ADD_RULE,
>>> > AUDIT_DEL_RULE and
>>> > * AUDIT_LIST_RULES requests.
>>> > diff --git a/init/Kconfig b/init/Kconfig
>>> > index 9d3a788..52efca6 100644
>>> > --- a/init/Kconfig
>>> > +++ b/init/Kconfig
>>> > @@ -286,6 +286,14 @@ config AUDIT_LOGINUID_IMMUTABLE
>>> > one to drop potentially dangerous capabilites from
>>> > the login tasks,
>>> > but may not be backwards compatible with older init
>>> > systems.
>>> >
>>> > +config AUDIT_SPLITLOG
>>> > + bool "Split audit messages to userspace and kernel by
>>> > default"
>>> > + depends on AUDIT
>>> > + help
>>> > + Setting this to true will cause the audit messages
>>> > to be split
>>> > + by default to both the kernel message log and a
>>> > userspace audit
>>> > + daemon if registered.
>>> > +
>>> > source "kernel/irq/Kconfig"
>>> > source "kernel/time/Kconfig"
>>> >
>>> > diff --git a/kernel/audit.c b/kernel/audit.c
>>> > index 21c7fa6..ccd2f60 100644
>>> > --- a/kernel/audit.c
>>> > +++ b/kernel/audit.c
>>> > @@ -88,6 +88,9 @@ static int audit_default;
>>> > /* If auditing cannot proceed, audit_failure selects what
>>> > happens. */
>>> > static int audit_failure = AUDIT_FAIL_PRINTK;
>>> >
>>> > +/* Whether or not logsplit is enabled */
>>> > +static int audit_logsplit = AUDIT_SPLITLOG_INIT;
>>> > +
>>> > /*
>>> > * If audit records are to be written to the netlink socket,
>>> > audit_pid
>>> > * contains the pid of the auditd process and
>>> > audit_nlk_portid contains
>>> > @@ -343,6 +346,17 @@ static int audit_set_failure(int state)
>>> > return audit_do_config_change("audit_failure",
>>> > &audit_failure, state);
>>> > }
>>> >
>>> > +static int audit_set_logsplit(int state)
>>> > +{
>>> > + if (state != AUDIT_LOGSPLIT_OFF
>>> > + && state != AUDIT_LOGSPLIT_ON)
>>> > + return -EINVAL;
>>> > +
>>> > + return audit_do_config_change("audit_logsplit",
>>> > &audit_logsplit, state);
>>> > +}
>>> > +
>>> > +
>>> > +
>>> > /*
>>> > * Queue skbs to be sent to auditd when/if it comes back.
>>> > These skbs should
>>> > * already have been sent via prink/syslog and so if these
>>> > messages are dropped
>>> > @@ -361,11 +375,8 @@ static void audit_hold_skb(struct sk_buff
>>> > *skb)
>>> > kfree_skb(skb);
>>> > }
>>> >
>>> > -/*
>>> > - * For one reason or another this nlh isn't getting delivered
>>> > to the userspace
>>> > - * audit daemon, just send it to printk.
>>> > - */
>>> > -static void audit_printk_skb(struct sk_buff *skb)
>>> > +/* Just printks the skb, no audit_hold or free of any kind */
>>> > +static void __audit_printk_skb(struct sk_buff *skb)
>>> > {
>>> > struct nlmsghdr *nlh = nlmsg_hdr(skb);
>>> > char *data = nlmsg_data(nlh);
>>> > @@ -376,7 +387,14 @@ static void audit_printk_skb(struct
>>> > sk_buff *skb)
>>> > else
>>> > audit_log_lost("printk limit exceeded
>>> > \n");
>>> > }
>>> > -
>>> > +}
>>> > +/*
>>> > + * For one reason or another this nlh isn't getting delivered
>>> > to the userspace
>>> > + * audit daemon, just send it to printk.
>>> > + */
>>> > +static void audit_printk_skb(struct sk_buff *skb)
>>> > +{
>>> > + __audit_printk_skb(skb);
>>> > audit_hold_skb(skb);
>>> > }
>>> >
>>> > @@ -590,6 +608,8 @@ static int audit_netlink_ok(struct sk_buff
>>> > *skb, u16 msg_type)
>>> > case AUDIT_SIGNAL_INFO:
>>> > case AUDIT_TTY_GET:
>>> > case AUDIT_TTY_SET:
>>> > + case AUDIT_LOGSPLIT_GET:
>>> > + case AUDIT_LOGSPLIT_SET:
>>> > case AUDIT_TRIM:
>>> > case AUDIT_MAKE_EQUIV:
>>> > if (!capable(CAP_AUDIT_CONTROL))
>>> > @@ -843,7 +863,24 @@ static int audit_receive_msg(struct
>>> > sk_buff *skb, struct nlmsghdr *nlh)
>>> > spin_unlock(&tsk->sighand->siglock);
>>> > break;
>>> > }
>>> > + case AUDIT_LOGSPLIT_GET: {
>>> > + struct audit_logsplit_status s;
>>> > + s.enabled = audit_logsplit;
>>> > + audit_send_reply(NETLINK_CB(skb).portid, seq,
>>> > + AUDIT_LOGSPLIT_GET, 0, 0, &s,
>>> > sizeof(s));
>>> > + break;
>>> > + }
>>> > + case AUDIT_LOGSPLIT_SET: {
>>> > + struct audit_logsplit_status *s;
>>> > + if (nlh->nlmsg_len < sizeof(struct
>>> > audit_logsplit_status))
>>> > + return -EINVAL;
>>> > + s = data;
>>> > + err = audit_set_logsplit(s->enabled);
>>> > + break;
>>> > + }
>>> > +
>>> > default:
>>> > + printk(KERN_ERR "Unkown audit command");
>>> > err = -EINVAL;
>>> > break;
>>> > }
>>> > @@ -1670,6 +1707,9 @@ void audit_log_end(struct audit_buffer
>>> > *ab)
>>> > nlh->nlmsg_len = ab->skb->len - NLMSG_HDRLEN;
>>> >
>>> > if (audit_pid) {
>>> > + if (audit_logsplit ==
>>> > AUDIT_LOGSPLIT_ON)
>>> > + __audit_printk_skb(ab->skb);
>>> > +
>>> > skb_queue_tail(&audit_skb_queue,
>>> > ab->skb);
>>> > wake_up_interruptible(&kauditd_wait);
>>> > } else {
>>> > diff --git a/kernel/audit.h b/kernel/audit.h
>>> > index 1c95131..ef43bb1 100644
>>> > --- a/kernel/audit.h
>>> > +++ b/kernel/audit.h
>>> > @@ -321,4 +321,10 @@ extern struct list_head
>>> > *audit_killed_trees(void);
>>> > #define audit_filter_inodes(t,c) AUDIT_DISABLED
>>> > #endif
>>> >
>>> > +#ifdef CONFIG_AUDIT_SPLITLOG
>>> > +#define AUDIT_SPLITLOG_INIT AUDIT_LOGSPLIT_ON
>>> > +#else
>>> > +#define AUDIT_SPLITLOG_INIT AUDIT_LOGSPLIT_OFF
>>> > +#endif
>>> > +
>>> > extern struct mutex audit_cmd_mutex;
>>> > --
>>> > 1.8.2.2
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > --
>>> > Respectfully,
>>> >
>>> > William C Roberts
>>> >
>>> >
>>> > --
>>> > Linux-audit mailing list
>>> > Linux-audit at redhat.com
>>> > https://www.redhat.com/mailman/listinfo/linux-audit
>>>
>>>
>>
>>
>>
>> --
>> Respectfully,
>>
>> William C Roberts
>>
>
>
>
> --
> Respectfully,
>
> William C Roberts
>
More information about the Linux-audit
mailing list