[PATCH V4 0/4] audit by executable name

Richard Guy Briggs rgb at redhat.com
Tue Sep 23 04:32:33 UTC 2014 

On 14/09/08, Eric Paris wrote:
> On Mon, 2014-09-08 at 14:53 -0400, Steve Grubb wrote:
> > Hell Richard,
> > 
> > On Sunday, August 24, 2014 06:34:04 PM Richard Guy Briggs wrote:
> > > This is a part of Peter Moody, my and Eric Paris' work to implement
> > > audit by executable name.
> > 
> > So, what's the status on this? Is it scheduled for the next upstream kernel? 
> > This is a feature that's been missing for a long time. Many people will find 
> > this useful.
> > 
> > Also, has anyone beside Richard been testing this?
> 
> I tested it when I wrote it.  But don't know about this patch series.
> Is that worth anything?   :)

Do you still have the test procedure and the results?

> > Thanks,
> > -Steve
> > 
> > > Please see the accompanying userspace patch:
> > > 	https://www.redhat.com/archives/linux-audit/2014-May/msg00019.html
> > > The userspace interface is not expected to change appreciably unless
> > > something important has been overlooked.  Setting and deleting rules works
> > > as expected.
> > > 
> > > If the path does not exist at rule creation time, it will be re-evaluated
> > > every time there is a change to the parent directory at which point the
> > > change in device and inode will be noted.
> > > 
> > > 
> > > Here's a test run:
> > > 
> > > # /usr/local/sbin/auditctl -a always,exit -F dir=/tmp -F exe=/bin/touch -F
> > > key=touch_tmp # /usr/local/sbin/ausearch --start recent -k touch_tmp
> > > time->Mon Jun 30 14:15:06 2014
> > > type=CONFIG_CHANGE msg=audit(1404152106.683:149): auid=0 ses=1
> > > subj=unconfined_u :unconfined_r:auditctl_t:s0-s0:c0.c1023 op="add rule"
> > > key="touch_tmp" list=4 res =1
> > > 
> > > # /usr/local/sbin/auditctl -l
> > > -a always,exit -S all -F dir=/tmp -F exe=/bin/touch -F key=touch_tmp
> > > 
> > > # touch /tmp/test
> > > 
> > > # /usr/local/sbin/ausearch --start recent -k touch_tmp
> > > time->Wed Jul  2 12:18:47 2014
> > > type=UNKNOWN[1327] msg=audit(1404317927.319:132):
> > > proctitle=746F756368002F746D702F74657374 type=PATH
> > > msg=audit(1404317927.319:132): item=1 name="/tmp/test" inode=25997
> > > dev=00:20 mode=0100644 ouid=0 ogid=0 rdev=00:00
> > > obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE type=PATH
> > > msg=audit(1404317927.319:132): item=0 name="/tmp/" inode=11144 dev=00:20
> > > mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0
> > > nametype=PARENT type=CWD msg=audit(1404317927.319:132):  cwd="/root"
> > > type=SYSCALL msg=audit(1404317927.319:132): arch=c000003e syscall=2
> > > success=yes exit=3 a0=7ffffa403dd5 a1=941 a2=1b6 a3=34b65b2c6c items=2
> > > ppid=4321 pid=6436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > > fsgid=0 tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/touch"
> > > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="touch_tmp"
> > > 
> > > 
> > > Revision history:
> > > v4: Re-order and squash down fixups
> > >     Fix audit_dup_exe() to copy pathname string before calling
> > > audit_alloc_mark().
> > > 
> > > v3: Rationalize and rename some function names and clean up get/put and free
> > > code. Rename several "watch" references to "mark".
> > >     Rename audit_remove_rule() to audit_remove_mark_rule().
> > >     Let audit_free_rule() take care of calling audit_remove_mark().
> > >     Put audit_alloc_mark() arguments in same order as watch, tree and inode.
> > > Move the access to the entry for audit_match_signal() to the beginning of
> > > the function in case the entry found is the same one passed in. This will
> > > enable it to be used by audit_remove_mark_rule().
> > >     https://www.redhat.com/archives/linux-audit/2014-July/msg00000.html
> > > 
> > > v2: Misguided attempt to add in audit_exe similar to watches
> > >     https://www.redhat.com/archives/linux-audit/2014-June/msg00066.html
> > > 
> > > v1.5: eparis' switch to fsnotify
> > >     https://www.redhat.com/archives/linux-audit/2014-May/msg00046.html
> > >     https://www.redhat.com/archives/linux-audit/2014-May/msg00066.html
> > > 
> > > v1: Change to path interface instead of inode
> > >     https://www.redhat.com/archives/linux-audit/2014-May/msg00017.html
> > > 
> > > v0: Peter Moodie's original patches
> > >     https://www.redhat.com/archives/linux-audit/2012-August/msg00033.html
> > > 
> > > 
> > > Next step:
> > > Get full-path notify working.
> > > 
> > > 
> > > Eric Paris (3):
> > >   audit: implement audit by executable
> > >   audit: clean simple fsnotify implementation
> > >   audit: convert audit_exe to audit_fsnotify
> > > 
> > > Richard Guy Briggs (1):
> > >   audit: avoid double copying the audit_exe path string
> > > 
> > >  include/linux/audit.h      |    1 +
> > >  include/uapi/linux/audit.h |    2 +
> > >  kernel/Makefile            |    2 +-
> > >  kernel/audit.h             |   39 +++++++
> > >  kernel/audit_exe.c         |   49 +++++++++
> > >  kernel/audit_fsnotify.c    |  237
> > > ++++++++++++++++++++++++++++++++++++++++++++ kernel/auditfilter.c       |  
> > > 51 +++++++++-
> > >  kernel/auditsc.c           |   16 +++
> > >  8 files changed, 394 insertions(+), 3 deletions(-)
> > >  create mode 100644 kernel/audit_exe.c
> > >  create mode 100644 kernel/audit_fsnotify.c
> > 
> 
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

- RGB

--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

More information about the Linux-audit mailing list