New field to auditd.conf file

Richard Guy Briggs rgb at redhat.com
Fri Apr 29 02:47:52 UTC 2016


On 16/04/28, Deepika Sundar wrote:
> Thank you for all the replies, and sorry, I am new to this audit subsystem field.
> 
> I am facing the problem in the initial stage itself: where to add the new
> field in the source code. As per my understanding of the code below, is it
> possible to fine tune it by adding a new field, say "APPLICATION ID", in
> that structure?
> 
> If not possible, what is the impact? OR
> Is it possible to add a new member without any impact?
> Please suggest me some idea where a new field in the audit structure can be
> added without breaking compatibility, and provide documentation I can refer
> to.
> Once I am clear with the method I can share the code for review.

There is a list of technical resources at:
	http://people.redhat.com/sgrubb/audit/
with a section on "Specs".

In particular, please see:
	http://people.redhat.com/sgrubb/audit/audit-events.txt
	http://people.redhat.com/sgrubb/audit/audit-parse.txt

I don't understand what this is below...

>  Kernel/audit.c
> 
> void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
> {
> 	const struct cred *cred;
> 	char comm[sizeof(tsk->comm)];
> 	char *tty;
> 
> 	if (!ab)
> 		return;
> 
> 	/* tsk == current */
> 	cred = current_cred();
> 
> 	spin_lock_irq(&tsk->sighand->siglock);
> 	if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name)
> 		tty = tsk->signal->tty->name;
> 	else
> 		tty = "(none)";
> 	spin_unlock_irq(&tsk->sighand->siglock);
> 
> 	audit_log_format(ab,
> 			 " ppid=%d pid=%d auid=%u uid=%u gid=%u"
> 			 " euid=%u suid=%u fsuid=%u"
> 			 " egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
> 			 task_ppid_nr(tsk),
> 			 task_pid_nr(tsk),
> 			 from_kuid(&init_user_ns, audit_get_loginuid(tsk)),
> 			 from_kuid(&init_user_ns, cred->uid),
> 			 from_kgid(&init_user_ns, cred->gid),
> 			 from_kuid(&init_user_ns, cred->euid),
> 			 from_kuid(&init_user_ns, cred->suid),
> 			 from_kuid(&init_user_ns, cred->fsuid),
> 			 from_kgid(&init_user_ns, cred->egid),
> 			 from_kgid(&init_user_ns, cred->sgid),
> 			 from_kgid(&init_user_ns, cred->fsgid),
> +			 tty, audit_get_sessionid(tsk), ApplicationID............);
> 
> 	audit_log_format(ab, " comm=");
> 	audit_log_untrustedstring(ab, get_task_comm(comm, tsk));
> 
> 	audit_log_d_path_exe(ab, tsk->mm);
> 	audit_log_task_context(ab);
> }
> 
> 
> 
> 
> 
> On Tue, Apr 26, 2016 at 6:07 AM, Richard Guy Briggs <rgb at redhat.com> wrote:
> > On 16/04/25, Deepika Sundar wrote:
> > > I wanted to add the namespace information in the audit record, for example
> > > pid_ns, user_ns, net_ns. Is there any possibility to add this field inside
> > > the audit structure?
> >
> > We've been looking at this issue for several years now and don't have an
> > obvious solution yet.  There has been discussion on this list.  It is on
> > the radar:
> >
> >         https://bugzilla.redhat.com/show_bug.cgi?id=1045666
> >
> >
> > > On Thu, Apr 21, 2016 at 6:28 PM, Paul Moore <pmoore at redhat.com> wrote:
> > > > As we've already mentioned several times, we can make no guarantees
> > > > regarding functionality or compatibility without seeing your code.
> > > > While it may be frustrating, this is how Open Source development
> > > > works.
> > > >
> > > > If you are interested in our help you will need to describe, in
> > > > detail, what you are trying to do and ideally post your existing code
> > > > so it can be reviewed.
> > > >
> > > > On Thu, Apr 21, 2016 at 1:25 AM, Deepika Sundar
> > > > <sundar.deepika18 at gmail.com> wrote:
> > > > > Okay, if I update ausearch/aureport in order to be aware of the new
> > > > > field in the audit log structure, can it be a feasible one?
> > > > >
> > > > > On Wed, Apr 20, 2016 at 6:00 PM, Steve Grubb <sgrubb at redhat.com>
> > wrote:
> > > > >>
> > > > >> On Wednesday, April 20, 2016 10:05:42 AM Deepika Sundar wrote:
> > > > >> > In a general way, are there any compatibility issues if the audit log
> > > > >> > structure gets modified?
> > > > >>
> > > > >> Yes, there can be problems if the log structure gets modified.
> > > > >> Ausearch/report are highly optimized for an exact format.
> > > > >>
> > > > >> -Steve
> > > > >>
> > > > >>
> > > > >> > On Wed, Apr 13, 2016 at 6:01 PM, Steve Grubb <sgrubb at redhat.com>
> > > > wrote:
> > > > >> > > On Wednesday, April 13, 2016 11:03:43 AM Deepika Sundar wrote:
> > > > >> > > > As per my understanding the audit log structure can be extended
> > > > >> > > > based on requirements, and in my project I need to add the
> > > > >> > > > identifier field for the application; as of now I am not able to
> > > > >> > > > reveal what application I am trying to develop or update. So, is
> > > > >> > > > there any possibility that I can do it without breaking any
> > > > >> > > > compatibility?
> > > > >> > >
> > > > >> > > I have no idea what you are doing so there is no guarantee that it
> > > > >> > > won't break something. If your project is going to be released as
> > > > >> > > open source it's generally best to collaborate with people so that
> > > > >> > > problems can be pointed out. Otherwise you risk spending a lot of
> > > > >> > > time on something only to have it rejected.
> > > > >> > >
> > > > >> > > -Steve
> > > > >> > >
> > > > >> > > > Or, if there are any compatibility issues, please specify.
> > > > >> > > >
> > > > >> > > > On Fri, Apr 8, 2016 at 12:12 AM, Paul Moore <paul at paul-moore.com> wrote:
> > > > >> > > > > On Thu, Apr 7, 2016 at 12:47 AM, Deepika Sundar
> > > > >> > > > > <sundar.deepika18 at gmail.com> wrote:
> > > > >> > > > > > In the same way, on the kernel side, can I add one new field
> > > > >> > > > > > to the audit log structure without breaking compatibility?
> > > > >> > > > > > If so,
> > > > >> > > > > >
> > > > >> > > > > >   1. How can I add a new field without breaking compatibility?
> > > > >> > > > > >
> > > > >> > > > > >      or
> > > > >> > > > > >
> > > > >> > > > > >   2. Is there any reserved field in the audit log structure
> > > > >> > > > > >      that I can make use of?
> > > > >> > > > >
> > > > >> > > > > You need to be more specific about what you are trying to do.
> > > > >> > > > > Speaking generally, unless you work to get your changes merged
> > > > >> > > > > into the upstream kernel and userspace tools we cannot guarantee
> > > > >> > > > > present or future compatibility.
> > > > >> > > > >
> > > > >> > > > > paul moore
> > > > >> > > > > www.paul-moore.com
> >
> > - RGB

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
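The compatibility point Steve and Paul make above, seen from the consumer side, as an added example (this is not code from the thread, the kernel, or the audit userspace tools). The parser follows the conventions visible in the kernel function quoted in the thread: audit_log_format() writes space-separated name=value pairs in a fixed order, and audit_log_untrustedstring() writes a value either double-quoted (when it contains no '"', no byte below 0x21 and none above 0x7e) or as uppercase hex. The sample records are hand-constructed, and "appid" is a hypothetical stand-in for the "APPLICATION ID" field the poster wants to splice in after ses=. A name-based consumer keeps working; a consumer that depends on the exact field order, or on a fixed field schema, does not.

```python
"""Consumer-side view of an extended audit record (added example; not code
from the linux-audit thread, the kernel, or the audit userspace tools).

Assumptions, all constructed for this example:
  - the sample records are hand-written, not captured from a system;
  - "appid" is a hypothetical field name; the list defines no such field.
"""
import re

# Task fields in the exact order of the audit_log_task_info() format string.
TASK_FIELDS = ("ppid", "pid", "auid", "uid", "gid", "euid", "suid", "fsuid",
               "egid", "sgid", "fsgid", "tty", "ses", "comm", "exe", "subj")
# Fields whose values pass through audit_log_untrustedstring() and need decoding.
UNTRUSTED_FIELDS = {"comm", "exe"}
# Field names a strict, schema-driven consumer knows (constructed for the samples).
KNOWN_FIELDS = set(TASK_FIELDS) | {"arch", "syscall", "success", "exit", "key"}

_HEADER = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
_FIELD = re.compile(r'(?P<name>[A-Za-z0-9_-]+)=(?P<value>"[^"]*"|\S*)')


def decode_untrusted(value):
    """Undo audit_log_untrustedstring(): quoted -> literal, else uppercase hex."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value  # not hex: leave the raw token rather than guess


def parse_record(line):
    """Split one record into its header and an ordered name -> raw value map."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    fields = {}
    for f in _FIELD.finditer(m.group("body")):
        fields[f.group("name")] = f.group("value")
    return {"type": m.group("type"), "timestamp": float(m.group("ts")),
            "serial": int(m.group("serial")), "fields": fields}


def task_info(record):
    """Name-based extraction: tolerates extra fields anywhere in the record."""
    out = {}
    for name in TASK_FIELDS:
        if name in record["fields"]:
            raw = record["fields"][name]
            out[name] = decode_untrusted(raw) if name in UNTRUSTED_FIELDS else raw
    return out


def unknown_fields(record):
    """What a schema-driven consumer would flag: names it has no definition for."""
    return [n for n in record["fields"] if n not in KNOWN_FIELDS]


def matches_kernel_order(record):
    """Order-based check: do the task fields appear contiguously in the kernel's
    order? A consumer tuned to that exact layout fails as soon as a field is
    spliced in between ses= and comm=."""
    names = list(record["fields"])
    if TASK_FIELDS[0] not in names:
        return False
    start = names.index(TASK_FIELDS[0])
    return tuple(names[start:start + len(TASK_FIELDS)]) == TASK_FIELDS


# Constructed sample records (not captured from a real system).
SAMPLE_BASE = ('type=SYSCALL msg=audit(1461894472.123:456): arch=c000003e syscall=59 '
               'success=yes exit=0 ppid=1 pid=2 auid=1000 uid=1000 gid=1000 euid=1000 '
               'suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 '
               'comm="bash" exe="/usr/bin/bash" '
               'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)')
# Same record with the hypothetical appid= spliced in where the poster's patch puts it.
SAMPLE_EXTENDED = SAMPLE_BASE.replace(" ses=1 ", " ses=1 appid=42 ")
# comm containing a space, which the kernel hex-encodes instead of quoting.
SAMPLE_HEX_COMM = SAMPLE_BASE.replace('comm="bash"', "comm=6D7920617070")

if __name__ == "__main__":
    for label, line in (("base", SAMPLE_BASE), ("extended", SAMPLE_EXTENDED),
                        ("hex comm", SAMPLE_HEX_COMM)):
        rec = parse_record(line)
        print(label, task_info(rec)["comm"], unknown_fields(rec),
              matches_kernel_order(rec))
```

Running it shows the three outcomes side by side: task_info() reads the same values from the base and the extended record, unknown_fields() reports "appid" for the extended one, and matches_kernel_order() is true only for records that keep the kernel's layout. That last function is the shape of the problem Steve describes: tools optimized for an exact format get no benefit from the name=value convention, so a field spliced into the middle of a record breaks them even though a generic parser copes.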



