[PATCH ghak25 v6] audit: add subj creds to NETFILTER_CFG record to cover async unregister
Richard Guy Briggs
rgb at redhat.com
Wed May 20 19:06:35 UTC 2020
On 2020-05-20 14:59, Richard Guy Briggs wrote:
> On 2020-05-20 14:51, Steve Grubb wrote:
> > On Wednesday, May 20, 2020 2:40:45 PM EDT Paul Moore wrote:
> > > On Wed, May 20, 2020 at 12:55 PM Richard Guy Briggs <rgb at redhat.com> wrote:
> > > > On 2020-05-20 12:51, Richard Guy Briggs wrote:
> > > > > Some table unregister actions seem to be initiated by the kernel to
> > > > > garbage collect unused tables that are not initiated by any userspace
> > > > > actions. It was found to be necessary to add the subject credentials
> > > > > to cover this case to reveal the source of these actions. A sample
> > > > > record:
> > > > >
> > > > > The uid, auid, tty, ses and exe fields have not been included since
> > > > > they
> > > > > are in the SYSCALL record and contain nothing useful in the non-user
> > > > > context.
> > > > >
> > > > > type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat
> > > > > family=bridge entries=0 op=unregister pid=153
> > > > > subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2
> > >
> > > FWIW, that record looks good.
> >
> > It's severely broken
> >
> > cat log.file
> > type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat
> > family=bridge entries=0 op=unregister pid=153
> > subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2
> >
> > ausearch -if log.file --format text
> > At 19:33:40 12/31/1969 did-unknown
> >
> > ausearch -if log.file --format csv
> > NODE,EVENT,DATE,TIME,SERIAL_NUM,EVENT_KIND,SESSION,SUBJ_PRIME,SUBJ_SEC,SUBJ_KIND,ACTION,RESULT,OBJ_PRIME,OBJ_SEC,OBJ_KIND,HOW
> > error normalizing NETFILTER_CFG
> > ,NETFILTER_CFG,12/31/1969,19:33:40,0,,,,,,,,,,
> >
> > This is unusable. This is why the bug was filed in the first place.
>
> Have you applied this patchset?
> https://www.redhat.com/archives/linux-audit/2020-May/msg00072.html
>
> AUDIT_EVENT_LISTENER is also broken without this first patch.
And EVENT_LISTENER also needs this patch:
https://github.com/linux-audit/audit-userspace/pull/114/commits/27daa6fca534b30199040d0ad05420a8331ab421
> > -Steve
> >
> > > > > Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
> > > >
> > > > Self-NACK. I forgot to remove cred and tty declarations.
>
> - RGB
- RGB
--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
More information about the Linux-audit
mailing list