* [[PATCH V2] 0/2] Log on the future execution of a path
@ 2015-07-14 15:46 Richard Guy Briggs
From: Richard Guy Briggs @ 2015-07-14 15:46 UTC
  To: linux-audit; +Cc: Richard Guy Briggs, pmoody

This is part of Peter Moody's, Eric Paris' and my work to implement
audit by executable name.

Please see the accompanying kernel patchset:
	https://www.redhat.com/archives/linux-audit/2015-July/thread.html
	[PATCH V6 0/4] audit by executable name

If the path does not exist at rule creation time, it will be re-evaluated every
time there is a change to the parent directory at which point the change in
device and inode will be noted.


Here's a sample run:
Test for addition, trigger and deletion of tree executable rule:
# auditctl -a always,exit -S all -F dir=/tmp -F exe=/usr/bin/touch -F key=exetest_tree
----
time->Sat Jul 11 10:41:50 2015
type=CONFIG_CHANGE msg=audit(1436629310.720:44711): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="add_rule" key="exetest_tree" list=4 res=1
----

# /usr/bin/touch /tmp/test
----
time->Sat Jul 11 10:41:50 2015
type=PROCTITLE msg=audit(1436629310.757:44712): proctitle=2F7573722F62696E2F746F756368002F746D702F74657374
type=PATH msg=audit(1436629310.757:44712): item=1 name="/tmp/test" inode=166932 dev=00:24 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE
type=PATH msg=audit(1436629310.757:44712): item=0 name="/tmp/" inode=11525 dev=00:24 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT
type=CWD msg=audit(1436629310.757:44712):  cwd="/root"
type=SYSCALL msg=audit(1436629310.757:44712): arch=c000003e syscall=2 success=yes exit=3 a0=7ffdee2f9e27 a1=941 a2=1b6 a3=691 items=2 ppid=17655 pid=17762 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="exetest_tree"
----

# auditctl -d always,exit -S all -F dir=/tmp -F exe=/usr/bin/touch -F key=exetest_tree
----
time->Sat Jul 11 10:41:50 2015
type=CONFIG_CHANGE msg=audit(1436629310.839:44713): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="remove_rule" key="exetest_tree" list=4 res=1
----


Revision history:
v2: Allow exe or exe_children field alone without watch or syscall

v1: change to path interface instead of inode
	https://www.redhat.com/archives/linux-audit/2014-May/msg00019.html

v0: Peter Moody's original patches
	https://www.redhat.com/archives/linux-audit/2012-August/msg00034.html

Next step:
Get full-path notify working.


Richard Guy Briggs (2):
  userspace: audit: log on the future execution of a path
  Allow monitoring of any activity on an executable with a specific
    path.

 trunk/lib/errormsg.h         |    4 ++--
 trunk/lib/fieldtab.h         |    2 ++
 trunk/lib/libaudit.c         |   11 ++++++++++-
 trunk/lib/libaudit.h         |    7 ++++++-
 trunk/lib/private.h          |    1 +
 trunk/src/auditctl-listing.c |    8 +++++++-
 trunk/src/auditctl.c         |    8 +++++++-
 7 files changed, 35 insertions(+), 6 deletions(-)
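The sample run above yields records that a defender correlates by audit serial and checks against the exe field the rule keyed on. The Python below is an added example, not code from this patch series or from audit-userspace: it parses the records from the run, decodes the hex PROCTITLE argv, and lists the events the exe= rule tagged with the key. The `fake-touch` SYSCALL record is a constructed decoy showing that `comm`, which a process picks for itself, is not what the rule matches.

```python
import re
from collections import defaultdict

# Records taken from the sample run above (trimmed to the fields used here), plus one
# constructed decoy event (serial 44799): comm="touch" but a different exe, so no key.
SAMPLE_RECORDS = """\
type=CONFIG_CHANGE msg=audit(1436629310.720:44711): auid=0 ses=1 op="add_rule" key="exetest_tree" list=4 res=1
type=PROCTITLE msg=audit(1436629310.757:44712): proctitle=2F7573722F62696E2F746F756368002F746D702F74657374
type=PATH msg=audit(1436629310.757:44712): item=1 name="/tmp/test" inode=166932 dev=00:24 mode=0100644 nametype=CREATE
type=SYSCALL msg=audit(1436629310.757:44712): arch=c000003e syscall=2 success=yes exit=3 items=2 ppid=17655 pid=17762 auid=0 uid=0 comm="touch" exe="/usr/bin/touch" key="exetest_tree"
type=SYSCALL msg=audit(1436629400.001:44799): arch=c000003e syscall=2 success=yes exit=3 items=2 ppid=17655 pid=17901 auid=0 uid=0 comm="touch" exe="/home/user/fake-touch" key=(null)
type=CONFIG_CHANGE msg=audit(1436629310.839:44713): auid=0 ses=1 op="remove_rule" key="exetest_tree" list=4 res=1
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
MSG_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')     # the serial shared by one event's records

def parse_record(line):
    """One audit record -> dict of its fields; surrounding quotes are stripped."""
    rec = {}
    for key, raw in FIELD_RE.findall(line):
        rec[key] = raw[1:-1] if raw.startswith('"') else raw
    rec["serial"] = int(MSG_RE.search(line).group(1))
    return rec

def group_events(text):
    """Group records by serial: SYSCALL, PATH, PROCTITLE of one syscall share one serial."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        events[rec["serial"]].append(rec)
    return dict(events)

def decode_proctitle(hexstr):
    """PROCTITLE carries argv hex-encoded with NUL separators; return it as a list."""
    return [a.decode() for a in bytes.fromhex(hexstr).split(b"\x00") if a]

def exe_rule_hits(text, exe, key):
    """(serial, argv, created paths) for each event the exe= rule tagged with key.
    The test is on the kernel-filled exe field, never on comm, which the process controls."""
    hits = []
    for serial, recs in sorted(group_events(text).items()):
        sc = [r for r in recs if r["type"] == "SYSCALL"]
        if not sc or sc[0].get("exe") != exe or sc[0].get("key") != key:
            continue
        argv = [decode_proctitle(r["proctitle"]) for r in recs if r["type"] == "PROCTITLE"]
        created = [r["name"] for r in recs if r.get("nametype") == "CREATE"]
        hits.append((serial, argv[0] if argv else [], created))
    return hits

HITS = exe_rule_hits(SAMPLE_RECORDS, "/usr/bin/touch", "exetest_tree")
```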


* [[PATCH V2] 1/2] userspace: audit: log on the future execution of a path
From: Richard Guy Briggs @ 2015-07-14 15:46 UTC
  To: linux-audit; +Cc: Richard Guy Briggs, pmoody

Enable creation of rules to monitor for the execution of a path in the future.

For example, to log occurrences of touch(1)ing a file in /tmp, use:
	-a always,exit -F dir=/tmp -F exe=/usr/sbin/touch -F key=touch_tmp

The command:
	touch /tmp/test

should generate a log message that can be verified by:
	ausearch --start recent -k touch_tmp

Similarly, use "exe_children=" in the place of "exe=" to detect the case for
any descendant processes.

Based-on-work-by: Peter Moody <pmoody@google.com>
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 trunk/lib/errormsg.h         |    2 +-
 trunk/lib/fieldtab.h         |    2 ++
 trunk/lib/libaudit.c         |    5 +++++
 trunk/lib/libaudit.h         |    7 ++++++-
 trunk/src/auditctl-listing.c |    8 +++++++-
 5 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
index a4fea66..8d72bd8 100644
--- a/trunk/lib/errormsg.h
+++ b/trunk/lib/errormsg.h
@@ -51,7 +51,7 @@ static const struct msg_tab err_msgtab[] = {
     { -15,    2,    "-F unknown errno -"},
     { -16,    2,    "-F unknown file type - " },
     { -17,    1,    "can only be used with exit and entry filter list" },
-    { -18,    1,    "" }, // Unused
+    { -18,    1,    "only takes = operator" },
     { -19,    0,    "Key field needs a watch or syscall given prior to it" },
     { -20,    2,    "-F missing value after operation for" },
     { -21,    2,    "-F value should be number for" },
diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h
index dd7474c..c458c32 100644
--- a/trunk/lib/fieldtab.h
+++ b/trunk/lib/fieldtab.h
@@ -66,3 +66,5 @@ _S(AUDIT_ARG3,         "a3"           )
 
 _S(AUDIT_FILTERKEY,    "key"          )
 
+_S(AUDIT_EXE,          "exe"          )
+_S(AUDIT_EXE_CHILDREN, "exe_children" )
diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
index dddfd0b..d7da4ec 100644
--- a/trunk/lib/libaudit.c
+++ b/trunk/lib/libaudit.c
@@ -1395,6 +1395,11 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 		case AUDIT_SUBJ_SEN:
 		case AUDIT_SUBJ_CLR:
 		case AUDIT_FILTERKEY:
+		case AUDIT_EXE_CHILDREN:
+		case AUDIT_EXE:
+			if ((field == AUDIT_EXE_CHILDREN || field == AUDIT_EXE) &&
+			    op != AUDIT_EQUAL)
+				return -18;
 			if (field == AUDIT_FILTERKEY && !(_audit_syscalladded || _audit_permadded))
                                 return -19;
 			vlen = strlen(v);
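Review bot: the new `AUDIT_EXE` and `AUDIT_EXE_CHILDREN` cases only validate the operator (`op != AUDIT_EQUAL` returns -18); the value itself is then handed to the shared string path (`vlen = strlen(v);`) with no bound on its length and no check that it is an absolute path. Since the cover letter says a non-existent path is deliberately accepted, an existence check is not wanted, but rejecting an empty or relative value and a value longer than the kernel will accept here, with a distinct error code, would give the user a clear `auditctl` message instead of a kernel-side rule rejection.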
diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h
index 05ee91e..1d3a697 100644
--- a/trunk/lib/libaudit.h
+++ b/trunk/lib/libaudit.h
@@ -274,6 +274,12 @@ extern "C" {
 #ifndef AUDIT_FIELD_COMPARE
 #define AUDIT_FIELD_COMPARE 111
 #endif
+#ifndef AUDIT_EXE
+#define AUDIT_EXE 112
+#endif
+#ifndef AUDIT_EXE_CHILDREN
+#define AUDIT_EXE_CHILDREN 113
+#endif
 
 #ifndef AUDIT_COMPARE_UID_TO_OBJ_UID
 #define AUDIT_COMPARE_UID_TO_OBJ_UID   1
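Review bot: the fallback values `AUDIT_EXE 112` and `AUDIT_EXE_CHILDREN 113` must agree with what the accompanying kernel patchset exports in the uapi `linux/audit.h`; because they sit under `#ifndef`, an installed kernel header that already defines either name with a different number wins silently and the field ids sent on the netlink socket would no longer be what the running kernel expects. A comment beside the defines naming the kernel series they were taken from, and a note to drop the fallbacks once the uapi header ships, would make that dependency visible.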
@@ -580,4 +586,3 @@ extern void audit_rule_free_data(struct audit_rule_data *rule);
 #endif
 
 #endif
-
diff --git a/trunk/src/auditctl-listing.c b/trunk/src/auditctl-listing.c
index 1dc9729..339dec7 100644
--- a/trunk/src/auditctl-listing.c
+++ b/trunk/src/auditctl-listing.c
@@ -63,7 +63,8 @@ int key_match(const struct audit_rule_data *r)
 		}
 		if (((field >= AUDIT_SUBJ_USER && field <= AUDIT_OBJ_LEV_HIGH)
                      && field != AUDIT_PPID) || field == AUDIT_WATCH ||
-			field == AUDIT_DIR || field == AUDIT_FILTERKEY) {
+			field == AUDIT_DIR || field == AUDIT_FILTERKEY
+		     || field == AUDIT_EXE || field == AUDIT_EXE_CHILDREN) {
 				boffset += r->values[i];
 		}
 	}
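Review bot: style only: the added continuation `|| field == AUDIT_EXE || field == AUDIT_EXE_CHILDREN` puts the operator at the start of the line while the existing condition puts `||` at the end (`field == AUDIT_WATCH ||`); keep one placement within the expression, e.g. end the previous line with `|| field == AUDIT_FILTERKEY ||` and continue with the two new fields.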
@@ -357,6 +358,11 @@ static void print_rule(const struct audit_rule_data *r)
 						&r->buf[boffset]);
 
 				boffset += r->values[i];
+			} else if (field == AUDIT_EXE || field == AUDIT_EXE_CHILDREN) {
+				printf(" -F exe%s=%.*s",
+					field == AUDIT_EXE_CHILDREN ? "_children" : "",
+					r->values[i], &r->buf[boffset]);
+				boffset += r->values[i];
 			} else if (field == AUDIT_FILTERKEY) {
 				char *rkey, *ptr, *saved=NULL;
 				if (asprintf(&rkey, "%.*s", r->values[i],
-- 
1.7.1


* [[PATCH V2] 2/2] Allow monitoring of any activity on an executable with a specific path.
From: Richard Guy Briggs @ 2015-07-14 15:46 UTC
  To: linux-audit; +Cc: Richard Guy Briggs, pmoody

Allow rules to be created that are not accompanied by a file or directory
watch, nor by a syscall specification.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 trunk/lib/errormsg.h |    2 +-
 trunk/lib/libaudit.c |   12 ++++++++----
 trunk/lib/private.h  |    1 +
 trunk/src/auditctl.c |    8 +++++++-
 4 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/trunk/lib/errormsg.h b/trunk/lib/errormsg.h
index 8d72bd8..2624567 100644
--- a/trunk/lib/errormsg.h
+++ b/trunk/lib/errormsg.h
@@ -52,7 +52,7 @@ static const struct msg_tab err_msgtab[] = {
     { -16,    2,    "-F unknown file type - " },
     { -17,    1,    "can only be used with exit and entry filter list" },
     { -18,    1,    "only takes = operator" },
-    { -19,    0,    "Key field needs a watch or syscall given prior to it" },
+    { -19,    0,    "Key field needs a watch, syscall or exe path given prior to it" },
     { -20,    2,    "-F missing value after operation for" },
     { -21,    2,    "-F value should be number for" },
     { -22,    2,    "-F missing field name before operator for" },
diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
index d7da4ec..b06c76b 100644
--- a/trunk/lib/libaudit.c
+++ b/trunk/lib/libaudit.c
@@ -82,6 +82,7 @@ static const struct nv_list failure_actions[] =
 int _audit_permadded = 0;
 int _audit_archadded = 0;
 int _audit_syscalladded = 0;
+int _audit_exeadded = 0;
 unsigned int _audit_elf = 0U;
 static struct libaudit_conf config;
 
@@ -1397,10 +1398,13 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 		case AUDIT_FILTERKEY:
 		case AUDIT_EXE_CHILDREN:
 		case AUDIT_EXE:
-			if ((field == AUDIT_EXE_CHILDREN || field == AUDIT_EXE) &&
-			    op != AUDIT_EQUAL)
-				return -18;
-			if (field == AUDIT_FILTERKEY && !(_audit_syscalladded || _audit_permadded))
+			if ((field == AUDIT_EXE_CHILDREN || field == AUDIT_EXE)) {
+				if (op != AUDIT_EQUAL)
+					return -18;
+				_audit_exeadded = 1;
+			}
+			if (field == AUDIT_FILTERKEY
+			    && !(_audit_syscalladded || _audit_permadded || _audit_exeadded))
                                 return -19;
 			vlen = strlen(v);
 			if (field == AUDIT_FILTERKEY &&
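Review bot: `_audit_exeadded = 1` is set before the value has been copied into the rule by the rest of this function, so an exe value that the later code rejects still leaves the flag set and a following `-k` would pass the -19 check for a rule that never got its exe field. The same flag is also set in `auditctl.c`'s `setopt` in this series, after the field has been appended, which is the safer point; keeping that one and dropping the assignment here avoids the duplication. Also, the outer parentheses in `if ((field == AUDIT_EXE_CHILDREN || field == AUDIT_EXE)) {` are redundant.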
diff --git a/trunk/lib/private.h b/trunk/lib/private.h
index a0e3e35..7d7fd13 100644
--- a/trunk/lib/private.h
+++ b/trunk/lib/private.h
@@ -131,6 +131,7 @@ extern int audit_send_user_message(int fd, int type, hide_t hide_err,
 extern int _audit_permadded;
 extern int _audit_archadded;
 extern int _audit_syscalladded;
+extern int _audit_exeadded;
 extern unsigned int _audit_elf;
 
 hidden_proto(audit_send_user_message);
diff --git a/trunk/src/auditctl.c b/trunk/src/auditctl.c
index b084b1a..40e9812 100644
--- a/trunk/src/auditctl.c
+++ b/trunk/src/auditctl.c
@@ -73,6 +73,7 @@ static int reset_vars(void)
 	_audit_syscalladded = 0;
 	_audit_permadded = 0;
 	_audit_archadded = 0;
+	_audit_exeadded = 0;
 	_audit_elf = 0;
 	add = AUDIT_FILTER_UNSET;
 	del = AUDIT_FILTER_UNSET;
@@ -821,6 +822,11 @@ static int setopt(int count, int lineno, char *vars[])
 			if (rule_new->fields[rule_new->field_count-1] ==
 						AUDIT_PERM)
 				_audit_permadded = 1;
+			if ((rule_new->fields[rule_new->field_count-1] ==
+						AUDIT_EXE) ||
+			    (rule_new->fields[rule_new->field_count-1] ==
+						AUDIT_EXE_CHILDREN))
+				_audit_exeadded = 1;
 		}
 
 		break;
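Review bot: this block sets `_audit_exeadded = 1` a second time; `audit_rule_fieldpair_data` in this same series already sets it when it parses the exe field, so one of the two assignments is dead and the pair should be reduced to one (this one runs only after the field was appended, so it is the better candidate to keep). Separately, `rule_new->fields[rule_new->field_count-1]` is now evaluated three times in a row, including by the pre-existing `AUDIT_PERM` check; hoisting it into a local such as `int last = rule_new->fields[rule_new->field_count-1];` would shorten all three comparisons.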
@@ -908,7 +914,7 @@ static int setopt(int count, int lineno, char *vars[])
 		}
 		break;
 	case 'k':
-		if (!(_audit_syscalladded || _audit_permadded ) ||
+		if (!(_audit_syscalladded || _audit_permadded || _audit_exeadded) ||
 				(add==AUDIT_FILTER_UNSET &&
 					del==AUDIT_FILTER_UNSET)) {
 			audit_msg(LOG_ERR,
-- 
1.7.1

