
Re: audit message types



On Tuesday 19 April 2005 11:23, Steve Grubb wrote:
> I wanted to start a discussion about an old topic that we last discussed
> back in December. The problem basically centers around the audit message
> type being too coarse to be of any real use.

Attached is my current working patch for people to review and comment on. It 
is not a final patch. I still need to review all messages to ensure we have 
everything that it's supposed to be. The patch is against the .31 kernel with 
all my previous patches applied.

If there are no objections or concerns, I will finalize this patch and release 
matching user space tools.

-Steve
diff -ur linux-2.6.9.orig/include/linux/audit.h linux-2.6.9/include/linux/audit.h
--- linux-2.6.9.orig/include/linux/audit.h	2005-05-10 08:24:41.000000000 -0400
+++ linux-2.6.9/include/linux/audit.h	2005-05-10 08:24:11.000000000 -0400
@@ -34,18 +34,52 @@
 struct atomic_t;
 #endif
 
-/* Request and reply types */
+/* The netlink messages for the audit system is divided into blocks:
+ * 1000 - 1099 are for commanding the audit system
+ * 1100 - 1199 user space trusted application messages
+ * 1200 - 1299 messages internal to the audit daemon
+ * 1300 - 1399 audit event messages
+ * 1400 - 1499 SE Linux use
+ * 1500 - 1999 future use
+ * 2000 is for otherwise unclassified kernel audit messages
+ *
+ * Messages from 1000-1199 are bi-directional. 1200-1299 are exclusively user
+ * space. Anything over that is kernel --> user space communication.
+ */
 #define AUDIT_GET		1000	/* Get status */
 #define AUDIT_SET		1001	/* Set status (enable/disable/auditd) */
 #define AUDIT_LIST		1002	/* List filtering rules */
 #define AUDIT_ADD		1003	/* Add filtering rule */
 #define AUDIT_DEL		1004	/* Delete filtering rule */
 #define AUDIT_USER		1005	/* Send a message from user-space */
-#define AUDIT_LOGIN		1006	/* Define the login id and information */
+#define AUDIT_LOGIN		1006	/* /proc/pid/loginuid change event */
 #define AUDIT_WATCH_INS		1007	/* Insert file/dir watch entry */
 #define AUDIT_WATCH_REM		1008	/* Remove file/dir watch entry */
 #define AUDIT_WATCH_LIST	1009	/* List all watches */
-#define AUDIT_SIGNAL_INFO	1010	/* Get information about sender of signal*/
+#define AUDIT_SIGNAL_INFO	1010	/* Get info about sender of signal*/
+
+#define AUDIT_USER_AUTH		1100	/* User space authentication */
+#define AUDIT_USER_ACCT		1101	/* User space acct change */
+#define AUDIT_USER_MGMT		1102	/* User space acct management */
+#define AUDIT_CRED_ACQ		1103	/* User space credential acquired */
+#define AUDIT_CRED_DISP		1104	/* User space credential disposed */
+#define AUDIT_USER_START	1105	/* User space session start */ 
+#define AUDIT_USER_END		1106	/* User space session end */
+ 
+#define AUDIT_DAEMON_START      1200    /* Daemon startup record */
+#define AUDIT_DAEMON_END        1201    /* Daemon normal stop record */
+#define AUDIT_DAEMON_ABORT      1202    /* Daemon error stop record */
+#define AUDIT_DAEMON_CONFIG     1203    /* Daemon config change */
+
+#define AUDIT_SYSCALL		1300	/* Syscall event */
+#define AUDIT_FS_WATCH		1301	/* Filesystem watch event */
+#define AUDIT_PATH		1302	/* Filname path information */
+#define AUDIT_IPC		1303	/* IPC record */
+#define AUDIT_SOCKET		1304	/* Socket record */
+#define AUDIT_CONFIG_CHANGE	1305	/* Audit system configuration change */
+
+#define AUDIT_AVC		1400	/* SE Linux avc denial or grant */
+#define AUDIT_SELINUX_ERR	1401	/* Internal SE Linux Errors */
 
 #define AUDIT_KERNEL		2000	/* Asynchronous audit record. NOT A REQUEST. */
 
@@ -284,11 +318,11 @@
 #ifdef CONFIG_AUDIT
 /* These are defined in audit.c */
 				/* Public API */
-extern void		    audit_log(struct audit_context *ctx,
+extern void		    audit_log(struct audit_context *ctx, int type,
 				      const char *fmt, ...)
-			    __attribute__((format(printf,2,3)));
+			    __attribute__((format(printf,3,4)));
 
-extern struct audit_buffer *audit_log_start(struct audit_context *ctx);
+extern struct audit_buffer *audit_log_start(struct audit_context *ctx,int type);
 extern void		    audit_log_format(struct audit_buffer *ab,
 					     const char *fmt, ...)
 			    __attribute__((format(printf,2,3)));
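Review bot: The new `audit_log_start` prototype is written `struct audit_context *ctx,int type` with no space after the comma, unlike every other prototype in this block; `extern struct audit_buffer *audit_log_start(struct audit_context *ctx, int type);`. The printf attribute indices moving from (2,3) to (3,4) correctly follow the inserted parameter, so the format checking on `audit_log` is preserved.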
@@ -314,8 +348,8 @@
 					     void *payload, int size);
 extern void		    audit_log_lost(const char *message);
 #else
-#define audit_log(t,f,...) do { ; } while (0)
-#define audit_log_start(t) ({ NULL; })
+#define audit_log(c,t,f,...) do { ; } while (0)
+#define audit_log_start(c,t) ({ NULL; })
 #define audit_log_vformat(b,f,a) do { ; } while (0)
 #define audit_log_format(b,f,...) do { ; } while (0)
 #define audit_log_end(b) do { ; } while (0)
diff -ur linux-2.6.9.orig/kernel/audit.c linux-2.6.9/kernel/audit.c
--- linux-2.6.9.orig/kernel/audit.c	2005-05-10 08:24:46.000000000 -0400
+++ linux-2.6.9/kernel/audit.c	2005-05-10 08:24:11.000000000 -0400
@@ -242,7 +242,8 @@
 {
 	int old		 = audit_rate_limit;
 	audit_rate_limit = limit;
-	audit_log(NULL, "audit_rate_limit=%d old=%d by auid %u",
+	audit_log(NULL, AUDIT_CONFIG_CHANGE, 
+			"audit_rate_limit=%d old=%d by auid %u",
 			audit_rate_limit, old, loginuid);
 	return old;
 }
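Review bot: The added line `audit_log(NULL, AUDIT_CONFIG_CHANGE, ` carries a trailing space; the same trailing whitespace is on the added `"auid %u added a watch\n", ` and `"auid %u removed a watch\n", ` lines in the two auditfs.c hunks and on the `audit_log(NULL, AUDIT_CONFIG_CHANGE, ` line of the AUDIT_ADD case in the first auditsc.c hunk. The continuation lines also switch from aligning under the opening parenthesis (the style of the removed lines) to a third tab, which is worth making consistent across the five config-change call sites before the patch is finalized.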
@@ -251,7 +252,8 @@
 {
 	int old		 = audit_backlog_limit;
 	audit_backlog_limit = limit;
-	audit_log(NULL, "audit_backlog_limit=%d old=%d by auid %u",
+	audit_log(NULL, AUDIT_CONFIG_CHANGE,
+			"audit_backlog_limit=%d old=%d by auid %u",
 			audit_backlog_limit, old, loginuid);
 	return old;
 }
@@ -262,8 +264,9 @@
 	if (state != 0 && state != 1)
 		return -EINVAL;
 	audit_enabled = state;
-	audit_log(NULL, "audit_enabled=%d old=%d by auid %u",
-		  audit_enabled, old, loginuid);
+	audit_log(NULL, AUDIT_CONFIG_CHANGE,
+			"audit_enabled=%d old=%d by auid %u",
+			audit_enabled, old, loginuid);
 	return old;
 }
 
@@ -275,8 +278,9 @@
 	    && state != AUDIT_FAIL_PANIC)
 		return -EINVAL;
 	audit_failure = state;
-	audit_log(NULL, "audit_failure=%d old=%d by auid %u",
-		  audit_failure, old, loginuid);
+	audit_log(NULL, AUDIT_CONFIG_CHANGE,
+			"audit_failure=%d old=%d by auid %u",
+			audit_failure, old, loginuid);
 	return old;
 }
 
@@ -387,7 +391,8 @@
 		if (status_get->mask & AUDIT_STATUS_PID) {
 			int old   = audit_pid;
 			audit_pid = status_get->pid;
-			audit_log(NULL, "audit_pid=%d old=%d by auid %u",
+			audit_log(NULL, AUDIT_CONFIG_CHANGE,
+				"audit_pid=%d old=%d by auid %u",
 				  audit_pid, old, loginuid);
 		}
 		if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
@@ -397,7 +402,7 @@
 							loginuid);
 		break;
 	case AUDIT_USER:
-		ab = audit_log_start(NULL);
+		ab = audit_log_start(NULL, AUDIT_USER);
 		if (!ab)
 			break;	/* audit_panic has been called */
 		audit_log_format(ab,
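Review bot: The nlmsgtab.c hunk admits AUDIT_USER_AUTH through AUDIT_USER_END from user space with NLMSG_RELAY, but this switch only handles `case AUDIT_USER:` and no hunk adds cases for the new 1100-series types; unless the enclosing audit_receive_msg (its switch begins outside this hunk) already has a catch-all, a message carrying one of those types would fall through to the default and never be relayed, let alone with its own type. The simplest fix is to stack the seven new case labels above `case AUDIT_USER:` and tag the buffer with the type that actually arrived, `ab = audit_log_start(NULL, nlh->nlmsg_type);`, so the record keeps the classification the sender chose. Whatever permission check gates AUDIT_USER today (not visible here) then applies to the new types as well, which should be confirmed, since these records are attributed to a trusted application.

```c
	case AUDIT_USER_AUTH:
	case AUDIT_USER_ACCT:
	case AUDIT_USER_MGMT:
	case AUDIT_CRED_ACQ:
	case AUDIT_CRED_DISP:
	case AUDIT_USER_START:
	case AUDIT_USER_END:
	case AUDIT_USER:
		/* keep the sender's type so the record is classified as sent */
		ab = audit_log_start(NULL, nlh->nlmsg_type);
		if (!ab)
			break;	/* audit_panic has been called */
		/* … unchanged: audit_log_format of the user payload … */
```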
@@ -407,7 +412,6 @@
 				 (int)(nlh->nlmsg_len
 				       - ((char *)data - (char *)nlh)),
 				 loginuid, (char *)data);
-		audit_set_type(ab, AUDIT_USER);
 		audit_set_pid(ab, pid);
 		audit_log_end(ab);
 		break;
@@ -538,7 +542,7 @@
 
 	audit_initialized = 1;
 	audit_enabled = audit_default;
-	audit_log(NULL, "initialized");
+	audit_log(NULL, AUDIT_KERNEL, "initialized");
 	return 0;
 }
 
@@ -565,7 +569,7 @@
 
 	audit_initialized = 1;
 	audit_enabled = audit_default;
-	audit_log(NULL, "initialized");
+	audit_log(NULL, AUDIT_KERNEL, "initialized");
 	return 0;
 }
 #endif
@@ -605,7 +609,7 @@
 }
 
 static struct audit_buffer * audit_buffer_alloc(struct audit_context *ctx,
-						int gfp_mask)
+						int gfp_mask, int type)
 {
 	unsigned long flags;
 	struct audit_buffer *ab = NULL;
@@ -633,7 +637,7 @@
 
 	ab->ctx   = ctx;
 	nlh = (struct nlmsghdr *)skb_put(ab->skb, NLMSG_SPACE(0));
-	nlh->nlmsg_type = AUDIT_KERNEL;
+	nlh->nlmsg_type = type;
 	nlh->nlmsg_flags = 0;
 	nlh->nlmsg_pid = 0;
 	nlh->nlmsg_seq = 0;
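Review bot: `nlh->nlmsg_type = type;` stores an `int` into the 16-bit `nlmsg_type` field with no range check, so a caller passing a value outside 0-65535 would be silently truncated. Every caller in this patch passes an AUDIT_* constant, so a comment is enough for now: `/* type is an AUDIT_* value (1000-2000); nlmsg_type is only 16 bits wide */`. The `type` parameter added to audit_buffer_alloc in the previous hunk has no description either; the function's header comment, if any, is outside both hunks.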
@@ -649,7 +653,7 @@
  * syscall, then the syscall is marked as auditable and an audit record
  * will be written at syscall exit.  If there is no associated task, tsk
  * should be NULL. */
-struct audit_buffer *audit_log_start(struct audit_context *ctx)
+struct audit_buffer *audit_log_start(struct audit_context *ctx, int type)
 {
 	struct audit_buffer	*ab	= NULL;
 	struct timespec		t;
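Review bot: The comment block above `audit_log_start` (it starts outside this hunk) still describes only the ctx argument and says nothing about the new `type`; add a line such as `type is the AUDIT_* message type stored in the record's nlmsg_type header; it classifies the record for user space.` The comment above `audit_log` in the later hunk of this file has the same gap: it lists the three functions it wraps but not that `type` is passed straight through to audit_log_start. Both functions' bodies continue past their hunks.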
@@ -670,7 +674,7 @@
 		return NULL;
 	}
 
-	ab = audit_buffer_alloc(ctx, GFP_ATOMIC);
+	ab = audit_buffer_alloc(ctx, GFP_ATOMIC, type);
 	if (!ab) {
 		audit_log_lost("out of memory in audit_log_start");
 		return NULL;
@@ -877,12 +881,12 @@
 /* Log an audit record.  This is a convenience function that calls
  * audit_log_start, audit_log_vformat, and audit_log_end.  It may be
  * called in any context. */
-void audit_log(struct audit_context *ctx, const char *fmt, ...)
+void audit_log(struct audit_context *ctx, int type, const char *fmt, ...)
 {
 	struct audit_buffer *ab;
 	va_list args;
 
-	ab = audit_log_start(ctx);
+	ab = audit_log_start(ctx, type);
 	if (ab) {
 		va_start(args, fmt);
 		audit_log_vformat(ab, fmt, args);
diff -ur linux-2.6.9.orig/kernel/auditfs.c linux-2.6.9/kernel/auditfs.c
--- linux-2.6.9.orig/kernel/auditfs.c	2005-05-10 08:24:46.000000000 -0400
+++ linux-2.6.9/kernel/auditfs.c	2005-05-10 08:24:11.000000000 -0400
@@ -384,7 +384,8 @@
 
 	/* __d_lookup will attach the audit data, if nd.last exists. */
 	dput(d_lookup(nd.dentry, &nd.last));
-	audit_log(NULL, "auid %u added a watch\n", loginuid);
+	audit_log(NULL, AUDIT_CONFIG_CHANGE, "auid %u added a watch\n", 
+			loginuid);
 
 audit_insert_watch_release:
 	path_release(&nd);
@@ -418,7 +419,8 @@
 	audit_destroy_wentry(wentry);
 	audit_wentry_put(wentry);
 	write_unlock(&data->lock);
-	audit_log(NULL, "auid %u removed a watch\n", loginuid);
+	audit_log(NULL, AUDIT_CONFIG_CHANGE, "auid %u removed a watch\n", 
+			loginuid);
 
 	ret = 0;
 
diff -ur linux-2.6.9.orig/kernel/auditsc.c linux-2.6.9/kernel/auditsc.c
--- linux-2.6.9.orig/kernel/auditsc.c	2005-05-10 08:24:46.000000000 -0400
+++ linux-2.6.9/kernel/auditsc.c	2005-05-10 08:24:11.000000000 -0400
@@ -298,7 +298,8 @@
 			err = audit_add_rule(entry, &audit_entlist);
 		if (!err && (flags & AUDIT_AT_EXIT))
 			err = audit_add_rule(entry, &audit_extlist);
-		audit_log(NULL, "auid %u added an audit rule\n", loginuid);
+		audit_log(NULL, AUDIT_CONFIG_CHANGE, 
+				"auid %u added an audit rule\n", loginuid);
 		break;
 	case AUDIT_DEL:
 		flags =((struct audit_rule *)data)->flags;
@@ -308,7 +309,8 @@
 			err = audit_del_rule(data, &audit_entlist);
 		if (!err && (flags & AUDIT_AT_EXIT))
 			err = audit_del_rule(data, &audit_extlist);
-		audit_log(NULL, "auid %u removed an audit rule\n", loginuid);
+		audit_log(NULL, AUDIT_CONFIG_CHANGE,
+				"auid %u removed an audit rule\n", loginuid);
 		break;
 	default:
 		return -EINVAL;
@@ -657,12 +659,14 @@
 	up_read(&mm->mmap_sem);
 }
 
+extern void audit_set_type(struct audit_buffer *ab, int type);
+
 static void audit_log_exit(struct audit_context *context)
 {
 	int i;
 	struct audit_buffer *ab;
 
-	ab = audit_log_start(context);
+	ab = audit_log_start(context, AUDIT_SYSCALL);
 	if (!ab)
 		return;		/* audit_panic has been called */
 	audit_log_format(ab, "syscall=%d", context->major);
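Review bot: `extern void audit_set_type(struct audit_buffer *ab, int type);` declares a void return, while the declaration this patch removes from above audit_set_loginuid (the last auditsc.c hunk) was `extern int audit_set_type(...)`; one of the two disagrees with the definition in audit.c, which this patch does not touch, and a file-local prototype gives the compiler no way to catch that. Since audit.c includes include/linux/audit.h, the prototype belongs in the header next to `audit_log_start`, where the definition is checked against it; `extern void audit_set_type(struct audit_buffer *ab, int type);` there, and drop the local extern here.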
@@ -694,7 +698,7 @@
 	while (context->aux) {
 		struct audit_aux_data *aux;
 
-		ab = audit_log_start(context);
+		ab = audit_log_start(context, AUDIT_KERNEL);
 		if (!ab)
 			continue; /* audit_panic has been called */
 
@@ -705,6 +709,8 @@
 		switch (aux->type) {
 		case AUDIT_AUX_IPCPERM: {
 			struct audit_aux_data_ipcctl *axi = (void *)aux;
+
+			audit_set_type(ab, AUDIT_IPC);
 			audit_log_format(ab, 
 					 " qbytes=%lx uid=%d gid=%d mode=%x",
 					 axi->qbytes, axi->uid, axi->gid, axi->mode);
@@ -713,6 +719,7 @@
 
 		case AUDIT_AUX_WATCH: {
 			struct audit_aux_data_watched *axi = (void *)aux;
+			audit_set_type(ab, AUDIT_FS_WATCH);
 			audit_log_format(ab, " watch=");
 			audit_log_untrustedstring(ab, axi->wentry->w_watch->name);
 			audit_log_format(ab,
@@ -733,7 +740,7 @@
 	}
 
 	for (i = 0; i < context->name_count; i++) {
-		ab = audit_log_start(context);
+		ab = audit_log_start(context, AUDIT_PATH);
 		if (!ab)
 			continue; /* audit_panic has been called */
 		audit_log_format(ab, "item=%d", i);
@@ -1037,20 +1044,17 @@
 	}
 }
 
-extern int audit_set_type(struct audit_buffer *ab, int type);
-
 int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
 {
 	if (task->audit_context) {
 		struct audit_buffer *ab;
 
-		ab = audit_log_start(NULL);
+		ab = audit_log_start(NULL, AUDIT_LOGIN);
 		if (ab) {
 			audit_log_format(ab, "login pid=%d uid=%u "
 				"old loginuid=%u new loginuid=%u",
 				task->pid, task->uid, 
 				task->audit_context->loginuid, loginuid);
-			audit_set_type(ab, AUDIT_LOGIN);
 			audit_log_end(ab);
 		}
 		task->audit_context->loginuid = loginuid;
diff -ur linux-2.6.9.orig/security/selinux/avc.c linux-2.6.9/security/selinux/avc.c
--- linux-2.6.9.orig/security/selinux/avc.c	2005-05-10 08:24:51.000000000 -0400
+++ linux-2.6.9/security/selinux/avc.c	2005-05-10 08:24:11.000000000 -0400
@@ -204,7 +204,7 @@
 	avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node),
 					     0, SLAB_PANIC, NULL, NULL);
 
-	audit_log(current->audit_context, "AVC INITIALIZED\n");
+	audit_log(current->audit_context, AUDIT_KERNEL, "AVC INITIALIZED\n");
 }
 
 int avc_get_hash_stats(char *page)
@@ -511,7 +511,7 @@
 			return;
 	}
 
-	ab = audit_log_start(current->audit_context);
+	ab = audit_log_start(current->audit_context, AUDIT_AVC);
 	if (!ab)
 		return;		/* audit_panic has been called */
 	audit_log_format(ab, "avc:  %s ", denied ? "denied" : "granted");
diff -ur linux-2.6.9.orig/security/selinux/nlmsgtab.c linux-2.6.9/security/selinux/nlmsgtab.c
--- linux-2.6.9.orig/security/selinux/nlmsgtab.c	2005-05-10 08:24:51.000000000 -0400
+++ linux-2.6.9/security/selinux/nlmsgtab.c	2005-05-10 08:27:26.507095128 -0400
@@ -98,6 +98,13 @@
 	{ AUDIT_WATCH_INS,	NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
 	{ AUDIT_WATCH_REM,	NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
 	{ AUDIT_WATCH_LIST,	NETLINK_AUDIT_SOCKET__NLMSG_READPRIV },
+	{ AUDIT_USER_AUTH,	NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
+	{ AUDIT_USER_ACCT,	NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
+	{ AUDIT_USER_MGMT,	NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
+	{ AUDIT_CRED_ACQ,	NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
+	{ AUDIT_CRED_DISP,	NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
+	{ AUDIT_USER_START,	NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
+	{ AUDIT_USER_END,	NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
 };
 
 
diff -ur linux-2.6.9.orig/security/selinux/ss/services.c linux-2.6.9/security/selinux/ss/services.c
--- linux-2.6.9.orig/security/selinux/ss/services.c	2005-05-10 08:24:51.000000000 -0400
+++ linux-2.6.9/security/selinux/ss/services.c	2005-05-10 08:24:11.000000000 -0400
@@ -579,7 +579,7 @@
 		goto out;
 	if (context_struct_to_string(newcontext, &n, &nlen) < 0)
 		goto out;
-	audit_log(current->audit_context,
+	audit_log(current->audit_context, AUDIT_SELINUX_ERR,
 		  "security_compute_sid:  invalid context %s"
 		  " for scontext=%s"
 		  " tcontext=%s"
