[patch 058/209] audit: rework execve audit

Peter Zijlstra a.p.zijlstra at chello.nl
Fri Jul 27 22:24:13 UTC 2007


On Sat, 2007-07-28 at 00:06 +0200, Peter Zijlstra wrote:
> On Fri, 2007-07-27 at 23:55 +0200, Peter Zijlstra wrote:
> > On Fri, 2007-07-27 at 16:57 -0400, Steve Grubb wrote:
> > 
> > > I don't know of anything special, it's a fully updated rawhide machine. I am not 
> > > running any tests, this is at the prompt in runlevel 3. I have audit=1 as a 
> > > boot parameter in grub.conf and very simple audit rules for that machine:
> > > 
> > > -D
> > > -b 256
> > > -a exit,always -S sethostname
> > > -w /etc/selinux/config
> > > 
> > > which is not exotic.


[root at opteron ~]# auditctl -D
No rules
[root at opteron ~]# auditctl -b 256
AUDIT_STATUS: enabled=0 flag=1 pid=0 rate_limit=0 backlog_limit=256 lost=0 backlog=0
[root at opteron ~]# auditctl -a exit,always -S sethostname
[root at opteron ~]# auditctl -w /etc/selinux/config
[root at opteron ~]# man auditd
[root at opteron ~]#  auditd -f
Config file /etc/audit/auditd.conf opened for parsing
log_file_parser called with: /var/log/audit/audit.log
log_format_parser called with: RAW
priority_boost_parser called with: 3
flush_parser called with: INCREMENTAL
freq_parser called with: 20
num_logs_parser called with: 4
dispatch_parser called with: /sbin/audispd
qos_parser called with: lossy
max_log_size_parser called with: 5
max_log_size_action_parser called with: ROTATE
space_left_parser called with: 75
space_action_parser called with: SYSLOG
action_mail_acct_parser called with: root
admin_space_left_parser called with: 50
admin_space_left_action_parser called with: SUSPEND
disk_full_action_parser called with: SUSPEND
disk_error_action_parser called with: SUSPEND
Started dispatcher: /sbin/audispd pid: 3375
type=DAEMON_START msg=audit(1185574384.343:9448) auditd start, ver=1.5.3, format=raw, auid=4294967295 pid=3373 res=success, auditd pid=3373
config_manager init complete
Init complete, auditd 1.5.3 listening for events
type=CONFIG_CHANGE msg=audit(1185574384.450:6): audit_enabled=1 old=0 by auid=4294967295 res=1
type=SYSCALL msg=audit(1185574406.346:7): arch=c000003e syscall=2 success=yes exit=3 a0=2ba34c4f61f6 a1=0 a2=1b6 a3=0 items=1 ppid=2903 pid=3376 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=CWD msg=audit(1185574406.346:7):  cwd="/"
type=PATH msg=audit(1185574406.346:7): item=0 name="/etc/selinux/config" inode=19989869 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=USER_ACCT msg=audit(1185574406.528:8): user pid=3376 uid=0 auid=4294967295 msg='PAM: accounting acct=root : exe="/usr/sbin/sshd" (hostname=192.168.0.32, addr=192.168.0.32, terminal=ssh res=success)'
...

-----------

When I pressed ctrl-c to try -a exit,always -S execve, I found this on my serial console:

-----------
Kernel 2.6.23-rc1 on an x86_64

opteron.programming.kicks-ass.net login: 
[   75.452053] audit(1185574293.834:2): audit_backlog_limit=256 old=64 by auid=4294967295 res=1
[  120.237812] audit(1185574338.691:3): auid=4294967295 op=add rule key=(null) list=4 res=1
[  149.512552] audit(1185574368.012:4): auid=4294967295 op=add rule key=(null) list=4 res=1
[  165.816721] audit(1185574384.343:5): audit_pid=3373 old=0 by auid=4294967295
[  465.113754] Unable to handle kernel NULL pointer dereference at 0000000000000484 RIP:
[  465.119212]  [<ffffffff802785fc>] __audit_signal_info+0x3c/0x150
[  465.127628] PGD 79f32067 PUD 0
[  465.130772] Oops: 0000 [1] PREEMPT SMP
[  465.134614] CPU 1
[  465.136622] Modules linked in: nfsd exportfs autofs4 binfmt_misc ext2 sbs fan dock container battery ac nvram loop evbug evdev thermal psmouse i2c_piix4 processor button i2c_core sr_mod cdrom sg shpchp pci_hotplug sd_mod ext3 jbd mbcache ehci_hcd ohci_hcd uhci_hcd usbcore
[  465.160924] Pid: 3151, comm: sshd Not tainted 2.6.23-rc1 #8
[  465.166465] RIP: 0010:[<ffffffff802785fc>]  [<ffffffff802785fc>] __audit_signal_info+0x3c/0x150
[  465.175128] RSP: 0018:ffff8100731e5be8  EFLAGS: 00010202
[  465.180408] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8100718b0000
[  465.187503] RDX: 0000000000000001 RSI: ffff810068614000 RDI: 0000000000000002
[  465.194600] RBP: ffff8100731e5bf8 R08: 0000000000000001 R09: 0000000000000000
[  465.201697] R10: 0000000000000001 R11: 0000000000000001 R12: ffff810068614000
[  465.208792] R13: ffff810068614000 R14: 0000000000000001 R15: ffff810074e77000
[  465.215888] FS:  00002b8c2dc90870(0000) GS:ffff810001102380(0000) knlGS:0000000000000000
[  465.223935] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  465.229649] CR2: 0000000000000484 CR3: 0000000037cfc000 CR4: 00000000000006e0
[  465.236745] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  465.243841] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[  465.250936] Process sshd (pid: 3151, threadinfo ffff8100731e4000, task ffff8100718b0000)
[  465.258983] Stack:  0000000000000001 0000000000000002 ffff8100731e5c28 ffffffff80247788
[  465.266993]  0000000000200200 ffff810068614218 0000000000000002 ffff810068614000
[  465.274388]  ffff8100731e5c68 ffffffff80248bb6 ffff8100731e5c78 0000000000000246
[  465.281599] Call Trace:
[  465.284215]  [<ffffffff80247788>] check_kill_permission+0x88/0x160
[  465.290362]  [<ffffffff80248bb6>] group_send_sig_info+0x26/0x90
[  465.296249]  [<ffffffff80248eca>] __kill_pgrp_info+0x3a/0x70
[  465.301877]  [<ffffffff80248f37>] kill_pgrp_info+0x37/0x60
[  465.307332]  [<ffffffff80248f78>] kill_pgrp+0x18/0x20
[  465.312355]  [<ffffffff803a31ce>] n_tty_receive_buf+0x76e/0x1010
[  465.318331]  [<ffffffff80423ffc>] sock_aio_read+0x14c/0x160
[  465.323874]  [<ffffffff8025a0d6>] get_lock_stats+0x16/0x60
[  465.329328]  [<ffffffff8025a12e>] put_lock_stats+0xe/0x40
[  465.334696]  [<ffffffff8025a1c3>] lock_release_holdtime+0x63/0x80
[  465.340756]  [<ffffffff802535a9>] add_wait_queue+0x49/0x60
[  465.346213]  [<ffffffff803a537c>] pty_write+0x4c/0x60
[  465.351238]  [<ffffffff803a2935>] write_chan+0x255/0x380
[  465.356521]  [<ffffffff80233f80>] default_wake_function+0x0/0x10
[  465.362496]  [<ffffffff8039fca9>] tty_write+0x199/0x250
[  465.367690]  [<ffffffff803a26e0>] write_chan+0x0/0x380
[  465.372800]  [<ffffffff802ae0a4>] vfs_write+0xe4/0x190
[  465.377910]  [<ffffffff802ae770>] sys_write+0x50/0x90
[  465.382933]  [<ffffffff8020c1be>] system_call+0x7e/0x83
[  465.388131]
[  465.389610]
[  465.389610] Code: 8b 83 84 04 00 00 85 c0 74 53 48 8b 83 48 04 00 00 48 85 c0
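As an added example (not from Peter's message and not part of the audit project), a small Python parser for the RAW audit records shown in the session above: it groups SYSCALL/CWD/PATH lines by their audit(ts:serial) event id, copes with the nested quoting inside msg='...' fields, and reports which files were touched by events whose login uid is unset (auid=4294967295, i.e. daemons rather than logged-in users). The sample input is constructed from the records quoted above; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: RAW records copied from the auditd -f session above.
SAMPLE = """\
type=SYSCALL msg=audit(1185574406.346:7): arch=c000003e syscall=2 success=yes exit=3 a0=2ba34c4f61f6 a1=0 a2=1b6 a3=0 items=1 ppid=2903 pid=3376 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=CWD msg=audit(1185574406.346:7):  cwd="/"
type=PATH msg=audit(1185574406.346:7): item=0 name="/etc/selinux/config" inode=19989869 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=USER_ACCT msg=audit(1185574406.528:8): user pid=3376 uid=0 auid=4294967295 msg='PAM: accounting acct=root : exe="/usr/sbin/sshd" (hostname=192.168.0.32, addr=192.168.0.32, terminal=ssh res=success)'
"""

AUID_UNSET = "4294967295"  # (unsigned)-1: no login session recorded

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# key=value where value is 'single-quoted', "double-quoted" or a bare token;
# the quoted alternatives come first so msg='... exe="x" ...' stays one field
FIELD = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")

def parse_record(line):
    """Turn one RAW record into a dict; return None for non-record lines."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip("'\"") for k, v in FIELD.findall(body)}
    return {"type": rtype, "ts": float(ts), "serial": int(serial), **fields}

def group_events(text):
    """Group records sharing one audit(ts:serial) id into a single event."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return dict(events)

def paths_without_login_session(events):
    """(exe, path) pairs from events whose SYSCALL record has auid unset."""
    hits = []
    for recs in events.values():
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sc and sc.get("auid") == AUID_UNSET:
            hits += [(sc["exe"], r["name"]) for r in recs if r["type"] == "PATH"]
    return hits
```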