2020-03-17 16:05:24

by Richard Guy Briggs

[permalink] [raw]
Subject: [PATCH ghak28 V7] audit: log audit netlink multicast bind and unbind events

Log information about programs connecting to and disconnecting from the
audit netlink multicast socket. This is needed so that during
investigations a security officer can tell who or what had access to the
audit trail. This helps to meet the FAU_SAR.2 requirement for Common
Criteria. Here is the systemd startup event:

type=PROCTITLE msg=audit(2020-02-18 15:26:50.775:10) : proctitle=/init
type=SYSCALL msg=audit(2020-02-18 15:26:50.775:10) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x19 a1=0x55645c369b70 a2=0xc a3=0x7fff9fedec24 items=0 ppid=0 pid=1 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd exe=/usr/lib/systemd/systemd subj=kernel key=(null)
type=UNKNOWN[1335] msg=audit(2020-02-18 15:26:50.775:10) : pid=1 uid=root auid=unset tty=(none) ses=unset subj=kernel comm=systemd exe=/usr/lib/systemd/systemd nl-mcgrp=1 op=connect res=yes

And the events from the test suite:

type=PROCTITLE msg=audit(2020-02-18 15:28:01.594:307) : proctitle=/usr/bin/perl -w amcast_joinpart/test
type=SYSCALL msg=audit(2020-02-18 15:28:01.594:307) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x7 a1=0x558ebc428be0 a2=0xc a3=0x0 items=0 ppid=642 pid=645 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=perl exe=/usr/bin/perl subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=UNKNOWN[1335] msg=audit(2020-02-18 15:28:01.594:307) : pid=645 uid=root auid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=perl exe=/usr/bin/perl nl-mcgrp=1 op=connect res=yes

type=PROCTITLE msg=audit(2020-03-17 11:35:31.474:344) : proctitle=/usr/bin/perl -w amcast_joinpart/test
type=SYSCALL msg=audit(2020-03-17 11:35:31.474:344) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x7 a1=SOL_NETLINK a2=0x2 a3=0x7ffee21ca5f0 items=0 ppid=686 pid=689 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=3 comm=perl exe=/usr/bin/perl subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=UNKNOWN[1335] msg=audit(2020-03-17 11:35:31.474:344) : pid=689 uid=root auid=root tty=ttyS0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=perl exe=/usr/bin/perl nl-mcgrp=1 op=disconnect res=yes

type=UNKNOWN[1335] msg=audit(2020-01-17 10:36:24.051:295) : pid=674 uid=root auid=root tty=ttyS0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=perl exe=/usr/bin/perl nl-mcgrp=1 op=disconnect res=yes

Please see the upstream issue tracker at
https://github.com/linux-audit/audit-kernel/issues/28
With the feature description at
https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Multicast-Socket-Join-Part
The testsuite support is at
https://github.com/rgbriggs/audit-testsuite/compare/ghak28-mcast-part-join
https://github.com/linux-audit/audit-testsuite/pull/93
And the userspace support patch is at
https://github.com/linux-audit/audit-userspace/pull/114

Signed-off-by: Richard Guy Briggs <[email protected]>

---
Note: subj attrs included due to missing syscall record for disconnect on close
Note: tried refactor of subj attrs, but this is yet another new order.

Changelog:
v7:
- rename audit_log_multicast_bind to audit_log_multicast

v6:
- rebased on 5.6-rc1 audit/next and audit log BPF
- updated patch description sample records

v5:
- rebased on 5.5-rc1 audit/next
- group bind/unbind ops
- add audit context
- justify message number skip
- check audit_enabled
- change field name from nlnk-grp to nl-mcgrp
- fix whitespace issues

v4:
- 2017-10-13 sgrubb
- squash to 1 patch
- rebase on KERN_MODULE event
- open code subj attrs

v3:
- 2016-11-30 sgrubb
- rebase on REPLACE event
- minimize audit_log_format calls
- rename audit_log_bind to audit_log_multicast_bind

v2:
- 2015-07-23 sgrubb
- spin off audit_log_task_simple in seperate patch

v1:
- 2014-10-07 rgb
---
include/uapi/linux/audit.h | 1 +
kernel/audit.c | 48 ++++++++++++++++++++++++++++++++++++++++++----
2 files changed, 45 insertions(+), 4 deletions(-)

diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index a534d71e689a..9b6a973f4cc3 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -117,6 +117,7 @@
#define AUDIT_TIME_INJOFFSET 1332 /* Timekeeping offset injected */
#define AUDIT_TIME_ADJNTPVAL 1333 /* NTP value adjustment */
#define AUDIT_BPF 1334 /* BPF subsystem */
+#define AUDIT_EVENT_LISTENER 1335 /* Task joined multicast read socket */

#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
diff --git a/kernel/audit.c b/kernel/audit.c
index b96331e1976d..612bd818f6d7 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1520,20 +1520,60 @@ static void audit_receive(struct sk_buff *skb)
audit_ctl_unlock();
}

+/* Log information about who is connecting to the audit multicast socket */
+static void audit_log_multicast(int group, const char *op, int err)
+{
+ const struct cred *cred;
+ struct tty_struct *tty;
+ char comm[sizeof(current->comm)];
+ struct audit_buffer *ab;
+
+ if (!audit_enabled)
+ return;
+
+ ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_EVENT_LISTENER);
+ if (!ab)
+ return;
+
+ cred = current_cred();
+ tty = audit_get_tty();
+ audit_log_format(ab, "pid=%u uid=%u auid=%u tty=%s ses=%u",
+ task_pid_nr(current),
+ from_kuid(&init_user_ns, cred->uid),
+ from_kuid(&init_user_ns, audit_get_loginuid(current)),
+ tty ? tty_name(tty) : "(none)",
+ audit_get_sessionid(current));
+ audit_put_tty(tty);
+ audit_log_task_context(ab); /* subj= */
+ audit_log_format(ab, " comm=");
+ audit_log_untrustedstring(ab, get_task_comm(comm, current));
+ audit_log_d_path_exe(ab, current->mm); /* exe= */
+ audit_log_format(ab, " nl-mcgrp=%d op=%s res=%d", group, op, !err);
+ audit_log_end(ab);
+}
+
/* Run custom bind function on netlink socket group connect or bind requests. */
-static int audit_bind(struct net *net, int group)
+static int audit_multicast_bind(struct net *net, int group)
{
+ int err = 0;
+
if (!capable(CAP_AUDIT_READ))
- return -EPERM;
+ err = -EPERM;
+ audit_log_multicast(group, "connect", err);
+ return err;
+}

- return 0;
+static void audit_multicast_unbind(struct net *net, int group)
+{
+ audit_log_multicast(group, "disconnect", 0);
}

static int __net_init audit_net_init(struct net *net)
{
struct netlink_kernel_cfg cfg = {
.input = audit_receive,
- .bind = audit_bind,
+ .bind = audit_multicast_bind,
+ .unbind = audit_multicast_unbind,
.flags = NL_CFG_F_NONROOT_RECV,
.groups = AUDIT_NLGRP_MAX,
};
--
1.8.3.1


2020-04-17 21:20:38

by Paul Moore

[permalink] [raw]
Subject: Re: [PATCH ghak28 V7] audit: log audit netlink multicast bind and unbind events

On Tue, Mar 17, 2020 at 12:04 PM Richard Guy Briggs <[email protected]> wrote:
>
> Log information about programs connecting to and disconnecting from the
> audit netlink multicast socket. This is needed so that during
> investigations a security officer can tell who or what had access to the
> audit trail. This helps to meet the FAU_SAR.2 requirement for Common
> Criteria. Here is the systemd startup event:
>
> type=PROCTITLE msg=audit(2020-02-18 15:26:50.775:10) : proctitle=/init
> type=SYSCALL msg=audit(2020-02-18 15:26:50.775:10) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x19 a1=0x55645c369b70 a2=0xc a3=0x7fff9fedec24 items=0 ppid=0 pid=1 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd exe=/usr/lib/systemd/systemd subj=kernel key=(null)
> type=UNKNOWN[1335] msg=audit(2020-02-18 15:26:50.775:10) : pid=1 uid=root auid=unset tty=(none) ses=unset subj=kernel comm=systemd exe=/usr/lib/systemd/systemd nl-mcgrp=1 op=connect res=yes
>
> And the events from the test suite:
>
> type=PROCTITLE msg=audit(2020-02-18 15:28:01.594:307) : proctitle=/usr/bin/perl -w amcast_joinpart/test
> type=SYSCALL msg=audit(2020-02-18 15:28:01.594:307) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x7 a1=0x558ebc428be0 a2=0xc a3=0x0 items=0 ppid=642 pid=645 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=perl exe=/usr/bin/perl subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> type=UNKNOWN[1335] msg=audit(2020-02-18 15:28:01.594:307) : pid=645 uid=root auid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=perl exe=/usr/bin/perl nl-mcgrp=1 op=connect res=yes
>
> type=PROCTITLE msg=audit(2020-03-17 11:35:31.474:344) : proctitle=/usr/bin/perl -w amcast_joinpart/test
> type=SYSCALL msg=audit(2020-03-17 11:35:31.474:344) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x7 a1=SOL_NETLINK a2=0x2 a3=0x7ffee21ca5f0 items=0 ppid=686 pid=689 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=3 comm=perl exe=/usr/bin/perl subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> type=UNKNOWN[1335] msg=audit(2020-03-17 11:35:31.474:344) : pid=689 uid=root auid=root tty=ttyS0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=perl exe=/usr/bin/perl nl-mcgrp=1 op=disconnect res=yes
>
> type=UNKNOWN[1335] msg=audit(2020-01-17 10:36:24.051:295) : pid=674 uid=root auid=root tty=ttyS0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=perl exe=/usr/bin/perl nl-mcgrp=1 op=disconnect res=yes

This patch looks fine to me, but this line is curious ... I'm assuming
this is just a stray/cut-n-paste-error from the last time you updated
the commit description? If so, just let me know and I can drop it
while merging, otherwise there is something odd going on ....

> Please see the upstream issue tracker at
> https://github.com/linux-audit/audit-kernel/issues/28
> With the feature description at
> https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Multicast-Socket-Join-Part
> The testsuite support is at
> https://github.com/rgbriggs/audit-testsuite/compare/ghak28-mcast-part-join
> https://github.com/linux-audit/audit-testsuite/pull/93
> And the userspace support patch is at
> https://github.com/linux-audit/audit-userspace/pull/114
>
> Signed-off-by: Richard Guy Briggs <[email protected]>
>
> ---
> Note: subj attrs included due to missing syscall record for disconnect on close
> Note: tried refactor of subj attrs, but this is yet another new order.
>
> Changelog:
> v7:
> - rename audit_log_multicast_bind to audit_log_multicast
>
> v6:
> - rebased on 5.6-rc1 audit/next and audit log BPF
> - updated patch description sample records
>
> v5:
> - rebased on 5.5-rc1 audit/next
> - group bind/unbind ops
> - add audit context
> - justify message number skip
> - check audit_enabled
> - change field name from nlnk-grp to nl-mcgrp
> - fix whitespace issues
>
> v4:
> - 2017-10-13 sgrubb
> - squash to 1 patch
> - rebase on KERN_MODULE event
> - open code subj attrs
>
> v3:
> - 2016-11-30 sgrubb
> - rebase on REPLACE event
> - minimize audit_log_format calls
> - rename audit_log_bind to audit_log_multicast_bind
>
> v2:
> - 2015-07-23 sgrubb
> - spin off audit_log_task_simple in seperate patch
>
> v1:
> - 2014-10-07 rgb
> ---
> include/uapi/linux/audit.h | 1 +
> kernel/audit.c | 48 ++++++++++++++++++++++++++++++++++++++++++----
> 2 files changed, 45 insertions(+), 4 deletions(-)
>
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index a534d71e689a..9b6a973f4cc3 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -117,6 +117,7 @@
> #define AUDIT_TIME_INJOFFSET 1332 /* Timekeeping offset injected */
> #define AUDIT_TIME_ADJNTPVAL 1333 /* NTP value adjustment */
> #define AUDIT_BPF 1334 /* BPF subsystem */
> +#define AUDIT_EVENT_LISTENER 1335 /* Task joined multicast read socket */
>
> #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
> #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
> diff --git a/kernel/audit.c b/kernel/audit.c
> index b96331e1976d..612bd818f6d7 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1520,20 +1520,60 @@ static void audit_receive(struct sk_buff *skb)
> audit_ctl_unlock();
> }
>
> +/* Log information about who is connecting to the audit multicast socket */
> +static void audit_log_multicast(int group, const char *op, int err)
> +{
> + const struct cred *cred;
> + struct tty_struct *tty;
> + char comm[sizeof(current->comm)];
> + struct audit_buffer *ab;
> +
> + if (!audit_enabled)
> + return;
> +
> + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_EVENT_LISTENER);
> + if (!ab)
> + return;
> +
> + cred = current_cred();
> + tty = audit_get_tty();
> + audit_log_format(ab, "pid=%u uid=%u auid=%u tty=%s ses=%u",
> + task_pid_nr(current),
> + from_kuid(&init_user_ns, cred->uid),
> + from_kuid(&init_user_ns, audit_get_loginuid(current)),
> + tty ? tty_name(tty) : "(none)",
> + audit_get_sessionid(current));
> + audit_put_tty(tty);
> + audit_log_task_context(ab); /* subj= */
> + audit_log_format(ab, " comm=");
> + audit_log_untrustedstring(ab, get_task_comm(comm, current));
> + audit_log_d_path_exe(ab, current->mm); /* exe= */
> + audit_log_format(ab, " nl-mcgrp=%d op=%s res=%d", group, op, !err);
> + audit_log_end(ab);
> +}
> +
> /* Run custom bind function on netlink socket group connect or bind requests. */
> -static int audit_bind(struct net *net, int group)
> +static int audit_multicast_bind(struct net *net, int group)
> {
> + int err = 0;
> +
> if (!capable(CAP_AUDIT_READ))
> - return -EPERM;
> + err = -EPERM;
> + audit_log_multicast(group, "connect", err);
> + return err;
> +}
>
> - return 0;
> +static void audit_multicast_unbind(struct net *net, int group)
> +{
> + audit_log_multicast(group, "disconnect", 0);
> }
>
> static int __net_init audit_net_init(struct net *net)
> {
> struct netlink_kernel_cfg cfg = {
> .input = audit_receive,
> - .bind = audit_bind,
> + .bind = audit_multicast_bind,
> + .unbind = audit_multicast_unbind,
> .flags = NL_CFG_F_NONROOT_RECV,
> .groups = AUDIT_NLGRP_MAX,
> };
> --
> 1.8.3.1
>


--
paul moore
http://www.paul-moore.com

2020-04-17 21:36:20

by Richard Guy Briggs

[permalink] [raw]
Subject: Re: [PATCH ghak28 V7] audit: log audit netlink multicast bind and unbind events

On 2020-04-17 17:18, Paul Moore wrote:
> On Tue, Mar 17, 2020 at 12:04 PM Richard Guy Briggs <[email protected]> wrote:
> >
> > Log information about programs connecting to and disconnecting from the
> > audit netlink multicast socket. This is needed so that during
> > investigations a security officer can tell who or what had access to the
> > audit trail. This helps to meet the FAU_SAR.2 requirement for Common
> > Criteria. Here is the systemd startup event:
> >
> > type=PROCTITLE msg=audit(2020-02-18 15:26:50.775:10) : proctitle=/init
> > type=SYSCALL msg=audit(2020-02-18 15:26:50.775:10) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x19 a1=0x55645c369b70 a2=0xc a3=0x7fff9fedec24 items=0 ppid=0 pid=1 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd exe=/usr/lib/systemd/systemd subj=kernel key=(null)
> > type=UNKNOWN[1335] msg=audit(2020-02-18 15:26:50.775:10) : pid=1 uid=root auid=unset tty=(none) ses=unset subj=kernel comm=systemd exe=/usr/lib/systemd/systemd nl-mcgrp=1 op=connect res=yes
> >
> > And the events from the test suite:
> >
> > type=PROCTITLE msg=audit(2020-02-18 15:28:01.594:307) : proctitle=/usr/bin/perl -w amcast_joinpart/test
> > type=SYSCALL msg=audit(2020-02-18 15:28:01.594:307) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x7 a1=0x558ebc428be0 a2=0xc a3=0x0 items=0 ppid=642 pid=645 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=perl exe=/usr/bin/perl subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> > type=UNKNOWN[1335] msg=audit(2020-02-18 15:28:01.594:307) : pid=645 uid=root auid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=perl exe=/usr/bin/perl nl-mcgrp=1 op=connect res=yes
> >
> > type=PROCTITLE msg=audit(2020-03-17 11:35:31.474:344) : proctitle=/usr/bin/perl -w amcast_joinpart/test
> > type=SYSCALL msg=audit(2020-03-17 11:35:31.474:344) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x7 a1=SOL_NETLINK a2=0x2 a3=0x7ffee21ca5f0 items=0 ppid=686 pid=689 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=3 comm=perl exe=/usr/bin/perl subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> > type=UNKNOWN[1335] msg=audit(2020-03-17 11:35:31.474:344) : pid=689 uid=root auid=root tty=ttyS0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=perl exe=/usr/bin/perl nl-mcgrp=1 op=disconnect res=yes
> >
> > type=UNKNOWN[1335] msg=audit(2020-01-17 10:36:24.051:295) : pid=674 uid=root auid=root tty=ttyS0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=perl exe=/usr/bin/perl nl-mcgrp=1 op=disconnect res=yes
>
> This patch looks fine to me, but this line is curious ... I'm assuming
> this is just a stray/cut-n-paste-error from the last time you updated
> the commit description? If so, just let me know and I can drop it
> while merging, otherwise there is something odd going on ....

That last line is the result of close() from an earlier version of the
testsuite, rather than setsockopt(..., NETLINK_DROP_MEMBERSHIP, ...).

This is why we need the subject attributes, as noted in the first note
above the changelog below.

> > Please see the upstream issue tracker at
> > https://github.com/linux-audit/audit-kernel/issues/28
> > With the feature description at
> > https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Multicast-Socket-Join-Part
> > The testsuite support is at
> > https://github.com/rgbriggs/audit-testsuite/compare/ghak28-mcast-part-join
> > https://github.com/linux-audit/audit-testsuite/pull/93
> > And the userspace support patch is at
> > https://github.com/linux-audit/audit-userspace/pull/114
> >
> > Signed-off-by: Richard Guy Briggs <[email protected]>
> >
> > ---
> > Note: subj attrs included due to missing syscall record for disconnect on close
> > Note: tried refactor of subj attrs, but this is yet another new order.
> >
> > Changelog:
> > v7:
> > - rename audit_log_multicast_bind to audit_log_multicast
> >
> > v6:
> > - rebased on 5.6-rc1 audit/next and audit log BPF
> > - updated patch description sample records
> >
> > v5:
> > - rebased on 5.5-rc1 audit/next
> > - group bind/unbind ops
> > - add audit context
> > - justify message number skip
> > - check audit_enabled
> > - change field name from nlnk-grp to nl-mcgrp
> > - fix whitespace issues
> >
> > v4:
> > - 2017-10-13 sgrubb
> > - squash to 1 patch
> > - rebase on KERN_MODULE event
> > - open code subj attrs
> >
> > v3:
> > - 2016-11-30 sgrubb
> > - rebase on REPLACE event
> > - minimize audit_log_format calls
> > - rename audit_log_bind to audit_log_multicast_bind
> >
> > v2:
> > - 2015-07-23 sgrubb
> > - spin off audit_log_task_simple in seperate patch
> >
> > v1:
> > - 2014-10-07 rgb
> > ---
> > include/uapi/linux/audit.h | 1 +
> > kernel/audit.c | 48 ++++++++++++++++++++++++++++++++++++++++++----
> > 2 files changed, 45 insertions(+), 4 deletions(-)
> >
> > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > index a534d71e689a..9b6a973f4cc3 100644
> > --- a/include/uapi/linux/audit.h
> > +++ b/include/uapi/linux/audit.h
> > @@ -117,6 +117,7 @@
> > #define AUDIT_TIME_INJOFFSET 1332 /* Timekeeping offset injected */
> > #define AUDIT_TIME_ADJNTPVAL 1333 /* NTP value adjustment */
> > #define AUDIT_BPF 1334 /* BPF subsystem */
> > +#define AUDIT_EVENT_LISTENER 1335 /* Task joined multicast read socket */
> >
> > #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
> > #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index b96331e1976d..612bd818f6d7 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -1520,20 +1520,60 @@ static void audit_receive(struct sk_buff *skb)
> > audit_ctl_unlock();
> > }
> >
> > +/* Log information about who is connecting to the audit multicast socket */
> > +static void audit_log_multicast(int group, const char *op, int err)
> > +{
> > + const struct cred *cred;
> > + struct tty_struct *tty;
> > + char comm[sizeof(current->comm)];
> > + struct audit_buffer *ab;
> > +
> > + if (!audit_enabled)
> > + return;
> > +
> > + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_EVENT_LISTENER);
> > + if (!ab)
> > + return;
> > +
> > + cred = current_cred();
> > + tty = audit_get_tty();
> > + audit_log_format(ab, "pid=%u uid=%u auid=%u tty=%s ses=%u",
> > + task_pid_nr(current),
> > + from_kuid(&init_user_ns, cred->uid),
> > + from_kuid(&init_user_ns, audit_get_loginuid(current)),
> > + tty ? tty_name(tty) : "(none)",
> > + audit_get_sessionid(current));
> > + audit_put_tty(tty);
> > + audit_log_task_context(ab); /* subj= */
> > + audit_log_format(ab, " comm=");
> > + audit_log_untrustedstring(ab, get_task_comm(comm, current));
> > + audit_log_d_path_exe(ab, current->mm); /* exe= */
> > + audit_log_format(ab, " nl-mcgrp=%d op=%s res=%d", group, op, !err);
> > + audit_log_end(ab);
> > +}
> > +
> > /* Run custom bind function on netlink socket group connect or bind requests. */
> > -static int audit_bind(struct net *net, int group)
> > +static int audit_multicast_bind(struct net *net, int group)
> > {
> > + int err = 0;
> > +
> > if (!capable(CAP_AUDIT_READ))
> > - return -EPERM;
> > + err = -EPERM;
> > + audit_log_multicast(group, "connect", err);
> > + return err;
> > +}
> >
> > - return 0;
> > +static void audit_multicast_unbind(struct net *net, int group)
> > +{
> > + audit_log_multicast(group, "disconnect", 0);
> > }
> >
> > static int __net_init audit_net_init(struct net *net)
> > {
> > struct netlink_kernel_cfg cfg = {
> > .input = audit_receive,
> > - .bind = audit_bind,
> > + .bind = audit_multicast_bind,
> > + .unbind = audit_multicast_unbind,
> > .flags = NL_CFG_F_NONROOT_RECV,
> > .groups = AUDIT_NLGRP_MAX,
> > };
> > --
> > 1.8.3.1
> >
>
>
> --
> paul moore
> http://www.paul-moore.com
>
>
> --
> Linux-audit mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/linux-audit

- RGB

--
Richard Guy Briggs <[email protected]>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

2020-04-17 22:20:56

by Paul Moore

[permalink] [raw]
Subject: Re: [PATCH ghak28 V7] audit: log audit netlink multicast bind and unbind events

On Fri, Apr 17, 2020 at 5:34 PM Richard Guy Briggs <[email protected]> wrote:
> On 2020-04-17 17:18, Paul Moore wrote:
> > On Tue, Mar 17, 2020 at 12:04 PM Richard Guy Briggs <[email protected]> wrote:
> > >
> > > Log information about programs connecting to and disconnecting from the
> > > audit netlink multicast socket. This is needed so that during
> > > investigations a security officer can tell who or what had access to the
> > > audit trail. This helps to meet the FAU_SAR.2 requirement for Common
> > > Criteria. Here is the systemd startup event:
> > >
> > > type=PROCTITLE msg=audit(2020-02-18 15:26:50.775:10) : proctitle=/init
> > > type=SYSCALL msg=audit(2020-02-18 15:26:50.775:10) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x19 a1=0x55645c369b70 a2=0xc a3=0x7fff9fedec24 items=0 ppid=0 pid=1 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd exe=/usr/lib/systemd/systemd subj=kernel key=(null)
> > > type=UNKNOWN[1335] msg=audit(2020-02-18 15:26:50.775:10) : pid=1 uid=root auid=unset tty=(none) ses=unset subj=kernel comm=systemd exe=/usr/lib/systemd/systemd nl-mcgrp=1 op=connect res=yes
> > >
> > > And the events from the test suite:
> > >
> > > type=PROCTITLE msg=audit(2020-02-18 15:28:01.594:307) : proctitle=/usr/bin/perl -w amcast_joinpart/test
> > > type=SYSCALL msg=audit(2020-02-18 15:28:01.594:307) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x7 a1=0x558ebc428be0 a2=0xc a3=0x0 items=0 ppid=642 pid=645 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=perl exe=/usr/bin/perl subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> > > type=UNKNOWN[1335] msg=audit(2020-02-18 15:28:01.594:307) : pid=645 uid=root auid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=perl exe=/usr/bin/perl nl-mcgrp=1 op=connect res=yes
> > >
> > > type=PROCTITLE msg=audit(2020-03-17 11:35:31.474:344) : proctitle=/usr/bin/perl -w amcast_joinpart/test
> > > type=SYSCALL msg=audit(2020-03-17 11:35:31.474:344) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x7 a1=SOL_NETLINK a2=0x2 a3=0x7ffee21ca5f0 items=0 ppid=686 pid=689 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=3 comm=perl exe=/usr/bin/perl subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> > > type=UNKNOWN[1335] msg=audit(2020-03-17 11:35:31.474:344) : pid=689 uid=root auid=root tty=ttyS0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=perl exe=/usr/bin/perl nl-mcgrp=1 op=disconnect res=yes
> > >
> > > type=UNKNOWN[1335] msg=audit(2020-01-17 10:36:24.051:295) : pid=674 uid=root auid=root tty=ttyS0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=perl exe=/usr/bin/perl nl-mcgrp=1 op=disconnect res=yes
> >
> > This patch looks fine to me, but this line is curious ... I'm assuming
> > this is just a stray/cut-n-paste-error from the last time you updated
> > the commit description? If so, just let me know and I can drop it
> > while merging, otherwise there is something odd going on ....
>
> That last line is the result of close() from an earlier version of the
> testsuite, rather than setsockopt(..., NETLINK_DROP_MEMBERSHIP, ...).
>
> This is why we need the subject attributes, as noted in the first note
> above the changelog below.

Argh. I wasn't looking at the subject info, I was just noting the
timestamp was obviously wrong and the connects/disconnects didn't
match.

I was going to be nice and just drop that message during the merge,
but you need to regenerate those messages with the audit records from
just this patch since it is 1/3. As it stands right now someone is
going to be very confused in a few years when they try to reconcile
the code changes with your commit description.

Regardless of the subject info, we should make sure the
connects/disconnects are matched. The example you provide from the
test shows one connect, but two disconnects. That is going to confuse
people looking through the audit logs. I'm hoping you just did a
copy-n-paste error, but if not we need to figure that out and find a
way to make them match if there is somewhat to do so.

While you are respinning this patch, please fix the checkpatch.pl
errors; there were multiple line length, space/tab, and code indent
problems. I was going to fix them during the merge, but you might as
well fix them now. Feel free to insert my usual plea to run your
patches through checkpatch.pl before submitting.

> > > Please see the upstream issue tracker at
> > > https://github.com/linux-audit/audit-kernel/issues/28
> > > With the feature description at
> > > https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Multicast-Socket-Join-Part
> > > The testsuite support is at
> > > https://github.com/rgbriggs/audit-testsuite/compare/ghak28-mcast-part-join
> > > https://github.com/linux-audit/audit-testsuite/pull/93
> > > And the userspace support patch is at
> > > https://github.com/linux-audit/audit-userspace/pull/114
> > >
> > > Signed-off-by: Richard Guy Briggs <[email protected]>
> > >
> > > ---
> > > Note: subj attrs included due to missing syscall record for disconnect on close
> > > Note: tried refactor of subj attrs, but this is yet another new order.
> > >
> > > Changelog:
> > > v7:
> > > - rename audit_log_multicast_bind to audit_log_multicast
> > >
> > > v6:
> > > - rebased on 5.6-rc1 audit/next and audit log BPF
> > > - updated patch description sample records
> > >
> > > v5:
> > > - rebased on 5.5-rc1 audit/next
> > > - group bind/unbind ops
> > > - add audit context
> > > - justify message number skip
> > > - check audit_enabled
> > > - change field name from nlnk-grp to nl-mcgrp
> > > - fix whitespace issues
> > >
> > > v4:
> > > - 2017-10-13 sgrubb
> > > - squash to 1 patch
> > > - rebase on KERN_MODULE event
> > > - open code subj attrs
> > >
> > > v3:
> > > - 2016-11-30 sgrubb
> > > - rebase on REPLACE event
> > > - minimize audit_log_format calls
> > > - rename audit_log_bind to audit_log_multicast_bind
> > >
> > > v2:
> > > - 2015-07-23 sgrubb
> > > - spin off audit_log_task_simple in seperate patch
> > >
> > > v1:
> > > - 2014-10-07 rgb
> > > ---
> > > include/uapi/linux/audit.h | 1 +
> > > kernel/audit.c | 48 ++++++++++++++++++++++++++++++++++++++++++----
> > > 2 files changed, 45 insertions(+), 4 deletions(-)

--
paul moore
http://www.paul-moore.com

2020-04-21 20:40:41

by Richard Guy Briggs

[permalink] [raw]
Subject: Re: [PATCH ghak28 V7] audit: log audit netlink multicast bind and unbind events

On 2020-04-17 18:19, Paul Moore wrote:
> On Fri, Apr 17, 2020 at 5:34 PM Richard Guy Briggs <[email protected]> wrote:
> > On 2020-04-17 17:18, Paul Moore wrote:
> > > On Tue, Mar 17, 2020 at 12:04 PM Richard Guy Briggs <[email protected]> wrote:
> > > >
> > > > Log information about programs connecting to and disconnecting from the
> > > > audit netlink multicast socket. This is needed so that during
> > > > investigations a security officer can tell who or what had access to the
> > > > audit trail. This helps to meet the FAU_SAR.2 requirement for Common
> > > > Criteria. Here is the systemd startup event:
> > > >
> > > > type=PROCTITLE msg=audit(2020-02-18 15:26:50.775:10) : proctitle=/init
> > > > type=SYSCALL msg=audit(2020-02-18 15:26:50.775:10) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x19 a1=0x55645c369b70 a2=0xc a3=0x7fff9fedec24 items=0 ppid=0 pid=1 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd exe=/usr/lib/systemd/systemd subj=kernel key=(null)
> > > > type=UNKNOWN[1335] msg=audit(2020-02-18 15:26:50.775:10) : pid=1 uid=root auid=unset tty=(none) ses=unset subj=kernel comm=systemd exe=/usr/lib/systemd/systemd nl-mcgrp=1 op=connect res=yes
> > > >
> > > > And the events from the test suite:
> > > >
> > > > type=PROCTITLE msg=audit(2020-02-18 15:28:01.594:307) : proctitle=/usr/bin/perl -w amcast_joinpart/test
> > > > type=SYSCALL msg=audit(2020-02-18 15:28:01.594:307) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x7 a1=0x558ebc428be0 a2=0xc a3=0x0 items=0 ppid=642 pid=645 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=perl exe=/usr/bin/perl subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> > > > type=UNKNOWN[1335] msg=audit(2020-02-18 15:28:01.594:307) : pid=645 uid=root auid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=perl exe=/usr/bin/perl nl-mcgrp=1 op=connect res=yes
> > > >
> > > > type=PROCTITLE msg=audit(2020-03-17 11:35:31.474:344) : proctitle=/usr/bin/perl -w amcast_joinpart/test
> > > > type=SYSCALL msg=audit(2020-03-17 11:35:31.474:344) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x7 a1=SOL_NETLINK a2=0x2 a3=0x7ffee21ca5f0 items=0 ppid=686 pid=689 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=3 comm=perl exe=/usr/bin/perl subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> > > > type=UNKNOWN[1335] msg=audit(2020-03-17 11:35:31.474:344) : pid=689 uid=root auid=root tty=ttyS0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=perl exe=/usr/bin/perl nl-mcgrp=1 op=disconnect res=yes
> > > >
> > > > type=UNKNOWN[1335] msg=audit(2020-01-17 10:36:24.051:295) : pid=674 uid=root auid=root tty=ttyS0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=perl exe=/usr/bin/perl nl-mcgrp=1 op=disconnect res=yes
> > >
> > > This patch looks fine to me, but this line is curious ... I'm assuming
> > > this is just a stray/cut-n-paste-error from the last time you updated
> > > the commit description? If so, just let me know and I can drop it
> > > while merging, otherwise there is something odd going on ....
> >
> > That last line is the result of close() from an earlier version of the
> > testsuite, rather than setsockopt(..., NETLINK_DROP_MEMBERSHIP, ...).
> >
> > This is why we need the subject attributes, as noted in the first note
> > above the changelog below.
>
> Argh. I wasn't looking at the subject info, I was just noting the
> timestamp was obviously wrong and the connects/disconnects didn't
> match.

I can doctor the timestamp if you like? ;-)

> I was going to be nice and just drop that message during the merge,
> but you need to regenerate those messages with the audit records from
> just this patch since it is 1/3. As it stands right now someone is
> going to be very confused in a few years when they try to reconcile
> the code changes with your commit description.
>
> Regardless of the subject info, we should make sure the
> connects/disconnects are matched. The example you provide from the
> test shows one connect, but two disconnects. That is going to confuse
> people looking through the audit logs. I'm hoping you just did a
> copy-n-paste error, but if not we need to figure that out and find a
> way to make them match if there is somewhat to do so.

No, it wasn't a copy/paste error. It was an intentional inclusion, but
it will need some prose to explain what it demonstrates.

> While you are respinning this patch, please fix the checkpatch.pl
> errors; there were multiple line length, space/tab, and code indent
> problems. I was going to fix them during the merge, but you might as
> well fix them now. Feel free to insert my usual plea to run your
> patches through checkpatch.pl before submitting.

I assume this paragraph was to be conditionally included in the ghak25
patchset comments if a respin was necessary since this patch has no
issues (other than one patch description line too long that is a record
sample). I've fixed all those issues in ghak25 patches 1/3 and 2/3 and
am just doing a test compile to make sure I've not messed anything up
and that the rebase to v5.7-rc1 didn't cause a problem.

> > > > Please see the upstream issue tracker at
> > > > https://github.com/linux-audit/audit-kernel/issues/28
> > > > With the feature description at
> > > > https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Multicast-Socket-Join-Part
> > > > The testsuite support is at
> > > > https://github.com/rgbriggs/audit-testsuite/compare/ghak28-mcast-part-join
> > > > https://github.com/linux-audit/audit-testsuite/pull/93
> > > > And the userspace support patch is at
> > > > https://github.com/linux-audit/audit-userspace/pull/114
> > > >
> > > > Signed-off-by: Richard Guy Briggs <[email protected]>
> > > >
> > > > ---
> > > > Note: subj attrs included due to missing syscall record for disconnect on close
> > > > Note: tried refactor of subj attrs, but this is yet another new order.
> > > >
> > > > Changelog:
> > > > v7:
> > > > - rename audit_log_multicast_bind to audit_log_multicast
> > > >
> > > > v6:
> > > > - rebased on 5.6-rc1 audit/next and audit log BPF
> > > > - updated patch description sample records
> > > >
> > > > v5:
> > > > - rebased on 5.5-rc1 audit/next
> > > > - group bind/unbind ops
> > > > - add audit context
> > > > - justify message number skip
> > > > - check audit_enabled
> > > > - change field name from nlnk-grp to nl-mcgrp
> > > > - fix whitespace issues
> > > >
> > > > v4:
> > > > - 2017-10-13 sgrubb
> > > > - squash to 1 patch
> > > > - rebase on KERN_MODULE event
> > > > - open code subj attrs
> > > >
> > > > v3:
> > > > - 2016-11-30 sgrubb
> > > > - rebase on REPLACE event
> > > > - minimize audit_log_format calls
> > > > - rename audit_log_bind to audit_log_multicast_bind
> > > >
> > > > v2:
> > > > - 2015-07-23 sgrubb
> > > > - spin off audit_log_task_simple in seperate patch
> > > >
> > > > v1:
> > > > - 2014-10-07 rgb
> > > > ---
> > > > include/uapi/linux/audit.h | 1 +
> > > > kernel/audit.c | 48 ++++++++++++++++++++++++++++++++++++++++++----
> > > > 2 files changed, 45 insertions(+), 4 deletions(-)
>
> --
> paul moore
> http://www.paul-moore.com
>

- RGB

--
Richard Guy Briggs <[email protected]>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635