Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp4169928imu; Mon, 10 Dec 2018 14:26:35 -0800 (PST) X-Google-Smtp-Source: AFSGD/UIxlNjAns0ZEID7oygNIp3uMOzc9dCI0xpcPN28CfWg61Zl2RmGw3IbpjibddCYGdH52db X-Received: by 2002:a63:e545:: with SMTP id z5mr12408131pgj.195.1544480795844; Mon, 10 Dec 2018 14:26:35 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1544480795; cv=none; d=google.com; s=arc-20160816; b=f1t+iU4x404eoaL4oWtNDbkpGB2uxwzbAL62WKFy+AjSxcmldEg3Up+/5H9CgsBzGD jS5o7mLUlS01EXgDkrlVEmlH46nPwMdVOkYqWsFKdbtqHEJbPBSKzHvWaXbyPmH3D79E F+mjWcvoiavn2J1OZYexgjnHItN9Q1rAGG2KEqSHL3BePGCrMY5jb6ImVOAnjE/D/pfS 5ID2eje0jTWJ+942PUwVlbVRuhiEUoKxp691anJBFKWWJcxRbsNjW+Jl/6jbpPo6ktL+ ptkpm7AgnX7Mh6ps2NC4d0txBmv1xqgOdqAJ+QvRMXbXSoZE7hwX63YmBxJnXCk2lzBr QV8g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from; bh=tRYXQqgntnpXuWu+64vqeN15ri/aEPGv2QQL69M+qJE=; b=S/9wbGFnVjmSB9BEr4XFi/7u7pPOpH/N7P8/bhhOyqjX00D9wu8pdnZYYDIrmnr2c3 KQ1zC1We0CQFzIy4gI79SADBKsDYExzm60/mf7p/hr708kKh9bzB46KhW2SkkgryBefm eMuV7NetgVQIncixDKzmJcOXQc0BAe9FJKAqQUqlCGglpVAEdo4ZmbGmmyyn4ZEUtLc/ j1VcpARFaFCjHY0YMv/6e2kLaK9N6qegypN/7BvdIBYd10LXRm3JXrq4HZ0kebr7blrs Mbs1iqHPucd3w1GZP9BbZRGlWOO0KXfze1FvSq/qBwgyXq1zdKNc33fCIv5DFWLYoADt QO+Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i69si10734927pgd.71.2018.12.10.14.26.20; Mon, 10 Dec 2018 14:26:35 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728926AbeLJWSe (ORCPT + 99 others); Mon, 10 Dec 2018 17:18:34 -0500 Received: from mx1.redhat.com ([209.132.183.28]:47876 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726562AbeLJWSd (ORCPT ); Mon, 10 Dec 2018 17:18:33 -0500 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 28D5B308212D; Mon, 10 Dec 2018 22:18:32 +0000 (UTC) Received: from madcap2.tricolour.ca (ovpn-112-24.phx2.redhat.com [10.3.112.24]) by smtp.corp.redhat.com (Postfix) with ESMTP id A0EA660BF1; Mon, 10 Dec 2018 22:18:25 +0000 (UTC) From: Richard Guy Briggs To: LKML , Linux-Audit Mailing List Cc: Eric Paris , Alexander Viro , Steve Grubb , Paul Moore , Richard Guy Briggs Subject: [PATCH ghak59 V3 0/4] audit: config_change normalizations and event record gathering Date: Mon, 10 Dec 2018 17:17:47 -0500 Message-Id: X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.42]); Mon, 10 Dec 2018 22:18:32 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Make a number of changes to normalize CONFIG_CHANGE records by adding missing op= fields, providing more information in existing op fields (optional last patch) and connecting all records to existing audit events. The user record needs special-casing since its content isn't directly related to the call that logs it. Since tree purge records are processed after the EOE record is produced, the order of operation of the EOE record and the purge will have to be reversed so that the purge records can be included in the event. The last patch is included for completeness understanding it may be more information than necessary. For reference, here are the calling methods and function tree for all CONFIG_CHANGE events with fields: - audit_log_config_change() - add "op=set" to fields: "[op] old auid ses subj res" - AUDIT_SET:AUDIT_STATUS_PID - AUDIT_SET:AUDIT_STATUS_LOST - audit_do_config_change() - AUDIT_SET:AUDIT_STATUS_FAILURE - AUDIT_SET:AUDIT_STATUS_ENABLED - AUDIT_SET:AUDIT_STATUS_RATE_LIMIT - AUDIT_SET:AUDIT_STATUS_BACKLOG_LIMIT - AUDIT_SET:AUDIT_STATUS_BACKLOG_WAIT_TIME - audit_log_rule_change() - fields: "auid ses subj op key list res" - AUDIT_ADD_RULE -F dir=... - AUDIT_DEL_RULE -F dir=... - audit_log_common_recv_msg() - fields: "pid uid auid ses subj ..." - AUDIT_*USER* events (not CONFIG_CHANGE like all the rest) - AUDIT_LOCKED add "op={add,remove}_rule" to "[op] audit_enabled res" - AUDIT_TRIM "op=trim res" - AUDIT_MAKE_EQUIV: "op=make_equiv old new res" - AUDIT_TTY_SET: "op=tty_set old-enabled new-enabled old-log_passwd new-log_passwd res" - audit_mark_log_rule_change() - add ":mark" to op in fields: "uid ses op=autoremove_rule[] path key list res" - audit_autoremove_mark_rule() - audit_mark_handle_event() - audit_mark_fsnotify_ops.handle_event - audit_tree_log_remove_rule() called from kill_rules() - add to op ":tree:%s" to fields: "op=remove_rule[] dir key list res" - from trim_marked() - AUDIT_TRIM: audit_trim_trees() "trim" - audit_add_tree_rule() iterate_mounts err "add" - audit_add_rule() - audit_rule_change() - AUDIT_ADD_RULE -F dir=... - AUDIT_MAKE_EQUIV: audit_tag_tree() iterate_mounts err "equiv" - from audit_kill_trees() - __audit_free() "free" - do_exit() - copy_process() err - __audit_syscall_exit() "exit" - from evict_chunk() "evict" - audit_tree_freeing_mark() - audit_tree_ops.freeing_mark - audit_watch_log_rule_change() add to op ":watch:%s" to fields "auid ses op={updated,remove}_rule[] path key list res" - audit_update_watch() "updated_rules:watch:inval" : "updated_rules:watch:set" - audit_watch_handle_event() FS_CREATE|FS_MOVED_TO, FS_DELETE|FS_MOVED_FROM - audit_watch_fsnotify_ops.handle_event - audit_remove_parent_watches() "remove_rule:watch:parent" - audit_watch_handle_event() FS_DELETE_SELF|FS_UNMOUNT|FS_MOVE_SELF - audit_watch_fsnotify_ops.handle_event - audit_seccomp_actions_logged() - fields: "op actions old-actions res" See: https://github.com/linux-audit/audit-kernel/issues/50 See: https://github.com/linux-audit/audit-kernel/issues/59 Sources of AUDIT_CONFIG_CHANGE records and their current and proposed fields are listed here https://github.com/linux-audit/audit-kernel/issues/59#issuecomment-445055154 Changelog: v3: - un-clever %s_rule to not break up op values - create audit_log_user_recv_msg() and squash into record connection - squash kill_trees context handling with kill-trees before EOE - rebase on audit/next (v4.20-rc1) with 2a1fe215e730 ("audit: use current whenever possible") - remove parens in extended format v2: - re-order audit_log_exit() and audit_kill_trees() - drop EOE reordering patch - rebase on 4.18-rc1 (audit/next) Richard Guy Briggs (4): audit: give a clue what CONFIG_CHANGE op was involved audit: add syscall information to CONFIG_CHANGE records audit: hand taken context to audit_kill_trees for syscall logging audit: extend config_change mark/watch/tree rule changes kernel/audit.c | 33 +++++++++++++++++++++++---------- kernel/audit.h | 4 ++-- kernel/audit_fsnotify.c | 4 ++-- kernel/audit_tree.c | 28 +++++++++++++++------------- kernel/audit_watch.c | 8 +++++--- kernel/auditfilter.c | 2 +- kernel/auditsc.c | 12 ++++++------ 7 files changed, 54 insertions(+), 37 deletions(-) -- 1.8.3.1