Date: Tue, 9 Apr 2019 11:57:28 -0400
From: Richard Guy Briggs
To: Steve Grubb
Cc: LKML, Linux-Audit Mailing List, Paul Moore, omosnace@redhat.com, eparis@parisplace.org, ebiederm@xmission.com, oleg@redhat.com
Subject: Re: [PATCH ghak111 V1] audit: deliver siginfo regarless of syscall
Message-ID: <20190409155728.dfp4qwseo6jxdmqr@madcap2.tricolour.ca>
References: <20190409080138.745d18a1@ivy-bridge> <20190409140259.n4t6rxb24eu3uzvp@madcap2.tricolour.ca> <20190409173716.1a0308fb@ivy-bridge>
In-Reply-To: <20190409173716.1a0308fb@ivy-bridge>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2019-04-09 17:37, Steve Grubb wrote:
> On Tue, 9 Apr 2019 10:02:59 -0400
> Richard Guy Briggs wrote:
>
> > On 2019-04-09 08:01, Steve Grubb wrote:
> > > On Mon, 8 Apr 2019 23:52:29 -0400 Richard Guy Briggs
> > > wrote:
> > > > When a process signals the audit daemon (shutdown, rotate, resume,
> > > > reconfig) but syscall auditing is not enabled, we still want to
> > > > know the identity of the process sending the signal to the audit
> > > > daemon.
> > >
> > > Why? If syscall auditing is disabled, then there is no requirement
> > > to provide anything. What is the real problem that you are seeing?
> >
> > Shutdown messages with -1 in them rather than the real values.
>
> OK. We can fix that by patching auditd to see if auditing is enabled
> before requesting signal info. If auditing is disabled, the proper
> action is for the kernel to ignore any audit userspace messages except
> the configuration commands.

If auditing is disabled in the kernel, none of this is trackable.

It is for those as yet unsupported arches that can run audit enabled but
without auditsyscall support.

Here's a current sample with CONFIG_AUDIT and ~CONFIG_AUDITSYSCALL
configured, note "auid=" and "pid=":

killall -HUP auditd
type=DAEMON_CONFIG msg=audit(2019-04-09 11:37:04.508:3266) op=reconfigure state=changed auid=unset pid=-1 subj=? res=success

killall -TERM auditd
type=DAEMON_END msg=audit(2019-04-09 11:51:50.441:5709) : op=terminate auid=unset pid=-1 subj=? res=success

and the same with the patch applied:

killall -HUP auditd
type=DAEMON_CONFIG msg=audit(2019-04-09 11:42:40.851:8924) op=reconfigure state=changed auid=root pid=652 subj=? res=success

killall -TERM auditd
type=DAEMON_END msg=audit(2019-04-09 11:51:50.441:5709) : op=terminate auid=root pid=652 subj=? res=success

The USR1 "rotate" and USR2 "resume" log messages need to be fixed in
userspace.

> -Steve

- RGB

--
Richard Guy Briggs
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
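Added example, not part of the thread or of the audit project's code: a small Python check that parses the auditd daemon records quoted above and flags signal-driven records whose sender identity was lost (auid=unset, pid=-1), the symptom the patch addresses. The sample lines are constructed from the two runs in the mail; the record-type set beyond DAEMON_CONFIG and DAEMON_END is an assumption based on the kernel's DAEMON_* record types.

```python
import re

# Constructed sample: the first two records are from the run without
# CONFIG_AUDITSYSCALL (sender identity lost), the last two from the run
# with the patch applied (sender identity recorded).
SAMPLE_RECORDS = """\
type=DAEMON_CONFIG msg=audit(2019-04-09 11:37:04.508:3266) op=reconfigure state=changed auid=unset pid=-1 subj=? res=success
type=DAEMON_END msg=audit(2019-04-09 11:51:50.441:5709) : op=terminate auid=unset pid=-1 subj=? res=success
type=DAEMON_CONFIG msg=audit(2019-04-09 11:42:40.851:8924) op=reconfigure state=changed auid=root pid=652 subj=? res=success
type=DAEMON_END msg=audit(2019-04-09 11:51:50.441:5709) : op=terminate auid=root pid=652 subj=? res=success
"""

# Daemon records emitted in response to a signal sent to auditd
# (assumption: DAEMON_ROTATE/DAEMON_RESUME cover the USR1/USR2 cases).
SIGNAL_DRIVEN_TYPES = {"DAEMON_CONFIG", "DAEMON_END", "DAEMON_ROTATE", "DAEMON_RESUME"}

# "type=X msg=audit(<date> <time>:<serial>) [:] key=value ..."
RECORD_RE = re.compile(
    r"^type=(?P<type>\w+)\s+msg=audit\((?P<stamp>[^)]+)\)\s*:?\s*(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Parse one auditd daemon record into a dict, or None if it does not match."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    # The timestamp itself contains colons, so split the serial off the right.
    time_str, serial = m.group("stamp").rsplit(":", 1)
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return {"type": m.group("type"), "time": time_str, "serial": int(serial), **fields}


def sender_identity_missing(rec):
    """True when the record carries no usable identity for the signalling process.

    auditd prints the unset loginuid as "unset"; raw logs show -1 / 4294967295."""
    return (rec.get("auid") in (None, "unset", "-1", "4294967295")
            or rec.get("pid") in (None, "-1"))


def find_unattributed_signals(text):
    """Return (serial, type, op) for signal-driven records lacking sender identity."""
    findings = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["type"] not in SIGNAL_DRIVEN_TYPES:
            continue
        if sender_identity_missing(rec):
            findings.append((rec["serial"], rec["type"], rec.get("op")))
    return findings
```

Run over a real audit.log, a non-empty result means the daemon was signalled by a process the log cannot attribute, which is exactly the gap discussed in the thread.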