1. 28 Apr, 2008 3 commits
    • Audit: increase the maximum length of the key field · a42da93c
      Eric Paris authored
      
      Key lengths were arbitrarily limited to 32 characters.  If userspace is going
      to start using the single kernel key field as multiple virtual key fields
      (example key=key1,key2,key3,key4) we should give them enough room to work.
      Signed-off-by: Eric Paris <eparis@redhat.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • Audit: standardize string audit interfaces · b556f8ad
      Eric Paris authored
      
      This patch standardized the string auditing interfaces.  No userspace
      changes will be visible and this is all just cleanup and consistency
      work.  We have the following string audit interfaces to use:
      
      void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len);
      
      void audit_log_n_string(struct audit_buffer *ab, const char *buf, size_t n);
      void audit_log_string(struct audit_buffer *ab, const char *buf);
      
      void audit_log_n_untrustedstring(struct audit_buffer *ab, const char *string, size_t n);
      void audit_log_untrustedstring(struct audit_buffer *ab, const char *string);
      
      This may be the first step to possibly fixing some of the issues that
      people have with the string output from the kernel audit system.  But we
      still don't have an agreed upon solution to that problem.
      Signed-off-by: Eric Paris <eparis@redhat.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • Audit: collect sessionid in netlink messages · 2532386f
      Eric Paris authored
      
      Previously I added sessionid output to all audit messages where it was
      available but we still didn't know the sessionid of the sender of
      netlink messages.  This patch adds that information to netlink messages
      so we can audit who sent netlink messages.
      Signed-off-by: Eric Paris <eparis@redhat.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  2. 18 Apr, 2008 2 commits
  3. 15 Feb, 2008 1 commit
  4. 01 Feb, 2008 5 commits
  5. 29 Jan, 2008 1 commit
  6. 21 Oct, 2007 2 commits
    • [PATCH] audit: watching subtrees · 74c3cbe3
      Al Viro authored
      
      New kind of audit rule predicates: "object is visible in given subtree".
      The part that can be sanely implemented, that is.  Limitations:
      	* if you have hardlink from outside of tree, you'd better watch
      it too (or just watch the object itself, obviously)
      	* if you mount something under a watched tree, tell audit
      that new chunk should be added to watched subtrees
      	* if you umount something in a watched tree and it's still mounted
      elsewhere, you will get matches on events happening there.  New command
      tells audit to recalculate the trees, trimming such sources of false
      positives.
      
      Note that it's _not_ about path - if something mounted in several places
      (multiple mount, bindings, different namespaces, etc.), the match does
      _not_ depend on which one we are using for access.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [PATCH] pass dentry to audit_inode()/audit_inode_child() · 5a190ae6
      Al Viro authored
      
      Makes the caller simpler *and* allows scanning ancestors.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  7. 10 Oct, 2007 1 commit
    • [XFRM]: xfrm audit calls · ab5f5e8b
      Joy Latten authored
      
      This patch modifies the current ipsec audit layer
      by breaking it up into purpose driven audit calls.
      
      So far, the only audit calls made are when add/delete
      an SA/policy. It had been discussed to give each
      key manager its own calls to do this, but I found
      there to be much redundancy since they did the exact
      same things, except for how they got auid and sid, so I
      combined them. The below audit calls can be made by any
      key manager. Hopefully, this is ok.
      Signed-off-by: Joy Latten <latten@austin.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  8. 24 Aug, 2007 1 commit
  9. 22 Jul, 2007 2 commits
  10. 16 Jul, 2007 1 commit
    • Audit: add TTY input auditing · 522ed776
      Miloslav Trmac authored
      
      Add TTY input auditing, used to audit system administrator's actions.  This is
      required by various security standards such as DCID 6/3 and PCI to provide
      non-repudiation of administrator's actions and to allow a review of past
      actions if the administrator seems to overstep their duties or if the system
      becomes misconfigured for unknown reasons.  These requirements do not make it
      necessary to audit TTY output as well.
      
      Compared to a user-space keylogger, this approach records TTY input using the
      audit subsystem, correlated with other audit events, and it is completely
      transparent to the user-space application (e.g.  the console ioctls still
      work).
      
      TTY input auditing works on a higher level than auditing all system calls
      within the session, which would produce an overwhelming amount of mostly
      useless audit events.
      
      Add an "audit_tty" attribute, inherited across fork ().  Data read from TTYs
      by process with the attribute is sent to the audit subsystem by the kernel.
      The audit ...
  11. 11 May, 2007 5 commits
  12. 06 Mar, 2007 1 commit
  13. 17 Feb, 2007 1 commit
    • [PATCH] AUDIT_FD_PAIR · db349509
      Al Viro authored
      
      Provide an audit record of the descriptor pair returned by pipe() and
      socketpair().  Rewritten from the original posted to linux-audit by
      John D. Ramsdell <ramsdell@mitre.org>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  14. 06 Dec, 2006 1 commit
  15. 04 Oct, 2006 1 commit
  16. 29 Sep, 2006 1 commit
  17. 28 Sep, 2006 1 commit
  18. 11 Sep, 2006 2 commits
  19. 03 Aug, 2006 5 commits
  20. 01 Jul, 2006 3 commits
    • [PATCH] audit syscall classes · b915543b
      Al Viro authored
      
      Allow tying upper bits of the syscall bitmap in audit rules to kernel-defined
      sets of syscalls.  Infrastructure, a couple of classes (with 32bit counterparts
      for biarch targets) and actual tie-in on i386, amd64 and ia64.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [PATCH] audit: rename AUDIT_SE_* constants · 3a6b9f85
      Darrel Goeddel authored
      
      This patch renames some audit constant definitions and adds
      additional definitions used by the following patch.  The renaming
      avoids ambiguity with respect to the new definitions.
      Signed-off-by: Darrel Goeddel <dgoeddel@trustedcs.com>
      
       include/linux/audit.h          |   15 ++++++++----
       kernel/auditfilter.c           |   50 ++++++++++++++++++++---------------------
       kernel/auditsc.c               |   10 ++++----
       security/selinux/ss/services.c |   32 +++++++++++++-------------
       4 files changed, 56 insertions(+), 51 deletions(-)
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • [PATCH] add rule filterkey · 5adc8a6a
      Amy Griffis authored
      
      Add support for a rule key, which can be used to tie audit records to audit
      rules.  This is useful when a watched file is accessed through a link or
      symlink, as well as for general audit log analysis.
      
      Because this patch uses a string key instead of an integer key, there is a bit
      of extra overhead to do the kstrdup() when a rule fires.  However, we're also
      allocating memory for the audit record buffer, so it's probably not that
      significant.  I went ahead with a string key because it seems more
      user-friendly.
      
      Note that the user must ensure that filterkeys are unique.  The kernel only
      checks for duplicate rules.
      Signed-off-by: Amy Griffis <amy.griffis@hpd.com>
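As an added example that is not part of any commit on this page, the following Python parser pulls the rule key introduced in 5adc8a6a out of audit records, splits it into the comma-separated virtual keys that a42da93c makes room for, and checks it against the old 32-character limit. It assumes the key is written through the untrusted-string logger standardized in b556f8ad (quoted when printable, hex-encoded otherwise, `(null)` when absent); the sample records are constructed.

```python
import re

# Constructed sample records (not from the page or a real system). The key
# field is assumed to be logged as an untrusted string: quoted when every
# byte is printable, hex-encoded otherwise, "(null)" when the rule had no key.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1209398400.123:45): arch=c000003e syscall=2 '
    'success=yes exit=3 key="passwd,shadow-watch"',
    'type=SYSCALL msg=audit(1209398401.456:46): arch=c000003e syscall=257 '
    'success=no exit=-13 key=(null)',
    # "key1,key 2" in hex: the embedded space forces the hex form
    'type=SYSCALL msg=audit(1209398402.789:47): arch=c000003e syscall=2 '
    'success=yes exit=4 key=6B6579312C6B65792032',
]
# Twelve virtual keys joined with commas: 37 chars, over the old 32-char limit.
LONG_RECORD = ('type=SYSCALL msg=audit(1209398403.000:48): key="'
               + ','.join('k%d' % i for i in range(12)) + '"')
OLD_MAX_KEY_LEN = 32  # limit before commit a42da93c raised it
# name=value pairs; quoted values may contain spaces and escaped quotes
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fields(record):
    """Map field name -> raw value (quotes and hex left untouched)."""
    return dict(FIELD_RE.findall(record))

def decode_value(raw):
    """Undo the audit string encoding: quoted -> text, hex -> text, (null) -> None."""
    if raw == '(null)':
        return None
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if re.fullmatch(r'(?:[0-9A-F]{2})+', raw):
        return bytes.fromhex(raw).decode('latin-1')
    return raw

def key_field(record):
    """Decoded key string for a record, or None when no rule key was logged."""
    return decode_value(parse_fields(record).get('key', '(null)'))

def virtual_keys(record):
    """Split key=key1,key2,... into its virtual keys (empty list when no key)."""
    key = key_field(record)
    return [k for k in key.split(',') if k] if key else []

def key_fits(record, max_len=OLD_MAX_KEY_LEN):
    """True if the whole key field fits within max_len characters."""
    key = key_field(record)
    return key is None or len(key) <= max_len
```

Running `virtual_keys` over a day of SYSCALL records gives a per-rule hit count without depending on which link or symlink the watched object was reached through.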