kernel-packages team mailing list archive
-
kernel-packages team
-
Mailing list archive
-
Message #110874
[Bug 1439441] [NEW] Kernel provides incomplete audit information when an existing monitored file is modified
Public bug reported:
[Impact]
The audit system cannot identify the correct path of the monitored file.
The trusty kernel and utopic kernel both suffer the bug.
root@node-7:~# echo "lalala" >> /etc/testfile
"sudo tail -f /var/log/audit/audit.log" results in the following auditd entry:
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=SYSCALL msg=audit(1421321904.615:60229): arch=c000003e syscall=2 success=yes exit=3 a0=1dcbd88 a1=441 a2=1b6 a3=7ffff3cc0458 items=3 ppid=49217 pid=49233 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=271 tty=pts13 comm="bash" exe="/bin/bash" key="system_configuration_change"
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=CWD msg=audit(1421321904.615:60229): cwd="/root"
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421321904.615:60229): item=0 name="/etc/" inode=1572865 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421321904.615:60229): item=1 name=(null) inode=1582123 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421321904.615:60229): item=2 name=(null) inode=1582123 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=EOE msg=audit(1421321904.615:60229):
the file modified is referenced only by inode : 1582123
With non-buggy kernel (e.g. 3.2.0-72-generic) the output is:
root@atlas:/tmp# echo "lalal" >> /etc/testfile
"sudo tail -f /var/log/audit/audit.log" produces the following output:
Jan 15 11:40:36 localhost audispd: node=atlas type=SYSCALL msg=audit(1421322036.194:6825): arch=c000003e syscall=2 success=yes exit=3 a0=24ac028 a1=441 a2=1b6 a3=7fff7ddaefe8 items=1 ppid=18562 pid=18570 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=410 comm="bash" exe="/bin/bash" key="system_configuration_change"
Jan 15 11:40:36 localhost audispd: node=atlas type=CWD msg=audit(1421322036.194:6825): cwd="/tmp"
Jan 15 11:40:36 localhost audispd: node=atlas type=PATH msg=audit(1421322036.194:6825): item=0 name="/etc/testfile" inode=159619 dev=fd:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
Jan 15 11:40:36 localhost audispd: node=atlas type=EOE msg=audit(1421322036.194:6825):
[Fix]
commit 4a92843601ad0f5067f441d2f0dca55bbe18c076
Author: Paul Moore <pmoore@xxxxxxxxxx>
Date: Mon Dec 22 12:27:39 2014 -0500
audit: correctly record file names with different path name types
There is a problem with the audit system when multiple audit records
are created for the same path, each with a different path name type.
The root cause of the problem is in __audit_inode() when an exact
match (both the path name and path name type) is not found for a
path name record; the existing code creates a new path name record,
but it never sets the path name in this record, leaving it NULL.
This patch corrects this problem by assigning the path name to these
newly created records.
There are many ways to reproduce this problem, but one of the
easiest is the following (assuming auditd is running):
# mkdir /root/tmp/test
# touch /root/tmp/test/567
# auditctl -a always,exit -F dir=/root/tmp/test
# touch /root/tmp/test/567
Afterwards, or while the commands above are running, check the audit
log and pay special attention to the PATH records. A faulty kernel
will display something like the following for the file creation:
type=SYSCALL msg=audit(1416957442.025:93): arch=c000003e syscall=2
success=yes exit=3 ... comm="touch" exe="/usr/bin/touch"
type=CWD msg=audit(1416957442.025:93): cwd="/root/tmp"
type=PATH msg=audit(1416957442.025:93): item=0 name="test/"
inode=401409 ... nametype=PARENT
type=PATH msg=audit(1416957442.025:93): item=1 name=(null)
inode=393804 ... nametype=NORMAL
type=PATH msg=audit(1416957442.025:93): item=2 name=(null)
inode=393804 ... nametype=NORMAL
While a patched kernel will show the following:
type=SYSCALL msg=audit(1416955786.566:89): arch=c000003e syscall=2
success=yes exit=3 ... comm="touch" exe="/usr/bin/touch"
type=CWD msg=audit(1416955786.566:89): cwd="/root/tmp"
type=PATH msg=audit(1416955786.566:89): item=0 name="test/"
inode=401409 ... nametype=PARENT
type=PATH msg=audit(1416955786.566:89): item=1 name="test/567"
inode=393804 ... nametype=NORMAL
This issue was brought up by a number of people, but special credit
should go to hujianyang@xxxxxxxxxx for reporting the problem along
with an explanation of the problem and a patch. While the original
patch did have some problems (see the archive link below), it did
demonstrate the problem and helped kickstart the fix presented here.
* https://lkml.org/lkml/2014/9/5/66
Reported-by: hujianyang <hujianyang@xxxxxxxxxx>
Signed-off-by: Paul Moore <pmoore@xxxxxxxxxx>
Acked-by: Richard Guy Briggs <rgb@xxxxxxxxxx>
$ git describe --contains 4a92843601ad0f5067f441d2f0dca55bbe18c076
v3.19-rc2~7^2~1
[Test case]
- Install any one of the kernel from 3.13 ~ 3.19rc2
- sudo apt-get install -y auditd
- sudo vim /etc/audit/audit.rules
-D
-b 1024
-w /etc/ -p wa -k system_configuration_change
-w /usr/bin -p wa -k system_binary_change
-w /usr/sbin -p wa -k system_binary_change
-w /bin/ -p wa -k system_binary_change
-w /usr/bin/sudo -F auid!=nova -F uid!=nova -F auid!=neutron -F uid!=neutron -F auid!=cinder -F uid!=cinder -F auid!=zabbix -F uid!=zabbix -p x -k privilege_escalation
-w /bin/su -p x -k privilege_escalation
-w /bin/mount -p x -k filesystem_modification
-w /bin/umount -p x -k filesystem_modification
-w /bin/chown -p x -k filesystem_modification
-w /bin/chgrp -p x -k filesystem_modification
-w /bin/chmod -p x -k filesystem_modification
-w /var/log -p wra -F auid>10000 -F auid!=4294967295 -k system_logs_access
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b64 -S clock_settime -k time-change_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b32 -S clock_settime -k time-change_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b64 -S chroot -S mount -S umount2 -k filesystem_modification_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b32 -S chroot -S mount -S umount2 -k filesystem_modification_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b64 -S kill -S tkill -S tgkill -k process_termination_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b32 -S kill -S tkill -S tgkill -k process_termination_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b32 -S sethostname -S setdomainname -k system-locale
-a exit,always -F auid>10000 -F auid!=4294967295 -F arch=b64 -S execve -k audit_trail
-a exit,always -F auid>10000 -F auid!=4294967295 -F arch=b32 -S execve -k audit_trail
- sudo vim /etc/audit/auditd.conf
log_format = RAW
priority_boost = 3
disp_qos = lossless
dispatcher = /sbin/audispd
name_format = hostname
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SYSLOG
disk_full_action = SYSLOG
disk_error_action = SYSLOG
- sudo su
- # echo "lalala" >> /etc/testfile
- Open another console: $ sudo tail -f /var/log/audit/audit.log
** Affects: linux (Ubuntu)
Importance: Undecided
Assignee: Gavin Guo (mimi0213kimo)
Status: Incomplete
** Tags: cts precise trusty utopic
** Changed in: linux (Ubuntu)
Assignee: (unassigned) => Gavin Guo (mimi0213kimo)
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1439441
Title:
Kernel provides incomplete audit information when an existing
monitored file is modified
Status in linux package in Ubuntu:
Incomplete
Bug description:
[Impact]
The audit system cannot identify the correct path of the monitored file.
The trusty kernel and utopic kernel both suffer the bug.
root@node-7:~# echo "lalala" >> /etc/testfile
"sudo tail -f /var/log/audit/audit.log" results in the following auditd entry:
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=SYSCALL msg=audit(1421321904.615:60229): arch=c000003e syscall=2 success=yes exit=3 a0=1dcbd88 a1=441 a2=1b6 a3=7ffff3cc0458 items=3 ppid=49217 pid=49233 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=271 tty=pts13 comm="bash" exe="/bin/bash" key="system_configuration_change"
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=CWD msg=audit(1421321904.615:60229): cwd="/root"
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421321904.615:60229): item=0 name="/etc/" inode=1572865 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421321904.615:60229): item=1 name=(null) inode=1582123 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421321904.615:60229): item=2 name=(null) inode=1582123 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=EOE msg=audit(1421321904.615:60229):
the file modified is referenced only by inode : 1582123
With non-buggy kernel (e.g. 3.2.0-72-generic) the output is:
root@atlas:/tmp# echo "lalal" >> /etc/testfile
"sudo tail -f /var/log/audit/audit.log" produces the following output:
Jan 15 11:40:36 localhost audispd: node=atlas type=SYSCALL msg=audit(1421322036.194:6825): arch=c000003e syscall=2 success=yes exit=3 a0=24ac028 a1=441 a2=1b6 a3=7fff7ddaefe8 items=1 ppid=18562 pid=18570 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=410 comm="bash" exe="/bin/bash" key="system_configuration_change"
Jan 15 11:40:36 localhost audispd: node=atlas type=CWD msg=audit(1421322036.194:6825): cwd="/tmp"
Jan 15 11:40:36 localhost audispd: node=atlas type=PATH msg=audit(1421322036.194:6825): item=0 name="/etc/testfile" inode=159619 dev=fd:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
Jan 15 11:40:36 localhost audispd: node=atlas type=EOE msg=audit(1421322036.194:6825):
[Fix]
commit 4a92843601ad0f5067f441d2f0dca55bbe18c076
Author: Paul Moore <pmoore@xxxxxxxxxx>
Date: Mon Dec 22 12:27:39 2014 -0500
audit: correctly record file names with different path name types
There is a problem with the audit system when multiple audit records
are created for the same path, each with a different path name type.
The root cause of the problem is in __audit_inode() when an exact
match (both the path name and path name type) is not found for a
path name record; the existing code creates a new path name record,
but it never sets the path name in this record, leaving it NULL.
This patch corrects this problem by assigning the path name to these
newly created records.
There are many ways to reproduce this problem, but one of the
easiest is the following (assuming auditd is running):
# mkdir /root/tmp/test
# touch /root/tmp/test/567
# auditctl -a always,exit -F dir=/root/tmp/test
# touch /root/tmp/test/567
Afterwards, or while the commands above are running, check the audit
log and pay special attention to the PATH records. A faulty kernel
will display something like the following for the file creation:
type=SYSCALL msg=audit(1416957442.025:93): arch=c000003e syscall=2
success=yes exit=3 ... comm="touch" exe="/usr/bin/touch"
type=CWD msg=audit(1416957442.025:93): cwd="/root/tmp"
type=PATH msg=audit(1416957442.025:93): item=0 name="test/"
inode=401409 ... nametype=PARENT
type=PATH msg=audit(1416957442.025:93): item=1 name=(null)
inode=393804 ... nametype=NORMAL
type=PATH msg=audit(1416957442.025:93): item=2 name=(null)
inode=393804 ... nametype=NORMAL
While a patched kernel will show the following:
type=SYSCALL msg=audit(1416955786.566:89): arch=c000003e syscall=2
success=yes exit=3 ... comm="touch" exe="/usr/bin/touch"
type=CWD msg=audit(1416955786.566:89): cwd="/root/tmp"
type=PATH msg=audit(1416955786.566:89): item=0 name="test/"
inode=401409 ... nametype=PARENT
type=PATH msg=audit(1416955786.566:89): item=1 name="test/567"
inode=393804 ... nametype=NORMAL
This issue was brought up by a number of people, but special credit
should go to hujianyang@xxxxxxxxxx for reporting the problem along
with an explanation of the problem and a patch. While the original
patch did have some problems (see the archive link below), it did
demonstrate the problem and helped kickstart the fix presented here.
* https://lkml.org/lkml/2014/9/5/66
Reported-by: hujianyang <hujianyang@xxxxxxxxxx>
Signed-off-by: Paul Moore <pmoore@xxxxxxxxxx>
Acked-by: Richard Guy Briggs <rgb@xxxxxxxxxx>
$ git describe --contains 4a92843601ad0f5067f441d2f0dca55bbe18c076
v3.19-rc2~7^2~1
[Test case]
- Install any one of the kernel from 3.13 ~ 3.19rc2
- sudo apt-get install -y auditd
- sudo vim /etc/audit/audit.rules
-D
-b 1024
-w /etc/ -p wa -k system_configuration_change
-w /usr/bin -p wa -k system_binary_change
-w /usr/sbin -p wa -k system_binary_change
-w /bin/ -p wa -k system_binary_change
-w /usr/bin/sudo -F auid!=nova -F uid!=nova -F auid!=neutron -F uid!=neutron -F auid!=cinder -F uid!=cinder -F auid!=zabbix -F uid!=zabbix -p x -k privilege_escalation
-w /bin/su -p x -k privilege_escalation
-w /bin/mount -p x -k filesystem_modification
-w /bin/umount -p x -k filesystem_modification
-w /bin/chown -p x -k filesystem_modification
-w /bin/chgrp -p x -k filesystem_modification
-w /bin/chmod -p x -k filesystem_modification
-w /var/log -p wra -F auid>10000 -F auid!=4294967295 -k system_logs_access
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b64 -S clock_settime -k time-change_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b32 -S clock_settime -k time-change_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b64 -S chroot -S mount -S umount2 -k filesystem_modification_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b32 -S chroot -S mount -S umount2 -k filesystem_modification_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b64 -S kill -S tkill -S tgkill -k process_termination_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b32 -S kill -S tkill -S tgkill -k process_termination_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b32 -S sethostname -S setdomainname -k system-locale
-a exit,always -F auid>10000 -F auid!=4294967295 -F arch=b64 -S execve -k audit_trail
-a exit,always -F auid>10000 -F auid!=4294967295 -F arch=b32 -S execve -k audit_trail
- sudo vim /etc/audit/auditd.conf
log_format = RAW
priority_boost = 3
disp_qos = lossless
dispatcher = /sbin/audispd
name_format = hostname
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SYSLOG
disk_full_action = SYSLOG
disk_error_action = SYSLOG
- sudo su
- # echo "lalala" >> /etc/testfile
- Open another console: $ sudo tail -f /var/log/audit/audit.log
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1439441/+subscriptions
Follow ups
-
[Bug 1439441] Re: Kernel provides incomplete audit information when an existing monitored file is modified
From: Launchpad Bug Tracker, 2015-04-29
-
[Bug 1439441] Re: Kernel provides incomplete audit information when an existing monitored file is modified
From: Launchpad Bug Tracker, 2015-04-29
-
[Bug 1439441] Re: Kernel provides incomplete audit information when an existing monitored file is modified
From: Gavin Guo, 2015-04-21
-
[Bug 1439441] Re: Kernel provides incomplete audit information when an existing monitored file is modified
From: Gavin Guo, 2015-04-21
-
[Bug 1439441] Re: Kernel provides incomplete audit information when an existing monitored file is modified
From: Brad Figg, 2015-04-17
-
[Bug 1439441] Re: Kernel provides incomplete audit information when an existing monitored file is modified
From: Brad Figg, 2015-04-17
-
[Bug 1439441] Re: Kernel provides incomplete audit information when an existing monitored file is modified
From: Tim Gardner, 2015-04-03
-
[Bug 1439441] Re: Kernel provides incomplete audit information when an existing monitored file is modified
From: Gavin Guo, 2015-04-03
-
[Bug 1439441] Re: Kernel provides incomplete audit information when an existing monitored file is modified
From: Chris J Arges, 2015-04-02
-
[Bug 1439441] Missing required logs.
From: Brad Figg, 2015-04-01
-
[Bug 1439441] [NEW] Kernel provides incomplete audit information when an existing monitored file is modified
From: Gavin Guo, 2015-04-01
References