kernel-packages team mailing list archive
-
kernel-packages team
-
Mailing list archive
-
Message #111059
[Bug 1439441] Re: Kernel provides incomplete audit information when an existing monitored file is modified
Test of the following kernel fail:
linux-image-3.13.0-031300-generic_3.13.0-031300.201401192235_amd64.deb
linux-image-3.13.0-24-generic
linux-image-3.13.0-46-generic
linux-image-3.15.0-031500-generic_3.15.0-031500.201406131105_amd64.deb
linux-image-3.17.0-031700-generic_3.17.0-031700.201410060605_amd64.deb
linux-image-3.18.0-031800-generic_3.18.0-031800.201412071935_amd64.deb
linux-image-3.18.9-031809-generic_3.18.9-031809.201503080036_amd64.deb
Success:
linux-image-3.2.0-23-generic
linux-image-3.2.0-79-virtual
linux-image-3.19.0-031900rc2-generic_3.19.0-031900rc2.201412290135_amd64.deb
linux-image-3.19.0-031900rc4-generic_3.19.0-031900rc4.201501112135_amd64.deb
linux-image-3.19.0-031900-generic_3.19.0-031900.201502091451_amd64.deb
linux-image-4.0.0-040000rc6-generic_4.0.0-040000rc6.201503291935_amd64.deb
Bisect process:
linux-image-3.13.0-031300-generic_3.13.0-031300.201401192235_amd64.deb - fail
linux-image-3.13.0-24-generic - fail
linux-image-3.13.0-46-generic - fail
linux-image-3.15.0-031500-generic_3.15.0-031500.201406131105_amd64.deb - fail
linux-image-3.17.0-031700-generic_3.17.0-031700.201410060605_amd64.deb - fail
linux-image-3.18.0-031800-generic_3.18.0-031800.201412071935_amd64.deb - fail
linux-image-3.18.9-031809-generic_3.18.9-031809.201503080036_amd64.deb - fail
linux-image-3.19.0-031900rc1-generic_3.19.0-031900rc1.201412210135_amd64.deb - fail
linux-image-3.19.0-031900rc2-generic_3.19.0-031900rc2.201412290135_amd64.deb - success
linux-image-3.19.0-031900rc4-generic_3.19.0-031900rc4.201501112135_amd64.deb - success
linux-image-3.19.0-031900-generic_3.19.0-031900.201502091451_amd64.deb - success
linux-image-4.0.0-040000rc6-generic_4.0.0-040000rc6.201503291935_amd64.deb - success
Tue Mar 31 17:58:38 gavin@gavin-w530:~/os/work_kernel$ git log --pretty=oneline v3.19-rc1..v3.19-rc2 kernel/audit*
66b3f4f0a0fcc197a1e432c3d2134f5c6a5275b9 Merge branch 'upstream' of git://git.infradead.org/users/pcm
041d7b98ffe59c59fdd639931dea7d74f9aa9a59 audit: restore AUDIT_LOGINUID unset ABI
4a92843601ad0f5067f441d2f0dca55bbe18c076 audit: correctly record file names with different path name
54dc77d974a50147d6639dac6f59cb2c29207161 audit: use supplied gfp_mask from audit_buffer in kauditd_se
3640dcfa4fd00cd91d88bb86250bdb496f7070c0 audit: don't attempt to lookup PIDs when changing PID filter
solution:
commit 4a92843601ad0f5067f441d2f0dca55bbe18c076
Author: Paul Moore <pmoore@xxxxxxxxxx>
Date: Mon Dec 22 12:27:39 2014 -0500
audit: correctly record file names with different path name types
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1439441
Title:
Kernel provides incomplete audit information when an existing
monitored file is modified
Status in linux package in Ubuntu:
Incomplete
Status in linux source package in Trusty:
New
Status in linux source package in Utopic:
New
Bug description:
[Impact]
The audit system cannot identify the correct path of the monitored file.
The trusty kernel and utopic kernel both suffer the bug.
root@node-7:~# echo "lalala" >> /etc/testfile
"sudo tail -f /var/log/audit/audit.log" results in the following auditd entry:
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=SYSCALL msg=audit(1421321904.615:60229): arch=c000003e syscall=2 success=yes exit=3 a0=1dcbd88 a1=441 a2=1b6 a3=7ffff3cc0458 items=3 ppid=49217 pid=49233 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=271 tty=pts13 comm="bash" exe="/bin/bash" key="system_configuration_change"
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=CWD msg=audit(1421321904.615:60229): cwd="/root"
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421321904.615:60229): item=0 name="/etc/" inode=1572865 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421321904.615:60229): item=1 name=(null) inode=1582123 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH msg=audit(1421321904.615:60229): item=2 name=(null) inode=1582123 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=EOE msg=audit(1421321904.615:60229):
the file modified is referenced only by inode : 1582123
With non-buggy kernel (e.g. 3.2.0-72-generic) the output is:
root@atlas:/tmp# echo "lalal" >> /etc/testfile
"sudo tail -f /var/log/audit/audit.log" produces the following output:
Jan 15 11:40:36 localhost audispd: node=atlas type=SYSCALL msg=audit(1421322036.194:6825): arch=c000003e syscall=2 success=yes exit=3 a0=24ac028 a1=441 a2=1b6 a3=7fff7ddaefe8 items=1 ppid=18562 pid=18570 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=410 comm="bash" exe="/bin/bash" key="system_configuration_change"
Jan 15 11:40:36 localhost audispd: node=atlas type=CWD msg=audit(1421322036.194:6825): cwd="/tmp"
Jan 15 11:40:36 localhost audispd: node=atlas type=PATH msg=audit(1421322036.194:6825): item=0 name="/etc/testfile" inode=159619 dev=fd:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
Jan 15 11:40:36 localhost audispd: node=atlas type=EOE msg=audit(1421322036.194:6825):
[Fix]
commit 4a92843601ad0f5067f441d2f0dca55bbe18c076
Author: Paul Moore <pmoore@xxxxxxxxxx>
Date: Mon Dec 22 12:27:39 2014 -0500
audit: correctly record file names with different path name types
There is a problem with the audit system when multiple audit records
are created for the same path, each with a different path name type.
The root cause of the problem is in __audit_inode() when an exact
match (both the path name and path name type) is not found for a
path name record; the existing code creates a new path name record,
but it never sets the path name in this record, leaving it NULL.
This patch corrects this problem by assigning the path name to these
newly created records.
There are many ways to reproduce this problem, but one of the
easiest is the following (assuming auditd is running):
# mkdir /root/tmp/test
# touch /root/tmp/test/567
# auditctl -a always,exit -F dir=/root/tmp/test
# touch /root/tmp/test/567
Afterwards, or while the commands above are running, check the audit
log and pay special attention to the PATH records. A faulty kernel
will display something like the following for the file creation:
type=SYSCALL msg=audit(1416957442.025:93): arch=c000003e syscall=2
success=yes exit=3 ... comm="touch" exe="/usr/bin/touch"
type=CWD msg=audit(1416957442.025:93): cwd="/root/tmp"
type=PATH msg=audit(1416957442.025:93): item=0 name="test/"
inode=401409 ... nametype=PARENT
type=PATH msg=audit(1416957442.025:93): item=1 name=(null)
inode=393804 ... nametype=NORMAL
type=PATH msg=audit(1416957442.025:93): item=2 name=(null)
inode=393804 ... nametype=NORMAL
While a patched kernel will show the following:
type=SYSCALL msg=audit(1416955786.566:89): arch=c000003e syscall=2
success=yes exit=3 ... comm="touch" exe="/usr/bin/touch"
type=CWD msg=audit(1416955786.566:89): cwd="/root/tmp"
type=PATH msg=audit(1416955786.566:89): item=0 name="test/"
inode=401409 ... nametype=PARENT
type=PATH msg=audit(1416955786.566:89): item=1 name="test/567"
inode=393804 ... nametype=NORMAL
This issue was brought up by a number of people, but special credit
should go to hujianyang@xxxxxxxxxx for reporting the problem along
with an explanation of the problem and a patch. While the original
patch did have some problems (see the archive link below), it did
demonstrate the problem and helped kickstart the fix presented here.
* https://lkml.org/lkml/2014/9/5/66
Reported-by: hujianyang <hujianyang@xxxxxxxxxx>
Signed-off-by: Paul Moore <pmoore@xxxxxxxxxx>
Acked-by: Richard Guy Briggs <rgb@xxxxxxxxxx>
$ git describe --contains 4a92843601ad0f5067f441d2f0dca55bbe18c076
v3.19-rc2~7^2~1
[Test case]
- Install any one of the kernel from 3.13 ~ 3.19rc2
- sudo apt-get install -y auditd
- sudo vim /etc/audit/audit.rules
-D
-b 1024
-w /etc/ -p wa -k system_configuration_change
-w /usr/bin -p wa -k system_binary_change
-w /usr/sbin -p wa -k system_binary_change
-w /bin/ -p wa -k system_binary_change
-w /usr/bin/sudo -F auid!=nova -F uid!=nova -F auid!=neutron -F uid!=neutron -F auid!=cinder -F uid!=cinder -F auid!=zabbix -F uid!=zabbix -p x -k privilege_escalation
-w /bin/su -p x -k privilege_escalation
-w /bin/mount -p x -k filesystem_modification
-w /bin/umount -p x -k filesystem_modification
-w /bin/chown -p x -k filesystem_modification
-w /bin/chgrp -p x -k filesystem_modification
-w /bin/chmod -p x -k filesystem_modification
-w /var/log -p wra -F auid>10000 -F auid!=4294967295 -k system_logs_access
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b64 -S clock_settime -k time-change_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b32 -S clock_settime -k time-change_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b64 -S chroot -S mount -S umount2 -k filesystem_modification_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b32 -S chroot -S mount -S umount2 -k filesystem_modification_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b64 -S kill -S tkill -S tgkill -k process_termination_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b32 -S kill -S tkill -S tgkill -k process_termination_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b32 -S sethostname -S setdomainname -k system-locale
-a exit,always -F auid>10000 -F auid!=4294967295 -F arch=b64 -S execve -k audit_trail
-a exit,always -F auid>10000 -F auid!=4294967295 -F arch=b32 -S execve -k audit_trail
- sudo vim /etc/audit/auditd.conf
log_format = RAW
priority_boost = 3
disp_qos = lossless
dispatcher = /sbin/audispd
name_format = hostname
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SYSLOG
disk_full_action = SYSLOG
disk_error_action = SYSLOG
- sudo su
- # echo "lalala" >> /etc/testfile
- Open another console: $ sudo tail -f /var/log/audit/audit.log
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1439441/+subscriptions
References