Public bug reported:
[Impact]
The audit system cannot identify the correct path of the monitored file.
The trusty kernel and utopic kernel both suffer the bug.
root@node-7:~# echo "lalala" >> /etc/testfile
"sudo tail -f /var/log/audit/audit.log" results in the following auditd entry:
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=SYSCALL
msg=audit(1421321904.615:60229): arch=c000003e syscall=2 success=yes exit=3
a0=1dcbd88 a1=441 a2=1b6 a3=7ffff3cc0458 items=3 ppid=49217 pid=49233 auid=0
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=271 tty=pts13
comm="bash" exe="/bin/bash" key="system_configuration_change"
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=CWD
msg=audit(1421321904.615:60229): cwd="/root"
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH
msg=audit(1421321904.615:60229): item=0 name="/etc/" inode=1572865 dev=08:03
mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH
msg=audit(1421321904.615:60229): item=1 name=(null) inode=1582123 dev=08:03
mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=PATH
msg=audit(1421321904.615:60229): item=2 name=(null) inode=1582123 dev=08:03
mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
<14>Jan 15 11:38:24 node-7 audispd: node=node-7 type=EOE
msg=audit(1421321904.615:60229):
the file modified is referenced only by inode : 1582123
With non-buggy kernel (e.g. 3.2.0-72-generic) the output is:
root@atlas:/tmp# echo "lalal" >> /etc/testfile
"sudo tail -f /var/log/audit/audit.log" produces the following output:
Jan 15 11:40:36 localhost audispd: node=atlas type=SYSCALL
msg=audit(1421322036.194:6825): arch=c000003e syscall=2 success=yes exit=3
a0=24ac028 a1=441 a2=1b6 a3=7fff7ddaefe8 items=1 ppid=18562 pid=18570 auid=0
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=410
comm="bash" exe="/bin/bash" key="system_configuration_change"
Jan 15 11:40:36 localhost audispd: node=atlas type=CWD
msg=audit(1421322036.194:6825): cwd="/tmp"
Jan 15 11:40:36 localhost audispd: node=atlas type=PATH
msg=audit(1421322036.194:6825): item=0 name="/etc/testfile" inode=159619
dev=fd:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
Jan 15 11:40:36 localhost audispd: node=atlas type=EOE
msg=audit(1421322036.194:6825):
[Fix]
commit 4a92843601ad0f5067f441d2f0dca55bbe18c076
Author: Paul Moore <pmo...@redhat.com>
Date: Mon Dec 22 12:27:39 2014 -0500
audit: correctly record file names with different path name types
There is a problem with the audit system when multiple audit records
are created for the same path, each with a different path name type.
The root cause of the problem is in __audit_inode() when an exact
match (both the path name and path name type) is not found for a
path name record; the existing code creates a new path name record,
but it never sets the path name in this record, leaving it NULL.
This patch corrects this problem by assigning the path name to these
newly created records.
There are many ways to reproduce this problem, but one of the
easiest is the following (assuming auditd is running):
# mkdir /root/tmp/test
# touch /root/tmp/test/567
# auditctl -a always,exit -F dir=/root/tmp/test
# touch /root/tmp/test/567
Afterwards, or while the commands above are running, check the audit
log and pay special attention to the PATH records. A faulty kernel
will display something like the following for the file creation:
type=SYSCALL msg=audit(1416957442.025:93): arch=c000003e syscall=2
success=yes exit=3 ... comm="touch" exe="/usr/bin/touch"
type=CWD msg=audit(1416957442.025:93): cwd="/root/tmp"
type=PATH msg=audit(1416957442.025:93): item=0 name="test/"
inode=401409 ... nametype=PARENT
type=PATH msg=audit(1416957442.025:93): item=1 name=(null)
inode=393804 ... nametype=NORMAL
type=PATH msg=audit(1416957442.025:93): item=2 name=(null)
inode=393804 ... nametype=NORMAL
While a patched kernel will show the following:
type=SYSCALL msg=audit(1416955786.566:89): arch=c000003e syscall=2
success=yes exit=3 ... comm="touch" exe="/usr/bin/touch"
type=CWD msg=audit(1416955786.566:89): cwd="/root/tmp"
type=PATH msg=audit(1416955786.566:89): item=0 name="test/"
inode=401409 ... nametype=PARENT
type=PATH msg=audit(1416955786.566:89): item=1 name="test/567"
inode=393804 ... nametype=NORMAL
This issue was brought up by a number of people, but special credit
should go to hujiany...@huawei.com for reporting the problem along
with an explanation of the problem and a patch. While the original
patch did have some problems (see the archive link below), it did
demonstrate the problem and helped kickstart the fix presented here.
* https://lkml.org/lkml/2014/9/5/66
Reported-by: hujianyang <hujiany...@huawei.com>
Signed-off-by: Paul Moore <pmo...@redhat.com>
Acked-by: Richard Guy Briggs <r...@redhat.com>
$ git describe --contains 4a92843601ad0f5067f441d2f0dca55bbe18c076
v3.19-rc2~7^2~1
[Test case]
- Install any one of the kernel from 3.13 ~ 3.19rc2
- sudo apt-get install -y auditd
- sudo vim /etc/audit/audit.rules
-D
-b 1024
-w /etc/ -p wa -k system_configuration_change
-w /usr/bin -p wa -k system_binary_change
-w /usr/sbin -p wa -k system_binary_change
-w /bin/ -p wa -k system_binary_change
-w /usr/bin/sudo -F auid!=nova -F uid!=nova -F auid!=neutron -F uid!=neutron
-F auid!=cinder -F uid!=cinder -F auid!=zabbix -F uid!=zabbix -p x -k
privilege_escalation
-w /bin/su -p x -k privilege_escalation
-w /bin/mount -p x -k filesystem_modification
-w /bin/umount -p x -k filesystem_modification
-w /bin/chown -p x -k filesystem_modification
-w /bin/chgrp -p x -k filesystem_modification
-w /bin/chmod -p x -k filesystem_modification
-w /var/log -p wra -F auid>10000 -F auid!=4294967295 -k system_logs_access
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b64 -S clock_settime
-k time-change_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b32 -S clock_settime
-k time-change_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b64 -S chroot -S mount
-S umount2 -k filesystem_modification_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b32 -S chroot -S mount
-S umount2 -k filesystem_modification_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b64 -S kill -S tkill
-S tgkill -k process_termination_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b32 -S kill -S tkill
-S tgkill -k process_termination_syscall
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b64 -S sethostname -S
setdomainname -k system-locale
-a always,exit -F auid>10000 -F auid!=4294967295 -F arch=b32 -S sethostname -S
setdomainname -k system-locale
-a exit,always -F auid>10000 -F auid!=4294967295 -F arch=b64 -S execve -k
audit_trail
-a exit,always -F auid>10000 -F auid!=4294967295 -F arch=b32 -S execve -k
audit_trail
- sudo vim /etc/audit/auditd.conf
log_format = RAW
priority_boost = 3
disp_qos = lossless
dispatcher = /sbin/audispd
name_format = hostname
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SYSLOG
disk_full_action = SYSLOG
disk_error_action = SYSLOG
- sudo su
- # echo "lalala" >> /etc/testfile
- Open another console: $ sudo tail -f /var/log/audit/audit.log
** Affects: linux (Ubuntu)
Importance: Undecided
Assignee: Gavin Guo (mimi0213kimo)
Status: Incomplete
** Tags: cts precise trusty utopic
** Changed in: linux (Ubuntu)
Assignee: (unassigned) => Gavin Guo (mimi0213kimo)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1439441
Title:
Kernel provides incomplete audit information when an existing
monitored file is modified
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1439441/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
