linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

BUG: loading or unloading the debugfs kernel module results in 1000's of PATH records #8

Closed pcmoore closed 5 years ago

pcmoore commented 8 years ago

All we really want is the kernel module name. Reproducer is below:

1. Add "-a always,exit -F arch=x86_64 -S init_module -F key=mod-load" to the audit rules
2. Reboot the system
3. Run 'ausearch --start today -k mod-load -i | less'
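
Step 3 of the reproducer above relies on eyeballing `ausearch` output. The following is an added example, not code from the original issue or from the audit project, that parses raw audit.log records, groups them by event serial, counts the PATH records attached to each event and reports the path prefix that dominates, so the filesystem producing the noise can be named. The sample log lines, syscall numbers, timestamps and paths are constructed for the example; `threshold` is an arbitrary cut-off, not an audit setting.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of raw audit.log records (not taken from the issue):
# event 100 is an init_module call carrying the mod-load key with several
# PATH records under debugfs; event 101 is an unrelated open() with one PATH.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1492000000.123:100): arch=c000003e syscall=175 success=yes exit=0 comm="modprobe" exe="/usr/sbin/modprobe" key="mod-load"
type=PATH msg=audit(1492000000.123:100): item=0 name="/sys/kernel/debug/tracing" nametype=NORMAL
type=PATH msg=audit(1492000000.123:100): item=1 name="/sys/kernel/debug/tracing/events" nametype=NORMAL
type=PATH msg=audit(1492000000.123:100): item=2 name="/sys/kernel/debug/tracing/events/xfs" nametype=NORMAL
type=PATH msg=audit(1492000000.123:100): item=3 name="/sys/kernel/debug/tracing/events/xfs/enable" nametype=NORMAL
type=PROCTITLE msg=audit(1492000000.123:100): proctitle=6D6F6470726F6265
type=SYSCALL msg=audit(1492000001.000:101): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/usr/bin/cat" key="file-open"
type=PATH msg=audit(1492000001.000:101): item=0 name="/etc/hostname" nametype=NORMAL
"""

# "type=<RECORD> msg=audit(<timestamp>:<serial>): <fields>"
RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(body):
    """Turn the record body into a dict, stripping quotes from quoted values."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(body)}


def parse_events(text):
    """Group raw audit records by event serial: {serial: [(type, fields), ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # skip anything that is not a raw audit record
        events[int(m['serial'])].append((m['type'], parse_fields(m['body'])))
    return dict(events)


def path_record_count(records):
    """Number of PATH records attached to one event."""
    return sum(1 for rtype, _ in records if rtype == 'PATH')


def event_key(records):
    """The audit rule key from the event's SYSCALL record, if any."""
    for rtype, fields in records:
        if rtype == 'SYSCALL':
            return fields.get('key')
    return None


def find_noisy_events(text, threshold=3):
    """Return (serial, key, path_count) for events with more than `threshold` PATH records."""
    noisy = []
    for serial, records in sorted(parse_events(text).items()):
        n = path_record_count(records)
        if n > threshold:
            noisy.append((serial, event_key(records), n))
    return noisy


def top_path_prefixes(records, depth=3):
    """Count an event's PATH names by their first `depth` components (most common first).

    For the reproducer this points at the mount (e.g. /sys/kernel/debug) that
    generated the records, which is what an audit rule would need to filter on.
    """
    counts = Counter()
    for rtype, fields in records:
        if rtype != 'PATH' or 'name' not in fields:
            continue
        parts = fields['name'].split('/')          # absolute path: parts[0] == ''
        counts['/'.join(parts[:depth + 1])] += 1
    return counts.most_common()


if __name__ == '__main__':
    events = parse_events(SAMPLE_LOG)
    for serial, key, n in find_noisy_events(SAMPLE_LOG):
        print(f"event {serial} key={key}: {n} PATH records")
        for prefix, count in top_path_prefixes(events[serial])[:3]:
            print(f"  {count:5d}  {prefix}")
```

On a real system the input would be `ausearch --start today -k mod-load --raw` (or the audit.log file itself) rather than the constructed sample; the grouping by serial is what lets one count PATH records per init_module call instead of scrolling through them.
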
pcmoore commented 8 years ago

See issue #7 as a related issue.

rgbriggs commented 7 years ago

@pcmoore The title of this issue mentions the debugfs kernel module. I see no such module in several distros but it appears to be a builtin. What distro exhibits this behaviour and how did you trace it to the debugfs kernel module? I am seeing this unwanted behaviour with the modprobe command on fs-nfs4 and nfsv4 services, but they are in use and I am trying to figure out a way to trigger this behaviour on demand rather than depending on a reboot.

rgbriggs commented 7 years ago

@pcmoore I guess this also begs the larger question about the audit-testsuite being able to do reboot tests.

rgbriggs commented 7 years ago

Pushed a preliminary commit to my fork for RFC: https://github.com/rgbriggs/audit-testsuite/commit/1b00d163f0c1a1cea56acb94972b78a373e59bda

pcmoore commented 7 years ago

@rgbriggs This is an old bug report taken from the Red Hat Bugzilla. I believe it originally came from @stevegrubb, perhaps he has more information he could share.

pcmoore commented 7 years ago

> @pcmoore I guess this also begs the larger question about the audit-testsuite being able to do reboot tests.

To follow up on our offline conversation: tests that don't easily fit within the automated audit-testsuite can be placed in a tests_manual directory in the audit-testsuite.

rgbriggs commented 7 years ago

@pcmoore Here's an update moved to tests_manual with a readme: https://github.com/rgbriggs/audit-testsuite/commit/045c23950a533b25b402afa5cab80a804cd75f17

pcmoore commented 7 years ago

One more comment, let's just call it "syscall_module_path", we don't need the "spam" part at the end ;)

rgbriggs commented 7 years ago

Anything else?

rgbriggs commented 7 years ago

Update: https://github.com/rgbriggs/audit-testsuite/commit/2d0004c89df306c928eecb3d27e40f8017c0c314

pcmoore commented 7 years ago

Did you see the comments I made to the patch?

pcmoore commented 7 years ago

To be clear, the comments were attached to https://github.com/rgbriggs/audit-testsuite/commit/045c23950a533b25b402afa5cab80a804cd75f17.

rgbriggs commented 7 years ago

Ok, got those too... https://github.com/rgbriggs/audit-testsuite/commit/7ff7ebc02553aa0a30d29d3f0c84e8013d5fce51

pcmoore commented 7 years ago

My previous comments about the rules still apply (comment added inline).

rgbriggs commented 7 years ago

Ok, updated: https://github.com/rgbriggs/audit-testsuite/commit/ab2bb3f95047371f89a0338823893f82b18e97a3 It will be of limited use on RHEL6 due to the missing PROCTITLE record, but will still detect the bug. A more deterministic way of expressing the date/time to ausearch would help.

pcmoore commented 7 years ago

@rgbriggs the test looks reasonable, want to create an audit-testsuite PR?

rgbriggs commented 7 years ago

Ugh, I just noticed that it is based on my ghak7 test, so I'll rebase it to HEAD first.

rgbriggs commented 7 years ago

Ok, untangled from ghak7 test case... https://github.com/linux-audit/audit-testsuite/pull/42

rgbriggs commented 7 years ago

Kernel patch posted upstream:
https://www.redhat.com/archives/linux-audit/2017-April/msg00011.html
https://www.redhat.com/archives/linux-audit/2017-April/msg00012.html

Userspace issue created: https://github.com/linux-audit/audit-userspace/issues/15

Userspace patch posted upstream: https://www.redhat.com/archives/linux-audit/2017-April/msg00009.html

rgbriggs commented 7 years ago

Discussion about enabling DebugFS and TraceFS by default on production distributions. https://github.com/linux-audit/audit-documentation/wiki/TraceFS-and-DebugFS-on-production-distributions

rgbriggs commented 7 years ago

Userspace patch v3 posted upstream: https://www.redhat.com/archives/linux-audit/2017-June/msg00071.html

Update feature bitmap macro to reflect the filter name change: https://www.redhat.com/archives/linux-audit/2017-June/msg00072.html

rgbriggs commented 7 years ago

Kernel patch ALT4 V3 posted upstream: https://www.redhat.com/archives/linux-audit/2017-August/msg00073.html

pcmoore commented 7 years ago

Merged patch 1/2 via 41e1f7b7776be704906742120db908b8d34e10ff

rgbriggs commented 7 years ago

Tests brought up to date. First test patch tests first kernel patch, second test patch tests second kernel patch: https://github.com/linux-audit/audit-testsuite/pull/42

rgbriggs commented 7 years ago

Upstream in git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git next:
41e1f7b audit: show fstype:pathname for entries with anonymous parents
3d7810b audit: filter PATH records keyed on filesystem magic

stevegrubb commented 6 years ago

Please put the file system type in a field all by itself called "fstype". You can just leave it as the hex magic number prepended with 0x and user space can do the lookup from there. Also, put it at the end of the record; it's OK if this field appears and disappears based on file system type. In general, this field will rarely appear and we can suppress the event generation with audit rules.

rgbriggs commented 6 years ago

The first problem is that this should be an untrusted field, so switching from audit_log_format() to audit_log_untrustedstring() would fix that.

I'm fine with creating and appending a field called fstype.

This still leaves us with a relative path that appears to be an absolute path which is arguably less correct. One way to be less misleading is to remove the leading "./" or "/" so that it isn't explicitly anchored on root or CWD and instead use another special symbol (this is essentially what the original patch does). Another suggestion was made to use the nametype field, instead of "NORMAL", make it "RELA", "NOMOUNT" or "NOMNTPT".

rgbriggs commented 6 years ago

Posted patchset v4 to add partial pathname, filesystem type and new file types to indicate anonymous entries, also fix memleak and don't trust filename: https://lkml.org/lkml/2018/2/12/1 https://www.redhat.com/archives/linux-audit/2018-February/msg00020.html

rgbriggs commented 5 years ago

Since one of the two parts of the solution has been accepted upstream, I'm closing this issue to indicate the filter is done and pushing the other solution (giving a name to the anonymous PATH records) into a new issue to indicate partial completion. See: https://github.com/linux-audit/audit-kernel/issues/108

rgbriggs commented 5 years ago

I don't have permission to close issues. Please close this issue.