linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

BUG: watches on executable symlinks are not working #94

Open stevegrubb opened 6 years ago

stevegrubb commented 6 years ago

Watches on execution of a program seem to not be working on the 4.17 kernel.

$ which ping
/usr/sbin/ping
$ auditctl -w /usr/sbin/ping -p x -k test
$ ping yahoo.com
PING yahoo.com (98.137.246.7) 56(84) bytes of data.
64 bytes from media-router-fp1.prod1.media.vip.gq1.yahoo.com (98.137.246.7): icmp_seq=1 ttl=43 time=117 ms
^C
--- yahoo.com ping statistics ---
3 packets transmitted, 2 received, 33% packet loss, time 2000ms
rtt min/avg/max/mdev = 117.128/119.354/121.580/2.226 ms
$ auditctl -W /usr/sbin/ping -p x -k test
$ ausearch --start recent -k test -m syscall

Just to make sure that something in old style watches was causing the problem, we try again using the new syntax:

$ auditctl -a always,exit -F path=/usr/sbin/ping -F perms=x -F key=test
-F unknown field: perms
$ auditctl -a always,exit -F path=/usr/sbin/ping -F perm=x -F key=test
$ ping www.yahoo.com
PING atsv2-fp.wg1.b.yahoo.com (72.30.35.10) 56(84) bytes of data.
64 bytes from media-router-fp2.prod1.media.vip.bf1.yahoo.com (72.30.35.10): icmp_seq=1 ttl=44 time=62.6 ms
^C
--- atsv2-fp.wg1.b.yahoo.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 62.631/62.787/62.944/0.295 ms
$ auditctl -d always,exit -F path=/usr/sbin/ping -F perm=x -F key=test
$ ausearch --start recent -k test -m syscall

We should have gotten an event both ways.

stevegrubb commented 6 years ago

The 4.16 kernel is also affected.

stevegrubb commented 6 years ago

I checked the 4.12 kernel, it seems to also have the problem. This is the oldest kernel I have available.

pcmoore commented 6 years ago

My network access is unreliable, but I happen to have it for the moment so I did a quick test on an upstream kernel (the only one I have immediate access to for testing):

# uname -r
4.18.0-0.rc2.git4.1.fc29.x86_64
# auditctl -l
No rules
# which id
/usr/bin/id
# auditctl -a always,exit -S all -F exe=/usr/bin/id -k ghak94
# ausearch -k ghak94 
----
time->Fri Jul  6 06:47:46 2018
type=CONFIG_CHANGE msg=audit(1530874066.583:605):  auid=0 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=add_rule key="ghak94" list=4 res=1
# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# ausearch -k ghak94 | wc -l
670
# ausearch -k ghak94 | tail -n 5
type=SYSCALL msg=audit(1530874095.277:750): arch=c000003e syscall=3 success=yes exit=0 a0=2 a1=1 a2=7f8570913760 a3=0 items=0 ppid=572 pid=751 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="id" exe="/usr/bin/id" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="ghak94"
----
time->Fri Jul  6 06:48:15 2018
type=PROCTITLE msg=audit(1530874095.277:751): proctitle="id"
type=SYSCALL msg=audit(1530874095.277:751): arch=c000003e syscall=231 a0=0 a1=3c a2=0 a3=7ffcef8b5bce items=0 ppid=572 pid=751 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="id" exe="/usr/bin/id" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="ghak94"

... granted this is one small test, but it appears to be a case of WORKSFORME. Further, I do test this at least once a week, typically more, using the audit-testsuite, which does contain a test for this functionality:

bunnyyTheFreak commented 6 years ago

https://github.com/Exynos7580/android_device_samsung_a5xeltexx/issues/7

Please help me, guys; I am unable to resolve this issue...

pcmoore commented 6 years ago

Unless I'm mistaken @BunsExynos, that issue appears unrelated to this problem mentioned here, yes?

rgbriggs commented 6 years ago

@pcmoore your test works fine because it is watching a regular file. @stevegrubb's test file is a symlink, so this is another related issue, as he has indicated: https://bugzilla.redhat.com/show_bug.cgi?id=1421794

pcmoore commented 6 years ago

@rgbriggs let's be sure to add a soft link test to the exec_name test in the test suite once this is resolved. We should probably add a test for a hard link too for the sake of completeness.

pcmoore commented 6 years ago

@rgbriggs I'm going to assign this to you since it looks like this is already on your todo list, if not please let me know and I'll reassign it.

remotekernel commented 4 years ago

Is this issue resolved? I want to watch power operations as below but I couldn't trigger audit event.

[root@instance-2 ~]# uname -a
Linux instance-2 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[root@instance-2 ~]# cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
[root@instance-2 ~]# grep power /etc/audit/rules.d/power.rules
-w /sbin/shutdown -p x -k power
-w /sbin/poweroff -p x -k power
-w /sbin/reboot -p x -k power
-w /sbin/halt -p x -k power
[root@instance-2 ~]# file /sbin/{halt,poweroff,reboot,shutdown}
/sbin/halt:     symbolic link to `../bin/systemctl'
/sbin/poweroff: symbolic link to `../bin/systemctl'
/sbin/reboot:   symbolic link to `../bin/systemctl'
/sbin/shutdown: symbolic link to `../bin/systemctl'

rgbriggs commented 4 years ago

On 2020-11-16 11:05, remotekernel wrote:

Is this issue resolved?

Not yet. It hasn't been abandoned.

I want to watch power operations as below but I couldn't trigger audit event.

This has always been an issue with no obvious solution. We can't monitor the execution binary directly since it will falsely trigger on any use of that binary, filling the logs and crowding out important events. We may be able to match the execution binary dev/inode along with the last element of the path in arg[0], since this latter is generally used to trigger behaviour in multicall binaries.
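The approach described in the comment above (match the multicall binary, then look at the last path element of argv[0]) can be done today in user space over the audit log, pairing each execve SYSCALL record with its EXECVE record by event serial. The following is an added example, not code from this issue or from the audit project; it matches the binary by its exe path rather than dev/inode, and the log lines are constructed for the example.

```python
import re
from collections import defaultdict
from os.path import basename

# Names that power.rules tries to watch; on CentOS 7 each is a symlink to
# systemctl, so a path watch on the link itself never fires on execution.
WATCHED_NAMES = {"shutdown", "poweroff", "reboot", "halt"}
MULTICALL_EXE = "/usr/bin/systemctl"  # assumed resolved target of the links

SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed raw audit.log records: one reboot via the symlink, one plain
# systemctl status call, one unrelated execve.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1605541234.123:900): arch=c000003e syscall=59 success=yes exit=0 pid=1201 auid=1000 uid=0 comm="systemctl" exe="/usr/bin/systemctl" key=(null)
type=EXECVE msg=audit(1605541234.123:900): argc=1 a0="/sbin/reboot"
type=SYSCALL msg=audit(1605541300.456:901): arch=c000003e syscall=59 success=yes exit=0 pid=1210 auid=1000 uid=0 comm="systemctl" exe="/usr/bin/systemctl" key=(null)
type=EXECVE msg=audit(1605541300.456:901): argc=2 a0="systemctl" a1="status"
type=SYSCALL msg=audit(1605541350.789:902): arch=c000003e syscall=59 success=yes exit=0 pid=1220 auid=1000 uid=0 comm="ls" exe="/usr/bin/ls" key=(null)
type=EXECVE msg=audit(1605541350.789:902): argc=1 a0="ls"
""".splitlines()


def parse_record(line):
    """Split one raw audit record into (event serial, record type, fields)."""
    serial = SERIAL_RE.search(line).group(2)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return serial, fields.get("type"), fields


def find_power_invocations(lines, multicall_exe=MULTICALL_EXE):
    """Return (serial, invoked name, auid, pid) for every execve of the
    multicall binary whose argv[0] basename is one of the watched names."""
    events = defaultdict(dict)
    for line in lines:
        serial, rtype, fields = parse_record(line)
        events[serial][rtype] = fields
    hits = []
    for serial, recs in events.items():
        sc, ex = recs.get("SYSCALL"), recs.get("EXECVE")
        if not sc or not ex or sc.get("exe") != multicall_exe:
            continue  # not an execve of the multicall binary, or incomplete event
        name = basename(ex.get("a0", ""))
        if name in WATCHED_NAMES:
            hits.append((serial, name, sc.get("auid"), sc.get("pid")))
    return hits
```

Only the event where systemctl was entered through the reboot symlink is reported; the ordinary systemctl call and the unrelated execve are ignored, which is the noise problem the comment describes.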

takakawa commented 10 months ago

Same here on 4.19.110-300.el7.x86_64. Unable to directly monitor the iptables command, because it is symlinked.

/usr/sbin/iptables -> xtables-multi