linux/kernel/auditfilter.c, branch v4.15Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
https://git.shady.money/linux/atom?h=v4.152017-11-10T21:08:56Zaudit: filter PATH records keyed on filesystem magic2017-11-10T21:08:56ZRichard Guy Briggsrgb@redhat.com2017-08-23T11:03:39Zurn:sha1:42d5e37654e4cdb9fb2e2f3ab30045fee35c42d8
Tracefs or debugfs were causing hundreds to thousands of PATH records to
be associated with the init_module and finit_module SYSCALL records on a
few modules when the following rule was in place for startup:
-a always,exit -F arch=x86_64 -S init_module -F key=mod-load
Provide a method to ignore these large number of PATH records from
overwhelming the logs if they are not of interest. Introduce a new
filter list "AUDIT_FILTER_FS", with a new field type AUDIT_FSTYPE,
which keys off the filesystem 4-octet hexadecimal magic identifier to
filter specific filesystem PATH records.
An example rule would look like:
-a never,filesystem -F fstype=0x74726163 -F key=ignore_tracefs
-a never,filesystem -F fstype=0x64626720 -F key=ignore_debugfs
Arguably the better way to address this issue is to disable tracefs and
debugfs on boot from production systems.
See: https://github.com/linux-audit/audit-kernel/issues/16
See: https://github.com/linux-audit/audit-userspace/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
[PM: fixed the whitespace damage in kernel/auditsc.c]
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: kernel generated netlink traffic should have a portid of 02017-05-02T14:16:05ZPaul Moorepaul@paul-moore.com2017-05-02T14:16:05Zurn:sha1:45a0642b4d021a2f50d5db9c191b5bfe60bfa1c7
We were setting the portid incorrectly in the netlink message headers,
fix that to always be 0 (nlmsg_pid = 0).
Signed-off-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
audit: remove unnecessary semicolon in audit_field_valid()2017-05-02T14:16:03ZNicholas Mc Guireder.herr@hofr.at2017-05-02T14:16:03Zurn:sha1:b7a84deaf8d1b0e62b437a290a40d6380975f126
The excess ; after the closing parenthesis is just code-noise it has no
and can be removed.
Signed-off-by: Nicholas Mc Guire <der.herr@hofr.at>
[PM: tweak subject line]
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: add support for session ID user filter2016-11-29T20:10:12ZRichard Guy Briggsrgb@redhat.com2016-11-20T21:47:55Zurn:sha1:8fae47705685fcaa75a1fe4c8c3e18300a702979
Define AUDIT_SESSIONID in the uapi and add support for specifying user
filters based on the session ID. Also add the new session ID filter
to the feature bitmap so userspace knows it is available.
https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
[PM: combine multiple patches from Richard into this one]
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: fix formatting of AUDIT_CONFIG_CHANGE events2016-11-20T20:38:00ZSteve Grubbsgrubb@redhat.com2016-11-16T21:14:33Zurn:sha1:c1e8f06d7a0eea232ce0767471e1b4756ccab70a
The AUDIT_CONFIG_CHANGE events sometimes use a op= field. The current
code logs the value of the field with quotes. This field is documented
to not be encoded, so it should not have quotes.
Signed-off-by: Steve Grubb <sgrubb@redhat.com>
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
[PM: reformatted commit description to make checkpatch.pl happy]
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: add fields to exclude filter by reusing user filter2016-06-27T15:01:00ZRichard Guy Briggsrgb@redhat.com2016-06-24T20:35:46Zurn:sha1:86b2efbe3a390e07dbba725ef700b0d143e9a385
RFE: add additional fields for use in audit filter exclude rules
https://github.com/linux-audit/audit-kernel/issues/5
Re-factor and combine audit_filter_type() with audit_filter_user() to
use audit_filter_user_rules() to enable the exclude filter to
additionally filter on PID, UID, GID, AUID, LOGINUID_SET, SUBJ_*.
The process of combining the similar audit_filter_user() and
audit_filter_type() functions, required inverting the meaning and
including the ALWAYS action of the latter.
Include audit_filter_user_rules() into audit_filter(), removing
unneeded logic in the process.
Keep the check to quit early if the list is empty.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
[PM: checkpatch.pl fixes - whitespace damage, wrapped description]
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: fix some horrible switch statement style crimes2016-06-16T21:08:19ZPaul Moorepaul@paul-moore.com2016-06-16T21:08:19Zurn:sha1:66b12abc846d31e75fa5f2f31db1396ddfa8ee4a
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: fixup: log on errors from filter user rules2016-05-31T16:06:59ZRichard Guy Briggsrgb@redhat.com2016-05-16T02:47:39Zurn:sha1:2b4c7afe79a8a0a0e05edeaded5653c190153f9b
In commit 724e4fcc the intention was to pass any errors back from
audit_filter_user_rules() to audit_filter_user(). Add that code.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: Fix typo in comment2016-02-08T16:25:39ZWei Yuanweiyuan.wei@huawei.com2016-02-06T07:39:47Zurn:sha1:fd97646b05957348e01be3d9de5c3d979b25c819
Signed-off-by: Weiyuan <weiyuan.wei@huawei.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
audit: fix comment block whitespace2015-11-04T13:23:51ZScott Matheinascott@matheina.com2015-11-04T13:23:51Zurn:sha1:725131efa52812973afda6ff3fbeec6cc22882a5
Signed-off-by: Scott Matheina <scott@matheina.com>
[PM: fixed subject line]
Signed-off-by: Paul Moore <pmoore@redhat.com>