* [PATCH] Have auditctl check the capability rather than the uid if we were compiled with cap-ng support. Check the euid rather than uid if we were compiled without cap-ng support
@ 2012-03-21 19:11 Peter Moody
From: Peter Moody @ 2012-03-21 19:11 UTC (permalink / raw)
  To: linux-audit

This is against the 2.2 release. I wasn't able to get HEAD to compile
(issues with mounttab.h that I didn't want to run down because this is
such a small patch).

Signed-off-by: Peter Moody <pmoody@google.com>
---
 trunk/src/Makefile.am |    2 +-
 trunk/src/auditctl.c  |   11 +++++++++--
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/trunk/src/Makefile.am b/trunk/src/Makefile.am
index d321233..e36bc9f 100644
--- a/trunk/src/Makefile.am
+++ b/trunk/src/Makefile.am
@@ -25,7 +25,7 @@ AUTOMAKE_OPTIONS = no-dependencies
 SUBDIRS = test
 INCLUDES = -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/src/libev
 sbin_PROGRAMS = auditd auditctl aureport ausearch autrace
-LIBS = -Lmt -lauditmt -lpthread
+LIBS = -Lmt -lauditmt -lpthread $(CAPNG_LDADD)
 AM_LDFLAGS = -pthread
 AM_CFLAGS = -D_REENTRANT -D_GNU_SOURCE -pthread
 noinst_HEADERS = auditd-config.h auditd-event.h auditd-listen.h
ausearch-llist.h ausearch-options.h auditctl-llist.h
aureport-options.h ausearch-parse.h aureport-scan.h ausearch-lookup.h
ausearch-int.h auditd-dispatch.h ausearch-string.h ausearch-nvpair.h
ausearch-common.h ausearch-avc.h ausearch-time.h ausearch-lol.h
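Review bot: `LIBS` in this Makefile.am hunk is shared by every target in `sbin_PROGRAMS` (auditd, auditctl, aureport, ausearch, autrace), so appending `$(CAPNG_LDADD)` links libcap-ng into all five binaries although only auditctl uses it in this patch; a per-target `auditctl_LDADD = ... $(CAPNG_LDADD)` keeps the dependency where it is consumed. The hunk also relies on configure already providing `CAPNG_LDADD` and `HAVE_LIBCAP_NG`; the patch touches only Makefile.am and auditctl.c, so if no such check exists the variable expands to nothing and the capability path is never built.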
diff --git a/trunk/src/auditctl.c b/trunk/src/auditctl.c
index d3643fb..936a1a0 100644
--- a/trunk/src/auditctl.c
+++ b/trunk/src/auditctl.c
@@ -36,6 +36,9 @@
 #include <errno.h>
 #include <libgen.h>	/* For basename */
 #include <limits.h>	/* PATH_MAX */
+#ifdef HAVE_LIBCAP_NG
+#include <cap-ng.h>
+#endif
 #include "libaudit.h"
 #include "private.h"

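Review bot: `#ifdef HAVE_LIBCAP_NG` is only meaningful if the configure-generated config.h is included before this point; the visible context shows errno.h, libgen.h and limits.h but not config.h, so the include order in auditctl.c should be confirmed, otherwise the guard is silently false and only the geteuid() fallback is ever compiled.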
@@ -1160,9 +1163,13 @@ int main(int argc, char *argv[])
 		return 1;
 	}
 #ifndef DEBUG
+#ifdef HAVE_LIBCAP_NG
+	/* Make sure we have the approprirate capabilities */
+	if (capng_have_capability(CAPNG_PERMITTED, CAP_AUDIT_CONTROL) != 1) {
+#else
 	/* Make sure we are root */
-	if (getuid() != 0) {
+	if (geteuid() != 0) {
+#endif
 		fprintf(stderr, "You must be root to run this program.\n");
 		return 4;
 	}
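Review bot: the message "You must be root to run this program." is now inaccurate in the libcap-ng build, where a non-root process holding CAP_AUDIT_CONTROL is accepted and a root process that has dropped that capability is refused; the capability branch should name CAP_AUDIT_CONTROL in its error text. Two smaller points in the same hunk: "approprirate" in the new comment is a typo, and testing CAPNG_PERMITTED only confirms the capability could be raised, whereas the kernel checks the effective set when auditctl talks to the audit netlink socket, so CAPNG_EFFECTIVE (or a comment explaining why permitted is sufficient) would match the runtime check.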
-- 
1.7.7.3


-- 
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038


* Please check svn was Re: [PATCH] Have auditctl check the capability...<snip>
@ 2012-03-21 21:36 ` Steve Grubb
From: Steve Grubb @ 2012-03-21 21:36 UTC (permalink / raw)
  To: linux-audit

On Wednesday, March 21, 2012 03:11:49 PM Peter Moody wrote:
> This is against the 2.2 release.

Thanks. I will apply this with probably a small change or two.

> I wasn't able to get HEAD to compile (issues with mounttab.h that didn't want
> to run down because this is such a small patch).

For anyone not on Fedora, I would appreciate if you test what's in svn even if 
it's just a quick build check. I am planning to release a new audit package soon. 
The changelog may look small, but there are thousands of lines of code added or 
modified. It's better to fix the headers before the release than after.

The next audit release has a new feature that I hope everyone will appreciate. 
Ausearch and libauparse now have the ability to interpret the arguments being 
passed to certain syscalls. I did this for a little over 40 syscalls:

 *chmod  
 *chown   
 clock_settime  
 clone  
 creat  
 epoll_ctl  
 getrlimit   
 setrlimit
 fchmod  
 fchmodat  
 fcntl  
 ipc  
 kill  
 mkdir  
 mkdirat  
 mknod  
 mmap  
 mount  
 mprotect  
 open  
 openat  
 personality  
 ptrace  
 recv  
 recvfrom  
 recvmmsg  
 recvmsg  
 rt_sigaction  
 setfsgid  
 setfsuid  
 setgid  
 setregid  
 setresgid  
 setresuid  
 setreuid  
 setuid  
 socket  
 socketcall  
 tgkill  
 tkill  

So, now you get output like this:

type=SYSCALL msg=audit(04/14/2011 20:18:28.953:3) : arch=x86_64 syscall=mmap 
success=yes exit=61440 a0=0xf000 a1=0x502 a2=PROT_READ|PROT_WRITE|PROT_EXEC 
a3=MAP_SHARED|MAP_FIXED items=0 ppid=603 pid=618 auid=unset uid=root gid=root 
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) 
ses=unset comm=vbetool exe=/usr/sbin/vbetool 
subj=system_u:system_r:vbetool_t:s0-s0:c0.c1023 key=(null) 

type=SYSCALL msg=audit(04/14/2011 20:13:34.658:3118) : arch=x86_64 syscall=mount 
success=yes exit=0 a0=0x405b22 a1=0x405469 a2=0x405b22 a3=MS_REC|MS_PRIVATE 
items=1 ppid=3467 pid=3468 auid=sgrubb uid=sgrubb gid=sgrubb euid=root suid=root 
fsuid=root egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=(none) ses=1 comm=fusermount 
exe=/bin/fusermount subj=unconfined_u:unconfined_r:unconfined_t:s0 key=export 

type=SYSCALL msg=audit(05/05/2011 19:01:46.559:205) : arch=x86_64 syscall=openat 
success=no exit=-13(Permission denied) a0=0x5 a1=0xd93660 a2=O_RDONLY|O_NOCTTY|
O_NONBLOCK|O_DIRECTORY a3=0x0 items=1 ppid=3831 pid=3832 auid=sgrubb uid=sgrubb 
gid=sgrubb euid=sgrubb suid=sgrubb fsuid=sgrubb egid=sgrubb sgid=sgrubb 
fsgid=sgrubb tty=pts2 ses=1 comm=find exe=/bin/find 
subj=unconfined_u:unconfined_r:unconfined_t:s0 key=access

The idea is to reduce the need to go digging through header files to see what 
arguments were being passed to some common and/or security related syscalls. In 
the case where a uid/gid was being passed to the syscall, it's now interpreted 
to the account name/group name.

-Steve

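The interpretation Steve describes above is a table lookup from the raw integer in a2/a3 to the flag names the kernel headers define. The following is an added example written for this page, not code from the audit project: it decodes the mmap(2) protection and flag words and the open(2)/openat(2) flag word the way the sample records show them, keeps any bit it does not know in hex rather than dropping it, and treats the open access mode as a two-bit field rather than a bitmask (O_RDONLY is 0, so it cannot be found by masking). The hex inputs in main() are constructed x86_64 values chosen to reproduce the sample output; the name tables cover only a handful of flags, not the full set ausearch knows.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <fcntl.h>

struct flag_name { unsigned long bit; const char *name; };

/* Small illustrative subsets of the real flag tables. */
static const struct flag_name prot_tbl[] = {
    { PROT_READ, "PROT_READ" }, { PROT_WRITE, "PROT_WRITE" }, { PROT_EXEC, "PROT_EXEC" },
};
static const struct flag_name map_tbl[] = {
    { MAP_SHARED, "MAP_SHARED" }, { MAP_PRIVATE, "MAP_PRIVATE" },
    { MAP_FIXED, "MAP_FIXED" }, { MAP_ANONYMOUS, "MAP_ANONYMOUS" },
};
static const struct flag_name open_tbl[] = {
    { O_CREAT, "O_CREAT" }, { O_EXCL, "O_EXCL" }, { O_NOCTTY, "O_NOCTTY" },
    { O_TRUNC, "O_TRUNC" }, { O_APPEND, "O_APPEND" }, { O_NONBLOCK, "O_NONBLOCK" },
    { O_DIRECTORY, "O_DIRECTORY" }, { O_CLOEXEC, "O_CLOEXEC" },
};

#define TBL(t) t, sizeof(t) / sizeof((t)[0])

/* Append name to out, separated by '|' when out is non-empty. */
static void append(char *out, size_t outsz, const char *name)
{
    if (out[0] != '\0')
        strncat(out, "|", outsz - strlen(out) - 1);
    strncat(out, name, outsz - strlen(out) - 1);
}

/* Render the known bits of value as NAME|NAME...; any leftover bits are
 * emitted in hex so an unexpected flag is visible instead of lost. */
static void decode_bits(unsigned long value, const struct flag_name *tbl,
                        size_t n, char *out, size_t outsz)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (value & tbl[i].bit) {
            append(out, outsz, tbl[i].name);
            value &= ~tbl[i].bit;
        }
    }
    if (value) {
        char hex[32];
        snprintf(hex, sizeof hex, "0x%lx", value);
        append(out, outsz, hex);
    }
}

/* mmap(2) a2: protection word. All-zero means PROT_NONE, not "nothing". */
const char *decode_mmap_prot(unsigned long a2, char *out, size_t outsz)
{
    out[0] = '\0';
    if (a2 == 0)
        append(out, outsz, "PROT_NONE");
    else
        decode_bits(a2, TBL(prot_tbl), out, outsz);
    return out;
}

/* mmap(2) a3: mapping flags, a plain bitmask. */
const char *decode_mmap_flags(unsigned long a3, char *out, size_t outsz)
{
    out[0] = '\0';
    decode_bits(a3, TBL(map_tbl), out, outsz);
    return out;
}

/* open(2)/openat(2) flags: the access mode lives in the O_ACCMODE bits and
 * is an enumeration, so it is decoded first; the remaining bits are flags. */
const char *decode_open_flags(unsigned long flags, char *out, size_t outsz)
{
    static const char *mode[] = { "O_RDONLY", "O_WRONLY", "O_RDWR", "O_ACCMODE" };
    out[0] = '\0';
    append(out, outsz, mode[flags & O_ACCMODE]);
    decode_bits(flags & ~(unsigned long)O_ACCMODE, TBL(open_tbl), out, outsz);
    return out;
}

int main(void)
{
    char buf[256];
    /* Constructed x86_64 raw values behind the sample records above. */
    printf("mmap   a2=0x7     -> %s\n", decode_mmap_prot(0x7, buf, sizeof buf));
    printf("mmap   a3=0x11    -> %s\n", decode_mmap_flags(0x11, buf, sizeof buf));
    printf("openat a2=0x10900 -> %s\n", decode_open_flags(0x10900, buf, sizeof buf));
    return 0;
}
```

The numeric values of the O_* and MS_* constants differ between architectures, which is why a decoder like this has to pick its table by the record's arch field; the hex fallback in decode_bits is what keeps a record readable when the table and the architecture disagree.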

* Re: Please check svn was Re: [PATCH] Have auditctl check the capability...<snip>
@ 2012-03-21 22:12   ` Peter Moody
From: Peter Moody @ 2012-03-21 22:12 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

On Wed, Mar 21, 2012 at 2:36 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Wednesday, March 21, 2012 03:11:49 PM Peter Moody wrote:
>> This is against the 2.2 release.
>
> Thanks. I will apply this with probably a small change or two.
>
>> I wasn't able to get HEAD to compile (issues with mounttab.h that didn't want
>> to run down because this is such a small patch).
>
> For anyone not on Fedora, I would appreciate if you test what's in svn even if
> its just a quick build check. I am planning to release a new audit package soon.
> The changelog may look small, but there are thousands of lines of code added or
> modified. Its better to fix the headers before the release than after.

Ubuntu Lucid (10.04, admittedly a little old):

lib/gen_tables.c is missing an include for linux/fs.h
src/ausearch-report.c is missing includes for linux/fs.h and limits.h

It refuses to build without these includes. It builds and appears to work
correctly when they're added.

> The next audit release has a new feature that I hope everyone will appreciate.
> Ausearch and libauparse now has the ability to interpret the arguments being
> passed to certain syscalls. I did this for a little over 40 syscalls:


> So, now you get output like this:
>
> type=SYSCALL msg=audit(04/14/2011 20:18:28.953:3) : arch=x86_64 syscall=mmap
> success=yes exit=61440 a0=0xf000 a1=0x502 a2=PROT_READ|PROT_WRITE|PROT_EXEC
> a3=MAP_SHARED|MAP_FIXED items=0 ppid=603 pid=618 auid=unset uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
> ses=unset comm=vbetool exe=/usr/sbin/vbetool
> subj=system_u:system_r:vbetool_t:s0-s0:c0.c1023 key=(null)
>
> type=SYSCALL msg=audit(04/14/2011 20:13:34.658:3118) : arch=x86_64 syscall=mount
> success=yes exit=0 a0=0x405b22 a1=0x405469 a2=0x405b22 a3=MS_REC|MS_PRIVATE
> items=1 ppid=3467 pid=3468 auid=sgrubb uid=sgrubb gid=sgrubb euid=root suid=root
> fsuid=root egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=(none) ses=1 comm=fusermount
> exe=/bin/fusermount subj=unconfined_u:unconfined_r:unconfined_t:s0 key=export
>
> type=SYSCALL msg=audit(05/05/2011 19:01:46.559:205) : arch=x86_64 syscall=openat
> success=no exit=-13(Permission denied) a0=0x5 a1=0xd93660 a2=O_RDONLY|O_NOCTTY|
> O_NONBLOCK|O_DIRECTORY a3=0x0 items=1 ppid=3831 pid=3832 auid=sgrubb uid=sgrubb
> gid=sgrubb euid=sgrubb suid=sgrubb fsuid=sgrubb egid=sgrubb sgid=sgrubb
> fsgid=sgrubb tty=pts2 ses=1 comm=find exe=/bin/find
> subj=unconfined_u:unconfined_r:unconfined_t:s0 key=access
>
> The idea is to reduce the need to go digging through header files to see what
> arguments were being passed to some common and/or security related syscalls. In
> the case where a uid/gid was being passed to the syscall, its now interpretted
> to the account name/group name.

Awesome! I had to implement something like this in post-processing for
signal generation.

Cheers,
peter

> -Steve



-- 
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038


* Re: Please check svn was Re: [PATCH] Have auditctl check the capability...<snip>
@ 2012-03-22 12:55     ` Steve Grubb
From: Steve Grubb @ 2012-03-22 12:55 UTC (permalink / raw)
  To: Peter Moody; +Cc: linux-audit

On Wednesday, March 21, 2012 06:12:31 PM Peter Moody wrote:
> lib/gen_tables.c is missing an include for linux/fs.h
> src/ausearch-report.c is missing includes for linux/fs.h and limits.h
> 
> refuses to build w/o these includes. builds and appears to work
> correctly when they're added.

I think I have these fixed in svn, do you mind pulling a fresh copy and checking 
it? The limits.h include is fine. But I made the fs.h inclusion optional because 
it sounds like broken headers. It should autodetect the problem, but it needs 
checking.

If no one else has any issues to report we should be ready to do a release.

Thanks,
-Steve


* Re: Please check svn was Re: [PATCH] Have auditctl check the capability...<snip>
@ 2012-03-22 15:47       ` Peter Moody
From: Peter Moody @ 2012-03-22 15:47 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

On Thu, Mar 22, 2012 at 5:55 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Wednesday, March 21, 2012 06:12:31 PM Peter Moody wrote:
>> lib/gen_tables.c is missing an include for linux/fs.h
>> src/ausearch-report.c is missing includes for linux/fs.h and limits.h
>>
>> refuses to build w/o these includes. builds and appears to work
>> correctly when they're added.
>
> I think I have these fixed in svn, do you mind pulling a fresh copy and checking
> it? The limits.h include is fine. But I made the fs.h inclusion optional because
> it sounds like broken headers. It should autodetect the problem, but its needs
> checking.

The build fails with the following error:

In file included from ../lib/gen_tables.c:80:
./mounttab.h:31: error: 'MS_DIRSYNC' undeclared here (not in a function)
./mounttab.h:35: error: 'MS_MOVE' undeclared here (not in a function)
./mounttab.h:36: error: 'MS_REC' undeclared here (not in a function)
./mounttab.h:37: error: 'MS_SILENT' undeclared here (not in a function)
./mounttab.h:38: error: 'MS_POSIXACL' undeclared here (not in a function)
./mounttab.h:39: error: 'MS_UNBINDABLE' undeclared here (not in a function)
./mounttab.h:40: error: 'MS_PRIVATE' undeclared here (not in a function)
./mounttab.h:41: error: 'MS_SLAVE' undeclared here (not in a function)
./mounttab.h:42: error: 'MS_SHARED' undeclared here (not in a function)
./mounttab.h:43: error: 'MS_RELATIME' undeclared here (not in a function)
./mounttab.h:44: error: 'MS_KERNMOUNT' undeclared here (not in a function)
./mounttab.h:45: error: 'MS_I_VERSION' undeclared here (not in a function)
./mounttab.h:49: error: 'MS_ACTIVE' undeclared here (not in a function)
./mounttab.h:50: error: 'MS_NOUSER' undeclared here (not in a function)
make[2]: *** [gen_mounttabs_h-gen_tables.o] Error 1


> If no one else has any issues to report we should be ready to do a release.
>
> Thanks,
> -Steve



-- 
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038
