From: Joe Nall <joe@nall.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: reactive audit proposal
Date: Wed, 13 May 2020 11:47:07 -0500 [thread overview]
Message-ID: <F2185CAB-D941-43EF-B04B-C9BE6D203C5E@nall.com> (raw)
In-Reply-To: <1718624.Kgxutyrx4h@x2>
> On May 12, 2020, at 7:36 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>
> On Tuesday, May 12, 2020 8:31:45 PM EDT Joe Nall wrote:
>>> On May 12, 2020, at 7:22 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>>>
>>> Hello,
>>>
>>> I wanted to run this by the crowd to see what people's reaction might be.
>>>
>>> The audit system sometimes needs to have rules applied when something
>>> happens. For example, if someone plugs in a USB flash drive, the system
>>> creates the device in /dev and then automatically mounts it under some
>>> circumstances.
>>>
>>> I would propose 2 new additions to the audit rule syntax: on-mount and
>>> on-login.These rules would be in a separate file from the main audit
>>> rules. When a file system is mounted, /proc/mounts changes and the mount
>>> table can be scanned to see if something new is there. In this way we
>>> can reliably detect newly mounted filesystems. We can then match against
>>> a specifier to see if this is a file system in which we want to apply
>>> new rules. If so, we send the new rules to the kernel. When the device
>>> is unmounted, the kernel drops all watches on that file system. So, we
>>> only need to worry about when a device is mounted.
>>>
>>> This works good for anything that gets mounted. But it is also possible
>>> for a USB flash drive to be accessed as a block device, such as the dd
>>> utility. If we had to detect device discovery, there is a netlink group,
>>> NETLINK_KOBJECT_UEVENT which we could monitor for events. The only thing
>>> is that we could only detect open/read/write/close/ioctl/lseek. And we
>>> probably do not want to monitor anything except block devices.
>>>
>>> It may also be possible to poll /sys/block to watch for changes. This
>>> might be easier as the names are more friendly. This would take some
>>> research to see if its even possible.
>>>
>>> The rule syntax could look something like:
>>> on=mount mount=/run/user/1000 : -a exit,always ...
>>> on=device device=/dev/sdd : -a exit,always ...
>>>
>>> The on-login event would simply watch the audit trail for any AUDIT_LOGIN
>>> events. That event can be parsed to get the new auid. If the auid matches
>>> any rules, then it will load them into the kernel. To remove the rules,
>>> we
>>> could watch for the AUDIT_USER_END event. The only issue is that we would
>>> need to track how many sessions the user has open and remove the rules
>>> only when the last session closes out.
>>>
>>> The rules for this might look something like this:
>>> on=login auid=1000 : -a exit,always ...
>>>
>>> The question is whether or not this should be done as part of the audit
>>> daemon or as a plugin for the audit daemon. One advantage of doing this
>>> as
>>> a plugin is that it will keep the audit daemon focused on getting events
>>> and distributing them. Any programming mistake in the plugin will crash
>>> it
>>> and not the daemon. The tradeoff is that it will get the event slightly
>>> after auditd sees it. This only matters for the on-login functionality.
>>> The device and mount events come from an entirely different source. And
>>> I'm sure that in every case, the program will react faster than a user
>>> possibily can winning the race evry time.
>>>
>>> Thoughts?
>>
>> Would bind mounts trigger these rules? I'm sitting next to a box with 10k
>> polyinstantiated bind mounts right now.
>
> If you do cat /proc/mounts do you see 10k entries?
No. This is over many users and applications launched with different contexts.
This morning, on a machine with one user, as a permissive root/sysadm_t:
cat /proc/*/mounts | grep inst | wc -l
2046
and from a user terminal session:
cat /proc/mounts | wc -l
218
> And do you want them or do you think they are harmful?
I thought they were all intentional when I started typing, but you have sent me down a rabbit hole looking into this :(
I like this idea, I just want to make sure that our atypical use case does not break it or vice versa.
cheers,
joe
>
> -Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2020-05-13 16:47 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-13 0:22 reactive audit proposal Steve Grubb
2020-05-13 0:31 ` Joe Nall
2020-05-13 0:36 ` Steve Grubb
2020-05-13 16:47 ` Joe Nall [this message]
[not found] ` <2037581034.269445.1589390222295@mail.yahoo.com>
2020-05-13 18:03 ` Steve Grubb
2020-05-14 8:55 ` Burn Alting
2020-05-14 13:32 ` Richard Guy Briggs
2020-05-14 14:47 ` Steve Grubb
2020-05-14 15:14 ` Richard Guy Briggs
2020-05-15 15:00 ` Lenny Bruzenak
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=F2185CAB-D941-43EF-B04B-C9BE6D203C5E@nall.com \
--to=joe@nall.com \
--cc=linux-audit@redhat.com \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.