BUG: rules with 'exit' filter do not generate any audit events #138

The-Mule · 2022-08-10T14:31:37Z

Hello folks, long time no see :).

on Fedora I am trying to catch syscalls with a specific exit value (EACCES=-13) by the following rule:

# auditctl -a always,exit -S all -F exit=-13 -F key=eacces
# auditctl -l
-a always,exit -S all -F exit=-EACCES -F key=eacces

I am triggering the EACCES syscall as follows:

# useradd testuser
# su - testuser
$ whoami
$ date
10:01:34
$ cat /etc/shadow
cat: /etc/shadow: Permission denied
$ strace -f cat /etc/shadow 2>strace.log
$ grep -e shadow  strace.log | grep EACCES
openat(AT_FDCWD, "/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
$ logout

But there are no events generated:

# ausearch -ts 10:01:34 -k eacces
<no matches>
# ausearch -ts 10:01:34 
----
time->Wed Aug 10 10:01:34 2022
type=SERVICE_STOP msg=audit(1660140094.799:510): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
----
time->Wed Aug 10 10:01:44 2022
type=USER_END msg=audit(1660140104.987:511): pid=1229 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_umask,pam_xauth acct="testuser" exe="/usr/bin/su" hostname=? addr=? terminal=/dev/pts/0 res=success'
----
time->Wed Aug 10 10:01:44 2022
type=CRED_DISP msg=audit(1660140104.987:512): pid=1229 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_rootok acct="testuser" exe="/usr/bin/su" hostname=? addr=? terminal=/dev/pts/0 res=success'
----
time->Wed Aug 10 10:01:54 2022
type=SERVICE_STOP msg=audit(1660140114.793:513): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
----
time->Wed Aug 10 10:01:54 2022
type=BPF msg=audit(1660140114.798:514): prog-id=0 op=UNLOAD
----
time->Wed Aug 10 10:01:54 2022
type=BPF msg=audit(1660140114.798:515): prog-id=0 op=UNLOAD

What I would expect is to see something like this:

type=PROCTITLE msg=audit(...) : proctitle=bash -c cat /etc/shadow 
type=PATH msg=audit(...) ...
type=CWD msg=audit(...) : ...
type=SYSCALL msg=audit(...) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) ... uid=testuser gid=testuser euid=testuser suid=testuser fsuid=testuser egid=testuser sgid=testuser fsgid=testuser tty=(none) ses=4 comm=cat exe=/usr/bin/cat ... key=eacces

This worked until 5.15.18-100.fc34.x86_64 and stop working in 5.16.5-100.fc34.x86_64 and it is like that since then (i.e. also with 5.19.0-0.rc2.21.fc37.x86_64) It seems to be related to commit 12c5e81 (it is also possible we are wrong here).

Is there perhaps something I am doing wrong?

The text was updated successfully, but these errors were encountered:

pcmoore · 2022-08-10T18:33:08Z

Hmm, two things come to mind for debugging next steps:

The audit_state enum does not have explicit assignments so it's possible that the context->current_state check in __audit_syscall_exit() may not be triggering. You could try rewriting that to something like the following:

        if (context->current_state != AUDIT_STATE_RECORD)
                goto out;

While I don't think this is an issue, you could try immediately returning in audit_reset_context(), making it effectively a noop. This is obviously not a fix, but it would help to potentially narrow down the root cause ... although I would try the change above first.

@The-Mule do you think you could take a shot at debugging this further?

WOnder93 · 2022-08-10T18:50:33Z

Just a hunch, but did you try exit=EACCES instead of exit=-EACCES?

rgbriggs · 2022-08-10T19:05:41Z

On 2022-08-10 11:50, Ondrej Mosnáček wrote: Just a hunch, but did you try `exit=EACCES` instead of `exit=-EACCES`?

I have tried both, but no difference.

rgbriggs · 2022-08-10T19:16:24Z

On 2022-08-10 11:33, Paul Moore wrote: @The-Mule do you think you could take a shot at debugging this further?

I'd already started looking at this... I'll start with your suggestions.

pcmoore · 2022-08-10T19:30:53Z

Great, let us know what you find out ... and please don't limit yourself to just my suggestions above :)

rgbriggs · 2022-08-11T01:41:35Z

On 2022-08-10 12:31, Paul Moore wrote: Great, let us know what you find out ... and please don't limit yourself to just my suggestions above :)

Ok, first suggestion is a bust. No change in behaviour.

sergio-correia · 2022-08-11T19:30:58Z

I don't fully understand the interactions here, but this seems to help: https://gist.github.com/sergio-correia/acf68f7d0a5afe39ce42e39197d4af9d -- @rgbriggs: could please try it out and check if it makes sense?

rgbriggs · 2022-08-11T21:29:49Z

On 2022-08-11 12:31, Sergio Correia wrote: I don't fully understand the interactions here, but this seems to help: https://gist.github.com/sergio-correia/acf68f7d0a5afe39ce42e39197d4af9d -- @rgbriggs: could please try it out and check if it makes sense?

That doesn't change anything here. How did you come up with this?

rgbriggs · 2022-08-25T03:13:03Z

posted v1: [PATCH ghak138] audit: move audit_return_fixup before the filters
Message-Id: 7cff118972930ccb650bd62fbf0d2e8e452d729a.1661395017.git.rgb@redhat.com

audit_return_fixup() before the filters. This was causing syscall auditing events to be missed. Link: #138 Cc: stable@vger.kernel.org Fixes: 12c5e81 ("audit: prepare audit_context for use in calling contexts beyond syscalls") Signed-off-by: Richard Guy Briggs <rgb@redhat.com> [PM: manual merge required] Signed-off-by: Paul Moore <paul@paul-moore.com>

The success and return_code are needed by the filters. Move audit_return_fixup() before the filters. This was causing syscall auditing events to be missed. Link: #138 Cc: stable@vger.kernel.org Fixes: 12c5e81 ("audit: prepare audit_context for use in calling contexts beyond syscalls") Signed-off-by: Richard Guy Briggs <rgb@redhat.com> [PM: manual merge required] Signed-off-by: Paul Moore <paul@paul-moore.com>

rgbriggs · 2022-08-26T03:44:59Z

posted v2 Message-Id: cover.1661449312.git.rgb@redhat.com
Subject: [PATCH ghak138 v2 0/4] issues from moving beyond syscalls

rgbriggs · 2022-08-26T13:12:57Z

upstreamed: d4fefa4 (audit/stable-6.0) audit: move audit_return_fixup before the filters

commit d4fefa4 upstream. The success and return_code are needed by the filters. Move audit_return_fixup() before the filters. This was causing syscall auditing events to be missed. Link: linux-audit/audit-kernel#138 Cc: stable@vger.kernel.org Fixes: 12c5e81 ("audit: prepare audit_context for use in calling contexts beyond syscalls") Signed-off-by: Richard Guy Briggs <rgb@redhat.com> [PM: manual merge required] Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

The-Mule · 2022-08-29T13:03:21Z

I have a simple audit-testsuite test for this in my fork https://github.com/The-Mule/audit-testsuite/tree/filter-exit (it only checks exit filter for open* syscalls). Is it something we want to have in audit-testsuite?

pcmoore · 2022-08-29T14:54:57Z

I have a simple audit-testsuite test for this in my fork https://github.com/The-Mule/audit-testsuite/tree/filter-exit (it only checks exit filter for open* syscalls). Is it something we want to have in audit-testsuite?

I think that would be a nice addition, although I don't like the thought of the test adding and deleting users. Perhaps you could modify the test to do something that we know would always fail with a predictable error code, for example:

% echo "TESTING" > /proc/self/status

The-Mule · 2022-08-29T14:56:51Z

Good idea, thanks for the hint. I'll fix that and file a PR.

pcmoore · 2022-08-29T15:10:54Z

Great, thank you!

The success and return_code are needed by the filters. Move audit_return_fixup() before the filters. This was causing syscall auditing events to be missed. Link: linux-audit/audit-kernel#138 Cc: stable@vger.kernel.org Fixes: 12c5e81 ("audit: prepare audit_context for use in calling contexts beyond syscalls") Signed-off-by: Richard Guy Briggs <rgb@redhat.com> [PM: manual merge required] Signed-off-by: Paul Moore <paul@paul-moore.com>

commit d4fefa4 upstream. The success and return_code are needed by the filters. Move audit_return_fixup() before the filters. This was causing syscall auditing events to be missed. Link: linux-audit/audit-kernel#138 Cc: stable@vger.kernel.org Fixes: 12c5e81 ("audit: prepare audit_context for use in calling contexts beyond syscalls") Signed-off-by: Richard Guy Briggs <rgb@redhat.com> [PM: manual merge required] Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

The success and return_code are needed by the filters. Move audit_return_fixup() before the filters. This was causing syscall auditing events to be missed. Link: linux-audit/audit-kernel#138 Cc: stable@vger.kernel.org Fixes: 12c5e81 ("audit: prepare audit_context for use in calling contexts beyond syscalls") Signed-off-by: Richard Guy Briggs <rgb@redhat.com> [PM: manual merge required] Signed-off-by: Paul Moore <paul@paul-moore.com>

pcmoore · 2023-01-09T14:57:32Z

With the kernel fix upstream I think we can close out this issue, if anyone disagrees feel free to leave a comment in the issue and we can reopen it.

pcmoore changed the title ~~Rules with 'exit' filter - no audit events~~ BUG: rules with 'exit' filter do not generate any audit events Aug 10, 2022

pcmoore added bug priority/medium labels Aug 10, 2022

The-Mule mentioned this issue Sep 2, 2022

RFE: add test for filter_exit linux-audit/audit-testsuite#107

Open

pcmoore closed this as completed Jan 9, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

BUG: rules with 'exit' filter do not generate any audit events #138

BUG: rules with 'exit' filter do not generate any audit events #138

The-Mule commented Aug 10, 2022 •

edited

Loading

pcmoore commented Aug 10, 2022

WOnder93 commented Aug 10, 2022

rgbriggs commented Aug 10, 2022 via email

rgbriggs commented Aug 10, 2022 via email

pcmoore commented Aug 10, 2022

rgbriggs commented Aug 11, 2022 via email

sergio-correia commented Aug 11, 2022

rgbriggs commented Aug 11, 2022 via email

rgbriggs commented Aug 25, 2022

rgbriggs commented Aug 26, 2022

rgbriggs commented Aug 26, 2022

The-Mule commented Aug 29, 2022 •

edited

Loading

pcmoore commented Aug 29, 2022

The-Mule commented Aug 29, 2022

pcmoore commented Aug 29, 2022

pcmoore commented Jan 9, 2023

BUG: rules with 'exit' filter do not generate any audit events #138

BUG: rules with 'exit' filter do not generate any audit events #138

Comments

The-Mule commented Aug 10, 2022 • edited Loading

pcmoore commented Aug 10, 2022

WOnder93 commented Aug 10, 2022

rgbriggs commented Aug 10, 2022 via email

rgbriggs commented Aug 10, 2022 via email

pcmoore commented Aug 10, 2022

rgbriggs commented Aug 11, 2022 via email

sergio-correia commented Aug 11, 2022

rgbriggs commented Aug 11, 2022 via email

rgbriggs commented Aug 25, 2022

rgbriggs commented Aug 26, 2022

rgbriggs commented Aug 26, 2022

The-Mule commented Aug 29, 2022 • edited Loading

pcmoore commented Aug 29, 2022

The-Mule commented Aug 29, 2022

pcmoore commented Aug 29, 2022

pcmoore commented Jan 9, 2023

The-Mule commented Aug 10, 2022 •

edited

Loading

The-Mule commented Aug 29, 2022 •

edited

Loading