
RFE: test for audit container ID functionality #64

Open
rgbriggs opened this Issue Mar 1, 2018 · 7 comments

3 participants
@rgbriggs
Contributor

commented Mar 1, 2018

Test for kernel audit container id functionality:

  • prohibit unsetting
  • prohibit self-setting
  • prohibit setting again
  • prohibit without CAP_AUDIT_CONTROL
  • verify AUDIT_CONTAINER record
  • verify auditctl containerid filter
  • verify kernel AUDIT_CONTAINERID filter functionality
  • verify AUDIT_CONTAINER_INFO record

See: linux-audit/audit-kernel#32
See: linux-audit/audit-kernel#90
See: linux-audit/audit-kernel#91
See: linux-audit/audit-kernel#92
See: linux-audit/audit-userspace#40
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

@rgbriggs
Contributor Author

commented Mar 1, 2018

Here's an updated test script:

```sh
#!/bin/sh

#test self-set, should succeed
echo 123455 > /proc/$$/audit_containerid || echo self-write should have succeeded
ausearch -ts boot |grep " contid=123455" || echo self-write success record should appear

#setup for several tests
sleep 5&
child=$!; sleep 1

#test unset, should fail
echo 18446744073709551615 > /proc/$child/audit_containerid && echo write unset should have failed
ausearch -ts boot |grep " contid=18446744073709551615" || echo write unset failure record should appear

#test first set, should pass
echo 123456 > /proc/$child/audit_containerid || echo write set should have succeeded
ausearch -ts boot |grep " contid=123456" || echo write set record success should appear

#test set again, should fail
echo 123457 > /proc/$child/audit_containerid && echo write set again should have failed
ausearch -ts boot |grep " contid=123457" || echo write set again record failure should appear

#test set child with child, should fail
#bash -c with a single command would just exec it; a background job plus wait keeps
#bash resident as the parent, so child2 really does have a child of its own
bash -c "sleep 2 & wait" &
child2=$!; sleep 1
echo 123458 > /proc/$child2/audit_containerid && echo write set child with child should fail
ausearch -ts boot |grep " contid=123458" || echo write set child with child failure record should appear
echo self:$$ contid:$(cat /proc/$$/audit_containerid)
echo child:$child contid:$(cat /proc/$child/audit_containerid)
echo child2:$child2 contid:$(cat /proc/$child2/audit_containerid)

#test filter on containerid
containerid=123459
key=tmpcontainerid
auditctl -a exit,always -F dir=/tmp -F perm=wa -F contid=$containerid -F key=$key || echo failed to add containerid filter rule
perl -e "sleep 1; open(my \$tmpfile, '>', \"/tmp/$key\"); close(\$tmpfile);" &
child3=$!
echo $containerid > /proc/$child3/audit_containerid || echo failed to set containerid on file open task
sleep 2
rm -f /tmp/$key
ausearch -i -ts boot -k $key || echo failed to find CONTAINER record
auditctl -d exit,always -F dir=/tmp -F perm=wa -F contid=$containerid -F key=$key || echo failed to del containerid filter rule
```

@The-Mule

commented Jul 17, 2018

Just for the record. We agreed that I will assist Richard with transforming the bash test script mentioned above into Perl so that it fits into the audit regression test suite.

@pcmoore pcmoore changed the title RFE: test for container id functionality RFE: test for audit container ID functionality Jul 17, 2018

@pcmoore
Member

commented Jul 17, 2018

Great, thanks for letting me know. I went ahead and assigned this task to both of you :)

@rgbriggs
Contributor Author

commented Jul 31, 2018

Test netfilter packet audit container identifier auxiliary records:

```sh
#test multiple containers on one netns
# create two child processes
sleep 5 &
child4=$!
containerid1=123451
echo $containerid1 > /proc/$child4/audit_containerid || echo failed to set containerid on child4
sleep 5 &
child5=$!
containerid2=123452
echo $containerid2 > /proc/$child5/audit_containerid || echo failed to set containerid on child5
# set up audit rules in netfilter and send a test packet
# the mangle MARK only serves to pick the test packet out of the NETFILTER_PKT records
iptables -I INPUT -i lo -p icmp --icmp-type echo-request -j AUDIT --type accept
iptables -t mangle -I INPUT -i lo -p icmp --icmp-type echo-request -j MARK --set-mark 0x12345555
sleep 1
#ping -c 1 127.0.0.1
bash -c "ping -q -c 1 127.0.0.1 >/dev/null 2>&1"
sleep 1
iptables -D INPUT -i lo -p icmp --icmp-type echo-request -j AUDIT --type accept
iptables -t mangle -D INPUT -i lo -p icmp --icmp-type echo-request -j MARK --set-mark 0x12345555
ausearch -i -m NETFILTER_PKT -ts recent|grep mark=0x12345555 || echo failed to find NETFILTER_PKT record
ausearch -i -m NETFILTER_PKT -ts recent|grep contid=|grep $containerid1|grep $containerid2 || echo failed to find CONTAINER record
```

@The-Mule

commented Aug 3, 2018

Just out of curiosity, the aforementioned test is currently the only way to test container ID, is that correct? Because no container tool / orchestrator [*] supports this yet. I just want to make sure I understand it well - first, we need to have this container-id functionality in the kernel. Then each orchestrator willing to support container auditing must implement it (i.e. create a container id associated with the container process).

Now suppose I have a Fedora machine with a container and I trigger an audit event from that container. What will happen? Will I see the event on the host machine? What happens if my host machine does have container-id support and I create a container-id in /proc/ and trigger an event from the container?

I am sorry for such silly questions.

@rgbriggs
Contributor Author

commented Aug 3, 2018

fcicq pushed a commit to fcicq/chromiumos-third_party-kernel that referenced this issue Jan 20, 2019

BACKPORT: FROMLIST: audit: add container id
Implement the proc fs write to set the audit container identifier of a
process, emitting an AUDIT_CONTAINER_OP record to document the event.

This is a write from the container orchestrator task to a proc entry of
the form /proc/PID/audit_containerid where PID is the process ID of the
newly created task that is to become the first task in a container, or
an additional task added to a container.

The write expects up to a u64 value (unset: 18446744073709551615).

The writer must have capability CAP_AUDIT_CONTROL.

This will produce a record such as this:
  type=CONTAINER_ID msg=audit(2018-06-06 12:39:29.636:26949) : op=set opid=2209 old-contid=18446744073709551615 contid=123456 pid=628 auid=root uid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=bash exe=/usr/bin/bash res=yes

The "op" field indicates an initial set.  The "pid" to "ses" fields are
the orchestrator while the "opid" field is the object's PID, the process
being "contained".  Old and new audit container identifier values are
given in the "contid" fields, while res indicates its success.

It is not permitted to unset the audit container identifier.
A child inherits its parent's audit container identifier.

See: linux-audit/audit-kernel#90
See: linux-audit/audit-userspace#51
See: linux-audit/audit-testsuite#64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Steve Grubb <sgrubb@redhat.com>
(am from https://patchwork.kernel.org/patch/10551315/)

BUG=chromium:918980
TEST=Build, boot and GCP internal testing.

Changed the return value of the default audit_get_contid as the kuid_t
is a 32-bit value where the other version is a u64 failing compilation
on 32-bit kernels.

Signed-off-by: Thomas Garnier <thgarnie@google.com>
Change-Id: Iee61e96d015715f1dde24f92c230f14410cb5a79
Reviewed-on: https://chromium-review.googlesource.com/1379655
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
Reviewed-by: Robert Kolchmeyer <rkolchmeyer@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
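An added example, not code from this issue, the kernel patch or the audit-testsuite: a small parser for CONTAINER_ID records in the `ausearch -i` form quoted in the commit message above, with a check of each record against the rules the message states (an unset is not permitted, and an identifier that is already set must not change). The first sample record is the one quoted in the commit message; the other three are constructed, the last one deliberately bogus so the check has something to flag. The exact-field lookup at the end also shows why the test scripts' `grep " contid=123456"` is looser than it looks: it matches any identifier that merely starts with those digits.

```python
import re

# (u64)-1: the value the commit message gives for an unset audit container identifier
UNSET_CONTID = 18446744073709551615

# Constructed sample log. Line 1 is the record from the commit message; lines 2-4 are
# made up: a refused unset, a refused re-set to 1234567, and a bogus record in which an
# unset of an already-set identifier is reported as successful.
SAMPLE_LOG = """\
type=CONTAINER_ID msg=audit(2018-06-06 12:39:29.636:26949) : op=set opid=2209 old-contid=18446744073709551615 contid=123456 pid=628 auid=root uid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=bash exe=/usr/bin/bash res=yes
type=CONTAINER_ID msg=audit(2018-06-06 12:39:30.100:26950) : op=set opid=2209 old-contid=123456 contid=18446744073709551615 pid=628 auid=root uid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=bash exe=/usr/bin/bash res=no
type=CONTAINER_ID msg=audit(2018-06-06 12:39:30.200:26951) : op=set opid=2209 old-contid=123456 contid=1234567 pid=628 auid=root uid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=bash exe=/usr/bin/bash res=no
type=CONTAINER_ID msg=audit(2018-06-06 12:39:30.300:26952) : op=set opid=2210 old-contid=1234567 contid=18446744073709551615 pid=628 auid=root uid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=bash exe=/usr/bin/bash res=yes
"""

# "type=X msg=audit(<timestamp>:<serial>) : <key=value fields>"
HEADER_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<msg>[^)]*)\) : (?P<body>.*)$")
# key=value pairs; values are either double-quoted or a run of non-blank characters
FIELD_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one ausearch -i style line into a dict of field -> value, or None if it is not a record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("body")))
    fields["type"] = m.group("type")
    fields["msg"] = m.group("msg")
    return fields


def parse_log(text):
    """Parse every record line of a log, skipping anything that is not a record."""
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def check_container_id_record(rec):
    """Return the rules from the commit message that this record shows being violated."""
    problems = []
    if rec.get("type") != "CONTAINER_ID":
        return ["not a CONTAINER_ID record"]
    try:
        old = int(rec["old-contid"])
        new = int(rec["contid"])
    except (KeyError, ValueError):
        return ["missing or non-numeric contid fields"]
    succeeded = rec.get("res") == "yes"
    # "It is not permitted to unset the audit container identifier."
    if new == UNSET_CONTID and succeeded:
        problems.append("unset (contid=(u64)-1) reported as successful")
    # an identifier that is already set must not be changed by a later write
    if old != UNSET_CONTID and new != old and succeeded:
        problems.append("already-set identifier was changed")
    if rec.get("op") != "set":
        problems.append("unexpected op=%s" % rec.get("op"))
    return problems


def records_for_contid(records, contid):
    """Exact match on the contid field, unlike grep ' contid=123456', which also hits contid=1234567."""
    return [r for r in records if r.get("contid") == str(contid)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r["msg"], "opid=" + r["opid"], "contid=" + r["contid"],
              check_container_id_record(r) or "ok")
    print("records with contid=123456:", len(records_for_contid(recs, 123456)))
```

Run against a real system, the input would come from `ausearch -i -m CONTAINER_ID`, and the same check can be run over the records a test like the script above produces, so that a "should fail" case is judged on the res field of the record instead of on the exit status of the write alone.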

rgbriggs added a commit to rgbriggs/audit-testsuite that referenced this issue Apr 9, 2019

tests: add test for contid
See: linux-audit#64

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>

rgbriggs added a commit to rgbriggs/audit-testsuite that referenced this issue Apr 10, 2019

tests: add test for contid
See: linux-audit#64

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>

@rgbriggs
Contributor Author

commented Apr 10, 2019

V1 PR: #83
