BUG: audit log #148

Open. Wants to merge 2 commits into base: main
25 changes: 10 additions & 15 deletions README
@@ -1,18 +1,13 @@
Linux kernel
============
Linux Kernel Audit Subsystem
=============================================================================
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
https://github.com/linux-audit/audit-kernel

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.
The original Linux Kernel README file:
* https://github.com/linux-audit/audit-kernel/blob/main/README.orig

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``. The formatted documentation can also be read online at:
The Linux Kernel audit subsystem README.md file:
* https://github.com/linux-audit/audit-kernel/blob/main/README.md

https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.
The latest official Linux Kernel documentation:
* https://www.kernel.org/doc/html/latest
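Review bot: the changes to README, README.md, README.orig and SECURITY.md are documentation-only and unrelated to the audit log fix in kernel/auditsc.c that the PR title announces; together they account for about 120 of the roughly 150 changed lines. Either drop them from this PR or rebase the branch onto the repository's main branch so that the diff contains only the fix; if they are intended changes, they belong in a PR of their own with their own commit message.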
62 changes: 62 additions & 0 deletions README.md
@@ -0,0 +1,62 @@
Linux Kernel Audit Subsystem
=============================================================================
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
https://github.com/linux-audit/audit-kernel

The Linux Audit subsystem provides a secure logging framework that is used to
capture and record security relevant events. It consists of a kernel component
which generates audit records based on system activity, a userspace daemon
which logs these records to a local file or a remote aggregation server, and a
set of userspace tools to for audit log inspection and post-processing.

The main Linux Kernel README can be found at
[Documentation/admin-guide/README.rst](./Documentation/admin-guide/README.rst)

## Online Resources

The canonical audit kernel repository is hosted by kernel.org:

* https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
* git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

There is also an officially maintained GitHub mirror:

* https://github.com/linux-audit/audit-kernel

## Kernel Tree Process

After the merge window closes upstream, a decision will be made regarding the
need to rebase the next branch on top of the current Linux -rc1 release. If
there have been a number of subsystem related changes outside of the
subsystem's next branch, or if the branch's base is too far behind
linux/master, it may be necessary to rebase the next branch. If a rebase is
needed, it should be done before any patches are merged, and rebasing the next
branch during the remaining -rcX releases should only be done in extreme cases.

Patches will be merged into the subsystem's next branch during the development
cycle which extends from merge window close up until the merge window reopens.
However, it is important to note that large, complicated, or invasive patches
sent late in the development cycle may be deferred until the next cycle. As a
general rule, only small patches or critical fixes will be merged after
-rc5/-rc6.

Any patches deemed necessary for the current Linux -rcX releases will be merged
into the current stable-X.Y branch, marked with a signed tag, and a pull
request sent against linux/master as soon as it is reasonable to do so.

During the development cycle Fedora Rawhide test kernels will be generated
using the next and most recent stable-X.Y branches on a weekly basis, if not
more often. These kernels will be tested against the SELinux test suite and
audit test suite as well as being made available to everyone for additional
testing.

Once the merge window opens, the next branch will be copied to a new branch,
stable-X.Y, and the branch will be marked with a signed tag in the format
audit-pr-YYYYMMDD. A pull request will be sent against the linux/master
branch using the signed tag.

## Userspace Tools and Test Suites

The audit userspace tools and test suites are hosted by GitHub:

* https://github.com/linux-audit
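Review bot: typo in the opening paragraph, "a set of userspace tools to for audit log inspection and post-processing" should drop the stray "to". The setext underline under the title is also several times longer than the title itself; Markdown accepts any non-empty run of `=`, so trimming it to the title width keeps the source tidy (the new README in this PR has the same over-long underline).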
18 changes: 18 additions & 0 deletions README.orig
@@ -0,0 +1,18 @@
Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``. The formatted documentation can also be read online at:

https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.
16 changes: 16 additions & 0 deletions SECURITY.md
@@ -0,0 +1,16 @@
Audit Kernel Subsystem Security Policy
=============================================================================

The audit kernel developers take security very seriously and if you think you
have found a serious problem or security vulnerability in the audit kernel
code you are encouraged to send email to the current audit kernel maintainer
who is listed below:

* Paul Moore, [email protected]

## Linux Kernel General Security Policy

In addition to the contact information above, the Linux Kernel also has a
security policy documented in the link below:

* https://github.com/linux-audit/audit-kernel/blob/main/Documentation/admin-guide/security-bugs.rst
26 changes: 23 additions & 3 deletions kernel/auditsc.c
Expand Up @@ -2416,6 +2416,10 @@ void __audit_inode_child(struct inode *parent,
struct audit_entry *e;
struct list_head *list = &audit_filter_list[AUDIT_FILTER_FS];
int i;
char *n_file_name = NULL;
int dlen;
int name_len;
bool special_end = false;

if (context->context == AUDIT_CTX_UNUSED)
return;
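Review bot: the four new locals are named after their mechanics rather than their role, which makes the following hunk harder to read: `n_file_name` holds a copy of an audit name with its trailing '/' removed, and `special_end` records that such a copy was made for the current entry. Names such as `trimmed_name` and `has_trailing_slash` would say that directly, and a one-line comment on `n_file_name` explaining why a PATH_MAX copy is needed at all would help the next reader.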
Expand All @@ -2439,23 +2443,39 @@ void __audit_inode_child(struct inode *parent,
if (inode)
handle_one(inode);

n_file_name = kmalloc(PATH_MAX, GFP_KERNEL);
if (n_file_name) {
memset(n_file_name, '\0', PATH_MAX);
}
dlen = strlen(dname);
/* look for a parent entry first */
list_for_each_entry(n, &context->names_list, list) {
if (!n->name ||
(n->type != AUDIT_TYPE_PARENT &&
n->type != AUDIT_TYPE_UNKNOWN))
continue;

name_len = strlen(n->name->name);
if (n_file_name && dname[dlen -1] != '/' && n->name->name[name_len - 1] == '/')
{
strncpy(n_file_name, n->name->name, name_len - 1);
special_end = true;
}
if (n->ino == parent->i_ino && n->dev == parent->i_sb->s_dev &&
!audit_compare_dname_path(dname,
n->name->name, n->name_len)) {
special_end ? n_file_name : n->name->name, n->name_len)) {
if (n->type == AUDIT_TYPE_UNKNOWN)
n->type = AUDIT_TYPE_PARENT;
found_parent = n;
break;
}
if (special_end) {
memset(n_file_name, '\0', name_len + 1);
}
special_end = false;
}
if (n_file_name) {
kfree(n_file_name);
}

/* is there a matching child entry? */
list_for_each_entry(n, &context->names_list, list) {
/* can only match entries that have a name */
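Review bot: the trailing-slash handling has correctness gaps and is heavier than the problem needs. `dname[dlen -1]` and `n->name->name[name_len - 1]` index one byte before the string when the respective length is 0, so each needs a non-zero-length guard. `strncpy(n_file_name, n->name->name, name_len - 1)` writes into a PATH_MAX buffer without checking that `name_len` fits and relies on the zero fill for NUL termination; `strscpy()` with the buffer size, or an explicit `name_len < PATH_MAX` check, is the safe form. Only a single trailing '/' is removed, so a name ending in "//" still fails `audit_compare_dname_path()`; walking back over every trailing '/' would cover that. `kmalloc()` followed by `memset()` is just `kzalloc()`, `kfree()` accepts NULL so the `if (n_file_name)` around it is unnecessary, and the per-iteration `memset(n_file_name, '\0', name_len + 1)` clears more bytes than were written. More importantly, the allocation, copy and clear now run on every `__audit_inode_child()` call just to drop one character before the comparison; since `audit_compare_dname_path()` already receives the parent length as its third argument, teaching it to ignore trailing slashes in the path it is given would fix the comparison with no allocation at all. Please also state which tree this was built and tested against: in current upstream `__audit_inode_child()` `dname` is a `const struct qstr *`, where `strlen(dname)` and `dname[dlen -1] != '/'` do not compile (`dname->len` and `dname->name` are the fields), and as a dentry name is a single path component that half of the check is always true and can go in either case. Style: the brace after `if (n_file_name && ...)` belongs on the condition line, single-statement bodies take no braces, and `dlen -1` should be `dlen - 1`.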