-
Notifications
You must be signed in to change notification settings - Fork 211
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feedback for "[RFC] Future audit changes" #323
Comments
There is one last issue, the stop libexec script has the ability to wait until auditd exits. This is necessary or a restart can happen before the old one can exit. This was a bz filed by RH QE personnel. I am considering adding the logic to auditctl to do this. It already has the pid of auditd. I think watching the inode of
It should be known that journald listens on a best effort, multicast socket that is lossy. Auditd adds extra information. https://github.com/linux-audit/audit-documentation/wiki/SPEC-Audit-Event-Enrichment. This is necessary due to uids being transient and different on each system.
There are other plugins that process events in realtime. But, besides the plugin reason, some people may want to search and do reporting. Only the audit logs are supported. And as of a couple weeks ago, I no longer work in the RH Security Dept and have new daytime responsibilities. So, if handling journald logs is needed, someone will have to send patches. Or work to make the journald logs identical. This whole proposal is to reduce my need to ever touch audit code in the future.
Yes, semanage and setroubleshoot-server. Semanage is OK since it only sends events. The other app is problematic as it is using lookup tables directly rather than using auparse which naturally uses the lookup tables. I will be emailing it's maintainer to see what we can do.
There might be others not in Fedora. Hopefully they get found in alpha or beta releases.
Community contributions are usually toss it over the wall expecting me to maintain it. (The DEC Alpha was a good example of this.) I simply have no more time to work on audit since it's not my day job anymore. I don't want any more arches until someone reliable contributes to the project on a sustained basis. |
+1 to that. If we can also use the new PID file API (maybe with a fallback to the legacy one) that would be best.
Hum, the journal listens on a netlink socket. I did not know that this was lossy (it's indeed written in https://man7.org/linux/man-pages/man7/netlink.7.html). How does auditd do it lossless then?
OK, then my mental model of the architecture is not correct and I'm not sure how all of this fits. How does audit "enhances" the logs if the journal already has them.
If I understand correctly, you're suggesting that auditd could read the logs from the journal and then process / enhance them (needs the journal to be reliable and read all logs) and write them to the audit log files. Or we fix journald to process the logs like audit does. Both sound like a good amount of work.
OK, we can not really "freely" break those two as they are kind of important indeed.
Agree. Can we make the support for a specific architecture not impact the others? |
What is this new PID file API? I think everything else above boils down to how the audit netlink comms work. Auditd uses the primary audit netlink socket. It has a backlog where events queue until auditd can get it. If the queue fills, the kernel can take special admin defined actions. Auditd sends an ACK to the kernel that it received the event. Then the kernel dequeues it. Auditd then enhances the event (by resolving local lookups) and distributes it to plugins and writes it to disk. It can run as a logger or a distributor or both. It does not read events from journald. Journald, on the other hand, reads from a multicast netlink socket. It does not use ACKS, the kernel just blasts them out and everyone has to keep up. At the time it was created, the thinking was that if journald wants events, there might be other apps that also want audit data. So, it was made into a multicast socket. Any app attaching causes an audit event so that we know who all is listening. Traditionally, other apps get audit events by being an auditd plugin. For example, setroubleshoot has something called sedispatch that is an auditd plugin and relays events to setroubleshootd. But for whatever reason, journald wanted to do it's own thing without auditd so the multicast socket is what it uses. As for the log format, what I was suggesting is that if someone wanted to use the ausearch, aureport, or the auparse library with journald logs when auditd is not installed, then work would need to be done to harmonize the format and parsing. (See #130) Journald would also need to resolve local lookups if it were forwarding. But what we looked at for Common Criteria was the opposite: block the journald audit socket so we don't get duplicate events and then have auditd enhancing events and wrapping them around to syslog (journald) for transport. We also have #49 which is to revive the audit log facility called out in RFC 3164. Glibc just needs the define added to syslog.h. |
See https://man7.org/linux/man-pages/man2/pidfd_open.2.html. This lets a process wait for another to terminate in a "race free" fashion:
This sounds like the least amount of work from all the options. |
Thanks for the info on pidfd_open. Looks like we can use it on current kernels. Older ones won't have it, but audit-4.0 is aimed at recent kernels. I think I can use this to make auditctl wait until auditd exits so that a restart can work without versions of auditd stepping on each other. (Auditd sometimes doesn't terminate immediately on SIGTERM. It stops receiving new events. But it has to clear it's internal queues before exiting.) |
I rewrote the signal sending for auditctl in commit de080ad. Looks like the PIDFD_GET_PROCFD ioctl didn't make it into the kernel. So, there is still a possibility of killing the wrong process. But this let me drop the dependency on procps-ng and simplify logic around stopping the daemon. |
I think this finishes the work for Audit-4.0alpha. Looking to do a release soon. If anyone knows of any issues, now would be a good time to raise them. |
To get this out the door, I enabled access to the 5 functions that setroubleshoot uses in commit 2722984. I think this finalizes audit-4.0. |
This is an issue to track feedback for "[RFC] Future audit changes" as posted on the
linux-audit
mailing list a: https://listman.redhat.com/archives/linux-audit/2023-August/020036.htmlFully agree here. Let's drop Python 2 support.
auditd
currently relies on the legacyservice
binary and its logic as well as initscripts to handle daemon stop (and restart) actions(1, 2). While looking at adding audit to Fedora CoreOS (coreos/fedora-coreos-tracker#1362), Steve added another option (39802bf) to be able to manage the daemon without the scripts and service binary. The PR to apply that change in the Fedora package (#9) revealed that some logic from the scripts is still needed in some cases.So I'm not sure how to move forward here.
Maybe we should add proper
auditctl stop|restart
commands that handle all those cases completely before we drop all initscripts?If I understand https://www.freedesktop.org/software/systemd/man/journald.conf.html#Audit= and https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html#Files correctly then systemd journald is now capable of handling audit messages from the kernel on its own.
We thus only need
auditd
to:According to https://manpages.debian.org/testing/audispd-plugins/audisp-remote.conf.5.en.html, the supprted transports are clear text TCP connections and KRB5 encrypted ones.
I would expect that most users would want their audit logs centralized in the system journal and would then forward the entire journal to a remote system for security / compliance.
Splitting 1 and making it the default would make sense, while keeping 2 as an option for users with more complex cases.
I don't know enough about this to have an opinion.
Do we have known users of this API? If there are no known users, then let's focus on what's better from a maintenance and coherence perspective.
If we have known existing users, then maybe that would help guide this discussion.
I would suggest focusing on architectures supported by Fedora and leaving all the others to community contributions.
I don't know enough about this to have an opinion.
The text was updated successfully, but these errors were encountered: