util: audit events

Bug #388746 reported by Casey Dahlin on 2009-06-18
Affects            Status        Importance  Assigned to  Milestone
upstart                          Wishlist    Unassigned
0.3                              Wishlist    Unassigned
upstart (Fedora)   Fix Released  Medium

Bug Description

libaudit support for Upstart.

Created attachment 322948
Patch against 0.3.9

Description of problem:
The audit package 1.7.9 includes a new utility to identify and extract user session events. It needs a patch to upstart to be more effective. The patch adds SYSTEM_BOOT, RUNLEVEL_CHANGE, and SYSTEM_SHUTDOWN audit events. I have 2 patches, one for 0.3.9 and one for 0.5.0. Please push these patches into rawhide and F-10.

It will need a BuildRequires: audit-libs-devel >= 1.7.9 and you will need to add --with-libaudit to the configure line. Thanks!

Created attachment 322949
Patch against 0.5.0

Please apply this patch to rawhide if 0.5.0 ever gets pushed out.

Are you sure upstart needs to be patched? I'm pretty certain we could create a couple of job definitions to produce these audit events (assuming there's a way to produce audit events from the shell)

I'm pretty sure upstart needs patching. I want the events generated from a place that would be hard/impossible to bypass so that audit logs are accurate.

AFAIK, we never did this for SysVinit. Is that correct?

Given that this seems to be scoped wider than just Fedora (I assume from your post to upstart-devel-list that this change could apply to any distro) I really want to have upstream look at the patch before we apply it. By upstream I mean Scott :) I'll try to get his attention on this.

No, we never did this for SysVinit, although I am thinking about adding it next chance. I got audit-1.7.9 added as a buildroot override for F-10 so that we can apply this patch when everyone is satisfied.

What does having the events in the audit log buy us above & beyond the events already in utmp/wtmp?

This enables improved user session analysis. The audit logs can now be centrally aggregated and some regulatory statutes require companies to maintain them for a couple years. The utmp/wtmp files are not. The problem that this solves is that I can now determine which events belong to the same login session. If I get a bootup event, I now know that all the users in the system had their state changed to logged out since this would indicate a likely kernel oops. If I see a normal shutdown event without the users logged out, this means that something terminated the session prematurely (dbus) and the user is now considered logged out. IOW, this helps to define boundaries around user sessions for analysis. There is a program in audit-1.7.9, aulast, that already uses these new events. In subsequent releases that tool will evolve into a session explorer tool.

Some of the newer security targets also require system bootup/shutdown in the audit logs.
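The session-boundary rules described above (a logout closes a session, a clean shutdown cuts open sessions short, a boot with sessions still open means nothing shut down cleanly) as an added worked example; this is illustration code, not part of the bug report, of Upstart or of aulast. It assumes the standard audit.log record layout (type=... msg=audit(secs.ms:serial): key=value ...) with USER_LOGIN/USER_LOGOUT records carrying auid and ses; the sample records are constructed.

```python
import re
from collections import namedtuple

# Constructed sample records (not taken from the bug report); the layout follows
# /var/log/audit/audit.log: type=... msg=audit(secs.ms:serial): key=value ...
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1245312100.000:1): pid=2000 auid=500 ses=1 msg='op=login terminal=ssh res=success'
type=USER_LOGIN msg=audit(1245312200.000:2): pid=2100 auid=501 ses=2 msg='op=login terminal=tty1 res=success'
type=USER_LOGOUT msg=audit(1245312300.000:3): pid=2000 auid=500 ses=1 msg='op=logout terminal=ssh res=success'
type=SYSTEM_SHUTDOWN msg=audit(1245312400.000:4): pid=1 auid=4294967295 ses=4294967295 msg=' comm="init" res=success'
type=SYSTEM_BOOT msg=audit(1245312500.000:5): pid=1 auid=4294967295 ses=4294967295 msg=' comm="init" res=success'
type=USER_LOGIN msg=audit(1245312600.000:6): pid=2300 auid=502 ses=3 msg='op=login terminal=tty2 res=success'
type=SYSTEM_BOOT msg=audit(1245312700.000:7): pid=1 auid=4294967295 ses=4294967295 msg=' comm="init" res=success'
type=USER_LOGIN msg=audit(1245312800.000:8): pid=2400 auid=500 ses=4 msg='op=login terminal=ssh res=success'
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+)\.\d+:\d+\): (.*)$")
# ended_by is "logout", "down" (clean shutdown), "crash" (boot with no shutdown logged) or "open"
Session = namedtuple("Session", "auid ses start end ended_by")

def parse_record(line):
    """Split one audit record into its type, timestamp (seconds) and key=value fields."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, secs, body = m.groups()
    return {**dict(re.findall(r"(\w+)=([^\s']+)", body)), "type": rtype, "time": int(secs)}

def session_boundaries(lines):
    """Walk the records in order and return one Session per login, with the event
    (logout, shutdown or unexpected boot) that ended it, following the rules in the thread."""
    open_sessions = {}  # ses id -> Session still logged in
    closed = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["type"] == "USER_LOGIN" and rec.get("res") == "success":
            open_sessions[rec["ses"]] = Session(rec["auid"], rec["ses"], rec["time"], None, "open")
        elif rec["type"] == "USER_LOGOUT" and rec.get("ses") in open_sessions:
            closed.append(open_sessions.pop(rec["ses"])._replace(end=rec["time"], ended_by="logout"))
        elif rec["type"] in ("SYSTEM_SHUTDOWN", "SYSTEM_BOOT"):
            # A clean shutdown cut the open sessions short ("down"); a boot while sessions
            # are still open means no shutdown was ever logged, i.e. a likely crash ("crash").
            how = "down" if rec["type"] == "SYSTEM_SHUTDOWN" else "crash"
            closed += [s._replace(end=rec["time"], ended_by=how) for s in open_sessions.values()]
            open_sessions.clear()
    return closed + list(open_sessions.values())
```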

Created attachment 329038
New patch for 0.5.0

This is a new patch sent upstream that addresses all issues raised. The only thing upstream really questioned was the configure.ac work. We really need this patch put in Fedora (rawhide and 10) so that aulast works correctly. Thanks.

Any update on this? Not having this applied means no one else can take advantage of the session analysis capabilities in the last 3 audit packages released. Upstream apparently has no objection (or no approval either). Thanks.

Rolled in and building now.

Just investigated why I'm not seeing system start up and shutdown events and I see that the patch has been added to cvs - but the spec file has not been updated to apply the patch. The spec file needs updating in devel, F-11, and F-10 branches.

Should be fixed in -24.

Steve? Is this good now?

Yes, this appears to be working correctly. Closing the bug. Thanks.

Casey Dahlin (cjdahlin) wrote :
Michael Biebl (mbiebl) wrote :

Would it be possible to add a ./configure check, so this feature can be disabled?
I.e. have something like HAVE_AUDIT and AUDIT_CFLAGS/AUDIT_LIBS for Makefile.am instead of hardcoding -laudit etc.

Is there an RH/Fedora Bug# for this?

Changed in upstart:
importance: Undecided → Wishlist
status: New → Incomplete

This looks like a different patch to the one Steve Grubb sent to the ML earlier this year (attached), could you review the differences?

I would be nervous about introducing the patch without similar support for 0.5/trunk, as otherwise that'd be dropping features

summary: - Audit events
+ util: audit events
Casey Dahlin (cjdahlin) wrote :

https://bugzilla.redhat.com/show_bug.cgi?id=470661

RH Bugzilla. Includes a patch for 0.5 as well.

Changed in upstart (Fedora):
status: Unknown → Fix Released

Marking the 0.3 task as Won't Fix, 0.6 is the stable release series now

Not sure why this is marked Incomplete; have you tested to see whether the patch applies to 0.6?

Changed in upstart:
status: Incomplete → Triaged

Steve - any chance you can do a rebase against 0.6.x in devel?

I sent the patches upstream for his 0.5 release. Did upstream never incorporate the patches?

They aren't in 0.6, and the 0.5 patch doesn't apply cleanly.

Created attachment 378790
audit patch for 0.6

This is a cvs patch rebased for 0.6

There is a problem with logging AUDIT_SYSTEM_BOOT. First runlevel change is done by post-start rcS.conf and there is no running auditd at that moment.

I see the same problem with logging AUDIT_SYSTEM_BOOT also in actual upstart-0.3.11

"runlevel --reboot" is called in /etc/event.d/rcS right after /etc/rc.d/rc.sysinit when no auditd running yet

The event should be queued in the kernel if you boot with audit=1. And the way I check the results is by running aulast. Thanks.

Petr Lautrbach (plautrba) wrote :

This is Steve Grubb's patch slightly changed and rebased for 0.6.

Reopening, as this isn't in currently.

Eep, don't mind me. Stale CVS checkout.

Changed in upstart (Fedora):
importance: Unknown → Medium