Import audit >1.7.4

git-svn-id: http://svn.fedorahosted.org/svn/audit/trunk@1 03a675c2-f56d-4096-908f-63dba836b7e4
burnalting · Jun 17, 2008 · 0883473 · 0883473
commit 0883473
Show file tree

Hide file tree

Showing 397 changed files with 123,943 additions and 0 deletions.
diff --git a/AUTHORS b/AUTHORS
@@ -0,0 +1,3 @@
+This program was started by Rik Faith.
+It is now being maintained by Steve Grubb <sgrubb@redhat.com>
+
diff --git a/COPYING b/COPYING
diff --git a/ChangeLog b/ChangeLog
diff --git a/INSTALL b/INSTALL
@@ -0,0 +1,234 @@
+Installation Instructions
+*************************
+
+Copyright (C) 1994, 1995, 1996, 1999, 2000, 2001, 2002, 2004, 2005,
+2006 Free Software Foundation, Inc.
+
+This file is free documentation; the Free Software Foundation gives
+unlimited permission to copy, distribute and modify it.
+
+Basic Installation
+==================
+
+Briefly, the shell commands `./configure; make; make install' should
+configure, build, and install this package.  The following
+more-detailed instructions are generic; see the `README' file for
+instructions specific to this package.
+
+   The `configure' shell script attempts to guess correct values for
+various system-dependent variables used during compilation.  It uses
+those values to create a `Makefile' in each directory of the package.
+It may also create one or more `.h' files containing system-dependent
+definitions.  Finally, it creates a shell script `config.status' that
+you can run in the future to recreate the current configuration, and a
+file `config.log' containing compiler output (useful mainly for
+debugging `configure').
+
+   It can also use an optional file (typically called `config.cache'
+and enabled with `--cache-file=config.cache' or simply `-C') that saves
+the results of its tests to speed up reconfiguring.  Caching is
+disabled by default to prevent problems with accidental use of stale
+cache files.
+
+   If you need to do unusual things to compile the package, please try
+to figure out how `configure' could check whether to do them, and mail
+diffs or instructions to the address given in the `README' so they can
+be considered for the next release.  If you are using the cache, and at
+some point `config.cache' contains results you don't want to keep, you
+may remove or edit it.
+
+   The file `configure.ac' (or `configure.in') is used to create
+`configure' by a program called `autoconf'.  You need `configure.ac' if
+you want to change it or regenerate `configure' using a newer version
+of `autoconf'.
+
+The simplest way to compile this package is:
+
+  1. `cd' to the directory containing the package's source code and type
+     `./configure' to configure the package for your system.
+
+     Running `configure' might take a while.  While running, it prints
+     some messages telling which features it is checking for.
+
+  2. Type `make' to compile the package.
+
+  3. Optionally, type `make check' to run any self-tests that come with
+     the package.
+
+  4. Type `make install' to install the programs and any data files and
+     documentation.
+
+  5. You can remove the program binaries and object files from the
+     source code directory by typing `make clean'.  To also remove the
+     files that `configure' created (so you can compile the package for
+     a different kind of computer), type `make distclean'.  There is
+     also a `make maintainer-clean' target, but that is intended mainly
+     for the package's developers.  If you use it, you may have to get
+     all sorts of other programs in order to regenerate files that came
+     with the distribution.
+
+Compilers and Options
+=====================
+
+Some systems require unusual options for compilation or linking that the
+`configure' script does not know about.  Run `./configure --help' for
+details on some of the pertinent environment variables.
+
+   You can give `configure' initial values for configuration parameters
+by setting variables in the command line or in the environment.  Here
+is an example:
+
+     ./configure CC=c99 CFLAGS=-g LIBS=-lposix
+
+   *Note Defining Variables::, for more details.
+
+Compiling For Multiple Architectures
+====================================
+
+You can compile the package for more than one kind of computer at the
+same time, by placing the object files for each architecture in their
+own directory.  To do this, you can use GNU `make'.  `cd' to the
+directory where you want the object files and executables to go and run
+the `configure' script.  `configure' automatically checks for the
+source code in the directory that `configure' is in and in `..'.
+
+   With a non-GNU `make', it is safer to compile the package for one
+architecture at a time in the source code directory.  After you have
+installed the package for one architecture, use `make distclean' before
+reconfiguring for another architecture.
+
+Installation Names
+==================
+
+By default, `make install' installs the package's commands under
+`/usr/local/bin', include files under `/usr/local/include', etc.  You
+can specify an installation prefix other than `/usr/local' by giving
+`configure' the option `--prefix=PREFIX'.
+
+   You can specify separate installation prefixes for
+architecture-specific files and architecture-independent files.  If you
+pass the option `--exec-prefix=PREFIX' to `configure', the package uses
+PREFIX as the prefix for installing programs and libraries.
+Documentation and other data files still use the regular prefix.
+
+   In addition, if you use an unusual directory layout you can give
+options like `--bindir=DIR' to specify different values for particular
+kinds of files.  Run `configure --help' for a list of the directories
+you can set and what kinds of files go in them.
+
+   If the package supports it, you can cause programs to be installed
+with an extra prefix or suffix on their names by giving `configure' the
+option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'.
+
+Optional Features
+=================
+
+Some packages pay attention to `--enable-FEATURE' options to
+`configure', where FEATURE indicates an optional part of the package.
+They may also pay attention to `--with-PACKAGE' options, where PACKAGE
+is something like `gnu-as' or `x' (for the X Window System).  The
+`README' should mention any `--enable-' and `--with-' options that the
+package recognizes.
+
+   For packages that use the X Window System, `configure' can usually
+find the X include and library files automatically, but if it doesn't,
+you can use the `configure' options `--x-includes=DIR' and
+`--x-libraries=DIR' to specify their locations.
+
+Specifying the System Type
+==========================
+
+There may be some features `configure' cannot figure out automatically,
+but needs to determine by the type of machine the package will run on.
+Usually, assuming the package is built to be run on the _same_
+architectures, `configure' can figure that out, but if it prints a
+message saying it cannot guess the machine type, give it the
+`--build=TYPE' option.  TYPE can either be a short name for the system
+type, such as `sun4', or a canonical name which has the form:
+
+     CPU-COMPANY-SYSTEM
+
+where SYSTEM can have one of these forms:
+
+     OS KERNEL-OS
+
+   See the file `config.sub' for the possible values of each field.  If
+`config.sub' isn't included in this package, then this package doesn't
+need to know the machine type.
+
+   If you are _building_ compiler tools for cross-compiling, you should
+use the option `--target=TYPE' to select the type of system they will
+produce code for.
+
+   If you want to _use_ a cross compiler, that generates code for a
+platform different from the build platform, you should specify the
+"host" platform (i.e., that on which the generated programs will
+eventually be run) with `--host=TYPE'.
+
+Sharing Defaults
+================
+
+If you want to set default values for `configure' scripts to share, you
+can create a site shell script called `config.site' that gives default
+values for variables like `CC', `cache_file', and `prefix'.
+`configure' looks for `PREFIX/share/config.site' if it exists, then
+`PREFIX/etc/config.site' if it exists.  Or, you can set the
+`CONFIG_SITE' environment variable to the location of the site script.
+A warning: not all `configure' scripts look for a site script.
+
+Defining Variables
+==================
+
+Variables not defined in a site shell script can be set in the
+environment passed to `configure'.  However, some packages may run
+configure again during the build, and the customized values of these
+variables may be lost.  In order to avoid this problem, you should set
+them in the `configure' command line, using `VAR=value'.  For example:
+
+     ./configure CC=/usr/local2/bin/gcc
+
+causes the specified `gcc' to be used as the C compiler (unless it is
+overridden in the site shell script).
+
+Unfortunately, this technique does not work for `CONFIG_SHELL' due to
+an Autoconf bug.  Until the bug is fixed you can use this workaround:
+
+     CONFIG_SHELL=/bin/bash /bin/bash ./configure CONFIG_SHELL=/bin/bash
+
+`configure' Invocation
+======================
+
+`configure' recognizes the following options to control how it operates.
+
+`--help'
+`-h'
+     Print a summary of the options to `configure', and exit.
+
+`--version'
+`-V'
+     Print the version of Autoconf used to generate the `configure'
+     script, and exit.
+
+`--cache-file=FILE'
+     Enable the cache: use and save the results of the tests in FILE,
+     traditionally `config.cache'.  FILE defaults to `/dev/null' to
+     disable caching.
+
+`--config-cache'
+`-C'
+     Alias for `--cache-file=config.cache'.
+
+`--quiet'
+`--silent'
+`-q'
+     Do not print messages saying which checks are being made.  To
+     suppress all normal output, redirect it to `/dev/null' (any error
+     messages will still be shown).
+
+`--srcdir=DIR'
+     Look for the package's source code in directory DIR.  Usually
+     `configure' can determine that directory automatically.
+
+`configure' also accepts some other, not widely useful, options.  Run
+`configure --help' for more details.
+
diff --git a/Makefile.am b/Makefile.am
@@ -0,0 +1,36 @@
+# Makefile.am -- 
+# Copyright 2004-08 Red Hat Inc., Durham, North Carolina.
+# All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#
+# Authors:
+#   Steve Grubb <sgrubb@redhat.com>
+#   Rickard E. (Rik) Faith <faith@redhat.com>
+#
+
+SUBDIRS = lib auparse src/mt src audisp tools swig bindings init.d \
+	docs system-config-audit
+EXTRA_DIST = ChangeLog AUTHORS NEWS README README-install audit.spec \
+	contrib/capp.rules contrib/nispom.rules contrib/lspp.rules \
+	contrib/stig.rules contrib/skeleton.c contrib/avc_snap \
+	contrib/plugin/Makefile contrib/plugin/audisp-example.c \
+	contrib/plugin/audisp-example.conf
+CONFIG_CLEAN_FILES = Makefile.in aclocal.m4* config.h.* configure \
+	debug*.list config/*
+
+clean-generic:
+	rm -rf autom4te*.cache zos-remote-policy
+	rm -f *.rej *.orig *.lang
diff --git a/NEWS b/NEWS
diff --git a/README b/README
@@ -0,0 +1,119 @@
+This is some background information about the Linux Auditing Framework.
+
+LICENSE
+=======
+The audit daemon is released as GPL'd code. The audit daemon's library
+libaudit.* is released under LGPL so that it may be linked with 3rd
+party software.
+
+BUILDING
+========
+See the README-install File.
+
+USAGE
+=====
+Examples usage of utilities:
+
+  General:
+
+    Window 1:
+        ./auditd
+    Window 2 (you don't have to have the daemon running to try this, but
+    enabled has to be 1):
+        ./auditctl -s
+        ./auditctl -a entry,always -S open
+        ls
+        ./auditctl -d entry,always -S open
+
+
+  Identity tracking:
+	./auditctl -a exit,always -S all -F loginuid=2000
+	./auditctl -L 2000,"test uid" 
+
+SAMPLE CONFIGS
+==============
+There are 2 files sample.config which just shows variuos configuration
+options in use. There is also contrib/capp.rules which can be installed
+to /etc/audit.rules and then customized. This shows what a CAPP style 
+audit environment might look like.
+
+DISCUSSION
+==========
+lkml thread(s): 
+     http://marc.theaimsgroup.com/?t=107815888100001&r=1&w=2
+     http://marc.theaimsgroup.com/?t=107901570800002&r=1&w=2
+
+
+DESIGN INFO
+===========
+
+The main goals were to provide system call auditing with 1) as low
+overhead as possible, and 2) without duplicating functionality that is
+already provided by SELinux (and/or other security infrastructures).
+This framework will work "stand-alone", but is not designed to provide,
+e.g., CAPP functionality without another security component in place.
+
+There are two main parts, one that is always on (generic logging in
+audit.c) and one that you can disable at boot- or run-time
+(per-system-call auditing in auditsc.c).  The patch includes changes to
+security/selinux/avc.c as an example of how system-call auditing can be
+integrated with other code that identifies auditable events.
+
+Logging:
+    1) Uses a netlink socket for communication with user-space.  All
+       messages are logged via the netlink socket if a user-space daemon
+       is listening.  If not, the messages are logged via printk to the
+       syslog daemon (by default).
+    2) Messages can be dropped (optionally) based on message rate or
+       memory use (this isn't fully integrated into the selinux/avc.c
+       part of the patch: the avc.c code that currently does this can be
+       eliminated).
+    3) When some part of the kernel generates part of an audit record,
+       the partial record is sent immediately to user-space, AND the
+       system call "auditable" flag is automatically set for that call
+       -- thereby producing extra information at syscall exit (if
+       syscall auditing is enabled).
+
+System-call auditing:
+    1) At task-creation time, an audit context is allocated and linked
+       off the task structure.
+    2) At syscall entry time, if the audit context exists, information
+       is filled in (syscall number, timestamp; but not arguments).
+    3) During the system call, calls to getname() and path_lookup() are
+       intercepted.  These routines are called when the kernel is
+       actually looking up information that will be used to make the
+       decision about whether the syscall will succeed or fail.  An
+       effort has been made to avoid copying the information that
+       getname generates, since getname is already making a
+       kernel-private copy of the information.  [Note that storing
+       copies of all syscall arguments requires complexity and overhead
+       that arguably isn't needed.  With this patch, for example, if
+       chroot("foo") fails because you are not root, "foo" will not
+       appear in the audit record because the kernel determined the
+       syscall cannot proceed before it ever needed to look up "foo".
+       This approach avoids storing user-supplied information that could
+       be misleading or unreliable (e.g., due to a cooperative
+       shared-memory attack) in favor of reporting information actually
+       used by the kernel.]
+    4) At syscall exit time, if the "auditable" flag has been set (e.g.,
+       because SELinux generated an avc record; or some other part of
+       the kernel detected an auditable event), the syscall-part of the
+       audit record is generated, including file names and inode numbers
+       (if available).  Some of this information is currently
+       complementary to the information that selinux/avc.c generates
+       (e.g., file names and some inode numbers), but some is less
+       complete (e.g., getname doesn't return a fully-qualified path,
+       and this patch does not add the overhead of determining one).
+       [Note that the complete audit record comes to userspace in
+       pieces, which eliminates the need to store messages for
+       arbitrarily long periods inside the kernel.]
+    5) At task-exit time, the audit context is destroyed.
+
+    At steps 1, 2, and 4, simple filtering can be done (e.g., a database
+    role uid might have syscall auditing disabled for performance
+    reasons).  The filtering is simple and could be made more complex.
+    However, I tried to implement as much filtering as possible without
+    adding significant overhead (e.g., d_path()).  In general, the audit
+    framework should rely on some other kernel component (e.g., SELinux)
+    to make the majority of the decisions about what is and is not
+    auditable.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		This program was started by Rik Faith.
		It is now being maintained by Steve Grubb <sgrubb@redhat.com>