util: audit events

Bug #388746 reported by Casey Dahlin
Affects           Status        Importance  Assigned to  Milestone
upstart           Triaged       Wishlist    Unassigned
0.3               Won't Fix     Wishlist    Unassigned
upstart (Fedora)  Fix Released  Medium

Bug Description

libaudit support for Upstart.

Revision history for this message
In , Steve (steve-redhat-bugs) wrote :

Created attachment 322948
Patch against 0.3.9

Description of problem:
The audit package 1.7.9 includes a new utility to identify and extract user session events. It needs a patch to upstart to be more effective. The patch adds SYSTEM_BOOT, RUNLEVEL_CHANGE, and SYSTEM_SHUTDOWN audit events. I have 2 patches, one for 0.3.9 and one for 0.5.0. Please push these patches into rawhide and F-10.

It will need a BuildRequires: audit-libs-devel >= 1.7.9 and you will need to add --with-libaudit to the configure line. Thanks!

Revision history for this message
In , Steve (steve-redhat-bugs) wrote :

Created attachment 322949
Patch against 0.5.0

Please apply this patch to rawhide if 0.5.0 ever gets pushed out.

Revision history for this message
In , Casey (casey-redhat-bugs) wrote :

Are you sure upstart needs to be patched? I'm pretty certain we could create a couple of job definitions to produce these audit events (assuming there's a way to produce audit events from the shell)

Revision history for this message
In , Steve (steve-redhat-bugs) wrote :

I'm pretty sure upstart needs patching. I want the events generated from a place that would be hard/impossible to bypass so that audit logs are accurate.

Revision history for this message
In , Bill (bill-redhat-bugs) wrote :

AFAIK, we never did this for SysVinit. Is that correct?

Revision history for this message
In , Casey (casey-redhat-bugs) wrote :

Given that this seems to be scoped wider than just Fedora (I assume from your post to upstart-devel-list that this change could apply to any distro) I really want to have upstream look at the patch before we apply it. By upstream I mean Scott :) I'll try to get his attention on this.

Revision history for this message
In , Steve (steve-redhat-bugs) wrote :

No, we never did this for SysVinit, although I am thinking about adding it next chance. I got audit-1.7.9 added as a buildroot override for F-10 so that we can apply this patch when everyone is satisfied.

Revision history for this message
In , Bill (bill-redhat-bugs) wrote :

What does having the events in the audit log buy us above & beyond the events already in utmp/wtmp?

Revision history for this message
In , Steve (steve-redhat-bugs) wrote :

This enables improved user session analysis. The audit logs can now be centrally aggregated and some regulatory statutes require companies to maintain them for a couple years. The utmp/wtmp files are not. The problem that this solves is that I can now determine which events belong to the same login session. If I get a bootup event, I now know that all the users in the system had their state changed to logged out since this would indicate a likely kernel oops. If I see a normal shutdown event without the users logged out, this means that something terminated the session prematurely (dbus) and the user is now considered logged out. IOW, this helps to define boundaries around user sessions for analysis. There is a program in audit-1.7.9, aulast, that already uses these new events. In subsequent releases that tool will evolve into a session explorer tool.

Some of the newer security targets also require system bootup/shutdown in the audit logs.
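The session-boundary reasoning in the comment above, as an added worked example (not code from upstart, the audit package or aulast). It parses constructed records in the shape of audit.log lines, with hypothetical uids, hosts and timestamps, and shows how the SYSTEM_BOOT and SYSTEM_SHUTDOWN events let an analyzer decide whether a session that never logged out ended with a clean shutdown or with a crash:

```python
"""Reconstruct login-session boundaries from audit records.

USER_LOGIN / USER_LOGOUT open and close a session, SYSTEM_SHUTDOWN closes
whatever is still open as a clean "down", and a SYSTEM_BOOT that arrives
while the previous instance never recorded a shutdown closes the leftovers
as "crash". Added illustration only; this is not aulast.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample records in the shape of audit.log lines (hypothetical
# uids, hosts and timestamps; nothing here is taken from the bug report).
SAMPLE_LOG = """\
type=SYSTEM_BOOT msg=audit(1258000000.001:10): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="init" exe="/sbin/init" hostname=? addr=? terminal=? res=success'
type=USER_LOGIN msg=audit(1258000100.002:25): pid=2500 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1258000200.003:31): pid=2600 uid=0 auid=1001 ses=4 msg='op=login id=1001 exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_LOGOUT msg=audit(1258000500.004:40): pid=2500 uid=0 auid=1000 ses=3 msg='op=logout id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=SYSTEM_SHUTDOWN msg=audit(1258001000.005:50): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="init" exe="/sbin/init" hostname=? addr=? terminal=? res=success'
type=SYSTEM_BOOT msg=audit(1258002000.001:10): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="init" exe="/sbin/init" hostname=? addr=? terminal=? res=success'
type=USER_LOGIN msg=audit(1258002100.002:22): pid=2400 uid=0 auid=1000 ses=2 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=SYSTEM_BOOT msg=audit(1258003000.001:10): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="init" exe="/sbin/init" hostname=? addr=? terminal=? res=success'
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+)\.\d+:\d+\): (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Session:
    auid: str
    terminal: str
    host: str
    start: int
    end: Optional[int]
    how: str  # logout | down | crash | still logged in | clean (reboot rows)


def parse_record(line):
    """Split one record into (type, epoch seconds, {field: value})."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    head, _, body = m.group("rest").partition(" msg='")
    fields = {}
    for key, value in KV_RE.findall(head) + KV_RE.findall(body.rstrip("'")):
        fields[key] = value.strip('"')
    return m.group("type"), int(m.group("ts")), fields


def session_boundaries(log_text):
    """Return one Session row per login and per reboot, ordered by start time."""
    rows, open_sessions = [], {}
    system_up = False  # True once a boot was seen with no shutdown after it
    records = [r for r in (parse_record(l) for l in log_text.splitlines()) if r]
    records.sort(key=lambda r: r[1])
    for rtype, ts, f in records:
        if rtype == "SYSTEM_BOOT":
            # A boot while the previous instance never shut down: everything
            # still open was terminated by a crash, not by the user.
            how = "crash" if system_up else "clean"
            for s in open_sessions.values():
                s.end, s.how = ts, "crash"
            rows.extend(open_sessions.values())
            open_sessions.clear()
            rows.append(Session("reboot", "system boot", "-", ts, None, how))
            system_up = True
        elif rtype == "SYSTEM_SHUTDOWN":
            # Orderly shutdown: sessions without a logout ended with the system.
            for s in open_sessions.values():
                s.end, s.how = ts, "down"
            rows.extend(open_sessions.values())
            open_sessions.clear()
            system_up = False
        elif rtype == "USER_LOGIN" and f.get("res") == "success":
            key = (f["auid"], f["ses"])
            open_sessions.setdefault(key, Session(f["auid"], f.get("terminal", "?"),
                                                  f.get("hostname", "?"), ts, None,
                                                  "still logged in"))
        elif rtype == "USER_LOGOUT":
            s = open_sessions.pop((f["auid"], f["ses"]), None)
            if s:
                s.end, s.how = ts, "logout"
                rows.append(s)
    rows.extend(open_sessions.values())  # nothing closed them: still logged in
    rows.sort(key=lambda s: s.start)
    return rows


def fmt(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M")


if __name__ == "__main__":
    for s in session_boundaries(SAMPLE_LOG):
        end = fmt(s.end) if s.end is not None else "-"
        print(f"{s.auid:<8}{s.terminal:<12}{s.host:<12}{fmt(s.start)}  {end}  ({s.how})")
```

Without the two init-generated events, the second ssh session of auid 1000 would look identical to the tty1 session of auid 1001 (a login with no logout); with them, one is attributable to a clean shutdown and the other to a crash, which is the distinction aulast draws.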

Revision history for this message
In , Steve (steve-redhat-bugs) wrote :

Created attachment 329038
New patch for 0.5.0

This is a new patch sent upstream that addresses all issues raised. The only thing upstream really questioned was the configure.ac work. We really need this patch put in Fedora (rawhide and 10) so that aulast works correctly. Thanks.

Revision history for this message
In , Steve (steve-redhat-bugs) wrote :

Any update on this? Not having this applied means no one else can take advantage of the session analysis capabilities in the last 3 audit packages released. Upstream apparently has no objection (or no approval either). Thanks.

Revision history for this message
In , Casey (casey-redhat-bugs) wrote :

Rolled in and building now.

Revision history for this message
In , Steve (steve-redhat-bugs) wrote :

Just investigated why I'm not seeing system start up and shutdown events and I see that the patch has been added to cvs - but the spec file has not been updated to apply the patch. The spec file needs updating in devel, F-11, and F-10 branches.

Revision history for this message
In , Bill (bill-redhat-bugs) wrote :

Should be fixed in -24.

Revision history for this message
In , Casey (casey-redhat-bugs) wrote :

Steve? Is this good now?

Revision history for this message
In , Steve (steve-redhat-bugs) wrote :

Yes, this appears to be working correctly. Closing the bug. Thanks.

Revision history for this message
Casey Dahlin (cjdahlin) wrote :
Revision history for this message
Michael Biebl (mbiebl) wrote :

Would it be possible to add a ./configure check, so this feature can be disabled?
I.e. have something like HAVE_AUDIT and AUDIT_CFLAGS/AUDIT_LIBS for Makefile.am instead of hardcoding -laudit etc.

Revision history for this message
Scott James Remnant (Canonical) (canonical-scott) wrote :

Is there an RH/Fedora Bug# for this?

Changed in upstart:
importance: Undecided → Wishlist
status: New → Incomplete
Revision history for this message
Scott James Remnant (Canonical) (canonical-scott) wrote :

This looks like a different patch to the one Steve Grubb sent to the ML earlier this year (attached), could you review the differences?

I would be nervous about introducing the patch without similar support for 0.5/trunk, as otherwise that'd be dropping features

summary: - Audit events
+ util: audit events
Revision history for this message
Casey Dahlin (cjdahlin) wrote :

https://bugzilla.redhat.com/show_bug.cgi?id=470661

RH Bugzilla. Includes a patch for 0.5 as well.

Changed in upstart (Fedora):
status: Unknown → Fix Released
Revision history for this message
Scott James Remnant (Canonical) (canonical-scott) wrote :

Marking the 0.3 task as Won't Fix, 0.6 is the stable release series now

Revision history for this message
Scott James Remnant (Canonical) (canonical-scott) wrote :

Not sure why this is marked Incomplete; have you tested to see whether the patch applies to 0.6?

Changed in upstart:
status: Incomplete → Triaged
Revision history for this message
In , Bill (bill-redhat-bugs) wrote :

Steve - any chance you can do a rebase against 0.6.x in devel?

Revision history for this message
In , Steve (steve-redhat-bugs) wrote :

I sent the patches upstream for his 0.5 release. Did upstream never incorporate the patches?

Revision history for this message
In , Bill (bill-redhat-bugs) wrote :

They aren't in 0.6, and the 0.5 patch doesn't apply cleanly.

Revision history for this message
In , Petr (petr-redhat-bugs) wrote :

Created attachment 378790
audit patch for 0.6

This is a cvs patch rebased for 0.6

There is a problem with logging AUDIT_SYSTEM_BOOT. First runlevel change is done by post-start rcS.conf and there is no running auditd at that moment.

Revision history for this message
In , Petr (petr-redhat-bugs) wrote :

I see the same problem with logging AUDIT_SYSTEM_BOOT also in actual upstart-0.3.11

"runlevel --reboot" is called in /etc/event.d/rcS right after /etc/rc.d/rc.sysinit when no auditd running yet

Revision history for this message
In , Steve (steve-redhat-bugs) wrote :

The event should be queued in the kernel if you boot with audit=1. And the way I check the results is by running aulast. Thanks.

Revision history for this message
Petr Lautrbach (plautrba) wrote :

This is Steve Grubb's patch slightly changed and rebased for 0.6.

Revision history for this message
In , Bill (bill-redhat-bugs) wrote :

Reopening, as this isn't in currently.

Revision history for this message
In , Bill (bill-redhat-bugs) wrote :

Eep, don't mind me. Stale CVS checkout.

Changed in upstart (Fedora):
importance: Unknown → Medium