> From: Corey Wright [mailto:undefined@pobox.com]
>
> On Tue, 6 May 2014 14:50:05 +0000
> Fiedler Roman <Roman.Fiedler@ait.ac.at> wrote:
>
> > Hello List,
> >
> > I've observed, that adding audit rules on vserver kernels does not work.
> > Since this failure is not logged at any prominent position, I haven't
> > noticed it till now and I'm not sure when this problem might have first
> > occurred (A quick check showed, that it is present since at least
> > 3.13.5-vs2.3.6.11 on amd64).
> >
> > Since this is working on Ubuntu stock kernels, I also do not know if the
> > problem was introduced by using problematic kernel configuration on my side
> > or if it might be really vserver specific.
> >
> > Could someone with their own build of a vserver kernel please test if auditctl
> > works on his system?
> >
> > # apt-get install auditd
> > # auditctl -l
> > No rules
> > # auditctl -a exit,always -F arch=b32 -S unlink -S rmdir
> > Error sending add rule request (Operation not supported)
>
> # uname -a
> Linux debian-wheezy-server 3.10.39-vs2.3.6.8+1-amd64 #1 SMP Tue May 6
> 23:23:27 UTC 2014 x86_64 GNU/Linux
> # cat /etc/debian_version
> 7.3
> # grep AUDIT /boot/config-3.10.39-vs2.3.6.8+1-amd64
> CONFIG_AUDIT_ARCH=y
> CONFIG_AUDIT=y
> CONFIG_AUDITSYSCALL=y
> CONFIG_AUDIT_WATCH=y
> CONFIG_AUDIT_TREE=y
> # CONFIG_AUDIT_LOGINUID_IMMUTABLE is not set
> CONFIG_NETFILTER_XT_TARGET_AUDIT=m
> CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
> # CONFIG_KVM_MMU_AUDIT is not set
>
> I ran your specified commands (apt-get... auditctl...) and got the same error.
>
> So that's another data point for you (though I don't know if that helps you
> determine where the problem is, except that it isn't specific to 3.13).
I guess I found the cause: it is not related to vserver but to using
near-trunk kernels with Ubuntu Precise.
If I understand correctly, this netlink message is used to add a rule:
sendto(4, "\34\3\0\0\353\3\5\0\2\0\0\0\0\0\0\0\4\0\0\0\2\0\0\0"..., 796, 0,
{sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 796
Without checking the data structures, \353\3 is the only value in a suitable
range to be an audit command type. That would correspond to
#define AUDIT_ADD 1003 /* Add syscall rule -- deprecated */
The new value should be
#define AUDIT_ADD_RULE 1011 /* Add syscall filtering rule */
Since the value is deprecated, audit_netlink_ok must have been changed
in the past, returning the "not supported" error for the old request type.
/*
 * Check for appropriate CAP_AUDIT_ capabilities on incoming audit
 * control messages.
 */
static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
{
        int err = 0;

        /* Only support the initial namespaces for now. */
        if ((current_user_ns() != &init_user_ns) ||
            (task_active_pid_ns(current) != &init_pid_ns))
                return -EPERM;

        switch (msg_type) {
        case AUDIT_LIST:
        case AUDIT_ADD:
        case AUDIT_DEL:
                return -EOPNOTSUPP;
Conclusion: do not use the latest kernels with Ubuntu Precise (and most likely
some other distros).
Roman
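The by-hand decoding of the strace bytes in the message above, done in code as an added Python example that is not part of the thread: it parses the nlmsghdr from the 24-byte prefix strace printed, checks the type against AUDIT_ADD (1003) and AUDIT_ADD_RULE (1011) from linux/audit.h, and also checks whether the payload length matches the legacy struct audit_rule (780 bytes, a size derived here, not stated in the mail). It assumes a little-endian host, since netlink uses host byte order.

```python
import struct

# Constants from linux/audit.h named in the mail; the payload size is derived
# from the legacy struct audit_rule (3 u32 words + mask[64] + fields[64] + values[64]).
AUDIT_ADD = 1003        # legacy add request, now answered with EOPNOTSUPP
AUDIT_ADD_RULE = 1011   # current add request, carries struct audit_rule_data
NLMSG_HDRLEN = 16
LEGACY_RULE_LEN = 3 * 4 + 3 * 64 * 4   # sizeof(struct audit_rule) == 780

FILTER_NAMES = {0: "user", 1: "task", 2: "entry", 3: "watch", 4: "exit"}
ACTION_NAMES = {0: "never", 1: "possible", 2: "always"}

# First 24 bytes of the sendto() buffer exactly as strace printed them (constructed
# here from the mail; Python bytes literals accept the same octal escapes).
STRACE_PREFIX = b"\34\3\0\0\353\3\5\0\2\0\0\0\0\0\0\0\4\0\0\0\2\0\0\0"


def parse_audit_request(buf: bytes) -> dict:
    """Decode nlmsghdr plus the flags/action words that open both rule formats.

    Assumes a little-endian host (netlink headers are in host byte order).
    """
    if len(buf) < NLMSG_HDRLEN + 8:
        raise ValueError("need nlmsghdr plus the first two rule words")
    nl_len, nl_type, nl_flags, nl_seq, nl_pid = struct.unpack_from("<IHHII", buf, 0)
    rule_flags, action = struct.unpack_from("<II", buf, NLMSG_HDRLEN)
    return {
        "nlmsg_len": nl_len,
        "nlmsg_type": nl_type,
        "nlmsg_flags": nl_flags,   # 5 == NLM_F_REQUEST | NLM_F_ACK
        "nlmsg_seq": nl_seq,
        "deprecated_add": nl_type == AUDIT_ADD,
        # A payload of exactly 780 bytes is the legacy struct audit_rule layout.
        "legacy_payload": nl_len - NLMSG_HDRLEN == LEGACY_RULE_LEN,
        "filter": FILTER_NAMES.get(rule_flags, str(rule_flags)),
        "action": ACTION_NAMES.get(action, str(action)),
    }


def verdict(info: dict) -> str:
    """One-line reading of the parsed header, suitable for a log line or bug report."""
    if info["deprecated_add"]:
        return ("userspace sent AUDIT_ADD (1003); current kernels reject it with "
                "EOPNOTSUPP, so an auditctl that sends AUDIT_ADD_RULE (1011) is needed")
    return f"message type {info['nlmsg_type']} is not the deprecated AUDIT_ADD"


if __name__ == "__main__":
    parsed = parse_audit_request(STRACE_PREFIX)
    print(parsed)
    print(verdict(parsed))
```

For the prefix above the parser reports length 796, type 1003, an exit/always rule and a legacy-sized payload, which is the mismatch between a Precise-era auditctl and a kernel whose audit_netlink_ok returns -EOPNOTSUPP for AUDIT_ADD.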