From: Steve Grubb
To: Linux-audit@redhat.com, Andreas Hasenack
Subject: Re: Replacing file watch (-w) with syscall
Date: Fri, 28 May 2021 11:26:09 -0400
Message-ID: <11760122.O9o76ZdvQC@x2>
Organization: Red Hat
List-Id: Linux Audit Discussion

On Friday, May 28, 2021 8:34:45 AM EDT Andreas Hasenack wrote:
> I wanted to place a file watch on a file, but with an auid filter,
> i.e., I didn't want to log accesses done by a particular user. That is
> not possible with -w, so we have to use a syscall rule.
>
> The manpage has many examples of such conversions, so here is what I would
> use:
>
> -a always,exit -F auid!=andreas -F path=/etc/myfile -F perm=wa -F key=myfile-changed
>
> No syscall, because the manpage also says this for the perm filter:
> "You can use this without specifying a syscall and the kernel will
> select the syscalls that satisfy the permissions being requested."
>
> Right after loading that rule, though, auditctl shows it with "-S all":
>
> -a always,exit -S all -F auid!=1000 -F path=/etc/myfile -F perm=wa -F key=myfile-changed
>
> That had me a bit worried, in terms of performance impact, if "-S all"
> is true and all syscalls will be checked. Is this a terrible rule?

I think what you are seeing is auditctl trying to display something
meaningful. The syscalls are selected by the perm filter, but it keeps this
information private and doesn't move it to the syscall mask. The watch does
the same thing; you just don't see anything displayed when you list the rule.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
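The distinction in this thread (a displayed `-S all` next to `-F perm=` is narrowed by the kernel, whereas `-S all` with no perm filter and no syscall list really does hook every syscall) is easy to check mechanically over `auditctl -l` output. The following classifier is an added example, not code from the thread or from audit-userspace; it assumes the rule lines look like the ones quoted above, and the sample lines are constructed for illustration.

```python
import shlex

def parse_rule(line):
    """Parse one auditctl -l style rule line into its components."""
    toks = shlex.split(line)
    rule = {"action": None, "syscalls": [], "filters": [],
            "perm": None, "key": None, "watch": None}
    i = 0
    while i < len(toks):
        t, arg = toks[i], toks[i + 1] if i + 1 < len(toks) else None
        if t == "-a":
            rule["action"] = arg
        elif t == "-S":
            rule["syscalls"].extend(arg.split(","))
        elif t == "-F":
            if arg.startswith("perm="):
                rule["perm"] = arg[len("perm="):]
            elif arg.startswith("key="):
                rule["key"] = arg[len("key="):]
            else:
                rule["filters"].append(arg)
        elif t == "-w":
            rule["watch"] = arg            # legacy file watch form
        elif t == "-p":
            rule["perm"] = arg            # perm of a -w watch
        elif t == "-k":
            rule["key"] = arg
        i += 2
    return rule

def effective_scope(rule):
    """How many syscalls the rule really hooks, per the thread's explanation."""
    if rule["watch"] is not None:
        return "perm-selected"           # -w: kernel picks syscalls from -p
    if rule["syscalls"] and "all" not in rule["syscalls"]:
        return "explicit"                # explicit syscall mask
    if rule["perm"] is not None:
        return "perm-selected"           # displayed -S all is cosmetic here
    return "all-syscalls"                # genuinely every syscall: review it

def review_rules(lines):
    """Return (line, scope) pairs; 'all-syscalls' entries deserve a look."""
    return [(ln, effective_scope(parse_rule(ln))) for ln in lines if ln.strip()]

# Constructed sample of auditctl -l output, modelled on the thread's rule.
SAMPLE_RULES = [
    "-a always,exit -S all -F auid!=1000 -F path=/etc/myfile -F perm=wa -F key=myfile-changed",
    "-w /etc/myfile -p wa -k myfile-changed",
    "-a always,exit -S openat -F path=/etc/myfile -F key=myfile-open",
    "-a always,exit -S all -F auid!=1000 -F key=everything",
]
```

Running `review_rules(SAMPLE_RULES)` marks only the last constructed line as `all-syscalls`; the first two are equivalent perm-selected rules despite one of them listing `-S all`.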