From: Amy Griffis <amy.griffis@hp.com>
To: Robert Giles <rgiles@arlut.utexas.edu>
Cc: linux-audit@redhat.com
Subject: Re: Logging failed open() calls on /var/log/audit/audit.log
Date: Tue, 27 Jun 2006 17:15:53 -0400 [thread overview]
Message-ID: <20060627211553.GA11601@zk3.dec.com> (raw)
In-Reply-To: <Pine.CYG.4.64.0606271524300.1744@ninja>
Hi Robert,
Robert Giles wrote: [Tue Jun 27 2006, 04:43:10PM EDT]
> Howdy folks - I'm running audit-1.2.2 with the latest audit-current git
> tree (lspp.b20)...
>
> The filesystem auditing seems to be working fine for all files *except*
> the audit.log file.
>
> For example, I do this:
> auditctl -w /etc/shadow
> auditctl -w /var/log/audit/audit.log
>
> The audit daemon generates audit events for both successful and failed
> open() calls to /etc/shadow, but only records *successful* accesses to
> /var/log/audit/audit.log.
>
> So if I attempt to access /etc/shadow as a regular user, a "success=no"
> audit event is generated to indicate read failure - but if a regular user
> attempts to read /var/log/audit/audit.log, nothing happens (no audit event
> whatsoever is created).
This is because the regular doesn't have permissions to read
/var/log/audit. Since the path didn't fully resolve to
/var/log/audit/audit.log, the user didn't actually fail to access
audit.log, they failed to access /var/log/audit.
If you would like to see a record in this case, you must add a watch
for /var/log/audit.
> *Successful* reads of /var/log/audit/audit.log (ie: as super-user) do
> indeed generate the appropriate audit event in audit.log ("success=yes").
>
> Is this the way the audit daemon is supposed to work? (some kind of race
> condition if the audit daemon fully audits its own audit trail?)
>
> (this question may seem unusual, but we're trying to audit "unsuccessful
> attempts to access security-relevant objects"... the audit trail itself
> constitutes a "security-relevant object").
>
> Thanks again!
Hope this helps.
Amy
next prev parent reply other threads:[~2006-06-27 21:16 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-06-27 20:43 Logging failed open() calls on /var/log/audit/audit.log Robert Giles
2006-06-27 21:15 ` Amy Griffis [this message]
2006-06-27 21:21 ` Steve Grubb
2006-06-27 21:32 ` Timothy R. Chavez
2006-06-27 23:10 ` Amy Griffis
2006-06-27 21:32 ` Amy Griffis
2006-06-27 21:36 ` Linda Knippers
2006-06-27 22:03 ` Alexander Viro
2006-06-27 22:16 ` Linda Knippers
2006-06-29 16:34 ` Klaus Weidner
2006-06-29 18:04 ` LC Bruzenak
2006-06-29 18:12 ` Robert Giles
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060627211553.GA11601@zk3.dec.com \
--to=amy.griffis@hp.com \
--cc=linux-audit@redhat.com \
--cc=rgiles@arlut.utexas.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.