* Why doesn't chown produce an event
@ 2007-05-02 15:13 Robert Evans
  2007-05-02 15:14 ` Marcus Meissner
  2007-05-02 17:30 ` Steve Grubb
  0 siblings, 2 replies; 7+ messages in thread
From: Robert Evans @ 2007-05-02 15:13 UTC (permalink / raw)
  To: linux-audit

Greetings,

I have the following rule in audit.rules

-a exit,always -S chmod -S chown -S lchown -S fchown -F success!-1 -F key=mod

If I log in as a typical user and try "chown bob /etc/shadow" I don't get an 
event produced, however if I try "chmod 666 /etc/shadow" I do.

What am I missing here?

Thanks!

Bob


* Re: Why doesn't chown produce an event
  2007-05-02 15:13 Why doesn't chown produce an event Robert Evans
@ 2007-05-02 15:14 ` Marcus Meissner
  2007-05-02 15:45   ` Evans, Robert B.
  2007-05-02 17:30 ` Steve Grubb
  1 sibling, 1 reply; 7+ messages in thread
From: Marcus Meissner @ 2007-05-02 15:14 UTC (permalink / raw)
  To: Robert Evans; +Cc: linux-audit

On Wed, May 02, 2007 at 11:13:23AM -0400, Robert Evans wrote:
> Greetings,
> 
> I have the following rule in audit.rules
> 
> -a exit,always -S chmod -S chown -S lchown -S fchown -F success!-1 -F 
> key=mod
> 
> If I log in as a typical user and try "chown bob /etc/shadow" I don't get 
> an event produced, however if I try "chmod 666 /etc/shadow" I do.
> 
> What am I missing here?
> 
> Thanks!

You need to give 1 system call per line I guess.

-a exit,always -S chmod -F success!-1 -F key=mod
-a exit,always -S chown -F success!-1 -F key=mod
-a exit,always -S lchown -F success!-1 -F key=mod
-a exit,always -S fchown -F success!-1 -F key=mod

Ciao, Marcus


* RE: Why doesn't chown produce an event
  2007-05-02 15:14 ` Marcus Meissner
@ 2007-05-02 15:45   ` Evans, Robert B.
  2007-05-02 17:34     ` Steve Grubb
  0 siblings, 1 reply; 7+ messages in thread
From: Evans, Robert B. @ 2007-05-02 15:45 UTC (permalink / raw)
  To: Marcus Meissner; +Cc: linux-audit

Hmm... The documentation says that it is best to combine system calls on
one line.
And in fact the sample audit.rules for NISPOM coverage posted by this
site have the system calls on one line as well.

Bob

-----Original Message-----
From: Marcus Meissner [mailto:meissner@suse.de] 
Sent: Wednesday, May 02, 2007 11:15 AM
To: Evans, Robert B.
Cc: linux-audit@redhat.com
Subject: Re: Why doesn't chown produce an event

On Wed, May 02, 2007 at 11:13:23AM -0400, Robert Evans wrote:
> Greetings,
> 
> I have the following rule in audit.rules
> 
> -a exit,always -S chmod -S chown -S lchown -S fchown -F success!-1 -F 
> key=mod
> 
> If I log in as a typical user and try "chown bob /etc/shadow" I don't 
> get an event produced, however if I try "chmod 666 /etc/shadow" I do.
> 
> What am I missing here?
> 
> Thanks!

You need to give 1 system call per line I guess.

-a exit,always -S chmod -F success!-1 -F key=mod
-a exit,always -S chown -F success!-1 -F key=mod
-a exit,always -S lchown -F success!-1 -F key=mod
-a exit,always -S fchown -F success!-1 -F key=mod

Ciao, Marcus


* Re: Why doesn't chown produce an event
  2007-05-02 15:13 Why doesn't chown produce an event Robert Evans
  2007-05-02 15:14 ` Marcus Meissner
@ 2007-05-02 17:30 ` Steve Grubb
  2007-05-02 18:00   ` Robert Evans
  1 sibling, 1 reply; 7+ messages in thread
From: Steve Grubb @ 2007-05-02 17:30 UTC (permalink / raw)
  To: linux-audit; +Cc: Robert Evans

On Wednesday 02 May 2007 11:13, Robert Evans wrote:
> If I log in as a typical user and try "chown bob /etc/shadow" I don't get
> an event produced, however if I try "chmod 666 /etc/shadow" I do.
>
> What am I missing here?

A syscall. If I am on an i386 machine and I strace chmod root file.txt, I see 
this:

chown32("file.txt", 0, -1)        = 0

So, you would want to use chown32 instead of chown on i386 machines. On x86_64 
the chown syscall is used.

-Steve


* Re: Why doesn't chown produce an event
  2007-05-02 15:45   ` Evans, Robert B.
@ 2007-05-02 17:34     ` Steve Grubb
  0 siblings, 0 replies; 7+ messages in thread
From: Steve Grubb @ 2007-05-02 17:34 UTC (permalink / raw)
  To: linux-audit; +Cc: Evans, Robert B.

On Wednesday 02 May 2007 11:45, Evans, Robert B. wrote:
> Hmm... The documentation says that it is best to combine system calls on
> one line.

Correct.

-Steve


* Re: Why doesn't chown produce an event
  2007-05-02 17:30 ` Steve Grubb
@ 2007-05-02 18:00   ` Robert Evans
  2007-05-02 18:15     ` Steve Grubb
  0 siblings, 1 reply; 7+ messages in thread
From: Robert Evans @ 2007-05-02 18:00 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

Got it!  So when I want to figure out how to trace something, the recommended 
course of action is do a strace on the operation, and look for a good syscall to 
tag...

Bob

Steve Grubb wrote:
> On Wednesday 02 May 2007 11:13, Robert Evans wrote:
>> If I log in as a typical user and try "chown bob /etc/shadow" I don't get
>> an event produced, however if I try "chmod 666 /etc/shadow" I do.
>>
>> What am I missing here?
> 
> A syscall. If I am on an i386 machine and I strace chmod root file.txt, I see 
> this:
> 
> chown32("file.txt", 0, -1)        = 0
> 
> So, you would want to use chown32 instead of chown on i386 machines. On x86_64 
> the chown syscall is used.
> 
> -Steve
> 


* Re: Why doesn't chown produce an event
  2007-05-02 18:00   ` Robert Evans
@ 2007-05-02 18:15     ` Steve Grubb
  0 siblings, 0 replies; 7+ messages in thread
From: Steve Grubb @ 2007-05-02 18:15 UTC (permalink / raw)
  To: Robert Evans; +Cc: linux-audit

On Wednesday 02 May 2007 14:00, Robert Evans wrote:
> Got it!  So when I want to figure out how to trace something, the
> recommended course of action is do a strace on the operation, and look for
> a good syscall to tag...

You should do that whenever you don't get a hit when you think you should. It 
should also be trivial for me to write a simple app that iterates the 
syscalls it knows about for a given arch.

-Steve

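The two points Steve makes (strace the operation when a rule does not fire, and enumerate the syscall names an arch actually uses) can be turned into a small tool. The script below is an added example written for this thread, not code from the linux-audit project or from any poster. It parses strace's default output format, keeps the syscalls that belong to the chown family for a given ABI, and emits one auditctl rule per ABI with `-F arch=` placed before `-S` so the names resolve correctly. The strace lines are constructed for the example, not captured output; the `OWNERSHIP_SYSCALLS` table, the function names and the `success!=1` spelling of the failure filter are this example's own choices.

```python
"""Turn strace output into audit rules that name the syscalls actually used.

Added example for the linux-audit thread; not code from the audit project.
It assumes strace's default line format (syscall name, argument list,
'= retval'). The strace text below is constructed, not captured.
"""
import re

# Ownership-changing syscalls by ABI (this example's own table).
# chown32/lchown32/fchown32 are the i386 variants Steve's strace shows;
# x86_64 only has the unsuffixed names.
OWNERSHIP_SYSCALLS = {
    "b32": {"chown", "chown32", "lchown", "lchown32",
            "fchown", "fchown32", "fchownat"},
    "b64": {"chown", "lchown", "fchown", "fchownat"},
}

# Constructed strace output for `strace chown root file.txt` on i386
# (chown32) and on x86_64 (chown). Only the chown line matters here.
STRACE_I386 = """\
execve("/bin/chown", ["chown", "root", "file.txt"], [/* 20 vars */]) = 0
chown32("file.txt", 0, -1)        = 0
exit_group(0)                     = ?
"""
STRACE_X86_64 = """\
execve("/bin/chown", ["chown", "root", "file.txt"], [/* 20 vars */]) = 0
chown("file.txt", 0, -1)          = 0
exit_group(0)                     = ?
"""

# Matches "name(" at line start, optionally after strace -f's "[pid N]" prefix.
_SYSCALL_LINE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?([a-z_][a-z0-9_]*)\(")


def syscalls_from_strace(text):
    """Return the distinct syscall names in strace output, in first-seen order."""
    seen = []
    for line in text.splitlines():
        m = _SYSCALL_LINE.match(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def ownership_syscalls(text, arch):
    """Syscalls from the trace that belong to the chown family for this ABI."""
    family = OWNERSHIP_SYSCALLS[arch]
    return [s for s in syscalls_from_strace(text) if s in family]


def audit_rule(arch, syscalls, key, failures_only=True):
    """Build one auditctl rule covering the given syscalls for one ABI.

    -F arch= must precede -S so auditctl resolves the names against that
    ABI. success!=1 keeps only failed calls (auditctl's operator form of
    the failure filter used in the thread).
    """
    parts = ["-a", "exit,always", "-F", f"arch={arch}"]
    for name in syscalls:
        parts += ["-S", name]
    if failures_only:
        parts += ["-F", "success!=1"]
    parts += ["-F", f"key={key}"]
    return " ".join(parts)


def rules_from_traces(traces, key="mod"):
    """One rule per ABI from {arch: strace_output}; ABIs with no hits are skipped."""
    rules = []
    for arch, text in traces.items():
        names = ownership_syscalls(text, arch)
        if names:
            rules.append(audit_rule(arch, names, key))
    return rules


def uncovered(rule_syscalls, arch):
    """Family members a rule does not name, so the coverage gap is visible."""
    return sorted(OWNERSHIP_SYSCALLS[arch] - set(rule_syscalls))


if __name__ == "__main__":
    for rule in rules_from_traces({"b32": STRACE_I386, "b64": STRACE_X86_64}):
        print(rule)
    # The thread's rule named only "chown"; on i386 that misses chown32.
    print("not covered on b32 by -S chown:", uncovered(["chown"], "b32"))
```

Feed it real strace output from each ABI you run and the emitted rules name exactly the syscalls that were observed; `uncovered()` then lists the family members a rule still does not mention, which is the check to run before concluding that a missing event means the audit system is broken.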
