From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Possible regression
Date: Thu, 2 Jun 2011 09:21:17 -0400
Message-ID: <201106020921.17388.sgrubb@redhat.com>
In-Reply-To: <BANLkTi=Y2qpccRUxy59yj-8C_nHaFkovmg@mail.gmail.com>

On Thursday, June 02, 2011 08:48:30 AM 4javier wrote:
> I'm noticing exactly the same problem mentioned in this old message
> http://osdir.com/ml/linux.redhat.security.audit/2006-07/msg00036.html
> The workaround of watching the whole directory containing the file
> works too. I've found that in 2006 a patch was submitted to solve the
> issue
> http://www.mail-archive.com/linux-audit@redhat.com/msg00476.html
>
> Is this a recent regression, or is there something I don't know?

I just ran the test from that email and got the following:

[root@localhost ~]# touch /tmp/test
[root@localhost ~]# auditctl -a always,exit -F path=/tmp/test -F perm=rwa -k watch
[root@localhost ~]# echo "" > /tmp/test
[root@localhost ~]# cat /tmp/test
[root@localhost ~]# ausearch --start recent --key watch -i
----
type=CONFIG_CHANGE msg=audit(06/02/2011 09:15:49.790:124) : auid=sgrubb ses=2
subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 op="add rule" key=watch
list=exit res=1
----
type=PATH msg=audit(06/02/2011 09:15:56.970:125) : item=0 name=/tmp/test inode=164740
dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
obj=unconfined_u:object_r:user_tmp_t:s0
type=CWD msg=audit(06/02/2011 09:15:56.970:125) : cwd=/root
type=SYSCALL msg=audit(06/02/2011 09:15:56.970:125) : arch=x86_64 syscall=open
success=yes exit=3 a0=28cadd0 a1=241 a2=1b6 a3=0 items=1 ppid=1634 pid=1640
auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root tty=pts1 ses=2 comm=bash exe=/bin/bash
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=watch
----
type=PATH msg=audit(06/02/2011 09:16:08.850:126) : item=0 name=/tmp/test inode=164740
dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
obj=unconfined_u:object_r:user_tmp_t:s0
type=CWD msg=audit(06/02/2011 09:16:08.850:126) : cwd=/root
type=SYSCALL msg=audit(06/02/2011 09:16:08.850:126) : arch=x86_64 syscall=open
success=yes exit=3 a0=7fffd7a8f943 a1=0 a2=0 a3=32d80819d0 items=1 ppid=1640 pid=1659
auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root tty=pts1 ses=2 comm=cat exe=/bin/cat
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=watch

[root@localhost ~]# uname -r
2.6.38.6-26.rc1.fc15.x86_64

We have 2 events. Are you getting this? Is something missing?

-Steve
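
Added example (not part of the original message, and not code from the audit project): a small Python parser that rejoins the mail-wrapped ausearch records shown above and decodes the open(2) flags argument, so that event 125 reads as the shell's truncating write (a1=241) and event 126 as cat's read (a1=0). Reading a2 for openat goes beyond the output shown; the function names and the x86_64 flag values are assumptions of the example.

```python
import re

# Trimmed copy of the ausearch -i output from the message above; the mail
# wrapping is kept on purpose so the parser has to rejoin the records.
SAMPLE = """\
----
type=CONFIG_CHANGE msg=audit(06/02/2011 09:15:49.790:124) : auid=sgrubb ses=2
op="add rule" key=watch list=exit res=1
----
type=PATH msg=audit(06/02/2011 09:15:56.970:125) : item=0 name=/tmp/test inode=164740
type=SYSCALL msg=audit(06/02/2011 09:15:56.970:125) : arch=x86_64 syscall=open
success=yes exit=3 a0=28cadd0 a1=241 a2=1b6 a3=0 items=1 ppid=1634 pid=1640
comm=bash exe=/bin/bash key=watch
----
type=SYSCALL msg=audit(06/02/2011 09:16:08.850:126) : arch=x86_64 syscall=open
success=yes exit=3 a0=7fffd7a8f943 a1=0 a2=0 a3=32d80819d0 items=1 ppid=1640 pid=1659
comm=cat exe=/bin/cat key=watch
"""

EVENT_ID = re.compile(r"msg=audit\([^)]*:(\d+)\)")   # serial number after the timestamp
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
FLAG_ARG = {"open": "a1", "openat": "a2"}            # which argument holds the flags
ACCESS = {0: "read", 1: "write", 2: "read+write"}    # flags & O_ACCMODE on Linux
O_TRUNC = 0x200                                      # x86_64 value (assumption)

def records(text):
    """Rejoin wrapped lines: a record starts at 'type=', '----' separates events."""
    out = []
    for line in text.splitlines():
        if line.startswith("type="):
            out.append(line)
        elif out and line.strip() and not line.startswith("----"):
            out[-1] += " " + line.strip()
    return out

def watched_opens(text, key="watch"):
    """One dict per SYSCALL record that carries the rule key and is an open call."""
    hits = []
    for rec in records(text):
        f = dict(FIELD.findall(rec))
        arg = FLAG_ARG.get(f.get("syscall"))
        if f.get("type") != "SYSCALL" or f.get("key", "").strip('"') != key or not arg:
            continue
        flags = int(f[arg], 16)                      # syscall arguments are logged in hex
        hits.append({"event": int(EVENT_ID.search(rec).group(1)), "comm": f["comm"],
                     "access": ACCESS.get(flags & 3, "invalid"),
                     "truncate": bool(flags & O_TRUNC)})
    return hits

if __name__ == "__main__":
    for hit in watched_opens(SAMPLE):
        print(hit)
```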