From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: test patch for auditctl inter-field comparisons on euid/uid, egid/gid
Date: Mon, 12 Dec 2011 09:40:38 -0500
Message-ID: <201112120940.39028.sgrubb@redhat.com>
In-Reply-To: <CALnj_=7X+DmQCBTkSiju=Uop1Eyxw74dRVtm1OyoHPS2McOuNQ@mail.gmail.com>
On Sunday, December 11, 2011 02:09:27 PM Peter Moody wrote:
> This patch extends Eric's test patch from 11/17 (
> http://www.redhat.com/archives/linux-audit/2011-November/msg00045.html).
> This turns -C into a long opt with similar syntax to -F.
Thanks.
> One strange thing related to this patch: auditd seems to be reporting
> success for a normal user process (gkrellm) opening /proc/meminfo (mode
> 444) O_RDWR, and I don't see how this is possible. e.g.:
>
> type=SYSCALL msg=audit(1323540255.146:97): arch=c000003e syscall=2
> success=yes exit=13 a0=4b1972 a1=0 a2=1b6 a3=0 items=1 ppid=1704 pid=1797
> auid=11532 uid=11532 gid=5000 euid=11532 suid=11532 fsuid=11532 egid=5000
> sgid=5000 fsgid=5000 tty=(none) ses=1 comm="gkrellm" exe="/usr/bin/gkrellm"
> key="permissive"
> type=CWD msg=audit(1323540255.146:97): cwd="/home/pmoody"
> type=PATH msg=audit(1323540255.146:97): item=0 name="/proc/meminfo" inode=
> 4026532008 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
>
> hopefully someone with more auditd internal knowledge can explain what's
> going on.
Simple: int open(const char *pathname, int flags, mode_t mode);
So, we want to look at a1's contents. It's a zero. So, let's look that up in
/usr/include/asm-generic/fcntl.h:
#define O_RDONLY 00000000
#define O_WRONLY 00000001
#define O_RDWR 00000002
So, it would appear open is called with O_RDONLY, which is allowed by the
permissions 0444.
> auditctl -l doesn't know how to report this yet; if this patch is generally
> acceptable, I can try to fix that and update the manpage, etc.
Yes, auditctl -l will have to be updated. If you want to do that, it would be
helpful. Also, see the comments on the other patch in case it affects this one.
-Steve
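The decoding Steve walks through above (a1 is the hex flags argument of open(2), a2 the mode argument, and the O_* constants come from asm-generic/fcntl.h) is easy to get wrong by eye, so here is an added example of doing it in code. It is not part of the thread or of the audit package: it parses a SYSCALL record, names the open flags, and then applies a simplified DAC check (owner/group/other bits only, no supplementary groups, ACLs or LSM policy; euid 0 is treated as CAP_DAC_OVERRIDE) to show that an O_RDONLY open of a 0444 file by a non-owner is consistent with success=yes, while O_RDWR would not be. The sample record is the one quoted above, embedded as a constant; the hypothetical flag 80241 in the second call is constructed for illustration.

```python
import re

# Values from /usr/include/asm-generic/fcntl.h (octal); these apply to
# x86_64, which is what arch=c000003e in the record denotes.
O_ACCMODE = 0o3
ACCESS_MODES = {0o0: "O_RDONLY", 0o1: "O_WRONLY", 0o2: "O_RDWR"}
FLAG_BITS = {
    0o100: "O_CREAT", 0o200: "O_EXCL", 0o400: "O_NOCTTY", 0o1000: "O_TRUNC",
    0o2000: "O_APPEND", 0o4000: "O_NONBLOCK", 0o10000: "O_DSYNC",
    0o200000: "O_DIRECTORY", 0o400000: "O_NOFOLLOW", 0o2000000: "O_CLOEXEC",
}
ARCH_X86_64 = "c000003e"
OPEN_SYSCALL_X86_64 = 2  # syscall=2 is open(2) on x86_64

# SYSCALL record quoted in the thread (joined onto one line).
SAMPLE_SYSCALL = (
    'type=SYSCALL msg=audit(1323540255.146:97): arch=c000003e syscall=2 '
    'success=yes exit=13 a0=4b1972 a1=0 a2=1b6 a3=0 items=1 ppid=1704 pid=1797 '
    'auid=11532 uid=11532 gid=5000 euid=11532 suid=11532 fsuid=11532 egid=5000 '
    'sgid=5000 fsgid=5000 tty=(none) ses=1 comm="gkrellm" exe="/usr/bin/gkrellm" '
    'key="permissive"'
)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split an audit record into a dict of key=value fields, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def decode_open_flags(a1_hex):
    """Turn the hex a1 argument of an open(2) record into a list of O_* names."""
    flags = int(a1_hex, 16)
    names = [ACCESS_MODES.get(flags & O_ACCMODE, "O_ACCMODE?")]
    for bit, name in sorted(FLAG_BITS.items()):
        if flags & bit:
            names.append(name)
    return names


def explain_open(syscall_line):
    """Decode the arguments of an x86_64 open(2) SYSCALL record."""
    rec = parse_record(syscall_line)
    if rec.get("arch") != ARCH_X86_64 or int(rec.get("syscall", -1)) != OPEN_SYSCALL_X86_64:
        raise ValueError("not an x86_64 open(2) record")
    flags = decode_open_flags(rec["a1"])
    return {
        "accmode": flags[0],
        "flags": flags,
        # a2 (mode) is only consulted by the kernel when O_CREAT is set.
        "mode_arg": oct(int(rec["a2"], 16)),
        "mode_relevant": "O_CREAT" in flags,
        "euid": int(rec["euid"]),
        "egid": int(rec["egid"]),
        "success": rec.get("success") == "yes",
    }


def dac_permits(accmode, path_mode_octal, ouid, ogid, euid, egid):
    """Simplified DAC check: does the requested access mode pass the file's
    owner/group/other bits for this euid/egid? Ignores supplementary groups,
    ACLs and LSMs; euid 0 is assumed to hold CAP_DAC_OVERRIDE."""
    if euid == 0:
        return True
    mode = int(path_mode_octal, 8) & 0o777
    if euid == ouid:
        bits = (mode >> 6) & 0o7
    elif egid == ogid:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    need_read = accmode in ("O_RDONLY", "O_RDWR")
    need_write = accmode in ("O_WRONLY", "O_RDWR")
    return bool((not need_read or bits & 0o4) and (not need_write or bits & 0o2))


if __name__ == "__main__":
    info = explain_open(SAMPLE_SYSCALL)
    print(info["flags"], info["mode_arg"])
    # PATH record from the thread: mode=0100444 ouid=0 ogid=0
    print("DAC ok:", dac_permits(info["accmode"], "0100444", 0, 0, info["euid"], info["egid"]))
```

Run against the quoted record it reports O_RDONLY with the 0o666 mode argument irrelevant (no O_CREAT), and the DAC check confirms that a read-only open of a root-owned 0444 file by uid 11532 is allowed, which is why success=yes is correct; substituting O_RDWR makes the same check fail.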