From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael C Thompson <thompsmc@us.ibm.com>
Subject: Re: Bypassing audit's file watches
Date: Fri, 07 Jul 2006 11:08:53 -0500
Message-ID: <44AE8715.5040309@us.ibm.com>
References: <44AE76A2.9050205@ornl.gov>
	<1152287952.21687.0.camel@localhost.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31])
	by int-mx1.corp.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id
	k67G94kk022381
	for <linux-audit@redhat.com>; Fri, 7 Jul 2006 12:09:04 -0400
Received: from e31.co.us.ibm.com (e31.co.us.ibm.com [32.97.110.149])
	by mx1.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id
	k67G92j6010507
	for <linux-audit@redhat.com>; Fri, 7 Jul 2006 12:09:02 -0400
Received: from westrelay02.boulder.ibm.com (westrelay02.boulder.ibm.com
	[9.17.195.11])
	by e31.co.us.ibm.com (8.12.11.20060308/8.12.11) with ESMTP id
	k67G8umb020593
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL)
	for <linux-audit@redhat.com>; Fri, 7 Jul 2006 12:08:56 -0400
Received: from d03av04.boulder.ibm.com (d03av04.boulder.ibm.com [9.17.195.170])
	by westrelay02.boulder.ibm.com (8.13.6/NCO/VER7.0) with ESMTP id
	k67G8BkU240120
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <linux-audit@redhat.com>; Fri, 7 Jul 2006 10:08:11 -0600
Received: from d03av04.boulder.ibm.com (loopback [127.0.0.1])
	by d03av04.boulder.ibm.com (8.12.11.20060308/8.13.3) with ESMTP id
	k67G8uPW015182
	for <linux-audit@redhat.com>; Fri, 7 Jul 2006 10:08:56 -0600
In-Reply-To: <1152287952.21687.0.camel@localhost.localdomain>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: "Timothy R. Chavez" <tinytim@us.ibm.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Timothy R. Chavez wrote:
> On Fri, 2006-07-07 at 10:58 -0400, Steve wrote:
>> I have found that I can modify files that are being watched and audit 
>> not catch it (ie. no events are dispatched).  When monitoring a file for 
>> all system calls, I can:
>>
>> echo "" > /file/to/watch
>>
>> or
>>
>> cat some_file > /file/to/watch
>>
>> without generating audit events.  I assume this has to do with how the 
>> kernel handles re-direction.  Is it possible to catch these modifications?
>>
>> Thanks,
>> Steve
> 
> What are your rules?  You should catch these on open()
> of /file/to/watch, right?
> 
> -tim

I am seeing this as well with the .42 kernel and audit-1.2.4-1. Not sure 
when this might have broken, but its broke now.

It seems if you set a watch on /file/to (to use your example above), 
then you are getting the opens that bash does, although the PATH record 
shows the item as "/file/to/watch".

So watching the parent directory will audit redirect shell magic, but 
watching the target of that redirection will not audit that same magic.

Mike