From: "Timothy R. Chavez"
Subject: Re: Bypassing audit's file watches
Date: Mon, 10 Jul 2006 10:16:23 -0500
Message-ID: <1152544584.13544.11.camel@localhost.localdomain>
In-Reply-To: <20060708020002.GA5350@dill.zko.hp.com>
References: <44AE76A2.9050205@ornl.gov> <20060708020002.GA5350@dill.zko.hp.com>
To: Amy Griffis
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Fri, 2006-07-07 at 22:00 -0400, Amy Griffis wrote:
>
> As Tim mentioned, the idea is that to determine if a file is modified,
> you would filter for open() calls with either the O_RDWR or O_WRONLY
> flag. This is pretty unwieldy with the current feature set since you
> would need a separate rule for every possible combination of flags
> that includes O_RDWR or O_WRONLY. I really think we need to enhance
> the filtering options available for open() calls, since trying to
> audit the actual modifications is much more difficult.
>
> If you are missing events for open() calls, please let us know since
> that would be a bug (versus a lacking feature).
>
> Thanks for testing.
>
> Amy
>

I think this is a bug. We see audit records for a failed attempt at
writing a file (e.g. chmod -w foo, echo "bar" > foo) via redirection, but
not otherwise.

-tim
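The classification Amy describes (a file can only be modified through a descriptor opened O_WRONLY or O_RDWR, so a write-open filter has to look at the access-mode bits of the flags argument) can be done after the fact on the audit log, which also makes it clear why matching each full flag value with a separate rule is unwieldy. The following is an added example, not code from the thread or from the audit project. It assumes x86_64 syscall numbers (open = 2 with flags in a1, openat = 257 with flags in a2), Linux fcntl.h flag values, and a small set of constructed SYSCALL records modelled on the redirection case Tim mentions, including one failed attempt (exit=-13, EACCES).

```python
"""Classify audit SYSCALL records for open()/openat() as read- or write-opens.

The access mode is the low two bits (O_ACCMODE) of the flags argument; every
other flag (O_CREAT, O_TRUNC, O_APPEND, ...) is OR-ed on top, which is why a
rule that compares the whole register value needs one entry per combination.
"""
import itertools
import re

# Linux fcntl.h values for x86 (assumed constants for this example).
O_ACCMODE = 0o3
O_RDONLY = 0o0
O_WRONLY = 0o1
O_RDWR = 0o2
FLAG_NAMES = {0o100: "O_CREAT", 0o1000: "O_TRUNC",
              0o2000: "O_APPEND", 0o2000000: "O_CLOEXEC"}
ACCMODE_NAMES = {O_RDONLY: "O_RDONLY", O_WRONLY: "O_WRONLY", O_RDWR: "O_RDWR"}

# x86_64 syscall number -> audit argument slot that carries the flags.
FLAGS_ARG = {2: "a1", 257: "a2"}  # open -> a1, openat -> a2

# Constructed sample records (not captured from a real system).
SAMPLE_RECORDS = [
    # echo "bar" > foo : O_WRONLY|O_CREAT|O_TRUNC, succeeds
    'type=SYSCALL msg=audit(1152544584.101:41): arch=c000003e syscall=2 '
    'success=yes exit=3 a0=7fff5a3c a1=241 a2=1b6 a3=0 comm="bash" exe="/bin/bash"',
    # same after chmod -w foo : open fails with EACCES
    'type=SYSCALL msg=audit(1152544584.102:42): arch=c000003e syscall=2 '
    'success=no exit=-13 a0=7fff5a3c a1=241 a2=1b6 a3=0 comm="bash" exe="/bin/bash"',
    # cat foo : read-only open
    'type=SYSCALL msg=audit(1152544584.103:43): arch=c000003e syscall=2 '
    'success=yes exit=3 a0=7fff5a40 a1=0 a2=0 a3=0 comm="cat" exe="/bin/cat"',
    # openat(AT_FDCWD, "foo", O_RDWR|O_CLOEXEC)
    'type=SYSCALL msg=audit(1152544584.104:44): arch=c000003e syscall=257 '
    'success=yes exit=4 a0=ffffff9c a1=7fff5a50 a2=80002 a3=0 comm="python" exe="/usr/bin/python"',
    # stat(): not an open, must be ignored
    'type=SYSCALL msg=audit(1152544584.105:45): arch=c000003e syscall=4 '
    'success=yes exit=0 a0=7fff5a60 a1=7fff5a70 a2=0 a3=0 comm="ls" exe="/bin/ls"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split an audit record into key/value pairs, dropping quotes on values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def access_mode(flags):
    return flags & O_ACCMODE


def is_write_open(flags):
    """True if the descriptor can be used to modify the file."""
    return access_mode(flags) in (O_WRONLY, O_RDWR)


def describe_flags(flags):
    """Render a flags value as O_xxx|O_yyy using the tables above."""
    names = [ACCMODE_NAMES.get(access_mode(flags), "O_ACCMODE?")]
    names += [name for bit, name in FLAG_NAMES.items() if flags & bit]
    return "|".join(names)


def classify(lines):
    """Return one summary dict per open()/openat() SYSCALL record."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        slot = FLAGS_ARG.get(int(rec["syscall"]))
        if slot is None:
            continue  # not an open-family syscall
        flags = int(rec[slot], 16)  # audit prints register values in hex
        out.append({
            "syscall": int(rec["syscall"]),
            "comm": rec.get("comm"),
            "flags": describe_flags(flags),
            "write": is_write_open(flags),
            "succeeded": rec.get("success") == "yes",
        })
    return out


def write_flag_values(extra_flags):
    """Every whole-register value a per-value rule set would have to list to
    catch all write-opens built from the given extra flags."""
    values = set()
    bits = list(extra_flags)
    for n in range(len(bits) + 1):
        for combo in itertools.combinations(bits, n):
            extra = sum(combo)
            values.add(O_WRONLY | extra)
            values.add(O_RDWR | extra)
    return sorted(values)


if __name__ == "__main__":
    for entry in classify(SAMPLE_RECORDS):
        print(entry)
    print(len(write_flag_values(FLAG_NAMES)), "distinct values for just these flags")
```

Running the block prints the two write-opens from the shell (one succeeded, one refused), the read-only open from cat, and the O_RDWR openat, while the stat() record is skipped. The last line shows the cost of matching whole register values: with only four extra flags there are already 32 distinct values that contain a write access mode, which is the combinatorial growth Amy's message refers to.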