From: LC Bruzenak
Subject: file watch result help
Date: Sun, 20 Jul 2008 23:01:56 -0500
Message-ID: <1216612916.8213.23.camel@homeserver>
To: Linux Audit
List-Id: linux-audit@redhat.com

Looking for help/advice:

I had a new file (/usr/lib/AuditProxy) I installed via RPM with CAP_AUDIT_WRITE assigned. I noticed after a couple of days it was removed. So I added a file watch and waited. The file got changed, and this was audited; however, I cannot really nail down who/how it got changed as of yet... hopefully someone can either enlighten me on this or else give me a clue on how to install a better watch rule.
I used:

  -w /usr/libexec/AuditProxy -k PROXY

and now that the CAP has been removed I see the following activity (with "ausearch -i -k PROXY"):

type=PATH msg=audit(07/18/2008 04:12:24.677:60925) : item=0 name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=CWD msg=audit(07/18/2008 04:12:24.677:60925) : cwd=/
type=SYSCALL msg=audit(07/18/2008 04:12:24.677:60925) : arch=x86_64 syscall=open success=yes exit=4 a0=2626330 a1=0 a2=0 a3=100 items=1 ppid=29219 pid=29228 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632 comm=prelink exe=/usr/sbin/prelink subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY
----
type=PATH msg=audit(07/18/2008 04:12:24.678:60926) : item=0 name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=CWD msg=audit(07/18/2008 04:12:24.678:60926) : cwd=/
type=SYSCALL msg=audit(07/18/2008 04:12:24.678:60926) : arch=x86_64 syscall=open success=yes exit=3 a0=3e2ba1dc68 a1=0 a2=0 a3=7fff332a1f8b items=1 ppid=29228 pid=29354 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632 comm=ld-linux-x86-64 exe=/lib64/ld-2.8.so subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY
----
type=PATH msg=audit(07/18/2008 04:12:24.811:60927) : item=0 name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=CWD msg=audit(07/18/2008 04:12:24.811:60927) : cwd=/
type=SYSCALL msg=audit(07/18/2008 04:12:24.811:60927) : arch=x86_64 syscall=open success=yes exit=3 a0=2520b90 a1=0 a2=70dc80 a3=24e3880 items=1 ppid=29219 pid=29228 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632 comm=prelink exe=/usr/sbin/prelink subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY
----
type=PATH msg=audit(07/18/2008 04:12:24.811:60928) : item=0 name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=CWD msg=audit(07/18/2008 04:12:24.811:60928) : cwd=/
type=SYSCALL msg=audit(07/18/2008 04:12:24.811:60928) : arch=x86_64 syscall=open success=yes exit=4 a0=3e2ba1dc68 a1=0 a2=0 a3=7fffb5a95f70 items=1 ppid=29228 pid=29358 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632 comm=ld-linux-x86-64 exe=/lib64/ld-2.8.so subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY
----
type=PATH msg=audit(07/18/2008 04:12:24.820:60929) : item=0 name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=CWD msg=audit(07/18/2008 04:12:24.820:60929) : cwd=/
type=SYSCALL msg=audit(07/18/2008 04:12:24.820:60929) : arch=x86_64 syscall=getxattr success=yes exit=27 a0=7fff2d0c1070 a1=4d97e6 a2=26351d0 a3=ff items=1 ppid=29219 pid=29228 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632 comm=prelink exe=/usr/sbin/prelink subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY
----
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=4 name=/usr/libexec/AuditProxy inode=61043 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=3 name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=2 name=/usr/libexec/AuditProxy.#prelink#.BJ0RCF inode=61043 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=1 name=/usr/libexec/ inode=63847 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=0 name=/usr/libexec/ inode=63847 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=CWD msg=audit(07/18/2008 04:12:24.821:60932) : cwd=/
type=SYSCALL msg=audit(07/18/2008 04:12:24.821:60932) : arch=x86_64 syscall=rename success=yes exit=0 a0=7fff2d0c1030 a1=7fff2d0c1070 a2=31 a3=1b items=5 ppid=29219 pid=29228 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632 comm=prelink exe=/usr/sbin/prelink subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY

So the file is getting moved to a temp file and then back (is the prelink doing this?) with the result being that the CAP is erased. Not certain what is doing this in my system. Any clues or instructions on how to narrow the search?

Thx,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com
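The rename record above (event 60932) already answers the "who/how" question: item=3 is the watched name at its old inode 59928, item=4 is the same name at inode 61043, and item=2 shows that inode 61043 was /usr/libexec/AuditProxy.#prelink#.BJ0RCF a moment earlier. prelink (exe=/usr/sbin/prelink, pid 29228, running as auid=root in prelink_t) wrote a new file and renamed it over the original. A file capability is stored in the security.capability extended attribute of the inode, not attached to the name, so when a different inode is moved into place the capability is gone with the old one. The script below is an added example, not part of the post and not audit or prelink project code; it parses `ausearch -i` style records and reports every event in which a watched name was replaced by a different inode or removed, naming the responsible exe, pid, auid and SELinux subject, which is exactly the "narrow the search" step the post asks for. Events 60925 and 60932 in SAMPLE are abridged copies of the post's records; event 70001, an unlink by /bin/rm with pid 4242, is constructed here to show the removal case and did not appear on the poster's system.

```python
import re
import sys

# SAMPLE: `ausearch -i` records. Events 60925 and 60932 are abridged copies of the
# records quoted in the post; event 70001 (an unlink by /bin/rm, pid 4242) is
# constructed for illustration and did not occur on the poster's system.
SAMPLE = """\
type=PATH msg=audit(07/18/2008 04:12:24.677:60925) : item=0 name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755 ouid=root ogid=root obj=system_u:object_r:bin_t:s0
type=CWD msg=audit(07/18/2008 04:12:24.677:60925) : cwd=/
type=SYSCALL msg=audit(07/18/2008 04:12:24.677:60925) : arch=x86_64 syscall=open success=yes exit=4 items=1 ppid=29219 pid=29228 auid=root uid=root tty=(none) ses=632 comm=prelink exe=/usr/sbin/prelink subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY
----
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=4 name=/usr/libexec/AuditProxy inode=61043 dev=fd:00 mode=file,755 ouid=root ogid=root obj=system_u:object_r:bin_t:s0
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=3 name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755 ouid=root ogid=root obj=system_u:object_r:bin_t:s0
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=2 name=/usr/libexec/AuditProxy.#prelink#.BJ0RCF inode=61043 dev=fd:00 mode=file,755 ouid=root ogid=root obj=system_u:object_r:bin_t:s0
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=1 name=/usr/libexec/ inode=63847 dev=fd:00 mode=dir,755 ouid=root ogid=root obj=system_u:object_r:bin_t:s0
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=0 name=/usr/libexec/ inode=63847 dev=fd:00 mode=dir,755 ouid=root ogid=root obj=system_u:object_r:bin_t:s0
type=CWD msg=audit(07/18/2008 04:12:24.821:60932) : cwd=/
type=SYSCALL msg=audit(07/18/2008 04:12:24.821:60932) : arch=x86_64 syscall=rename success=yes exit=0 items=5 ppid=29219 pid=29228 auid=root uid=root tty=(none) ses=632 comm=prelink exe=/usr/sbin/prelink subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY
----
type=PATH msg=audit(07/19/2008 03:00:00.100:70001) : item=1 name=/usr/libexec/AuditProxy inode=61043 dev=fd:00 mode=file,755 ouid=root ogid=root obj=system_u:object_r:bin_t:s0
type=PATH msg=audit(07/19/2008 03:00:00.100:70001) : item=0 name=/usr/libexec/ inode=63847 dev=fd:00 mode=dir,755 ouid=root ogid=root obj=system_u:object_r:bin_t:s0
type=CWD msg=audit(07/19/2008 03:00:00.100:70001) : cwd=/root
type=SYSCALL msg=audit(07/19/2008 03:00:00.100:70001) : arch=x86_64 syscall=unlink success=yes exit=0 items=2 ppid=4200 pid=4242 auid=root uid=root tty=pts0 ses=700 comm=rm exe=/bin/rm subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=PROXY
----
"""

# "type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : ..." -> (PATH, timestamp, serial)
MSG_RE = re.compile(r"^type=(\w+) msg=audit\(([^)]*):(\d+)\) : ")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Syscalls after which the watched name can point at a different inode (replaced)
# or cease to exist (removed).
REPLACING = {"rename", "renameat", "renameat2", "link", "linkat"}
REMOVING = {"unlink", "unlinkat"}


def parse_ausearch(text):
    """Group `ausearch -i` lines into events keyed by audit serial number."""
    events = {}
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if not m:                       # "----" separators and blank lines
            continue
        rtype, stamp, serial = m.groups()
        fields = dict(KV_RE.findall(line[m.end():]))
        ev = events.setdefault(serial, {"serial": serial, "time": stamp,
                                        "syscall": {}, "paths": []})
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "PATH":
            ev["paths"].append(fields)
    return events


def find_changes(events, watched):
    """Return, in serial order, every successful event that replaced or removed `watched`."""
    findings = []
    for serial in sorted(events, key=int):
        ev = events[serial]
        sc = ev["syscall"]
        if sc.get("success") != "yes":
            continue
        hits = sorted((p for p in ev["paths"] if p.get("name") == watched),
                      key=lambda p: int(p["item"]))
        if not hits:
            continue
        who = {"serial": serial, "time": ev["time"], "syscall": sc.get("syscall"),
               "exe": sc.get("exe"), "pid": sc.get("pid"), "auid": sc.get("auid"),
               "subj": sc.get("subj")}
        inodes = [p["inode"] for p in hits]
        if sc.get("syscall") in REPLACING and len(set(inodes)) > 1:
            # For rename the kernel logs the overwritten target before the entry that
            # now sits at the name, so the lowest item is the old object, the highest the new.
            new = inodes[-1]
            source = next((p["name"] for p in ev["paths"]
                           if p.get("inode") == new and p.get("name") != watched), None)
            who.update(kind="replaced", old_inode=inodes[0], new_inode=new, source=source)
            findings.append(who)
        elif sc.get("syscall") in REMOVING:
            who.update(kind="removed", old_inode=inodes[0])
            findings.append(who)
    return findings


def report(findings):
    """One human-readable line per finding."""
    lines = []
    for f in findings:
        if f["kind"] == "replaced":
            lines.append("%s event %s: %s replaced inode %s with %s (moved from %s) pid=%s auid=%s subj=%s"
                         % (f["time"], f["serial"], f["exe"], f["old_inode"], f["new_inode"],
                            f["source"], f["pid"], f["auid"], f["subj"]))
        else:
            lines.append("%s event %s: %s removed inode %s pid=%s auid=%s subj=%s"
                         % (f["time"], f["serial"], f["exe"], f["old_inode"],
                            f["pid"], f["auid"], f["subj"]))
    return lines


if __name__ == "__main__":
    # `ausearch -i -k PROXY | python3 this.py -` reads real output; no argument uses SAMPLE.
    text = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE
    for line in report(find_changes(parse_ausearch(text), "/usr/libexec/AuditProxy")):
        print(line)
```

On the post's data this prints one "replaced" line attributing the change to /usr/sbin/prelink, pid 29228, in prelink_t, with the temp name the new inode came from. The check keys on the inode, not on the name, because that is what the capability follows; plain opens by the same process (events 60925 to 60929) are correctly ignored. Outside the scope of the post: prelink's configuration file (/etc/prelink.conf) accepts `-b` entries to blacklist paths it must not touch, which is the usual way to keep it away from a binary that carries file capabilities.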