public inbox for linux-audit@redhat.com
* file watch result help
@ 2008-07-21  4:01 LC Bruzenak
  2008-07-21  5:16 ` zhangxiliang
  0 siblings, 1 reply; 5+ messages in thread
From: LC Bruzenak @ 2008-07-21  4:01 UTC (permalink / raw)
  To: Linux Audit

Looking for help/advice:

I had a new file (/usr/lib/AuditProxy) I installed via RPM with
CAP_AUDIT_WRITE assigned.
I noticed after a couple of days it was removed.
So I added a file watch and waited.

The file got changed, this was audited, however I cannot really nail down
who/how it got changed as of yet...hopefully someone can either
enlighten me on this or else give me a clue on how to install a better
watch rule.

I used:
-w /usr/libexec/AuditProxy -k PROXY

and now that the CAP has been removed I see the following activity (with
"ausearch -i  -k PROXY"):

type=PATH msg=audit(07/18/2008 04:12:24.677:60925) : item=0
name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 
type=CWD msg=audit(07/18/2008 04:12:24.677:60925) :  cwd=/ 
type=SYSCALL msg=audit(07/18/2008 04:12:24.677:60925) : arch=x86_64
syscall=open success=yes exit=4 a0=2626330 a1=0 a2=0 a3=100 items=1
ppid=29219 pid=29228 auid=root uid=root gid=root euid=root suid=root
fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632
comm=prelink exe=/usr/sbin/prelink
subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY 
----
type=PATH msg=audit(07/18/2008 04:12:24.678:60926) : item=0
name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 
type=CWD msg=audit(07/18/2008 04:12:24.678:60926) :  cwd=/ 
type=SYSCALL msg=audit(07/18/2008 04:12:24.678:60926) : arch=x86_64
syscall=open success=yes exit=3 a0=3e2ba1dc68 a1=0 a2=0 a3=7fff332a1f8b
items=1 ppid=29228 pid=29354 auid=root uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632
comm=ld-linux-x86-64 exe=/lib64/ld-2.8.so
subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY 
----
type=PATH msg=audit(07/18/2008 04:12:24.811:60927) : item=0
name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 
type=CWD msg=audit(07/18/2008 04:12:24.811:60927) :  cwd=/ 
type=SYSCALL msg=audit(07/18/2008 04:12:24.811:60927) : arch=x86_64
syscall=open success=yes exit=3 a0=2520b90 a1=0 a2=70dc80 a3=24e3880
items=1 ppid=29219 pid=29228 auid=root uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632
comm=prelink exe=/usr/sbin/prelink
subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY 
----
type=PATH msg=audit(07/18/2008 04:12:24.811:60928) : item=0
name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 
type=CWD msg=audit(07/18/2008 04:12:24.811:60928) :  cwd=/ 
type=SYSCALL msg=audit(07/18/2008 04:12:24.811:60928) : arch=x86_64
syscall=open success=yes exit=4 a0=3e2ba1dc68 a1=0 a2=0 a3=7fffb5a95f70
items=1 ppid=29228 pid=29358 auid=root uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632
comm=ld-linux-x86-64 exe=/lib64/ld-2.8.so
subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY 
----
type=PATH msg=audit(07/18/2008 04:12:24.820:60929) : item=0
name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 
type=CWD msg=audit(07/18/2008 04:12:24.820:60929) :  cwd=/ 
type=SYSCALL msg=audit(07/18/2008 04:12:24.820:60929) : arch=x86_64
syscall=getxattr success=yes exit=27 a0=7fff2d0c1070 a1=4d97e6
a2=26351d0 a3=ff items=1 ppid=29219 pid=29228 auid=root uid=root
gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
tty=(none) ses=632 comm=prelink exe=/usr/sbin/prelink
subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY 
----
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=4
name=/usr/libexec/AuditProxy inode=61043 dev=fd:00 mode=file,755
ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=3
name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=2
name=/usr/libexec/AuditProxy.#prelink#.BJ0RCF inode=61043 dev=fd:00
mode=file,755 ouid=root ogid=root rdev=00:00
obj=system_u:object_r:bin_t:s0 
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=1
name=/usr/libexec/ inode=63847 dev=fd:00 mode=dir,755 ouid=root
ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=0
name=/usr/libexec/ inode=63847 dev=fd:00 mode=dir,755 ouid=root
ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 
type=CWD msg=audit(07/18/2008 04:12:24.821:60932) :  cwd=/ 
type=SYSCALL msg=audit(07/18/2008 04:12:24.821:60932) : arch=x86_64
syscall=rename success=yes exit=0 a0=7fff2d0c1030 a1=7fff2d0c1070 a2=31
a3=1b items=5 ppid=29219 pid=29228 auid=root uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632
comm=prelink exe=/usr/sbin/prelink
subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY 


So the file is getting moved to a temp file and then back (is
prelink doing this?) with the result being that the CAP is erased.

Not certain what is doing this in my system. 
Any clues or instructions on how to narrow the search?

Thx,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com


* Re: file watch result help
  2008-07-21  4:01 file watch result help LC Bruzenak
@ 2008-07-21  5:16 ` zhangxiliang
  2008-07-21 13:39   ` LC Bruzenak
  0 siblings, 1 reply; 5+ messages in thread
From: zhangxiliang @ 2008-07-21  5:16 UTC (permalink / raw)
  To: LC Bruzenak; +Cc: Linux Audit



LC Bruzenak said the following on 2008-07-21 12:01:
> Looking for help/advice:
> 
> I had a new file (/usr/lib/AuditProxy) I installed via RPM with
> CAP_AUDIT_WRITE assigned.
> I noticed after a couple of days it was removed.
> So I added a file watch and waited.
> 
> The file got changed, this was audited, however I cannot really nail down
> who/how it got changed as of yet...hopefully someone can either
> enlighten me on this or else give me a clue on how to install a better
> watch rule.
> 
> I used:
> -w /usr/libexec/AuditProxy -k PROXY
> 
> and now that the CAP has been removed I see the following activity (with
> "ausearch -i  -k PROXY"):
> 
> type=PATH msg=audit(07/18/2008 04:12:24.677:60925) : item=0
> name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 
> type=CWD msg=audit(07/18/2008 04:12:24.677:60925) :  cwd=/ 
> type=SYSCALL msg=audit(07/18/2008 04:12:24.677:60925) : arch=x86_64
> syscall=open success=yes exit=4 a0=2626330 a1=0 a2=0 a3=100 items=1
> ppid=29219 pid=29228 auid=root uid=root gid=root euid=root suid=root
> fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632
> comm=prelink exe=/usr/sbin/prelink
> subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY 
> ----
> type=PATH msg=audit(07/18/2008 04:12:24.678:60926) : item=0
> name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 
> type=CWD msg=audit(07/18/2008 04:12:24.678:60926) :  cwd=/ 
> type=SYSCALL msg=audit(07/18/2008 04:12:24.678:60926) : arch=x86_64
> syscall=open success=yes exit=3 a0=3e2ba1dc68 a1=0 a2=0 a3=7fff332a1f8b
> items=1 ppid=29228 pid=29354 auid=root uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632
> comm=ld-linux-x86-64 exe=/lib64/ld-2.8.so
> subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY 
> ----
> type=PATH msg=audit(07/18/2008 04:12:24.811:60927) : item=0
> name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 
> type=CWD msg=audit(07/18/2008 04:12:24.811:60927) :  cwd=/ 
> type=SYSCALL msg=audit(07/18/2008 04:12:24.811:60927) : arch=x86_64
> syscall=open success=yes exit=3 a0=2520b90 a1=0 a2=70dc80 a3=24e3880
> items=1 ppid=29219 pid=29228 auid=root uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632
> comm=prelink exe=/usr/sbin/prelink
> subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY 
> ----
> type=PATH msg=audit(07/18/2008 04:12:24.811:60928) : item=0
> name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 
> type=CWD msg=audit(07/18/2008 04:12:24.811:60928) :  cwd=/ 
> type=SYSCALL msg=audit(07/18/2008 04:12:24.811:60928) : arch=x86_64
> syscall=open success=yes exit=4 a0=3e2ba1dc68 a1=0 a2=0 a3=7fffb5a95f70
> items=1 ppid=29228 pid=29358 auid=root uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632
> comm=ld-linux-x86-64 exe=/lib64/ld-2.8.so
> subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY 
> ----
> type=PATH msg=audit(07/18/2008 04:12:24.820:60929) : item=0
> name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 
> type=CWD msg=audit(07/18/2008 04:12:24.820:60929) :  cwd=/ 
> type=SYSCALL msg=audit(07/18/2008 04:12:24.820:60929) : arch=x86_64
> syscall=getxattr success=yes exit=27 a0=7fff2d0c1070 a1=4d97e6
> a2=26351d0 a3=ff items=1 ppid=29219 pid=29228 auid=root uid=root
> gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
> tty=(none) ses=632 comm=prelink exe=/usr/sbin/prelink
> subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY 
> ----
> type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=4
> name=/usr/libexec/AuditProxy inode=61043 dev=fd:00 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 
> type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=3
> name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 
> type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=2
> name=/usr/libexec/AuditProxy.#prelink#.BJ0RCF inode=61043 dev=fd:00
> mode=file,755 ouid=root ogid=root rdev=00:00
> obj=system_u:object_r:bin_t:s0 
> type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=1
> name=/usr/libexec/ inode=63847 dev=fd:00 mode=dir,755 ouid=root
> ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 
> type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=0
> name=/usr/libexec/ inode=63847 dev=fd:00 mode=dir,755 ouid=root
> ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 
> type=CWD msg=audit(07/18/2008 04:12:24.821:60932) :  cwd=/ 
> type=SYSCALL msg=audit(07/18/2008 04:12:24.821:60932) : arch=x86_64
> syscall=rename success=yes exit=0 a0=7fff2d0c1030 a1=7fff2d0c1070 a2=31
> a3=1b items=5 ppid=29219 pid=29228 auid=root uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632
> comm=prelink exe=/usr/sbin/prelink
> subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY 
> 
> 
> So the file is getting moved to a temp file and then back (is
> prelink doing this?) with the result being that the CAP is erased.
> 
> Not certain what is doing this in my system. 
> Any clues or instructions on how to narrow the search?

Could you supply the audit message whose type is "AUDIT_CONFIG_CHANGE" in your result?

> 
> Thx,
> LCB.
> 


* Re: file watch result help
  2008-07-21  5:16 ` zhangxiliang
@ 2008-07-21 13:39   ` LC Bruzenak
  2008-07-21 14:14     ` LC Bruzenak
  2008-07-22  0:58     ` zhangxiliang
  0 siblings, 2 replies; 5+ messages in thread
From: LC Bruzenak @ 2008-07-21 13:39 UTC (permalink / raw)
  To: zhangxiliang; +Cc: Linux Audit

On Mon, 2008-07-21 at 13:16 +0800, zhangxiliang wrote:
> > 
> > So the file is getting moved to a temp file and then back (is
> > prelink doing this?) with the result being that the CAP is erased.
> > 
> > Not certain what is doing this in my system. 
> > Any clues or instructions on how to narrow the search?
> 
> Could you supply the audit message whose type is "AUDIT_CONFIG_CHANGE" in your result?

[root@hugo ~]# ausearch -i  -k AUDIT_CONFIG_CHANGE
<no matches>

Thank you for the reply, however there was no config change after I
installed this file.
The action is happening automatically, since it occurred at 4AM.
I suspect that the prelink cron job is doing this.

LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com


* Re: file watch result help
  2008-07-21 13:39   ` LC Bruzenak
@ 2008-07-21 14:14     ` LC Bruzenak
  2008-07-22  0:58     ` zhangxiliang
  1 sibling, 0 replies; 5+ messages in thread
From: LC Bruzenak @ 2008-07-21 14:14 UTC (permalink / raw)
  To: zhangxiliang; +Cc: Linux Audit


On Mon, 2008-07-21 at 08:39 -0500, LC Bruzenak wrote:
...
> 
> Thank you for the reply, however there was no config change after I
> installed this file.
> The action is happening automatically, since it occurred at 4AM.
> I suspect that the prelink cron job is doing this.

That is definitely the problem - prelink cron job moves file, which
erases the CAP. 
The audit record was adequate in pointing me to the problem.

LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com
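
The rename event quoted in the first message is the whole story, and the conclusion above (prelink's cron job moves the file, which erases the capability) can be read straight off it: in event 60932 the name /usr/libexec/AuditProxy appears twice, once with inode 59928 (item=3, the old target) and once with inode 61043 (item=4, the new target), and the rename source /usr/libexec/AuditProxy.#prelink#.BJ0RCF already carries inode 61043. File capabilities are stored in the security.capability xattr of the inode, so when the name moves to a new inode the capability set on the old one is simply not there any more unless the tool that did the rename copied it. The following is an added example, not code from either poster, that parses records in the format `ausearch -i` prints (one record per line; the mail client wrapped them above), groups them by event serial, and flags any successful rename that left a watched name on a different inode, reporting the comm/exe/pid that did it. It assumes path names without spaces (ausearch quotes those and this parser does not unquote them) and that, for a rename, the PATH item with the higher item number for a given name is the post-rename state of that name. The sample records are constructed by reflowing two events from the first message onto one line per record.

```python
"""Added example: group `ausearch -i` records into events and flag a watched
file being replaced by rename(2), the pattern in event 60932 quoted above.
Not code from the original posts.

Assumptions: one record per line as ausearch prints it; path names without
spaces (ausearch quotes those, this parser does not unquote); for a
successful rename, the PATH item with the higher item number for a given
name is the post-rename state of that name.
"""
import re
from collections import defaultdict

# Constructed sample: two events from the first message, reflowed to one
# record per line. Event 60925 is an ordinary open; 60932 is the rename.
SAMPLE = """\
type=PATH msg=audit(07/18/2008 04:12:24.677:60925) : item=0 name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=CWD msg=audit(07/18/2008 04:12:24.677:60925) :  cwd=/
type=SYSCALL msg=audit(07/18/2008 04:12:24.677:60925) : arch=x86_64 syscall=open success=yes exit=4 a0=2626330 a1=0 a2=0 a3=100 items=1 ppid=29219 pid=29228 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632 comm=prelink exe=/usr/sbin/prelink subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY
----
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=4 name=/usr/libexec/AuditProxy inode=61043 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=3 name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=2 name=/usr/libexec/AuditProxy.#prelink#.BJ0RCF inode=61043 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=1 name=/usr/libexec/ inode=63847 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=0 name=/usr/libexec/ inode=63847 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=CWD msg=audit(07/18/2008 04:12:24.821:60932) :  cwd=/
type=SYSCALL msg=audit(07/18/2008 04:12:24.821:60932) : arch=x86_64 syscall=rename success=yes exit=0 a0=7fff2d0c1030 a1=7fff2d0c1070 a2=31 a3=1b items=5 ppid=29219 pid=29228 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632 comm=prelink exe=/usr/sbin/prelink subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY
"""

# type=TYPE msg=audit(TIME:SERIAL) : key=value ...   (TIME itself contains colons)
RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((.+?):(\d+)\) :\s*(.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Return {serial: {"SYSCALL": fields, "CWD": fields, "PATH": [fields, ...]}}."""
    events = defaultdict(lambda: {"SYSCALL": None, "CWD": None, "PATH": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # '----' separators and record types we do not model
        rtype, when, serial, body = m.groups()
        fields = dict(FIELD_RE.findall(body))
        fields["_time"] = when
        event = events[int(serial)]
        if rtype == "PATH":
            event["PATH"].append(fields)
        else:
            event[rtype] = fields
    return dict(events)


def find_replacements(events, watched):
    """Return one dict per successful rename that left `watched` on a new inode.

    Capabilities are an xattr (security.capability) on the inode, so a name
    that now resolves to a different inode has lost them unless the renaming
    tool copied the xattr across.
    """
    hits = []
    for serial, event in sorted(events.items()):
        sc = event["SYSCALL"]
        if not sc or sc.get("syscall") != "rename" or sc.get("success") != "yes":
            continue
        same_name = sorted((p for p in event["PATH"] if p.get("name") == watched),
                           key=lambda p: int(p.get("item", "0")))
        if len(same_name) < 2 or same_name[0]["inode"] == same_name[-1]["inode"]:
            continue  # not the watched name, or renamed onto itself
        old_inode, new_inode = same_name[0]["inode"], same_name[-1]["inode"]
        # The rename source is the other name that already carried the new inode.
        source = next((p["name"] for p in event["PATH"]
                       if p.get("inode") == new_inode and p.get("name") != watched), None)
        hits.append({
            "serial": serial, "time": sc["_time"],
            "comm": sc.get("comm"), "exe": sc.get("exe"),
            "pid": sc.get("pid"), "ppid": sc.get("ppid"), "auid": sc.get("auid"),
            "old_inode": old_inode, "new_inode": new_inode, "replaced_from": source,
        })
    return hits


if __name__ == "__main__":
    for hit in find_replacements(parse_events(SAMPLE), "/usr/libexec/AuditProxy"):
        print("{time} event {serial}: {exe} (pid {pid}, ppid {ppid}) renamed "
              "{replaced_from} over the watched file; inode {old_inode} -> {new_inode}, "
              "so any security.capability xattr on inode {old_inode} is gone".format(**hit))
```

Feed it the raw `ausearch -i -k PROXY` output instead of SAMPLE and it reports the same one-line verdict for every replacement of the watched binary. Two practical notes on the thread: the CONFIG_CHANGE records asked for above are selected by record type, so the query is `ausearch -m CONFIG_CHANGE` rather than `-k` (a `-k` search looks for a rule key, which is why it returned no matches); and since the audit trail shows it is prelink rewriting the file, keeping the binary out of prelink's reach (a `-b /usr/libexec/AuditProxy` blacklist line in /etc/prelink.conf) and re-applying the capability with setcap, then confirming it with getcap after the next nightly run, is the direct fix.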


* Re: file watch result help
  2008-07-21 13:39   ` LC Bruzenak
  2008-07-21 14:14     ` LC Bruzenak
@ 2008-07-22  0:58     ` zhangxiliang
  1 sibling, 0 replies; 5+ messages in thread
From: zhangxiliang @ 2008-07-22  0:58 UTC (permalink / raw)
  To: LC Bruzenak; +Cc: Linux Audit



LC Bruzenak said the following on 2008-07-21 21:39:
> On Mon, 2008-07-21 at 13:16 +0800, zhangxiliang wrote:
>>> So the file is getting moved to a temp file and then back (is
>>> prelink doing this?) with the result being that the CAP is erased.
>>>
>>> Not certain what is doing this in my system. 
>>> Any clues or instructions on how to narrow the search?
>> Could you supply the audit message whose type is "AUDIT_CONFIG_CHANGE" in your result?
> 
> [root@hugo ~]# ausearch -i  -k AUDIT_CONFIG_CHANGE
> <no matches>
> 
Sorry, "AUDIT_CONFIG_CHANGE" is the name used in the code. In the output it appears as "CONFIG_CHANGE".
Could you supply the audit message whose type is "CONFIG_CHANGE" in your result?

> Thank you for the reply, however there was no config change after I
> installed this file.
> The action is happening automatically, since it occurred at 4AM.
> I suspect that the prelink cron job is doing this.
> 
> LCB.
> 

