* Success or failure?
From: Michael Mather @ 2012-07-22 1:48 UTC (permalink / raw)
To: linux-audit
Hi,
I enter the command "sudo cp qwerty /etc/xxx"
and get the reply: "cp: cannot stat `qwerty': No such file or directory."
A number of log entries are written. The last two are, in part:
type=SYSCALL success=yes
type=EXECVE argc=3 a0="cp" a1="qwerty" a2="/etc/xxx"
My problem is with "success=yes".
What is happening?
Thanks - Michael Mather
-----------------------
* Re: Success or failure?
From: Peter Moody @ 2012-07-22 2:34 UTC (permalink / raw)
To: Michael Mather; +Cc: linux-audit
On Sat, Jul 21, 2012 at 6:48 PM, Michael Mather
<michael.mather@teksavvy.com> wrote:
> Hi,
>
> I enter the command "sudo cp qwerty /etc/xxx"
> and get the reply: "cp: cannot stat `qwerty': No such file or directory."
>
> A number of log entries are written. The last two are, in part:
>
> type=SYSCALL success=yes
> type=EXECVE argc=3 a0="cp" a1="qwerty" a2="/etc/xxx"
>
> My problem is with "success=yes".
What's the actual syscall and what's the actual rule that's triggering the entry?
>
> What is happening?
>
> Thanks - Michael Mather
> -----------------------
>
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
* Re: Success or failure?
From: Giang Nguyen @ 2012-07-22 3:44 UTC (permalink / raw)
To: Michael Mather; +Cc: linux-audit
On Sat, Jul 21, 2012 at 9:48 PM, Michael Mather
<michael.mather@teksavvy.com> wrote:
> Hi,
>
> I enter the command "sudo cp qwerty /etc/xxx"
> and get the reply: "cp: cannot stat `qwerty': No such file or directory."
>
> A number of log entries are written. The last two are, in part:
>
> type=SYSCALL success=yes
> type=EXECVE argc=3 a0="cp" a1="qwerty" a2="/etc/xxx"
>
> My problem is with "success=yes".
>
> What is happening?
Assuming the syscall is execve, then it succeeds because your shell
successfully called execve() to run cp.
Then cp, the program, fails.
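The distinction Giang draws (the SYSCALL record's success= flag describes the execve() call, not what the exec'd program did afterwards) is easy to check by correlating the records of one audit event by their serial number. The following is an added example, not code from the thread or from the audit package. The audit lines are constructed to resemble auditd raw output (pids, timestamps and serials are made up), and the syscall-number table assumes x86_64 (arch=c000003e), where 59 is execve and 4 is stat.

```python
"""Group Linux audit records by event serial and say what success= refers to.

Added example for the linux-audit thread above; not auditd code. The sample
log is constructed: it mimics 'sudo cp qwerty /etc/xxx' where qwerty is missing.
"""
import errno
import os
import re
from collections import defaultdict

# Assumption: x86_64 syscall numbers (arch=c000003e in the SYSCALL record).
SYSCALL_NAMES = {59: "execve", 2: "open", 4: "stat", 257: "openat"}

# Constructed sample records (not a real capture). Event 456 is the shell's
# execve() of cp; event 457 is cp's stat() of the missing source file.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1342918080.123:456): arch=c000003e syscall=59 success=yes exit=0 a0=7fff a1=7fff a2=7fff a3=0 items=2 ppid=2000 pid=2001 auid=1000 uid=0 gid=0 euid=0 comm="cp" exe="/bin/cp" key="exec"
type=EXECVE msg=audit(1342918080.123:456): argc=3 a0="cp" a1="qwerty" a2="/etc/xxx"
type=SYSCALL msg=audit(1342918080.125:457): arch=c000003e syscall=4 success=no exit=-2 a0=7fff a1=7fff a2=0 a3=0 items=1 ppid=2000 pid=2001 auid=1000 uid=0 gid=0 euid=0 comm="cp" exe="/bin/cp" key="access"
type=PATH msg=audit(1342918080.125:457): item=0 name="qwerty" nametype=UNKNOWN
"""

_MSG_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Return {serial: {record_type: {field: value}}}.

    All records of one kernel event share the audit(timestamp:serial) stamp,
    so the SYSCALL, EXECVE and PATH lines of one call land in one dict.
    """
    events = defaultdict(dict)
    for line in text.splitlines():
        m = _MSG_RE.match(line)
        if not m:
            continue  # not an audit record; skip
        fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("rest"))}
        events[int(m.group("serial"))][m.group("type")] = fields
    return dict(events)


def describe_event(event):
    """Explain what the SYSCALL record's success= flag asserts for this event."""
    sc = event.get("SYSCALL")
    if sc is None:
        return "no SYSCALL record"
    nr = int(sc["syscall"])
    name = SYSCALL_NAMES.get(nr, f"syscall#{nr}")
    if sc["success"] == "yes":
        if nr == 59:
            # success=yes on execve means the new image was started; the
            # program's own later failures show up as separate events (if
            # a rule covers them) or in its exit status, not here.
            argv = event.get("EXECVE", {})
            cmd = " ".join(argv.get(f"a{i}", "")
                           for i in range(int(argv.get("argc", 0))))
            return (f"execve succeeded: '{cmd}' was started; audit says "
                    f"nothing here about how it then exited")
        return f"{name} succeeded"
    # On failure the raw exit= field carries the negative errno value.
    code = -int(sc["exit"])
    return f"{name} failed: {errno.errorcode.get(code, code)} ({os.strerror(code)})"


def summarize(text):
    """Return one explanatory line per event, in serial order."""
    events = parse_records(text)
    return [f"{serial}: {describe_event(events[serial])}" for serial in sorted(events)]


if __name__ == "__main__":
    for line in summarize(SAMPLE_AUDIT_LOG):
        print(line)
```

Run against the constructed log, event 456 reports that execve succeeded and cp was started, while event 457 reports the stat() that actually failed with ENOENT. Whether the second event is logged at all depends on having a rule that covers that syscall (for example a watch or a syscall rule keyed on the path), which is why Peter asks what rule produced the entry.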
* Re: Success or failure?
From: yersinia @ 2012-07-22 5:52 UTC (permalink / raw)
To: Michael Mather, linux-audit
From the point of view of the Linux kernel, and of audit, you have
the right to execute cp; you don't get permission denied. So the
result is success.
Best regards
2012/7/22, Michael Mather <michael.mather@teksavvy.com>:
> Hi,
>
> I enter the command "sudo cp qwerty /etc/xxx"
> and get the reply: "cp: cannot stat `qwerty': No such file or directory."
>
> A number of log entries are written. The last two are, in part:
>
> type=SYSCALL success=yes
> type=EXECVE argc=3 a0="cp" a1="qwerty" a2="/etc/xxx"
>
> My problem is with "success=yes".
>
> What is happening?
>
> Thanks - Michael Mather
> -----------------------
>
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>
--
Sent from my mobile device
* Re: Success or failure?
From: Michael Mather @ 2012-07-22 14:18 UTC (permalink / raw)
To: linux-audit
Thanks for the replies.
The problem is that the PCI requirements say:
10.3 Record at least the following audit trail entries for all system
components for each event:
...
10.3.4 Success or failure indication.
I don't know if PCI would accept the notion that this was success.
Michael
-------
On Sun, 2012-07-22 at 07:52 +0200, yersinia wrote:
> From the point of view of the linux kernel, and of the audit, you have
> the right to execute the cp, you don't have permission denied. So the
> result is success.
>
> Best regards
>
> 2012/7/22, Michael Mather <michael.mather@teksavvy.com>:
> > Hi,
> >
> > I enter the command "sudo cp qwerty /etc/xxx"
> > and get the reply: "cp: cannot stat `qwerty': No such file or directory."
> >
> > A number of log entries are written. The last two are, in part:
> >
> > type=SYSCALL success=yes
> > type=EXECVE argc=3 a0="cp" a1="qwerty" a2="/etc/xxx"
> >
> > My problem is with "success=yes".
> >
> > What is happening?
> >
> > Thanks - Michael Mather
> > -----------------------
> >
> >
> >
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
> >
>
* Re: Success or failure?
From: yersinia @ 2012-07-22 17:44 UTC (permalink / raw)
To: Michael Mather, linux-audit
Well, I am pretty sure that PCI DSS could consider this a success.
This is because the standard speaks of "security relevant" events, in
the same vein as the Common Criteria standards do. And some distros
that include the Linux audit subsystem are Common Criteria certified
(check the docs of the audit package; some example configurations for
these standards are included and well documented).
Hope this helps.
Best regards
2012/7/22, Michael Mather <michael.mather@teksavvy.com>:
> Thanks for the replies.
>
> The problem is that the PCI requirements say:
>
> 10.3 Record at least the following audit trail entries for all system
> components for each event:
> ...
> 10.3.4 Success or failure indication.
>
> I don't know if PCI would accept the notion that this was success.
>
> Michael
> -------
>
> On Sun, 2012-07-22 at 07:52 +0200, yersinia wrote:
>> From the point of view of the linux kernel, and of the audit, you have
>> the right to execute the cp, you don't have permission denied. So the
>> result is success.
>>
>> Best regards
>>
>> 2012/7/22, Michael Mather <michael.mather@teksavvy.com>:
>> > Hi,
>> >
>> > I enter the command "sudo cp qwerty /etc/xxx"
>> > and get the reply: "cp: cannot stat `qwerty': No such file or
>> > directory."
>> >
>> > A number of log entries are written. The last two are, in part:
>> >
>> > type=SYSCALL success=yes
>> > type=EXECVE argc=3 a0="cp" a1="qwerty" a2="/etc/xxx"
>> >
>> > My problem is with "success=yes".
>> >
>> > What is happening?
>> >
>> > Thanks - Michael Mather
>> > -----------------------
>> >
>> >
>> >
>> > --
>> > Linux-audit mailing list
>> > Linux-audit@redhat.com
>> > https://www.redhat.com/mailman/listinfo/linux-audit
>> >
>>
>
>
>
--
Sent from my mobile device