* Why there is no PATH record for change file time syscalls ?(utimensat)

From: Lev Olshvang @ 2017-09-06 10:03 UTC
To: linux-audit

[-- Attachment #1: Type: text/html, Size: 415 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
* Re: Why there is no PATH record for change file time syscalls ?(utimensat)

From: Steve Grubb @ 2017-09-07 22:32 UTC
To: linux-audit

On Wednesday, September 6, 2017 6:03:18 AM EDT Lev Olshvang wrote:
> I got only following SYSCALL record in audit log for 'touch -t ' command, no
> CWD, no PATH record

Out of curiosity, what kind of rule were you using?

> type=SYSCALL msg=audit(1503837757.149:266995):
> arch=c000003e syscall=280 success=yes exit=0 a0=0 a1=0 a2=7fffbb26bb10 a3=0
> items=0 ppid=101 pid=102 auid=1000 uid=0 gid=31 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=pts4 ses=1 comm="touch" exe="/bin/touch"
> key="times"

I think you found a problem. I also think the syscall should be added to:

include/asm-generic/audit_change_attr.h

I think this syscall and others have been added since the watch permissions
files were setup.

-Steve
* Re: Why there is no PATH record for change file time syscalls ?(utimensat)

From: Richard Guy Briggs @ 2017-09-08 8:41 UTC
To: Steve Grubb; +Cc: linux-audit

On 2017-09-07 18:32, Steve Grubb wrote:
> On Wednesday, September 6, 2017 6:03:18 AM EDT Lev Olshvang wrote:
> > I got only following SYSCALL record in audit log for 'touch -t ' command, no
> > CWD, no PATH record
>
> Out of curiosity, what kind of rule were you using?
>
> > type=SYSCALL msg=audit(1503837757.149:266995):
> > arch=c000003e syscall=280 success=yes exit=0 a0=0 a1=0 a2=7fffbb26bb10 a3=0
> > items=0 ppid=101 pid=102 auid=1000 uid=0 gid=31 euid=0 suid=0 fsuid=0
> > egid=0 sgid=0 fsgid=0 tty=pts4 ses=1 comm="touch" exe="/bin/touch"
> > key="times"
>
> I think you found a problem. I also think the syscall should be added to:
>
> include/asm-generic/audit_change_attr.h

Steve, my naive addition of utime, utimes, futimesat and utimensat to
include/asm-generic/audit_change_attr.h seems to have made no difference.

> I think this syscall and others have been added since the watch permissions
> files were setup.
>
> -Steve

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
* Re: Why there is no PATH record for change file time syscalls ?(utimensat)

From: Steve Grubb @ 2017-09-08 13:27 UTC
To: Richard Guy Briggs; +Cc: linux-audit

On Friday, September 8, 2017 4:41:47 AM EDT Richard Guy Briggs wrote:
> On 2017-09-07 18:32, Steve Grubb wrote:
> > On Wednesday, September 6, 2017 6:03:18 AM EDT Lev Olshvang wrote:
> > > I got only following SYSCALL record in audit log for 'touch -t '
> > > command, no CWD, no PATH record
> >
> > Out of curiosity, what kind of rule were you using?
> >
> > > type=SYSCALL msg=audit(1503837757.149:266995):
> > > arch=c000003e syscall=280 success=yes exit=0 a0=0 a1=0 a2=7fffbb26bb10
> > > a3=0 items=0 ppid=101 pid=102 auid=1000 uid=0 gid=31 euid=0 suid=0
> > > fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=1 comm="touch"
> > > exe="/bin/touch" key="times"
> >
> > I think you found a problem. I also think the syscall should be added to:
> >
> > include/asm-generic/audit_change_attr.h
>
> Steve, my naive addition of utime, utimes, futimesat and utimensat to
> include/asm-generic/audit_change_attr.h seems to have made no
> difference.

There seems to be 2 problems. 1) the utimensat syscall not getting a path
record, 2) you can't use the -F perms=a because the syscall tables seem to be
way out of date. fchmodat seems to be the last syscall added. There's about 70
new syscalls that need to be looked through and added. This is the easier of
the 2 problems.

-Steve

> > I think this syscall and others have been added since the watch
> > permissions files were setup.
> >
> > -Steve
>
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
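The two problems Steve lists above suggest two practical checks that are not spelled out in the thread: (1) scan an audit log for time-changing SYSCALL events that arrived with no PATH record, and (2) stop depending on a watch with -p a for these calls and name the syscalls explicitly instead. The script below is an added example written for this page, not code from the linux-audit project or from any participant. The sample log is constructed: its first event is the SYSCALL record quoted in the thread, the second is a hypothetical utimensat event that did get CWD and PATH records. The x86_64 syscall numbers (utime=132, utimes=235, futimesat=261, utimensat=280, for arch=c000003e) are the only architecture table included; other arches would need their own. One observation the script also surfaces: in the quoted record a1, the pathname argument, is 0, and utimensat(2) with a NULL pathname operates on dirfd rather than performing a path lookup, which is worth ruling out before concluding a record is missing.

```python
import re
from collections import defaultdict

# Constructed sample log (not from a real system). Event 266995 is the record
# quoted in the thread; event 266996 is a hypothetical one with CWD and PATH.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1503837757.149:266995): arch=c000003e syscall=280 success=yes exit=0 a0=0 a1=0 a2=7fffbb26bb10 a3=0 items=0 ppid=101 pid=102 auid=1000 uid=0 gid=31 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=1 comm="touch" exe="/bin/touch" key="times"
type=SYSCALL msg=audit(1503837760.001:266996): arch=c000003e syscall=280 success=yes exit=0 a0=ffffffffffffff9c a1=7ffd1a2b3c40 a2=7ffd1a2b3c10 a3=0 items=1 ppid=101 pid=103 auid=1000 uid=0 gid=31 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=1 comm="touch" exe="/bin/touch" key="times"
type=CWD msg=audit(1503837760.001:266996): cwd="/tmp"
type=PATH msg=audit(1503837760.001:266996): item=0 name="/tmp/f" inode=1234 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

# x86_64 (arch=c000003e) numbers of the time-changing syscalls named in the thread.
# Assumption: only the x86_64 table is carried here; other arches need their own.
ARCH_X86_64 = "c000003e"
TIME_SYSCALLS_X86_64 = {132: "utime", 235: "utimes", 261: "futimesat", 280: "utimensat"}

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into type, timestamp, serial and a field dict."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {"type": rtype, "ts": ts, "serial": int(serial), "fields": fields}


def group_events(lines):
    """Group records by serial: all records of one event share msg=audit(ts:serial)."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec["serial"]].append(rec)
    return dict(events)


def time_syscall_name(fields):
    """Name of the time-changing syscall, or None if arch/number is not in the table."""
    if fields.get("arch") != ARCH_X86_64:
        return None
    try:
        return TIME_SYSCALLS_X86_64.get(int(fields.get("syscall", ""), 10))
    except ValueError:
        return None


def events_missing_path(events, key=None):
    """Time-changing SYSCALL events that carry no PATH record.

    Each hit also reports items= and whether the pathname argument (a1) was
    NULL; utimensat(2) then acts on dirfd and no path lookup happens at all.
    """
    hits = []
    for serial in sorted(events):
        recs = events[serial]
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if syscall is None:
            continue
        f = syscall["fields"]
        if key is not None and f.get("key") != key:
            continue
        name = time_syscall_name(f)
        if name is None:
            continue
        if any(r["type"] == "PATH" for r in recs):
            continue
        hits.append({
            "serial": serial,
            "syscall": name,
            "items": int(f.get("items", "0")),
            "null_pathname": f.get("a1") == "0",
            "comm": f.get("comm"),
        })
    return hits


def explicit_time_rule(key="times"):
    """auditctl rule naming the time-changing syscalls explicitly, instead of
    relying on a watch with -p a (which, per the thread, may not match them)."""
    names = ",".join(TIME_SYSCALLS_X86_64[n] for n in sorted(TIME_SYSCALLS_X86_64))
    return f"-a always,exit -F arch=b64 -S {names} -F key={key}"


if __name__ == "__main__":
    for hit in events_missing_path(group_events(SAMPLE_LOG.splitlines()), key="times"):
        print(hit)
    print(explicit_time_rule())
```

Run against a real log, feed it the lines of /var/log/audit/audit.log and the key your rule sets; the explicit -S rule is a workaround only for the second problem, since it says nothing about whether the kernel emits a PATH record for a given call.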
* Re: Why there is no PATH record for change file time syscalls ?(utimensat)

From: Richard Guy Briggs @ 2017-09-08 15:15 UTC
To: Steve Grubb; +Cc: linux-audit

On 2017-09-08 09:27, Steve Grubb wrote:
> On Friday, September 8, 2017 4:41:47 AM EDT Richard Guy Briggs wrote:
> > On 2017-09-07 18:32, Steve Grubb wrote:
> > > On Wednesday, September 6, 2017 6:03:18 AM EDT Lev Olshvang wrote:
> > > > I got only following SYSCALL record in audit log for 'touch -t '
> > > > command, no CWD, no PATH record
> > >
> > > Out of curiosity, what kind of rule were you using?
> > >
> > > > type=SYSCALL msg=audit(1503837757.149:266995):
> > > > arch=c000003e syscall=280 success=yes exit=0 a0=0 a1=0 a2=7fffbb26bb10
> > > > a3=0 items=0 ppid=101 pid=102 auid=1000 uid=0 gid=31 euid=0 suid=0
> > > > fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=1 comm="touch"
> > > > exe="/bin/touch" key="times"
> > >
> > > I think you found a problem. I also think the syscall should be added to:
> > >
> > > include/asm-generic/audit_change_attr.h
> >
> > Steve, my naive addition of utime, utimes, futimesat and utimensat to
> > include/asm-generic/audit_change_attr.h seems to have made no
> > difference.
>
> There seems to be 2 problems. 1) the utimensat syscall not getting a path
> record, 2) you can't use the -F perms=a because the syscall tables seem to be
> way out of date. fchmodat seems to be the last syscall added. There's about 70
> new syscalls that need to be looked through and added. This is the easier of
> the 2 problems.

Ok, please file a github audit kernel issue with as much detail as you can.
This appears to be an upstream issue.

> -Steve
>
> > > I think this syscall and others have been added since the watch
> > > permissions files were setup.
> > >
> > > -Steve
> >
> > - RGB

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
* Re: Why there is no PATH record for change file time syscalls ?(utimensat)

From: Steve Grubb @ 2017-09-08 15:38 UTC
To: linux-audit

On Thursday, September 7, 2017 6:32:39 PM EDT Steve Grubb wrote:
> On Wednesday, September 6, 2017 6:03:18 AM EDT Lev Olshvang wrote:
> > I got only following SYSCALL record in audit log for 'touch -t ' command,
> > no CWD, no PATH record
>
> Out of curiosity, what kind of rule were you using?

Also, which kernel are you seeing this on? I get full reporting on 4.11.12

-Steve

> > type=SYSCALL msg=audit(1503837757.149:266995):
> > arch=c000003e syscall=280 success=yes exit=0 a0=0 a1=0 a2=7fffbb26bb10
> > a3=0
> > items=0 ppid=101 pid=102 auid=1000 uid=0 gid=31 euid=0 suid=0 fsuid=0
> > egid=0 sgid=0 fsgid=0 tty=pts4 ses=1 comm="touch" exe="/bin/touch"
> > key="times"
>
> I think you found a problem. I also think the syscall should be added to:
>
> include/asm-generic/audit_change_attr.h
>
> I think this syscall and others have been added since the watch permissions
> files were setup.
>
> -Steve