From: Amy Griffis <amy.griffis@hp.com>
To: Robert Giles <rgiles@arlut.utexas.edu>
Cc: linux-audit@redhat.com
Subject: Re: Logging failed open() calls on /var/log/audit/audit.log
Date: Tue, 27 Jun 2006 17:15:53 -0400 [thread overview]
Message-ID: <20060627211553.GA11601@zk3.dec.com> (raw)
In-Reply-To: <Pine.CYG.4.64.0606271524300.1744@ninja>
Hi Robert,
Robert Giles wrote: [Tue Jun 27 2006, 04:43:10PM EDT]
> Howdy folks - I'm running audit-1.2.2 with the latest audit-current git
> tree (lspp.b20)...
>
> The filesystem auditing seems to be working fine for all files *except*
> the audit.log file.
>
> For example, I do this:
> auditctl -w /etc/shadow
> auditctl -w /var/log/audit/audit.log
>
> The audit daemon generates audit events for both successful and failed
> open() calls to /etc/shadow, but only records *successful* accesses to
> /var/log/audit/audit.log.
>
> So if I attempt to access /etc/shadow as a regular user, a "success=no"
> audit event is generated to indicate read failure - but if a regular user
> attempts to read /var/log/audit/audit.log, nothing happens (no audit event
> whatsoever is created).
This is because the regular doesn't have permissions to read
/var/log/audit. Since the path didn't fully resolve to
/var/log/audit/audit.log, the user didn't actually fail to access
audit.log, they failed to access /var/log/audit.
If you would like to see a record in this case, you must add a watch
for /var/log/audit.
> *Successful* reads of /var/log/audit/audit.log (ie: as super-user) do
> indeed generate the appropriate audit event in audit.log ("success=yes").
>
> Is this the way the audit daemon is supposed to work? (some kind of race
> condition if the audit daemon fully audits its own audit trail?)
>
> (this question may seem unusual, but we're trying to audit "unsuccessful
> attempts to access security-relevant objects"... the audit trail itself
> constitutes a "security-relevant object").
>
> Thanks again!
Hope this helps.
Amy
next prev parent reply other threads:[~2006-06-27 21:16 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-06-27 20:43 Logging failed open() calls on /var/log/audit/audit.log Robert Giles
2006-06-27 21:15 ` Amy Griffis [this message]
2006-06-27 21:21 ` Steve Grubb
2006-06-27 21:32 ` Timothy R. Chavez
2006-06-27 23:10 ` Amy Griffis
2006-06-27 21:32 ` Amy Griffis
2006-06-27 21:36 ` Linda Knippers
2006-06-27 22:03 ` Alexander Viro
2006-06-27 22:16 ` Linda Knippers
2006-06-29 16:34 ` Klaus Weidner
2006-06-29 18:04 ` LC Bruzenak
2006-06-29 18:12 ` Robert Giles
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060627211553.GA11601@zk3.dec.com \
--to=amy.griffis@hp.com \
--cc=linux-audit@redhat.com \
--cc=rgiles@arlut.utexas.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox