From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: "Todd, Charles" <CTODD@ball.com>
Subject: Re: close(2) not being audited?
Date: Sat, 30 Dec 2006 09:36:05 -0500 [thread overview]
Message-ID: <200612300936.05707.sgrubb@redhat.com> (raw)
In-Reply-To: <C482FF98AE985A47B8C982FD429C9E3401370D58@daytonmsg2k3.AERO.BALL.COM>
On Thursday 28 December 2006 16:58, Todd, Charles wrote:
> NISPOM 8-602 requires that CLOSE operations on security-relevant objects be
> logged. Well, I've got logging for OPEN on security-relevant objects (with
> the watches) working VERY well (yeah!!!). The default CAPP.rules file had
> nothing about close(2),
CAPP says nothing about this syscall other than the ability to audit it. Which
you can get with "auditctl -a entry,always -S close", which admittedly is
overkill.
> so just to test it, I ran:
> auditctl -a entry,possible -S close
> and then as a normal user typed: cat /etc/group (which is a
> security-relevant object that I have permission to open, and thus
> eventually close)
I'd want to see the accompanying watch for that file.
> However, when I review the audit files, nothing is logged.
Hmm.
> If I change the "entry,possible" to "entry,always" then lots of stuff gets
> logged, but not my actual opening of the /etc/group file.
This would log all close system calls - even socket closes.
> There is only one other thing that could be a configuration issue:
> "auditctl -l |grep /etc/group" reveals an additional "perm=wa" field
> that is set by the -p option in CAPP.rules, but even if root writes to
> one of the watched files, close(2) is still not logged.
I think that open is called with either read and/or write flag set. This is
how it picks up an event for open. However, close is neither read nor write.
> Do I have a configuration problem or is something deeper going on?
Probably something deeper. I'd say you should open a support request so that
it gets fixed.
I think we'd also want to verify this for the current upstream kernels to make
sure kernel.org kernels havethis solved. FC6 is probably new enough to test
for that purpose.
-Steve
next prev parent reply other threads:[~2006-12-30 14:36 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-12-28 21:58 close(2) not being audited? Todd, Charles
2006-12-30 14:36 ` Steve Grubb [this message]
2007-01-26 17:37 ` Steve Grubb
2007-01-26 18:03 ` John D. Ramsdell
2007-01-26 20:14 ` Wieprecht, Karen M.
2007-01-26 22:19 ` Alexander Viro
2007-01-26 23:00 ` Timothy R. Chavez
2007-01-26 23:01 ` Timothy R. Chavez
2007-01-26 23:20 ` Alexander Viro
2007-01-26 23:46 ` Timothy R. Chavez
2007-01-28 21:40 ` James Antill
2007-01-29 20:19 ` Timothy R. Chavez
2007-01-26 23:29 ` Alexander Viro
2007-01-27 0:03 ` Timothy R. Chavez
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200612300936.05707.sgrubb@redhat.com \
--to=sgrubb@redhat.com \
--cc=CTODD@ball.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox