public inbox for linux-audit@redhat.com
* A question about the directory watch in audit_tree.c in kernel
@ 2008-05-20  1:11 zhangxiliang
  2008-05-20 12:06 ` Kevin Boyce
From: zhangxiliang @ 2008-05-20  1:11 UTC (permalink / raw)
  To: 'Steve Grubb', dwmw2; +Cc: linux-audit

Hi,
        When I use "auditctl -w /home" to watch a directory, nothing about
the directory change is output.

        I found the audit tree "handle_event" in audit_tree.c in the kernel. It
is implemented as follows:

static void handle_event(struct inotify_watch *watch, u32 wd, u32 mask,
                         u32 cookie, const char *dname, struct inode *inode)
{
	struct audit_chunk *chunk = container_of(watch, struct audit_chunk, watch);

	if (mask & IN_IGNORED) {
		evict_chunk(chunk);
		put_inotify_watch(watch);
	}
}

        In "handle_event", the mask can be "IN_MOVED_FROM", "IN_MOVED_TO",
"IN_DELETE_SELF", "IN_IGNORED" and so on.
        Why does it only deal with the mask "IN_IGNORED" and ignore the other
masks?

--
Regards
Zhang Xiliang
--------------------------------------------------
Zhang Xiliang
Development Dept.I
Nanjing Fujitsu Nanda Software Tech. Co., Ltd.(FNST) 8/F., Civil Defense 
Building, No.189 Guangzhou Road, Nanjing, 210029, China
TEL: +86+25-86630566-838
COINS: 79955-838
FAX: +86+25-83317685
MAIL: zhangxiliang@cn.fujitsu.com
--------------------------------------------------
This communication is for use by the intended recipient(s) only and may 
contain information that is privileged, confidential and exempt from 
disclosure under applicable law. If you are not an intended recipient of this 
communication, you are hereby notified that any dissemination, distribution or 
copying hereof is strictly prohibited.  If you have received this 
communication in error, please notify me by reply e-mail, permanently delete 
this communication from your system, and destroy any hard copies you may have 
printed.


* Re: A question about the directory watch in audit_tree.c in kernel
  2008-05-20  1:11 A question about the directory watch in audit_tree.c in kernel zhangxiliang
@ 2008-05-20 12:06 ` Kevin Boyce
  2008-05-20 12:41   ` Steve Grubb
  2008-05-21  1:47   ` zhangxiliang
From: Kevin Boyce @ 2008-05-20 12:06 UTC (permalink / raw)
  To: zhangxiliang; +Cc: dwmw2, linux-audit



Correct me if I am wrong, but in doing the auditctl -w /home, the only
thing that is being audited is the inode entry for the directory itself.
You need to construct an explicit list of each file you want to watch.
You can do this rather easily with a combination of find and awk.

Regards.
Kevin






* Re: A question about the directory watch in audit_tree.c in kernel
  2008-05-20 12:06 ` Kevin Boyce
@ 2008-05-20 12:41   ` Steve Grubb
  2008-05-21  1:47   ` zhangxiliang
From: Steve Grubb @ 2008-05-20 12:41 UTC (permalink / raw)
  To: kevin.boyce; +Cc: linux-audit, dwmw2

On Tuesday 20 May 2008 08:06:12 am Kevin Boyce wrote:
> Correct me if I am wrong, but in doing the auditctl -w /home, the only
> thing that is being audited is the inode entry for the directory itself.

Not in new kernels. I think starting in 2.6.24 we have the ability to 
recursively audit to the bottom of a given directory tree.

-Steve


* RE: A question about the directory watch in audit_tree.c in kernel
  2008-05-20 12:06 ` Kevin Boyce
  2008-05-20 12:41   ` Steve Grubb
@ 2008-05-21  1:47   ` zhangxiliang
  2008-05-21 15:03     ` Steve Grubb
From: zhangxiliang @ 2008-05-21  1:47 UTC (permalink / raw)
  To: kevin.boyce; +Cc: dwmw2, linux-audit

Sorry, I think I may not have expressed my idea correctly. An example follows:
1. mkdir test
2. touch test.c
3. auditctl -w /home/test -k 11
4. auditctl -w /home/test.c -k 11

The audit-log as follows:

node=mydomain type=CONFIG_CHANGE msg=audit(1211331237.488:307618): auid=0 
subj=root:system_r:auditctl_t:s0-s0:c0.c1023 op=add rule key="11" list=4 res=1
node=mydomain type=CONFIG_CHANGE msg=audit(1211331242.045:307619): auid=0 
subj=root:system_r:auditctl_t:s0-s0:c0.c1023 op=add rule key="11" list=4 res=1

==============> records the add-rule operation

node=mydomain type=SYSCALL msg=audit(1211331247.517:307620): arch=40000003 
syscall=38 success=yes exit=0 a0=bf974b80 a1=bf974b85 a2=805a8fc a3=bf974b85 
items=4 ppid=19616 pid=19895 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=pts3 ses=2689 comm="mv" exe="/bin/mv" 
subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="11"
node=mydomain type=CWD msg=audit(1211331247.517:307620):  cwd="/home"
node=mydomain type=PATH msg=audit(1211331247.517:307620): item=0  name="/home" 
inode=1532577 dev=03:06 mode=040755 ouid=0 ogid=0 rdev=00:00 
obj=system_u:object_r:home_root_t:s0
node=mydomain type=PATH msg=audit(1211331247.517:307620): item=1  name="/home" 
inode=1532577 dev=03:06 mode=040755 ouid=0 ogid=0 rdev=00:00 
obj=system_u:object_r:home_root_t:s0
node=mydomain type=PATH msg=audit(1211331247.517:307620): item=2 name="test" 
inode=1535099 dev=03:06 mode=040755 ouid=0 ogid=0 rdev=00:00 
obj=root:object_r:user_home_dir_t:s0
node=mydomain type=PATH msg=audit(1211331247.517:307620): item=3 name="test1" 
inode=1535099 dev=03:06 mode=040755 ouid=0 ogid=0 rdev=00:00 
obj=root:object_r:user_home_dir_t:s0

===============> records the directory change (the information is supplied by
the kernel function "audit_syscall_exit")

node=mydomain type=CONFIG_CHANGE msg=audit(1211331254.160:307621): op=updated 
rules specifying path="/home/test.c" with dev=4294967295 ino=4294967295 
list=778332531 res=1
node=mydomain type=SYSCALL msg=audit(1211331254.160:307622): arch=40000003 
syscall=38 success=yes exit=0 a0=bff86b7c a1=bff86b83 a2=805a8fc a3=0 items=4 
ppid=19616 pid=19897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts3 ses=2689 comm="mv" exe="/bin/mv" 
subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="11"

===============> records the changed status of the files (the information is
supplied by the kernel inotify hook function "fsnotify_move")

node=mydomain type=CWD msg=audit(1211331254.160:307622):  cwd="/home"
node=mydomain type=PATH msg=audit(1211331254.160:307622): item=0  name="/home" 
inode=1532577 dev=03:06 mode=040755 ouid=0 ogid=0 rdev=00:00 
obj=system_u:object_r:home_root_t:s0
node=mydomain type=PATH msg=audit(1211331254.160:307622): item=1  name="/home" 
inode=1532577 dev=03:06 mode=040755 ouid=0 ogid=0 rdev=00:00 
obj=system_u:object_r:home_root_t:s0
node=mydomain type=PATH msg=audit(1211331254.160:307622): item=2 name="test.c" 
inode=1535101 dev=03:06 mode=0100644 ouid=0 ogid=0 rdev=00:00 
obj=root:object_r:home_root_t:s0
node=mydomain type=PATH msg=audit(1211331254.160:307622): item=3 
name="test1.c" inode=1535101 dev=03:06 mode=0100644 ouid=0 ogid=0 rdev=00:00 
obj=root:object_r:home_root_t:s0

=================> records the file change (the information is supplied by the
kernel function "audit_syscall_exit")

My question is: why is no information output by the kernel hook function when
watching the directory? (There is only some information from
"audit_syscall_exit".)

Correct me if I am wrong, but I think that when watching a directory, kernel
audit could also supply more information through the kernel hook function, as
the audit file watch and inotify_user do.

Compare the kernel code for the file watch and the directory watch:

in auditfilter.c:
/* Update watch data in audit rules based on inotify events. */
void audit_handle_ievent(struct inotify_watch *i_watch, u32 wd, u32 mask,
			 u32 cookie, const char *dname, struct inode *inode)
{
	struct audit_parent *parent;

	parent = container_of(i_watch, struct audit_parent, wdata);

	if (mask & (IN_CREATE|IN_MOVED_TO) && inode)
		audit_update_watch(parent, dname, inode->i_sb->s_dev,
				   inode->i_ino, 0);
	else if (mask & (IN_DELETE|IN_MOVED_FROM))
		audit_update_watch(parent, dname, (dev_t)-1, (unsigned long)-1, 1);
	/* inotify automatically removes the watch and sends IN_IGNORED */
	else if (mask & (IN_DELETE_SELF|IN_UNMOUNT))
		audit_remove_parent_watches(parent);
	/* inotify does not remove the watch, so remove it manually */
	else if(mask & IN_MOVE_SELF) {
		audit_remove_parent_watches(parent);
		inotify_remove_watch_locked(audit_ih, i_watch);
	} else if (mask & IN_IGNORED)
		put_inotify_watch(i_watch);
}

in audit_tree.c:
static void handle_event(struct inotify_watch *watch, u32 wd, u32 mask,
                         u32 cookie, const char *dname, struct inode *inode)
{
	struct audit_chunk *chunk = container_of(watch, struct audit_chunk, watch);

	if (mask & IN_IGNORED) {
		evict_chunk(chunk);
		put_inotify_watch(watch);
	}
}

I can see that "handle_event" in audit_tree.c has no code at all for the masks
"IN_CREATE, IN_MOVED_TO, IN_DELETE, IN_MOVED_FROM, IN_DELETE_SELF, IN_UNMOUNT,
IN_MOVE_SELF".
So no information is output by the kernel hook function when watching a
directory.


--
Regards
Zhang Xiliang




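The records in the message above, parsed as an added example (this is not code from the thread or from the audit project): a small Python parser that groups audit records by serial number and, for the i386 rename(2) event (arch=40000003, syscall=38), reports which object was renamed from what to what, resolving relative names against the CWD record. The sample input is the thread's own records for serial 307622, rejoined onto one line per record as auditd writes them; the item convention used here (items 2 and 3 of a rename carry the old and new names, items 0 and 1 their parent directories) is an assumption matched against those records.

```python
import os
import re
from collections import defaultdict

# Sample input: the SYSCALL/CWD/PATH records for serial 307622 from the message
# above (the "mv test.c test1.c" event), one record per line as auditd writes them.
SAMPLE_RECORDS = """\
node=mydomain type=SYSCALL msg=audit(1211331254.160:307622): arch=40000003 syscall=38 success=yes exit=0 a0=bff86b7c a1=bff86b83 a2=805a8fc a3=0 items=4 ppid=19616 pid=19897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=2689 comm="mv" exe="/bin/mv" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="11"
node=mydomain type=CWD msg=audit(1211331254.160:307622):  cwd="/home"
node=mydomain type=PATH msg=audit(1211331254.160:307622): item=0  name="/home" inode=1532577 dev=03:06 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:home_root_t:s0
node=mydomain type=PATH msg=audit(1211331254.160:307622): item=1  name="/home" inode=1532577 dev=03:06 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:home_root_t:s0
node=mydomain type=PATH msg=audit(1211331254.160:307622): item=2 name="test.c" inode=1535101 dev=03:06 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:home_root_t:s0
node=mydomain type=PATH msg=audit(1211331254.160:307622): item=3 name="test1.c" inode=1535101 dev=03:06 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:home_root_t:s0
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

# i386 (arch=40000003) syscall number 38 is rename(2); the records above are 32-bit x86.
I386_RENAME = ("40000003", "38")


def parse_record(line):
    """Split one audit record into a dict; msg=audit(TIME:SERIAL) becomes time/serial."""
    fields = {}
    for name, value in FIELD_RE.findall(line):
        if name == "msg":
            m = MSG_RE.search(value)
            if m is None:
                raise ValueError(f"malformed msg field: {value}")
            fields["time"] = m.group(1)
            fields["serial"] = int(m.group(2))
        else:
            fields[name] = value.strip('"')
    return fields


def group_events(text):
    """Group records by serial number: every record of one event shares it."""
    events = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["serial"]].append(rec)
    return dict(events)


def summarize_rename(records):
    """Return who renamed what to what, or None if the event is not an i386 rename."""
    syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
    if syscall is None or (syscall["arch"], syscall["syscall"]) != I386_RENAME:
        return None
    cwd = next((r["cwd"] for r in records if r["type"] == "CWD"), "/")
    paths = sorted((r for r in records if r["type"] == "PATH"),
                   key=lambda r: int(r["item"]))
    if len(paths) != int(syscall["items"]):
        raise ValueError("incomplete event: PATH records missing")

    def resolve(name):
        # PATH names are relative to the CWD record unless absolute.
        return name if name.startswith("/") else os.path.join(cwd, name)

    # Assumed rename layout: items 0/1 are the parent directories, items 2/3
    # the old and new names of the renamed object.
    old, new = paths[2], paths[3]
    return {
        "key": syscall.get("key"),
        "comm": syscall["comm"],
        "auid": syscall["auid"],
        "success": syscall["success"] == "yes",
        "old": resolve(old["name"]),
        "new": resolve(new["name"]),
        # The same inode under both names confirms a single object was moved.
        "same_inode": old["inode"] == new["inode"],
    }


if __name__ == "__main__":
    for serial, recs in group_events(SAMPLE_RECORDS).items():
        print(serial, summarize_rename(recs))
```

Grouping by serial is what ties the SYSCALL, CWD and PATH records of one event together; the check that the inode is unchanged across items 2 and 3 is the detail worth keeping when a rule key fires on a rename, since it distinguishes a move of an existing object from the creation of a new one.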


* Re: A question about the directory watch in audit_tree.c in kernel
  2008-05-21  1:47   ` zhangxiliang
@ 2008-05-21 15:03     ` Steve Grubb
  2008-05-22 12:28       ` LC Bruzenak
From: Steve Grubb @ 2008-05-21 15:03 UTC (permalink / raw)
  To: zhangxiliang; +Cc: linux-audit

On Tuesday 20 May 2008 21:47:59 zhangxiliang wrote:
> Sorry, I think my idea may be not express correctly. A example as follows:
> 1, mkdir test
> 2, touch test.c
> 3, auditctl -w /home/test -k 11
> 4, auditctl -w /home/test.c -k 11

And then what did you do to create these records?


> My question is why no information will be output by kernel hook funtion?

What is missing? I can't tell what commands you run and what you expected to 
be output by the kernel.


> Correct me if I am wrong, I think when watch a directory, kernel-audit can
> also supply more information by kernel hook funtion

What other information do you need?

Also, note that -w rules are legacy for compatibility with RHEL4 kernel. They 
are used to express simple ideas like watch this file or directory subtree. 
If you want tight control over what you are auditing, you should use the 
syscall audit format where you can express more details about what you wanted 
to trigger on. IOW, you can express that you want changes to a directory 
itself rather than the files in the directory.

-Steve


* Re: A question about the directory watch in audit_tree.c in kernel
  2008-05-21 15:03     ` Steve Grubb
@ 2008-05-22 12:28       ` LC Bruzenak
  2008-05-22 13:09         ` Steve Grubb
From: LC Bruzenak @ 2008-05-22 12:28 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit


On Wed, 2008-05-21 at 11:03 -0400, Steve Grubb wrote:
...
> 
> Also, note that -w rules are legacy for compatibility with RHEL4 kernel. They 
> are used to express simple ideas like watch this file or directory subtree. 
> If you want tight control over what you are auditing, you should use the 
> syscall audit format where you can express more details about what you wanted 
> to trigger on. IOW, you can express that you want changes to a directory 
> itself rather than the files in the directory.
> 
> -Steve

Steve, do any of the syscall directory watches recursively audit to the
bottom of a given directory tree?

I had kept many "-w" fields in place b/c the man page says they do not
impact performance based on the number of rules, and I wanted the full
subtree covered. 
Should I look to changing these watches to specific syscall watches in
order to not get "legacied out" at some point?

Thx,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com


* Re: A question about the directory watch in audit_tree.c in kernel
  2008-05-22 12:28       ` LC Bruzenak
@ 2008-05-22 13:09         ` Steve Grubb
From: Steve Grubb @ 2008-05-22 13:09 UTC (permalink / raw)
  To: LC Bruzenak; +Cc: linux-audit

On Thursday 22 May 2008 08:28:13 LC Bruzenak wrote:
> Steve, do any of the syscall directory watches recursively audit to the
> bottom of a given directory tree?

Yes, any watch on a directory does. auditctl does the following 
transformations:

-w /etc -p wa

becomes:

-a always,exit -F dir=/etc -F perm=wa

while

-w /etc/shadow -p wa

becomes:

-a always,exit -F path=/etc/shadow -F perm=wa

It's not necessary to have -S as the perm field selects the appropriate 
syscalls based on the permissions you are interested in.


> I had kept many "-w" fields in place b/c the man page says they do not
> impact performance based on the number of rules, and I wanted the full
> subtree covered.

They are in fact transformed into the above which is the new API. The -w form 
is easier to write, but if you wanted to do something special like only see 
writes to a file caused by a certain range of auids or failures, then you 
have to use the new form of the rule.

-a always,exit -F path=/etc/shadow -F perm=wa -F exit=-EACCES -F auid>=500

> Should look to changing these watches to specific syscall watches in
> order to not get "legacied out" at some point?

No, they are the same thing. You only need to change if you wanted to do 
something extra.

-Steve
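The rewrite described above, carried out as an added example (not code from auditctl or from this thread): a Python function that turns an auditctl "-w PATH [-p PERMS] [-k KEY]" rule into the "-a always,exit -F dir=|path= -F perm= [-F key=]" form. Two things are assumptions rather than facts from the message: the dir/path choice is made by a caller-supplied `is_dir` predicate (defaulting to `os.path.isdir`, on the assumption that auditctl decides by looking at the path when the rule is added), and a rule without -p is treated as all four permissions, "rwxa".

```python
import os
import shlex

VALID_PERMS = set("rwxa")


def watch_to_syscall_rule(rule, is_dir=os.path.isdir):
    """Rewrite '-w PATH [-p PERMS] [-k KEY]' into the syscall-rule form.

    A directory becomes '-F dir=PATH' (the recursive subtree watch), a file
    becomes '-F path=PATH'. The perm field selects the syscalls, so no -S is
    emitted. Raises ValueError on malformed input instead of guessing.
    """
    argv = shlex.split(rule)
    path = perms = key = None
    i = 0
    while i < len(argv):
        flag = argv[i]
        if flag not in ("-w", "-p", "-k"):
            raise ValueError(f"unexpected token {flag!r} in watch rule")
        if i + 1 >= len(argv):
            raise ValueError(f"{flag} needs an argument")
        value = argv[i + 1]
        if flag == "-w":
            path = value
        elif flag == "-p":
            perms = value
        else:
            key = value
        i += 2

    if path is None:
        raise ValueError("watch rule needs -w PATH")
    if perms is None:
        perms = "rwxa"  # assumption: a missing -p means all four permissions
    if not perms or set(perms) - VALID_PERMS:
        raise ValueError(f"bad -p value {perms!r}: only r, w, x, a are allowed")

    # Assumption: auditctl decides dir= vs path= by examining the path itself.
    selector = "dir" if is_dir(path) else "path"
    out = f"-a always,exit -F {selector}={path} -F perm={perms}"
    if key is not None:
        out += f" -F key={key}"
    return out


if __name__ == "__main__":
    # The two rules from the message, with the dir/path decision fixed so the
    # output does not depend on the filesystem this runs on.
    print(watch_to_syscall_rule("-w /etc -p wa", is_dir=lambda p: True))
    print(watch_to_syscall_rule("-w /etc/shadow -p wa", is_dir=lambda p: False))
```

Passing `is_dir` explicitly is what makes the function testable offline; in use, the default `os.path.isdir` applies, and a path that does not exist yet falls to `path=`, which is the case to double-check before loading a rule set.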

