From: Steve Grubb <sgrubb@redhat.com>
To: "Call, Tom H" <tom.h.call@lmco.com>
Cc: "Walker, Patrick B" <patrick.b.walker@lmco.com>,
"linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: Re: Auditing failures for files in protected directories - Lockheed Martin Proprietary/Export Controlled Information
Date: Mon, 18 Apr 2011 14:29:21 -0400 [thread overview]
Message-ID: <201104181429.21743.sgrubb@redhat.com> (raw)
In-Reply-To: <F0F062E07030F74BAA49473944E7C8368E6A1583@HVXMSPB.us.lmco.com>
On Monday, April 18, 2011 02:09:02 PM Call, Tom H wrote:
> Hi, we have what I think is a new but undesirable result trying to audit
> access failures on files in a NISPOM audit configuration. We are not
> seeing audit events for the access failures if the file has a parent
> directory in the path that blocks access.
This is by design. The problem is in path resolution if its blocked by a permission
check, then the path name was never fully resolved. Therefore an access attempt never
really occurred. This is because the path name does not exist as a string inside the
kernel. A watch is converted into the inode's number and that is what is watched. I
think it is possible to place a watch on the directory and then see the failed access
of that directory.
But I did manage to get a bug filed that should help this in the future:
https://bugzilla.redhat.com/show_bug.cgi?id=661402
-Steve
> Example:
> Directory Permission
> /var 755
> /var/test 755
> /var/test/bin 700
> /var/test/bin/file 740
>
> If an unprivileged user attempts to change /var/test/bin/file there is no
> audit event recorded, either for the file or the parent directory
> /var/test/bin. Our theory is that the failure to open the /var/test/bin
> directory causes the audit path to be broken, or something to the like,
> please excuse my terminology faux pas. This is happening on the following
> configuration:
>
> - Kernel - 2.6.18-238.5.1.el5
>
> - Auditd - 1.7.18-2.el5
>
> We have tried the following auditd rules (among others), no change in
> result:
>
> - -w /var/test/bin/file -p rwxa
>
> - -a exit,always -S open -F path=/var/test/bin/file -F success=0
>
> - -a exit,always -S open -R dir=/var/test/ -F success=0
>
> And, this is something New, we have been using watches to audit this file
> for years with previous kernel and auditd versions, such as:
>
> - Kernel - 2.6.9-100.ELsmp
>
> - Auditd - 1.0.16-4.el4_8.1
>
> On this system we get audit events for access failures using a simple file
> watch.
>
> Are we missing something obvious?
> Thanks! For any help,
>
> Tom Call, LMCO
prev parent reply other threads:[~2011-04-18 18:29 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-04-18 18:09 Auditing failures for files in protected directories - Lockheed Martin Proprietary/Export Controlled Information Call, Tom H
2011-04-18 18:29 ` Steve Grubb [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201104181429.21743.sgrubb@redhat.com \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
--cc=patrick.b.walker@lmco.com \
--cc=tom.h.call@lmco.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox