public inbox for linux-audit@redhat.com
* Auditing failures for files in protected directories - Lockheed Martin Proprietary/Export Controlled Information
@ 2011-04-18 18:09 Call, Tom H
  2011-04-18 18:29 ` Steve Grubb
  0 siblings, 1 reply; 2+ messages in thread
From: Call, Tom H @ 2011-04-18 18:09 UTC (permalink / raw)
  To: sgrubb@redhat.com; +Cc: Walker, Patrick B, linux-audit@redhat.com



Lockheed Martin Proprietary/Export Controlled Information
Proprietary information owned by Lockheed Martin, such as business, financial or technical information, that requires protection from unauthorized disclosure, and is subject to US or foreign export control laws or regulations.

.
.
.
Message Start:
-----------------------
Steve,

Hi, we have what I think is a new but undesirable result trying to audit access failures on files in a NISPOM audit configuration.
We are not seeing audit events for the access failures if the file has a parent directory in the path that blocks access.
Example:
Directory              Permission
/var                   755
/var/test              755
/var/test/bin          700
/var/test/bin/file     740

If an unprivileged user attempts to change /var/test/bin/file there is no audit event recorded, either for the file or the parent directory /var/test/bin.
Our theory is that the failure to open the /var/test/bin directory causes the audit path to be broken, or something to that effect; please excuse my terminology faux pas.
This is happening on the following configuration:

- Kernel - 2.6.18-238.5.1.el5
- Auditd - 1.7.18-2.el5

We have tried the following auditd rules (among others), no change in result:

- -w /var/test/bin/file -p rwxa
- -a exit,always -S open -F path=/var/test/bin/file -F success=0
- -a exit,always -S open -R dir=/var/test/ -F success=0

And this is something new: we have been using watches to audit this file for years with previous kernel and auditd versions, such as:

- Kernel - 2.6.9-100.ELsmp
- Auditd - 1.0.16-4.el4_8.1

On this system we get audit events for access failures using a simple file watch.

Are we missing something obvious?
Thanks for any help!

Tom Call, LMCO
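As an added illustration (not part of the mail above, nor code from the audit project), the script below simulates the permission checks open(2) applies while walking the path /var/test/bin/file for an unprivileged user, using the mode table from the message; root ownership of every entry and uid/gid 1000 for the user are assumptions. The walk is denied at /var/test/bin, so the file's own inode is never looked up, which is consistent with the theory in the message: a watch keyed on that inode has nothing to see.

```python
import os

# Constructed sample tree mirroring the modes listed in the mail.
# Each entry: path -> (mode bits, owner uid, owner gid). Root ownership
# is an assumption; the mail only gives the permission bits.
TREE = {
    "/var":               (0o755, 0, 0),
    "/var/test":          (0o755, 0, 0),
    "/var/test/bin":      (0o700, 0, 0),
    "/var/test/bin/file": (0o740, 0, 0),
}


def dac_allows(mode, owner_uid, owner_gid, uid, gid, want):
    """Plain owner/group/other permission check (no capabilities, no ACLs)."""
    if uid == owner_uid:
        bits = (mode >> 6) & 0o7
    elif gid == owner_gid:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return (bits & want) == want


def walk_open(path, uid, gid, want, tree=TREE):
    """Simulate the component-by-component lookup done by open(2).

    Every intermediate directory needs search (x) permission; only the final
    component is checked against `want` (e.g. os.W_OK). Returns (ok, component):
    on failure `component` is the first element that denied access, and no
    later component was ever looked up.
    """
    parts = path.strip("/").split("/")
    cur = ""
    for i, part in enumerate(parts):
        cur += "/" + part
        entry = tree.get(cur)
        if entry is None:          # ENOENT: nothing further is looked up either
            return False, cur
        mode, owner_uid, owner_gid = entry
        need = want if i == len(parts) - 1 else os.X_OK
        if not dac_allows(mode, owner_uid, owner_gid, uid, gid, need):
            return False, cur      # EACCES at this component
    return True, cur


def lookup_reaches(watched, path, uid, gid, want, tree=TREE):
    """True if the lookup of `path` ever touches the inode at `watched`.

    A watch keyed on that inode can only record the attempt if this holds;
    a denial higher up the path stops the walk before the inode is seen.
    """
    _, stopped_at = walk_open(path, uid, gid, want, tree)
    return stopped_at == watched or stopped_at.startswith(watched + "/")


if __name__ == "__main__":
    print(walk_open("/var/test/bin/file", 1000, 1000, os.W_OK))  # (False, '/var/test/bin')
    print(lookup_reaches("/var/test/bin/file", "/var/test/bin/file", 1000, 1000, os.W_OK))  # False
```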





