* Possible regression
From: 4javier @ 2011-06-02 12:48 UTC
To: linux-audit

I'm noticing exactly the same problem mentioned in this old message:
http://osdir.com/ml/linux.redhat.security.audit/2006-07/msg00036.html
The workaround consisting in watching the whole directory containing the file works too.
I've found that in 2006 a patch was submitted to solve the issue:
http://www.mail-archive.com/linux-audit@redhat.com/msg00476.html

Is this a recent regression, or is there something I don't know?

Arch Linux
audit 2.1.1
kernel 2.6.38.7
i686 architecture

Thanks in advance
* Re: Possible regression
From: Steve Grubb @ 2011-06-02 13:21 UTC
To: linux-audit

On Thursday, June 02, 2011 08:48:30 AM 4javier wrote:
> I'm noticing exactly the same problem mentioned in this old message
> http://osdir.com/ml/linux.redhat.security.audit/2006-07/msg00036.html
> The workaround consisting in watching the whole directory containing the file
> works too. I've found that in 2006 a patch was submitted to solve the
> issue
> http://www.mail-archive.com/linux-audit@redhat.com/msg00476.html
>
> Is this a recent regression, or is there something I don't know?

I just ran the test from that email and got the following:

[root@localhost ~]# touch /tmp/test
[root@localhost ~]# auditctl -a always,exit -F path=/tmp/test -F perm=rwa -k watch
[root@localhost ~]# echo "" > /tmp/test
[root@localhost ~]# cat /tmp/test

[root@localhost ~]# ausearch --start recent --key watch -i
----
type=CONFIG_CHANGE msg=audit(06/02/2011 09:15:49.790:124) : auid=sgrubb ses=2 subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 op="add rule" key=watch list=exit res=1
----
type=PATH msg=audit(06/02/2011 09:15:56.970:125) : item=0 name=/tmp/test inode=164740 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0
type=CWD msg=audit(06/02/2011 09:15:56.970:125) : cwd=/root
type=SYSCALL msg=audit(06/02/2011 09:15:56.970:125) : arch=x86_64 syscall=open success=yes exit=3 a0=28cadd0 a1=241 a2=1b6 a3=0 items=1 ppid=1634 pid=1640 auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=2 comm=bash exe=/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=watch
----
type=PATH msg=audit(06/02/2011 09:16:08.850:126) : item=0 name=/tmp/test inode=164740 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0
type=CWD msg=audit(06/02/2011 09:16:08.850:126) : cwd=/root
type=SYSCALL msg=audit(06/02/2011 09:16:08.850:126) : arch=x86_64 syscall=open success=yes exit=3 a0=7fffd7a8f943 a1=0 a2=0 a3=32d80819d0 items=1 ppid=1640 pid=1659 auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=2 comm=cat exe=/bin/cat subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=watch
[root@localhost ~]# uname -r
2.6.38.6-26.rc1.fc15.x86_64

We have 2 events. Are you getting this? Is something missing?

-Steve
* Fwd: Possible regression
From: 4javier @ 2011-06-02 13:46 UTC
To: linux-audit

---------- Forwarded message ----------
From: 4javier <4javiereg4@gmail.com>
Date: 2011/6/2
Subject: Re: Possible regression
To: Steve Grubb <sgrubb@redhat.com>

You're right... sorry, my fault... I didn't use the -a switch. I read the man page, but I cannot understand how this setting is able to fix the problem with O_CREAT. Could you explain that to me, please?

2011/6/2 Steve Grubb <sgrubb@redhat.com>
> On Thursday, June 02, 2011 08:48:30 AM 4javier wrote:
> > I'm noticing exactly the same problem mentioned in this old message
> > http://osdir.com/ml/linux.redhat.security.audit/2006-07/msg00036.html
> > The workaround consisting in watching the whole directory containing the file
> > works too. I've found that in 2006 a patch was submitted to solve the
> > issue
> > http://www.mail-archive.com/linux-audit@redhat.com/msg00476.html
> >
> > Is this a recent regression, or is there something I don't know?
>
> I just ran the test from that email and got the following:
>
> [root@localhost ~]# touch /tmp/test
> [root@localhost ~]# auditctl -a always,exit -F path=/tmp/test -F perm=rwa -k watch
> [root@localhost ~]# echo "" > /tmp/test
> [root@localhost ~]# cat /tmp/test
>
> [root@localhost ~]# ausearch --start recent --key watch -i
> ----
> type=CONFIG_CHANGE msg=audit(06/02/2011 09:15:49.790:124) : auid=sgrubb ses=2 subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 op="add rule" key=watch list=exit res=1
> ----
> type=PATH msg=audit(06/02/2011 09:15:56.970:125) : item=0 name=/tmp/test inode=164740 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0
> type=CWD msg=audit(06/02/2011 09:15:56.970:125) : cwd=/root
> type=SYSCALL msg=audit(06/02/2011 09:15:56.970:125) : arch=x86_64 syscall=open success=yes exit=3 a0=28cadd0 a1=241 a2=1b6 a3=0 items=1 ppid=1634 pid=1640 auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=2 comm=bash exe=/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=watch
> ----
> type=PATH msg=audit(06/02/2011 09:16:08.850:126) : item=0 name=/tmp/test inode=164740 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0
> type=CWD msg=audit(06/02/2011 09:16:08.850:126) : cwd=/root
> type=SYSCALL msg=audit(06/02/2011 09:16:08.850:126) : arch=x86_64 syscall=open success=yes exit=3 a0=7fffd7a8f943 a1=0 a2=0 a3=32d80819d0 items=1 ppid=1640 pid=1659 auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=2 comm=cat exe=/bin/cat subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=watch
> [root@localhost ~]# uname -r
> 2.6.38.6-26.rc1.fc15.x86_64
>
> We have 2 events. Are you getting this? Is something missing?
>
> -Steve
* Re: Possible regression
From: Steve Grubb @ 2011-06-02 13:59 UTC
To: 4javier, linux-audit

On Thursday, June 02, 2011 09:45:38 AM you wrote:
> You're right... sorry, my fault...
> I didn't use the -a switch. I read the man page, but I cannot understand how
> this setting is able to fix the problem with O_CREAT.
> Could you explain that to me, please?

As far as I know, the problem was fixed in 2006 and there has been no regression. The -w command is translated into -a always,exit -F path= under the hood. It's been this way since watches were deprecated around 2005/2006.

How were you testing? You might have found a bug and I just don't know how to reproduce it.

-Steve
* Fwd: Possible regression
From: 4javier @ 2011-06-02 18:14 UTC
To: linux-audit

---------- Forwarded message ----------
From: 4javier <4javiereg4@gmail.com>
Date: 2011/6/2
Subject: Re: Possible regression
To: Steve Grubb <sgrubb@redhat.com>

root@Archbox /home/javier $ touch /tmp/test
root@Archbox /home/javier $ cat /tmp/test
root@Archbox /home/javier $ auditctl -w /tmp/test -p wa
root@Archbox /home/javier $ echo ppp >> /tmp/test
root@Archbox /home/javier $ cat /tmp/test
ppp
root@Archbox /home/javier $ ausearch -i -f /tmp/test
<no matches>
root@Archbox /home/javier $ auditctl -l
LIST_RULES: exit,always watch=/tmp/test perm=wa
root@Archbox /home/javier $ echo ppp > /tmp/test
root@Archbox /home/javier $ ausearch -i -f /tmp/test
<no matches>
root@Archbox /home/javier $ ausearch -f /tmp/test
<no matches>

As you can see from the auditctl -l output, the rule seems to be correctly set, but ausearch doesn't show anything.

2011/6/2 Steve Grubb <sgrubb@redhat.com>
> On Thursday, June 02, 2011 09:45:38 AM you wrote:
> > You're right... sorry, my fault...
> > I didn't use the -a switch. I read the man page, but I cannot understand how
> > this setting is able to fix the problem with O_CREAT.
> > Could you explain that to me, please?
>
> As far as I know, the problem was fixed in 2006 and there has been no
> regression. The -w command is translated into -a always,exit -F path= under
> the hood. It's been this way since watches were deprecated around 2005/2006.
>
> How were you testing? You might have found a bug and I just don't know how
> to reproduce it.
>
> -Steve
* Re: Possible regression
From: Steve Grubb @ 2011-06-02 18:40 UTC
To: 4javier, linux-audit

On Thursday, June 02, 2011 12:41:41 PM 4javier wrote:
> root@Archbox /home/javier $ touch /tmp/test
> root@Archbox /home/javier $ cat /tmp/test
> root@Archbox /home/javier $ auditctl -w /tmp/test -p wa
> root@Archbox /home/javier $ echo ppp >> /tmp/test
> root@Archbox /home/javier $ cat /tmp/test
> ppp
> root@Archbox /home/javier $ ausearch -i -f /tmp/test
> <no matches>
> root@Archbox /home/javier $ auditctl -l
> LIST_RULES: exit,always watch=/tmp/test perm=wa
> root@Archbox /home/javier $ echo ppp > /tmp/test
> root@Archbox /home/javier $ ausearch -i -f /tmp/test
> <no matches>
> root@Archbox /home/javier $ ausearch -f /tmp/test
> <no matches>
>
> As you can see from the auditctl -l output, the rule seems to be correctly set, but
> ausearch doesn't show anything.

I duplicated your tests here:

[root@localhost ~]# auditctl -w /tmp/test -p wa -k watch
[root@localhost ~]# echo "ppp" >> /tmp/test
[root@localhost ~]# cat /tmp/test
ppp
[root@localhost ~]# ausearch --start recent -i -f /tmp/test
----
type=PATH msg=audit(06/02/2011 14:32:45.146:112) : item=0 name=/tmp/test inode=164740 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0
type=CWD msg=audit(06/02/2011 14:32:45.146:112) : cwd=/root
type=SYSCALL msg=audit(06/02/2011 14:32:45.146:112) : arch=x86_64 syscall=open success=yes exit=3 a0=1842830 a1=441 a2=1b6 a3=0 items=1 ppid=1298 pid=1304 auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=bash exe=/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=watch

Admittedly I am on the 2.6.38.6 kernel. But I'm not seeing a regression. When you set the perms to "wa" that is only going to be opens for writing or changes to file attributes. So, the cat command will not trigger an event and that is why I only get 1 event. I am also on a 64 bit system, but I would think that didn't matter... unless we have a signed/unsigned comparison problem... what do you have for an inode on the /tmp/watch file? ls -i /tmp/watch should get it.

-Steve
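The permission semantics Steve describes (a "-w ... -p wa" watch records an open() only when the file is opened for writing, so cat goes unrecorded) can be read straight off the a1 field of the SYSCALL records in this thread. The Python below is an added example, not code from the thread or from the audit project: it decodes a1 with the x86-64 open(2) flag values and applies the rule the kernel's audit_match_perm() uses for the open() class (only the access-mode bits decide between r and w; the attribute permission a never matches an open()), then reports which of the thread's events a given -p string would have produced.

```python
import re

# open(2) flag bits for x86-64 Linux (asm-generic fcntl.h), as they appear in
# the SYSCALL record's a1 field (hex).
O_ACCMODE, O_RDONLY, O_WRONLY, O_RDWR = 0o3, 0o0, 0o1, 0o2
O_CREAT, O_TRUNC, O_APPEND = 0o100, 0o1000, 0o2000

# For the open() syscall class, audit_match_perm() consults only the access
# mode: O_RDONLY -> "r", O_WRONLY -> "w", O_RDWR -> "rw". O_CREAT/O_TRUNC/
# O_APPEND add nothing, and "a" (attribute change) never matches an open().
ACCMODE_PERMS = {O_RDONLY: {"r"}, O_WRONLY: {"w"}, O_RDWR: {"r", "w"}, 3: {"r", "w"}}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\([^)]*:(\d+)\)')

def parse_record(line):
    """Split one interpreted (ausearch -i) record into a dict of its k=v fields."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["serial"] = SERIAL_RE.search(line).group(1)  # event id after the timestamp
    return fields

def describe_flags(a1_hex):
    """Human-readable decoding of the a1 (flags) argument of open()."""
    flags = int(a1_hex, 16)
    names = {O_RDONLY: "O_RDONLY", O_WRONLY: "O_WRONLY", O_RDWR: "O_RDWR"}
    parts = [names.get(flags & O_ACCMODE, "O_ACCMODE")]
    for bit, name in ((O_CREAT, "O_CREAT"), (O_TRUNC, "O_TRUNC"), (O_APPEND, "O_APPEND")):
        if flags & bit:
            parts.append(name)
    return "|".join(parts)

def watch_would_record(records, perm):
    """Serials of the open() events a `-w <file> -p <perm>` rule would emit."""
    wanted = set(perm)
    return [r["serial"] for r in records
            if r.get("type") == "SYSCALL" and r.get("syscall") == "open"
            and ACCMODE_PERMS[int(r["a1"], 16) & O_ACCMODE] & wanted]

# Constructed sample: the three SYSCALL records from the thread's tests,
# trimmed to the fields used here.
SAMPLE = [
    "type=SYSCALL msg=audit(06/02/2011 09:15:56.970:125) : arch=x86_64 syscall=open"
    " success=yes exit=3 a0=28cadd0 a1=241 a2=1b6 a3=0 comm=bash key=watch",
    "type=SYSCALL msg=audit(06/02/2011 09:16:08.850:126) : arch=x86_64 syscall=open"
    " success=yes exit=3 a0=7fffd7a8f943 a1=0 a2=0 a3=32d80819d0 comm=cat key=watch",
    "type=SYSCALL msg=audit(06/02/2011 14:32:45.146:112) : arch=x86_64 syscall=open"
    " success=yes exit=3 a0=1842830 a1=441 a2=1b6 a3=0 comm=bash key=watch",
]

if __name__ == "__main__":
    recs = [parse_record(line) for line in SAMPLE]
    for r in recs:
        print(r["serial"], r["comm"], describe_flags(r["a1"]))
    print("perm=wa records:", watch_would_record(recs, "wa"))    # ['125', '112']
    print("perm=rwa records:", watch_would_record(recs, "rwa"))  # ['125', '126', '112']
```

Event 126 (cat, a1=0 = O_RDONLY) is the one that drops out under -p wa, which is exactly the single-event result in Steve's second test.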
* Re: Possible regression
From: 4javier @ 2011-06-02 20:11 UTC
To: Steve Grubb; Cc: linux-audit

Both ls -i and stat return 252 as the inode for /tmp/test (I considered your /tmp/watch a typo).
I also tried to add read permission to the watch and execute a cat on the file, but not even that gets recognized by audit.

2011/6/2 Steve Grubb <sgrubb@redhat.com>
> On Thursday, June 02, 2011 12:41:41 PM 4javier wrote:
> > root@Archbox /home/javier $ touch /tmp/test
> > root@Archbox /home/javier $ cat /tmp/test
> > root@Archbox /home/javier $ auditctl -w /tmp/test -p wa
> > root@Archbox /home/javier $ echo ppp >> /tmp/test
> > root@Archbox /home/javier $ cat /tmp/test
> > ppp
> > root@Archbox /home/javier $ ausearch -i -f /tmp/test
> > <no matches>
> > root@Archbox /home/javier $ auditctl -l
> > LIST_RULES: exit,always watch=/tmp/test perm=wa
> > root@Archbox /home/javier $ echo ppp > /tmp/test
> > root@Archbox /home/javier $ ausearch -i -f /tmp/test
> > <no matches>
> > root@Archbox /home/javier $ ausearch -f /tmp/test
> > <no matches>
> >
> > As you can see from the auditctl -l output, the rule seems to be correctly set,
> > but ausearch doesn't show anything.
>
> I duplicated your tests here:
>
> [root@localhost ~]# auditctl -w /tmp/test -p wa -k watch
> [root@localhost ~]# echo "ppp" >> /tmp/test
> [root@localhost ~]# cat /tmp/test
> ppp
> [root@localhost ~]# ausearch --start recent -i -f /tmp/test
> ----
> type=PATH msg=audit(06/02/2011 14:32:45.146:112) : item=0 name=/tmp/test inode=164740 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0
> type=CWD msg=audit(06/02/2011 14:32:45.146:112) : cwd=/root
> type=SYSCALL msg=audit(06/02/2011 14:32:45.146:112) : arch=x86_64 syscall=open success=yes exit=3 a0=1842830 a1=441 a2=1b6 a3=0 items=1 ppid=1298 pid=1304 auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=bash exe=/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=watch
>
> Admittedly I am on the 2.6.38.6 kernel. But I'm not seeing a regression. When you set
> the perms to "wa" that is only going to be opens for writing or changes to file
> attributes. So, the cat command will not trigger an event and that is why I only get 1
> event. I am also on a 64 bit system, but I would think that didn't matter... unless we
> have a signed/unsigned comparison problem... what do you have for an inode on the
> /tmp/watch file? ls -i /tmp/watch should get it.
>
> -Steve