From: Steve Grubb <sgrubb@redhat.com>
To: 4javier <4javiereg4@gmail.com>, linux-audit@redhat.com
Subject: Re: Possible regression
Date: Thu, 2 Jun 2011 14:40:05 -0400
Message-ID: <201106021440.06076.sgrubb@redhat.com>
In-Reply-To: <BANLkTinBO4PUK0_aAt_=e0-bwKdTnMRgtg@mail.gmail.com>

On Thursday, June 02, 2011 12:41:41 PM 4javier wrote:
> root@Archbox /home/javier $ touch /tmp/test
> root@Archbox /home/javier $ cat /tmp/test
> root@Archbox /home/javier $ auditctl -w /tmp/test -p wa
> root@Archbox /home/javier $ echo ppp >> /tmp/test
> root@Archbox /home/javier $ cat /tmp/test
> ppp
> root@Archbox /home/javier $ ausearch -i -f /tmp/test
> <no matches>
> root@Archbox /home/javier $ auditctl -l
> LIST_RULES: exit,always watch=/tmp/test perm=wa
> root@Archbox /home/javier $ echo ppp > /tmp/test
> root@Archbox /home/javier $ ausearch -i -f /tmp/test
> <no matches>
> root@Archbox /home/javier $ ausearch -f /tmp/test
> <no matches>
> 
> As you can see from the auditctl -l output, the rule seems to be correctly set, but
> ausearch doesn't show anything.

I duplicated your tests here:
[root@localhost ~]# auditctl -w /tmp/test -p wa -k watch
[root@localhost ~]# echo "ppp" >> /tmp/test 
[root@localhost ~]# cat /tmp/test 

ppp
[root@localhost ~]# ausearch --start recent -i -f /tmp/test 
----
type=PATH msg=audit(06/02/2011 14:32:45.146:112) : item=0 name=/tmp/test inode=164740 
dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 
obj=unconfined_u:object_r:user_tmp_t:s0 
type=CWD msg=audit(06/02/2011 14:32:45.146:112) :  cwd=/root 
type=SYSCALL msg=audit(06/02/2011 14:32:45.146:112) : arch=x86_64 syscall=open 
success=yes exit=3 a0=1842830 a1=441 a2=1b6 a3=0 items=1 ppid=1298 pid=1304 
auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root 
fsgid=root tty=pts0 ses=1 comm=bash exe=/bin/bash 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=watch

Admittedly I am on the 2.6.38.6 kernel. But I'm not seeing a regression. When you set 
the perms to "wa" that is only going to be opens for writing or changes to file 
attributes. So, the cat command will not trigger an event and that is why I only get 1 
event. I am also on a 64 bit system, but I would think that didn't matter...unless we 
have a signed/unsigned comparison problem...what do you have for an inode on the 
/tmp/watch file? ls -i /tmp/watch should get it.

-Steve
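The point Steve makes, that a "wa" watch only fires for opens with a write access mode or for attribute changes, can be checked directly against `ausearch -i` output. The following is an added example, not code from this thread or from the audit project. It parses interpreted ausearch records into events, decodes the open(2) flags carried in the `a1` argument (the bit values are the standard Linux asm-generic/fcntl.h ones, assumed here), and reports which watch permission letters each event would have satisfied. The sample input embeds the event from Steve's reply plus a constructed second event (serial 113) showing what the read-only open done by `cat` would look like had it been logged; that second event is not from the page. The helper `inode_fits_signed32` is a small check for the signed/unsigned hypothesis Steve raises.

```python
import re
from collections import defaultdict

# open(2) flag bits as defined for Linux in asm-generic/fcntl.h (assumed, standard values).
O_ACCMODE, O_RDONLY, O_WRONLY, O_RDWR = 0o3, 0o0, 0o1, 0o2
O_CREAT, O_TRUNC, O_APPEND = 0o100, 0o1000, 0o2000
FLAG_NAMES = [("O_CREAT", O_CREAT), ("O_TRUNC", O_TRUNC), ("O_APPEND", O_APPEND)]

# Syscalls that change file attributes; the "a" letter of a watch covers these.
ATTR_SYSCALLS = {"chmod", "fchmod", "fchmodat", "chown", "fchown", "lchown",
                 "fchownat", "setxattr", "lsetxattr", "fsetxattr", "utimensat"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")
MSG_RE = re.compile(r"msg=audit\(([^)]*):(\d+)\)")

# Constructed sample: event 112 is copied from the reply above; event 113 is a
# made-up read-only open (what `cat` would produce if the watch also had "r").
SAMPLE = """----
type=PATH msg=audit(06/02/2011 14:32:45.146:112) : item=0 name=/tmp/test inode=164740
dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
obj=unconfined_u:object_r:user_tmp_t:s0
type=CWD msg=audit(06/02/2011 14:32:45.146:112) :  cwd=/root
type=SYSCALL msg=audit(06/02/2011 14:32:45.146:112) : arch=x86_64 syscall=open
success=yes exit=3 a0=1842830 a1=441 a2=1b6 a3=0 items=1 ppid=1298 pid=1304
auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root tty=pts0 ses=1 comm=bash exe=/bin/bash
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=watch
----
type=PATH msg=audit(06/02/2011 14:32:46.000:113) : item=0 name=/tmp/test inode=164740
dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(06/02/2011 14:32:46.000:113) :  cwd=/root
type=SYSCALL msg=audit(06/02/2011 14:32:46.000:113) : arch=x86_64 syscall=open
success=yes exit=3 a0=1842830 a1=0 a2=0 a3=0 items=1 ppid=1298 pid=1305
auid=sgrubb uid=root comm=cat exe=/bin/cat key=watch
"""


def parse_ausearch(text):
    """Group `ausearch -i` output into {serial: {record_type: {field: value}}}.

    Lines that do not start with 'type=' are wrapped continuations of the
    previous record, as in the terminal output quoted in the thread.
    """
    events = defaultdict(dict)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("----"):
            current = None
            continue
        if line.startswith("type="):
            serial = int(MSG_RE.search(line).group(2))
            rtype = line.split()[0][len("type="):]
            current = events[serial].setdefault(rtype, {})
        if current is not None:
            current.update(FIELD_RE.findall(line))
    return dict(events)


def decode_open_flags(arg_hex):
    """Name the access mode and creation flags in an open(2) flags argument (hex, as ausearch prints it)."""
    flags = int(arg_hex, 16)
    mode = {O_RDONLY: "O_RDONLY", O_WRONLY: "O_WRONLY", O_RDWR: "O_RDWR"}
    names = [mode.get(flags & O_ACCMODE, "O_ACCMODE?")]
    names += [name for name, bit in FLAG_NAMES if flags & bit]
    return names


def perms_of(event):
    """Watch permission letters (r/w/a) that this event would satisfy.

    For open/openat only the access mode matters, which is what the kernel's
    audit permission check examines; O_CREAT or O_APPEND alone do not count.
    """
    sc = event.get("SYSCALL", {})
    name = sc.get("syscall", "")
    if name in ("open", "openat"):
        flags_arg = sc.get("a1" if name == "open" else "a2", "0")
        mode = int(flags_arg, 16) & O_ACCMODE
        return {"r"} if mode == O_RDONLY else {"w"} if mode == O_WRONLY else {"r", "w"}
    if name in ATTR_SYSCALLS:
        return {"a"}
    return set()


def watch_matches(event, perms):
    """True if a watch with these permission letters (e.g. "wa") would record the event."""
    return bool(perms_of(event) & set(perms))


def inode_fits_signed32(event):
    """True if the PATH inode number survives a signed 32-bit comparison."""
    return int(event["PATH"]["inode"]) <= 2**31 - 1


if __name__ == "__main__":
    for serial, ev in sorted(parse_ausearch(SAMPLE).items()):
        sc = ev["SYSCALL"]
        print(serial, sc["comm"], sc["syscall"], decode_open_flags(sc["a1"]),
              "matches wa:", watch_matches(ev, "wa"), "inode ok:", inode_fits_signed32(ev))
```

Run against the sample, event 112 (the `>>` append) decodes to O_WRONLY|O_CREAT|O_APPEND and matches "wa", while the constructed `cat` event decodes to O_RDONLY and does not, which is exactly why only one event shows up for the sequence in the reply.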
