From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Auditing the "chattr" command (ioctl syscall?)
Date: Wed, 24 Aug 2011 10:40:32 -0400
Message-ID: <201108241040.32951.sgrubb@redhat.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday, August 24, 2011 09:57:13 AM Max Williams wrote:
> Hi,
> I would like to be able to audit the syscalls that the chattr command uses
> but I'm not having much luck. In an effort to see the syscalls used, I
> created a rule to log all syscalls, like this:
>
> # auditctl -a exit,always -F path=/root/file
>
> Then run this:
>
> # chattr +i /root/file
>
> This produces a series of two syscalls in the logs, 6 (sys_newlstat) and 2
> (sys_open):
>
> node=localhost.localdomain type=SYSCALL msg=audit(1314189320.335:53158): arch=c000003e syscall=6 success=yes exit=0 a0=7ffff0f8886c a1=7ffff0f88250 a2=7ffff0f88250 a3=1 items=1 ppid=15560 pid=15745 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1198 comm="chattr" exe="/usr/bin/chattr" key=(null)
> node=localhost.localdomain type=SYSCALL msg=audit(1314189320.335:53160): arch=c000003e syscall=2 success=yes exit=3 a0=7ffff0f8886c a1=800 a2=7ffff0f88170 a3=1 items=1 ppid=15560 pid=15745 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1198 comm="chattr" exe="/usr/bin/chattr" key=(null)
>
> I don't think these are the syscalls I want to audit,

Nope. You can use the autrace program also and get a strace-like list of
syscalls made by the process.

> they would be far too frequent. I also noticed when I run a strace on the
> chattr command it looks like it uses ioctl, eg:
>
> ioctl(3, EXT2_IOC_SETFLAGS, 0x7fff0314cf3c)
>
> What audit rule could I use to achieve this?

It starts off like this:

    -a always,exit -F arch=b64 -S ioctl

Then you need to look at the man page for ioctl. The first argument is the
FD, so you will not have an a0 since that could be different from program to
program. Then you need to look in the header files for the definition of
EXT2_IOC_SETFLAGS.

/usr/include/linux/ext2_fs.h
    #define EXT2_IOC_SETFLAGS FS_IOC_SETFLAGS

/usr/include/linux/fs.h
    #define FS_IOC_SETFLAGS _IOW('f', 2, long)

/usr/include/asm-generic/ioctl.h
    #define _IOW(type,nr,size) _IOC(_IOC_WRITE,(type),(nr),(_IOC_TYPECHECK(size)))
    #define _IOC(dir,type,nr,size) \
        (((dir) << _IOC_DIRSHIFT) | \
         ((type) << _IOC_TYPESHIFT) | \
         ((nr) << _IOC_NRSHIFT) | \
         ((size) << _IOC_SIZESHIFT))
    # define _IOC_WRITE 1U

Looks hard to figure out? Let's make a program:

    /* the headers quoted above, plus stdio.h for printf */
    #include <stdio.h>
    #include <linux/fs.h>
    #include <linux/ext2_fs.h>

    int main(void)
    {
        /* print the expanded ioctl request number in hex */
        printf("%lX\n", (unsigned long)EXT2_IOC_SETFLAGS);
        return 0;
    }

It returns this:

    40086602

So, the rule is:

    -a always,exit -F arch=b64 -S ioctl -F a1=40086602

I don't know if the syscall requires more arguments. You would have to look at
the chattr program for more. Also note that you might want a matching b32 rule
also. If you wanted to limit this to a file, then put a -F path= on that also.
Adding a key field helps in searching later.

-Steve
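Added example, not code from the thread: the _IOC() encoding quoted above re-implemented with the argument size passed in explicitly, so the a1 value for the b64 rule and the matching b32 rule Steve mentions can both be computed on one host (sizeof(long) is 8 on b64 and 4 on b32). The bit widths are the asm-generic ones; the key name chattr_setflags and the 0x prefix on the a1 value are assumptions, so check how your auditctl version parses the value before deploying the rule.

```c
#include <stdio.h>
#include <stdint.h>

/* Bit layout from asm-generic/ioctl.h: nr(8) | type(8) | size(14) | dir(2). */
#define IOC_NRSHIFT    0
#define IOC_TYPESHIFT  8
#define IOC_SIZESHIFT  16
#define IOC_DIRSHIFT   30
#define IOC_WRITE      1U

/* Re-implementation of _IOC() with the argument size passed in explicitly,
 * so the request number can be computed for an ABI other than the build host's. */
static uint32_t ioc(unsigned dir, unsigned type, unsigned nr, unsigned size)
{
    return (dir << IOC_DIRSHIFT) | (type << IOC_TYPESHIFT) |
           (nr << IOC_NRSHIFT) | (size << IOC_SIZESHIFT);
}

/* FS_IOC_SETFLAGS is _IOW('f', 2, long); sizeof(long) is 8 on b64 and 4 on b32,
 * which is why the a1 value differs between the two rules. */
uint32_t fs_ioc_setflags(unsigned sizeof_long)
{
    return ioc(IOC_WRITE, 'f', 2, sizeof_long);
}

/* Format an auditctl rule matching that request number on one arch.
 * "chattr_setflags" is a made-up key; returns the rule's length. */
int setflags_rule(const char *arch, unsigned sizeof_long, char *buf, size_t len)
{
    return snprintf(buf, len,
                    "-a always,exit -F arch=%s -S ioctl -F a1=0x%08x -k chattr_setflags",
                    arch, fs_ioc_setflags(sizeof_long));
}

int main(void)
{
    char rule[128];

    setflags_rule("b64", 8, rule, sizeof rule);   /* a1=0x40086602 */
    puts(rule);
    setflags_rule("b32", 4, rule, sizeof rule);   /* a1=0x40046602 */
    puts(rule);
    return 0;
}
```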