From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Path ignored but syscall event still logged
Date: Fri, 13 Jan 2012 13:51:45 -0500
Message-ID: <201201131351.45969.sgrubb@redhat.com>
In-Reply-To: <D0A5F96279337C499E18E7D5B0695A2F68010B21@HAMMBX04.uk.betfair.local>
On Friday, January 13, 2012 11:46:58 AM Max Williams wrote:
> Hi Steve,
> Thanks for the reply. Yes and yes:
>
> [root@host1 ~]# mount|grep ab
> /dev/mapper/VolGroupCF00-abf_graph on /naab2 type ext4 (rw)
> /dev/mapper/VolGroupCF01-abf_icff on /naab1 type ext4 (rw)
>
> [root@host1 ~]# ll /|grep ab
> lrwxrwxrwx 1 root root 6 May 9 2011 ab1 -> /naab1
> lrwxrwxrwx 1 root root 6 May 9 2011 ab2 -> /naab2
> drwxrwx--- 5 root ab_users 4096 May 20 2011 naab1
> drwxrwx--- 6 root ab_users 4096 Jun 29 2011 naab2
> [root@host1 ~]#
>
> How does that affect the rule, which was for the actual mount point,
> not the sym link? LIST_RULES: exit,never dir=/naab1 (0x6) syscall=all
It's OK for the top level dir to be a mount point. However, what about
everything under it?

/naab1/serial/data/dir1/serial/dir2/abc_load/temp/some-app/.WORK-serial/1568280a-4eef7e3f-3873

Could data or dir1 be a mount point? If anything under /naab1 is
a mount point, then you have to tell the kernel to treat it as equivalent
to the parent dir that you have the rule on. For example, suppose data
was in fact a mount point and you mounted /dev/sda1 onto it. You
would need to add the following to your audit rules:

-q /naab1/serial/data,/dev/sda1

As for symlinks, I'm not sure that a recursive watch will follow the
symlink. If for example, some-app was a symlink to /opt/some-app,
I am pretty sure the watch will not follow over to the other device.
You would have to add a watch on /opt/some-app to get events.
The same thing applies for suppressing events.

-Steve
> -----Original Message-----
> From: Steve Grubb [mailto:sgrubb@redhat.com]
> Sent: 13 January 2012 14:46
> To: linux-audit@redhat.com
> Cc: Max Williams
> Subject: Re: Path ignored but syscall event still logged
>
> On Thursday, January 12, 2012 09:45:59 AM Max Williams wrote:
> > Sorry to bug you but is this issue I'm having a bug or have I made a
> > mistake in the rules? Is there another way I could exclude this
> > directory from auditd?
>
> Looking back at the original...
>
> /naab1/serial/data/dir1/serial/dir2/abc_load/temp/some-app/.WORK-serial/1568280a-4eef7e3f-3873
>
> Are there any mount points in that path? Or any symlinks pointing to other
> disk devices?
>
> Thanks,
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
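A worked example added to this archive page (it is not part of Steve's reply and not a tool shipped with audit) that turns the two checks above into a script. audit_equiv_rules reads a mount table in /proc/self/mounts format and prints the "-q MOUNTPOINT,DEVICE" equivalence rule for every filesystem mounted strictly below the directory a rule covers; escaping_symlinks walks a tree and lists symlinks whose resolved target lies outside it, which are the places where a separate watch (or a separate "never" rule) is needed because the rule on the parent does not cover them. The mount table is constructed for the example (the two VolGroup devices come from the thread, /dev/sda1, /dev/sdb1, /dev/sdc1 and the /naab10 entry are invented), and both function names are mine.

```sh
#!/bin/sh
# Added example, not from the original thread. Find the places under a
# watched (or suppressed) directory that audit will not treat as part
# of it: nested mount points need a "-q" equivalence rule, and symlinks
# that resolve outside the tree need a rule of their own.

# Constructed mount table in /proc/self/mounts format:
#   device mountpoint fstype options dump pass
# Modelled on the host in the thread; the nested mounts under /naab1,
# /opt/some-app and /naab10 are invented to exercise the edge cases.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/mapper/VolGroupCF01-abf_icff /naab1 ext4 rw 0 0
/dev/mapper/VolGroupCF00-abf_graph /naab2 ext4 rw 0 0
/dev/sda1 /naab1/serial/data ext4 rw 0 0
/dev/sdb1 /naab1/serial/data/dir1/serial xfs rw 0 0
/dev/sdc1 /opt/some-app ext4 rw 0 0
tmpfs /naab10 tmpfs rw 0 0'

# audit_equiv_rules DIR < mount-table
# Print one "-q MOUNTPOINT,DEVICE" line for each filesystem mounted
# strictly below DIR.  DIR itself being a mount point is fine (see the
# reply above), so it is skipped.  The "/" appended to DIR keeps
# /naab10 from matching /naab1.
audit_equiv_rules() {
    dir=${1%/}
    [ -n "$dir" ] || { echo "refusing to run on /" >&2; return 1; }
    awk -v top="$dir" '
        $2 == top                { next }
        index($2, top "/") == 1  { printf "-q %s,%s\n", $2, $1 }
    '
}

# escaping_symlinks DIR
# List "LINK -> TARGET" for every symlink under DIR whose resolved
# target is outside DIR.  A recursive rule on DIR does not reach those
# targets, so each needs its own -w / -a rule (or its own "never" rule
# when the goal is suppression).  Dangling links are reported too,
# since readlink -f still resolves all but the last component.
escaping_symlinks() {
    root=$(readlink -f "$1") || return 1
    find "$root" -type l | while IFS= read -r link; do
        target=$(readlink -f "$link") || continue
        case "$target/" in
            "$root"/*) ;;                              # stays inside the tree
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Demo on the constructed table: the two mounts nested under /naab1.
printf '%s\n' "$SAMPLE_MOUNTS" | audit_equiv_rules /naab1
```

On a live host, feed the real table instead of the sample: `audit_equiv_rules /naab1 < /proc/self/mounts`, and `escaping_symlinks /naab1` for the symlink side. Both functions only report; adding the printed -q lines to the rules file and reloading with auditctl -R is still a manual step.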
Thread overview: 12+ messages
2011-12-20 17:55 Path ignored but syscall event still logged Max Williams
2011-12-20 19:02 ` Steve Grubb
2011-12-21 12:17 ` Max Williams
2011-12-21 19:24 ` Steve Grubb
2012-01-06 17:26 ` Max Williams
2012-01-12 14:45 ` Max Williams
2012-01-12 15:04 ` Steve Grubb
2012-01-12 15:07 ` Max Williams
2012-01-13 14:45 ` Steve Grubb
2012-01-13 16:46 ` Max Williams
2012-01-13 18:51 ` Steve Grubb [this message]
2012-01-16 11:13 ` Max Williams