From: Steve Grubb <sgrubb@redhat.com>
To: John T Olson <jtolson@us.ibm.com>
Cc: linux-audit@redhat.com
Subject: Re: Not seeing access denied audit messages in restricted subdirectories
Date: Fri, 8 Nov 2019 22:39:05 +0100
Message-ID: <20191108223905.773a79d3@ivy-bridge>
In-Reply-To: <OF3C0EFCFA.EE160C73-ON002584AC.006EBA93-072584AC.0071860C@notes.na.collabserv.com>
On Fri, 8 Nov 2019 13:39:58 -0700
"John T Olson" <jtolson@us.ibm.com> wrote:
> Greetings,
>
> I have the following 2 audit rules set up:
>
> -a always,exit -F arch=b64 -S all -F exit=-EACCES -F dir=/gpfs/fs1
> -a always,exit -F arch=b64 -S all -F exit=-EPERM -F dir=/gpfs/fs1
>
> I have a directory structure like the following:
>
> (13:15:26) zippleback-vm1:~ # ls -la /gpfs/fs1/test/
> total 257
> drwx------. 3 root root 4096 Nov 7 12:46 .
> drwxr-xr-x. 15 root root 262144 Nov 7 12:50 ..
> drwx------. 2 root root 4096 Nov 7 12:46 test2
>
> Essentially, directory "/gpfs/fs1/test/" is owned by root and has
> permissions 700. The subdirectory underneath it (with
> path /gpfs/fs1/test/test2) is also owned by root and has permissions
> 700.
>
> When I have a non-root user attempt to list the contents of directory
> "/gpfs/fs1/test/" I receive an audit message for the denied access.
> However, when the non-root user attempts to list the contents of the
> subdirectory (/gpfs/fs1/test/test2), there is no audit message
> generated. Does anyone know why this is and how I get audit messages
> in both cases?
Yes, the reason is that the path did not resolve, so audit never saw
it. This has been this way for quite some time. In the past, it was
said that because the path never resolved, a PATH record with all
attributes could not be generated. I have mentioned to kernel
maintainers that the path is available as a syscall argument. While a
full PATH record cannot be generated with file attributes, an
abbreviated one could be generated. So far... no one has seen this as
a big enough problem to fix. Personally, I think it should be fixed.
-Steve
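As an added illustration of the gap Steve describes (this is not code from the thread or from the audit project): a small Python parser that groups raw audit.log records by event serial, picks out syscall failures with exit=-EACCES or -EPERM, and flags the events that arrived with no PATH record at all. The sample records are constructed for the example; the first event mimics listing /gpfs/fs1/test/ (path resolved, PATH record present, so a dir= rule can match it) and the second mimics listing /gpfs/fs1/test/test2 (path walk failed, so only SYSCALL, CWD and PROCTITLE records exist). Pids, inodes, device numbers and timestamps are invented. The decoded PROCTITLE is shown only as a hint of what the process was invoked with; it is the command line, not the pathname the kernel actually received in the syscall, which is exactly the information the missing PATH record would have carried.

```python
"""Group Linux audit records into events and report EACCES/EPERM syscall
failures, marking the ones that carry no PATH record.

Constructed sample log (not taken from the thread): event 201 mirrors
`ls -la /gpfs/fs1/test/` (path resolved, PATH record present); event 202
mirrors `ls -la /gpfs/fs1/test/test2` (path walk failed, no PATH record).
arch=c000003e is x86_64, syscall=257 is openat, exit=-13 is EACCES.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
type=SYSCALL msg=audit(1573245000.101:201): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d1c0a0 a2=90800 a3=0 items=1 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key=(null)
type=CWD msg=audit(1573245000.101:201): cwd="/home/user"
type=PATH msg=audit(1573245000.101:201): item=0 name="/gpfs/fs1/test/" inode=131 dev=00:2f mode=040700 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1573245000.101:201): proctitle=6C73002D6C61002F677066732F6673312F746573742F
type=SYSCALL msg=audit(1573245000.202:202): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d1c0a0 a2=90800 a3=0 items=0 ppid=1200 pid=1235 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key=(null)
type=CWD msg=audit(1573245000.202:202): cwd="/home/user"
type=PROCTITLE msg=audit(1573245000.202:202): proctitle=6C73002D6C61002F677066732F6673312F746573742F7465737432
"""

HEADER_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
# key=value pairs; values are either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

ERRNO_NAMES = {-13: "EACCES", -1: "EPERM"}


def _unquote(value):
    """Strip the surrounding double quotes audit puts around string fields."""
    if value is not None and len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def parse_records(text):
    """Return {serial: [(record_type, {field: raw_value}), ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # not an audit record (or a line we do not understand)
        fields = dict(FIELD_RE.findall(m.group("body")))
        events[int(m.group("serial"))].append((m.group("type"), fields))
    return events


def proctitle_to_argv(raw):
    """auditd hex-encodes proctitle when it contains NUL separators;
    a double-quoted value is a single plain argument."""
    if raw.startswith('"'):
        return [_unquote(raw)]
    return bytes.fromhex(raw).decode("utf-8", "replace").split("\0")


def denied_accesses(text):
    """List EACCES/EPERM syscall failures; path_recorded is False when the
    event has no PATH record, i.e. the case discussed in the thread."""
    findings = []
    for serial, records in sorted(parse_records(text).items()):
        by_type = defaultdict(list)
        for rtype, fields in records:
            by_type[rtype].append(fields)
        for sc in by_type.get("SYSCALL", []):
            if _unquote(sc.get("success")) != "no":
                continue
            try:
                code = int(sc.get("exit", "0"))
            except ValueError:
                continue  # interpreted logs carry names, not numbers
            if code not in ERRNO_NAMES:
                continue
            paths = [_unquote(p["name"]) for p in by_type.get("PATH", []) if "name" in p]
            titles = [proctitle_to_argv(p["proctitle"])
                      for p in by_type.get("PROCTITLE", []) if "proctitle" in p]
            findings.append({
                "serial": serial,
                "errno": ERRNO_NAMES[code],
                "auid": sc.get("auid"),
                "comm": _unquote(sc.get("comm")),
                "cwd": _unquote(by_type["CWD"][0]["cwd"]) if by_type.get("CWD") else None,
                "paths": paths,
                "argv": titles[0] if titles else [],
                "path_recorded": bool(paths),
            })
    return findings


def report(text):
    """Human-readable summary, one line per denied access."""
    lines = []
    for f in denied_accesses(text):
        where = ", ".join(f["paths"]) if f["path_recorded"] else "<no PATH record>"
        lines.append(f"event {f['serial']}: {f['errno']} auid={f['auid']} "
                     f"comm={f['comm']} path={where} argv={' '.join(f['argv'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against a real /var/log/audit/audit.log the script reports every EACCES/EPERM event; the ones flagged `<no PATH record>` are the ones a `-F dir=` rule cannot match, since that filter keys on the inode in the PATH record. A rule with only `-F exit=-EACCES` still produces the SYSCALL record for those events, but the pathname the process asked for is not in the log either way.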