* Probable bug in auditd
@ 2021-01-20 20:54 Shourya Jaiswal
2021-01-20 21:38 ` Steve Grubb
0 siblings, 1 reply; 2+ messages in thread
From: Shourya Jaiswal @ 2021-01-20 20:54 UTC (permalink / raw)
To: linux-audit@redhat.com; +Cc: shourya98@gmail.com
[-- Attachment #1.1: Type: text/plain, Size: 837 bytes --]
Hi,
I have found a weird behavior in auditd. File "/abc" does not exist.
audit.rules:
-a always,exit -F arch=b32 -S open -S openat
-a always,exit -F arch=b64 -S open -S openat
A non-root user executes "echo > /abc", it doesn't get logged in audit.log. Same with "echo > /etc/abc"
A non-root user executes "cat /abc", it gets logged in audit.log
Since auditd is monitoring all the open and openat syscalls, ideally both the cases (i.e. read and write) should have be logged.
After I execute "chmod a+w /" then "chmod a-w /", if a non-root user executes "echo > /abc", then it gets logged in audit.log.
This looks like a bug to me. Kindly let me know if it's a bug or an intended feature.
System used to test: Linux 5.4.0-56-generic #62-Ubuntu SMP x86_64 x86_64 x86_64 GNU/Linux
Regards,
Shourya Jaiswal
[-- Attachment #1.2: Type: text/html, Size: 6039 bytes --]
[-- Attachment #2: Type: text/plain, Size: 102 bytes --]
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: Probable bug in auditd
2021-01-20 20:54 Probable bug in auditd Shourya Jaiswal
@ 2021-01-20 21:38 ` Steve Grubb
0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2021-01-20 21:38 UTC (permalink / raw)
To: linux-audit@redhat.com; +Cc: shourya98@gmail.com, Shourya Jaiswal
Hello,
On Wednesday, January 20, 2021 3:54:45 PM EST Shourya Jaiswal wrote:
> I have found a weird behavior in auditd. File "/abc" does not exist.
>
> audit.rules:
>
> -a always,exit -F arch=b32 -S open -S openat
>
> -a always,exit -F arch=b64 -S open -S openat
>
> A non-root user executes "echo > /abc", it doesn't get logged in audit.log.
This is because name resolution fails before it gets to audit hooks inside
the kernel. The audit hooks want to collect device, inode, permission, owner,
group, etc. IOW, things that do not exist.
> Same with "echo > /etc/abc" A non-root user executes "cat /abc", it gets
> logged in audit.log
>
> Since auditd is monitoring all the open and openat syscalls, ideally both
> the cases (i.e. read and write) should have be logged.
It's the kernel doing it. This comes up from time to time. It is logged here:
https://github.com/linux-audit/audit-kernel/issues/118
> After I execute "chmod a+w /" then "chmod a-w /", if a non-root user
> executes "echo > /abc", then it gets logged in audit.log.
>
> This looks like a bug to me. Kindly let me know if it's a bug or an
> intended feature.
This is essentially how it works. But, there will be an improvement at some
future point when issue 118 is resolved.
-Steve
> System used to test: Linux 5.4.0-56-generic #62-Ubuntu SMP x86_64 x86_64
> x86_64 GNU/Linux
>
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-01-20 21:41 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-01-20 20:54 Probable bug in auditd Shourya Jaiswal
2021-01-20 21:38 ` Steve Grubb
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).