From: Steve Grubb
To: linux-audit@redhat.com
Cc: shourya98@gmail.com, Shourya Jaiswal
Subject: Re: Probable bug in auditd
Date: Wed, 20 Jan 2021 16:38:55 -0500
Message-ID: <2062426.irdbgypaU6@x2>
Organization: Red Hat
Hello,

On Wednesday, January 20, 2021 3:54:45 PM EST Shourya Jaiswal wrote:
> I have found a weird behavior in auditd. File "/abc" does not exist.
>
> audit.rules:
>
> -a always,exit -F arch=b32 -S open -S openat
> -a always,exit -F arch=b64 -S open -S openat
>
> A non-root user executes "echo > /abc", it doesn't get logged in audit.log.

This is because name resolution fails before it gets to audit hooks inside the
kernel. The audit hooks want to collect device, inode, permission, owner, group,
etc. IOW, things that do not exist.

> Same with "echo > /etc/abc"
> A non-root user executes "cat /abc", it gets logged in audit.log
>
> Since auditd is monitoring all the open and openat syscalls, ideally both
> the cases (i.e. read and write) should have been logged.

It's the kernel doing it. This comes up from time to time. It is logged here:

https://github.com/linux-audit/audit-kernel/issues/118

> After I execute "chmod a+w /" then "chmod a-w /", if a non-root user
> executes "echo > /abc", then it gets logged in audit.log.
>
> This looks like a bug to me. Kindly let me know if it's a bug or an
> intended feature.

This is essentially how it works. But, there will be an improvement at some
future point when issue 118 is resolved.

-Steve

> System used to test: Linux 5.4.0-56-generic #62-Ubuntu SMP x86_64 x86_64
> x86_64 GNU/Linux

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
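The two cases in the thread that the kernel does record (a non-root "cat /abc", and a non-root "echo > /abc" after the chmod dance) show up in audit.log as a SYSCALL record with success=no plus CWD and PATH records sharing the same serial; the case that is not recorded leaves nothing to parse at all. The following is an added example, not code from the thread, from audit userspace or from the kernel: a small parser that joins those records per serial, names the errno from the negative exit value, and lists the failed open/openat attempts by non-root users. The SAMPLE_LOG records are constructed for illustration (timestamps, serials, pids, argument registers and the PATH details are made up); only the field names and the x86_64 syscall numbers open=2 and openat=257 are real.

```python
"""Summarize the open/openat attempts that the kernel actually recorded.

Added example for the thread above; it is not code from the linux-audit
project or from either poster. The SAMPLE_LOG records are constructed: the
syscall numbers are the real x86_64 values (open=2, openat=257) and the
field names follow the audit log format, but timestamps, serials, pids,
argument registers and the PATH details are made up for illustration.
"""
import errno
import re
from collections import defaultdict

# x86_64 syscall numbers selected by "-a always,exit -F arch=b64 -S open -S openat"
SYSCALL_NAMES_X86_64 = {2: "open", 257: "openat"}

# Constructed records. Serial 101: non-root "cat /abc" (recorded, ENOENT).
# Serial 102: non-root "echo > /abc" after "chmod a+w /; chmod a-w /"
# (recorded, EACCES). The non-root "echo > /abc" against an untouched "/"
# from the thread leaves NO record at all, so nothing here corresponds to it.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1611178870.101:101): arch=c000003e syscall=257 success=no exit=-2 a0=ffffff9c a1=7ffd1c2a0a2e a2=0 a3=0 items=1 ppid=2000 pid=2001 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key=(null)
type=CWD msg=audit(1611178870.101:101): cwd="/home/user"
type=PATH msg=audit(1611178870.101:101): item=0 name="/abc" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PROCTITLE msg=audit(1611178870.101:101): proctitle=636174002F616263
type=SYSCALL msg=audit(1611178870.202:102): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d2c3f0a2e0 a2=241 a3=1b6 items=2 ppid=2000 pid=2002 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key=(null)
type=CWD msg=audit(1611178870.202:102): cwd="/home/user"
type=PATH msg=audit(1611178870.202:102): item=0 name="/" inode=2 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1611178870.202:102): item=1 name="/abc" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PROCTITLE msg=audit(1611178870.202:102): proctitle=62617368
"""

# key=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# msg=audit(<timestamp>:<serial>): links the records of one syscall together
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\):')


def parse_record(line):
    """Split one audit line into (record type, serial, {field: value})."""
    m = MSG_RE.search(line)
    if m is None:
        raise ValueError(f"not an audit record: {line!r}")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line) if k != "msg"}
    return fields["type"], int(m.group(2)), fields


def group_events(log_text):
    """Join SYSCALL/CWD/PATH records that share a serial into one event each."""
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rtype, serial, fields = parse_record(line)
        ev = events[serial]
        ev["serial"] = serial
        if rtype == "SYSCALL":
            exit_code = int(fields["exit"])
            ev["syscall"] = SYSCALL_NAMES_X86_64.get(int(fields["syscall"]), fields["syscall"])
            ev["success"] = fields["success"] == "yes"
            ev["exit"] = exit_code
            # A negative exit value is -errno; name it for the reader.
            ev["errno"] = errno.errorcode.get(-exit_code) if exit_code < 0 else None
            ev["uid"] = int(fields["uid"])
            ev["comm"] = fields["comm"]
        elif rtype == "PATH":
            ev["paths"].append(fields["name"])
    return [events[s] for s in sorted(events)]


def failed_open_attempts(log_text, non_root_only=True):
    """open/openat events the kernel recorded with success=no."""
    return [ev for ev in group_events(log_text)
            if ev.get("syscall") in SYSCALL_NAMES_X86_64.values()
            and not ev["success"]
            and (not non_root_only or ev["uid"] != 0)]


if __name__ == "__main__":
    for ev in failed_open_attempts(SAMPLE_LOG):
        print(f"serial={ev['serial']} uid={ev['uid']} {ev['syscall']} "
              f"{ev['errno']} paths={ev['paths']} comm={ev['comm']}")
```

Run on a real audit.log the script only ever reports what the kernel emitted, so a detection rule built on it inherits the gap the thread describes: a non-root write to a non-existent path on an unwritable directory produces no SYSCALL record to match, and that stays true until issue 118 is resolved. The syscall table covers only the arch=b64 rule; records produced by the arch=b32 rule carry i386 syscall numbers (open=5, openat=295) and would need a second table keyed on the arch field.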