* Why there is no PATH record for change file time syscalls ?(utimensat)
@ 2017-09-06 10:03 Lev Olshvang
2017-09-07 22:32 ` Steve Grubb
From: Lev Olshvang @ 2017-09-06 10:03 UTC (permalink / raw)
To: linux-audit
* Re: Why there is no PATH record for change file time syscalls ?(utimensat)
2017-09-06 10:03 Why there is no PATH record for change file time syscalls ?(utimensat) Lev Olshvang
@ 2017-09-07 22:32 ` Steve Grubb
2017-09-08 8:41 ` Richard Guy Briggs
2017-09-08 15:38 ` Steve Grubb
From: Steve Grubb @ 2017-09-07 22:32 UTC (permalink / raw)
To: linux-audit
On Wednesday, September 6, 2017 6:03:18 AM EDT Lev Olshvang wrote:
> I got only following SYSCALL record in audit log for 'touch -t ' command, no
> CWD, no PATH record
Out of curiosity, what kind of rule were you using?
> type=SYSCALL msg=audit(1503837757.149:266995):
> arch=c000003e syscall=280 success=yes exit=0 a0=0 a1=0 a2=7fffbb26bb10 a3=0
> items=0 ppid=101 pid=102 auid=1000 uid=0 gid=31 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=pts4 ses=1 comm="touch" exe="/bin/touch"
> key="times"
I think you found a problem. I also think the syscall should be added to:
include/asm-generic/audit_change_attr.h
I think this syscall and others have been added since the watch permissions
files were setup.
-Steve
* Re: Why there is no PATH record for change file time syscalls ?(utimensat)
2017-09-07 22:32 ` Steve Grubb
@ 2017-09-08 8:41 ` Richard Guy Briggs
2017-09-08 13:27 ` Steve Grubb
2017-09-08 15:38 ` Steve Grubb
From: Richard Guy Briggs @ 2017-09-08 8:41 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
On 2017-09-07 18:32, Steve Grubb wrote:
> On Wednesday, September 6, 2017 6:03:18 AM EDT Lev Olshvang wrote:
> > I got only following SYSCALL record in audit log for 'touch -t ' command, no
> > CWD, no PATH record
>
> Out of curiosity, what kind of rule were you using?
>
> > type=SYSCALL msg=audit(1503837757.149:266995):
> > arch=c000003e syscall=280 success=yes exit=0 a0=0 a1=0 a2=7fffbb26bb10 a3=0
> > items=0 ppid=101 pid=102 auid=1000 uid=0 gid=31 euid=0 suid=0 fsuid=0
> > egid=0 sgid=0 fsgid=0 tty=pts4 ses=1 comm="touch" exe="/bin/touch"
> > key="times"
>
> I think you found a problem. I also think the syscall should be added to:
>
> include/asm-generic/audit_change_attr.h
Steve, my naive addition of utime, utimes, futimesat and utimensat to
include/asm-generic/audit_change_attr.h seems to have made no
difference.
> I think this syscall and others have been added since the watch permissions
> files were setup.
>
> -Steve
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
* Re: Why there is no PATH record for change file time syscalls ?(utimensat)
2017-09-08 8:41 ` Richard Guy Briggs
@ 2017-09-08 13:27 ` Steve Grubb
2017-09-08 15:15 ` Richard Guy Briggs
From: Steve Grubb @ 2017-09-08 13:27 UTC (permalink / raw)
To: Richard Guy Briggs; +Cc: linux-audit
On Friday, September 8, 2017 4:41:47 AM EDT Richard Guy Briggs wrote:
> On 2017-09-07 18:32, Steve Grubb wrote:
> > On Wednesday, September 6, 2017 6:03:18 AM EDT Lev Olshvang wrote:
> > > I got only following SYSCALL record in audit log for 'touch -t '
> > > command, no CWD, no PATH record
> >
> > Out of curiosity, what kind of rule were you using?
> >
> > > type=SYSCALL msg=audit(1503837757.149:266995):
> > > arch=c000003e syscall=280 success=yes exit=0 a0=0 a1=0 a2=7fffbb26bb10
> > > a3=0 items=0 ppid=101 pid=102 auid=1000 uid=0 gid=31 euid=0 suid=0
> > > fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=1 comm="touch"
> > > exe="/bin/touch" key="times"
> >
> > I think you found a problem. I also think the syscall should be added to:
> >
> > include/asm-generic/audit_change_attr.h
>
> Steve, my naive addition of utime, utimes, futimesat and utimensat to
> include/asm-generic/audit_change_attr.h seems to have made no
> difference.
There seem to be 2 problems. 1) the utimensat syscall not getting a path
record, 2) you can't use the -F perms=a because the syscall tables seem to be
way out of date. fchmodat seems to be the last syscall added. There's about 70
new syscalls that need to be looked through and added. This is the easier of
the 2 problems.
-Steve
> > I think this syscall and others have been added since the watch
> > permissions files were setup.
> >
> > -Steve
>
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
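The check a practitioner wants at this point is a way to tell, from an audit log, whether the file-timestamp syscalls on a given kernel come with PATH records or not, separately from whether a `-F perms=a` watch matches them at all. The script below is an added example and not code from the thread, auditd or the kernel. It groups records by event serial, picks out x86_64 (arch=c000003e) SYSCALL records for utime, utimes, futimesat and utimensat (syscall numbers from the x86_64 table, labelled in the code) and reports any such event that has items=0 or no PATH record. It also notes whether a1, the pathname argument, is 0: the record Lev posted has a1=0, i.e. a NULL pathname with the file reached through descriptor a0, and a descriptor-based utimensat does no path lookup that would produce a PATH record (the PATH record for that file belongs to the open() that created the descriptor, if that open was audited). The first sample line is the record from the thread; the second event (serial 266996) is constructed for contrast.

```python
import re
from collections import defaultdict

# x86_64 (arch=c000003e) syscall numbers for the file-timestamp syscalls
# discussed in the thread; taken from the x86_64 syscall table.
X86_64_TIME_SYSCALLS = {
    132: "utime",
    235: "utimes",
    261: "futimesat",
    280: "utimensat",
}

# Sample input. The first record is the one posted in the thread; the
# three records of serial 266996 are constructed to show a complete event
# (SYSCALL + CWD + PATH) produced by a path-based utimensat(AT_FDCWD, ...).
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1503837757.149:266995): arch=c000003e syscall=280 '
    'success=yes exit=0 a0=0 a1=0 a2=7fffbb26bb10 a3=0 items=0 ppid=101 pid=102 '
    'auid=1000 uid=0 gid=31 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 '
    'ses=1 comm="touch" exe="/bin/touch" key="times"',
    'type=SYSCALL msg=audit(1503837800.000:266996): arch=c000003e syscall=280 '
    'success=yes exit=0 a0=ffffff9c a1=55d0c0a1e2b0 a2=7ffc0b0d1a90 a3=0 items=1 '
    'ppid=101 pid=103 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
    'fsgid=0 tty=pts4 ses=1 comm="touch" exe="/bin/touch" key="times"',
    'type=CWD msg=audit(1503837800.000:266996): cwd="/tmp"',
    'type=PATH msg=audit(1503837800.000:266996): item=0 name="/tmp/f" inode=1234 '
    'dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
]

_HEAD = re.compile(r'type=(\w+)\s+msg=audit\(([\d.]+):(\d+)\):\s*(.*)')
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one audit record into a dict with 'type', 'time', 'serial' and
    the record's key=value fields (quotes stripped). Returns None if the
    line is not an audit record."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    fields.update(type=rtype, time=ts, serial=int(serial))
    return fields


def group_events(lines):
    """Group records by event serial; all records of one syscall share it."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec["serial"]].append(rec)
    return events


def find_missing_path(lines):
    """Return (serial, syscall name, by_descriptor) for every x86_64 SYSCALL
    record of a file-timestamp syscall whose event carries no PATH record
    (or states items=0). by_descriptor is True when a1, the pathname
    argument, is 0: the file was addressed by the descriptor in a0, so the
    kernel performed no path lookup for this call."""
    findings = []
    for serial, recs in sorted(group_events(lines).items()):
        types = {r["type"] for r in recs}
        for r in recs:
            if r["type"] != "SYSCALL" or r.get("arch") != "c000003e":
                continue
            nr = int(r.get("syscall", -1))
            if nr not in X86_64_TIME_SYSCALLS:
                continue
            if "PATH" not in types or r.get("items") == "0":
                by_descriptor = r.get("a1") == "0"
                findings.append((serial, X86_64_TIME_SYSCALLS[nr], by_descriptor))
    return findings


if __name__ == "__main__":
    for serial, name, by_fd in find_missing_path(SAMPLE_LINES):
        how = "descriptor-based call (a1=0)" if by_fd else "path-based call"
        print(f"event {serial}: {name} without PATH record, {how}")
```

Run it against `ausearch -k times --raw` output instead of SAMPLE_LINES to test a real kernel: a path-based call (a1 non-zero) showing up in the findings is the kernel-side gap Steve and Richard discuss; a descriptor-based one is expected behaviour, and the audited open() of that file is where to look for the PATH record.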
* Re: Why there is no PATH record for change file time syscalls ?(utimensat)
2017-09-08 13:27 ` Steve Grubb
@ 2017-09-08 15:15 ` Richard Guy Briggs
From: Richard Guy Briggs @ 2017-09-08 15:15 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
On 2017-09-08 09:27, Steve Grubb wrote:
> On Friday, September 8, 2017 4:41:47 AM EDT Richard Guy Briggs wrote:
> > On 2017-09-07 18:32, Steve Grubb wrote:
> > > On Wednesday, September 6, 2017 6:03:18 AM EDT Lev Olshvang wrote:
> > > > I got only following SYSCALL record in audit log for 'touch -t '
> > > > command, no CWD, no PATH record
> > >
> > > Out of curiosity, what kind of rule were you using?
> > >
> > > > type=SYSCALL msg=audit(1503837757.149:266995):
> > > > arch=c000003e syscall=280 success=yes exit=0 a0=0 a1=0 a2=7fffbb26bb10
> > > > a3=0 items=0 ppid=101 pid=102 auid=1000 uid=0 gid=31 euid=0 suid=0
> > > > fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=1 comm="touch"
> > > > exe="/bin/touch" key="times"
> > >
> > > I think you found a problem. I also think the syscall should be added to:
> > >
> > > include/asm-generic/audit_change_attr.h
> >
> > Steve, my naive addition of utime, utimes, futimesat and utimensat to
> > include/asm-generic/audit_change_attr.h seems to have made no
> > difference.
>
> There seem to be 2 problems. 1) the utimensat syscall not getting a path
> record, 2) you can't use the -F perms=a because the syscall tables seem to be
> way out of date. fchmodat seems to be the last syscall added. There's about 70
> new syscalls that need to be looked through and added. This is the easier of
> the 2 problems.
Ok, please file a github audit kernel issue with as much detail as you
can. This appears to be an upstream issue.
> -Steve
>
> > > I think this syscall and others have been added since the watch
> > > permissions files were setup.
> > >
> > > -Steve
> >
> > - RGB
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
* Re: Why there is no PATH record for change file time syscalls ?(utimensat)
2017-09-07 22:32 ` Steve Grubb
2017-09-08 8:41 ` Richard Guy Briggs
@ 2017-09-08 15:38 ` Steve Grubb
From: Steve Grubb @ 2017-09-08 15:38 UTC (permalink / raw)
To: linux-audit
On Thursday, September 7, 2017 6:32:39 PM EDT Steve Grubb wrote:
> On Wednesday, September 6, 2017 6:03:18 AM EDT Lev Olshvang wrote:
> > I got only following SYSCALL record in audit log for 'touch -t ' command,
> > no CWD, no PATH record
>
> Out of curiosity, what kind of rule were you using?
Also, which kernel are you seeing this on? I get full reporting on 4.11.12
-Steve
> > type=SYSCALL msg=audit(1503837757.149:266995):
> > arch=c000003e syscall=280 success=yes exit=0 a0=0 a1=0 a2=7fffbb26bb10
> > a3=0
> > items=0 ppid=101 pid=102 auid=1000 uid=0 gid=31 euid=0 suid=0 fsuid=0
> > egid=0 sgid=0 fsgid=0 tty=pts4 ses=1 comm="touch" exe="/bin/touch"
> > key="times"
>
> I think you found a problem. I also think the syscall should be added to:
>
> include/asm-generic/audit_change_attr.h
>
> I think this syscall and others have been added since the watch permissions
> files were setup.
>
> -Steve