From: Steve
Subject: Audit and file watching
Date: Wed, 14 Jun 2006 13:41:29 -0400
Message-ID: <44904A49.7090308@ornl.gov>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

I have been using Audit's file watching ability to monitor when files are opened. I decided to also try to monitor the deletion of files, so I told audit to watch for all syscalls pertaining to a particular file. I then tried opening the file; it worked as before. Then I tried to delete the file using 'rm /tmp/test.c'. The file was deleted from the filesystem, but audit only showed two syscalls being performed: lstat64 and access. Audit also sent a message saying:

... audit updated rules specifying watch="/tmp/test.c" ...

lstat64 and access cannot delete files on the filesystem, can they? I expected to see unlink... Any ideas?
Steve

Jun 14 13:21:06 otslab11 user_actions[8035]: type=1300, payload size=279
Jun 14 13:21:06 otslab11 user_actions[8035]: data="audit(1150305665.265:679): arch=40000003 syscall=196 success=yes exit=0 a0=bf8c7c49 a1=bf8c6fbc a2=8f1ff4 a3=bf8c7c49 items=1 ppid=7838 pid=8043 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="rm" exe="/bin/rm" subj=user_u:system_r:unconfined_t:s0"
Jun 14 13:21:06 otslab11 user_actions[8035]: type=1307, payload size=43
Jun 14 13:21:06 otslab11 user_actions[8035]: data="audit(1150305665.265:679): cwd="/tmp/test""
Jun 14 13:21:06 otslab11 user_actions[8035]: type=1302, payload size=143
Jun 14 13:21:06 otslab11 user_actions[8035]: data="audit(1150305665.265:679): item=0 name="/tmp/test.c" inode=5358237 dev=03:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:tmp_t:s0"
Jun 14 13:21:06 otslab11 user_actions[8035]: type=1300, payload size=264
Jun 14 13:21:06 otslab11 user_actions[8035]: data="audit(1150305665.265:680): arch=40000003 syscall=33 success=yes exit=0 a0=bf8c7c49 a1=2 a2=8f1ff4 a3=2 items=1 ppid=7838 pid=8043 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="rm" exe="/bin/rm" subj=user_u:system_r:unconfined_t:s0"
Jun 14 13:21:06 otslab11 user_actions[8035]: type=1307, payload size=43
Jun 14 13:21:06 otslab11 user_actions[8035]: data="audit(1150305665.265:680): cwd="/tmp/test""
Jun 14 13:21:06 otslab11 user_actions[8035]: type=1302, payload size=143
Jun 14 13:21:06 otslab11 user_actions[8035]: data="audit(1150305665.265:680): item=0 name="/tmp/test.c" inode=5358237 dev=03:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:tmp_t:s0"
Jun 14 13:21:06 otslab11 user_actions[8035]: type=1305, payload size=113
Jun 14 13:21:06 otslab11 user_actions[8035]: data="audit(1150305665.265:681): audit updated rules specifying watch="/tmp/test.c" with dev=4294967295 ino=4294967295 "
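Added example, not part of Steve's message and not code from the audit project: a small Python decoder for the raw user_actions records quoted above. It pairs each "type=N" line with the "data=" line that follows, groups records by the audit event serial (679, 680, 681), names the syscall numbers for arch 40000003 (AUDIT_ARCH_I386: 196 is lstat64, 33 is access, 10 would be unlink) and flags the type 1305 CONFIG_CHANGE record, in which the watch's dev and ino are both printed as 4294967295, i.e. 0xffffffff. The record-type and i386 syscall numbers are taken from the kernel headers; reading the 0xffffffff dev/ino as "the watched inode is gone" is this example's interpretation, not something the post states. The sample log is the post's own twelve lines, embedded as a constant.

```python
"""Decode raw audit records of the form quoted in the post: pair each
"type=N, payload size=M" line with the following "data=" line, group
records by event serial, name i386 syscalls and flag watch updates."""
import re
from collections import OrderedDict

# Record type numbers from linux/audit.h.
AUDIT_SYSCALL, AUDIT_PATH, AUDIT_CONFIG_CHANGE, AUDIT_CWD = 1300, 1302, 1305, 1307

AUDIT_ARCH_I386 = 0x40000003  # EM_386 | __AUDIT_ARCH_LE, printed as arch=40000003
# i386 syscall numbers; only those relevant to an rm(1) of a single file.
I386_SYSCALLS = {10: "unlink", 33: "access", 196: "lstat64", 301: "unlinkat"}

HEADER_RE = re.compile(r"type=(\d+), payload size=\d+")
DATA_RE = re.compile(r'data="audit\(([\d.]+):(\d+)\): (.*)"\s*$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: the twelve user_actions lines from the post, verbatim.
SAMPLE = """\
Jun 14 13:21:06 otslab11 user_actions[8035]: type=1300, payload size=279
Jun 14 13:21:06 otslab11 user_actions[8035]: data="audit(1150305665.265:679): arch=40000003 syscall=196 success=yes exit=0 a0=bf8c7c49 a1=bf8c6fbc a2=8f1ff4 a3=bf8c7c49 items=1 ppid=7838 pid=8043 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="rm" exe="/bin/rm" subj=user_u:system_r:unconfined_t:s0"
Jun 14 13:21:06 otslab11 user_actions[8035]: type=1307, payload size=43
Jun 14 13:21:06 otslab11 user_actions[8035]: data="audit(1150305665.265:679): cwd="/tmp/test""
Jun 14 13:21:06 otslab11 user_actions[8035]: type=1302, payload size=143
Jun 14 13:21:06 otslab11 user_actions[8035]: data="audit(1150305665.265:679): item=0 name="/tmp/test.c" inode=5358237 dev=03:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:tmp_t:s0"
Jun 14 13:21:06 otslab11 user_actions[8035]: type=1300, payload size=264
Jun 14 13:21:06 otslab11 user_actions[8035]: data="audit(1150305665.265:680): arch=40000003 syscall=33 success=yes exit=0 a0=bf8c7c49 a1=2 a2=8f1ff4 a3=2 items=1 ppid=7838 pid=8043 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="rm" exe="/bin/rm" subj=user_u:system_r:unconfined_t:s0"
Jun 14 13:21:06 otslab11 user_actions[8035]: type=1307, payload size=43
Jun 14 13:21:06 otslab11 user_actions[8035]: data="audit(1150305665.265:680): cwd="/tmp/test""
Jun 14 13:21:06 otslab11 user_actions[8035]: type=1302, payload size=143
Jun 14 13:21:06 otslab11 user_actions[8035]: data="audit(1150305665.265:680): item=0 name="/tmp/test.c" inode=5358237 dev=03:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:tmp_t:s0"
Jun 14 13:21:06 otslab11 user_actions[8035]: type=1305, payload size=113
Jun 14 13:21:06 otslab11 user_actions[8035]: data="audit(1150305665.265:681): audit updated rules specifying watch="/tmp/test.c" with dev=4294967295 ino=4294967295 "
"""


def parse_records(text):
    """Return a list of {type, ts, serial, fields, msg} dicts, one per record."""
    records, pending_type = [], None
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:                       # "type=N, payload size=M" announces the next data line
            pending_type = int(m.group(1))
            continue
        m = DATA_RE.search(line)
        if m and pending_type is not None:
            msg = m.group(3)
            fields = {k: v.strip('"') for k, v in FIELD_RE.findall(msg)}
            records.append({"type": pending_type, "ts": m.group(1),
                            "serial": int(m.group(2)), "fields": fields, "msg": msg})
            pending_type = None
    return records


def syscall_name(arch_hex, nr):
    """Map a syscall number to a name for the given audit arch (hex string)."""
    if int(arch_hex, 16) == AUDIT_ARCH_I386:
        return I386_SYSCALLS.get(nr, "i386#%d" % nr)
    return "arch%s#%d" % (arch_hex, nr)


def summarize(text):
    """Group records by event serial; one summary dict per event, in log order."""
    events = OrderedDict()
    for rec in parse_records(text):
        ev = events.setdefault(rec["serial"], {"syscall": None, "comm": None,
                                               "paths": [], "watch": None})
        f = rec["fields"]
        if rec["type"] == AUDIT_SYSCALL:
            ev["syscall"] = syscall_name(f["arch"], int(f["syscall"]))
            ev["comm"], ev["success"] = f.get("comm"), f.get("success")
        elif rec["type"] == AUDIT_PATH:
            ev["paths"].append((f.get("name"), int(f["inode"])))
        elif rec["type"] == AUDIT_CONFIG_CHANGE and "watch" in f:
            ev["watch"] = f["watch"]
            # dev/ino are printed unsigned; 4294967295 is 0xffffffff, (u32)-1.
            # Assumption of this example: that marks a watch whose inode went away.
            ev["watch_invalidated"] = (int(f["dev"]) == 0xFFFFFFFF
                                       and int(f["ino"]) == 0xFFFFFFFF)
    return events


def syscalls_seen(text):
    """Names of the syscalls that actually produced SYSCALL records."""
    return [ev["syscall"] for ev in summarize(text).values() if ev["syscall"]]


def deletion_recorded(text):
    """True only if an unlink/unlinkat SYSCALL record is present in the log."""
    return any(s in ("unlink", "unlinkat") for s in syscalls_seen(text))


if __name__ == "__main__":
    for serial, ev in summarize(SAMPLE).items():
        print(serial, ev)
    print("deletion recorded:", deletion_recorded(SAMPLE))
```

Run against the quoted log, the decoder reports lstat64 and access for events 679 and 680 (both on /tmp/test.c, inode 5358237), no unlink or unlinkat record at all, and a watch update for event 681 with dev and ino both 0xffffffff. The point for a practitioner checking their own watch rules is the same as in the post: the absence of an unlink record is not proof that nothing was deleted, so a deletion monitor needs a check that the watch itself survived, not just a filter on syscall names.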