From: zhangxiliang
Subject: Re: file watch result help
Date: Mon, 21 Jul 2008 13:16:37 +0800
Message-ID: <48841BB5.6080904@cn.fujitsu.com>
In-Reply-To: <1216612916.8213.23.camel@homeserver>
To: LC Bruzenak
Cc: Linux Audit
List-Id: linux-audit@redhat.com

LC Bruzenak said the following on 2008-07-21 12:01:
> Looking for help/advice:
>
> I had a new file (/usr/lib/AuditProxy) I installed via RPM with
> CAP_AUDIT_WRITE assigned.
> I noticed after a couple of days it was removed.
> So I added a file watch and waited.
>
> The file got changed, this was audited, however I cannot really nail down
> who/how it got changed as of yet...hopefully someone can either
> enlighten me on this or else give me a clue on how to install a better
> watch rule.
>
> I used:
> -w /usr/libexec/AuditProxy -k PROXY
>
> and now that the CAP has been removed I see the following activity (with
> "ausearch -i -k PROXY"):
>
> type=PATH msg=audit(07/18/2008 04:12:24.677:60925) : item=0
> name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
> type=CWD msg=audit(07/18/2008 04:12:24.677:60925) : cwd=/
> type=SYSCALL msg=audit(07/18/2008 04:12:24.677:60925) : arch=x86_64
> syscall=open success=yes exit=4 a0=2626330 a1=0 a2=0 a3=100 items=1
> ppid=29219 pid=29228 auid=root uid=root gid=root euid=root suid=root
> fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632
> comm=prelink exe=/usr/sbin/prelink
> subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY
> ----
> type=PATH msg=audit(07/18/2008 04:12:24.678:60926) : item=0
> name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
> type=CWD msg=audit(07/18/2008 04:12:24.678:60926) : cwd=/
> type=SYSCALL msg=audit(07/18/2008 04:12:24.678:60926) : arch=x86_64
> syscall=open success=yes exit=3 a0=3e2ba1dc68 a1=0 a2=0 a3=7fff332a1f8b
> items=1 ppid=29228 pid=29354 auid=root uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632
> comm=ld-linux-x86-64 exe=/lib64/ld-2.8.so
> subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY
> ----
> type=PATH msg=audit(07/18/2008 04:12:24.811:60927) : item=0
> name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
> type=CWD msg=audit(07/18/2008 04:12:24.811:60927) : cwd=/
> type=SYSCALL msg=audit(07/18/2008 04:12:24.811:60927) : arch=x86_64
> syscall=open success=yes exit=3 a0=2520b90 a1=0 a2=70dc80 a3=24e3880
> items=1 ppid=29219 pid=29228 auid=root uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632
> comm=prelink exe=/usr/sbin/prelink
> subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY
> ----
> type=PATH msg=audit(07/18/2008 04:12:24.811:60928) : item=0
> name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
> type=CWD msg=audit(07/18/2008 04:12:24.811:60928) : cwd=/
> type=SYSCALL msg=audit(07/18/2008 04:12:24.811:60928) : arch=x86_64
> syscall=open success=yes exit=4 a0=3e2ba1dc68 a1=0 a2=0 a3=7fffb5a95f70
> items=1 ppid=29228 pid=29358 auid=root uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632
> comm=ld-linux-x86-64 exe=/lib64/ld-2.8.so
> subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY
> ----
> type=PATH msg=audit(07/18/2008 04:12:24.820:60929) : item=0
> name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
> type=CWD msg=audit(07/18/2008 04:12:24.820:60929) : cwd=/
> type=SYSCALL msg=audit(07/18/2008 04:12:24.820:60929) : arch=x86_64
> syscall=getxattr success=yes exit=27 a0=7fff2d0c1070 a1=4d97e6
> a2=26351d0 a3=ff items=1 ppid=29219 pid=29228 auid=root uid=root
> gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
> tty=(none) ses=632 comm=prelink exe=/usr/sbin/prelink
> subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY
> ----
> type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=4
> name=/usr/libexec/AuditProxy inode=61043 dev=fd:00 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
> type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=3
> name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
> type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=2
> name=/usr/libexec/AuditProxy.#prelink#.BJ0RCF inode=61043 dev=fd:00
> mode=file,755 ouid=root ogid=root rdev=00:00
> obj=system_u:object_r:bin_t:s0
> type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=1
> name=/usr/libexec/ inode=63847 dev=fd:00 mode=dir,755 ouid=root
> ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
> type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=0
> name=/usr/libexec/ inode=63847 dev=fd:00 mode=dir,755 ouid=root
> ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
> type=CWD msg=audit(07/18/2008 04:12:24.821:60932) : cwd=/
> type=SYSCALL msg=audit(07/18/2008 04:12:24.821:60932) : arch=x86_64
> syscall=rename success=yes exit=0 a0=7fff2d0c1030 a1=7fff2d0c1070 a2=31
> a3=1b items=5 ppid=29219 pid=29228 auid=root uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632
> comm=prelink exe=/usr/sbin/prelink
> subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY
>
>
> So the file is getting moved to a temp file and then back (is the
> prelink doing this?) with the result being that the CAP is erased.
>
> Not certain what is doing this in my system.
> Any clues or instructions on how to narrow the search?

Could you supply the audit message whose type is "AUDIT_CONFIG_CHANGE" in your result?

>
> Thx,
> LCB.
>
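Added example, written for this archive page and not code from either participant in the thread: a small Python parser for the `ausearch -i` records quoted above. It groups records by event serial and flags rename events in which the watched name appears with two different inodes, which is exactly what event 60932 shows (item=3 carries the old inode 59928, item=4 the new inode 61043 that was created as the `.#prelink#.` temp file). A changed inode means the file object was swapped out rather than edited in place, so any xattr-based file capability on the old object is gone with it. The sample input is copied from the records quoted in the thread, trimmed to two events; the function and variable names are my own.

```python
"""Find which process replaced a watched file, from ausearch -i records."""
import re
from collections import defaultdict

# Copied from the records quoted in this thread, trimmed to two events
# (the first open() and the final rename()); each record is one line here.
SAMPLE_LOG = """\
type=PATH msg=audit(07/18/2008 04:12:24.677:60925) : item=0 name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=CWD msg=audit(07/18/2008 04:12:24.677:60925) : cwd=/
type=SYSCALL msg=audit(07/18/2008 04:12:24.677:60925) : arch=x86_64 syscall=open success=yes exit=4 a0=2626330 a1=0 a2=0 a3=100 items=1 ppid=29219 pid=29228 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632 comm=prelink exe=/usr/sbin/prelink subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY
----
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=4 name=/usr/libexec/AuditProxy inode=61043 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=3 name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=2 name=/usr/libexec/AuditProxy.#prelink#.BJ0RCF inode=61043 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=1 name=/usr/libexec/ inode=63847 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=0 name=/usr/libexec/ inode=63847 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
type=CWD msg=audit(07/18/2008 04:12:24.821:60932) : cwd=/
type=SYSCALL msg=audit(07/18/2008 04:12:24.821:60932) : arch=x86_64 syscall=rename success=yes exit=0 a0=7fff2d0c1030 a1=7fff2d0c1070 a2=31 a3=1b items=5 ppid=29219 pid=29228 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632 comm=prelink exe=/usr/sbin/prelink subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY
"""

# "type=PATH msg=audit(<timestamp>:<serial>) : <key=value fields>"
RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([^)]*):(\d+)\) : (.*)$')
FIELD_RE = re.compile(r'(\w+)=(\S+)')


def parse_events(text):
    """Group ausearch -i records by event serial.

    Returns {serial: {record_type: [field_dict, ...]}}; the '----' separators
    that ausearch prints between events are skipped.
    """
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, stamp, serial, rest = m.groups()
        fields = dict(FIELD_RE.findall(rest))
        fields["_time"] = stamp
        events[int(serial)][rtype].append(fields)
    return dict(events)


def find_replacements(events, watched):
    """Return rename events in which `watched` shows up under two inodes.

    Each finding records the responsible process from the SYSCALL record and
    the non-directory names involved, so the temp file used in the swap is
    visible alongside the old and new inode of the watched path.
    """
    findings = []
    for serial in sorted(events):
        recs = events[serial]
        syscalls = recs.get("SYSCALL") or [{}]
        sc = syscalls[0]
        if sc.get("syscall") != "rename":
            continue
        paths = recs.get("PATH") or []
        inodes = {p["inode"] for p in paths if p.get("name") == watched}
        if len(inodes) < 2:
            continue  # renamed in place or not our file; no object swap
        findings.append({
            "serial": serial,
            "time": sc.get("_time"),
            "comm": sc.get("comm"),
            "exe": sc.get("exe"),
            "pid": sc.get("pid"),
            "ppid": sc.get("ppid"),
            "inodes": sorted(inodes),
            "temp_names": sorted(p["name"] for p in paths
                                 if p.get("name") != watched
                                 and p.get("mode", "").startswith("file")),
        })
    return findings


if __name__ == "__main__":
    for f in find_replacements(parse_events(SAMPLE_LOG), "/usr/libexec/AuditProxy"):
        print("event %d at %s: %s (%s, pid %s, ppid %s) replaced inode %s with %s via %s"
              % (f["serial"], f["time"], f["comm"], f["exe"], f["pid"], f["ppid"],
                 f["inodes"][0], f["inodes"][1], ", ".join(f["temp_names"])))
```

On a live system the same parser can be fed `ausearch -i -k PROXY` output via `ausearch ... | python3 thisfile.py` with `sys.stdin.read()` in place of `SAMPLE_LOG`; the point of keying on the inode pair rather than on `comm` is that any tool that rewrites a binary by rename (not only prelink) produces the same signature, and the watch rule catches it because `-w` follows the path, not the inode.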