From: Casey Schaufler <casey@schaufler-ca.com>
To: Eric Paris <eparis@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: linux-audit: reconstruct path names from syscall events?
Date: Fri, 07 Oct 2011 14:38:41 -0700
Message-ID: <4E8F7161.5010208@schaufler-ca.com>
In-Reply-To: <1318012073.3420.4.camel@localhost>
On 10/7/2011 11:27 AM, Eric Paris wrote:
> On Fri, 2011-10-07 at 10:20 -0700, Casey Schaufler wrote:
>> On 10/7/2011 6:50 AM, Eric Paris wrote:
>>> Casey only talked about the easy part of the reason the pathnames are
>>> useless. He forgot to mention
>> I didn't forget to mention the whole mount point thingy.
>> People always get hung up in coming up with ways to explain
>> around the problem, and having already identified the root
>> cause of the problem
> Ok, fair enough. I guess I just saw two root problems, not just one. You
> mentioned there existing multiple names for the same object. I was
> thinking of there not existing any name for an object which makes
> sense at a 'system wide' level. In any case, we might be able to get
> some more pathname-like info, but it's never (like Casey so sagely said)
> going to be truly useful....
The worst case is 4000 processes that opened the file under 4000
different pathnames, all of which have since been unlinked, doing
fchmod. At the time of fchmod there is no pathname that refers to
the file, although 4000 pathnames are associated with the object
whose mode is getting changed. The dev/inode pair is the only
externally visible identifier that could possibly be used to
name the file in the log, and as you point out, the dev is not
reliable.
Now even with that, a path name could be useful. It just can't
be considered definitive or unique. As for audit tracking, you
really ought to be able to say things like "show me everything
that happens to the file that is currently called /etc/shadow"
and "show me everything that happens to any file called /etc/shadow",
even though the two statements are radically different underneath.
The problem is that 99 44/100% of the people looking at or setting
up audit trails are going to be disinterested in or possibly
incapable of making the distinction. Let's face it, most people
shouldn't be using computers capable of running anything except
AngryBirds.
>
> -Eric
>
>
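The two queries Casey distinguishes ("the file that is currently called /etc/shadow" versus "any file called /etc/shadow") come out differently once you key on the dev/inode pair instead of the name. The script below is an added example, not code from this thread or from the audit project; the audit records, inode numbers and the simplified record parsing are all constructed for illustration, and the fchmod event is written without a PATH record to show the unlinked-name case the message describes.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from a real system). The file called
# /etc/shadow is first opened in place (inode 131), then replaced by a rename
# that gives the name a new inode (140), then chmod'ed by name, then fchmod'ed
# through an open descriptor, which in this constructed log has no PATH record.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1318012073.100:101): arch=c000003e syscall=2 success=yes exit=3 comm="vi" exe="/usr/bin/vi"
type=PATH msg=audit(1318012073.100:101): item=0 name="/etc/shadow" inode=131 dev=fd:01 mode=0100640
type=SYSCALL msg=audit(1318012073.200:102): arch=c000003e syscall=82 success=yes exit=0 comm="mv" exe="/bin/mv"
type=PATH msg=audit(1318012073.200:102): item=0 name="/etc/shadow.new" inode=140 dev=fd:01 mode=0100640
type=PATH msg=audit(1318012073.200:102): item=1 name="/etc/shadow" inode=131 dev=fd:01 mode=0100640
type=SYSCALL msg=audit(1318012073.300:103): arch=c000003e syscall=90 success=yes exit=0 comm="chmod" exe="/bin/chmod"
type=PATH msg=audit(1318012073.300:103): item=0 name="/etc/shadow" inode=140 dev=fd:01 mode=0100600
type=SYSCALL msg=audit(1318012073.400:104): arch=c000003e syscall=91 success=yes exit=0 comm="fchmod-test" exe="/tmp/fchmod-test"
"""

_HEAD = re.compile(r'^type=(\w+) msg=audit\([\d.]+:(\d+)\):(.*)$')
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Group lines by audit event serial: {serial: {"syscall": {...}, "paths": [...]}}."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in text.splitlines():
        m = _HEAD.match(line.strip())
        if not m:
            continue
        rtype, serial, body = m.group(1), int(m.group(2)), m.group(3)
        fields = {k: v.strip('"') for k, v in _KV.findall(body)}
        if rtype == "SYSCALL":
            events[serial]["syscall"] = fields
        elif rtype == "PATH":
            events[serial]["paths"].append(fields)
    return dict(events)


def events_for_name(events, name):
    """'Any file called <name>': every event whose PATH records mention that name."""
    return sorted(s for s, e in events.items()
                  if any(p.get("name") == name for p in e["paths"]))


def events_for_object(events, dev, inode):
    """'The object itself': events touching this dev/inode, whatever it was called at the time."""
    return sorted(s for s, e in events.items()
                  if any(p.get("dev") == dev and p.get("inode") == str(inode) for p in e["paths"]))


def unattributable(events):
    """Events with no PATH record at all: neither query can link them to a file."""
    return sorted(s for s, e in events.items() if not e["paths"])
```

To answer "the file currently called /etc/shadow" on a live system you would first stat the name to get its present dev/inode and then call events_for_object with that pair; the name-based query catches the earlier inode 131 that no longer carries the name, and the fchmod event is reachable by neither.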