* Fwd: linux auditd: Not getting log for chmod syscall
[not found] ` <4F1ECDD2.5040907@linux.vnet.ibm.com>
@ 2012-01-24 15:30 ` bharat gupta
2012-01-24 16:03 ` Steve Grubb
0 siblings, 1 reply; 6+ messages in thread
From: bharat gupta @ 2012-01-24 15:30 UTC (permalink / raw)
To: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 20481 bytes --]
>
>
>
> Last time it was working for chmod but this time when i am
> trying to get log for open system call, i have made similar
> changes in rules but did not get any log can you suggest
> something. details are given below:
>
> *rules*:
>
> -a always,exit -F arch=b32 -S creat -S open -S openat -S
> truncate -F exit=-EACCES -F auid!=4294967295 -k access
> -a always,exit -F arch=b32 -S creat -S open -S openat -S
> truncate -F exit=-EPERM -F auid!=4294967295 -k access
> -a always,exit -F arch=b64 -S creat -S open -S openat -S
> truncate -F exit=-EACCES -F auid!=4294967295 -k access
> -a always,exit -F arch=b64 -S creat -S open -S openat -S
> truncate -F exit=-EPERM -F auid!=4294967295 -k access
>
> *strace output*: file have been attached named as "output for
> open sytem call.txt"
>
>
> strace -o /root/open_output open w
> /root/test01
>
> *
> *
> *auditctl -l output*: file have been attached named "auditctl
> -l output.txt"
>
>
> file have been attached
>
>
> On Fri, Jan 20, 2012 at 9:53 AM, bharat gupta
> <bharatguptagg@gmail.com <mailto:bharatguptagg@gmail.**com<bharatguptagg@gmail.com>
> >
> <mailto:bharatguptagg@gmail.**com <bharatguptagg@gmail.com>
>
> <mailto:bharatguptagg@gmail.**com <bharatguptagg@gmail.com>>>>
> wrote:
>
> Hi,
> Finally we got the log by doing as you have told me to
> remove
> auid >=500. generated log is like :
>
> time->Fri Jan 20 05:19:45 2012
> type=PATH msg=audit(1327033185.331:**1561983): item=0
> name=(null)
> inode=235577256
> dev=00:06 mode=0140777 ouid=0 ogid=0 rdev=00:00
> type=SYSCALL msg=audit(1327033185.331:**1561983): arch=c000003e
> syscall=91 success
> =yes exit=0 a0=d a1=100 a2=0
> a3=7fffa34b3740 items=1
> ppid=83194 pid=1287823 auid
> =0 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) ses=216 co
> mm="mmdsm"
> exe="/bin/ksh" key="perm_mod"
>
> Thanks for helping so much.
>
> On Thu, Jan 19, 2012 at 5:43 PM, Marcelo Cerri
> <mhcerri@linux.vnet.ibm.com
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>
> >>>
>
> wrote:
>
> So that's the problem :)
>
> root user id is 0 and your rule will only match user
> id's >=
> 500 (which is usually used for regular users).
>
> The auid field is the original user id. So if you were
> logged
> in as a regular user and tried to run chmod using sudo then
> your rule would worked.
>
> Try to remove the -F auid>=500.
>
> Regards,
> Marcelo
>
>
> On 01/19/2012 09:57 AM, bharat gupta wrote:
>
> yes i have been login as root in base machine and then
> login to virtual cluster.
>
> On Thu, Jan 19, 2012 at 5:25 PM, Marcelo Cerri
> <mhcerri@linux.vnet.ibm.com <mailto:mhcerri@linux.vnet.**ibm.com<mhcerri@linux.vnet.ibm.com>
> >
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>>>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>>>>>
> wrote:
>
> I noticed that you are changing permission on a
> file in
> /root dir.
>
> Are you running chmod as root? More precisily,
> are you
> logged in
> directly as root?
>
>
>
> On 01/19/2012 09:42 AM, bharat gupta wrote:
>
> Q1. Is this the only rule that you have? What is
> the output
> for "auditctl -l"?
>
> Ans. This is not the only rule i am running.
> output
> of auditcl
> -l is given in attached file named
> "auditctl-l_output.txt".
>
> Q2. What is the architecture that you are
> running on?
> Ans. architecture detail is gien in attached
> file named
> "architecture.txt".
>
> Q3. Which program are you using to changing
> the file
> permissions? Is it running as which user?
> Ans. strace -o /root/temp/output_chmod chmod 777
> /root/test02
> and its output is given in attached
> file named
> "output_chmod.txt".
>
> On Thu, Jan 19, 2012 at 4:45 PM, Marcelo Cerri
> <mhcerri@linux.vnet.ibm.com <mailto:mhcerri@linux.vnet.**ibm.com<mhcerri@linux.vnet.ibm.com>
> >
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>>>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>
> >>>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>>>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>>>>>>
> wrote:
>
>
> Some questions:
>
> 1. Is this the only rule that you have?
> What is
> the output for
> "auditctl -l"?
>
> 2. What is the architecture that you are
> running on?
>
> 3. Which program are you using to
> changing the file
> permissions?
> Is it running as which user?
>
> Regards,
> Marcelo
>
> PS: I think that it's important to keep the
> discussion in the
> mailing list. Other people with the same
> issue
> can can
> access this
> thread later.
>
>
>
> On 01/19/2012 08:16 AM, bharat gupta wrote:
>
> If i will remove quotes then it will be
> simmilar to the
> previous rule which was not giving
> any log.
> what should i do to get logs.
> Thanks
>
> 18, 2012 at 5:40 PM, Marcelo Cerri
> <mhcerri@linux.vnet.ibm.com <mailto:mhcerri@linux.vnet.**ibm.com<mhcerri@linux.vnet.ibm.com>
> >
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>>>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>
> >>>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>>>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>
> >>>>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>>>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>
> >>>
>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>>>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>
> <mailto:mhcerri@linux.vnet.**ibm.com <mhcerri@linux.vnet.ibm.com>>>>>>>
> wrote:
>
> Just remove the quotes. It's only
> necessary when running
> auditctl
> directly from bash.
>
> Regards,
> Marcelo
>
>
> On 01/18/2012 09:10 AM, bharat
> gupta wrote:
>
> when i am using auid>=500 in quote
> like u have
> told -a
> always,exit -F arch=b64 -S
> chmod -S
> fchmod -S
> fchmodat -F
> 'auid>=500' -F auid!=4294967295 -k
> perm_mod
>
> it is giving error :
> #service auditd restart
> Stopping auditd:
> [
> OK ]
> Starting auditd:
> [
> OK ]
> -F unknown field: "auid
> There was an error in line 102 of
> /etc/audit/audit.rules
>
>
>
> On Sat, Jan 14, 2012 at 1:34 AM,
> Steve Grubb
> <sgrubb@redhat.com <mailto:sgrubb@redhat.com>
> <mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>
> <mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>
> <mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>>
> <mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>
> <mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>
> <mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>
> <mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>>>
> <mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>
> <mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>
> <mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>
> <mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>>
> <mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>
> <mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>
> <mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>
> <mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>>>>
> <mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>
> <mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>
> <mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>
> <mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>>
> <mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>
> <mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>
> <mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>
> <mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>>>
> <mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>
> <mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>
> <mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>
> <mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>>
> <mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>
> <mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>
> <mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>
> <mailto:sgrubb@redhat.com <mailto:sgrubb@redhat.com>>>>>**>>
> wrote:
>
> On Thursday, January 12, 2012
> 11:52:29 PM bharat
> gupta wrote:
> > I am using redhat 6, and trying to create logs for some
> system
> call using
> > the rule given below:
> >
> > *-a always,exit -F arch=b64 -S chmod -S fchmod -S
> fchmodat -F
> auid>=500
> > -F auid!=4294967295 -k perm_mod*
>
> The rule works for me.
>
> # auditctl -a always,exit -F
> arch=b64 -S
> chmod -S
> fchmod -S
> fchmodat -F
> 'auid>=500' -F
> auid!=4294967295 -k
> perm_mod
>
> I don't have any asterisk and I
> have single
> quote marks
> since bash
> will
> interpret the > as a
> redirection.
> But then
> doing a chmod
> command,
> it does pick
> up the fchmodat() syscall.
>
>
> > After running command chmod i was not able to get any
> log, but
> when i used
> > strace command i have seen that syscall have been called.
> > I also checked that auditd service is running properly.
>
> When you use auditctl -l,
> is the
> rule just
> like you
> expected?
>
> LIST_RULES: exit,always
> arch=3221225534
> (0xc000003e)
> auid>=500
> (0x1f4) auid!=-1
> (0xffffffff) key=perm_mod
> syscall=chmod,fchmod,fchmodat
>
> It should just work unless
> you are
> on a
> distribution
> that
> does not
> really
> support auditing.
>
> -Steve
>
>
>
>
> -- Bharat Gupta
> IIT -Roorkee
>
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**>
> <mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**>>
> <mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**>
> <mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**>>>
> <mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**>
> <mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**>>
> <mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**>
> <mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**>>>>
> <mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**>
> <mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**>>
> <mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**>
> <mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**>>>
> <mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**>
> <mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**>>
> <mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**>
> <mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**
> >>>>>
>
>
>
> https://www.redhat.com/**mailman/listinfo/linux-audit<https://www.redhat.com/mailman/listinfo/linux-audit>
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**>
> <mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**>>
> <mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**>
> <mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**>>>
> <mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**>
> <mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**>>
> <mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**>
> <mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**>>>>
> <mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**>
> <mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**>>
> <mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**>
> <mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**>>>
> <mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**>
> <mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**>>
> <mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**>
> <mailto:Linux-audit@redhat.com <mailto:Linux-audit@redhat.com**
> >>>>>
>
>
>
> https://www.redhat.com/**mailman/listinfo/linux-audit<https://www.redhat.com/mailman/listinfo/linux-audit>
>
>
>
>
> -- Bharat Gupta
> IIT -Roorkee
>
>
>
>
>
>
> -- Thanks,
> Bharat Gupta
> IIT -Roorkee
>
>
>
>
>
>
> -- Thanks,
> Bharat Gupta
> IIT -Roorkee
>
>
>
>
>
>
> -- Thanks,
> Bharat Gupta
> IIT -Roorkee
>
>
>
>
>
> -- Thanks,
> Bharat Gupta
> IIT -Roorkee
>
>
>
>
>
>
> --
> Thanks,
> Bharat Gupta
> IIT -Roorkee
>
>
>
--
Thanks,
Bharat Gupta
IIT -Roorkee
[-- Attachment #1.2: Type: text/html, Size: 34609 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread