From: Orion Poplawski <orion@nwra.com>
To: Lenny Bruzenak <lenny@magitekltd.com>, linux-audit@redhat.com
Subject: Re: Is auditing ftruncate useful?
Date: Thu, 6 Feb 2020 11:12:32 -0700 [thread overview]
Message-ID: <8010cdd2-468b-ac87-54f1-2846baf28d28@nwra.com> (raw)
In-Reply-To: <7f299e8c-6888-91eb-8feb-91e37fb87fd2@magitekltd.com>
On 2/6/20 8:37 AM, Lenny Bruzenak wrote:
> On 2/5/20 4:27 PM, Orion Poplawski wrote:
>
>> I would like to track file modifications made by a specific UID. I have:
>>
>> -a exit,never -F dir=/proc/
>> -a exit,never -F dir=/var/cache/
>> -a exit,never -F path=/etc/passwd -F exe=/usr/bin/kdeinit4
>> -a exit,never -F exe=/usr/libexec/gam_server
>> -a always,exit -F arch=b32 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F uid=XXXXX -k watched_users
>> -a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F uid=XXXXX -k watched_users
>>
>> but as near as I can tell, this is all that gets logged for ftruncate:
>>
>>
>> type=SYSCALL msg=audit(1580944297.114:831002): arch=c000003e syscall=77 success=yes exit=0 a0=33 a1=28 a2=7f3417100018 a3=1 items=0 ppid=23746 pid=23816 auid=XXXXX uid=XXXXX gid=XXXXX euid=XXXXX suid=XXXXX fsuid=XXXXX egid=XXXXX sgid=XXXXX fsgid=XXXXX tty=(none) ses=1 comm=57656220436F6E74656E74 exe="/usr/lib64/firefox/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="watched_users"
>> type=PROCTITLE msg=audit(1580944297.114:831002): proctitle=2F7573722F6C696236342F66697265666F782F66697265666F78002D636F6E74656E7470726F63002D6368696C6449440031002D6973466F7242726F77736572002D70726566734C656E0031002D707265664D617053697A6500313833303834002D706172656E744275696C644944003230323030313133313131393133002D
>>
>>
>> which does not appear to contain enough information to determine what file was
>> truncated. Am I missing something?
>>
>> This is on EL7.
>>
> For starters, I'd interpret:
>
> # ausearch -i -k watched_users
>
> LCB
>
Doesn't seem much better:
type=PROCTITLE msg=audit(02/06/2020 10:58:23.626:119631) : proctitle=/bin/bash /usr/bin/thunderbird
type=SYSCALL msg=audit(02/06/2020 10:58:23.626:119631) : arch=x86_64 syscall=ftruncate success=yes exit=0 a0=0x4a a1=0x28 a2=0x7f1e41600018 a3=0xfffffe00 items=0 ppid=2451 pid=3561 auid=USER uid=USER gid=USER euid=USER suid=USER fsuid=USER egid=USER sgid=USER fsgid=USER tty=(none) ses=1 comm=thunderbird exe=/usr/lib64/thunderbird/thunderbird subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=watched_users
Why no PATH entry? I have them for things like open:
type=PROCTITLE msg=audit(02/06/2020 10:59:05.170:120649) : proctitle=kdeinit4: konsole [kdeinit] -session 102311da
type=PATH msg=audit(02/06/2020 10:59:05.170:120649) : item=0 name=/etc/passwd inode=1323462 dev=08:07 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(02/06/2020 10:59:05.170:120649) : cwd=/home/USER
type=SYSCALL msg=audit(02/06/2020 10:59:05.170:120649) : arch=x86_64 syscall=open success=yes exit=26 a0=0x7fe1b291b552 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=1 ppid=1 pid=3141 auid=USER uid=USER gid=USER euid=USER suid=USER fsuid=USER egid=USER sgid=USER fsgid=USER tty=(none) ses=1 comm=konsole exe=/usr/bin/kdeinit4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=watched_users
or even with other rules for fchown:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
type=PROCTITLE msg=audit(02/06/2020 10:59:30.562:59894) : proctitle=kwin -session 106f726361000123384967700000029380000_1548775895_794186
type=PATH msg=audit(02/06/2020 10:59:30.562:59894) : item=0 name=(null) inode=595335 dev=fd:01 mode=file,600 ouid=USER ogid=USER rdev=00:00 obj=unconfined_u:object_r:config_home_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=SYSCALL msg=audit(02/06/2020 10:59:30.562:59894) : arch=x86_64 syscall=fchown success=yes exit=0 a0=0xd a1=0x584b a2=0x584b a3=0xc items=1 ppid=27089 pid=27152 auid=USER uid=USER gid=USER euid=USER suid=USER fsuid=USER egid=USER sgid=USER fsgid=USER tty=(none) ses=16 comm=kwin exe=/usr/bin/kwin subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=perm_mod
There I only get an inode entry which I'll have to interpret - but that seems
expected for syscalls that operate on file handles.
Thanks.
--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion@nwra.com
Boulder, CO 80301 https://www.nwra.com/
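Added example, not from this thread or from the audit userspace tools: the ftruncate record above only carries the descriptor in a0 (0x4a = fd 74) and no PATH item, while the open record for the same pid carries both the PATH name and the new descriptor in exit. The script below replays `ausearch -i` output in event order, builds a per-pid fd table from successful open/openat/creat/open_by_handle_at records and uses it to annotate later ftruncate/fchown-style records with a path. The log lines it parses are constructed for the example (field names, timestamps and values follow the ausearch -i format shown above, but pids, inodes and paths are made up); it assumes the rule set also logs close so stale entries can be evicted, and it cannot see dup/dup2, descriptors inherited across fork/exec, or opens the rules did not match, so an unresolved fd (None) or a stale mapping is possible.

```python
"""Map the fd in a0 of an fd-based audit syscall (ftruncate, fchown, ...) back to
a path by correlating it with the earlier open-like record for the same pid.
Example code, not part of audit userspace; SAMPLE_LOG below is constructed."""
import re
from collections import defaultdict

FD_PRODUCERS = {"open", "openat", "creat", "open_by_handle_at"}       # exit = new fd
FD_CONSUMERS = {"ftruncate", "fchown", "fchmod", "fsetxattr", "write"}  # a0 = fd

# ausearch -i record: "type=X msg=audit(MM/DD/YYYY HH:MM:SS.mmm:serial) : k=v ..."
REC_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>.+?):(?P<serial>\d+)\) : (?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Group records by event serial -> {record type: [field dicts]}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = REC_RE.match(line.strip())
        if not m:                      # '----' separators and blank lines
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
        events[int(m.group("serial"))][m.group("type")].append(fields)
    return events


def event_path(ev):
    """Filename of an open-like event: the highest-numbered PATH item (for
    creat/openat, item 0 is the parent dir), made absolute via the CWD record."""
    paths = ev.get("PATH")
    if not paths:
        return None
    name = max(paths, key=lambda p: int(p.get("item", "0"))).get("name", "")
    if name in ("", "(null)"):
        return None
    if not name.startswith("/") and ev.get("CWD"):
        name = ev["CWD"][0]["cwd"].rstrip("/") + "/" + name
    return name


def resolve_fd_syscalls(text):
    """Replay events in serial order with a per-pid fd table built from
    successful opens; return [(serial, pid, syscall, fd, path_or_None)] for
    fd-consuming syscalls.  Heuristic: dup/dup2, inherited fds and unlogged
    opens are invisible, so None (miss) or a stale mapping after an unlogged
    close is possible; a logged close evicts the entry."""
    fdtable = defaultdict(dict)
    results = []
    events = parse_events(text)
    for serial in sorted(events):
        ev = events[serial]
        if not ev.get("SYSCALL"):
            continue
        sc = ev["SYSCALL"][0]
        pid, name = int(sc["pid"]), sc["syscall"]
        if name in FD_PRODUCERS and sc.get("success") == "yes":
            fdtable[pid][int(sc["exit"])] = event_path(ev)   # exit is decimal
        elif name == "close":
            fdtable[pid].pop(int(sc["a0"], 16), None)
        elif name in FD_CONSUMERS:
            fd = int(sc["a0"], 16)                            # a0 is printed in hex
            results.append((serial, pid, name, fd, fdtable[pid].get(fd)))
    return results


# Constructed sample in ausearch -i layout (pids, inodes and paths are made up).
SAMPLE_LOG = """\
----
type=PATH msg=audit(02/06/2020 10:58:20.001:1001) : item=0 name=/home/user/.thunderbird/abook.sqlite inode=1323462 dev=08:07 mode=file,644 ouid=user ogid=user objtype=NORMAL
type=CWD msg=audit(02/06/2020 10:58:20.001:1001) : cwd=/home/user
type=SYSCALL msg=audit(02/06/2020 10:58:20.001:1001) : arch=x86_64 syscall=open success=yes exit=74 a0=0x7fe1b291b552 a1=O_RDWR|O_CLOEXEC a2=0x1b6 a3=0x24 items=1 ppid=2451 pid=3561 auid=user uid=user comm=thunderbird exe=/usr/lib64/thunderbird/thunderbird key=watched_users
----
type=SYSCALL msg=audit(02/06/2020 10:58:23.626:1002) : arch=x86_64 syscall=ftruncate success=yes exit=0 a0=0x4a a1=0x28 a2=0x7f1e41600018 a3=0xfffffe00 items=0 ppid=2451 pid=3561 auid=user uid=user comm=thunderbird exe=/usr/lib64/thunderbird/thunderbird key=watched_users
----
type=PATH msg=audit(02/06/2020 10:58:25.100:1003) : item=0 name=notes.txt inode=595335 dev=fd:01 mode=file,600 ouid=user ogid=user objtype=NORMAL
type=CWD msg=audit(02/06/2020 10:58:25.100:1003) : cwd=/home/user
type=SYSCALL msg=audit(02/06/2020 10:58:25.100:1003) : arch=x86_64 syscall=open success=yes exit=5 a0=0x55d0c0a01234 a1=O_WRONLY a2=0x0 a3=0x0 items=1 ppid=2451 pid=3561 auid=user uid=user comm=thunderbird exe=/usr/lib64/thunderbird/thunderbird key=watched_users
----
type=SYSCALL msg=audit(02/06/2020 10:58:25.101:1004) : arch=x86_64 syscall=ftruncate success=yes exit=0 a0=0x5 a1=0x0 a2=0x0 a3=0x0 items=0 ppid=2451 pid=3561 auid=user uid=user comm=thunderbird exe=/usr/lib64/thunderbird/thunderbird key=watched_users
----
type=SYSCALL msg=audit(02/06/2020 10:58:25.102:1005) : arch=x86_64 syscall=close success=yes exit=0 a0=0x5 a1=0x0 a2=0x0 a3=0x0 items=0 ppid=2451 pid=3561 auid=user uid=user comm=thunderbird exe=/usr/lib64/thunderbird/thunderbird key=watched_users
----
type=SYSCALL msg=audit(02/06/2020 10:59:30.562:1006) : arch=x86_64 syscall=ftruncate success=yes exit=0 a0=0xd a1=0x0 a2=0x0 a3=0x0 items=0 ppid=27089 pid=27152 auid=user uid=user comm=kwin exe=/usr/bin/kwin key=watched_users
"""

if __name__ == "__main__":
    for serial, pid, sc, fd, path in resolve_fd_syscalls(SAMPLE_LOG):
        print(f"event {serial}: pid {pid} {sc}(fd {fd}) -> {path or '<unresolved: open not seen>'}")
```

Feed it real data with `ausearch -i -k watched_users | python3 resolve_fd.py` after adding a `sys.stdin.read()` path; the third sample event shows the miss you get when the open happened before the rule was loaded or in a parent process, which is the case a PATH record would otherwise have covered.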
Thread overview:
2020-02-05 23:27 Is auditing ftruncate useful? Orion Poplawski
2020-02-06 15:37 ` Lenny Bruzenak
2020-02-06 18:12 ` Orion Poplawski [this message]
2020-02-06 18:33 ` Lenny Bruzenak
2020-02-06 19:39 ` Lenny Bruzenak
2020-02-07 19:17 ` Steve Grubb
2020-02-07 21:56 ` Paul Moore
2020-02-07 23:17 ` Orion Poplawski
2020-02-10 22:54 ` Paul Moore
2020-02-10 23:05 ` Orion Poplawski
2020-02-10 23:29 ` Casey Schaufler
2020-03-06 16:59 ` Steve Grubb
2020-02-11 12:58 ` Paul Moore
2020-02-12 21:00 ` Orion Poplawski