From mboxrd@z Thu Jan  1 00:00:00 1970
From: Jon Smith <JoSmith@tripwire.com>
Subject: file watch: separating file reads and writes
Date: Wed, 9 Jul 2014 04:00:18 +0000
Message-ID: <94943543FF1E4246B0C4B827E39988190176403A@PDXMB01.tripwire.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1061377486894851267=="
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (ext-mx16.extmail.prod.ext.phx2.redhat.com
	[10.5.110.21])
	by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP
	id s6940xlj020163
	for <linux-audit@redhat.com>; Wed, 9 Jul 2014 00:00:59 -0400
Received: from co9outboundpool.messaging.microsoft.com
	(co9ehsobe001.messaging.microsoft.com [207.46.163.24])
	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s6940udw030754
	(version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL)
	for <linux-audit@redhat.com>; Wed, 9 Jul 2014 00:00:56 -0400
Received: from mail214-co9 (localhost [127.0.0.1])	by
	mail214-co9-R.bigfish.com (Postfix) with ESMTP id 81E1812047F	for
	<linux-audit@redhat.com>; Wed,  9 Jul 2014 04:00:55 +0000 (UTC)
Received: from CO9EHSMHS005.bigfish.com (unknown [10.236.132.236])	by
	mail214-co9.bigfish.com (Postfix) with ESMTP id C180920047	for
	<linux-audit@redhat.com>; Wed,  9 Jul 2014 04:00:53 +0000 (UTC)
Received: from 127.0.0.1 (ZixVPM [127.0.0.1])	by Outbound.tripwire.com
	(Proprietary) with SMTP id 1323D2321248	for <linux-audit@redhat.com>;
	Tue,  8 Jul 2014 21:00:53 -0700 (PDT)
Received: from rint.tripwire.com (unknown [192.168.192.19])	(using TLSv1 with
	cipher DHE-RSA-AES256-SHA (256/256 bits))	(No client certificate
	requested)
	by zgw01.tripwire.com (Proprietary) with ESMTPS id 9182323211E0	for
	<linux-audit@redhat.com>; Tue,  8 Jul 2014 21:00:52 -0700 (PDT)
Received: from PDXED01.tripwire.com ([192.168.192.5]) by rint.tripwire.com
	(RSA Interceptor) for <linux-audit@redhat.com>; Tue, 8 Jul 2014 23:47:36
	-0400
Content-Language: en-US
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: "linux-audit@redhat.com" <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

--===============1061377486894851267==
Content-Language: en-US
Content-Type: multipart/alternative;
	boundary="_000_94943543FF1E4246B0C4B827E39988190176403APDXMB01tripwire_"

--_000_94943543FF1E4246B0C4B827E39988190176403APDXMB01tripwire_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

I'm running CentOS-6.5-i386-minimal.

I recently used auditd to setup a watch on a specific file (-w /path/to/my/=
file -p warx), but found it difficult to distinguish system calls that were=
 modifying the file vs. reading from the file when using ausearch/aureport.

In response to that, I separated out the watches by keys:

-w /patch/to/my/file -p wa thisisawrite
-w /path/to/my/file -p r thisisaread

And then ran both aureport -k and aureport -f to join the keys to the syste=
m calls by event number.

Am I wholly approaching this the wrong way, or is there an easier way to di=
stinguish between a syscall that reads from a file vs. writes to a file?

Assuming this is the correct approach, would there then be a benefit to add=
ing the key to the aureport -f output? I find it awkward to have to combine=
 the two commands to get the necessary information.

Regards,
Jon Smith

--_000_94943543FF1E4246B0C4B827E39988190176403APDXMB01tripwire_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
<meta name=3D"Generator" content=3D"Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:11.0pt;
	font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:purple;
	text-decoration:underline;}
span.EmailStyle17
	{mso-style-type:personal-compose;
	font-family:"Calibri","sans-serif";
	color:windowtext;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-size:10.0pt;
	font-family:"Calibri","sans-serif";}
@page WordSection1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
	{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div class=3D"WordSection1">
<p class=3D"MsoNormal">I&#8217;m running CentOS-6.5-i386-minimal.<o:p></o:p=
></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">I recently used auditd to setup a watch on a specifi=
c file (-w /path/to/my/file -p warx), but found it difficult to distinguish=
 system calls that were modifying the file vs. reading from the file when u=
sing ausearch/aureport.<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">In response to that, I separated out the watches by =
keys:<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">-w /patch/to/my/file -p wa thisisawrite<o:p></o:p></=
p>
<p class=3D"MsoNormal">-w /path/to/my/file -p r thisisaread<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">And then ran both aureport -k and aureport -f to joi=
n the keys to the system calls by event number.<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">Am I wholly approaching this the wrong way, or is th=
ere an easier way to distinguish between a syscall that reads from a file v=
s. writes to a file?<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">Assuming this is the correct approach, would there t=
hen be a benefit to adding the key to the aureport -f output? I find it awk=
ward to have to combine the two commands to get the necessary information.<=
o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">Regards,<o:p></o:p></p>
<p class=3D"MsoNormal">Jon Smith<o:p></o:p></p>
</div>
</body>
</html>

--_000_94943543FF1E4246B0C4B827E39988190176403APDXMB01tripwire_--


--===============1061377486894851267==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline


--===============1061377486894851267==--

From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: file watch: separating file reads and writes
Date: Thu, 10 Jul 2014 16:24:54 -0400
Message-ID: <8316343.lH8SE5fr7Q@x2>
References: <94943543FF1E4246B0C4B827E39988190176403A@PDXMB01.tripwire.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <94943543FF1E4246B0C4B827E39988190176403A@PDXMB01.tripwire.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday, July 09, 2014 04:00:18 AM Jon Smith wrote:
> I recently used auditd to setup a watch on a specific file (-w
> /path/to/my/file -p warx), but found it difficult to distinguish system
> calls that were modifying the file vs. reading from the file when using
> ausearch/aureport.
> 
> In response to that, I separated out the watches by keys:
> 
> -w /patch/to/my/file -p wa thisisawrite
> -w /path/to/my/file -p r thisisaread

This sounds like the correct way to do it.

 
> And then ran both aureport -k and aureport -f to join the keys to the system
> calls by event number.

Why not use ausearch -k? You can also give a partial key name since partial 
matching is the default. You could use: ausearch --start today -k thisisa


> Am I wholly approaching this the wrong way, or is there an easier way to
> distinguish between a syscall that reads from a file vs. writes to a file?

Well, what you are getting is the requested permissions, rather than actual 
use of the permissions. I think it can be assumed that if an app opens a file 
for write, it will eventually get around to that. But not always.

> Assuming this is the correct approach, would there then be a benefit to
> adding the key to the aureport -f output? I find it awkward to have to
> combine the two commands to get the necessary information.

No one has asked for that so far. There is one quirk about keys, you can have 
multiple keys for the same event. So, that could be a bit of text if you have 
several. The idea of aureport was to have a utility that can extract, total, 
and sort properties of the event.

-Steve

From mboxrd@z Thu Jan  1 00:00:00 1970
From: Jon Smith <JoSmith@tripwire.com>
Subject: RE: file watch: separating file reads and writes
Date: Tue, 22 Jul 2014 02:19:46 +0000
Message-ID: <94943543FF1E4246B0C4B827E399881901771C17@PDXMB01.tripwire.com>
References: <94943543FF1E4246B0C4B827E39988190176403A@PDXMB01.tripwire.com>
	<8316343.lH8SE5fr7Q@x2>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (ext-mx14.extmail.prod.ext.phx2.redhat.com
	[10.5.110.19])
	by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP
	id s6M2Kmal000486
	for <linux-audit@redhat.com>; Mon, 21 Jul 2014 22:20:48 -0400
Received: from va3outboundpool.messaging.microsoft.com
	(va3ehsobe005.messaging.microsoft.com [216.32.180.31])
	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s6M2Klu5028653
	(version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL)
	for <linux-audit@redhat.com>; Mon, 21 Jul 2014 22:20:47 -0400
Received: from mail216-va3 (localhost [127.0.0.1])	by
	mail216-va3-R.bigfish.com (Postfix) with ESMTP id 54C7A2C031F	for
	<linux-audit@redhat.com>; Tue, 22 Jul 2014 02:20:46 +0000 (UTC)
Received: from VA3EHSMHS004.bigfish.com (unknown [10.7.14.250])	by
	mail216-va3.bigfish.com (Postfix) with ESMTP id 6E7C0C80052	for
	<linux-audit@redhat.com>; Tue, 22 Jul 2014 02:20:44 +0000 (UTC)
Received: from 127.0.0.1 (ZixVPM [127.0.0.1])	by Outbound.tripwire.com
	(Proprietary) with SMTP id BB3252321203	for <linux-audit@redhat.com>;
	Mon, 21 Jul 2014 19:20:42 -0700 (PDT)
In-Reply-To: <8316343.lH8SE5fr7Q@x2>
Content-Language: en-US
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb <sgrubb@redhat.com>, "linux-audit@redhat.com" <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

Steve,
I just wanted to thank you for your reply. I totally overlooked the ability to pipe ausearch output to aureport, so the end result looked like this:

ausearch -k thisisawrite | aureport -f

And that solved my problem.

Thank you very much for your time.

Regards,
Jon Smith

-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com] 
Sent: Thursday, July 10, 2014 1:25 PM
To: linux-audit@redhat.com
Cc: Jon Smith
Subject: Re: file watch: separating file reads and writes

On Wednesday, July 09, 2014 04:00:18 AM Jon Smith wrote:
> I recently used auditd to setup a watch on a specific file (-w 
> /path/to/my/file -p warx), but found it difficult to distinguish 
> system calls that were modifying the file vs. reading from the file 
> when using ausearch/aureport.
> 
> In response to that, I separated out the watches by keys:
> 
> -w /patch/to/my/file -p wa thisisawrite -w /path/to/my/file -p r 
> thisisaread

This sounds like the correct way to do it.

 
> And then ran both aureport -k and aureport -f to join the keys to the 
> system calls by event number.

Why not use ausearch -k? You can also give a partial key name since partial matching is the default. You could use: ausearch --start today -k thisisa


> Am I wholly approaching this the wrong way, or is there an easier way to
> distinguish between a syscall that reads from a file vs. writes to a file?

Well, what you are getting is the requested permissions, rather than actual 
use of the permissions. I think it can be assumed that if an app opens a file 
for write, it will eventually get around to that. But not always.

> Assuming this is the correct approach, would there then be a benefit to
> adding the key to the aureport -f output? I find it awkward to have to
> combine the two commands to get the necessary information.

No one has asked for that so far. There is one quirk about keys, you can have 
multiple keys for the same event. So, that could be a bit of text if you have 
several. The idea of aureport was to have a utility that can extract, total, 
and sort properties of the event.

-Steve