From: Boyd Memmott
Subject: Audit record created by echo "ThisIsATest" >>/tmp/test/file11
Date: Fri, 9 Oct 2015 14:43:59 +0000
To: linux-audit@redhat.com

Hi

I have an audit question concerning echo "ThisIsATest" >>/tmp/test/file11

I have a rule: -w /tmp/test -p war -S all -k thekey

It produces the following audit record.

type=SYSCALL msg=audit(1444398577.247:1581): arch=c000003e syscall=2 success=yes exit=3 a0=1f5bca0 a1=441 a2=1b6 a3=20 items=2 ppid=17766 pid=17808 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="bash" exe="/bin/bash" key="thekey"
type=CWD msg=audit(1444398577.247:1581): cwd="/tmp/test"
type=PATH msg=audit(1444398577.247:1581): item=0 name="/tmp/test" inode=1436 dev=00:2e mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1444398577.247:1581): item=1 name="file11" inode=6797 dev=00:2e mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE

I understand bash is the executable, because ">" is writing to the file via a file handle.

Is there another switch or rule that would improve the audit record to capture echo as being the initiator of the command?

Thank you

Boyd
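As an added illustration (not part of Boyd's post or of the audit project), the following Python decodes the SYSCALL record quoted above: on x86_64 (arch=c000003e) syscall 2 is open(2), a1 holds its flags and a2 the creation mode, and exe/comm name the process that issued the call. The field names and values come from the record in the post; the flag constants are the x86_64 Linux values from <asm-generic/fcntl.h>.

```python
import re

# Constructed sample: the SYSCALL record quoted in the post, with the
# quoted-printable soft line breaks ("=" at end of line, "=3D" for "=") undone.
SAMPLE = (
    'type=SYSCALL msg=audit(1444398577.247:1581): arch=c000003e syscall=2 '
    'success=yes exit=3 a0=1f5bca0 a1=441 a2=1b6 a3=20 items=2 ppid=17766 '
    'pid=17808 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=pts3 ses=1 comm="bash" exe="/bin/bash" key="thekey"'
)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# open(2) flag bits on x86_64 Linux (<asm-generic/fcntl.h>); the low two bits
# are the access mode, the rest are creation/status flags.
ACCESS_MODES = {0: 'O_RDONLY', 1: 'O_WRONLY', 2: 'O_RDWR'}
OPEN_FLAGS = {0o100: 'O_CREAT', 0o200: 'O_EXCL', 0o1000: 'O_TRUNC', 0o2000: 'O_APPEND'}


def parse_fields(record):
    """Split one audit record into a dict of key -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(record)}


def decode_open_flags(hex_flags):
    """Name the access mode and the known creation flags in open(2)'s a1."""
    n = int(hex_flags, 16)
    names = [ACCESS_MODES[n & 0o3]] if (n & 0o3) in ACCESS_MODES else []
    names += [name for bit, name in sorted(OPEN_FLAGS.items()) if n & bit]
    return names


def explain_open(record):
    """Decode an x86_64 open(2) SYSCALL record into the facts a reviewer needs."""
    f = parse_fields(record)
    if f.get('arch') != 'c000003e' or f.get('syscall') != '2':
        raise ValueError('this example only decodes x86_64 open(2) records')
    return {
        'opener_exe': f['exe'],         # the process that issued open(2)
        'opener_comm': f['comm'],
        'flags': decode_open_flags(f['a1']),
        'mode': oct(int(f['a2'], 16)),  # creation mode, meaningful with O_CREAT
        'fd': int(f['exit']),           # descriptor returned on success
    }


if __name__ == '__main__':
    # The ">>" redirection is an open(2) performed by the shell itself before
    # any command runs (and echo is a bash builtin, so nothing is exec'd at
    # all), which is why exe and comm name /bin/bash rather than echo.
    print(explain_open(SAMPLE))
```

For a0=1f5bca0 the record only gives the userspace pointer to the path string; the actual name is in the accompanying PATH record (item=1 name="file11", nametype=CREATE), so a full decoder joins records on the audit(...) event id.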