From: ramsdell@mitre.org (John D. Ramsdell)
To: Linux Audit <linux-audit@redhat.com>
Subject: open record looks like openat
Date: 27 Jul 2007 10:10:17 -0400
Message-ID: <ogtps2eym2e.fsf@oolong.mitre.org>
In-Reply-To: <200707251621.38095.sgrubb@redhat.com>
Steve Grubb <sgrubb@redhat.com> writes:
> I've just released a new version of the audit daemon.
Thank you Steve. With this update, and bug fixes to my code, my
analysis program completes without reporting internal
inconsistencies. This usually means most of the bugs have been
removed.
I carefully studied the output of my analysis program, and found one
particularly odd line of output. I traced it back to an interesting
audit event in the raw log (syscall 5 is the open system call):
type=SYSCALL msg=audit(1185450758.059:1699): arch=40000003 syscall=5 success=yes exit=0 a0=bfb9ec10 a1=241 a2=1b6 a3=4284b560 items=2 ppid=1 pid=22079 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="broadcast" exe="/home/ramsdell/scm/polgen/src/daemon-example/broadcast" subj=user_u:system_r:unconfined_t:s0 key=(null)
type=CWD msg=audit(1185450758.059:1699): cwd="/"
type=PATH msg=audit(1185450758.059:1699): item=0 name="/tmp/" inode=4128769 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0
type=PATH msg=audit(1185450758.059:1699): item=1 name="/tmp/polgen_daemon.txt" inode=4128817 dev=fd:00 mode=0100640 ouid=500 ogid=500 rdev=00:00 obj=user_u:object_r:tmp_t:s0
Notice this event has two PATH records, whereas all of the many other
open events I studied in my logs have one PATH record. It's as if the
open system call can behave as the openat system call. I changed my
analysis program to use the last PATH record to find the file name, so
that the same code can be used to analyze open and openat system
calls.
John
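The "use the last PATH record" rule from the message above, as an added example that is not part of the original post or of the author's analysis program. It groups raw audit lines by their audit(timestamp:serial) event key, and for open/openat events returns the name from the PATH record with the highest item number, so a one-PATH and a two-PATH open are handled by the same code. Syscall numbers are the i386 ones (arch=40000003: open is 5, openat is 295); other architectures use different numbers. The flags decode assumes x86 O_CREAT (0100); a1=241 in the event above is O_WRONLY|O_CREAT|O_TRUNC, and when a file is created the kernel records the parent directory as well as the new file, which is where the second PATH record comes from. The sample log embeds the four records from the message (SYSCALL line abridged to the fields used) plus one constructed read-only open for contrast.

```python
import re
from collections import defaultdict

# The audit(timestamp:serial) pair in msg= ties the records of one event together.
EVENT_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$')
# key=value fields; values are either double-quoted (may contain spaces) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# i386 syscall numbers (arch=40000003). These differ on x86_64 and other arches.
I386_OPEN = 5
I386_OPENAT = 295
O_CREAT = 0o100  # x86 value of O_CREAT

# Sample input: the four records from the message (SYSCALL abridged) and a
# constructed single-PATH open of /etc/passwd with flags a1=0 (O_RDONLY).
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1185450758.059:1699): arch=40000003 syscall=5 success=yes exit=0 a0=bfb9ec10 a1=241 a2=1b6 a3=4284b560 items=2 ppid=1 pid=22079 auid=500 uid=500 comm="broadcast" exe="/home/ramsdell/scm/polgen/src/daemon-example/broadcast" key=(null)',
    'type=CWD msg=audit(1185450758.059:1699): cwd="/"',
    'type=PATH msg=audit(1185450758.059:1699): item=0 name="/tmp/" inode=4128769 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0',
    'type=PATH msg=audit(1185450758.059:1699): item=1 name="/tmp/polgen_daemon.txt" inode=4128817 dev=fd:00 mode=0100640 ouid=500 ogid=500 rdev=00:00 obj=user_u:object_r:tmp_t:s0',
    # constructed event, not from the original log
    'type=SYSCALL msg=audit(1185450760.101:1700): arch=40000003 syscall=5 success=yes exit=3 a0=bfb9ec10 a1=0 a2=0 a3=4284b560 items=1 ppid=1 pid=22079 auid=500 uid=500 comm="broadcast" exe="/home/ramsdell/scm/polgen/src/daemon-example/broadcast" key=(null)',
    'type=CWD msg=audit(1185450760.101:1700): cwd="/"',
    'type=PATH msg=audit(1185450760.101:1700): item=0 name="/etc/passwd" inode=123456 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0',
]


def parse_record(line):
    """Split one raw audit line into (record type, event key, field dict)."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return m.group('type'), m.group('ts') + ':' + m.group('serial'), fields


def group_events(lines):
    """Collect the records of each event under its audit(ts:serial) key, in log order."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            rtype, key, fields = rec
            events[key].append((rtype, fields))
    return events


def opened_file(records):
    """Name the open/openat targeted: the PATH record with the highest item number.

    Works for a plain open (one PATH record) and for an open that creates a file
    or an openat (parent directory first, target last). Returns None for other syscalls.
    """
    syscall = next((f for t, f in records if t == 'SYSCALL'), None)
    if syscall is None or int(syscall['syscall']) not in (I386_OPEN, I386_OPENAT):
        return None
    paths = [f for t, f in records if t == 'PATH']
    if not paths:
        return None
    return max(paths, key=lambda f: int(f['item']))['name']


def analyze(lines):
    """Summarise every open/openat event: target name, PATH count, whether O_CREAT was set."""
    results = {}
    for key, records in group_events(lines).items():
        name = opened_file(records)
        if name is None:
            continue
        syscall = next(f for t, f in records if t == 'SYSCALL')
        nr = int(syscall['syscall'])
        # open(path, flags, mode) carries flags in a1; openat(dirfd, path, flags, mode) in a2.
        flags = int(syscall['a1' if nr == I386_OPEN else 'a2'], 16)
        results[key] = {
            'name': name,
            'path_records': sum(1 for t, _ in records if t == 'PATH'),
            'creating': bool(flags & O_CREAT),
        }
    return results


if __name__ == '__main__':
    for key, info in analyze(SAMPLE_LOG).items():
        print(key, info)
```

Picking the highest item number rather than the last line in file order also survives records of one event arriving interleaved with another's, which happens in busy logs.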
Thread overview: 8+ messages
2007-07-25 20:21 audit 1.5.6 released Steve Grubb
2007-07-27 12:25 ` [PATCH] Add auparse_version John D. Ramsdell
2007-07-27 14:10 ` John D. Ramsdell [this message]
2007-07-27 14:59 ` open record looks like openat Steve Grubb
2007-07-27 15:15 ` John D. Ramsdell
2007-07-27 17:41 ` Wieprecht, Karen M.
2007-07-27 17:57 ` John D. Ramsdell
2007-07-27 18:14 ` John D. Ramsdell