Linux-audit January 2007

linux-audit@lists.linux-audit.osci.io

28 participants
24 discussions

by Steve Grubb

Hello, BZ 221663 was opened to report a problem with some test results. From the bugzilla: semctl(id, 0, IPC_RMID); Expected argument: a0 = SEMCTL, a1 = id, a2 = 0, a3 = 0 (IPC_RMID) Actual arguments seen in the audit log: a0 = SEMCTL, a1 = id, a2 = 0, a3 = 0x100 msgctl(id, IPC_STAT, &buf) Expected argument: a0 = MSGCTL, a1 = id, a2 = 2 (IPC_STAT) Actual arguments seen in the audit log: a0 = MSGCTL, a1 = id, a2 = 0x102 The answer was: /* * Version flags for semctl, msgctl, and shmctl commands * These are passed as bitflags or-ed with the actual command */ #define IPC_OLD 0 /* Old version (no 32-bit UID support on many architectures) */ #define IPC_64 0x0100 /* New version (support 32-bit UIDs, bigger message sizes, etc. */ Looks like userspace will "or" the value with IPC_64 to indicate the version it supports. So the question is, should ausearch report the actual recorded register value, or should it "and" the register with IPC_64 ? -Steve

17 years, 11 months

2
3
0 / 0

RE: Linux-audit Digest, Vol 28, Issue 1

by Thomas, Daniel J.

Steve, In the response below you mention using mount --bind along with exit code logging to track a directory structure. I'm not familiar with --bind option, but according to the man page, it looks like a way to mount a file system in a second place (similar to MS-DOS "subst" command). While this is helpful for perhaps replacing a symlink with a "link" that can't be deleted, I don't understand how you would use this for auditing purposes. Could you elaborate? Thanks! -Dan Thomas Message: 3 Date: Tue, 2 Jan 2007 16:22:22 -0500 From: Steve Grubb <sgrubb(a)redhat.com> Subject: Re: Audit rule questions To: linux-audit(a)redhat.com Cc: "Fulda, Paul \(Mission Systems\)" <Paul.Fulda(a)ngc.com> Message-ID: <200701021622.22477.sgrubb(a)redhat.com> Content-Type: text/plain; charset="utf-8" On Tuesday 02 January 2007 15:49, Fulda, Paul (Mission Systems) wrote: > Is there a way to set a rule to watch particular files in a directory > like /etc/*? Â You can probably use mount --bind option to get this with syscall auditing rules rather than watches. Then use devmajor/minor (-a always,exit -S open -F devmajor=0x1F -F devminor=3 ). > Can you use wildcards in the rules? No. This area is very tricky to do right from an implementation point of view. Some things to consider: 1) What should the behavior be when subtrees get moved? IOW, we watch /opt/tmp/test/* and /opt/tmp gets renamed to /opt/tmp2 ? 2) What should the behavior be when subtrees get moved into the watched subtree? IOW, we watch /opt/temp/test/* and someone does a mv /opt/temp/test2 /opt/temp/test/test2 3) Should it catch the access via hardlink from outside the watched tree? 4) What should the behavior be if there is a mount point in the watched tree? 5) What should happen when we do mount --move to or from that subtree? 6) What should happen when mount --move the parent of subtree itself? 7) What should happen if tree is mounted elsewhere? (e.g. in chroot jail) 8) What should the behavior be if the directory is polyinstantiated? IOW, we watch /tmp/* and /tmp is polyinstantiated on a per user & per level basis. > Also, is there a way to set a rule to grab just non-root user actions > on a file? In RHEL4 using: using watches - no, using syscall audit rules - yes. RHEL5/2.6.19 is more flexible and can let you get better control over what is audited with watches. -Steve

17 years, 11 months

2
1
0 / 0

content and format?

by John Calcote

So what's in the future for linux audit regarding content and format? My company's really interested in this aspect of audit in order to provide good analytical tools for audit logs. Anyone? ----- John Calcote (jcalcote(a)novell.com) Sr. Software Engineeer Novell, Inc.

17 years, 11 months

2
4
0 / 0

Audit rule questions

by Fulda, Paul (Mission Systems)

All, Is there a way to set a rule to watch particular files in a directory like /etc/*? Can you use wildcards in the rules? Also, is there a way to set a rule to grab just non-root user actions on a file? Thanks!

17 years, 11 months

2
1
0 / 0

← Newer
1
2
3
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit January 2007