Question regarding audit message interpretation
by Kangkook Jee
Hi, all
I have a question regarding how to interpret the audit message that we got for
an open system call. In most cases, we observe a single item (path) information
followed by 'syscall' and 'cwd' messages. However, in some cases, we see 2 or 3
items (paths) followed by 'syscall' and 'cwd' messages, like in the following cases.
CASE 1:
Jan 14 11:00:01 hostname kernel: [4980285.399982] type=1300 audit(1421233201.056:893730395): arch=c000003e syscall=2 success=yes exit=5 a0=7ffff4ae5830 a1=c2 a2=180 a3=2233546f14d99 items=2 ppid=983 pid=5723 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="cron" exe="/usr/sbin/cron" key=(null)
Jan 14 11:00:01 hostname kernel: [4980285.399985] type=1307 audit(1421233201.056:893730395): cwd="/var/spool/cron"
Jan 14 11:00:01 hostname kernel: [4980285.399988] type=1302 audit(1421233201.056:893730395): item=0 name="/tmp/" inode=40961 dev=ca:01 mode=041777 ouid=0 ogid=0 rdev=00:00
Jan 14 11:00:01 hostname kernel: [4980285.399990] type=1302 audit(1421233201.056:893730395): item=1 name="/tmp/tmpfS9woiP" inode=30733 dev=ca:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
CASE 2:
Jan 14 11:19:37 hostname kernel: [4981461.529450] type=1300 audit(1421234377.184:894228556): arch=c000003e syscall=2 success=yes exit=5 a0=fa9700 a1=441 a2=1b6 a3=0 items=3 ppid=5727 pid=5728 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=4294967295 tty=(none) comm="Run" exe="/usr/bin/perl" key=(null)
Jan 14 11:19:37 hostname kernel: [4981461.529454] type=1307 audit(1421234377.184:894228556): cwd="/home/ubuntu/benchmarks/UnixBench/testdir"
Jan 14 11:19:37 hostname kernel: [4981461.529458] type=1302 audit(1421234377.184:894228556): item=0 name="/home/ubuntu/benchmarks/UnixBench/results/" inode=396144 dev=ca:01 mode=040775 ouid=1000 ogid=1000 rdev=00:00
Jan 14 11:19:37 hostname kernel: [4981461.529460] type=1302 audit(1421234377.184:894228556): item=1 name=(null) inode=440344 dev=ca:01 mode=0100664 ouid=1000 ogid=1000 rdev=00:00
Jan 14 11:19:37 hostname kernel: [4981461.529463] type=1302 audit(1421234377.184:894228556): item=2 name=(null) inode=440344 dev=ca:01 mode=0100664 ouid=1000 ogid=1000 rdev=00:00
I investigated the audit source code a bit and found out that these are produced as
a result of enumerations over the audit_context.names_list data structure. But I'm
still not clear on how and when entries for this data structure are filled.
Could anyone explain what it means to have multiple items (paths) for
a single open syscall invocation?
Thanks a lot for your help in advance.
Regards, Kangkook
9 years, 9 months
Is audit=1 still required for RHEL 7?
by Erinn Looney-Triggs
I have been digging around trying to find the answer to the above; hopefully I
didn't miss something obvious. It was required for RHEL < 7; is it still for RHEL 7? Or
has systemd done some magic to remove that need?
-Erinn
9 years, 9 months
How to audit socket close system call?
by Jie Cui
Hi all~
How to audit socket close system call?
I can audit the socket connection by 'connect' system call.
I can also audit the socket termination by 'shutdown' system call.
But I can't figure out how to audit when the socket is closed.
Does the 'close' system call work? However, all the file close events will
also be audited. That's not what I want.
9 years, 9 months
[GIT PULL] Audit fixes for 3.19 #2
by Paul Moore
Hi Linus,
One audit patch to resolve a panic/oops when recording filenames in the audit
log, see the mail archive link below. The fix isn't as nice as I would like,
as it involves an allocate/copy of the filename, but it solves the problem and
the overhead should only affect users who have configured audit rules
involving file names. We'll revisit this issue with future kernels in an
attempt to make this suck less, but in the meantime I think this fix should go
into the next release of v3.19-rcX.
* https://marc.info/?t=141986927600001&r=1&w=2
Thanks,
-Paul
---
The following changes since commit 041d7b98ffe59c59fdd639931dea7d74f9aa9a59:
audit: restore AUDIT_LOGINUID unset ABI (2014-12-23 16:40:18 -0500)
are available in the git repository at:
git://git.infradead.org/users/pcmoore/audit upstream
for you to fetch changes up to fcf22d8267ad2601fe9b6c549d1be96401c23e0b:
audit: create private file name copies when auditing inodes (2014-12-30 09:26:21 -0500)
----------------------------------------------------------------
Paul Moore (1):
audit: create private file name copies when auditing inodes
kernel/auditsc.c | 49 ++++++++++++++++++++++++++++++++++++++++---------
1 file changed, 40 insertions(+), 9 deletions(-)
9 years, 10 months