Re: Auditing the "chattr" command (ioctl syscall?)
On Wednesday, August 24, 2011 11:31:10 AM Max Williams wrote:
Thanks for the informative reply. I hadn't used autrace before,
looks very
handy. I am wondering why this rule would log chattr...
-a always,exit -F arch=b64 -S ioctl -F a1=40086602 -F path=/root/file
...but not this one?
-a exit,always -F path=/root/file
When you do not give a syscall and its a path or directory based rule, it selects the
syscalls for you based on what kind of permissions are passed. No permissions being
passed defaults to all. The resulting list will not include an ioctl.
In the second rule, is it not implied that all syscalls would be
logged?
Wouldn't that include ioctl?
No. You could add -S all and then it would.
I also tried just auditing all ioctl syscalls for a path:
[root@localhost ~]# auditctl -D
No rules
[root@localhost ~]# auditctl -a exit,always -F arch=b64 -S ioctl -F
path=/root/temp -k chattr3 [root@localhost ~]# chattr +i /root/temp/file
But still no dice. This is on a standard x86_64 RHEL6 host with
audit-2.0.4-1.el6.x86_64. Am I missing something obvious?
Then I guess you cannot limit the auditing to a file. The ioctl is passed a fd, which
is an integer. The audit system does not keep any list of associated fd to name
mappings. So, the only time it knows the string is during the open syscall. I guess
you'll have to drop the -F path=/root/temp/file and you will get the chattr, but you
will get all chattr events. I don't think there are too many of those going on for a
normal system.
-Steve