10:13 a.m.
Greetings,
I have the following rule in audit.rules
-a exit,always -S chmod -S chown -S lchown -S fchown -F success!-1 -F key=mod
If I log in as a typical user and try "chown bob /etc/shadow" I don't get an
event produced, however if I try "chmod 666 /etc/shadow" I do.
What am I missing here?
Thanks!
Bob
10:14 a.m.
On Wed, May 02, 2007 at 11:13:23AM -0400, Robert Evans wrote:
Greetings,
I have the following rule in audit.rules
-a exit,always -S chmod -S chown -S lchown -S fchown -F success!-1 -F
key=mod
If I log in as a typical user and try "chown bob /etc/shadow" I don't get
an event produced, however if I try "chmod 666 /etc/shadow" I do.
What am I missing here?
Thanks!
You need to give 1 systemcall per line I guess.
-a exit,always -S chmod -F success!-1 -F key=mod
-a exit,always -S chown -F success!-1 -F key=mod
-a exit,always -S lchown -F success!-1 -F key=mod
-a exit,always -S fchown -F success!-1 -F key=mod
Ciao, Marcus
10:45 a.m.
Hmm... The documentation says that it is best to combine system calls on
one line.
And in fact the sample audit.rules for NISPOM coverage posted by this
site have the system calls on one line as well.
Bob
-----Original Message-----
From: Marcus Meissner [mailto:meissner@suse.de]
Sent: Wednesday, May 02, 2007 11:15 AM
To: Evans, Robert B.
Cc: linux-audit(a)redhat.com
Subject: Re: Why doesn't chown produce an event
On Wed, May 02, 2007 at 11:13:23AM -0400, Robert Evans wrote:
Greetings,
I have the following rule in audit.rules
-a exit,always -S chmod -S chown -S lchown -S fchown -F success!-1 -F
key=mod
If I log in as a typical user and try "chown bob /etc/shadow" I don't
get an event produced, however if I try "chmod 666 /etc/shadow" I do.
What am I missing here?
Thanks!
You need to give 1 systemcall per line I guess.
-a exit,always -S chmod -F success!-1 -F key=mod -a exit,always -S chown
-F success!-1 -F key=mod -a exit,always -S lchown -F success!-1 -F
key=mod -a exit,always -S fchown -F success!-1 -F key=mod
Ciao, Marcus
12:30 p.m.
On Wednesday 02 May 2007 11:13, Robert Evans wrote:
If I log in as a typical user and try "chown bob
/etc/shadow" I don't get
an event produced, however if I try "chmod 666 /etc/shadow" I do.
What am I missing here?
A syscall. If I am on a i386 machine and I strace chmod root file.txt, I see
this:
chown32("file.txt", 0, -1) = 0
So, you would want to use chown32 instead of chown on i386 machines. On x86_64
the chown syscall is used.
-Steve
1 p.m.
Got it! So when I want to figure out how to trace something, the recommended
course of action is do a strace on the operation, and look for a good syscall to
tag...
Bob
Steve Grubb wrote:
On Wednesday 02 May 2007 11:13, Robert Evans wrote:
> If I log in as a typical user and try "chown bob /etc/shadow" I don't
get
> an event produced, however if I try "chmod 666 /etc/shadow" I do.
>
> What am I missing here?
A syscall. If I am on a i386 machine and I strace chmod root file.txt, I see
this:
chown32("file.txt", 0, -1) = 0
So, you would want to use chown32 instead of chown on i386 machines. On x86_64
the chown syscall is used.
-Steve
1:15 p.m.
On Wednesday 02 May 2007 14:00, Robert Evans wrote:
Got it! So when I want to figure out how to trace something, the
recommended course of action is do a strace on the operation, and look for
a good syscall to tag...
You should do that whenever you don't get a hit when you think you should. It
should also be trivial for me to write a simple app that iterates the
syscalls it knows about for a given arch.
-Steve
6444
days inactive
6444
days old
linux-audit@lists.linux-audit.osci.io
6 comments
4 participants
participants (4)
-
Evans, Robert B. -
Marcus Meissner -
Robert Evans
-
Steve Grubb