2:39 p.m.
Hello,
I got a capture of audit doing a log rotate using:
auditctl -w /var/log -k dir -p rwea
type=SYSCALL msg=audit(05/26/05 15:24:55.023:13588534) : arch=i386
syscall=rename success=yes exit=0 a0=94bc008 a1=94bc028 a2=8051254 a3=8054e00
items=2 pid=1716 auid=unknown(4294967295) uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root comm=auditd
exe=/sbin/auditd
type=FS_WATCH msg=audit(05/26/05 15:24:55.023:13588534) : watch=log
filterkey=dir perm=read,write,exec,append perm_mask=exec inode=29249
inode_uid=root inode_gid=root inode_dev=03:07 inode_rdev=00:00
type=FS_WATCH msg=audit(05/26/05 15:24:55.023:13588534) : watch=log
filterkey=dir perm=read,write,exec,append perm_mask=exec inode=29249
inode_uid=root inode_gid=root inode_dev=03:07 inode_rdev=00:00
type=PATH msg=audit(05/26/05 15:24:55.023:13588534) : item=0
name=/var/log/audit/audit.log inode=29307 dev=03:07 mode=dir,750 ouid=root
ogid=root rdev=00:00
type=PATH msg=audit(05/26/05 15:24:55.023:13588534) : item=1
name=/var/log/audit/audit.log.1 inode=29307 dev=03:07 mode=dir,750 ouid=root
ogid=root rdev=00:00
The thing I'm wondering about is the mode not matching the object in PATH. The
watch is on a dir, but the item listed is not a dir, its a file with access
perms of 0640.
-Steve
2:46 p.m.
On Thursday 26 May 2005 14:39, Steve Grubb wrote:
Hello,
I got a capture of audit doing a log rotate using:
auditctl -w /var/log -k dir -p rwea
type=SYSCALL msg=audit(05/26/05 15:24:55.023:13588534) : arch=i386
syscall=rename success=yes exit=0 a0=94bc008 a1=94bc028 a2=8051254 a3=8054e00
items=2 pid=1716 auid=unknown(4294967295) uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root comm=auditd
exe=/sbin/auditd
type=FS_WATCH msg=audit(05/26/05 15:24:55.023:13588534) : watch=log
filterkey=dir perm=read,write,exec,append perm_mask=exec inode=29249
inode_uid=root inode_gid=root inode_dev=03:07 inode_rdev=00:00
type=FS_WATCH msg=audit(05/26/05 15:24:55.023:13588534) : watch=log
filterkey=dir perm=read,write,exec,append perm_mask=exec inode=29249
inode_uid=root inode_gid=root inode_dev=03:07 inode_rdev=00:00
type=PATH msg=audit(05/26/05 15:24:55.023:13588534) : item=0
name=/var/log/audit/audit.log inode=29307 dev=03:07 mode=dir,750 ouid=root
ogid=root rdev=00:00
type=PATH msg=audit(05/26/05 15:24:55.023:13588534) : item=1
name=/var/log/audit/audit.log.1 inode=29307 dev=03:07 mode=dir,750 ouid=root
ogid=root rdev=00:00
The thing I'm wondering about is the mode not matching the object in PATH. The
watch is on a dir, but the item listed is not a dir, its a file with access
perms of 0640.
Is the inode being reported the inode of audit/ or audit.log?
-tim
2:52 p.m.
On Thursday 26 May 2005 14:46, Timothy R. Chavez wrote:
On Thursday 26 May 2005 14:39, Steve Grubb wrote:
> Hello,
>
> I got a capture of audit doing a log rotate using:
>
> auditctl -w /var/log -k dir -p rwea
>
> type=SYSCALL msg=audit(05/26/05 15:24:55.023:13588534) : arch=i386
> syscall=rename success=yes exit=0 a0=94bc008 a1=94bc028 a2=8051254 a3=8054e00
> items=2 pid=1716 auid=unknown(4294967295) uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root comm=auditd
> exe=/sbin/auditd
> type=FS_WATCH msg=audit(05/26/05 15:24:55.023:13588534) : watch=log
> filterkey=dir perm=read,write,exec,append perm_mask=exec inode=29249
> inode_uid=root inode_gid=root inode_dev=03:07 inode_rdev=00:00
> type=FS_WATCH msg=audit(05/26/05 15:24:55.023:13588534) : watch=log
> filterkey=dir perm=read,write,exec,append perm_mask=exec inode=29249
> inode_uid=root inode_gid=root inode_dev=03:07 inode_rdev=00:00
> type=PATH msg=audit(05/26/05 15:24:55.023:13588534) : item=0
> name=/var/log/audit/audit.log inode=29307 dev=03:07 mode=dir,750 ouid=root
> ogid=root rdev=00:00
> type=PATH msg=audit(05/26/05 15:24:55.023:13588534) : item=1
> name=/var/log/audit/audit.log.1 inode=29307 dev=03:07 mode=dir,750 ouid=root
> ogid=root rdev=00:00
>
> The thing I'm wondering about is the mode not matching the object in PATH. The
> watch is on a dir, but the item listed is not a dir, its a file with access
> perms of 0640.
Is the inode being reported the inode of audit/ or audit.log?
I suspect that it is. The way that path is being formed is from
sys_rename()->do_rename() right??
static inline int do_rename(const char * oldname, const char *
newname)
{
int error = 0;
struct dentry * old_dir, * new_dir;
struct dentry * old_dentry, *new_dentry;
struct dentry * trap;
struct nameidata oldnd, newnd;
error = path_lookup(oldname, LOOKUP_PARENT, &oldnd);
if (error)
goto exit;
error = path_lookup(newname, LOOKUP_PARENT, &newnd);
if (error)
goto exit1;
If this is true, as you can see, we only ever do a lookup on our parent. So the
inode information (and mode) will be for our parent.
If you were to do a "unlink" you'd see something similar in that the inode
reported
with the path is the inode of it's parent directory.
This is my theory, at least.
-tim
3:03 p.m.
On Thursday 26 May 2005 15:46, Timothy R. Chavez wrote:
Is the inode being reported the inode of audit/ or audit.log?
logs have long since been rotated. I'll try to recreate in better way.
Also, I've been torturing my machine with rule & watch insertion for over an
hour. It seems to be doing fine. Maybe the undersized allocation was causing
all my problems.
-Steve
3:18 p.m.
On Thursday 26 May 2005 15:03, Steve Grubb wrote:
On Thursday 26 May 2005 15:46, Timothy R. Chavez wrote:
> Is the inode being reported the inode of audit/ or audit.log?
logs have long since been rotated. I'll try to recreate in better way.
Also, I've been torturing my machine with rule & watch insertion for over an
hour. It seems to be doing fine. Maybe the undersized allocation was causing
all my problems.
Are you using a .49 or .50 kernel? I wasn't quite sure if David said "OK"
to just
using the hash table from now on or to use the i_audit field until we're in the
clear.
David has incorporated most of the cleanups I had and then he made some
more which I've also added to my tree.. and the last major thing I can think of
is to correctly handle audit_notify_watch() in fs/namei.c
-tim
-Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com
http://www.redhat.com/mailman/listinfo/linux-audit
4:20 p.m.
On Thu, 2005-05-26 at 15:18 -0500, Timothy R. Chavez wrote:
--
dwmw2
Are you using a .49 or .50 kernel? I wasn't quite sure if David
said "OK" to just
using the hash table from now on or to use the i_audit field until we're in the
clear.
Yes, let's just use the hash table from now on.
David has incorporated most of the cleanups I had and then he made
some
more which I've also added to my tree.. and the last major thing I can think of
is to correctly handle audit_notify_watch() in fs/namei.c
OK, I'll leave that one to you while I play with trying to allocate
inode audit data for only those inodes which need it -- which will make
the decision to use a hash table sane for upstream too.
If we're going to be poking at the same piece of code we should probably
have a communication channel which has lower latency than email. I've
created a #audit channel on irc.freenode.net.
Not that you're going to get _much_ more out of me tonight, mind you :)
3:13 p.m.
On Thursday 26 May 2005 15:09, Steve Grubb wrote:
On Thursday 26 May 2005 15:46, Timothy R. Chavez wrote:
> Is the inode being reported the inode of audit/ or audit.log?
OK, its the inode of the directory /var/log/audit
But the name doesn't match what the inode points to ! Isn't this a problem?
I think so... I mentioned this several times before =) But I'm not sure there is a
good _solution_ doing it the way it's currently being done in path_lookup()...
which is unfortunate because its a good place to collect information for "free"
-tim
7467
days inactive
7467
days old
linux-audit@lists.linux-audit.osci.io
8 comments
3 participants
participants (3)
-
David Woodhouse -
Steve Grubb -
Timothy R. Chavez