On Thu, 2005-03-24 at 14:13 -0500, Stephen Smalley wrote:
Ok, going back to what you are trying to achieve in terms of high level
goals (e.g. maintain auditing on /etc/shadow across re-creation for each
transaction), I did the following:
auditctl -w /etc/shadow -k SHADOW -p wa
i.e. show me all attempts to write or append to /etc/shadow.
Then I ran 'passwd' as a normal user and changed my own password, thus
re-creating /etc/shadow with my new password. No audit messages were
generated.
Running strace on passwd, I see that the transaction consists of:
1) create /etc/nshadow
2) read old content from /etc/shadow
3) write new content to /etc/nshadow
4) rename /etc/nshadow to /etc/shadow
So I would have expected to see an audit upon the rename
from /etc/nshadow to /etc/shadow, no? I also tried adding a watch for
nshadow, e.g.
auditctl -w /etc/nshadow -k SHADOW -p w
Still no audit messages upon using passwd to change my password.
Now, if I change my watch to include read access as well, e.g.
auditctl -W /etc/shadow
auditctl -w /etc/shadow -k SHADOW -p rwa
Then I start to see some audit messages during passwd, but I shouldn't
have to request read access auditing in order to see modifications
(especially as that will generate a lot more data, e.g. upon every
authentication program's use of /etc/shadow).
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency
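The four-step transaction that strace shows above can be replayed in a scratch directory to see why a watch on the path name is hard to keep: the rename installs a different inode under "shadow" and the nshadow name disappears. This is an added example, not code from the message; it assumes GNU coreutils (stat -c %i) and a writable temporary directory.

```shell
#!/bin/sh
# Added example: replays passwd's create/read/write/rename transaction on
# DIR/shadow and DIR/nshadow, so the inode change under the watched name is
# visible. The file contents are constructed sample data, not a real shadow.
set -eu

# replay_shadow_transaction DIR: run the four steps and print "old_inode new_inode".
replay_shadow_transaction() {
    dir=$1
    printf 'alice:x:13000:0:99999:7:::\n' > "$dir/shadow"   # constructed sample entry
    old_ino=$(stat -c %i "$dir/shadow")

    : > "$dir/nshadow"                                      # 1) create nshadow
    content=$(cat "$dir/shadow")                            # 2) read old content
    printf '%s\n' "$content" | sed 's/:x:/:NEWHASH:/' \
        > "$dir/nshadow"                                    # 3) write new content
    mv "$dir/nshadow" "$dir/shadow"                         # 4) rename over shadow

    new_ino=$(stat -c %i "$dir/shadow")
    echo "$old_ino $new_ino"
}

# inode_changed DIR: succeeds when the replay left a different inode at DIR/shadow,
# i.e. a watch bound to the original inode no longer covers the path.
inode_changed() {
    set -- $(replay_shadow_transaction "$1")
    [ "$1" != "$2" ]
}

# Stand-alone use: ./replay.sh --run prints the two inode numbers.
if [ "${1:-}" = "--run" ]; then
    scratch=$(mktemp -d)
    replay_shadow_transaction "$scratch"
    rm -rf "$scratch"
fi
```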