All,
OK, let me preface this by saying I'm an auditd novice. So, I've basically got a watch on 3 files and a filter to never log mount syscalls, with the following rules:
[root@XXXX audit]# auditctl -l
AUDIT_LIST: exit,never syscall=mount
AUDIT_WATCH_LIST: dev=104:2, path=/var/tmp/auditd_test/important, filterkey=important_file, perms=wa, valid=0
AUDIT_WATCH_LIST: dev=104:2, path=/var/tmp/auditd_test/shadow, filterkey=important_file, perms=wa, valid=0
AUDIT_WATCH_LIST: dev=104:2, path=/var/tmp/auditd_test/passwd, filterkey=important_file, perms=wa, valid=0
I'm only interested in when the file is written to or appended (hence the wa). However, I'm running into something that I was hoping I could get confirmed on this list. When I vi one of the files and quit without writing anything to it, I get the following lines in my audit.log:
type=SYSCALL msg=audit(1184082224.278:6396): arch=c000003e syscall=21 success=yes exit=0 a0=75d930 a1=2 a2=0 a3=1 items=1 pid=28804 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="vim" exe="/usr/bin/vim"
type=FS_WATCH msg=audit(1184082224.278:6396): watch_inode=36339931 watch="passwd" filterkey=important_file perm=10 perm_mask=2
type=FS_INODE msg=audit(1184082224.278:6396): inode=36339931 inode_uid=0 inode_gid=0 inode_dev=68:02 inode_rdev=00:00
type=CWD msg=audit(1184082224.278:6396): cwd="/var/tmp/auditd_test"
type=PATH msg=audit(1184082224.278:6396): name="passwd" flags=401 inode=36339931 dev=68:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
(That's not the -i view, so bear with the raw numbers.)
Could someone confirm for me what vi is doing to the file that pops a perm_mask=2 (write) event?
On a side note, when I do actually write to the file (via vi or by redirecting text) I get 7 separate type=FS_WATCH ... perm_mask=2 events. I can live with the multiples, but does anyone have any idea why I see that for one file write?
Thanks in advance
Felix
(running audit-1.0.14-1.EL4 on a RHEL box with a 2.6.9-42.0.10.ELsmp kernel)
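The posted records already contain the answer to the first question once the SYSCALL fields are decoded: arch=c000003e is x86_64, where syscall 21 is access(2), and a1=2 is W_OK. So vim is only asking the kernel whether the file is writable (it does this to decide whether to show the buffer as read-only), and that permission probe is enough to trip a perms=wa watch even though nothing is written. The script below is an added example, not code from the original post or from the audit project. It groups records by event serial, decodes the syscall number and its arguments against a partial x86_64 table, and reports whether the event could actually have modified the watched file. It embeds the records quoted in the post plus one constructed event (serial 9001, an open(O_WRONLY|O_CREAT|O_TRUNC) from a shell) for contrast; that second event is made up for illustration.

```python
import re
from collections import defaultdict

# Event 6396 is quoted from the post. Event 9001 is CONSTRUCTED for this
# example (a real write via open with O_WRONLY|O_CREAT|O_TRUNC = 0x241).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1184082224.278:6396): arch=c000003e syscall=21 success=yes exit=0 a0=75d930 a1=2 a2=0 a3=1 items=1 pid=28804 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="vim" exe="/usr/bin/vim"
type=FS_WATCH msg=audit(1184082224.278:6396): watch_inode=36339931 watch="passwd" filterkey=important_file perm=10 perm_mask=2
type=FS_INODE msg=audit(1184082224.278:6396): inode=36339931 inode_uid=0 inode_gid=0 inode_dev=68:02 inode_rdev=00:00
type=CWD msg=audit(1184082224.278:6396): cwd="/var/tmp/auditd_test"
type=PATH msg=audit(1184082224.278:6396): name="passwd" flags=401 inode=36339931 dev=68:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1184082300.101:9001): arch=c000003e syscall=2 success=yes exit=3 a0=75d930 a1=241 a2=1a4 a3=0 items=1 pid=28900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bash" exe="/bin/bash"
type=FS_WATCH msg=audit(1184082300.101:9001): watch_inode=36339931 watch="passwd" filterkey=important_file perm=10 perm_mask=2
"""

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

AUDIT_ARCH_X86_64 = 0xC000003E
# Partial x86_64 syscall table; only the numbers needed here.
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 3: "close", 21: "access",
                   76: "truncate", 77: "ftruncate", 82: "rename", 87: "unlink",
                   257: "openat"}
ACCESS_MODES = ((4, "R_OK"), (2, "W_OK"), (1, "X_OK"))        # access(2) mode bits
OPEN_FLAGS = ((0x40, "O_CREAT"), (0x200, "O_TRUNC"), (0x400, "O_APPEND"))
PERM_BITS = ((1, "exec"), (2, "write"), (4, "read"), (8, "attr"))  # audit perm mask


def parse_record(line):
    """Split one audit record into type, timestamp, serial and a field dict."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    return {"type": rtype, "ts": ts, "serial": int(serial), "fields": fields}


def group_events(log_text):
    """All records sharing a serial belong to one event; group them."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return dict(events)


def classify_event(records):
    """Decide whether a watched-file event reflects a real modification."""
    syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
    watches = [r for r in records if r["type"] == "FS_WATCH"]
    if syscall is None or not watches:
        return None
    f = syscall["fields"]
    arch, nr = int(f["arch"], 16), int(f["syscall"])
    name = X86_64_SYSCALLS.get(nr, "syscall_%d" % nr) if arch == AUDIT_ARCH_X86_64 \
        else "arch_%x_syscall_%d" % (arch, nr)
    modified, detail = None, ""
    if name == "access":
        mode = int(f.get("a1", "0"), 16)
        detail = "|".join(n for bit, n in ACCESS_MODES if mode & bit) or "F_OK"
        modified = False          # a permission probe never touches the file
    elif name in ("open", "openat"):
        # open(2) takes flags in a1, openat(2) in a2
        flags = int(f.get("a1" if name == "open" else "a2", "0"), 16)
        acc = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}.get(flags & 3, "?")
        detail = "|".join([acc] + [n for bit, n in OPEN_FLAGS if flags & bit])
        modified = (flags & 3) in (1, 2) or bool(flags & 0x200)
    elif name in ("write", "truncate", "ftruncate", "rename", "unlink"):
        modified = True
    perm_mask = int(watches[0]["fields"]["perm_mask"])
    return {
        "serial": syscall["serial"],
        "comm": f.get("comm"),
        "syscall": name,
        "detail": detail,
        "watch": watches[0]["fields"].get("watch"),
        "perm_mask": perm_mask,
        "perm_mask_names": [n for bit, n in PERM_BITS if perm_mask & bit],
        "fs_watch_records": len(watches),
        "modified": modified,
    }


def analyze(log_text):
    """Classify every event in the log that carries an FS_WATCH record."""
    return {serial: r for serial, recs in group_events(log_text).items()
            if (r := classify_event(recs)) is not None}


if __name__ == "__main__":
    for serial, r in sorted(analyze(SAMPLE_LOG).items()):
        print("%d %-5s %s(%s) perm_mask=%s modified=%s" % (
            serial, r["comm"], r["syscall"], r["detail"],
            "|".join(r["perm_mask_names"]), r["modified"]))
```

Run as-is it reports event 6396 as `vim access(W_OK)` with `modified=False` and the constructed 9001 as `bash open(O_WRONLY|O_CREAT|O_TRUNC)` with `modified=True`. The practical point for a perms=wa watch is that perm_mask=2 means "the syscall asked for write permission", not "bytes were written"; filtering on the decoded syscall (or on `-S` rules that exclude access) is what separates the two. Note that FS_WATCH and FS_INODE records are specific to the old 2.6.9-era watch implementation; later kernels carry the same information in the PATH record.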