Both ls -i and stat return 252 as the inode for /tmp/test (I considered your
/tmp/watch a typo).
I also tried to add read permission to the watch and execute a cat on the
file, but not even that gets recognized by audit.
2011/6/2 Steve Grubb <sgrubb(a)redhat.com>
On Thursday, June 02, 2011 12:41:41 PM 4javier wrote:
> root@Archbox /home/javier $ touch /tmp/test
> root@Archbox /home/javier $ cat /tmp/test
> root@Archbox /home/javier $ auditctl -w /tmp/test -p wa
> root@Archbox /home/javier $ echo ppp >> /tmp/test
> root@Archbox /home/javier $ cat /tmp/test
> ppp
> root@Archbox /home/javier $ ausearch -i -f /tmp/test
> <no matches>
> root@Archbox /home/javier $ auditctl -l
> LIST_RULES: exit,always watch=/tmp/test perm=wa
> root@Archbox /home/javier $ echo ppp > /tmp/test
> root@Archbox /home/javier $ ausearch -i -f /tmp/test
> <no matches>
> root@Archbox /home/javier $ ausearch -f /tmp/test
> <no matches>
>
> As you can see from the auditctl -l output, the rule seems to be correctly set, but
> ausearch doesn't show anything.
I duplicated your tests here:
[root@localhost ~]# auditctl -w /tmp/test -p wa -k watch
[root@localhost ~]# echo "ppp" >> /tmp/test
[root@localhost ~]# cat /tmp/test
ppp
[root@localhost ~]# ausearch --start recent -i -f /tmp/test
----
type=PATH msg=audit(06/02/2011 14:32:45.146:112) : item=0 name=/tmp/test inode=164740 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0
type=CWD msg=audit(06/02/2011 14:32:45.146:112) : cwd=/root
type=SYSCALL msg=audit(06/02/2011 14:32:45.146:112) : arch=x86_64 syscall=open success=yes exit=3 a0=1842830 a1=441 a2=1b6 a3=0 items=1 ppid=1298 pid=1304 auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=bash exe=/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=watch
Admittedly I am on the 2.6.38.6 kernel. But I'm not seeing a regression. When you set
the perms to "wa" that is only going to be opens for writing or changes to file
attributes. So, the cat command will not trigger an event and that is why I only get 1
event. I am also on a 64-bit system, but I would think that didn't matter...unless we
have a signed/unsigned comparison problem...what do you have for an inode on the
/tmp/watch file? ls -i /tmp/watch should get it.
-Steve
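Steve's point is that a `-w /tmp/test -p wa` watch only fires on opens for writing (and attribute changes), so the `cat` never produces a record and `a1=441` in his SYSCALL record is the hex open(2) flags of an append-write. The script below is an added example, not code from the thread or from the audit package: it groups `ausearch -i` output by audit serial number, decodes the `a1`/`a2` flags of open/openat into O_* names using the standard x86_64 fcntl values, and says whether a watch with a given `-p` string would have logged the event. The sample records are constructed: event 112 copies the shape of Steve's record, and event 113 is a hypothetical `cat` open that a `-p wa` rule would never emit in the first place (you would only see it with `r` in the perms). The read/write classification is a simplification of the kernel's matching, based on the access mode with O_TRUNC counted as a write, and is an assumption of this example rather than a statement of the kernel code.

```python
import re
from collections import defaultdict

# x86_64 open(2) flag values (standard <asm-generic/fcntl.h> constants).
O_ACCMODE = 0o3
O_RDONLY, O_WRONLY, O_RDWR = 0o0, 0o1, 0o2
O_CREAT, O_TRUNC, O_APPEND = 0o100, 0o1000, 0o2000
ACC_NAMES = {O_RDONLY: "O_RDONLY", O_WRONLY: "O_WRONLY", O_RDWR: "O_RDWR"}
FLAG_NAMES = {O_CREAT: "O_CREAT", O_TRUNC: "O_TRUNC", O_APPEND: "O_APPEND"}

# Constructed sample in the shape of `ausearch -i` output. Serial 112 mirrors
# the echo >> /tmp/test record from the thread; serial 113 is a hypothetical
# `cat /tmp/test` open (O_RDONLY) that only a rule with -p r would log.
SAMPLE = """\
type=PATH msg=audit(06/02/2011 14:32:45.146:112) : item=0 name=/tmp/test inode=164740 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0
type=CWD msg=audit(06/02/2011 14:32:45.146:112) : cwd=/root
type=SYSCALL msg=audit(06/02/2011 14:32:45.146:112) : arch=x86_64 syscall=open success=yes exit=3 a0=1842830 a1=441 a2=1b6 a3=0 items=1 ppid=1298 pid=1304 auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=bash exe=/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=watch
type=PATH msg=audit(06/02/2011 14:32:50.001:113) : item=0 name=/tmp/test inode=164740 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0
type=CWD msg=audit(06/02/2011 14:32:50.001:113) : cwd=/root
type=SYSCALL msg=audit(06/02/2011 14:32:50.001:113) : arch=x86_64 syscall=open success=yes exit=3 a0=1842830 a1=0 a2=0 a3=0 items=1 ppid=1298 pid=1305 auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=cat exe=/bin/cat subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=watch
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([^)]*):(\d+)\) : (.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_records(text):
    """Group ausearch -i records by audit serial into one dict per event."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, _stamp, serial, rest = m.groups()
        fields = dict(FIELD_RE.findall(rest))
        ev = events[int(serial)]
        if rtype == "SYSCALL":
            ev.update(fields)
        elif rtype == "PATH":
            # PATH records stay in item order; item=0 is the name that was opened
            ev.setdefault("paths", []).append(fields.get("name"))
    return [dict(serial=s, **e) for s, e in sorted(events.items())]


def decode_open(ev):
    """Decode the flags of an open/openat event into O_* names and access kinds.

    a0..a3 stay hex even under ausearch -i: open() carries flags in a1,
    openat() in a2. Access is {"read"}, {"write"} or both (O_RDWR); O_TRUNC
    counts as a write. This is a simplification of the kernel's -p matching.
    """
    sc = ev.get("syscall")
    if sc == "open":
        flags = int(ev["a1"], 16)
    elif sc == "openat":
        flags = int(ev["a2"], 16)
    else:
        return None
    acc = flags & O_ACCMODE
    names = [ACC_NAMES.get(acc, "O_ACCMODE?")]
    names += [n for bit, n in FLAG_NAMES.items() if flags & bit]
    access = set()
    if acc in (O_RDONLY, O_RDWR):
        access.add("read")
    if acc in (O_WRONLY, O_RDWR) or flags & O_TRUNC:
        access.add("write")
    return {"flags": names, "access": access}


def rule_would_log(ev, perms):
    """Would `auditctl -w <path> -p <perms>` emit this open event?"""
    info = decode_open(ev)
    if info is None:
        return False
    return ("r" in perms and "read" in info["access"]) or \
           ("w" in perms and "write" in info["access"])


def summarize(text, perms="wa"):
    """One tuple per open event: serial, comm, path, flags, logged-under-perms."""
    rows = []
    for ev in parse_records(text):
        info = decode_open(ev)
        if info is None:
            continue
        rows.append((ev["serial"], ev.get("comm"), ev["paths"][0],
                     info["flags"], rule_would_log(ev, perms)))
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE, "wa"):
        print(row)
```

Run it against real output with `ausearch -i -k watch | python3 this.py`-style plumbing by swapping `SAMPLE` for `sys.stdin.read()`; the `False` against the `cat` row under `wa` is exactly why the original poster's `ausearch -f /tmp/test` stayed empty after a read, and why adding `r` to the perms is the check to make before suspecting the kernel.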