Hello,
On Wednesday, January 20, 2021 3:54:45 PM EST Shourya Jaiswal wrote:
> I have found a weird behavior in auditd. File "/abc" does not exist.
> audit.rules:
> -a always,exit -F arch=b32 -S open -S openat
> -a always,exit -F arch=b64 -S open -S openat
> A non-root user executes "echo > /abc", it doesn't get logged in audit.log.
This is because name resolution fails before it gets to audit hooks inside
the kernel. The audit hooks want to collect device, inode, permission, owner,
group, etc. IOW, things that do not exist.
> Same with "echo > /etc/abc". A non-root user executes "cat /abc", it gets
> logged in audit.log.
> Since auditd is monitoring all the open and openat syscalls, ideally both
> the cases (i.e. read and write) should have been logged.
It's the kernel doing it. This comes up from time to time. It is logged here:
https://github.com/linux-audit/audit-kernel/issues/118
> After I execute "chmod a+w /" then "chmod a-w /", if a non-root user
> executes "echo > /abc", then it gets logged in audit.log.
> This looks like a bug to me. Kindly let me know if it's a bug or an
> intended feature.
This is essentially how it works. But, there will be an improvement at some
future point when issue 118 is resolved.
-Steve
> System used to test: Linux 5.4.0-56-generic #62-Ubuntu SMP x86_64 x86_64 x86_64 GNU/Linux
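An added reproduction harness for the two cases discussed above, so an administrator can confirm on their own kernel which failed opens of a missing path are visible in audit.log; this is not code from the thread or from the audit project. It assumes root, a running auditd on x86_64, a non-root account in PROBE_USER, and that PROBE_PATH does not exist; all function and variable names are mine.

```shell
#!/bin/bash
# Added example, not from the thread: re-run the two cases Shourya describes
# under a temporary keyed copy of the thread's rules and report how many
# SYSCALL records each attempt leaves behind.
# Assumptions: run as root, auditd running, x86_64, $PROBE_USER is an existing
# non-root account, $PROBE_PATH does not exist. All names below are mine.

PROBE_PATH="${PROBE_PATH:-/abc}"
PROBE_USER="${PROBE_USER:-nobody}"

# Count SYSCALL records carrying key $1 in raw audit log text $2.
# Pure text processing, so it can be checked against a constructed log.
count_keyed_syscalls() {
    printf '%s\n' "$2" | grep -c "type=SYSCALL .*key=\"$1\"" || true
}

# Load the thread's open/openat rules tagged with key $1, run $2 as the
# unprivileged user, collect the records for that key, then remove the rules.
probe() {
    local key="$1" cmd="$2" arch raw
    for arch in b32 b64; do
        auditctl -a always,exit -F arch=$arch -S open -S openat -k "$key" >/dev/null
    done
    runuser -u "$PROBE_USER" -- sh -c "$cmd" 2>/dev/null
    sleep 1                       # give auditd time to write audit.log
    raw=$(ausearch -k "$key" --raw 2>/dev/null || true)
    for arch in b32 b64; do
        auditctl -d always,exit -F arch=$arch -S open -S openat -k "$key" >/dev/null
    done
    printf '%-20s -> %s SYSCALL record(s)\n' "$cmd" "$(count_keyed_syscalls "$key" "$raw")"
}

main() {
    if [ -e "$PROBE_PATH" ]; then
        echo "$PROBE_PATH exists; choose a path that does not" >&2
        return 1
    fi
    # Write attempt: path lookup fails before the audit hooks run, so on the
    # 5.4 kernel from the thread this reports 0 records.
    probe probe-write "echo > $PROBE_PATH"
    # Read attempt on the same missing path: the open is recorded.
    probe probe-read "cat $PROBE_PATH"
}

# Only run the live probe where it can actually work.
if [ "$(id -u)" = 0 ] && command -v auditctl >/dev/null 2>&1; then
    main
fi
```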