I'm running the capp rules on my ia64 box with the .84 kernel and the
1.0.1 tools, and I'm seeing audit records for things that I don't think I
should be seeing them for.
With a watch rule like this:
-w /etc/group -p wa -k CFG_group
with the associated syscall rules in the capp rules file, should
I only be getting records when someone writes to or appends to the
group file? That's what I think the -p option means, but I'm
getting audit records any time someone does anything to the group
file, including just access()ing it. The same is true for other
watched files.
With a little test program that does a read access check on
any file, I always get a set of audit records like this when I do
it on a watched file.
type=SYSCALL msg=audit(1123283719.207:502): arch=c0000032 syscall=1049
success=yes exit=0 a0=60000fffffffb935 a1=4 a2=60000fffffffb935 a3=4
items=1 pid=4230 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 comm="t_path" exe="/home/ljk/t_path"
type=FS_INODE msg=audit(1123283719.207:502): inode=559722 inode_uid=0
inode_gid=0 inode_dev=08:13 inode_rdev=00:00
type=CWD msg=audit(1123283719.207:502): cwd="/home/ljk"
type=PATH msg=audit(1123283719.207:502): name="/etc/group" flags=401
inode=559722 dev=08:13 mode=0100644 ouid=0 ogid=0 rdev=00:00
Should that be happening?
My little test program and output of an auditctl -v are attached.
-- ljk
AUDIT_LIST: entry,possible syscall=chmod
AUDIT_LIST: entry,possible syscall=fchmod
AUDIT_LIST: entry,possible syscall=chown
AUDIT_LIST: entry,possible syscall=fchown
AUDIT_LIST: entry,possible syscall=lchown
AUDIT_LIST: entry,possible syscall=creat
AUDIT_LIST: entry,possible syscall=open
AUDIT_LIST: entry,possible syscall=truncate
AUDIT_LIST: entry,possible syscall=ftruncate
AUDIT_LIST: entry,possible syscall=mkdir
AUDIT_LIST: entry,possible syscall=rmdir
AUDIT_LIST: entry,possible syscall=unlink
AUDIT_LIST: entry,possible syscall=rename
AUDIT_LIST: entry,possible syscall=link
AUDIT_LIST: entry,possible syscall=symlink
AUDIT_LIST: entry,always syscall=mknod
AUDIT_LIST: entry,always syscall=mount
AUDIT_LIST: entry,always syscall=umount
AUDIT_LIST: entry,always syscall=adjtimex
AUDIT_LIST: entry,always syscall=settimeofday
AUDIT_LIST: entry,possible syscall=execve
AUDIT_WATCH_LIST: dev=8:19, path=/var/log/audit, filterkey=LOG_audit, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/var/log/audit/audit_log, filterkey=LOG_audit_log,
perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/var/log/audit/audit_log.1, filterkey=LOG_audit_log,
perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/var/log/audit/audit_log.2, filterkey=LOG_audit_log,
perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/var/log/audit/audit_log.3, filterkey=LOG_audit_log,
perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/var/log/audit/audit_log.4, filterkey=LOG_audit_log,
perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/auditd.conf, filterkey=CFG_auditd.conf, perms=,
valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/audit.rules, filterkey=CFG_audit.rules, perms=,
valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/usr/sbin/stunnel, filterkey=, perms=x, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/var/spool/at, filterkey=LOG_at, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/at.allow, filterkey=CFG_at.allow, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/at.deny, filterkey=CFG_at.deny, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/cron.allow, filterkey=CFG_cron.allow, perms=wa,
valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/cron.deny, filterkey=CFG_cron.deny, perms=wa,
valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/cron.d, filterkey=CFG_cron.d, perms=wa, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/cron.daily, filterkey=CFG_cron.daily, perms=wa,
valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/cron.hourly, filterkey=CFG_cron.hourly, perms=wa,
valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/cron.monthly, filterkey=CFG_cron.monthly, perms=wa,
valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/cron.weekly, filterkey=CFG_cron.weekly, perms=wa,
valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/crontab, filterkey=CFG_crontab, perms=wa, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/var/spool/cron/root, filterkey=CFG_crontab_root, perms=,
valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/group, filterkey=CFG_group, perms=wa, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/passwd, filterkey=CFG_passwd, perms=wa, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/gshadow, filterkey=CFG_gshadow, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/shadow, filterkey=CFG_shadow, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/security/opasswd, filterkey=CFG_opasswd, perms=,
valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/login.defs, filterkey=CFG_login.defs, perms=wa,
valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/securetty, filterkey=CFG_securetty, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/var/log/faillog, filterkey=LOG_faillog, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/var/log/lastlog, filterkey=LOG_lastlog, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/hosts, filterkey=CFG_hosts, perms=wa, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/sysconfig, filterkey=, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/inittab, filterkey=CFG_inittab, perms=wa, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/rc.d/init.d, filterkey=, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/rc.d/init.d/auditd, filterkey=CFG_initd_auditd,
perms=wa, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/ld.so.conf, filterkey=CFG_ld.so.conf, perms=wa,
valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/localtime, filterkey=CFG_localtime, perms=wa,
valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/sysctl.conf, filterkey=CFG_sysctl.conf, perms=wa,
valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/modprobe.conf, filterkey=CFG_modprobe.conf,
perms=wa, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/pam.d, filterkey=, perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/ssh/sshd_config, filterkey=CFG_sshd_config, perms=,
valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/stunnel/stunnel.conf, filterkey=CFG_stunnel.conf,
perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/stunnel/stunnel.pem, filterkey=CFG_stunnel.pem,
perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/vsftpd.ftpusers, filterkey=CFG_vsftpd.ftpusers,
perms=, valid=0
AUDIT_WATCH_LIST: dev=8:19, path=/etc/vsftpd/vsftpd.conf, filterkey=CFG_vsftpd.conf,
perms=, valid=0
#include <errno.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
int
main(int argc, char *argv[])
{
int i, cnt = 1;
int mode=R_OK;
char *path="/etc/passwd";
if (argc > 1) {
path = argv[1];
}
if (argc > 2) {
cnt = atoi(argv[2]);
if (cnt <=0)
cnt = 1;
}
printf("looping %d times on access(%s, %o)\n", cnt, path, mode);
for (i = 0; i < cnt; i++) {
if (access(path, mode) < 0) {
fprintf(stderr, "access(%s, %o): %s\n", path,mode,strerror(errno));
}
}
exit(0);
}