Hi Steve,
Thanks for explaining the thing properly. I think I had misinterpreted the meaning of
"CONFIG_CHANGE", and now I understand.
The problem I was asking about was something different. I have actually already started a
different thread for that.
Thanks.
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Friday, February 26, 2016 1:22 AM
To: linux-audit(a)redhat.com
Cc: Sarthak Jain <Sarthak.Jain(a)microfocus.com>
Subject: Re: Regarding Auditing on RHEL 7.1
On Wednesday, February 24, 2016 07:04:08 AM Sarthak Jain wrote:
I am Sarthak Jain, working in MicroFocus. I want your small help to
clarify one of my doubts regarding the kernel auditing on RHEL 7.1. I
hope you are the right person to contact. It will take just 2 min (max :P)
to go through the problem.
Assumption: Ideally, if we change the configuration file (for example,
/etc/hosts), we should be getting audit events for it.
Scenario: By default, the permissions for '/etc/hosts' are (rw-r--r--).
If we modify this file, then audit events come through, as attached in
the file 'file1.txt'.
Problem: Let's say we change the permissions of '/etc/hosts' to
(rw-rw-rw-); then the audit system is not recording the "CONFIG_CHANGE"
event at all.
That is because the audit configuration has not changed. Config change events are specific
to changes in the audit system itself. What you get on this is a syscall event with a path record.
If you want to get events on changing permissions on a file, then you would put a rule
like this:
-a always,exit -F path=/etc/hosts -F perms=a -F key=permission-change
After modifying the file with chmod, then run:
ausearch --start today -k permission-change
I have attached the file 'file2.txt' for your reference.
Can you please clarify this? Is it a kernel-level bug?
No. It's doing what it should.
-Steve
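The distinction Steve draws above (CONFIG_CHANGE is emitted for changes to the audit system's own rules, while a chmod on a watched path produces a SYSCALL event with PATH and PROCTITLE records carrying the rule's key) is easy to see by parsing raw audit.log output. The following is an added example, not code from the thread or from the audit project: it groups raw records by their serial number, classifies each event, decodes the hex-encoded PROCTITLE, and pulls out the events that matched the "permission-change" key from the rule in the thread. The log lines are constructed for this example (the inode, pid, timestamps and the x86_64 syscall numbers in SYSCALL_NAMES are illustrative values, not taken from file1.txt or file2.txt).

```python
import re
from collections import defaultdict

# Constructed sample of raw audit.log records, not the thread's attachments.
# Event 4567: "chmod 666 /etc/hosts" hitting the watch rule keyed "permission-change".
# Event 4570: CONFIG_CHANGE, which the audit system emits for changes to its own rules.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1456440000.123:4567): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=55d0c3a0 a2=1b6 a3=0 items=1 ppid=1234 pid=5678 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="chmod" exe="/usr/bin/chmod" key="permission-change"
type=CWD msg=audit(1456440000.123:4567): cwd="/root"
type=PATH msg=audit(1456440000.123:4567): item=0 name="/etc/hosts" inode=12345 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1456440000.123:4567): proctitle=63686D6F6400363636002F6574632F686F737473
type=CONFIG_CHANGE msg=audit(1456440100.456:4570): auid=1000 ses=1 op=add_rule key="permission-change" list=4 res=1
"""

# Every raw record starts with type=... msg=audit(TIMESTAMP:SERIAL): and then key=value fields.
RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# x86_64 (arch=c000003e) syscall numbers that change file mode bits; assumed here for labelling only.
SYSCALL_NAMES = {'90': 'chmod', '91': 'fchmod', '268': 'fchmodat'}


def parse_fields(body):
    """Turn 'a=1 b="two words"' into a dict, dropping the quotes around values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}


def parse_events(text):
    """Group raw records into events keyed by audit serial number."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # skip anything that is not a raw audit record
        rec = parse_fields(m.group('body'))
        rec['type'] = m.group('type')
        rec['ts'] = m.group('ts')
        events[int(m.group('serial'))].append(rec)
    return dict(events)


def decode_proctitle(hexstr):
    """PROCTITLE is hex-encoded with NUL between argv entries; render it as a command line."""
    return bytes.fromhex(hexstr).replace(b'\x00', b' ').decode('utf-8', 'replace')


def summarize(events):
    """Return one dict per event describing whether it is an audit-config change or a syscall."""
    out = []
    for serial, recs in sorted(events.items()):
        by_type = defaultdict(list)
        for r in recs:
            by_type[r['type']].append(r)
        if 'CONFIG_CHANGE' in by_type:
            cc = by_type['CONFIG_CHANGE'][0]
            out.append({'serial': serial, 'kind': 'audit-config',
                        'op': cc.get('op'), 'key': cc.get('key')})
        elif 'SYSCALL' in by_type:
            sc = by_type['SYSCALL'][0]
            title = by_type['PROCTITLE'][0]['proctitle'] if by_type.get('PROCTITLE') else None
            out.append({'serial': serial, 'kind': 'syscall',
                        'syscall': SYSCALL_NAMES.get(sc.get('syscall'), sc.get('syscall')),
                        'success': sc.get('success'), 'comm': sc.get('comm'),
                        'key': sc.get('key'),
                        'paths': [p['name'] for p in by_type.get('PATH', [])],
                        'proctitle': decode_proctitle(title) if title else None})
    return out


def permission_changes(events, key='permission-change'):
    """Events that matched the watch rule's key, i.e. what 'ausearch -k permission-change' returns."""
    return [e for e in summarize(events) if e['kind'] == 'syscall' and e['key'] == key]


if __name__ == '__main__':
    for e in summarize(parse_events(SAMPLE_LOG)):
        print(e)
```

The CONFIG_CHANGE record in the sample is what the daemon logs when the `-a always,exit -F path=/etc/hosts -F perms=a -F key=permission-change` rule is loaded; the chmod itself shows up only as the SYSCALL/PATH/PROCTITLE group, which is why searching by key is the right way to find it.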