
Re: [RFC][PATCH] (#6 U1) the latest incarnation

On Thu, 2005-03-24 at 14:13 -0500, Stephen Smalley wrote:
> Ok, going back to what you are trying to achieve in terms of high level
> goals (e.g. maintain auditing on /etc/shadow across re-creation for each
> transaction), I did the following:
> 	auditctl -w /etc/shadow -k SHADOW -p wa
> i.e. show me all attempts to write or append to /etc/shadow.
> Then I ran 'passwd' as a normal user and changed my own password, thus
> re-creating /etc/shadow with my new password.  No audit messages were
> generated.

Running strace on passwd, I see that the transaction consists of:
1) create /etc/nshadow
2) read old content from /etc/shadow
3) write new content to /etc/nshadow
4) rename /etc/nshadow to /etc/shadow

So I would have expected to see an audit upon the rename
from /etc/nshadow to /etc/shadow, no?  I also tried adding a watch for
nshadow, e.g.
	auditctl -w /etc/nshadow -k SHADOW -p w

Still no audit messages upon using passwd to change my password.

Now, if I change my watch to include read access as well, e.g.
	auditctl -W /etc/shadow
	auditctl -w /etc/shadow -k SHADOW -p rwa

Then I start to see some audit messages during passwd, but I shouldn't
have to request read access auditing in order to see modifications
(especially as that will generate a lot more data, e.g. upon every
authentication program's use of /etc/shadow).

Stephen Smalley <sds tycho nsa gov>
National Security Agency
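Added example, not part of the thread or the patch: a POSIX shell reproduction of the four-step transaction that strace showed for passwd, run in a scratch directory on constructed data. It shows that the original file's inode is never written, only unlinked by the rename, which is why a watch bound to that inode records no write; the directory watch it prints is my assumed mitigation, not something the thread states.

```shell
#!/bin/sh
# Added example: emulate passwd's create/read/write/rename transaction on
# constructed data in a scratch directory (never /etc/shadow itself).
set -eu

# inode_of FILE: print the inode number (POSIX ls -i prints "inode name").
inode_of() {
    set -- $(ls -i "$1")
    printf '%s\n' "$1"
}

# replace_by_rename DIR: run the four steps against DIR/shadow and print
# "<inode before> <inode after>".  Only DIR/nshadow is ever written to;
# the original DIR/shadow inode receives no write and is simply replaced
# in the directory by the rename, so a watch keyed to that inode is silent.
replace_by_rename() {
    dir=$1
    printf 'alice:OLDHASH:12000:0:99999:7:::\n' > "$dir/shadow"  # constructed entry
    before=$(inode_of "$dir/shadow")
    : > "$dir/nshadow"                                     # 1) create nshadow
    old=$(cat "$dir/shadow")                               # 2) read old content
    printf '%s\n' "$old" | sed 's/OLDHASH/NEWHASH/' > "$dir/nshadow"  # 3) write new content
    mv "$dir/nshadow" "$dir/shadow"                        # 4) rename nshadow -> shadow
    after=$(inode_of "$dir/shadow")
    printf '%s %s\n' "$before" "$after"
}

# audit_rules DIR: print the watch set this pattern calls for.  The directory
# watch is my assumption, not something the thread states: the rename in
# step 4 modifies the directory's entries, so a write watch on the directory
# is what records it even when the file watch stays quiet.
audit_rules() {
    dir=$1
    printf '%s\n' "-w $dir/shadow -k SHADOW -p wa"
    printf '%s\n' "-w $dir -k SHADOW -p wa"
}

# Stand-alone demo on a temporary directory.
main() {
    d=$(mktemp -d)
    res=$(replace_by_rename "$d")
    echo "inode before/after rename: $res"
    echo "content now: $(cat "$d/shadow")"
    audit_rules /etc
    rm -rf "$d"
}

main
```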
