[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Bypassing audit's file watches



Amy Griffis wrote:
Steve wrote:  [Mon Jul 10 2006, 07:32:26AM EDT]
Amy Griffis wrote:
Steve wrote:  [Fri Jul 07 2006, 10:58:42AM EDT]
I have found that I can modify files that are being watched and audit not catch it (ie. no events are dispatched). When monitoring a file for all system calls, I can:

echo "" > /file/to/watch

or

cat some_file > /file/to/watch

without generating audit events.
Are you seeing the open and not the write, or no records at all?
If you are missing events for open() calls, please let us know since
that would be a bug (versus a lacking feature).
I am not seeing the open() or any other syscall records.

The problem you're seeing is with audit's data collection during open() calls.
When open() is called with O_CREAT, but the file exists, audit collects the
wrong inode number for the call.  I'll try to come up with a decent patch to fix
this.

Timothy R. Chavez wrote:  [Mon Jul 10 2006, 11:16:23AM EDT]
I think this is a bug.  We see audit records for a failed attempt at
writing a file (e.g. chmod -w foo, echo "bar" > foo) via redirection,
but not otherwise.

This is interesting.  You see a record for the failed attempt because the shell
tries again without the O_CREAT flag.

From strace:

open("/tmp/foo", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = -1 EACCES (Permission denied)
open("/tmp/foo", O_WRONLY|O_TRUNC|O_LARGEFILE) = -1 EACCES (Permission denied)

So you should actually see 2 open() records in the failure case.

As far as I can tell, if you have a watch on the file, you still do not see the success attempts (from an audit perspective) and you only see 1 open audit record, although you do get two different open() attempts.

Resulting strace & audit from the same action:
open("file", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = -1 EACCES (Permission denied)
open("file", O_WRONLY|O_TRUNC|O_LARGEFILE) = -1 EACCES (Permission denied)

type=SYSCALL msg=audit(1152367792.459:15443): arch=40000003 syscall=5 success=no exit=-13 a0=8dfa910 a1=8201 a2=0 a3=8201 items=1 ppid=12690 pid=12691 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="script" exe="/bin/bash" subj=root:staff_r:staff_t:s0-s15:c0.c255 key=(null)
type=CWD msg=audit(1152367792.459:15443):  cwd="/home/mcthomps"
type=PATH msg=audit(1152367792.459:15443): item=0 name="file" inode=3375168 dev=03:03 mode=0100444 ouid=500 ogid=500 rdev=00:00 obj=root:object_r:user_home_dir_t:s0



There is only 1 audit record, while there are two open attempts. This is that O_CREAT problem. Note that the audit record here does _not_ have the O_CREAT flag (0100).

If you would like to duplicate this, here are the steps to follow:
# touch file
# chmod -w file
# echo -e '#!/bin/bash\necho 123 > file' > script.sh
# chmod +x script.sh
# auditctl -w `pwd`/file
# strace -f ./script.sh


Note that you should do the script action as non-root, since root can override normal DAC permissions.

Mike


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]