Bypassing audit's file watches
Michael C Thompson
thompsmc at us.ibm.com
Tue Jul 11 15:07:01 UTC 2006
Amy Griffis wrote:
> Steve wrote: [Mon Jul 10 2006, 07:32:26AM EDT]
>> Amy Griffis wrote:
>>> Steve wrote: [Fri Jul 07 2006, 10:58:42AM EDT]
>>>> I have found that I can modify files that are being watched and audit
>>>> not catch it (ie. no events are dispatched). When monitoring a file for
>>>> all system calls, I can:
>>>>
>>>> echo "" > /file/to/watch
>>>>
>>>> or
>>>>
>>>> cat some_file > /file/to/watch
>>>>
>>>> without generating audit events.
>>> Are you seeing the open and not the write, or no records at all?
>>> If you are missing events for open() calls, please let us know since
>>> that would be a bug (versus a lacking feature).
>> I am not seeing the open() or any other syscall records.
>
> The problem you're seeing is with audit's data collection during open() calls.
> When open() is called with O_CREAT, but the file exists, audit collects the
> wrong inode number for the call. I'll try to come up with a decent patch to fix
> this.
>
> Timothy R. Chavez wrote: [Mon Jul 10 2006, 11:16:23AM EDT]
>> I think this is a bug. We see audit records for a failed attempt at
>> writing a file (e.g. chmod -w foo, echo "bar" > foo) via redirection,
>> but not otherwise.
>
> This is interesting. You see a record for the failed attempt because the shell
> tries again without the O_CREAT flag.
>
>>From strace:
>
> open("/tmp/foo", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = -1 EACCES (Permission denied)
> open("/tmp/foo", O_WRONLY|O_TRUNC|O_LARGEFILE) = -1 EACCES (Permission denied)
>
> So you should actually see 2 open() records in the failure case.
As far as I can tell, if you have a watch on the file, you still do not
see the success attempts (from an audit perspective) and you only see 1
open audit record, although you do get two different open() attempts.
Resulting strace & audit from the same action:
open("file", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = -1 EACCES
(Permission denied)
open("file", O_WRONLY|O_TRUNC|O_LARGEFILE) = -1 EACCES (Permission denied)
type=SYSCALL msg=audit(1152367792.459:15443): arch=40000003 syscall=5
success=no exit=-13 a0=8dfa910 a1=8201 a2=0 a3=8201 items=1 ppid=12690
pid=12691 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 tty=pts1 comm="script" exe="/bin/bash"
subj=root:staff_r:staff_t:s0-s15:c0.c255 key=(null)
type=CWD msg=audit(1152367792.459:15443): cwd="/home/mcthomps"
type=PATH msg=audit(1152367792.459:15443): item=0 name="file"
inode=3375168 dev=03:03 mode=0100444 ouid=500 ogid=500 rdev=00:00
obj=root:object_r:user_home_dir_t:s0
There is only 1 audit record, while there are two open attempts. This is
that O_CREAT problem. Note that the audit record here does _not_ have
the O_CREAT flag (0100).
If you would like to duplicate this, here are the steps to follow:
# touch file
# chmod -w file
# echo -e '#!/bin/bash\necho 123 > file' > script.sh
# chmod +x script.sh
# auditctl -w `pwd`/file
# strace -f ./script.sh
Note that you should do the script action as non-root, since root can
override normal DAC permissions.
Mike
More information about the Linux-audit
mailing list