Auditing failures for files in protected directories - Lockheed Martin Proprietary/Export Controlled Information

Steve Grubb sgrubb at redhat.com
Mon Apr 18 18:29:21 UTC 2011


On Monday, April 18, 2011 02:09:02 PM Call, Tom H wrote:
> Hi, we have what I think is a new but undesirable result trying to audit
> access failures on files in a NISPOM audit configuration. We are not
> seeing audit events for the access failures if the file has a parent
> directory in the path that blocks access.

This is by design. The problem is in path resolution: if it's blocked by a permission 
check, then the path name was never fully resolved. Therefore an access attempt never 
really occurred. This is because the path name does not exist as a string inside the 
kernel. A watch is converted into the inode's number and that is what is watched. I 
think it is possible to place a watch on the directory and then see the failed access 
of that directory.

But I did manage to get a bug filed that should help this in the future:
https://bugzilla.redhat.com/show_bug.cgi?id=661402

-Steve


> Example:
> Directory              Permission
> /var                   755
> /var/test              755
> /var/test/bin          700
> /var/test/bin/file     740
> 
> If an unprivileged user attempts to change /var/test/bin/file there is no
> audit event recorded, either for the file or the parent directory
> /var/test/bin. Our theory is that the failure to open the /var/test/bin
> directory causes the audit path to be broken, or something to the like,
> please excuse my terminology faux pas. This is happening on the following
> configuration:
> 
> - Kernel - 2.6.18-238.5.1.el5
> - Auditd - 1.7.18-2.el5
> 
> We have tried the following auditd rules (among others), no change in
> result:
> 
> - -w /var/test/bin/file -p rwxa
> - -a exit,always -S open -F path=/var/test/bin/file -F success=0
> - -a exit,always -S open -R dir=/var/test/ -F success=0
> 
> And this is something new: we have been using watches to audit this file
> for years with previous kernel and auditd versions, such as:
> 
> - Kernel - 2.6.9-100.ELsmp
> - Auditd - 1.0.16-4.el4_8.1
> 
> On this system we get audit events for access failures using a simple file
> watch.
> 
> Are we missing something obvious?
> Thanks for any help!
> 
> Tom Call, LMCO
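A small model of what Steve describes, added here as an illustration and not code from the thread or from the audit project: it walks the path from Tom's table component by component, stops at the first permission denial, and reports which watched inode the walk actually reached. The root ownership of every entry and the unprivileged uid 1000 are assumptions; group permissions, ACLs and capabilities are not modelled.

```python
# Constructed model of the tree in Tom's table: every entry owned by root (uid 0)
# with the listed mode. Group permissions, ACLs and capabilities are not modelled.
TREE = {
    "/var": 0o755,
    "/var/test": 0o755,
    "/var/test/bin": 0o700,
    "/var/test/bin/file": 0o740,
}
OWNER_UID = 0  # assumption: everything is owned by root


def watched_paths(rules):
    """Collect the paths named by '-w <path>' or '-F path=<path>' in auditctl rules."""
    paths = set()
    for rule in rules:
        toks = rule.split()
        for i, tok in enumerate(toks[:-1]):
            if tok == "-w":
                paths.add(toks[i + 1])
            elif tok == "-F" and toks[i + 1].startswith("path="):
                paths.add(toks[i + 1][len("path="):])
    return paths


def bits_for(mode, uid):
    """rwx triple that applies to uid: owner bits for the owner, 'other' bits otherwise."""
    return (mode >> 6) & 0o7 if uid == OWNER_UID else mode & 0o7


def walk(path, uid, want_write, tree=TREE, watches=frozenset()):
    """Model the kernel path walk: each intermediate directory needs search (x), the
    final component needs w (write open) or r (read open). Returns where the walk
    stopped and which watched inode was reached there; a watch on an inode the walk
    never reached has nothing to report, which is Steve's point."""
    parts = path.strip("/").split("/")
    cur = ""
    for i, part in enumerate(parts):
        cur += "/" + part
        if cur not in tree:
            return {"resolved": False, "denied_at": cur, "audited": []}
        last = i == len(parts) - 1
        needed = (0o2 if want_write else 0o4) if last else 0o1
        if not bits_for(tree[cur], uid) & needed:
            # Denied here: only a watch on this inode can record the failure.
            return {"resolved": last, "denied_at": cur, "audited": [w for w in watches if w == cur]}
    return {"resolved": True, "denied_at": None, "audited": [w for w in watches if w == path]}


def thread_scenario(uid=1000):
    """Tom's rule (watch on the file) versus Steve's suggestion (watch on the directory)."""
    reported = walk("/var/test/bin/file", uid, True, watches=watched_paths(["-w /var/test/bin/file -p rwxa"]))
    suggested = walk("/var/test/bin/file", uid, True, watches={"/var/test/bin"})
    return reported, suggested
```

With the file watch alone the walk is denied at /var/test/bin and nothing watched is reached; with a watch on that directory the denial lands on a watched inode, and once the directory is traversable the file's own watch sees the EACCES on the file.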




More information about the Linux-audit mailing list