* Can we audit writing to character device?
@ 2014-08-04 11:58 Tetsuo Handa
  2014-08-04 12:39 ` Steve Grubb
  0 siblings, 1 reply; 3+ messages in thread
From: Tetsuo Handa @ 2014-08-04 11:58 UTC (permalink / raw)
  To: linux-audit

Hello.

I tried to audit write syscall on /dev/watchdog in order to check
https://access.redhat.com/site/solutions/707563 .

I expected that I can do it using

  # auditctl -a exit,always -F filetype=character -F devmajor=10 -F devminor=130 -F arch=b64 -S write -k watchdog

but it did not work (even

  # auditctl -a exit,always -F filetype=character -F arch=b64 -S write -k watchdog

did not work).

Is this functionality not implemented?

Should I do

  # stap -d hpwdt -e 'probe module("hpwdt").function("hpwdt_ping") { printf("%u\n", gettimeofday_ns()); }'

instead (if I can't use this functionality) ?

Regards.


* Re: Can we audit writing to character device?
  2014-08-04 11:58 Can we audit writing to character device? Tetsuo Handa
@ 2014-08-04 12:39 ` Steve Grubb
  2014-08-04 13:08   ` Tetsuo Handa
  0 siblings, 1 reply; 3+ messages in thread
From: Steve Grubb @ 2014-08-04 12:39 UTC (permalink / raw)
  To: linux-audit

On Monday, August 04, 2014 08:58:30 PM Tetsuo Handa wrote:
> Hello.
> 
> I tried to audit write syscall on /dev/watchdog in order to check
> https://access.redhat.com/site/solutions/707563 .
> 
> I expected that I can do it using
> 
>   # auditctl -a exit,always -F filetype=character -F devmajor=10 -F
> devminor=130 -F arch=b64 -S write -k watchdog
> 
> but it did not work (even
> 
>   # auditctl -a exit,always -F filetype=character -F arch=b64 -S write -k
> watchdog
> 
> did not work).

The rule matcher only uses the information readily at hand during a syscall. 
The write syscall is 

 ssize_t write(int fd, const void *buf, size_t count);

You can match on anything being passed, like a0=4 or any property of the 
caller. But it will not know that in this case a0 is an FD and it was opened 
in another syscall and it goes to /dev/watchdog. What is more likely to work 
is simply:

-a exit,always -w /dev/watchdog -p wa -k watchdog

It will detect the opening with write permissions, but not the individual 
writes.


> Is this functionality not implemented?

It's too much indirection for the current system. I also don't expect that to 
change.

 
> Should I do
> 
>   # stap -d hpwdt -e 'probe module("hpwdt").function("hpwdt_ping") {
> printf("%u\n", gettimeofday_ns()); }'
> 
> instead (if I can't use this functionality) ?

If you have to watch writes and you know with some certainty which descriptor 
the program always uses and which selinux type it uses (assuming hpwdt_t 
below), you might be able to do something like:

-a exit,always -F arch=b64 -S write -F a0=4 -F subj_type=hpwdt_t

If you know the buffer size used in the program, you might add -F a2=X where X 
is the buffer size to help identify writes to the correct descriptor if the 
descriptor gets reused.

-Steve


* Re: Can we audit writing to character device?
  2014-08-04 12:39 ` Steve Grubb
@ 2014-08-04 13:08   ` Tetsuo Handa
  0 siblings, 0 replies; 3+ messages in thread
From: Tetsuo Handa @ 2014-08-04 13:08 UTC (permalink / raw)
  To: sgrubb, linux-audit

Steve Grubb wrote:
> The rule matcher only uses the information readily at hand during a syscall. 

Ah, the rule matcher does not solve f_path.dentry->d_inode->i_mode etc. from
the FD argument. Then, I see that it is impossible.

> -a exit,always -w /dev/watchdog -p wa -k watchdog
> 
> It will detect the opening with write permissions, but not the individual 
> writes.

What I wanted to do is to record the timestamp of the individual writes, for
what I want to do is to determine whether watchdog NMI is raised by error or
by timeout. To determine it, I need to know when the last write syscall on
/dev/watchdog was.

> If you have to watch writes and you know with some certainty which descriptor 
> the program always uses and which selinux type it uses (assuming hpwdt_t 
> below), you might be able to do something like:
> 
> -a exit,always -F arch=b64 -S write -F a0=4 -F subj_type=hpwdt_t
> 
> If you know the buffer size used in the program, you might add -F a2=X where X 
> is the buffer size to help identify writes to the correct descriptor if the 
> descriptor gets reused.

Yes, I'll try a0= and a2= conditions.

Thank you.

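As an added illustration (not from the thread), the following Python applies the conditions of Steve's suggested rule (`-S write -F a0=4 -F a2=X -F subj_type=hpwdt_t`) to SYSCALL records offline and extracts the timestamp of the last matching write before a given NMI, which is what Tetsuo wants in order to tell a timeout from another cause. The audit records are constructed samples; fd 4, a one-byte buffer, the `hpwdt_t` type, the watchdog timeout and x86_64 syscall numbering are all assumptions.

```python
import re

# Constructed sample audit records (not real output). On x86_64 (arch=c000003e)
# syscall=1 is write; a0..a3 are the raw arguments in hex, so a0=4 is fd 4 and
# a2=1 is a one-byte buffer. Record 202 is another process that reused fd 4.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1407153490.100:201): arch=c000003e syscall=1 success=yes exit=1 a0=4 a1=7fff1234 a2=1 a3=0 items=0 ppid=1 pid=1234 uid=0 comm="watchdog" exe="/usr/sbin/watchdog" subj=system_u:system_r:hpwdt_t:s0 key="watchdog"
type=SYSCALL msg=audit(1407153490.350:202): arch=c000003e syscall=1 success=yes exit=64 a0=4 a1=7fff5678 a2=40 a3=0 items=0 ppid=1 pid=4321 uid=0 comm="logger" exe="/usr/bin/logger" subj=system_u:system_r:hpwdt_t:s0 key="watchdog"
type=SYSCALL msg=audit(1407153520.100:203): arch=c000003e syscall=1 success=yes exit=1 a0=4 a1=7fff1234 a2=1 a3=0 items=0 ppid=1 pid=1234 uid=0 comm="watchdog" exe="/usr/sbin/watchdog" subj=system_u:system_r:hpwdt_t:s0 key="watchdog"
type=SYSCALL msg=audit(1407153550.100:204): arch=c000003e syscall=1 success=yes exit=1 a0=4 a1=7fff1234 a2=1 a3=0 items=0 ppid=1 pid=1234 uid=0 comm="watchdog" exe="/usr/sbin/watchdog" subj=system_u:system_r:hpwdt_t:s0 key="watchdog"
"""

SYSCALL_RE = re.compile(r'^type=SYSCALL msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
WRITE_X86_64 = 1  # __NR_write on x86_64

def parse_record(line):
    """SYSCALL record as a dict with a float 'ts'; None for any other record type."""
    m = SYSCALL_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    fields["ts"] = float(m.group(1))
    return fields

def watchdog_writes(log_text, fd=4, buf_len=1, subj_type="hpwdt_t"):
    """Same conditions as '-S write -F a0=4 -F a2=1 -F subj_type=hpwdt_t', applied offline."""
    hits = []
    for line in log_text.splitlines():
        r = parse_record(line)
        if r is None or r.get("syscall") != str(WRITE_X86_64):
            continue
        if int(r.get("a0", "0"), 16) != fd or int(r.get("a2", "0"), 16) != buf_len:
            continue  # the a2 check is what rejects the reused descriptor
        if r.get("subj", "").split(":")[2:3] != [subj_type]:
            continue
        hits.append(r)
    return hits

def last_write_before(log_text, event_ts, **rule):
    """Timestamp of the last matching write strictly before event_ts, or None."""
    before = [r["ts"] for r in watchdog_writes(log_text, **rule) if r["ts"] < event_ts]
    return max(before) if before else None

def classify_nmi(event_ts, last_ts, timeout_s):
    """'timeout' if the watchdog interval had expired before the NMI, else 'error'."""
    return "timeout" if last_ts is None or event_ts - last_ts >= timeout_s else "error"
```

With a real log, feed `ausearch -k watchdog --raw` output to `watchdog_writes` and the NMI time (from the kernel log) to `last_write_before`.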
