* Can we audit writing to character device?
From: Tetsuo Handa @ 2014-08-04 11:58 UTC (permalink / raw)
To: linux-audit
Hello.
I tried to audit write syscall on /dev/watchdog in order to check
https://access.redhat.com/site/solutions/707563 .
I expected that I can do it using
# auditctl -a exit,always -F filetype=character -F devmajor=10 -F devminor=130 -F arch=b64 -S write -k watchdog
but it did not work (even
# auditctl -a exit,always -F filetype=character -F arch=b64 -S write -k watchdog
did not work).
Is this functionality not implemented?
Should I do
# stap -d hpwdt -e 'probe module("hpwdt").function("hpwdt_ping") { printf("%u\n", gettimeofday_ns()); }'
instead (if I can't use this functionality)?
Regards.
* Re: Can we audit writing to character device?
From: Steve Grubb @ 2014-08-04 12:39 UTC (permalink / raw)
To: linux-audit
On Monday, August 04, 2014 08:58:30 PM Tetsuo Handa wrote:
> Hello.
>
> I tried to audit write syscall on /dev/watchdog in order to check
> https://access.redhat.com/site/solutions/707563 .
>
> I expected that I can do it using
>
> # auditctl -a exit,always -F filetype=character -F devmajor=10 -F
> devminor=130 -F arch=b64 -S write -k watchdog
>
> but it did not work (even
>
> # auditctl -a exit,always -F filetype=character -F arch=b64 -S write -k
> watchdog
>
> did not work).
The rule matcher only uses the information readily at hand during a syscall.
The write syscall is
ssize_t write(int fd, const void *buf, size_t count);
You can match on anything being passed, like a0=4 or any property of the
caller. But it will not know that in this case a0 is an FD and it was opened
in another syscall and it goes to /dev/watchdog. What is more likely to work
is simply:
-a exit,always -w /dev/watchdog -p wa -k watchdog
It will detect the opening with write permissions, but not the individual
writes.
> Is this functionality not implemented?
It's too much indirection for the current system. I also don't expect that to
change.
> Should I do
>
> # stap -d hpwdt -e 'probe module("hpwdt").function("hpwdt_ping") {
> printf("%u\n", gettimeofday_ns()); }'
>
> instead (if I can't use this functionality) ?
If you have to watch writes and you know with some certainty which descriptor
the program always uses and which selinux type it uses (assuming hpwdt_t
below), you might be able to do something like:
-a exit,always -F arch=b64 -S write -F a0=4 -F subj_type=hpwdt_t
If you know the buffer size used in the program, you might add -F a2=X where X
is the buffer size to help identify writes to the correct descriptor if the
descriptor gets reused.
-Steve
* Re: Can we audit writing to character device?
From: Tetsuo Handa @ 2014-08-04 13:08 UTC (permalink / raw)
To: sgrubb, linux-audit
Steve Grubb wrote:
> The rule matcher only uses the information readily at hand during a syscall.
Ah, the rule matcher does not solve f_path.dentry->d_inode->i_mode etc. from
the FD argument. Then, I see that it is impossible.
> -a exit,always -w /dev/watchdog -p wa -k watchdog
>
> It will detect the opening with write permissions, but not the individual
> writes.
What I wanted to do is to record the timestamp of the individual writes, for
what I want to do is to determine whether watchdog NMI is raised by error or
by timeout. To determine it, I need to know when the last write syscall on
/dev/watchdog was.
> If you have to watch writes and you know with some certainty which descriptor
> the program always uses and which selinux type it uses (assuming hpwdt_t
> below), you might be able to do something like:
>
> -a exit,always -F arch=b64 -S write -F a0=4 -F subj_type=hpwdt_t
>
> If you know the buffer size used in the program, you might add -F a2=X where X
> is the buffer size to help identify writes to the correct descriptor if the
> descriptor gets reused.
Yes, I'll try a0= and a2= conditions.
Thank you.
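Added example, not part of the thread: given SYSCALL records produced by the descriptor-based rule Steve suggests (-S write -F a0=4 -F subj_type=hpwdt_t, optionally -F a2=X), this script recovers what Tetsuo is after, the timestamp of the last successful write on the watchdog descriptor. The log lines are constructed; it assumes x86_64 (syscall=1 is write), that auditd prints a0..a3 in hex, and a hypothetical process named "watchdog" running as hpwdt_t.

```python
import re

# Constructed sample of what auditd would log for
#   -a exit,always -F arch=b64 -S write -F a0=4 -F subj_type=hpwdt_t -k watchdog
# Values (pids, addresses, comm/exe) are made up for the example.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1407153600.101:201): arch=c000003e syscall=1 success=yes exit=1 a0=4 a1=7fff1234 a2=1 a3=0 items=0 ppid=1 pid=1234 uid=0 comm="watchdog" exe="/usr/sbin/watchdog" subj=system_u:system_r:hpwdt_t:s0 key="watchdog"
type=SYSCALL msg=audit(1407153660.205:202): arch=c000003e syscall=1 success=yes exit=64 a0=4 a1=7fff5678 a2=40 a3=0 items=0 ppid=1 pid=1234 uid=0 comm="watchdog" exe="/usr/sbin/watchdog" subj=system_u:system_r:hpwdt_t:s0 key="watchdog"
type=SYSCALL msg=audit(1407153720.309:203): arch=c000003e syscall=1 success=yes exit=1 a0=4 a1=7fff1234 a2=1 a3=0 items=0 ppid=1 pid=1234 uid=0 comm="watchdog" exe="/usr/sbin/watchdog" subj=system_u:system_r:hpwdt_t:s0 key="watchdog"
type=SYSCALL msg=audit(1407153780.412:204): arch=c000003e syscall=1 success=no exit=-9 a0=4 a1=7fff1234 a2=1 a3=0 items=0 ppid=1 pid=1234 uid=0 comm="watchdog" exe="/usr/sbin/watchdog" subj=system_u:system_r:hpwdt_t:s0 key="watchdog"
"""

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_TS = re.compile(r'msg=audit\((\d+)\.(\d+):(\d+)\)')


def parse_record(line):
    """Split one audit record into a dict; 'ts' is epoch seconds as a float."""
    m = _TS.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    rec["ts"] = float(f"{m.group(1)}.{m.group(2)}")
    rec["serial"] = int(m.group(3))
    return rec


def last_watchdog_write(log_text, fd=4, count=1, key="watchdog"):
    """Timestamp of the newest successful write matching fd (a0) and size (a2).

    The audit matcher cannot resolve a0 back to /dev/watchdog, so the
    descriptor number plus the buffer size stand in for the path, as Steve
    suggested. Returns None when no record matches.
    """
    latest = None
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec.get("type") != "SYSCALL" or rec.get("key") != key:
            continue
        if rec.get("syscall") != "1" or rec.get("success") != "yes":
            continue
        # a0..a3 are printed in hex without a 0x prefix
        if int(rec["a0"], 16) != fd or int(rec["a2"], 16) != count:
            continue
        if latest is None or rec["ts"] > latest:
            latest = rec["ts"]
    return latest


if __name__ == "__main__":
    print("last 1-byte write on fd 4:", last_watchdog_write(SAMPLE_LOG))
```

Comparing that timestamp with the time of the watchdog NMI tells you whether the daemon stopped pinging before the timeout fired.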