* Possible regression
From: 4javier @ 2011-06-02 12:48 UTC
  To: linux-audit

I'm noticing exactly the same problem mentioned in this old message:
http://osdir.com/ml/linux.redhat.security.audit/2006-07/msg00036.html
The workaround consisting of watching the whole directory containing the file
works too. I've found that in 2006 a patch was submitted to solve the
issue:
http://www.mail-archive.com/linux-audit@redhat.com/msg00476.html

Is this a recent regression, or is there something I don't know?

Arch Linux
audit 2.1.1
kernel 2.6.38.7
i686 architecture

Thanks in advance

* Re: Possible regression
From: Steve Grubb @ 2011-06-02 13:21 UTC
  To: linux-audit

On Thursday, June 02, 2011 08:48:30 AM 4javier wrote:
> I'm noticing exactly the same problem mentioned into this old message
> http://osdir.com/ml/linux.redhat.security.audit/2006-07/msg00036.html
> Workaround consisting into watching the whole directory containing the file
> works too. I've found that into 2006 a patch was submitted to solve the
> issue
> http://www.mail-archive.com/linux-audit@redhat.com/msg00476.html
> 
> Is this a recent regression, or is there something I don't know?

I just ran the test from that email and got the following:

[root@localhost ~]# touch /tmp/test
[root@localhost ~]# auditctl -a always,exit -F path=/tmp/test -F perm=rwa -k watch
[root@localhost ~]#  echo "" > /tmp/test
[root@localhost ~]# cat /tmp/test 

[root@localhost ~]# ausearch --start recent --key watch -i
----
type=CONFIG_CHANGE msg=audit(06/02/2011 09:15:49.790:124) : auid=sgrubb ses=2 
subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 op="add rule" key=watch 
list=exit res=1 
----
type=PATH msg=audit(06/02/2011 09:15:56.970:125) : item=0 name=/tmp/test inode=164740 
dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 
obj=unconfined_u:object_r:user_tmp_t:s0 
type=CWD msg=audit(06/02/2011 09:15:56.970:125) :  cwd=/root 
type=SYSCALL msg=audit(06/02/2011 09:15:56.970:125) : arch=x86_64 syscall=open 
success=yes exit=3 a0=28cadd0 a1=241 a2=1b6 a3=0 items=1 ppid=1634 pid=1640 
auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root 
fsgid=root tty=pts1 ses=2 comm=bash exe=/bin/bash 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=watch 
----
type=PATH msg=audit(06/02/2011 09:16:08.850:126) : item=0 name=/tmp/test inode=164740 
dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 
obj=unconfined_u:object_r:user_tmp_t:s0 
type=CWD msg=audit(06/02/2011 09:16:08.850:126) :  cwd=/root 
type=SYSCALL msg=audit(06/02/2011 09:16:08.850:126) : arch=x86_64 syscall=open 
success=yes exit=3 a0=7fffd7a8f943 a1=0 a2=0 a3=32d80819d0 items=1 ppid=1640 pid=1659 
auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root 
fsgid=root tty=pts1 ses=2 comm=cat exe=/bin/cat 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=watch 
[root@localhost ~]# uname -r
2.6.38.6-26.rc1.fc15.x86_64

We have 2 events. Are you getting this? Is something missing?

-Steve

* Fwd: Possible regression
From: 4javier @ 2011-06-02 13:46 UTC
  To: linux-audit

---------- Forwarded message ----------
From: 4javier <4javiereg4@gmail.com>
Date: 2011/6/2
Subject: Re: Possible regression
To: Steve Grubb <sgrubb@redhat.com>


You're right... sorry, my fault...
I didn't use the -a switch. I read the man page, but I cannot understand how this
setting is able to fix the problem with O_CREAT.
Could you explain that to me, please?


2011/6/2 Steve Grubb <sgrubb@redhat.com>

> On Thursday, June 02, 2011 08:48:30 AM 4javier wrote:
> > I'm noticing exactly the same problem mentioned into this old message
> > http://osdir.com/ml/linux.redhat.security.audit/2006-07/msg00036.html
> > Workaround consisting into watching the whole directory containing the
> file
> > works too. I've found that into 2006 a patch was submitted to solve the
> > issue
> > http://www.mail-archive.com/linux-audit@redhat.com/msg00476.html
> >
> > Is this a recent regression, or is there something I don't know?
>
> I just ran the test from that email and got the following:
>
> [root@localhost ~]# touch /tmp/test
> [root@localhost ~]# auditctl -a always,exit -F path=/tmp/test -F perm=rwa
> -k watch
> [root@localhost ~]#  echo "" > /tmp/test
> [root@localhost ~]# cat /tmp/test
>
> [root@localhost ~]# ausearch --start recent --key watch -i
> ----
> type=CONFIG_CHANGE msg=audit(06/02/2011 09:15:49.790:124) : auid=sgrubb
> ses=2
> subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 op="add rule"
> key=watch
> list=exit res=1
> ----
> type=PATH msg=audit(06/02/2011 09:15:56.970:125) : item=0 name=/tmp/test
> inode=164740
> dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
> obj=unconfined_u:object_r:user_tmp_t:s0
> type=CWD msg=audit(06/02/2011 09:15:56.970:125) :  cwd=/root
> type=SYSCALL msg=audit(06/02/2011 09:15:56.970:125) : arch=x86_64
> syscall=open
> success=yes exit=3 a0=28cadd0 a1=241 a2=1b6 a3=0 items=1 ppid=1634 pid=1640
> auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root
> sgid=root
> fsgid=root tty=pts1 ses=2 comm=bash exe=/bin/bash
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=watch
> ----
> type=PATH msg=audit(06/02/2011 09:16:08.850:126) : item=0 name=/tmp/test
> inode=164740
> dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
> obj=unconfined_u:object_r:user_tmp_t:s0
> type=CWD msg=audit(06/02/2011 09:16:08.850:126) :  cwd=/root
> type=SYSCALL msg=audit(06/02/2011 09:16:08.850:126) : arch=x86_64
> syscall=open
> success=yes exit=3 a0=7fffd7a8f943 a1=0 a2=0 a3=32d80819d0 items=1
> ppid=1640 pid=1659
> auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root
> sgid=root
> fsgid=root tty=pts1 ses=2 comm=cat exe=/bin/cat
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=watch
> [root@localhost ~]# uname -r
> 2.6.38.6-26.rc1.fc15.x86_64
>
> We have 2 events. Are you getting this? Is something missing?
>
> -Steve
>

* Re: Possible regression
From: Steve Grubb @ 2011-06-02 13:59 UTC
  To: 4javier, linux-audit

On Thursday, June 02, 2011 09:45:38 AM you wrote:
> you're right...sorry for my fault...
> I didn't use the -a switch. I read the man, but I cannot understand how
> this settings is able to fix the problem with O_CREAT.
> Could you explain that to me, please?

As far as I know, the problem was fixed in 2006 and there has been no regression. The
-w command is translated into -a always,exit -F path= under the hood. It's been this way
since watches were deprecated around 2005/2006.

How were you testing? You might have found a bug and I just don't know how to 
reproduce it.

-Steve

* Fwd: Possible regression
From: 4javier @ 2011-06-02 18:14 UTC
  To: linux-audit

---------- Forwarded message ----------
From: 4javier <4javiereg4@gmail.com>
Date: 2011/6/2
Subject: Re: Possible regression
To: Steve Grubb <sgrubb@redhat.com>


root@Archbox /home/javier $ touch /tmp/test
root@Archbox /home/javier $ cat /tmp/test
root@Archbox /home/javier $ auditctl -w /tmp/test -p wa
root@Archbox /home/javier $ echo ppp >> /tmp/test
root@Archbox /home/javier $ cat /tmp/test
ppp
root@Archbox /home/javier $ ausearch -i -f /tmp/test
<no matches>
root@Archbox /home/javier $ auditctl -l
LIST_RULES: exit,always watch=/tmp/test perm=wa
root@Archbox /home/javier $ echo ppp > /tmp/test
root@Archbox /home/javier $ ausearch -i -f /tmp/test
<no matches>
root@Archbox /home/javier $ ausearch -f /tmp/test
<no matches>

As you can see from the auditctl -l output, the rule seems to be correctly set, but
ausearch doesn't show anything.
2011/6/2 Steve Grubb <sgrubb@redhat.com>

> On Thursday, June 02, 2011 09:45:38 AM you wrote:
> > you're right...sorry for my fault...
> > I didn't use the -a switch. I read the man, but I cannot understand how
> > this settings is able to fix the problem with O_CREAT.
> > Could you explain that to me, please?
>
> As far as I know, the problem was fixed in 2006 and there has been no
> regression. The -
> w command is translated into -a always,exit -F path= under the hood. Its
> been this way
> since watches were deprecated around 2005/2006.
>
> How were you testing? You might have found a bug and I just don't know how
> to
> reproduce it.
>
> -Steve
>

* Re: Possible regression
From: Steve Grubb @ 2011-06-02 18:40 UTC
  To: 4javier, linux-audit

On Thursday, June 02, 2011 12:41:41 PM 4javier wrote:
> root@Archbox /home/javier $ touch /tmp/test
> root@Archbox /home/javier $ cat /tmp/test
> root@Archbox /home/javier $ auditctl -w /tmp/test -p wa
> root@Archbox /home/javier $ echo ppp >> /tmp/test
> root@Archbox /home/javier $ cat /tmp/test
> ppp
> root@Archbox /home/javier $ ausearch -i -f /tmp/test
> <no matches>
> root@Archbox /home/javier $ auditctl -l
> LIST_RULES: exit,always watch=/tmp/test perm=wa
> root@Archbox /home/javier $ echo ppp > /tmp/test
> root@Archbox /home/javier $ ausearch -i -f /tmp/test
> <no matches>
> root@Archbox /home/javier $ ausearch -f /tmp/test
> <no matches>
> 
> As you can see from auditcrl -l output, rule seems to be correctly set, but
> ausearch doesn't show anything.

I duplicated your tests here:
[root@localhost ~]# auditctl -w /tmp/test -p wa -k watch
[root@localhost ~]# echo "ppp" >> /tmp/test 
[root@localhost ~]# cat /tmp/test 

ppp
[root@localhost ~]# ausearch --start recent -i -f /tmp/test 
----
type=PATH msg=audit(06/02/2011 14:32:45.146:112) : item=0 name=/tmp/test inode=164740 
dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 
obj=unconfined_u:object_r:user_tmp_t:s0 
type=CWD msg=audit(06/02/2011 14:32:45.146:112) :  cwd=/root 
type=SYSCALL msg=audit(06/02/2011 14:32:45.146:112) : arch=x86_64 syscall=open 
success=yes exit=3 a0=1842830 a1=441 a2=1b6 a3=0 items=1 ppid=1298 pid=1304 
auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root 
fsgid=root tty=pts0 ses=1 comm=bash exe=/bin/bash 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=watch

Admittedly I am on the 2.6.38.6 kernel. But I'm not seeing a regression. When you set 
the perms to "wa" that is only going to be opens for writing or changes to file 
attributes. So, the cat command will not trigger an event and that is why I only get 1 
event. I am also on a 64 bit system, but I would think that didn't matter...unless we 
have a signed/unsigned comparison problem...what do you have for an inode on the 
/tmp/watch file? ls -i /tmp/watch should get it.

-Steve
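
As an added example, not part of this thread and not audit's own code: a small Python script that groups the ausearch -i records quoted in Steve's two test runs above into events by serial number, decodes the open(2) flags that ausearch prints in a1 (0x241 is O_WRONLY|O_CREAT|O_TRUNC for bash's `>`, 0x441 is O_WRONLY|O_CREAT|O_APPEND for `>>`, 0 is O_RDONLY for cat), and reports which of those events a watch with -p wa versus -p rwa would record. It models only the O_ACCMODE check for open() (an assumption made for this example; the kernel's perm filter also covers other syscalls, attribute changes and exec) and writes out the -w to -a always,exit -F path= translation in the form Steve describes. The sample records are constructed from the output quoted in the thread, trimmed to one line each and to the fields used here.

```python
"""Group ausearch -i records into events and decide which ones an audit
watch with a given permission filter (-p / -F perm=) would have recorded."""
import re
from collections import defaultdict

# Constructed sample: the ausearch -i records quoted in the thread
# (serials 125, 126 and 112), one record per line, trimmed to the
# fields this example uses.
SAMPLE_RECORDS = """\
type=SYSCALL msg=audit(06/02/2011 09:15:56.970:125) : arch=x86_64 syscall=open success=yes exit=3 a0=28cadd0 a1=241 a2=1b6 a3=0 items=1 ppid=1634 pid=1640 auid=sgrubb uid=root comm=bash exe=/bin/bash key=watch
type=PATH msg=audit(06/02/2011 09:15:56.970:125) : item=0 name=/tmp/test inode=164740 dev=fd:01 mode=file,644 ouid=root ogid=root
type=SYSCALL msg=audit(06/02/2011 09:16:08.850:126) : arch=x86_64 syscall=open success=yes exit=3 a0=7fffd7a8f943 a1=0 a2=0 a3=32d80819d0 items=1 ppid=1640 pid=1659 auid=sgrubb uid=root comm=cat exe=/bin/cat key=watch
type=PATH msg=audit(06/02/2011 09:16:08.850:126) : item=0 name=/tmp/test inode=164740 dev=fd:01 mode=file,644 ouid=root ogid=root
type=SYSCALL msg=audit(06/02/2011 14:32:45.146:112) : arch=x86_64 syscall=open success=yes exit=3 a0=1842830 a1=441 a2=1b6 a3=0 items=1 ppid=1298 pid=1304 auid=sgrubb uid=root comm=bash exe=/bin/bash key=watch
type=PATH msg=audit(06/02/2011 14:32:45.146:112) : item=0 name=/tmp/test inode=164740 dev=fd:01 mode=file,644 ouid=root ogid=root
"""

# "type=X msg=audit(<timestamp>:<serial>) : <key=value ...>"
RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<stamp>.+?):(?P<serial>\d+)\) : (?P<body>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# x86_64 open(2) flag values from <asm-generic/fcntl.h> (octal, as in the header).
O_ACCMODE, O_RDONLY, O_WRONLY, O_RDWR = 0o3, 0o0, 0o1, 0o2
O_CREAT, O_TRUNC, O_APPEND = 0o100, 0o1000, 0o2000
ACCMODE_NAMES = {O_RDONLY: "O_RDONLY", O_WRONLY: "O_WRONLY", O_RDWR: "O_RDWR"}
OTHER_FLAGS = [(O_CREAT, "O_CREAT"), (O_TRUNC, "O_TRUNC"), (O_APPEND, "O_APPEND")]


def parse_records(text):
    """Group records by event serial: {serial: {record type: {field: value}}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # not an ausearch record (e.g. the "----" separator)
        fields = dict(FIELD_RE.findall(m.group("body")))
        events[int(m.group("serial"))][m.group("type")] = fields
    return dict(events)


def describe_open_flags(a1_hex):
    """Name the bits in the a1 argument of open(); ausearch prints it in hex."""
    flags = int(a1_hex, 16)
    names = [ACCMODE_NAMES.get(flags & O_ACCMODE, "O_ACCMODE?")]
    names += [name for bit, name in OTHER_FLAGS if flags & bit]
    return "|".join(names)


def open_access(a1_hex):
    """Access class the perm filter checks for open(): {'r'}, {'w'} or both.
    Assumption of this example: only O_ACCMODE matters; O_CREAT/O_TRUNC/
    O_APPEND do not turn a read-only open into a write."""
    flags = int(a1_hex, 16)
    return {O_RDONLY: {"r"}, O_WRONLY: {"w"}, O_RDWR: {"r", "w"}}.get(
        flags & O_ACCMODE, {"r", "w"})


def events_matching(events, path, perms):
    """Serials of open() events on `path` that a watch with -p <perms> records."""
    hits = []
    for serial, recs in sorted(events.items()):
        sc, pa = recs.get("SYSCALL", {}), recs.get("PATH", {})
        if sc.get("syscall") != "open" or pa.get("name") != path:
            continue
        if open_access(sc["a1"]) & set(perms):
            hits.append(serial)
    return hits


def watch_to_rule(path, perms, key=None):
    """The -w/-p watch written out in the -a always,exit form it maps to."""
    rule = f"-a always,exit -F path={path} -F perm={perms}"
    return rule + (f" -k {key}" if key else "")


def summarize(text=SAMPLE_RECORDS):
    """One line per event: serial, command, path and decoded open flags."""
    lines = []
    for serial, recs in sorted(parse_records(text).items()):
        sc, pa = recs["SYSCALL"], recs["PATH"]
        lines.append(f"{serial}: {sc['comm']} open({pa['name']}, "
                     f"{describe_open_flags(sc['a1'])})")
    return lines


if __name__ == "__main__":
    for line in summarize():
        print(line)
    evs = parse_records(SAMPLE_RECORDS)
    print("watch -p wa  records:", events_matching(evs, "/tmp/test", "wa"))
    print("watch -p rwa records:", events_matching(evs, "/tmp/test", "rwa"))
    print(watch_to_rule("/tmp/test", "wa", "watch"))
```

Run as-is it lists the three opens and shows that with -p wa only the two bash opens (serials 125 and 112) are recorded while the cat open (serial 126, O_RDONLY) is not, which is the behaviour Steve describes; with -p rwa all three match. Feeding it real `ausearch -i` output for a watched path is a quick way to check whether "no matches" means the rule is not firing or merely that the access class is outside the perm filter.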

* Re: Possible regression
From: 4javier @ 2011-06-02 20:11 UTC
  To: Steve Grubb; +Cc: linux-audit

Both ls -i and stat return 252 as the inode for /tmp/test (I considered your
/tmp/watch a typo).
I also tried to add read permission to the watch and execute a cat on the
file, but not even that gets recognized by audit.

2011/6/2 Steve Grubb <sgrubb@redhat.com>

> On Thursday, June 02, 2011 12:41:41 PM 4javier wrote:
> > root@Archbox /home/javier $ touch /tmp/test
> > root@Archbox /home/javier $ cat /tmp/test
> > root@Archbox /home/javier $ auditctl -w /tmp/test -p wa
> > root@Archbox /home/javier $ echo ppp >> /tmp/test
> > root@Archbox /home/javier $ cat /tmp/test
> > ppp
> > root@Archbox /home/javier $ ausearch -i -f /tmp/test
> > <no matches>
> > root@Archbox /home/javier $ auditctl -l
> > LIST_RULES: exit,always watch=/tmp/test perm=wa
> > root@Archbox /home/javier $ echo ppp > /tmp/test
> > root@Archbox /home/javier $ ausearch -i -f /tmp/test
> > <no matches>
> > root@Archbox /home/javier $ ausearch -f /tmp/test
> > <no matches>
> >
> > As you can see from auditcrl -l output, rule seems to be correctly set,
> but
> > ausearch doesn't show anything.
>
> I duplicated your tests here:
> [root@localhost ~]# auditctl -w /tmp/test -p wa -k watch
> [root@localhost ~]# echo "ppp" >> /tmp/test
> [root@localhost ~]# cat /tmp/test
>
> ppp
> [root@localhost ~]# ausearch --start recent -i -f /tmp/test
> ----
> type=PATH msg=audit(06/02/2011 14:32:45.146:112) : item=0 name=/tmp/test
> inode=164740
> dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
> obj=unconfined_u:object_r:user_tmp_t:s0
> type=CWD msg=audit(06/02/2011 14:32:45.146:112) :  cwd=/root
> type=SYSCALL msg=audit(06/02/2011 14:32:45.146:112) : arch=x86_64
> syscall=open
> success=yes exit=3 a0=1842830 a1=441 a2=1b6 a3=0 items=1 ppid=1298 pid=1304
> auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root
> sgid=root
> fsgid=root tty=pts0 ses=1 comm=bash exe=/bin/bash
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=watch
>
> Admittedly I am on the 2.6.38.6 kernel. But I'm not seeing a regression.
> When you set
> the perms to "wa" that is only going to be opens for writing or changes to
> file
> attributes. So, the cat command will not trigger an event and that is why I
> only get 1
> event. I am also on a 64 bit system, but I would think that didn't
> matter...unless we
> have a signed/unsigned comparison problem...what do you have for an inode
> on the
> /tmp/watch file? ls -i /tmp/watch should get it.
>
> -Steve
>
