From: Max Williams
Subject: Auditing the "chattr" command (ioctl syscall?)
Date: Wed, 24 Aug 2011 13:57:13 +0000
To: linux-audit@redhat.com

Hi,

I would like to be able to audit the syscalls that the chattr command uses but I'm not having much luck.

In an effort to see the syscalls used, I created a rule to log all syscalls, like this:

# auditctl -a exit,always -F path=/root/file

Then run this:

# chattr +i /root/file

This produces a series of two syscalls in the logs, 6 (sys_newlstat) and 2 (sys_open):

node=localhost.localdomain type=SYSCALL msg=audit(1314189320.335:53158): arch=c000003e syscall=6 success=yes exit=0 a0=7ffff0f8886c a1=7ffff0f88250 a2=7ffff0f88250 a3=1 items=1 ppid=15560 pid=15745 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1198 comm="chattr" exe="/usr/bin/chattr" key=(null)

node=localhost.localdomain type=SYSCALL msg=audit(1314189320.335:53160): arch=c000003e syscall=2 success=yes exit=3 a0=7ffff0f8886c a1=800 a2=7ffff0f88170 a3=1 items=1 ppid=15560 pid=15745 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1198 comm="chattr" exe="/usr/bin/chattr" key=(null)

I don't think these are the syscalls I want to audit; they would be far too frequent. I also noticed when I run strace on the chattr command it looks like it uses ioctl, e.g.:

ioctl(3, EXT2_IOC_SETFLAGS, 0x7fff0314cf3c)

What audit rule could I use to achieve this? Is it a combination of specifying syscall 6 or 2 with some of a0, a1 or a2? Or is this not possible?

I've tried auditing file attribute changes (auditctl -a exit,always -F arch=b64 -p a) but it does not work.

Many thanks,
Max Williams
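Added example, not part of the original message: a small Python decoder for the two SYSCALL records quoted above. It names the syscall numbers for arch=c000003e (x86_64), decodes the open(2) flags word in a1 (800 is O_RDONLY|O_NONBLOCK, so the second record is chattr opening the file read-only before the ioctl), and computes the request code the kernel's _IOC macro assigns EXT2_IOC_SETFLAGS, which is the value the a1 field of an ioctl record carries; the RECORDS sample and the flag tables are constructed here, and the 64-bit request value assumes a kernel where long is 8 bytes.

```python
import re

# Two SYSCALL records copied from the post above (constructed sample input).
RECORDS = """\
node=localhost.localdomain type=SYSCALL msg=audit(1314189320.335:53158): arch=c000003e syscall=6 success=yes exit=0 a0=7ffff0f8886c a1=7ffff0f88250 a2=7ffff0f88250 a3=1 items=1 ppid=15560 pid=15745 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1198 comm="chattr" exe="/usr/bin/chattr" key=(null)
node=localhost.localdomain type=SYSCALL msg=audit(1314189320.335:53160): arch=c000003e syscall=2 success=yes exit=3 a0=7ffff0f8886c a1=800 a2=7ffff0f88170 a3=1 items=1 ppid=15560 pid=15745 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1198 comm="chattr" exe="/usr/bin/chattr" key=(null)
"""

X86_64_ARCH = "c000003e"                      # AUDIT_ARCH_X86_64 as printed in arch=
X86_64_SYSCALLS = {2: "open", 6: "lstat", 16: "ioctl"}
# open(2) flag bits on x86 (asm-generic/fcntl.h); O_RDONLY is access mode 0.
OPEN_FLAGS = {0x1: "O_WRONLY", 0x2: "O_RDWR", 0x40: "O_CREAT",
              0x800: "O_NONBLOCK", 0x20000: "O_NOFOLLOW", 0x80000: "O_CLOEXEC"}
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into key/value pairs; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}

def decode_open_flags(a1_hex):
    """a1 of open(2) is the flags word, printed in hex without a 0x prefix."""
    flags = int(a1_hex, 16)
    names = [name for bit, name in OPEN_FLAGS.items() if flags & bit]
    if flags & 0x3 == 0:
        names.insert(0, "O_RDONLY")
    return names

def ioctl_request(direction, type_char, nr, size):
    """Kernel _IOC() encoding (asm-generic/ioctl.h): dir<<30 | size<<16 | type<<8 | nr."""
    return (direction << 30) | (size << 16) | (ord(type_char) << 8) | nr

# EXT2_IOC_SETFLAGS is _IOW('f', 2, long); _IOC_WRITE is 1 and long is 8 bytes on x86_64.
EXT2_IOC_SETFLAGS_64 = ioctl_request(1, "f", 2, 8)

def summarize(rec):
    """Name the syscall and decode the argument fields relevant to a chattr audit."""
    if rec.get("arch") != X86_64_ARCH:
        raise ValueError("only x86_64 syscall numbers are known here")
    nr = int(rec["syscall"])
    out = {"syscall": X86_64_SYSCALLS.get(nr, str(nr)), "success": rec["success"],
           "exit": int(rec["exit"].split("(")[0]),   # failures look like exit=-13(EACCES)
           "comm": rec["comm"]}
    if nr == 2:
        out["flags"] = decode_open_flags(rec["a1"])
    elif nr == 16:   # for an ioctl record, a1 is the request code an -F a1= filter compares
        out["is_setflags"] = int(rec["a1"], 16) == EXT2_IOC_SETFLAGS_64
    return out

if __name__ == "__main__":
    for line in RECORDS.splitlines():
        print(summarize(parse_record(line)))
```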