Hi,

 

I have found a weird behavior in auditd. File “/abc” does not exist.

 

audit.rules:

-a always,exit -F arch=b32 -S open -S openat

-a always,exit -F arch=b64 -S open -S openat

 

A non-root user executes “echo > /abc”, it doesn’t get logged in audit.log. Same with “echo > /etc/abc”

A non-root user executes “cat /abc”, it gets logged in audit.log

 

Since auditd is monitoring all the open and openat syscalls, ideally both the cases (i.e. read and write) should have be logged.

 

After I execute “chmod a+w /” then “chmod a-w /”, if a non-root user executes “echo > /abc”, then it gets logged in audit.log.

 

This looks like a bug to me. Kindly let me know if it’s a bug or an intended feature.

 

System used to test: Linux 5.4.0-56-generic #62-Ubuntu SMP x86_64 x86_64 x86_64 GNU/Linux

 

Regards,

Shourya Jaiswal