kernel.34 and audit-0.7.4

Loulwa Salem loulwas at us.ibm.com
Tue May 10 18:42:58 UTC 2005


I just tried the latest kernel and audit. I am seeing some problems 
regarding missing watch records. The kernel also seems to hang!

I tried twice, and got the same results. Also, after doing a mv on the 
file, the system hangs (all windows hang, and I have to force-reboot it).

Here is what I tried:
[root at comp1 objident]# auditctl -w /tmp/file1 -k file1-key
No rules
AUDIT_WATCH_LIST: dev=253:0, path=/tmp/file1, filterkey=file1-key, 
perms=0, valid=1
[root at comp1 objident]# touch /tmp/file1
[root at comp1 objident]# auditctl -w /tmp/file2 -k file2-key
No rules
AUDIT_WATCH_LIST: dev=253:0, path=/tmp/file2, filterkey=file2-key, 
perms=0, valid=1
AUDIT_WATCH_LIST: dev=253:0, path=/tmp/file1, filterkey=file1-key, 
perms=0, valid=1
[root at comp1 objident]# touch /tmp/file2
[root at comp1 objident]# echo "test" >> /tmp/file1
[root at comp1 objident]# cat /tmp/file1
test
[root at comp1 objident]# echo "test file2" >> /tmp/file2
[root at comp1 objident]# cat /tmp/file2
test file2
[root at comp1 objident]# mv /tmp/file1 /tmp/foo
mv: overwrite `/tmp/foo'? y


I only see two records corresponding to the touch on both watched 
files. The records also seem to be in a different order than before 
(backwards):
type=DAEMON msg=audit(1115727149.996:751) auditd start, ver=0.7.4, 
format=raw, uid=514, auditd pid=2795
Init complete, audit pid set to: 2795
type=KERNEL msg=audit(1115727150.199:0): audit_enabled=1 old=1 by auid 514
type=KERNEL msg=audit(1115727176.862:367655): syscall=5 arch=40000003 
success=yes exit=3 a0=bff21c18 a1=8941 a2=1b6 a3=8941 items=1 pid=2798 
loginuid=514 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
comm="touch" exe=/bin/touch
type=KERNEL msg=audit(1115727176.862:367655): auxitem=1 watch="file1" 
filterkey=file1-key perm=0 perm_mask=2 inode=2224526 inode_uid=0 
inode_gid=0 inode_dev=fd:00 inode_rdev=00:00
type=KERNEL msg=audit(1115727176.862:367655): item=0 name="/tmp/file1" 
inode=2223873 dev=fd:00 mode=041777 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1115727221.850:371646): syscall=5 arch=40000003 
success=yes exit=3 a0=bffd1c18 a1=8941 a2=1b6 a3=8941 items=1 pid=2800 
loginuid=514 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
comm="touch" exe=/bin/touch
type=KERNEL msg=audit(1115727221.850:371646): auxitem=1 watch="file2" 
filterkey=file2-key perm=0 perm_mask=2 inode=2224528 inode_uid=0 
inode_gid=0 inode_dev=fd:00 inode_rdev=00:00
type=KERNEL msg=audit(1115727221.850:371646): item=0 name="/tmp/file2" 
inode=2223873 dev=fd:00 mode=041777 uid=0 gid=0 rdev=00:00

- loulwa
More information about the Linux-audit mailing list
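The raw records quoted in the report can be checked mechanically for exactly the gap it describes. The script below is an added example, not part of the post or of the audit package: it parses audit-0.7.4 raw-format lines, groups them by serial, reports which commands hit each filterkey, and lists the expected commands that left no watch record. The record text is copied from the post and re-joined onto one line per record; the table of expected commands is an assumption built from the shell session in the post, including the guess that the `>>` append would appear with comm="bash" (the prompt does not name the shell). It also flags path items whose mode field is a directory mode (041777 in these records) while the inode differs from the one in the watch record, since such an item describes the parent directory rather than the watched file.

```python
import re
from collections import defaultdict

# Records from the post (kernel audit, audit-0.7.4, format=raw), re-joined
# one record per line. Only two syscall events are present even though
# touch, an append, cat and mv all acted on the watched files.
SAMPLE_LOG = """\
type=DAEMON msg=audit(1115727149.996:751) auditd start, ver=0.7.4, format=raw, uid=514, auditd pid=2795
Init complete, audit pid set to: 2795
type=KERNEL msg=audit(1115727150.199:0): audit_enabled=1 old=1 by auid 514
type=KERNEL msg=audit(1115727176.862:367655): syscall=5 arch=40000003 success=yes exit=3 a0=bff21c18 a1=8941 a2=1b6 a3=8941 items=1 pid=2798 loginuid=514 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="touch" exe=/bin/touch
type=KERNEL msg=audit(1115727176.862:367655): auxitem=1 watch="file1" filterkey=file1-key perm=0 perm_mask=2 inode=2224526 inode_uid=0 inode_gid=0 inode_dev=fd:00 inode_rdev=00:00
type=KERNEL msg=audit(1115727176.862:367655): item=0 name="/tmp/file1" inode=2223873 dev=fd:00 mode=041777 uid=0 gid=0 rdev=00:00
type=KERNEL msg=audit(1115727221.850:371646): syscall=5 arch=40000003 success=yes exit=3 a0=bffd1c18 a1=8941 a2=1b6 a3=8941 items=1 pid=2800 loginuid=514 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="touch" exe=/bin/touch
type=KERNEL msg=audit(1115727221.850:371646): auxitem=1 watch="file2" filterkey=file2-key perm=0 perm_mask=2 inode=2224528 inode_uid=0 inode_gid=0 inode_dev=fd:00 inode_rdev=00:00
type=KERNEL msg=audit(1115727221.850:371646): item=0 name="/tmp/file2" inode=2223873 dev=fd:00 mode=041777 uid=0 gid=0 rdev=00:00
"""

# Commands that should each have produced a watch hit, per the shell session
# in the post. Assumption: the ">>" append is performed by the interactive
# shell, so it would show up as comm="bash"; the prompt does not say which
# shell was in use.
EXPECTED = {
    "file1-key": ["touch", "bash", "cat", "mv"],
    "file2-key": ["touch", "bash", "cat"],
}

HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):?\s*(?P<body>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Yield (type, serial, fields) per record line; non-record lines are skipped."""
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
        yield m.group("type"), int(m.group("serial")), fields


def group_events(text):
    """Merge records sharing a serial into one event: syscall fields, watch hits, path items."""
    events = {}
    for rtype, serial, f in parse_records(text):
        ev = events.setdefault(serial, {"type": rtype, "fields": {}, "watches": [], "items": []})
        if "watch" in f:
            ev["watches"].append(f)
        elif "name" in f:
            ev["items"].append(f)
        else:
            ev["fields"].update(f)
    return events


def hits_per_key(events):
    """filterkey -> [(serial, syscall, comm)] for every watch hit, in serial order."""
    hits = defaultdict(list)
    for serial, ev in sorted(events.items()):
        for w in ev["watches"]:
            hits[w["filterkey"]].append((serial, ev["fields"].get("syscall"), ev["fields"].get("comm")))
    return dict(hits)


def missing_ops(events, expected):
    """filterkey -> commands from `expected` that never produced a hit on that watch."""
    seen = hits_per_key(events)
    missing = {}
    for key, comms in expected.items():
        got = {comm for _, _, comm in seen.get(key, [])}
        gap = [c for c in comms if c not in got]
        if gap:
            missing[key] = gap
    return missing


def items_with_directory_mode(events):
    """(serial, name, inode) for path items whose mode is S_IFDIR (e.g. 041777)
    and whose inode is not the inode recorded in the event's watch record:
    the item then refers to the parent directory, not the watched file."""
    flagged = []
    for serial, ev in sorted(events.items()):
        watch_inodes = {w.get("inode") for w in ev["watches"]}
        for it in ev["items"]:
            mode = int(it.get("mode", "0"), 8)
            if (mode & 0o170000) == 0o040000 and it.get("inode") not in watch_inodes:
                flagged.append((serial, it["name"], it["inode"]))
    return flagged


if __name__ == "__main__":
    evs = group_events(SAMPLE_LOG)
    print("hits:", hits_per_key(evs))
    print("missing:", missing_ops(evs, EXPECTED))
    print("directory-mode items:", items_with_directory_mode(evs))
```

Run against the post's records, the hit table shows exactly one touch per key, and the missing table lists the append, cat and mv that produced no watch record; the same functions can be pointed at a full /var/log/audit/audit.log to confirm whether a newer kernel closes the gap.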