Bypassing audit's file watches
Michael C Thompson
thompsmc at us.ibm.com
Fri Jul 7 16:20:43 UTC 2006
Michael C Thompson wrote:
> Timothy R. Chavez wrote:
>> On Fri, 2006-07-07 at 10:58 -0400, Steve wrote:
>>> I have found that I can modify files that are being watched and audit
>>> not catch it (ie. no events are dispatched). When monitoring a file
>>> for all system calls, I can:
>>>
>>> echo "" > /file/to/watch
>>>
>>> or
>>>
>>> cat some_file > /file/to/watch
>>>
>>> without generating audit events. I assume this has to do with how
>>> the kernel handles re-direction. Is it possible to catch these
>>> modifications?
>>>
>>> Thanks,
>>> Steve
>>
>> What are your rules? You should catch these on open()
>> of /file/to/watch, right?
>>
>> -tim
>
> I am seeing this as well with the .42 kernel and audit-1.2.4-1. Not sure
> when this might have broken, but its broke now.
>
> It seems if you set a watch on /file/to (to use your example above),
> then you are getting the opens that bash does, although the PATH record
> shows the item as "/file/to/watch".
>
> So watching the parent directory will audit redirect shell magic, but
> watching the target of that redirection will not audit that same magic.
>
> Mike
Oh, and it turns out if the action fails, then the watch on the target
of redirection will get audited. So if you echo "123" >
not_writable_file, and you have a watch on 'not_writable_file', you will
see an audit record, but if the write is successful, then you don't see it.
Mike
More information about the Linux-audit
mailing list