Bypassing audit's file watches

Amy Griffis amy.griffis at hp.com
Sat Jul 8 02:00:02 UTC 2006


Steve wrote:  [Fri Jul 07 2006, 10:58:42AM EDT]
> I have found that I can modify files that are being watched and audit
> not catch it (i.e. no events are dispatched).  When monitoring a file for
> all system calls, I can:
> 
> echo "" > /file/to/watch
> 
> or
> 
> cat some_file > /file/to/watch
> 
> without generating audit events.

Are you seeing the open and not the write, or no records at all?

With the current implementation, you should expect to see an event for
open().  You wouldn't see a record for the write(), as the argument is
an fd instead of a filename.

As Tim mentioned, the idea is that to determine if a file is modified,
you would filter for open() calls with either the O_RDWR or O_WRONLY
flag.  This is pretty unwieldy with the current feature set since you
would need a separate rule for every possible combination of flags
that includes O_RDWR or O_WRONLY.  I really think we need to enhance
the filtering options available for open() calls, since trying to
audit the actual modifications is much more difficult.
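To make the "separate rule for every possible combination of flags" point concrete, here is an added example (not from this thread or from the audit project) that enumerates the open(2) flag values whose access mode is O_WRONLY or O_RDWR and emits one auditctl rule per value. The shell redirection in the original report (`echo "" > /file/to/watch`) opens with O_WRONLY|O_CREAT|O_TRUNC, which is one of the values produced. The `-F path=`/`-F a1=` rule syntax is assumed from auditctl's documented fields; the set of modifier flags is a constructed subset, and a real deployment would have to cover every flag the libc exposes, which is exactly why the rule count explodes.

```python
"""Enumerate write-capable open(2) flag combinations and emit audit rules.

Added example, not code from the Linux-audit thread.  Assumptions:
  * the x86-64 open(2) convention that the flags argument is a1;
  * auditctl's -F path= and -F a1= fields (equality match only, which is
    what forces one rule per distinct flags value).
Note that modern glibc implements open() via openat(2); this example keeps
-S open because that is the syscall the thread discusses.
"""
import itertools
import os

# Flags that do not change whether the open can write, but do change the
# numeric value of a1 and therefore need their own equality rule.
# Constructed subset for illustration; the real list is much longer.
MODIFIER_FLAGS = {
    "O_CREAT": os.O_CREAT,
    "O_TRUNC": os.O_TRUNC,
    "O_APPEND": os.O_APPEND,
    "O_EXCL": os.O_EXCL,
    "O_NONBLOCK": os.O_NONBLOCK,
}

# The two access modes that allow modification of the file.
WRITE_MODES = {"O_WRONLY": os.O_WRONLY, "O_RDWR": os.O_RDWR}


def is_write_open(flags: int) -> bool:
    """True if an open(2) with these flags can modify the file's contents."""
    return (flags & os.O_ACCMODE) in (os.O_WRONLY, os.O_RDWR)


def write_flag_values(modifiers=MODIFIER_FLAGS):
    """Every distinct a1 value whose access mode is O_WRONLY or O_RDWR.

    Each subset of the modifier flags is OR-ed with each write mode, so the
    result has 2 * 2**len(modifiers) entries when the flag bits are distinct.
    """
    values = set()
    names = list(modifiers)
    for size in range(len(names) + 1):
        for combo in itertools.combinations(names, size):
            extra = 0
            for name in combo:
                extra |= modifiers[name]
            for mode in WRITE_MODES.values():
                values.add(mode | extra)
    return sorted(values)


def auditctl_rules(path: str, key: str = "file-writes", modifiers=MODIFIER_FLAGS):
    """One auditctl rule per flags value (hypothetical rule set, see header)."""
    return [
        f"auditctl -a exit,always -S open -F path={path} -F a1=0x{value:x} -k {key}"
        for value in write_flag_values(modifiers)
    ]


if __name__ == "__main__":
    rules = auditctl_rules("/file/to/watch")
    print(f"# {len(rules)} rules needed to cover {len(MODIFIER_FLAGS)} modifier flags")
    for rule in rules:
        print(rule)
```

Running the script with the five constructed modifier flags already yields 64 rules for a single watched file; every additional flag doubles that, which is the practical argument for filtering on the access-mode bits of the open() flags rather than on whole values.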

If you are missing events for open() calls, please let us know since
that would be a bug (versus a lacking feature).

Thanks for testing.

Amy
