file watch result help

zhangxiliang zhangxiliang at cn.fujitsu.com
Mon Jul 21 05:16:37 UTC 2008



LC Bruzenak said the following on 2008-07-21 12:01:
> Looking for help/advice:
> 
> I had a new file (/usr/lib/AuditProxy) I installed via RPM with
> CAP_AUDIT_WRITE assigned.
> I noticed after a couple of days it was removed.
> So I added a file watch and waited.
> 
> The file got changed, this was audited, however I cannot really nail down
> who/how it got changed as of yet...hopefully someone can either
> enlighten me on this or else give me a clue on how to install a better
> watch rule.
> 
> I used:
> -w /usr/libexec/AuditProxy -k PROXY
> 
> and now that the CAP has been removed I see the following activity (with
> "ausearch -i -k PROXY"):
> 
> type=PATH msg=audit(07/18/2008 04:12:24.677:60925) : item=0
> name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 
> type=CWD msg=audit(07/18/2008 04:12:24.677:60925) :  cwd=/ 
> type=SYSCALL msg=audit(07/18/2008 04:12:24.677:60925) : arch=x86_64
> syscall=open success=yes exit=4 a0=2626330 a1=0 a2=0 a3=100 items=1
> ppid=29219 pid=29228 auid=root uid=root gid=root euid=root suid=root
> fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632
> comm=prelink exe=/usr/sbin/prelink
> subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY 
> ----
> type=PATH msg=audit(07/18/2008 04:12:24.678:60926) : item=0
> name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 
> type=CWD msg=audit(07/18/2008 04:12:24.678:60926) :  cwd=/ 
> type=SYSCALL msg=audit(07/18/2008 04:12:24.678:60926) : arch=x86_64
> syscall=open success=yes exit=3 a0=3e2ba1dc68 a1=0 a2=0 a3=7fff332a1f8b
> items=1 ppid=29228 pid=29354 auid=root uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632
> comm=ld-linux-x86-64 exe=/lib64/ld-2.8.so
> subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY 
> ----
> type=PATH msg=audit(07/18/2008 04:12:24.811:60927) : item=0
> name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 
> type=CWD msg=audit(07/18/2008 04:12:24.811:60927) :  cwd=/ 
> type=SYSCALL msg=audit(07/18/2008 04:12:24.811:60927) : arch=x86_64
> syscall=open success=yes exit=3 a0=2520b90 a1=0 a2=70dc80 a3=24e3880
> items=1 ppid=29219 pid=29228 auid=root uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632
> comm=prelink exe=/usr/sbin/prelink
> subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY 
> ----
> type=PATH msg=audit(07/18/2008 04:12:24.811:60928) : item=0
> name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 
> type=CWD msg=audit(07/18/2008 04:12:24.811:60928) :  cwd=/ 
> type=SYSCALL msg=audit(07/18/2008 04:12:24.811:60928) : arch=x86_64
> syscall=open success=yes exit=4 a0=3e2ba1dc68 a1=0 a2=0 a3=7fffb5a95f70
> items=1 ppid=29228 pid=29358 auid=root uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632
> comm=ld-linux-x86-64 exe=/lib64/ld-2.8.so
> subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY 
> ----
> type=PATH msg=audit(07/18/2008 04:12:24.820:60929) : item=0
> name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 
> type=CWD msg=audit(07/18/2008 04:12:24.820:60929) :  cwd=/ 
> type=SYSCALL msg=audit(07/18/2008 04:12:24.820:60929) : arch=x86_64
> syscall=getxattr success=yes exit=27 a0=7fff2d0c1070 a1=4d97e6
> a2=26351d0 a3=ff items=1 ppid=29219 pid=29228 auid=root uid=root
> gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
> tty=(none) ses=632 comm=prelink exe=/usr/sbin/prelink
> subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY 
> ----
> type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=4
> name=/usr/libexec/AuditProxy inode=61043 dev=fd:00 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 
> type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=3
> name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 
> type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=2
> name=/usr/libexec/AuditProxy.#prelink#.BJ0RCF inode=61043 dev=fd:00
> mode=file,755 ouid=root ogid=root rdev=00:00
> obj=system_u:object_r:bin_t:s0 
> type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=1
> name=/usr/libexec/ inode=63847 dev=fd:00 mode=dir,755 ouid=root
> ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 
> type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=0
> name=/usr/libexec/ inode=63847 dev=fd:00 mode=dir,755 ouid=root
> ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 
> type=CWD msg=audit(07/18/2008 04:12:24.821:60932) :  cwd=/ 
> type=SYSCALL msg=audit(07/18/2008 04:12:24.821:60932) : arch=x86_64
> syscall=rename success=yes exit=0 a0=7fff2d0c1030 a1=7fff2d0c1070 a2=31
> a3=1b items=5 ppid=29219 pid=29228 auid=root uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632
> comm=prelink exe=/usr/sbin/prelink
> subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY 
> 
> 
> So the file is getting moved to a temp file and then back (is the
> prelink doing this?) with the result being that the CAP is erased.
> 
> Not certain what is doing this in my system. 
> Any clues or instructions on how to narrow the search?

Could you supply the audit messages whose type is "AUDIT_CONFIG_CHANGE" from your result?

> 
> Thx,
> LCB.
> 
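The records quoted above already answer the "who/how" question once they are grouped by event serial: event 60932 is a successful rename by /usr/sbin/prelink (pid 29228, auid root, prelink_t) that moved /usr/libexec/AuditProxy.#prelink#.BJ0RCF over /usr/libexec/AuditProxy, so the path went from inode 59928 to inode 61043. File capabilities are stored in the security.capability extended attribute of the inode, and a freshly written temp file renamed over the original has no such attribute, which is why the CAP vanished. The following script is an added example, not code from the post or from the audit project: it parses `ausearch -i` output (including the "> "-quoted, mailer-wrapped form seen in this thread), and reports every event in which a watched path's directory entry was replaced or removed, with the responsible process and the inode change. The two records embedded as SAMPLE are copied from the post; the function names and the field set reported are this example's own choices.

```python
import re

# Sample copied from the post (serials 60925 and 60932), deliberately kept with
# the e-mail's "> " quoting and line wrapping so the parser is exercised on it.
SAMPLE = """\
> type=PATH msg=audit(07/18/2008 04:12:24.677:60925) : item=0
> name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
> type=SYSCALL msg=audit(07/18/2008 04:12:24.677:60925) : arch=x86_64
> syscall=open success=yes exit=4 a0=2626330 a1=0 a2=0 a3=100 items=1
> ppid=29219 pid=29228 auid=root uid=root gid=root euid=root suid=root
> fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632
> comm=prelink exe=/usr/sbin/prelink
> subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY
> ----
> type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=4
> name=/usr/libexec/AuditProxy inode=61043 dev=fd:00 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
> type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=3
> name=/usr/libexec/AuditProxy inode=59928 dev=fd:00 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
> type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=2
> name=/usr/libexec/AuditProxy.#prelink#.BJ0RCF inode=61043 dev=fd:00
> mode=file,755 ouid=root ogid=root rdev=00:00
> obj=system_u:object_r:bin_t:s0
> type=PATH msg=audit(07/18/2008 04:12:24.821:60932) : item=1
> name=/usr/libexec/ inode=63847 dev=fd:00 mode=dir,755 ouid=root
> ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
> type=SYSCALL msg=audit(07/18/2008 04:12:24.821:60932) : arch=x86_64
> syscall=rename success=yes exit=0 a0=7fff2d0c1030 a1=7fff2d0c1070 a2=31
> a3=1b items=5 ppid=29219 pid=29228 auid=root uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=632
> comm=prelink exe=/usr/sbin/prelink
> subj=system_u:system_r:prelink_t:s0-s15:c0.c1023 key=PROXY
"""

MSG_RE = re.compile(r'^type=(\w+) msg=audit\((.+?):(\d+)\) :\s*(.*)$')
KV_RE = re.compile(r'(\w+)=(\S+)')
# Syscalls that replace or remove the directory entry a -w watch points at.
# The watch follows the path, so afterwards the path may name a new inode
# whose security.* xattrs (file capabilities live in security.capability)
# were never set.
ENTRY_REPLACING = {'rename', 'renameat', 'unlink', 'unlinkat', 'link', 'linkat'}


def _records(text):
    """Undo '> ' quoting and mailer wrapping: one string per type=... record."""
    lines = [l.strip().lstrip('> ').strip() for l in text.splitlines()]
    joined = ' '.join(l for l in lines if l and not l.startswith('----'))
    return re.split(r'\s(?=type=\w+ msg=audit)', joined)


def parse_ausearch(text):
    """Group `ausearch -i` records by serial: {serial: {'SYSCALL': {...}, 'PATH': [...]}}."""
    events = {}
    for rec in _records(text):
        m = MSG_RE.match(rec)
        if not m:
            continue
        rtype, stamp, serial, rest = m.groups()
        fields = dict(KV_RE.findall(rest))
        fields['_time'] = stamp
        ev = events.setdefault(int(serial), {'PATH': []})
        if rtype == 'PATH':
            ev['PATH'].append(fields)
        else:
            ev[rtype] = fields
    return events


def find_replacements(events, watched):
    """Events that replaced or removed the watched path's directory entry,
    each with the responsible process and the inode before/after."""
    hits = []
    for serial in sorted(events):
        sc = events[serial].get('SYSCALL', {})
        if sc.get('syscall') not in ENTRY_REPLACING:
            continue
        items = sorted(events[serial]['PATH'], key=lambda p: int(p.get('item', 0)))
        mine = [p for p in items if p.get('name') == watched]
        if not mine:
            continue
        # For rename the other non-directory PATH item is the source (here
        # prelink's temp file); records this old carry no nametype field.
        sources = [p['name'] for p in items
                   if p.get('name') != watched and p.get('mode', '').startswith('file')]
        hits.append({
            'serial': serial, 'time': sc.get('_time'), 'syscall': sc['syscall'],
            'success': sc.get('success'), 'exe': sc.get('exe'), 'comm': sc.get('comm'),
            'pid': sc.get('pid'), 'ppid': sc.get('ppid'), 'auid': sc.get('auid'),
            'subj': sc.get('subj'), 'from_path': sources[0] if sources else None,
            'inode_before': mine[0].get('inode'), 'inode_after': mine[-1].get('inode')})
    return hits


if __name__ == '__main__':
    for h in find_replacements(parse_ausearch(SAMPLE), '/usr/libexec/AuditProxy'):
        print('%(time)s serial=%(serial)s %(syscall)s by %(exe)s pid=%(pid)s '
              'auid=%(auid)s subj=%(subj)s: inode %(inode_before)s -> '
              '%(inode_after)s (from %(from_path)s)' % h)
```

On a live system the same script can be fed `ausearch -i -k PROXY` output directly. Because a `-w` watch follows the path rather than the inode, the rename shows up in the watch's key; verifying the suspicion is then a matter of `getcap /usr/libexec/AuditProxy` before and after the next prelink run. Any tool that writes a new file and renames it over the original will drop file capabilities unless it copies the security.capability xattr, so a binary that must keep a capability either needs that tool told to leave it alone (prelink reads a `-b` blacklist entry for the path from /etc/prelink.conf) or needs setcap reapplied after each rewrite.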
