problem about audit

Steve Grubb sgrubb at redhat.com
Tue Mar 9 15:53:00 UTC 2010 

On Monday 08 March 2010 08:37:50 pm tianyong1979sh wrote:
>      my work is that when user input "getfacl" or "setfacl", whatever
> success or failed, the process of auditd can log this operation 

On Linux, ACLs are stored as extended attributes. You can audit success and 
failure by using these rules:

-a exit,always -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S 
removexattr -S lremovexattr -S fremovexattr
-a exit,always -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S 
removexattr -S lremovexattr -S fremovexattr


-a exit,always -F arch=b32 -S getxattr -S lgetxattr -S fgetxattr -S listxattr 
-S llistxattr -S flistxattr
-a exit,always -F arch=b64 -S getxattr -S lgetxattr -S fgetxattr -S listxattr 
-S llistxattr -S flistxattr

You can also add a -k setfacl and -k getfacl respectively if you wanted. SE 
Linux also writes to the xattrs when policy is updated, so you would possible 
have that issue, too.


> and the operation type is AUDIT_DAC_CHECHK that is defined in libaudit.h.

That type is meant for applications that do access control. In other words, 
suppose an application connects to a local server and the server checks its 
access control rules and decides that a connection should be allowed or 
rejected. In that case, you would use this type. For any other use, the 
generic AUDIT_TRUSTED_APP type is available for anything.


> In order to reach the destination ,i modified the codes in the packets
> of acl-2.2.39 and audit-1.7.7 . Firstly ,i added the function
> audit_log_acct_message()  in the file of getfacl.c and setfacl.c in the
> audited place and the function audit_log_acct_message() is in file
> audit_logging.c of the audit-1.7.7. Secondly, i make the the project of 
> acl and the result is ok .And i run the object file of getfacl. When the
> user is root,the audit message of getfacl operation can be logged.But when
> the user is normal user,the audit message cann't be logged.

Correct. This is so that unprivileged users and operations cannot spam the 
audit logs. Allowing anything to write to the audit system would destroy the 
integrity guarantees and reduce it to being another syslog.


> The VAR "errno" value is "Operation not permitted".when i execute the
> command "chmod u+s getfacl" as root. and then the audit message of getfacl
> operation can be logged au normal user. how i can reslove the problem that
> when normal user and normal authority execute the command "getfacl" ,the
> audit system still can log the operation?????

You would need to make the application setuid root or if your OS supports file 
system based capabilities, then you can grant CAP_AUDIT_WRITE to the program.

But, do you really need to alter getfacl and setfacl? We were able to obtain 
Common Criteria certification without modifying those apps. Besides, someone 
could use another app besides those two to write/read the ACLs. Only watching 
the syscalls can provide a complete solution.

-Steve

More information about the Linux-audit mailing list