Auditing the "chattr" command (ioctl syscall?)

Max Williams Max.Williams at betfair.com
Wed Aug 24 15:31:10 UTC 2011 

Hi Steve,
Thanks for the informative reply. I hadn't used autrace before, looks very handy.
I am wondering why this rule would log chattr...
-a always,exit -F arch=b64 -S ioctl -F a1=40086602 -F path=/root/file

...but not this one?
-a exit,always -F path=/root/file

In the second rule, is it not implied that all syscalls would be logged? Wouldn't that include ioctl?

I still can't get auditd to log chattr, I'll show you:

[root at localhost ~]# auditctl -D
No rules
[root at localhost ~]# autrace /usr/bin/chattr +i file
Waiting to execute: /usr/bin/chattr
Cleaning up...
Trace complete. You can locate the records with 'ausearch -i -p 16312'
[root at localhost ~]# 
[root at localhost ~]# ausearch -i -p 16312 | grep ioctl
node=localhost.localdomain type=SYSCALL msg=audit(08/24/2011 15:10:29.752:54096) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=3 a1=80086601 a2=7fff1271bf9c a3=1 items=0 ppid=16310 pid=16312 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1198 comm=chattr exe=/usr/bin/chattr key=(null) 
node=localhost.localdomain type=SYSCALL msg=audit(08/24/2011 15:10:29.752:54100) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=3 a1=40086602 a2=7fff1271bf9c a3=0 items=0 ppid=16310 pid=16312 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1198 comm=chattr exe=/usr/bin/chattr key=(null) 
[root at localhost ~]# 
[root at localhost ~]# auditctl -a exit,always -F arch=b64 -S ioctl -F a1=40086602 -k chattr1
[root at localhost ~]# auditctl -a exit,always -F arch=b64 -S ioctl -F a1=80086601 -k chattr2
[root at localhost ~]# 
[root at localhost ~]# chattr +i file
[root at localhost ~]# chattr -i file
[root at localhost ~]# 
[root at localhost ~]# tail -4 /var/log/audit/audit.log 
node=localhost.localdomain type=CONFIG_CHANGE msg=audit(1314195029.752:54103): auid=0 ses=1198 op="remove rule" key=(null) list=4 res=1
node=localhost.localdomain type=CONFIG_CHANGE msg=audit(1314195029.752:54104): auid=0 ses=1198 op="remove rule" key=(null) list=4 res=1
node=localhost.localdomain type=CONFIG_CHANGE msg=audit(1314195046.666:54105): auid=0 ses=1198 op="add rule" key="chattr1" list=4 res=1
node=localhost.localdomain type=CONFIG_CHANGE msg=audit(1314195054.962:54106): auid=0 ses=1198 op="add rule" key="chattr2" list=4 res=1
[root at localhost ~]#

So it just doesn't log anything after adding the two rules.

I also tried just auditing all ioctl syscalls for a path:
[root at localhost ~]# auditctl -D
No rules
[root at localhost ~]# auditctl -a exit,always -F arch=b64 -S ioctl -F path=/root/temp -k chattr3
[root at localhost ~]# chattr +i /root/temp/file 

But still no dice. This is on a standard x86_64 RHEL6 host with audit-2.0.4-1.el6.x86_64.
Am I missing something obvious?
Thanks,
Max

-----Original Message-----
From: Steve Grubb [mailto:sgrubb at redhat.com] 
Sent: 24 August 2011 15:41
To: linux-audit at redhat.com
Cc: Max Williams
Subject: Re: Auditing the "chattr" command (ioctl syscall?)

On Wednesday, August 24, 2011 09:57:13 AM Max Williams wrote:
> Hi,
> I would like to be able to audit the syscalls that the chattr command 
> uses but I'm not having much luck. In an effort to see the syscalls 
> used, I created a rule to log all syscalls, like this: # auditctl -a 
> exit,always -F path=/root/file
> 
> Then run this:
> # chattr +i /root/file
> 
> This produces series of two syscalls in the logs, 6 (sys_newlstat) and 
> 2
> (sys_open): node=localhost.localdomain type=SYSCALL
> msg=audit(1314189320.335:53158): arch=c000003e syscall=6 success=yes
> exit=0 a0=7ffff0f8886c a1=7ffff0f88250 a2=7ffff0f88250 a3=1 items=1
> ppid=15560 pid=15745 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 ses=1198 comm="chattr" exe="/usr/bin/chattr"
> key=(null) node=localhost.localdomain type=SYSCALL
> msg=audit(1314189320.335:53160): arch=c000003e syscall=2 success=yes
> exit=3 a0=7ffff0f8886c a1=800 a2=7ffff0f88170 a3=1 items=1 ppid=15560
> pid=15745 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
> fsgid=0
> tty=pts0 ses=1198 comm="chattr" exe="/usr/bin/chattr" key=(null)
> 
> I don't think these are the syscalls I want to audit,

nope. You can use the autrace program also and get a strace like list of syscalls made by the process.

> they would be far too
> frequent. I also noticed when I run a strace on the chattr command it 
> looks like it uses ioctl, eg: ioctl(3, EXT2_IOC_SETFLAGS, 
> 0x7fff0314cf3c)
> 
> What audit rule could I use to achieve this?

It starts off like this:

-a always,exit -F arch=b64 -S ioctl

Then you need to look at the man page for ioctl. The first argument is the FD, so you will not have a a0  since that could be different from program to program. Then you need to look in the header files for the definition of EXT2_IOC_SETFLAGS.

/usr/include/linux/ext2_fs.h
#define EXT2_IOC_SETFLAGS               FS_IOC_SETFLAGS

/usr/include/linux/fs.h
#define FS_IOC_SETFLAGS                 _IOW('f', 2, long)

/usr/include/asm-generic/ioctl.h
#define _IOW(type,nr,size)      _IOC(_IOC_WRITE,(type),(nr),(_IOC_TYPECHECK(size)))
#define _IOC(dir,type,nr,size) \
        (((dir)  << _IOC_DIRSHIFT) | \
         ((type) << _IOC_TYPESHIFT) | \
         ((nr)   << _IOC_NRSHIFT) | \
         ((size) << _IOC_SIZESHIFT))
# define _IOC_WRITE     1U

Looks hard to figure out? Let's make a program:

#include <stdio.h>
#include <linux/fs.h>
#include <linux/ext2_fs.h>

int main(void)
{
	printf("%0lX\n", EXT2_IOC_SETFLAGS);
	return 0;
}

It returns this: 40086602

So, the rule is:

-a always,exit -F arch=b64 -S ioctl -F a1=40086602

I don't know if the syscall requires more arguments. You would have to look at the chattr program for more. Also note that you might want a matching b32 rule also. If you wanted to limit this to a file, then put a -F path= on that also. Adding a key field helps in searching later.

-Steve

________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from 
MessageLabs to scan all Incoming and Outgoing mail for viruses.

________________________________________________________________________

More information about the Linux-audit mailing list