Auditing the "chattr" command (ioctl syscall?)
Steve Grubb
sgrubb at redhat.com
Wed Aug 24 15:50:23 UTC 2011
On Wednesday, August 24, 2011 11:31:10 AM Max Williams wrote:
> Thanks for the informative reply. I hadn't used autrace before, looks very
> handy. I am wondering why this rule would log chattr...
> -a always,exit -F arch=b64 -S ioctl -F a1=40086602 -F path=/root/file
>
> ...but not this one?
> -a exit,always -F path=/root/file
When you do not give a syscall and its a path or directory based rule, it selects the
syscalls for you based on what kind of permissions are passed. No permissions being
passed defaults to all. The resulting list will not include an ioctl.
> In the second rule, is it not implied that all syscalls would be logged?
> Wouldn't that include ioctl?
No. You could add -S all and then it would.
> I also tried just auditing all ioctl syscalls for a path:
> [root at localhost ~]# auditctl -D
> No rules
> [root at localhost ~]# auditctl -a exit,always -F arch=b64 -S ioctl -F
> path=/root/temp -k chattr3 [root at localhost ~]# chattr +i /root/temp/file
>
> But still no dice. This is on a standard x86_64 RHEL6 host with
> audit-2.0.4-1.el6.x86_64. Am I missing something obvious?
Then I guess you cannot limit the auditing to a file. The ioctl is passed a fd, which
is an integer. The audit system does not keep any list of associated fd to name
mappings. So, the only time it knows the string is during the open syscall. I guess
you'll have to drop the -F path=/root/temp/file and you will get the chattr, but you
will get all chattr events. I don't think there are too many of those going on for a
normal system.
-Steve
More information about the Linux-audit
mailing list