test patch for auditctl inter-field comparisons on euid/uid, egid/gid
Peter Moody
pmoody at google.com
Mon Dec 12 16:40:29 UTC 2011
On Mon, Dec 12, 2011 at 6:40 AM, Steve Grubb <sgrubb at redhat.com> wrote:
> On Sunday, December 11, 2011 02:09:27 PM Peter Moody wrote:
> > This patch extends Eric's test patch from 11/17 (
> > http://www.redhat.com/archives/linux-audit/2011-November/msg00045.html).
> > This turns -C into a long opt with similar syntax to -F.
>
> Thanks.
>
> > One strange thing related to this patch: auditd seems to be reporting
> > success for a normal user process (gklrellm) opening /proc/meminfo (mode
> > 444) O_RDWR, and I don't see how this is possible. eg:
> >
> > type=SYSCALL msg=audit(1323540255.146:97): arch=c000003e syscall=2
> > success=yes exit=13 a0=4b1972 a1=0 a2=1b6 a3=0 items=1 ppid=1704 pid=1797
> > auid=11532 uid=11532 gid=5000 euid=11532 suid=11532 fsuid=11532 egid=5000
> > sgid=5000 fsgid=5000 tty=(none) ses=1 comm="gkrellm"
> exe="/usr/bin/gkrellm"
> > key="permissive"
> > type=CWD msg=audit(1323540255.146:97): cwd="/home/pmoody"
> > type=PATH msg=audit(1323540255.146:97): item=0 name="/proc/meminfo"
> inode=
> > 4026532008 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
> >
> > hopefully someone with more auditd internal knowledge can explain what's
> > going on.
>
> Simple, int open(const char *pathname, int flags, mode_t mode);
>
> So, we want to look at a1's contents.
d'oh, of course. I keep thinking it's a2 for some reason.
> Its a zero. So, let's look that up in
> /usr/include/asm-generic/fcntl.h:
>
> #define O_RDONLY 00000000
> #define O_WRONLY 00000001
> #define O_RDWR 00000002
>
> So, it would appear open is called with O_RDONLY, which is allowed by the
> permissions 0444.
>
>
> > auditctl -l doesn't know how to report this yet; if this patch is
> generally
> > acceptable, I can try to fix that and update the manpage, etc.
>
> Yes, auditctl -l will have to be updated. If you want to do that, it would
> be
> helpful. Also, see the comments on the other patch in case it affects this
> one.
>
It will and I'll update this.
This only supports != and = because those were the only two that really
seemed like meaningful tests for these fields; do you think this should
support <, <=, >, >= as well (I'm assuming that bitmasks wouldn't make
sense at all)
Cheers,
peter
> -Steve
>
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20111212/be3d6b48/attachment.htm>
More information about the Linux-audit
mailing list