Bug in auditing of sys_symlink

Aaron Lewis the.warl0ck.1989 at gmail.com
Fri Dec 27 05:13:32 UTC 2013


Hi,

Looks like on the 2.6.32 kernel there was a bug with sys_symlink.

I'm trying to monitor all symlinks that point to a specific dir, so I added:

-a exit,always -F arch=b64 -S symlink -F success=1 -F dir=/secure

But "ln -s /secure/file /tmp/file" doesn't trigger an alert,
and "cd /secure; ln -s /bin/ls" does.

So I guess the auditing implementation is somehow incomplete?

-- 
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E