Probable bug in auditd
Shourya Jaiswal
shourya.jaiswal at citrix.com
Wed Jan 20 20:54:45 UTC 2021
Hi,
I have found a weird behavior in auditd. File "/abc" does not exist.
audit.rules:
-a always,exit -F arch=b32 -S open -S openat
-a always,exit -F arch=b64 -S open -S openat
A non-root user executes "echo > /abc", it doesn't get logged in audit.log. Same with "echo > /etc/abc"
A non-root user executes "cat /abc", it gets logged in audit.log
Since auditd is monitoring all the open and openat syscalls, ideally both the cases (i.e. read and write) should have be logged.
After I execute "chmod a+w /" then "chmod a-w /", if a non-root user executes "echo > /abc", then it gets logged in audit.log.
This looks like a bug to me. Kindly let me know if it's a bug or an intended feature.
System used to test: Linux 5.4.0-56-generic #62-Ubuntu SMP x86_64 x86_64 x86_64 GNU/Linux
Regards,
Shourya Jaiswal
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20210120/02c8758a/attachment.htm>
More information about the Linux-audit
mailing list