[redhat-lspp] Re: [PATCH] testing new audit features

Amy Griffis amy.griffis at hp.com
Thu Apr 6 20:39:55 UTC 2006 

On Wed, Apr 05, 2006 at 03:18:22PM -0400, Steve Grubb wrote:
> On Monday 20 March 2006 18:38, Amy Griffis wrote:
> > In contrast to existing audit rule field types, these types require string
> > fields. ?E.g., AUDIT_WATCH requires a path like "/etc/passwd",
> > AUDIT_SE_USER requires a user label like "user_u".
> 
> I have some questions since I'm readying user space tools to support this:
> 
> 1) Does this file system auditing do away with filter keys? Are they no longer 
> needed?

Filter keys are not needed if we include the watch insertion path as part of
the AUDIT_PATH record when an AUDIT_WATCH field matches the context.  It's on
my TODO list. :-)

> 2) What about perms? If someone wanted to express that they want to get write 
> changes to /etc/passwd, how do they do it?

Assuming you mean writes to the file itself,

    auditctl -a exit,always -S open -F watch=/etc/passwd

The open syscall is a rather coarse-grained filter, so we could
consider adding some finer-grained filtering for it, similar to what
was done in Laus.


> >        audit_rule_syscallbyname((struct audit_rule *)rule, "all");
> >        rule->flags = AUDIT_FILTER_EXIT;
> >        rule->action = AUDIT_ALWAYS;
> 
> 3) Does this mean that the file system auditing is handled by the syscall exit 
> filter ?

Yes, in that way it is like inode-based filtering.

> 4) Does each rule get added to the filter or is there some short circuit that 
> keeps them out of the filter? 

Each rule is added to the exit filter list.

> 5) Does the syscall matter ? Its being set to "all", just curious if it really 
> matters.

The syscall(s) specified determine which audit records you will see,
like inode-based filtering.

> 6) The example does not show devmajor and devminor getting used...does this 
> affect anything?

Devmajor and devminor don't really make sense for watches.  The dev
will be determined from the path_lookup on the supplied path.

On Wed, Apr 05, 2006 at 03:45:31PM -0400, Steve Grubb wrote:
> 7) Also...what becomes of the watch_filter? Does it still work ? Is it still 
> needed ?

No, the same feature is now provided using the exit filter list.
Additionally, you may now specify different filters per watched file
if you like, instead of being forced to apply a filter to all watched
files.

Hope this helps,
Amy

More information about the redhat-lspp mailing list