[redhat-lspp] Re: [PATCH] testing new audit features

Steve Grubb sgrubb at redhat.com
Thu Apr 6 21:03:20 UTC 2006


On Thursday 06 April 2006 16:39, Amy Griffis wrote:
> > 2) What about perms? If someone wanted to express that they want to get
> > write changes to /etc/passwd, how do they do it?
>
> Assuming you mean writes to the file itself,
>
>     auditctl -a exit,always -S open -F watch=/etc/passwd

Maybe it should be:
auditctl -a exit,always -S write -F watch=/etc/passwd

So what about execution of a certain program? For example, we need to see if a 
user tries to reset the audit rules. Would the audit rule be:

auditctl -a exit,always -S execve -F watch=/sbin/auditctl


> > >        audit_rule_syscallbyname((struct audit_rule *)rule, "all");
> > >        rule->flags = AUDIT_FILTER_EXIT;
> > >        rule->action = AUDIT_ALWAYS;
> >
> > 3) Does this mean that the file system auditing is handled by the syscall
> > exit filter ?
>
> Yes, in that way it is like inode-based filtering.

Then this is truly bad news. Suppose that we typically have 20-30 watches. 
Every single syscall will be affected since it will have to scan through 
30-40 rules to see if any apply. (There's about 10 syscall auditing rules.)

Have you considered this problem? Are there any ways to separate your file 
system auditing from syscall auditing? Do you see any optimizations to it?

Can we do wildcard matching? If not, we have a real problem since I know of 
one person who has tried to audit writes to about 5000 individual files. Imagine 
that affecting every single syscall.


> > 6) The example does not show devmajor and devminor getting used...does
> > this affect anything?
>
> Devmajor and devminor don't really make sense for watches.

Has to do with namespaces and similar named files. I guess we'll test this 
after I get auditctl basically working.

> > 7) Also...what becomes of the watch_filter? Does it still work ? Is it
> > still needed ?
>
> No, the same feature is now provided using the exit filter list.
> Additionally, you may now specify different filters per watched file
> if you like, instead of being forced to apply a filter to all watched
> files.

Should we delete it from audit.h ?

-Steve
