[redhat-lspp] Watch question

Steve Grubb sgrubb at redhat.com
Fri Apr 28 12:50:15 UTC 2006


On Thursday 27 April 2006 18:44, Loulwa Salem wrote:
> And from some analysis, when I do a listing of rules and watches .. it
> looks like the following syscalls are audited when a watch is added:
>         open, truncate, rename, mkdir, rmdir, creat, link, unlink, symlink,
> chmod, fchmod, chown, fchown, lchown.

I completely disagree with the current file system auditing approach requiring 
explicit syscall coupling. I think it is a big problem for the security 
community to have a tool for auditing files that requires knowledge of 
syscalls. I've coded the exact list that Amy supplied. So, now what if 
someone sends a patch to lkml to add a new syscall that does something with 
the file system? Looking at what's happened between 2.6.15 & 2.6.17rc3... it's 
already happened. 

Every kernel update, someone is going to have to go over all syscalls and see 
what is new and make new user space tools for people to use with the new 
kernel. This is Not Good for the community. Distributions that rebase their 
kernel will always have a problem since they will always need a new user 
space tool update just to keep watches working.

The RHEL4 audit system was hooked into the code paths that touched the file 
system so that user space did not have to be aware of syscalls to get it to 
work properly. I really think this is the way to do it.

> Is that what we intended? should execve be also included?

I personally want to be able to tell the kernel that I want notification of: 
reads, writes, execution, or changes to attributes of a specific file or all 
files in that directory and subdirectories. User space should not have to 
know which syscalls implement each of the categories.

Not being able to express it this way will be a regression for Enterprise 
customers. We need -w unhooked from -S. We need to have the concept of -p 
added back to the current implementation. The 'a' option to -p should be 
redefined from 'append' to 'attribute'.

> Do we need to specifically add a syscall rule for execve now to capture the
> audit record associated with it?

That depends on what the group decides. I don't like the coupling.

-Steve
