Steve,

Auditctl version 3.0.7, kernel 6.5.0-44-generic.

That extra check on whether the directory exists may be the core difference. What is interesting is that the -w version seems to honor the rule filter given (-F exe!=/usr/bin/example).

On Mon, July 22 2024 at 6:06 PM Steve Grubb <sgr...@redhat.com> wrote:

> Hello,
>
> On Monday, July 22, 2024 4:00:37 PM EDT Michael McKinley via Linux-audit wrote:
> > I believe I've come across a bug in Linux audit when writing syscall
> > monitors for a directory.
> >
> > File watchers are suggested to be syscall rules under the hood. I don't
> > believe this is true, based on the different behavior of syscall rules and
> > file watcher rules when monitoring directories that don't exist. Suggested
> > to be equivalent per auditctl(8):
> >
> >   -w /tmp/fakedir -p warx -k test1
> >   -s always, exit -F dir=/tmp/fakedir -F perm=warx -k test2
>
> It might be good to know what version of the audit package (auditctl -v) you
> are using and the version of the kernel (uname -r). They were different once
> upon a time.
>
> > What will happen if the dir doesn't exist in case 1 is the rule loads and
> > continues. In case 2, the rule will fail to load, thus failing to load all
> > rules below it.
>
> In the current code, when it finds a 'w' option, it calls stat on the
> directory to ensure it is there. If it is, it converts the call to syscall
> auditing on all syscalls. This gets refined when it finds the -perm field.
> When it finds an 'S', it adds the syscall without any checks. When it finds
> '-F dir=' it verifies the filter that it's being placed on, but no other path
> checks are done. That means the -w version is more strict and needs a
> directory to exist when the rule loads. The code in this area is probably at
> least 15 years old without much reworking.
>
> > Per the auditctl(8) man page -F (rule fields) are not supported by
> > watchers. This doesn't appear to be true any longer, as watchers do seem
> > to honor -F (extensive testing not performed).
>
> My man page differs. It says:
>
>     The -w form of writing watches is for backwards compatibility and is
>     deprecated due to poor system performance. Convert watches of this form
>     to the syscall based form.
>
> > Any insight or suggestions? I am considering using a watcher with rule
> > fields despite it not being officially supported due to the loading error
> > with syscalls.
>
> I'd be curious what versions you are using.
>
> -Steve
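The practical risk in this thread is that one rule whose path does not exist can fail to load and silently take every rule after it down with it. A pre-flight check for that case, written as an added example (not code from the audit project or from either poster; the function names and the rules file are constructed for illustration):

```shell
#!/bin/sh
# Pre-flight check for an audit rules file: report every -w, -F dir= or
# -F path= rule whose target does not exist on this host, so a rule that
# would fail to load (and abort loading of the rules after it) is caught
# before `auditctl -R` or `augenrules --load` runs.
# Hypothetical helper written for this example; not part of audit-userspace.

# Print the filesystem target referenced by one rule line, or nothing.
# Assumes the target path contains no whitespace.
audit_rule_target() {
    # $1 = one rule line, e.g. "-w /etc/passwd -p wa -k ident"
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "-w" && i < NF) { print $(i+1); exit }
            if ($i == "-F" && i < NF && ($(i+1) ~ /^(dir|path)=/)) {
                sub(/^(dir|path)=/, "", $(i+1)); print $(i+1); exit
            }
        }
    }'
}

# Read a rules file; print "RULE<TAB>TARGET" for each rule whose target is
# missing. Returns 1 if any were found, so it can gate a deployment step.
check_audit_rules_targets() {
    rules_file=$1
    missing=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        target=$(audit_rule_target "$line")
        [ -n "$target" ] || continue                # rule has no path target
        if [ ! -e "$target" ]; then
            printf '%s\t%s\n' "$line" "$target"
            missing=1
        fi
    done < "$rules_file"
    return "$missing"
}
```

Run it against the rules file before loading it; a non-zero exit means at least one watched path is absent and the load order should be fixed or the path created first.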