Both ls -i and stat return 252 as the inode for /tmp/test (I considered your /tmp/watch a typo). I also tried to add read permission to the watch and execute a cat on the file, but not even that gets recognized by audit.
2011/6/2 Steve Grubb <[email protected]>
> On Thursday, June 02, 2011 12:41:41 PM 4javier wrote:
> > root@Archbox /home/javier $ touch /tmp/test
> > root@Archbox /home/javier $ cat /tmp/test
> > root@Archbox /home/javier $ auditctl -w /tmp/test -p wa
> > root@Archbox /home/javier $ echo ppp >> /tmp/test
> > root@Archbox /home/javier $ cat /tmp/test
> > ppp
> > root@Archbox /home/javier $ ausearch -i -f /tmp/test
> > <no matches>
> > root@Archbox /home/javier $ auditctl -l
> > LIST_RULES: exit,always watch=/tmp/test perm=wa
> > root@Archbox /home/javier $ echo ppp > /tmp/test
> > root@Archbox /home/javier $ ausearch -i -f /tmp/test
> > <no matches>
> > root@Archbox /home/javier $ ausearch -f /tmp/test
> > <no matches>
> >
> > As you can see from the auditctl -l output, the rule seems to be correctly set,
> > but ausearch doesn't show anything.
>
> I duplicated your tests here:
> [root@localhost ~]# auditctl -w /tmp/test -p wa -k watch
> [root@localhost ~]# echo "ppp" >> /tmp/test
> [root@localhost ~]# cat /tmp/test
> ppp
> [root@localhost ~]# ausearch --start recent -i -f /tmp/test
> ----
> type=PATH msg=audit(06/02/2011 14:32:45.146:112) : item=0 name=/tmp/test inode=164740 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0
> type=CWD msg=audit(06/02/2011 14:32:45.146:112) : cwd=/root
> type=SYSCALL msg=audit(06/02/2011 14:32:45.146:112) : arch=x86_64 syscall=open success=yes exit=3 a0=1842830 a1=441 a2=1b6 a3=0 items=1 ppid=1298 pid=1304 auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=bash exe=/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=watch
>
> Admittedly I am on the 2.6.38.6 kernel. But I'm not seeing a regression. When you set the perms to "wa" that is only going to be opens for writing or changes to file attributes. So, the cat command will not trigger an event and that is why I only get 1 event.
>
> I am also on a 64 bit system, but I would think that didn't matter...unless we have a signed/unsigned comparison problem...what do you have for an inode on the /tmp/watch file? ls -i /tmp/watch should get it.
>
> -Steve
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
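The two checks discussed in this thread, scripted as an added example (this is not code from either poster or from the audit project): first the inode comparison Steve asked for, done by reading the inode with both ls -i and stat and refusing to continue if they disagree; then, when run as root on a box with auditctl, the same "wa" watch with a key, one write-open and one read-open of the file, and an ausearch limited to that key. The temporary file path, the key name "watch_demo", and the GNU stat -c with a BSD stat -f fallback are this script's own choices, not anything from the list.

```shell
#!/bin/sh
# Added example, not from the linux-audit thread. Assumes GNU coreutils
# (stat -c), with a fallback to BSD stat -f; the audit part needs root and
# a running auditd, and is skipped otherwise.

# Print the inode of $1, but only if ls -i and stat agree on it.
# A mismatch would point at the kind of problem Steve was asking about.
inode_of() {
    f=$1
    ls_ino=$(ls -i "$f" | awk '{print $1}')
    st_ino=$(stat -c %i "$f" 2>/dev/null || stat -f %i "$f")
    if [ "$ls_ino" != "$st_ino" ]; then
        echo "inode mismatch for $f: ls=$ls_ino stat=$st_ino" >&2
        return 1
    fi
    echo "$st_ino"
}

# Install a write/attribute watch on $1 keyed $2, exercise it, then search
# only for that key. "-p wa" matches opens for writing and attribute
# changes; the read-only cat below is expected to produce no event.
# Returns 0 when ausearch runs, 2 when audit is not usable on this host.
watch_and_check() {
    f=$1
    key=$2
    if [ "$(id -u)" -ne 0 ] || ! command -v auditctl >/dev/null 2>&1; then
        echo "audit not usable here (need root and auditctl); skipping" >&2
        return 2
    fi
    auditctl -w "$f" -p wa -k "$key" >/dev/null || return 1
    echo ppp >> "$f"        # open(O_WRONLY|O_APPEND): matches "w"
    cat "$f" >/dev/null     # open(O_RDONLY): does not match "wa"
    sleep 1                 # let auditd write the record out
    auditctl -W "$f" -p wa -k "$key" >/dev/null   # remove the rule again
    ausearch --start recent -i -k "$key" -f "$f"
}

main() {
    tmp=$(mktemp /tmp/audit-watch.XXXXXX)
    echo "inode of $tmp: $(inode_of "$tmp")"
    watch_and_check "$tmp" watch_demo
    rm -f "$tmp"
}

# Run the demo only when invoked as: sh audit-watch.sh run
case "$1" in
    run) main ;;
esac
```

Invoke it with the argument run as root to see the single SYSCALL/PATH/CWD group keyed watch_demo; as an unprivileged user it only performs the inode comparison and reports that the audit step was skipped.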
