On Wednesday, August 24, 2011 11:31:10 AM Max Williams wrote: > Thanks for the informative reply. I hadn't used autrace before, looks very > handy. I am wondering why this rule would log chattr... > -a always,exit -F arch=b64 -S ioctl -F a1=40086602 -F path=/root/file > > ...but not this one? > -a exit,always -F path=/root/file
When you do not give a syscall and its a path or directory based rule, it selects the syscalls for you based on what kind of permissions are passed. No permissions being passed defaults to all. The resulting list will not include an ioctl. > In the second rule, is it not implied that all syscalls would be logged? > Wouldn't that include ioctl? No. You could add -S all and then it would. > I also tried just auditing all ioctl syscalls for a path: > [root@localhost ~]# auditctl -D > No rules > [root@localhost ~]# auditctl -a exit,always -F arch=b64 -S ioctl -F > path=/root/temp -k chattr3 [root@localhost ~]# chattr +i /root/temp/file > > But still no dice. This is on a standard x86_64 RHEL6 host with > audit-2.0.4-1.el6.x86_64. Am I missing something obvious? Then I guess you cannot limit the auditing to a file. The ioctl is passed a fd, which is an integer. The audit system does not keep any list of associated fd to name mappings. So, the only time it knows the string is during the open syscall. I guess you'll have to drop the -F path=/root/temp/file and you will get the chattr, but you will get all chattr events. I don't think there are too many of those going on for a normal system. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
