On Friday, April 29, 2016 09:16:17 PM Vincas Dargis wrote: > 2016.04.29 21:00, Steve Grubb rašė: > > On Friday, April 29, 2016 08:56:26 PM Vincas Dargis wrote: > >> When playing/learning with auditd, I wanted to log events when apache > >> fails to access file. > >> > >> Here's the rules I used in Debian Wheezy (same on Jessie and and current > >> latest Testing): > >> > >> -a exit,never -F arch=b64 -S stat -F path=/var/www/server-status -k web > >> -a exit,always -F arch=b64 -S stat -F uid=www-data -F success=0 -k web > >> > >> /var/www/server-status file is non-existant, > > > > Is it a symlink? If it really doesn't exist, then there is no inode to > > match against. > > Oh... > > No, there is no such file at all, and shouldn’t be, but apache2 tries to > check it, hence success=0 case is spammed into then logs.
Normally ENOENT failures are not a security concern. Normally EACCES and EPERM are what attempted security policy violations return with. There is an inode in that case. > Same with > .htaccess files that apache2 tries to find in every directory... > > I though it is possible to exclude stat calls with that path as argument to > the syscall, but if it actually needs physical inode... then I guess it > makes sense why it does not work for me. > > I wanted to _ignore_ some known stat/open failures for non-existant files, > to recap. The granularity won't allow it unless you can find another unique attribute to weed these out. > > What kernel are you using? > > 3.2 and 3.16 for sure, and I believe I tested on Debian Testing so it should > be 4.5 currently. OK. There were some older kernels where this didn't work right and thought that might be relevant. But it turns out that kernel doesn't matter this time. > P.S. should I reply to all or just the list? Doesn't matter. Mailman usually does the right thing. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
