From: Rohit <cola.vn@gmail.com>
To: linux-audit@redhat.com
Subject: Mapping of Audit rule to Record Type Generated + chmod log query
Date: Tue, 11 Jan 2022 02:02:55 +0530
Message-ID: <CAHvE9BLxOm12w9UOOpRnuaoEqweTed8n503K+6Gs3sbBdYg0zg@mail.gmail.com>



Hello!

I have two questions. I had a quick search through the mailing archives
before posting here.

-----
Question 1
I'm not even sure if this is feasible but does there exist an audit rule
type <--> record type mapping?

For example, a file watch rule for writes and attribute changes (-p wa)
would generate record types of SYSCALL and CWD, while a watch for execution
(-p x) on a file would generate SYSCALL, EXECVE and CWD.

Similarly, is there a way to know what record types the different audit
rule types (file watches, syscalls) may generate?

-----

Question 2
I am trying to decipher a chmod related log entry. My audit rule is
-w /etc/passwd -p wa -k passwd_mod

I thereafter ran a "chmod 744 /etc/passwd". I received a SYSCALL record
type with the following parameters:
type=SYSCALL msg=audit(1641846347.980:1326): arch=c000003e syscall=268
success=yes exit=0 a0=ffffffffffffff9c a1=1a600f0 a2=1a4 a3=3c0 items=1
ppid=6639 pid=6781 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts6 ses=4294967295 comm="chmod" exe="/bin/chmod"

I'm trying to decipher whether the above event can give me the exact
permission passed to the chmod command (755). I understand that execve may
give it to me easier.
I see the underlying syscall is fchmodat which accepts 3 arguments

int dfd, const char __user *filename, umode_t mode

In which case, in the above log event, would a3=3c0 be the right argument
to represent the new permission (755)? Or am I reading this incorrectly?

---

Thanks so much for the help!
Regards
Rohit
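Decoding the mode argument out of a SYSCALL record like the one quoted above, as an added Python example that is not from this thread or from the audit project: it looks up which register carries the mode for the x86_64 chmod family (the syscall numbers assumed here are valid only for arch=c000003e) and renders it in octal.

```python
import re

# Constructed sample: the SYSCALL record quoted in the question, on one line.
SAMPLE_RECORD = (
    'type=SYSCALL msg=audit(1641846347.980:1326): arch=c000003e syscall=268 '
    'success=yes exit=0 a0=ffffffffffffff9c a1=1a600f0 a2=1a4 a3=3c0 items=1 '
    'ppid=6639 pid=6781 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 '
    'sgid=0 fsgid=0 tty=pts6 ses=4294967295 comm="chmod" exe="/bin/chmod"'
)

X86_64_ARCH = "c000003e"
# Register index (a0..a3) that carries the mode on x86_64:
#   chmod(path, mode)          -> a1
#   fchmod(fd, mode)           -> a1
#   fchmodat(dfd, path, mode)  -> a2   (three arguments, so a3 is not one of them)
MODE_ARG = {90: ("chmod", 1), 91: ("fchmod", 1), 268: ("fchmodat", 2)}
AT_FDCWD = 0xffffffffffffff9c  # -100 as an unsigned 64-bit register value


def parse_record(line):
    """Split one audit record into a dict; values may be bare or double-quoted."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def decode_mode(fields):
    """Return the decoded syscall name, octal mode and dfd, or None if the record
    is not an x86_64 chmod-family SYSCALL record."""
    if fields.get("type") != "SYSCALL" or fields.get("arch") != X86_64_ARCH:
        return None
    entry = MODE_ARG.get(int(fields.get("syscall", -1)))
    if entry is None:
        return None
    name, idx = entry
    # Argument registers are logged as bare hex; only the permission bits matter.
    mode = int(fields[f"a{idx}"], 16) & 0o7777
    result = {"syscall": name, "mode": f"0{mode:o}", "dfd": None}
    if name == "fchmodat":
        dfd = int(fields["a0"], 16)
        result["dfd"] = "AT_FDCWD" if dfd == AT_FDCWD else str(dfd)
    return result


if __name__ == "__main__":
    print(decode_mode(parse_record(SAMPLE_RECORD)))
```

For the record above this yields fchmodat with dfd AT_FDCWD and mode 0644 from a2=1a4; the EXECVE record from an execution watch carries the literal command-line argument instead, which is why it is often the easier source.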

