
BUG: watches on executable symlinks are not working

Open stevegrubb opened this issue 6 years ago • 13 comments

Watches on execution of a program seem to not be working on the 4.17 kernel.

$ which ping
/usr/sbin/ping
$ auditctl -w /usr/sbin/ping -p x -k test
$ ping yahoo.com
PING yahoo.com (98.137.246.7) 56(84) bytes of data.
64 bytes from media-router-fp1.prod1.media.vip.gq1.yahoo.com (98.137.246.7): icmp_seq=1 ttl=43 time=117 ms
^C
--- yahoo.com ping statistics ---
3 packets transmitted, 2 received, 33% packet loss, time 2000ms
rtt min/avg/max/mdev = 117.128/119.354/121.580/2.226 ms
$ auditctl -W /usr/sbin/ping -p x -k test
$ ausearch --start recent -k test -m syscall

Just to make sure that something in old style watches was causing the problem, we try again using the new syntax:

$ auditctl -a always,exit -F path=/usr/sbin/ping -F perms=x -F key=test
-F unknown field: perms
$ auditctl -a always,exit -F path=/usr/sbin/ping -F perm=x -F key=test
$ ping www.yahoo.com
PING atsv2-fp.wg1.b.yahoo.com (72.30.35.10) 56(84) bytes of data.
64 bytes from media-router-fp2.prod1.media.vip.bf1.yahoo.com (72.30.35.10): icmp_seq=1 ttl=44 time=62.6 ms
^C
--- atsv2-fp.wg1.b.yahoo.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 62.631/62.787/62.944/0.295 ms
$ auditctl -d always,exit -F path=/usr/sbin/ping -F perm=x -F key=test
$ ausearch --start recent -k test -m syscall

We should have gotten an event both ways.

stevegrubb, Jul 05 '18 13:07

The 4.16 kernel is also affected.

stevegrubb, Jul 05 '18 13:07

I checked the 4.12 kernel, it seems to also have the problem. This is the oldest kernel I have available.

stevegrubb, Jul 05 '18 13:07

My network access is unreliable, but I happen to have it for the moment so I did a quick test on an upstream kernel (the only one I have immediate access to for testing):

# uname -r
4.18.0-0.rc2.git4.1.fc29.x86_64
# auditctl -l
No rules
# which id
/usr/bin/id
# auditctl -a always,exit -S all -F exe=/usr/bin/id -k ghak94
# ausearch -k ghak94 
----
time->Fri Jul  6 06:47:46 2018
type=CONFIG_CHANGE msg=audit(1530874066.583:605):  auid=0 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=add_rule key="ghak94" list=4 res=1
# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# ausearch -k ghak94 | wc -l
670
# ausearch -k ghak94 | tail -n 5
type=SYSCALL msg=audit(1530874095.277:750): arch=c000003e syscall=3 success=yes exit=0 a0=2 a1=1 a2=7f8570913760 a3=0 items=0 ppid=572 pid=751 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="id" exe="/usr/bin/id" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="ghak94"
----
time->Fri Jul  6 06:48:15 2018
type=PROCTITLE msg=audit(1530874095.277:751): proctitle="id"
type=SYSCALL msg=audit(1530874095.277:751): arch=c000003e syscall=231 a0=0 a1=3c a2=0 a3=7ffcef8b5bce items=0 ppid=572 pid=751 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="id" exe="/usr/bin/id" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="ghak94"

... granted this is one small test, but it appears to be a case of WORKSFORME. Further, I do test this at least once a week, typically more, using the audit-testsuite, which does contain a test for this functionality:

  • https://github.com/linux-audit/audit-testsuite/blob/master/tests/exec_name/test

pcmoore, Jul 06 '18 10:07

https://github.com/Exynos7580/android_device_samsung_a5xeltexx/issues/7

Please help me guys unable to resolve this issue...

bunnyyTheFreak, Jul 09 '18 14:07

Unless I'm mistaken @BunsExynos, that issue appears unrelated to this problem mentioned here, yes?

pcmoore, Jul 18 '18 21:07

@pcmoore your test works fine because it is watching a regular file. @stevegrubb's test file is a symlink, so this is another related issue, as he has indicated: https://bugzilla.redhat.com/show_bug.cgi?id=1421794

rgbriggs, Aug 08 '18 12:08

@rgbriggs let's be sure to add a soft link test to the exec_name test in the test suite once this is resolved. We should probably add a test for a hard link too for the sake of completeness.

pcmoore, Aug 08 '18 12:08

@rgbriggs I'm going to assign this to you since it looks like this is already on your todo list, if not please let me know and I'll reassign it.

pcmoore, Aug 08 '18 12:08

Is this issue resolved? I want to watch power operations as below but I couldn't trigger an audit event.

[root@instance-2 ~]# uname -a
Linux instance-2 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[root@instance-2 ~]# cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
[root@instance-2 ~]# grep power /etc/audit/rules.d/power.rules
-w /sbin/shutdown -p x -k power
-w /sbin/poweroff -p x -k power
-w /sbin/reboot -p x -k power
-w /sbin/halt -p x -k power
[root@instance-2 ~]# file /sbin/{halt,poweroff,reboot,shutdown}
/sbin/halt: symbolic link to `../bin/systemctl'
/sbin/poweroff: symbolic link to `../bin/systemctl'
/sbin/reboot: symbolic link to `../bin/systemctl'
/sbin/shutdown: symbolic link to `../bin/systemctl'

remotekernel, Nov 16 '20 19:11

On 2020-11-16 11:05, remotekernel wrote:

> Is this issue resolved?

Not yet. It hasn't been abandoned.

> I want to watch power operations as below but I couldn't trigger an audit event.

This has always been an issue with no obvious solution. We can't monitor the execution binary directly since it will falsely trigger on any use of that binary, filling the logs and crowding out important events. We may be able to match the execution binary dev/inode along with the last element of the path in arg[0], since this latter is generally used to trigger behaviour in multicall binaries.

rgbriggs, Nov 16 '20 19:11

Same here on 4.19.110-300.el7.x86_64: unable to directly monitor the iptables command, because it is symlinked.

/usr/sbin/iptables -> xtables-multi

takakawa, Jan 25 '24 06:01
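A defender-side check for the situation described in the remotekernel and takakawa comments above, added here and not part of the issue or of the audit project: it scans an audit rules file for `-w PATH -p x` watches whose PATH is a symbolic link (such as /sbin/reboot or /usr/sbin/iptables), which this issue reports never fire on exec, and prints the real target so the rule can be reviewed. The function names and the one-rule-per-line file layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the audit-kernel issue or the audit project.
# Finds "-w PATH -p x" watch rules whose PATH is a symlink and reports the
# real target. Assumes one rule per line and paths without spaces.

# resolve_link PATH: follow all symlinks; prints nothing if it fails
resolve_link() {
    readlink -f -- "$1" 2>/dev/null
}

# is_symlink PATH: succeeds when PATH is a symbolic link
is_symlink() {
    [ -L "$1" ]
}

# check_symlink_watches RULES_FILE
# Prints one line per affected exec watch: "KEY PATH -> TARGET".
# Non-watch rules, comments and watches without the x permission are skipped.
check_symlink_watches() {
    rules_file=$1
    while read -r line; do
        case $line in
            -w\ *) ;;            # only "-w ..." watch rules
            *) continue ;;
        esac
        set -- $line             # split into words: -w PATH -p PERMS -k KEY
        path=$2
        perms=
        key=
        while [ $# -gt 0 ]; do
            case $1 in
                -p) perms=$2; shift ;;
                -k) key=$2; shift ;;
            esac
            shift
        done
        case $perms in *x*) ;; *) continue ;; esac   # exec watches only
        if is_symlink "$path"; then
            printf '%s %s -> %s\n' "$key" "$path" "$(resolve_link "$path")"
        fi
    done < "$rules_file"
    return 0
}

# Usage: check_symlink_watches /etc/audit/rules.d/power.rules
```

A watch placed on the printed target instead catches every invocation of that binary (for /sbin/reboot that is all of systemctl), which is exactly the log-flooding trade-off rgbriggs describes above.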