Description of problem:

-a exit,always -F dir=/etc/ -F perm=wa -F key=etc_change

This rule has no effect on my system. I can add or change files or directories and do not see any logs in /var/log/audit/audit.log. "aureport -k" shows no new line for key "etc_change".

Version-Release number of selected component (if applicable):
2.6.7

How reproducible:
Edit a file in /etc and check for new entries in audit.log.

Steps to Reproduce:
1.
2.
3.

Actual results:
no lines

Expected results:
Changing files in /etc should bring some output in audit.log

Here is the documentation:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Defining_Audit_Rules_and_Controls.html

I also tested the example from this documentation:

auditctl -w /etc/selinux/ -p wa -k selinux_changes

and it did not work.

Additional info:

-a exit,always -F path=/etc/bla -F perm=wa -F key=test_change

This example (monitoring a single file) is working. Whenever I edit the file /etc/bla I find two new lines in audit.log. When I create or remove it I have one new line.
Here's what I did to check:

auditctl -a exit,always -F dir=/etc -F perm=wa -F key=dir-test
vi /etc/ssh/sshd_config
(deleted a comment and saved)
ausearch --start recent -k dir --raw | aureport --file --summary

File Summary Report
===========================
total  file
===========================
13  /etc/ssh/
5  /etc/ssh/.sshd_config.swp
5  /etc/ssh/sshd_config
2  /etc/ssh/.sshd_config.swpx
2  /etc/ssh/4913
2  /etc/ssh/sshd_config~
1  (null)

It seems to be working. I also did the following:

# touch /etc/test
# ausearch --start recent -k dir --raw | aureport --file --summary

File Summary Report
===========================
total  file
===========================
1  /etc/
1  /etc/test

# uname -r
4.8.7-200.fc24.x86_64

Try to delete all your rules and then manually enter just the one rule and retest. I suspect it's something in the other rules blocking it.
Ok - I think I got it. I always had this rule active:

# This suppresses syscall auditing for all tasks started
# with this rule in effect. Remove it if you need syscall
# auditing.
-a task,never

After the removal of this rule it is working. The only thing I don't understand is why it works for a single file even with the above rule active.
I suspect it has to do with some tasks having an audit flag in the task struct and some not. Everything run before auditd starts does not get the flag and cannot be audited. The solution is to add audit=1 to the kernel boot prompt. I'm going to close the bz as there is nothing actionable on my end.
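The two points this thread ends on, a `-a task,never` rule silencing syscall-based watches and `audit=1` missing from the kernel command line, are the things to check first when a dir= or -w watch produces nothing. Below is an added checker for both; it is not code from the reporter or from the audit project. It parses auditctl-style rule lines (an audit.rules file, or the output of `auditctl -l`, which prints the same syntax), flags any task,never rule in either argument order, lists the `-w`, `dir=` and `path=` rules that rule can silence, and tests a kernel command line for `audit=1`. SAMPLE_RULES and SAMPLE_CMDLINE are constructed samples modelled on the thread; the option table `_SKIP_WITH_VALUE` is my own shortlist of auditctl options that take a value and are irrelevant to the check.

```python
"""Check an audit rules file for a task,never rule and for audit=1 at boot.

Added illustration for this bug thread; it is not code from the reporter or
from the audit project. SAMPLE_RULES and SAMPLE_CMDLINE are constructed.
"""
import shlex
from dataclasses import dataclass, field


# Constructed sample modelled on the thread: the task,never rule from the
# default rules file is loaded ahead of a dir= watch, a -w watch and a path= watch.
SAMPLE_RULES = """\
## First rule - delete all
-D
-b 8192
# This suppresses syscall auditing for all tasks started
# with this rule in effect. Remove it if you need syscall
# auditing.
-a task,never
-a exit,always -F dir=/etc/ -F perm=wa -F key=etc_change
-w /etc/selinux/ -p wa -k selinux_changes
-a exit,always -F path=/etc/bla -F perm=wa -F key=test_change
"""

# Constructed kernel command line that lacks the audit=1 the maintainer suggests.
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz-4.8.7-200.fc24.x86_64 root=/dev/sda2 ro quiet"

# auditctl options that take a value but do not matter for this check (my shortlist).
_SKIP_WITH_VALUE = {"-p", "-k", "-S", "-b", "-f", "-r", "-e", "-C"}


@dataclass
class Rule:
    lineno: int
    text: str
    action: str = ""                             # value of -a, e.g. "exit,always"
    fields: dict = field(default_factory=dict)   # -F name=value pairs
    watch: str = ""                              # path given to -w


def parse_rule(lineno: int, line: str):
    """Parse one auditctl line. Returns None for blanks, comments and control
    lines such as -D or -b that define no rule."""
    text = line.strip()
    if not text or text.startswith("#"):
        return None
    args = shlex.split(text)
    rule = Rule(lineno, text)
    i = 0
    while i < len(args):
        opt = args[i]
        val = args[i + 1] if i + 1 < len(args) else ""
        if opt in ("-a", "-A"):
            rule.action = val
            i += 2
        elif opt == "-F":
            name, _, value = val.partition("=")
            rule.fields[name] = value
            i += 2
        elif opt == "-w":
            rule.watch = val
            i += 2
        elif opt in _SKIP_WITH_VALUE:
            i += 2
        else:
            i += 1
    return rule if (rule.action or rule.watch) else None


def is_task_never(rule: Rule) -> bool:
    """True for -a task,never and the equivalent -a never,task."""
    return set(rule.action.split(",")) == {"task", "never"}


def is_file_watch(rule: Rule) -> bool:
    """A -w watch, or an exit-list rule keyed on dir= or path=. All of these
    are syscall rules, so all depend on the calling task being audited."""
    if rule.watch:
        return True
    on_exit = "exit" in rule.action.split(",")
    return on_exit and ("dir" in rule.fields or "path" in rule.fields)


def lint_rules(rules_text: str) -> dict:
    """Report task,never rules and the file watches they can silence."""
    rules = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        rule = parse_rule(lineno, line)
        if rule:
            rules.append(rule)
    suppressors = [r for r in rules if is_task_never(r)]
    watches = [r for r in rules if is_file_watch(r)]
    findings = []
    if suppressors:
        where = ", ".join(str(r.lineno) for r in suppressors)
        for w in watches:
            findings.append(
                f"line {w.lineno}: {w.text!r} is a syscall rule; tasks started "
                f"while task,never (line {where}) is loaded emit no events for it")
    return {
        "task_never_lines": [r.lineno for r in suppressors],
        "silenced_watch_lines": [r.lineno for r in watches] if suppressors else [],
        "findings": findings,
    }


def audit_enabled_at_boot(cmdline: str) -> bool:
    """True when audit=1 is on the kernel command line, which is what makes
    tasks started before auditd carry the audit flag."""
    return "audit=1" in cmdline.split()


if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_RULES)["findings"]:
        print(finding)
    print("audit=1 at boot:", audit_enabled_at_boot(SAMPLE_CMDLINE))
```

To run it against a live box, feed it the contents of /etc/audit/audit.rules (or the files under /etc/audit/rules.d) or the output of `auditctl -l`, and the contents of /proc/cmdline. A task,never hit means the watch may only fire for processes that were already being audited when the rule loaded, which matches the reporter's observation that results varied by rule; a missing audit=1 means anything started before auditd, and its children, never gets the flag at all.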