
parameters of command in audit.log

Posted: 2019/04/15 08:38:16
by Paczkov

I need help with configuring or understanding auditd service.
My problem is that I do not see the parameters of, let's say, chmod. I see that it was used, but I do not know what the parameter was (I want to search for files where +x permissions were added). Below I am presenting the chmod log from audit.log. I used chmod 777 on a file and I see this log:

type=SYSCALL msg=audit(1555317071.522:85615285): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=9980f0 a2=1ff a3=7ffc0a2bd160 items=1 ppid=3553 pid=6592 auid=1023 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=52335 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
type=CWD msg=audit(1555317071.522:85615285): cwd="/root"
type=PATH msg=audit(1555317071.522:85615285): item=0 name="" inode=1716 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1555317071.522:85615285): proctitle=63686D6F64003737370074657374746573742E7368

I see the command was used but I do not see what permission was granted. In this log I still see the old permission under mode=

Could you please advise?

Best Regards!

Re: parameters of command in audit.log

Posted: 2019/04/18 18:52:21
by aks
It's not that hard; here's an example from some time ago:

# Discretionary access control permission modification (unsuccessful and successful use of chown/chmod)
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k permissions

Syscall rules take the general form of:
-a action,list -S syscall -F field=value -k keyname

It's all in the docs; have a read of man audit.rules. I think it's pretty clear (albeit long). Also, RH have some (albeit old) docs.
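An added example, not part of either post above, that answers the original question directly from the records it quotes: the requested mode is in the SYSCALL record, not in PATH. For fchmodat (syscall 268 on arch=c000003e, x86_64) the third argument is the mode, so a2=1ff is hex for 0777; for chmod and fchmod (syscalls 90 and 91 on x86_64) the mode is a1. The PATH record's mode=0100600 is the inode's mode at lookup time, i.e. before the change, which is why the new permission never appears there. The PROCTITLE field is the hex-encoded, NUL-separated argv (the same thing `ausearch -i` renders). The script below parses the four lines from the question (embedded as constructed sample input), decodes the mode argument and proctitle, and flags events where an execute bit was added relative to the PATH mode. Assumptions: x86_64 records only (32-bit arch values use different syscall numbers), and the last PATH item is the object being modified.

```python
import re

# x86_64 (arch=c000003e) syscall numbers for the chmod family, mapped to the
# SYSCALL-record argument that carries the requested mode:
#   chmod(path, mode)               -> a1   (syscall 90)
#   fchmod(fd, mode)                -> a1   (syscall 91)
#   fchmodat(dirfd, path, mode, fl) -> a2   (syscall 268)
MODE_ARG_X86_64 = {90: "a1", 91: "a1", 268: "a2"}
ARCH_X86_64 = "c000003e"

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

# Constructed sample input: the four records of the event quoted in the question.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1555317071.522:85615285): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=9980f0 a2=1ff a3=7ffc0a2bd160 items=1 ppid=3553 pid=6592 auid=1023 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=52335 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
type=CWD msg=audit(1555317071.522:85615285): cwd="/root"
type=PATH msg=audit(1555317071.522:85615285): item=0 name="" inode=1716 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1555317071.522:85615285): proctitle=63686D6F64003737370074657374746573742E7368
"""


def parse_record(line):
    """One audit.log line -> dict. Quoted values keep their quotes so that a
    hex-encoded field (always unquoted) can be told apart from a printable one."""
    return dict(FIELD_RE.findall(line))


def unquote(value):
    if value is not None and len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def decode_proctitle(raw):
    """auditd prints proctitle quoted when it is printable and as hex when the
    argv contains non-printable bytes (the NUL separators). Return argv as a list."""
    if raw.startswith('"'):
        return [unquote(raw)]
    return bytes.fromhex(raw).decode("utf-8", "replace").split("\x00")


def group_events(text):
    """Group records by the serial in msg=audit(ts:serial), preserving order."""
    events = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        m = MSG_RE.search(rec.get("msg", ""))
        if m:
            events.setdefault(m.group(2), []).append(rec)
    return events


def analyse_chmod_event(serial, records):
    """Summarise one chmod-family event; return None for any other event."""
    by_type = {}
    for rec in records:
        by_type.setdefault(rec["type"], []).append(rec)
    syscalls = by_type.get("SYSCALL")
    if not syscalls or syscalls[0].get("arch") != ARCH_X86_64:
        return None
    sc = syscalls[0]
    nr = int(sc["syscall"])
    mode_arg = MODE_ARG_X86_64.get(nr)
    if mode_arg is None:
        return None
    # a0..a3 are printed as raw hex; keep only the permission bits of the mode.
    new_mode = int(sc[mode_arg], 16) & 0o7777
    # PATH mode is the inode's mode at lookup time (before the change); auditd
    # does not record the post-change mode, so it comes from the argument above.
    paths = by_type.get("PATH", [])
    old_mode = int(paths[-1]["mode"], 8) & 0o7777 if paths else None
    argv = decode_proctitle(by_type["PROCTITLE"][0]["proctitle"]) if "PROCTITLE" in by_type else []
    exec_added = old_mode is not None and bool((new_mode & ~old_mode) & 0o111)
    return {
        "serial": serial,
        "syscall": nr,
        "success": sc.get("success") == "yes",
        "auid": int(sc["auid"]),
        "comm": unquote(sc.get("comm")),
        "cwd": unquote(by_type["CWD"][0]["cwd"]) if "CWD" in by_type else None,
        "inode": int(paths[-1]["inode"]) if paths else None,
        "old_mode": old_mode,
        "new_mode": new_mode,
        "exec_added": exec_added,
        "argv": argv,
    }


def find_exec_grants(text):
    """All successful chmod-family events in `text` that add an execute bit."""
    hits = []
    for serial, records in group_events(text).items():
        summary = analyse_chmod_event(serial, records)
        if summary and summary["success"] and summary["exec_added"]:
            hits.append(summary)
    return hits


if __name__ == "__main__":
    for hit in find_exec_grants(SAMPLE_LOG):
        print(f'event {hit["serial"]}: auid={hit["auid"]} ran {" ".join(hit["argv"])!r} '
              f'in {hit["cwd"]}: mode {hit["old_mode"]:04o} -> {hit["new_mode"]:04o} (+x added)')
```

Run it against a real `/var/log/audit/audit.log` by passing the file contents to `find_exec_grants`; events tagged by a rule like the one above (key="permissions" or, in the question, key="perm_mod") are the ones worth filtering on first. The comparison is against the PATH mode of the same event, so a `chmod 777` on a file that was already 0755 is not reported, which is usually what "files where +x was added" means in practice.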