We've recently started using auditd on one of our Ubuntu servers.
The example audit.rules file we were given has a rule like this:
-w /var/log/syslog -p wra -k logs
However, when syslog writes to the file, nothing gets logged by auditd. Similarly, if I go to the command line and run the logger command, the syslog file gets written without generating an audit log. If I alter the file directly by using an editor or appending a line to it from the command line, it does get logged.
Of course, I don't want an audit log every time syslog gets written, but I'm interested to know what causes this to happen and if there are any other cases besides syslog where this could be happening without my knowledge.
Thank you very much!
Additional info:
Test audit.rules file:
-D
-b 8192
-f 1
-w /var/log/syslog -p wra -k logs
Output of auditctl -l and augenrules --check:
# auditctl -l
-w /var/log/syslog -p rwa -k logs
# augenrules --check
/sbin/augenrules: Rules have changed and should be updated
Using logger:
# logger "logger example"
# ausearch -k logs
----
time->Fri Mar 10 14:35:20 2017
type=CONFIG_CHANGE msg=audit(1489156520.983:4463): auid=4294967295 ses=4294967295 op="add_rule" key="logs" list=4 res=1
Using echo and output redirect:
# echo "echo example" >> /var/log/syslog
# ausearch -k logs
----
time->Fri Mar 10 14:35:20 2017
type=CONFIG_CHANGE msg=audit(1489156520.983:4463): auid=4294967295 ses=4294967295 op="add_rule" key="logs" list=4 res=1
----
time->Fri Mar 10 14:36:52 2017
type=PROCTITLE msg=audit(1489156612.334:4465): proctitle="bash"
type=PATH msg=audit(1489156612.334:4465): item=1 name="/var/log/syslog" inode=417506 dev=08:01 mode=0100640 ouid=104 ogid=4 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1489156612.334:4465): item=0 name="/var/log/" inode=411799 dev=08:01 mode=040775 ouid=0 ogid=108 rdev=00:00 nametype=PARENT
type=CWD msg=audit(1489156612.334:4465): cwd="/etc/audit"
type=SYSCALL msg=audit(1489156612.334:4465): arch=c000003e syscall=2 success=yes exit=3 a0=a93108 a1=441 a2=1b6 a3=7ffe24385b98 items=2 ppid=28462 pid=28463 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts18 ses=4294967295 comm="bash" exe="/bin/bash" key="logs"
Tail of /var/log/syslog:
# tail -n 2 /var/log/syslog
Mar 10 14:36:40 testserver root: logger example
echo example
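The SYSCALL record above already contains the explanation: syscall=2 is open(2) on x86_64 and a1=441 (hex) is the flag word passed to it. The following is an added example, not part of the original question or answer: a small Python parser that groups ausearch output by serial number, decodes the open flags, and reports which -p permission a file watch would match. The sample text is constructed from the records shown in the question, plus one constructed write(2) record (serial 4466, attributed to a hypothetical rsyslogd process) that a -w watch would never produce and is included only to show the classifier rejecting it.

```python
"""Decode auditd SYSCALL records to see which open(2) flags tripped a
'-w <file> -p wra' watch.  Added example; not code from the original post."""
import re

# x86_64 open(2) flag values, as in <asm-generic/fcntl.h> (octal)
O_ACCMODE = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
O_FLAGS = {
    "O_CREAT": 0o100, "O_EXCL": 0o200, "O_NOCTTY": 0o400, "O_TRUNC": 0o1000,
    "O_APPEND": 0o2000, "O_NONBLOCK": 0o4000, "O_DSYNC": 0o10000,
    "O_DIRECTORY": 0o200000, "O_NOFOLLOW": 0o400000, "O_CLOEXEC": 0o2000000,
}
# x86_64 syscall numbers (arch=c000003e); only the ones this example needs
SYSCALL_NAMES = {0: "read", 1: "write", 2: "open", 257: "openat"}

MSG_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: the two events from the question, plus a constructed
# write(2) record (serial 4466) that no -w watch would ever emit.
SAMPLE = """\
----
time->Fri Mar 10 14:35:20 2017
type=CONFIG_CHANGE msg=audit(1489156520.983:4463): auid=4294967295 ses=4294967295 op="add_rule" key="logs" list=4 res=1
----
time->Fri Mar 10 14:36:52 2017
type=PROCTITLE msg=audit(1489156612.334:4465): proctitle="bash"
type=PATH msg=audit(1489156612.334:4465): item=1 name="/var/log/syslog" inode=417506 dev=08:01 mode=0100640 ouid=104 ogid=4 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1489156612.334:4465): item=0 name="/var/log/" inode=411799 dev=08:01 mode=040775 ouid=0 ogid=108 rdev=00:00 nametype=PARENT
type=CWD msg=audit(1489156612.334:4465): cwd="/etc/audit"
type=SYSCALL msg=audit(1489156612.334:4465): arch=c000003e syscall=2 success=yes exit=3 a0=a93108 a1=441 a2=1b6 a3=7ffe24385b98 items=2 ppid=28462 pid=28463 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts18 ses=4294967295 comm="bash" exe="/bin/bash" key="logs"
----
time->Fri Mar 10 14:36:52 2017
type=SYSCALL msg=audit(1489156612.500:4466): arch=c000003e syscall=1 success=yes exit=27 a0=6 a1=7f00deadbeef a2=1b a3=0 items=0 ppid=1 pid=1234 auid=4294967295 uid=104 gid=4 euid=104 suid=104 fsuid=104 egid=4 sgid=4 fsgid=4 tty=(none) ses=4294967295 comm="rsyslogd" exe="/usr/sbin/rsyslogd" key=(null)
"""


def parse_events(text):
    """Group ausearch output lines by audit serial number (the N in audit(ts:N))."""
    events = {}
    for line in text.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue  # '----' separators and 'time->' headers carry no fields
        rtype, ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        ev = events.setdefault(int(serial), {"time": float(ts), "records": {}})
        ev["records"].setdefault(rtype, []).append(fields)
    return events


def decode_open_flags(hexarg):
    """Turn the hex a1 (open) / a2 (openat) argument into O_* flag names."""
    val = int(hexarg, 16)
    names = [O_ACCMODE[val & 3]]
    names += [name for name, bit in O_FLAGS.items() if val & bit]
    return names


def watch_hit(perms, syscall_fields):
    """Return the -p permission ('w' or 'r') a file watch matches for this
    SYSCALL record, or None.  A watch is evaluated against the access mode at
    open time; a later read()/write() on the already-open fd is not a
    path-based operation and never reaches the watch."""
    nr = int(syscall_fields["syscall"])
    name = SYSCALL_NAMES.get(nr)
    if name == "open":
        flags = decode_open_flags(syscall_fields["a1"])
    elif name == "openat":
        flags = decode_open_flags(syscall_fields["a2"])
    else:
        return None
    if "w" in perms and flags[0] in ("O_WRONLY", "O_RDWR"):
        return "w"
    if "r" in perms and flags[0] in ("O_RDONLY", "O_RDWR"):
        return "r"
    return None


def classify(text, perms="wra"):
    """Map each serial that has a SYSCALL record to (comm, syscall name, hit)."""
    result = {}
    for serial, ev in parse_events(text).items():
        for f in ev["records"].get("SYSCALL", []):
            name = SYSCALL_NAMES.get(int(f["syscall"]), "syscall#" + f["syscall"])
            result[serial] = (f["comm"], name, watch_hit(perms, f))
    return result


if __name__ == "__main__":
    for serial, (comm, name, hit) in sorted(classify(SAMPLE).items()):
        verdict = f"matches -p {hit}" if hit else "not a watch event"
        print(f"{serial}: {comm} {name}() -> {verdict}")
    print("a1=441 decodes to", decode_open_flags("441"))
```

Running it shows serial 4465 (bash, open with O_WRONLY|O_CREAT|O_APPEND from the `>>` redirect) matching -p w, while the constructed rsyslogd write() record is not something a watch evaluates at all. The same decoder works for openat(2) records, where the flag word is in a2 instead of a1.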
Best Answer
I've understood the reason behind this behavior.
The auditctl man page for the -p flag states:
I didn't understand what this meant at the time, but after a couple of hours digging into the linux-audit mailing list, I've come to realize this means that if you watch a file for writing, it doesn't log when there's a syscall for writing to the file. It just logs if a file was accessed with write permissions by checking for open syscalls with the O_RDWR or O_WRONLY flags.
So, when I use the logger command, I'm actually asking my Syslog daemon to write to the file for me. The syslog daemon always has that file open for writing, therefore it makes sense that nothing gets logged.
If I restart the Syslog daemon, I get something like this on my audit logs: