#387 closed defect (fixed)
Support for Linux audit system suffers from various quirks
| Reported by: | rainer | Owned by: | rainer |
|---|---|---|---|
| Priority: | major | Milestone: | 4.1.0 |
| Component: | main | Version: | |
| Keywords: | | Cc: | |
Description
(1) Placing a watch on a directory does not place a watch on the directory inode itself. This is a "feature" of the Linux audit system and needs to be mitigated by placing an explicit watch on the directory inode (to be fixed).
(2) Even then, changing a directory timestamp with /bin/touch generates an audit log entry with "success=no", although the timestamp changes. This is because /bin/touch will first try to open() the directory, which fails with EISDIR (Is a directory), and only this is recorded by the audit system. I don't know how to mitigate this.
(3) Samhain currently fetches the wrong audit log entry if only the ctime but not the mtime is changed (e.g. chmod). To be fixed.
(4) The default auditd configuration on Ubuntu sets 'flush = INCREMENTAL'. As a result, the audit log entry might not be written yet when Samhain tries to fetch it. Auditd should be configured with 'flush = DATA' or 'flush = SYNC', and this needs to be mentioned in the Samhain documentation.
(investigation instigated by Bond)
Believed to be fixed by changeset [488].
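The two points an administrator can act on directly are (1), the extra rule for the directory inode, and (4), the auditd flush mode. The following script is an added example, not part of this ticket, the changeset or the Samhain sources: it reads the 'flush' setting out of an auditd.conf, rewrites an unsafe one to 'flush = DATA', and prints the pair of audit rules that item (1) calls for. The sample auditd.conf is constructed to mimic the Ubuntu default described in item (4). The '-F path=' rule for the directory inode and its syscall list are my reading of the auditctl rule syntax, not something the ticket specifies, and should be checked against the auditctl man page of the target system.

```shell
#!/bin/sh
# Added example (not from the Samhain ticket or sources): check and correct
# the auditd 'flush' mode from item (4), and emit the directory-inode rule
# from item (1) next to the ordinary directory watch.
# Assumption: auditd.conf uses plain "key = value" lines, one per line.

# Print the value of 'flush' from an auditd.conf, upper-cased, or NONE if
# the file has no such line. Leading blanks and trailing comments are tolerated.
audit_flush_mode() {
    conf=$1
    mode=$(sed -n 's/^[[:space:]]*flush[[:space:]]*=[[:space:]]*\([A-Za-z_]*\).*/\1/p' "$conf" | tail -n 1)
    [ -n "$mode" ] || mode=NONE
    printf '%s\n' "$mode" | tr '[:lower:]' '[:upper:]'
}

# Exit 0 only when the flush mode is one the ticket recommends (DATA or
# SYNC); INCREMENTAL, NONE and anything else are treated as unsafe.
flush_is_safe() {
    case $(audit_flush_mode "$1") in
        DATA|SYNC) return 0 ;;
        *) return 1 ;;
    esac
}

# Rewrite an existing 'flush' line to 'flush = DATA', or append one if the
# file has none. Uses a temporary file instead of sed -i for portability.
# Returns 0 when the file is safe afterwards.
fix_flush() {
    conf=$1
    tmp="$conf.tmp.$$"
    if grep -q '^[[:space:]]*flush[[:space:]]*=' "$conf"; then
        sed 's/^[[:space:]]*flush[[:space:]]*=.*/flush = DATA/' "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        printf 'flush = DATA\n' >> "$conf"
    fi
    flush_is_safe "$conf"
}

# Print two audit rules for DIR under key KEY: the usual watch (which, per
# item (1), covers the directory entries but not the directory inode) and an
# explicit exit rule keyed on the directory path itself. The '-F path=' form
# and the syscall list are an assumption about auditctl, not from the ticket.
audit_rules_for_dir() {
    dir=$1
    key=$2
    printf '%s\n' "-w $dir -p wa -k $key"
    printf '%s\n' "-a always,exit -F arch=b64 -F path=$dir -S chmod,fchmodat,chown,fchownat,utimensat -k $key"
}

# Demo on a constructed auditd.conf resembling the Ubuntu default from item (4).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
log_file = /var/log/audit/audit.log
log_format = RAW
flush = INCREMENTAL
freq = 20
EOF
echo "before: flush = $(audit_flush_mode "$demo_conf")"
fix_flush "$demo_conf" && echo "after:  flush = $(audit_flush_mode "$demo_conf")"
audit_rules_for_dir /etc/samhain samhain_etc
rm -f "$demo_conf"
```

Run it as root only after reviewing the printed rules; auditd must be restarted (or sent SIGHUP) for a changed flush mode to take effect, and the rules are meant to be appended to the audit rules file rather than typed in by hand every boot.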