Opened 6 years ago

Closed 6 years ago

Last modified 5 years ago

#387 closed defect (fixed)

Support for Linux audit system suffers from various quirks

Reported by: rainer
Owned by: rainer
Priority: major
Milestone: 4.1.0
Component: main
Version:
Keywords:
Cc:


(1) Placing a watch on a directory does not place a watch on the directory inode itself. This is a "feature" of the Linux audit system and needs to be mitigated by placing an explicit watch on the directory inode (to be fixed).

(2) Even then, changing a directory timestamp with /bin/touch generates an audit log entry with "success=no", although the timestamp changes. This is because /bin/touch will first try to open() the directory, which fails with EISDIR (Is a directory), and only this is recorded by the audit system. Don't know how to mitigate this.

(3) Samhain currently fetches the wrong audit log entry if only the ctime but not the mtime is changed (e.g. chmod). To be fixed.

(4) The default auditd configuration on Ubuntu sets 'flush = INCREMENTAL'. As a result, the audit log entry might not be written yet when Samhain tries to fetch it. Auditd should be configured with 'flush = DATA' or 'flush = SYNC', and this needs to be mentioned in the Samhain documentation.

(investigation instigated by Bond)
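As an added illustration (not part of the ticket or of Samhain's own code), a small offline check for points (1) and (4) above: it flags a recursive directory watch that has no explicit watch on the directory inode (assumed here to be the auditctl `-F path=` rule form) and an auditd.conf whose flush setting is not DATA or SYNC. The sample auditd.conf and rules are constructed.

```python
import re

# Constructed sample of an Ubuntu-style auditd.conf carrying the weak default.
SAMPLE_AUDITD_CONF = """\
log_file = /var/log/audit/audit.log
log_format = RAW
flush = INCREMENTAL
freq = 20
"""

# Constructed audit rules: /etc/ssh has the recursive watch plus an explicit
# watch on the directory inode (assumed auditctl '-F path=' form); /var/www
# has only the recursive watch and so misses changes to the inode itself.
SAMPLE_RULES = """\
-w /etc/ssh -p wa -k samhain
-a always,exit -F path=/etc/ssh -F perm=wa -k samhain
-w /var/www/ -p wa -k samhain
"""

SAFE_FLUSH = {"DATA", "SYNC"}

def _strip(line):
    """Drop a trailing '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()

def check_flush(conf_text):
    """Return (ok, value) for auditd's 'flush' setting (last one wins).
    ok is True only for DATA or SYNC, which put the record on disk before
    a consumer such as Samhain goes looking for it."""
    value = None
    for line in conf_text.splitlines():
        m = re.match(r"flush\s*=\s*(\S+)$", _strip(line), re.IGNORECASE)
        if m:
            value = m.group(1).upper()
    return (value in SAFE_FLUSH, value)

def dirs_without_inode_watch(rules_text):
    """Directories with a recursive watch (-w DIR or -F dir=DIR) but no
    explicit watch on the directory inode (-F path=DIR). Assumes every
    -w target is a directory, so a -w on a plain file is a false positive."""
    recursive, inode = set(), set()
    for raw in rules_text.splitlines():
        line = _strip(raw)
        for m in re.finditer(r"(?:^|\s)(?:-w\s+|-F\s+dir=)(\S+)", line):
            recursive.add(m.group(1).rstrip("/") or "/")
        for m in re.finditer(r"(?:^|\s)-F\s+path=(\S+)", line):
            inode.add(m.group(1).rstrip("/") or "/")
    return sorted(recursive - inode)
```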

Change History (1)

comment:1 Changed 6 years ago by rainer

Resolution: fixed
Status: new → closed

Believed to be fixed by changeset [488].
