Audit Filtering on Executable Pathname12 Feb 2016 tags: audit
As part of Linux 4.3 we added the ability to selectively filter based on an executable pathname and not just the executable’s current PID. This post is a quick introduction to the new functionality using ‘/usr/bin/echo’ as a simple example.
In order to use the new audit by executable functionality you need to make sure you are running Linux 4.3 or greater, and the audit userspace tools version 2.5 or greater. For this example I’m using a Fedora Rawhide system with a Linux 4.5 development kernel and the audit v2.5 userspace.
First, I’m going to clear any existing audit rules from the system and create a new rule to generate an audit event whenever the ‘/usr/bin/echo’ application calls the write() system call; I’m also going to have the kernel mark these records with the ‘testing’ key for easier parsing by ‘ausearch’ later. It is important to note that this is just a simple example to demonstrate the functionality, the new ‘-F exe=…’ audit filter can used as part of larger, more complex rules.
With the new rule loaded into the kernel we simply need to execute ‘/usr/bin/echo’. It is important to specify the full path for the echo command as some shells, including bash, default to a built-in if an absolute executable path for echo is not given.
We can now check the audit log to see if any events have occurred that match the ‘testing’ key we used when we created our new audit by executable rule.
In this case we see two audit events have been recorded in the audit log. The first event consists of a single CONFIG_CHANGE record and was generated when we loaded the new rule into the kernel. The second event was generated by our newly created audit by executable rule and show ‘/usr/bin/echo’ using the write() syscall. For such a simple application as ‘/bin/true’ this is exactly what we would expect, and an indication that everything is working correctly.