Date: Thu, 2 Dec 2010 18:43:52 -0500 (EST)
From: Garrett Wollman <wollman@khavrinen.csail.mit.edu>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/152796: fcntl(2) audit records should not be labeled "file attribute modify"
Message-ID: <201012022343.oB2Nhqjq082224@khavrinen.csail.mit.edu>
Resent-Message-ID: <201012030010.oB30ABCr073816@freefall.freebsd.org>
>Number:         152796
>Category:       kern
>Synopsis:       fcntl(2) audit records should not be labeled "file attribute modify"
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec 03 00:10:11 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Garrett Wollman
>Release:        FreeBSD 8.1-RELEASE-p2 amd64
>Organization:
MIT Computer Science & Artificial Intelligence Lab
>Environment:
8.1 system with auditing turned on
>Description:
/etc/security/audit_class describes class 0x8 as "file attribute modify". This seems like a reasonable thing to audit, but unfortunately, all calls to fcntl(2) -- which does not modify any file attributes -- are included in this category. Any program which uses POSIX-style locking will flood the audit file with spurious audit records, while the interesting system calls (those that call VOP_SETATTR) will be buried. (And for whatever reason, auditreduce(1) doesn't appear to perform as advertised when given the "-v" flag.)
>How-To-Repeat:
Enable auditing with class "fm". praudit /var/audit/current. Hit ^C when all you see is "fcntl(2)".
>Fix:
Move fcntl to a different audit class (probably "other" or maybe "ioctl").
>Release-Note:
>Audit-Trail:
>Unformatted:
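The report describes two mechanisms: audit_class(5) maps class names to bit masks, audit_event(5) maps each event to one or more classes, and a record is generated when an event's class mask intersects the preselection flags configured for the system. The script below is an added example, not code from the PR or from FreeBSD; it parses both file formats, models that preselection check, shows how a single noisy event in a class drowns out the rest, and applies the proposed fix of moving an event to a different class. The sample tables are constructed: only the 0x8/fm line comes from the report, the other class masks and all event numbers are placeholders rather than the real AUE_* values.

```python
"""Model of FreeBSD audit class preselection (added example, not FreeBSD code).

Constructed sample tables follow the audit_class(5) and audit_event(5)
formats. Event numbers and all class masks except 0x8/fm are placeholders.
"""
from typing import Dict, List, NamedTuple

# Constructed: mask:name:description (only the fm line is taken from the report)
SAMPLE_AUDIT_CLASS = """\
0x00000000:no:invalid class
0x00000002:fw:file write
0x00000008:fm:file attribute modify
0x20000000:io:ioctl
0x80000000:ot:other
0xffffffff:all:all flags set
"""

# Constructed: number:name:description:class[,class...] (numbers are placeholders)
SAMPLE_AUDIT_EVENT = """\
# placeholder event table for illustration
100:AUE_CHMOD:chmod(2):fm
101:AUE_CHOWN:chown(2):fm
102:AUE_UTIMES:utimes(2):fm
103:AUE_FCNTL:fcntl(2):fm
104:AUE_IOCTL:ioctl(2):io
105:AUE_WRITE:write(2):fw
"""


class AuditEvent(NamedTuple):
    number: int
    name: str
    description: str
    classes: List[str]


def _data_lines(text: str) -> List[str]:
    """Yield non-empty, non-comment lines of a colon-separated table."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def parse_audit_class(text: str) -> Dict[str, int]:
    """Return {class name: bit mask} from audit_class(5)-style text."""
    table: Dict[str, int] = {}
    for line in _data_lines(text):
        mask, name, _desc = line.split(":", 2)
        table[name] = int(mask, 16)
    return table


def parse_audit_event(text: str) -> List[AuditEvent]:
    """Return the event list from audit_event(5)-style text."""
    events = []
    for line in _data_lines(text):
        number, name, desc, classes = line.split(":", 3)
        events.append(AuditEvent(int(number), name, desc, classes.split(",")))
    return events


def class_mask(names: List[str], classes: Dict[str, int]) -> int:
    """OR together the masks of the named classes (e.g. the 'flags' setting)."""
    mask = 0
    for n in names:
        mask |= classes[n]
    return mask


def events_in_class(events: List[AuditEvent], cls: str,
                    classes: Dict[str, int]) -> List[str]:
    """Names of all events whose mask overlaps the given class bit."""
    bit = classes[cls]
    return [ev.name for ev in events if class_mask(ev.classes, classes) & bit]


def would_be_recorded(ev: AuditEvent, flags: str, classes: Dict[str, int]) -> bool:
    """Preselection: a record is produced when event classes and flags intersect."""
    wanted = class_mask(flags.split(","), classes)
    return bool(class_mask(ev.classes, classes) & wanted)


def record_counts(trace: List[str], events: List[AuditEvent], flags: str,
                  classes: Dict[str, int]) -> Dict[str, int]:
    """Count records per event that a trace of event names would generate."""
    by_name = {ev.name: ev for ev in events}
    counts: Dict[str, int] = {}
    for name in trace:
        if would_be_recorded(by_name[name], flags, classes):
            counts[name] = counts.get(name, 0) + 1
    return counts


def reassign_event_class(text: str, event_name: str, new_classes: str) -> str:
    """Rewrite the class column for one event, keeping comments and order."""
    out = []
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith("#"):
            number, name, desc, _old = s.split(":", 3)
            if name == event_name:
                line = f"{number}:{name}:{desc}:{new_classes}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    classes = parse_audit_class(SAMPLE_AUDIT_CLASS)
    events = parse_audit_event(SAMPLE_AUDIT_EVENT)
    # Constructed trace: a lock-heavy program touching attributes twice.
    trace = ["AUE_FCNTL"] * 500 + ["AUE_CHMOD", "AUE_CHOWN"]
    print("fm before fix:", record_counts(trace, events, "fm", classes))
    fixed = parse_audit_event(reassign_event_class(SAMPLE_AUDIT_EVENT, "AUE_FCNTL", "ot"))
    print("fm after fix: ", record_counts(trace, fixed, "fm", classes))
```

Running it with the constructed trace shows 500 fcntl records against 2 attribute changes under `flags:fm`, and only the two attribute changes once the event line is rewritten to class `ot`; the same parsing works on the real files under /etc/security if you want to check which events a given flags setting will actually select on your own system.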