My original post is below but it's wrong. All I'm asking now is if someone can enable CONFIG_AUDIT in the kernel or tell me a program that lets you spy on files just as well as auditd.
Today when I was making packages, something I haven't done in a while and badly needed to do again, I noticed exclamation marks appearing beside the filenames in the medit tabs. Those exclamation marks mean that since I last saved the text file in medit, another process edited the file on the disk. Subsequent saving required me to click "yes I'm sure I want to overwrite" in this popup window. This was responsive to my saves. Every time I saved something (a PKGBUILD, a patch, anything under the /var/abs tree) it was changed half a second later.
I tried to find out what was going on. Inotify-tools told me when the PKGBUILD was being modified but not by what process. Lsof and Glsof had no hope because they don't watch a specific file in real time, they only tell you things that are currently open so I'd need inhuman reflexes to get useful information out of them.
One thing that looks perfect for me is auditd. This page http://www.cyberciti.biz/tips/linux-aud … -file.html says how you can use it to see what process edited what file. I spent a couple hours fine tuning the PKGBUILD of it only to hit the error where auditd says "Connection refused." Every other poster reporting this did so because his or her kernel did not have audit support and sure enough in the kernel26 package, CONFIG_AUDIT is not set.
So I need to ask three things:
1. Does anyone know why my files are being accessed this way in /var/abs?
2. Does anyone know a program compatible with the default kernel26 that could help me investigate?
3. If it's not too much trouble, would the kernel26 maintainers consider adding CONFIG_AUDIT so I don't have to start using a custom kernel over this one triviality?
Thanks a lot.
Last edited by ConnorBehan (2008-12-27 00:13:11)
6EA3 F3F3 B908 2632 A9CB E931 D53A 0445 B47A 0DAB
Great things come in tar.xz packages.
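Added example (not code from this thread): with audit support available, the approach the cyberciti page describes is to set a watch and then read back the records it produces. The rule and query below are real auditctl(8)/ausearch(8) invocations; the key name "abs-watch" is my choice.

    auditctl -w /var/abs -p wa -k abs-watch    # log writes and attribute changes under /var/abs
    ausearch -k abs-watch --raw                # dump the raw SYSCALL/CWD/PATH records

The Python below parses those raw records and answers the question the thread is actually asking: which pid and executable touched which file, and whether some other process touched the same file within a short window after a save. The log lines are constructed for the example (the process names in them are made up; nothing here shows what was really touching the poster's files), and the syscall-number table assumes an x86_64 kernel (arch=c000003e in the SYSCALL record).

```python
"""Parse raw Linux audit records from a file-watch rule and report which
process touched which file.  Added example, not code from the thread."""
import os
import re
from collections import defaultdict

# Assumption: x86_64 syscall numbers (arch=c000003e).  Other arches differ.
SYSCALLS_X86_64 = {
    1: "write", 2: "open", 82: "rename", 90: "chmod", 92: "chown",
    132: "utime", 188: "setxattr", 235: "utimes", 257: "openat",
    264: "renameat", 280: "utimensat",
}

# type=SYSCALL msg=audit(<epoch.ms>:<serial>): key=value ...
RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # quoted or bare values

# Constructed sample: one save of a PKGBUILD, a second process touching the
# same file half a second later, and an unrelated event under another key.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1230336791.101:201): arch=c000003e syscall=2 success=yes exit=5 a0=7fff0 a1=241 a2=1b6 a3=0 items=1 ppid=3000 pid=3100 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=pts0 ses=1 comm="medit" exe="/usr/bin/medit" key="abs-watch"
type=CWD msg=audit(1230336791.101:201):  cwd="/var/abs/local/foo"
type=PATH msg=audit(1230336791.101:201): item=0 name="PKGBUILD" inode=4711 dev=08:01 mode=0100644 ouid=1000 ogid=100 rdev=00:00
type=SYSCALL msg=audit(1230336791.602:202): arch=c000003e syscall=280 success=yes exit=0 a0=ffffff9c a1=7fff1 a2=7fff2 a3=0 items=1 ppid=3000 pid=3200 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=(none) ses=1 comm="filemgr" exe="/usr/bin/filemgr" key="abs-watch"
type=CWD msg=audit(1230336791.602:202):  cwd="/home/user"
type=PATH msg=audit(1230336791.602:202): item=0 name="/var/abs/local/foo/PKGBUILD" inode=4711 dev=08:01 mode=0100644 ouid=1000 ogid=100 rdev=00:00
type=SYSCALL msg=audit(1230336792.000:203): arch=c000003e syscall=2 success=yes exit=3 a0=7fff3 a1=0 a2=0 a3=0 items=1 ppid=1 pid=1500 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=pts1 ses=2 comm="cat" exe="/bin/cat" key="other"
type=CWD msg=audit(1230336792.000:203):  cwd="/home/user"
type=PATH msg=audit(1230336792.000:203): item=0 name="notes.txt" inode=99 dev=08:01 mode=0100644 ouid=1000 ogid=100 rdev=00:00
"""


def parse_record(line):
    """One audit line -> dict with type, timestamp, serial and its fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for name, quoted, bare in FIELD_RE.findall(m.group("body")):
        fields[name] = bare if bare else quoted
    return {"type": m.group("type"), "ts": float(m.group("ts")),
            "serial": int(m.group("serial")), "fields": fields}


def group_events(lines):
    """Records sharing a serial number belong to one syscall event."""
    events = defaultdict(lambda: {"SYSCALL": None, "CWD": None, "PATH": []})
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events[rec["serial"]]
        if rec["type"] == "PATH":
            ev["PATH"].append(rec)            # one PATH record per item
        elif rec["type"] in ("SYSCALL", "CWD"):
            ev[rec["type"]] = rec
    return events


def file_accesses(lines, key, syscall_names=SYSCALLS_X86_64):
    """Flatten events tagged with `key` into (time, path, pid, comm, ...) hits."""
    hits = []
    for serial, ev in sorted(group_events(lines).items()):
        sc = ev["SYSCALL"]
        if sc is None or sc["fields"].get("key") != key:
            continue
        f = sc["fields"]
        cwd = ev["CWD"]["fields"].get("cwd", "/") if ev["CWD"] else "/"
        num = int(f.get("syscall", -1))
        for p in ev["PATH"]:
            name = p["fields"].get("name", "")
            if not name or name == "(null)":
                continue
            hits.append({
                "time": sc["ts"], "serial": serial,
                "path": os.path.normpath(os.path.join(cwd, name)),   # relative names resolve against CWD
                "pid": int(f["pid"]), "ppid": int(f["ppid"]),
                "comm": f.get("comm"), "exe": f.get("exe"),
                "syscall": syscall_names.get(num, "syscall#%d" % num),
                "success": f.get("success") == "yes",
            })
    return hits


def followers(hits, window=1.0):
    """Pairs where a different pid touches the same path within `window`
    seconds of an earlier access: the 'changed half a second after I saved'
    pattern from the thread."""
    out = []
    by_path = defaultdict(list)
    for h in hits:
        by_path[h["path"]].append(h)
    for path, seq in by_path.items():
        seq.sort(key=lambda h: h["time"])
        for a, b in zip(seq, seq[1:]):
            if a["pid"] != b["pid"] and 0 <= b["time"] - a["time"] <= window:
                out.append((path, a["comm"], a["pid"], b["comm"], b["pid"], b["syscall"]))
    return out


if __name__ == "__main__":
    hits = file_accesses(SAMPLE_LOG.splitlines(), "abs-watch")
    for h in hits:
        print("%(time).3f pid=%(pid)d %(comm)s (%(exe)s) %(syscall)s %(path)s" % h)
    for path, c1, p1, c2, p2, sc in followers(hits):
        print("%s: %s[%d] then %s[%d] via %s" % (path, c1, p1, c2, p2, sc))
```

With real data, `ausearch -k abs-watch --raw | python3 thisfile.py`-style piping would replace SAMPLE_LOG; the one thing to keep in mind is that a utimensat/utime hit is an attribute change (the "a" in `-p wa`), which is exactly the kind of timestamp-only touch that makes an editor think the file changed even though its bytes did not.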
Why don't you move the PKGBUILDS you are editing to /var/abs/local or some other build location as suggested in the wiki, then see if the file is still being accessed?
archlinux - please read this and this — twice — then ask questions.
--
http://rsontech.net | http://github.com/rson
I would look at whether they actually change, maybe it's some malicious code appending bad stuff to anything it finds *shrug* (whyever it would choose anything out of your $PATH is beyond me though)
cheers Barde
It was everything in /var/abs including /var/abs/local, but I confess the files didn't look like they were changing. Maybe some process added a new line to the end and another process took the new line away again 1ms later.
Last edited by ConnorBehan (2008-12-26 19:40:30)
This happens to me ALWAYS and ONLY when I am using Medit and Thunar is open. I just assumed Thunar was editing the last accessed time or something similar on the file after I saved it.
Oh thanks monster, Thunar was open for me too. And it happened again today in /home so it's nothing to do with ABS. I guess my question now is:
Could someone enable CONFIG_AUDIT in kernel26 or tell me a way to audit with the kernel I have out of curiosity?
Make a feature request on the bug tracker -- that's the proper way to do it. A request on the forum will most likely go unnoticed and unanswered.
No problem, I'm glad I could help. I was a little unsure of what was going on myself until I stumbled on to the connection. If you figure out what is going on could you try and pass that along? I am curious to know the answer but not knowledgeable enough to dig into kernel audits to figure it out.