From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: auditctl for admin's accessing other user files
Date: Mon, 25 Jun 2018 17:28:39 -0400 [thread overview]
Message-ID: <3554239.iAAqN6rKGg@x2> (raw)
In-Reply-To: <CY4PR03MB3208B81576EF05BD4EDE4752C34A0@CY4PR03MB3208.namprd03.prod.outlook.com>
On Monday, June 25, 2018 4:59:59 PM EDT Skaggs, Nicholas C wrote:
> Hello
> I noticed in the man page for auditctl, an example of how to monitor if
> admins are accessing other user's files. I created a rule like the one in
> the example. This is great that it is pulling the action and user calling
> the action!
>
> The rule
> -a always,exit -S all -F dir=/home/username/ -F uid=0 -C auid!=obj_uid
>
> I will pull a report on the findings with
> aureport -f -i | grep /home/username/
One other thing to comment on. You might do the report part a little
different. I'd let ausearch do the filtering before it goes to aureport. Its
much more flexible. For example, if you added a key to the rule "admin-access".
Then you can do this:
summary of all accesses
ausearch --start today -k admin-access --raw | aureport --summary -f
summary for a specific dir
ausearch --start today -k admin-access -f /home/username --raw | aureport --summary -f
summary of who did it
ausearch --start today -k admin-access --raw | aureport --summary -u -i
summary for a sepcific admin
ausearch --start today -k admin-access --loginuid admin-name --raw | aureport --summary -f
If you don't use the key in the searches, then you may be getting
unrelated events in the report.
-Steve
> The report is heavier than anticipated so I tried to make an adjustment to
> only capture what happens in the directory -a always,exit -S all -F
> path=/home/username/ -F uid=0 -C auid!=obj_uid ... but that is returning
> with Error sending add rule data request (Invalid argument)
>
> I then tried the below rule; it does not return an error upon add, but when
> I do an auditctl -l there are no rules listed -a always,exit -S all -F
> path=/home/username/ -p=rwxa -F uid=0 -C auid!=obj_uid
>
> Is there a preferred way to set the rule, maybe on the inode of the
> directory, but does not lose the ability to see if an admin is doing it
> and what action? I have been adding these on the fly, instead of adding
> to the /etc/audit/audit.rules file, for now.
>
>
> Thanks!
> Nick Skaggs
next prev parent reply other threads:[~2018-06-25 21:28 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-25 20:59 auditctl for admin's accessing other user files Skaggs, Nicholas C
2018-06-25 21:16 ` Steve Grubb
2018-06-26 13:22 ` Skaggs, Nicholas C
2018-06-25 21:28 ` Steve Grubb [this message]
2018-06-30 2:44 ` warron.french
2018-06-30 13:33 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3554239.iAAqN6rKGg@x2 \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.