* auditctl examples?
@ 2006-02-07 20:25 David Slater
From: David Slater @ 2006-02-07 20:25 UTC (permalink / raw)
To: selinux
I am interested in using auditctl, but am having trouble understanding
how to do so using the man page. I apologize if this is not the
appropriate forum for this question, but it appears to be the logical
path thus far. Specifically, I would like to understand the concept of
adding a watch to a filesystem
object. I would like to generate an audit entry in
/var/log/audit/audit.log each time a restricted directory is accessed.
It would be greatly appreciated if anyone could forward examples of
doing so.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: auditctl examples?
From: Steve G @ 2006-02-07 22:26 UTC (permalink / raw)
To: David Slater, selinux
>I apologize if this is not the appropriate forum for this question, but it appears
>to be the logical path thus far.
linux-audit might be a better place
(http://www.redhat.com/mailman/listinfo/linux-audit), but this is fine.
>Specifically, I would like to understand the concept of adding a watch to a
>filesystem object. I would like to generate an audit entry in
>/var/log/audit/audit.log each time a restricted directory is accessed.
You cannot write one rule that checks access of a directory. The rules have to be
written for the object that is being accessed. A watch on a directory will get
you changes to the directory entries, which is not exactly what you might expect.
The RHEL4 watches are somewhat based on inode auditing.
[root@endeavor ~]# mkdir /home/secret
[root@endeavor ~]# touch /home/secret/noread.txt
[root@endeavor ~]# auditctl -w /home/secret/noread.txt
[root@endeavor ~]# cat /home/secret/noread.txt
[root@endeavor ~]# ausearch -ts 17:15:00 -f noread.txt
----
time->Tue Feb 7 17:20:17 2006
type=PATH msg=audit(1139350817.975:1048): name="/home/secret/noread.txt"
flags=101 inode=459666 dev=03:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1139350817.975:1048): cwd="/root"
type=FS_INODE msg=audit(1139350817.975:1048): inode=459666 inode_uid=0
inode_gid=0 inode_dev=03:03 inode_rdev=00:00
type=FS_WATCH msg=audit(1139350817.975:1048): watch_inode=459666
watch="noread.txt" filterkey= perm=0 perm_mask=4
type=SYSCALL msg=audit(1139350817.975:1048): arch=40000003 syscall=5 success=yes
exit=3 a0=bff90c12 a1=8000 a2=0 a3=8000 items=1 pid=3929 auid=4325 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cat" exe="/bin/cat"
The audit watches only work on the RHEL4 kernel for now. There is ongoing work to
make a new filesystem audit framework, but it's not upstream. This framework
should have the ability to set a watch on a dir and get accesses for files it
contains.
-Steve
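The records in Steve's ausearch output are only useful once the PATH, FS_WATCH and SYSCALL lines sharing one msg=audit(timestamp:serial) id are stitched back together. The following is an added example, not code from the thread: it parses records of that RHEL4-era shape, groups them by serial, and reports who touched the watched file and with which permission bits, roughly what `ausearch -f noread.txt` does. The sample log is constructed from the thread's output; the second event (a failed write by uid 500) is made up for illustration, and the perm_mask bits are decoded with the same r=4, w=2, x=1, a=8 values auditctl's -p option uses.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the ausearch output in the thread; the
# second event (a failed write attempt by uid 500) is made up for illustration.
SAMPLE_LOG = """\
type=PATH msg=audit(1139350817.975:1048): name="/home/secret/noread.txt" flags=101 inode=459666 dev=03:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1139350817.975:1048): cwd="/root"
type=FS_WATCH msg=audit(1139350817.975:1048): watch_inode=459666 watch="noread.txt" filterkey= perm=0 perm_mask=4
type=SYSCALL msg=audit(1139350817.975:1048): arch=40000003 syscall=5 success=yes exit=3 a0=bff90c12 a1=8000 a2=0 a3=8000 items=1 pid=3929 auid=4325 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1139350900.123:1051): name="/home/secret/noread.txt" flags=101 inode=459666 dev=03:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=FS_WATCH msg=audit(1139350900.123:1051): watch_inode=459666 watch="noread.txt" filterkey= perm=0 perm_mask=2
type=SYSCALL msg=audit(1139350900.123:1051): arch=40000003 syscall=5 success=no exit=-13 items=1 pid=4001 auid=4325 uid=500 gid=500 comm="vi" exe="/usr/bin/vi"
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')
PERM_BITS = {1: "x", 2: "w", 4: "r", 8: "a"}   # same bits auditctl -p uses

def parse_records(text):
    # Group records by event serial: {serial: {"timestamp": ..., "PATH": {...}, ...}}
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue                      # not an audit record, skip it
        rtype, ts, serial, rest = m.groups()
        ev = events[int(serial)]
        ev["timestamp"] = float(ts)
        ev[rtype] = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return dict(events)

def perm_names(mask):
    # Render an FS_WATCH perm_mask (e.g. 4) as auditctl-style letters ("r")
    return "".join(name for bit, name in sorted(PERM_BITS.items()) if mask & bit)

def summarise(events, filename=None):
    """One row per event that has both PATH and SYSCALL, like `ausearch -f <filename>`."""
    rows = []
    for serial in sorted(events):
        ev = events[serial]
        if "PATH" not in ev or "SYSCALL" not in ev:
            continue
        path = ev["PATH"]["name"]
        if filename and not path.endswith(filename):
            continue
        sc = ev["SYSCALL"]
        mask = int(ev.get("FS_WATCH", {}).get("perm_mask", "0"))
        rows.append({"serial": serial, "path": path, "syscall": int(sc["syscall"]),
                     "success": sc["success"] == "yes", "comm": sc["comm"],
                     "auid": int(sc["auid"]), "uid": int(sc["uid"]), "perm": perm_names(mask)})
    return rows
```

Note that auid (the login uid) survives su/sudo, so it is the field to pivot on when the accessing process runs as root, as the `cat` event above does.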
* Re: auditctl examples?
From: David Caplan @ 2006-02-08 14:02 UTC (permalink / raw)
To: David Slater; +Cc: selinux
David,
You said you are interested in using auditctl to do your auditing, but
you can also get what you want with selinux policy. It's relatively more
involved because you actually have to add the auditing to the policy
(i.e., you have to edit the policy source, build it, and load it) versus
the command-line ease of auditctl. The benefit is that you can audit the
exact access you care about. For example, you can audit any access just
to the directory (assuming it was labeled with restrict_t):
auditallow * restrict_t:dir *;
The above line audits any access granted to directories labeled as
restrict_t (note that it does not *grant* any access and all denied
access attempts are automatically audited). Or you can specify exactly
who gets audited and for exactly which permissions (i.e., replace the
'*'s with actual types and permissions). You could also wrap the audit
statement(s) in a conditional expression so you could turn it on and off
without reloading/rebuilding the policy.
Another difference with using policy to do this is that you can easily
audit access to all directories labeled a particular way instead of
having to specify every path. You can also audit access to particular
files in the directory the same way.
David
David Slater wrote:
> I am interested in using auditctl, but am having trouble understanding
> how to do so using the man page. I apologize if this is not the
> appropriate forum for this question, but it appears to be the logical
> path thus far. Specifically, I would like to understand the concept of
> adding a watch to a filesystem
> object. I would like to generate an audit entry in
> /var/log/audit/audit.log each time a restricted directory is accessed.
> It would be greatly appreciated if anyone could forward examples of
> doing so.
--
__________________________________
David Caplan 410 290 1411 x105
dac@tresys.com
Tresys Technology, LLC
8840 Stanford Blvd., Suite 2100
Columbia, MD 21045
* Re: auditctl examples?
From: Steve G @ 2006-02-08 14:57 UTC (permalink / raw)
To: David Caplan, David Slater; +Cc: selinux
>You said you are interested in using auditctl to do your auditing, but
>you can also get what you want with selinux policy.
This is true, but I wouldn't recommend that. It's too easy to make a typo and
cause unexpected problems later. In general, people should never need to modify
policy. It makes too many support problems when everyone has tweaked their
policy.
-Steve
* Re: auditctl examples?
From: David Caplan @ 2006-02-08 15:25 UTC (permalink / raw)
To: Steve G; +Cc: David Slater, selinux
Steve G wrote:
>> You said you are interested in using auditctl to do your auditing, but
>> you can also get what you want with selinux policy.
>
> This is true, but I wouldn't recommend that. It's too easy to make a typo and
> cause unexpected problems later. In general, people should never need to modify
> policy. It makes too many support problems when everyone has tweaked their
> policy.
>
I suggested it because you stated in your response that auditctl does
not support exactly what he wants to do. I agree with you that in
general people should not have to modify their policy directly. I do
think it is appropriate to "tweak" the policy when you have a specific
protection/security requirement that is not addressed by the standard
policy.