From: David Caplan <dac@tresys.com>
To: David Slater <ds@hypertechsystems.com>
Cc: selinux@tycho.nsa.gov
Subject: Re: auditctl examples?
Date: Wed, 08 Feb 2006 09:02:40 -0500
Message-ID: <43E9FA00.4070304@tresys.com>
In-Reply-To: <43E9024D.9030304@hypertechsystems.com>

David,

You said you are interested in using auditctl to do your auditing, but 
you can also get what you want with selinux policy. It's relatively more 
involved because you actually have to add the auditing to the policy 
(i.e., you have to edit the policy source, build it, and load it) versus 
the command-line ease of auditctl. The benefit is that you can audit the 
exact access you care about.  For example you can audit any access just 
to the directory (assuming it was labeled with restrict_t):

auditallow * restrict_t:dir *;

The above line audits any access granted to directories labeled as 
restrict_t (note that it does not *grant* any access and all denied 
access attempts are automatically audited). Or you can specify exactly 
who gets audited and for exactly which permissions (i.e., replace the 
'*'s with actual types and permissions). You could also wrap the audit 
statement(s) in a conditional expression so you could turn it on and off 
without reloading/rebuilding the policy.

Another difference with using policy to do this is that you can easily 
audit access to all directories labeled a particular way instead of 
having to specify every path. You can also audit access to particular 
files in the directory the same way.

David

David Slater wrote:
> I am interested in using auditctl, but am having trouble understanding 
> how to do so using the man page.  I apologize if this is not the 
> appropriate forum for this question, but it appears to be the logical 
> path thus far.  Specifically, I would like to understand the concept of 
> adding a watch to a filesystem object.  I would like to generate an audit entry in 
> /var/log/audit/audit.log each time a restricted directory is accessed.  
> It would be greatly appreciated if anyone could forward examples of 
> doing so.
> 
> -- 
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov 
> with
> the words "unsubscribe selinux" without quotes as the message.


-- 
__________________________________

David Caplan     410 290 1411 x105
dac@tresys.com
Tresys Technology, LLC
8840 Stanford Blvd., Suite 2100
Columbia, MD 21045
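As an added example, not part of David Caplan's mail or of the selinux list archive: the policy-side auditing described above, written out as a loadable module with the '*'s replaced by concrete types and permissions and the auditallow rules wrapped in a boolean, next to the auditctl watch that the original question asked about. Assumptions: restrict_t is the hypothetical type from the mail and must already exist in the loaded policy; the base policy carries the Reference Policy 'domain' attribute on all process domains; checkmodule, semodule_package, semodule, auditctl and ausearch are installed, and the load and watch steps run as root.

```shell
#!/bin/sh
# Added example (not from the original mail): an auditallow policy module
# wrapped in a boolean, plus the path-based auditctl watch the question
# asked about. Assumptions: the directory is labelled restrict_t (a
# hypothetical type taken from the mail), the base policy provides the
# Reference Policy 'domain' attribute, and the policy build tools
# checkmodule/semodule_package/semodule are installed.
set -eu

MOD=restrict_audit
WORK=${WORK:-.}

# Emit the policy module source. Declaring a boolean lets the auditing be
# switched with setsebool instead of rebuilding and reloading the policy.
write_policy() {
    cat > "$WORK/$MOD.te" <<'EOF'
module restrict_audit 1.0;

require {
    attribute domain;          # every process domain carries this attribute
    type restrict_t;           # the label on the restricted directory (assumed to exist)
    class dir { read getattr search };
    class file { read getattr };
}

bool audit_restrict_dir true;

if (audit_restrict_dir) {
    # Audit (do not grant) any search/read of the directory and of files in it.
    auditallow domain restrict_t:dir { read getattr search };
    auditallow domain restrict_t:file { read getattr };
}
EOF
    echo "$WORK/$MOD.te"
}

# Compile and load the module; needs root and the policy build tools.
load_policy() {
    checkmodule -M -m -o "$WORK/$MOD.mod" "$WORK/$MOD.te"
    semodule_package -o "$WORK/$MOD.pp" -m "$WORK/$MOD.mod"
    semodule -i "$WORK/$MOD.pp"
}

# Kernel audit watch alternative (path based, no policy rebuild): record
# every read, write and attribute change of the given path, tagged with a
# search key so the records can be pulled out later.
add_watch() {
    auditctl -w "$1" -p rwa -k restricted_dir
}

# Inspect what was recorded. auditallow produces AVC records marked
# "granted" instead of the usual denials; watch records are found by key.
show_audit() {
    ausearch -m AVC | grep granted || true
    ausearch -k restricted_dir || true
}

# Toggle the policy-side auditing without reloading the module:
#   setsebool audit_restrict_dir off
```

write_policy only writes the .te file and can be run anywhere; load_policy and add_watch are the privileged steps. Once the module is loaded, setsebool audit_restrict_dir off silences the auditallow records without touching the module, and ausearch -m AVC shows them as "granted" records rather than denials.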

