From: Steve Grubb
Subject: Re: Audit rule questions
Date: Tue, 2 Jan 2007 16:22:22 -0500
Message-ID: <200701021622.22477.sgrubb@redhat.com>
In-Reply-To: <2215BB5C14D99F4B9EC6517FD72AFC01807C96@XMBVAD01.northgrum.com>
To: linux-audit@redhat.com
Cc: "Fulda, Paul (Mission Systems)"
List-Id: linux-audit@redhat.com

On Tuesday 02 January 2007 15:49, Fulda, Paul (Mission Systems) wrote:
> Is there a way to set a rule to watch particular files in a directory
> like /etc/*?

You can probably use the mount --bind option to get this with syscall auditing rules rather than watches. Then use devmajor/minor (-a always,exit -S open -F devmajor=0x1F -F devminor=3 ).

> Can you use wildcards in the rules?

No. This area is very tricky to do right from an implementation point of view. Some things to consider:

1) What should the behavior be when subtrees get moved? IOW, we watch /opt/tmp/test/* and /opt/tmp gets renamed to /opt/tmp2 ?

2) What should the behavior be when subtrees get moved into the watched subtree? IOW, we watch /opt/temp/test/* and someone does a mv /opt/temp/test2 /opt/temp/test/test2

3) Should it catch the access via hardlink from outside the watched tree?

4) What should the behavior be if there is a mount point in the watched tree?

5) What should happen when we do mount --move to or from that subtree?

6) What should happen when we mount --move the parent of the subtree itself?

7) What should happen if the tree is mounted elsewhere? (e.g. in a chroot jail)

8) What should the behavior be if the directory is polyinstantiated? IOW, we watch /tmp/* and /tmp is polyinstantiated on a per user & per level basis.

> Also, is there a way to set a rule to grab just non-root user actions on
> a file?

In RHEL4: using watches - no, using syscall audit rules - yes.

RHEL5/2.6.19 is more flexible and can let you get better control over what is audited with watches.

-Steve
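The two syscall-rule answers above (key a rule on the directory's device with devmajor/devminor, and restrict it to non-root users) can be turned into a small helper that also shows the check a practitioner wants before loading such a rule. This is an added example, not code from the message or from the audit project; the function names dev_pair, device_root, syscall_rule and rules_for are mine. It relies on two facts: auditctl's devmajor/devminor fields match the device of the file's backing filesystem, and a bind mount does not change that device number (st_dev), so unless the directory really is its own filesystem, a device rule matches every file on the filesystem that contains it. device_root walks up to the topmost directory on the same device and so reports the true scope of the rule. The `-F uid!=0` filter and the `-k` key are current auditctl syntax; whether the RHEL4 auditctl discussed in the thread accepted them is not something the post says.

```python
#!/usr/bin/env python3
"""Build a devmajor/devminor syscall audit rule for a directory and show
what that rule actually covers.  Added example; not from the original post.

auditctl compares devmajor/devminor with the device of the file's backing
filesystem, so the rule is only as narrow as that filesystem.  A bind mount
keeps the source's st_dev, so /etc bind-mounted elsewhere still reports the
device of the root filesystem.  device_root() walks up the tree to the
topmost directory sharing the same device, i.e. the real scope of the rule.
"""
import os


def dev_pair(path):
    """Return (major, minor) of the filesystem device backing `path`."""
    st = os.stat(path)
    return os.major(st.st_dev), os.minor(st.st_dev)


def device_root(path):
    """Topmost ancestor of `path` that lives on the same device as `path`.

    Everything under the returned directory is matched by a rule keyed on
    this device, whether or not that is what the administrator intended.
    """
    path = os.path.realpath(path)
    dev = os.stat(path).st_dev
    while path != "/":
        parent = os.path.dirname(path)
        if os.stat(parent).st_dev != dev:
            break
        path = parent
    return path


def syscall_rule(major, minor, syscalls=("open", "openat"),
                 nonroot_only=False, key=None):
    """Render an auditctl syscall rule in the style of the post.

    Device numbers are emitted in decimal.  `nonroot_only` adds the
    `-F uid!=0` filter, the syscall-rule way to record only non-root
    access.  `key` adds a `-k` tag so the events are easy to search.
    """
    parts = ["-a", "always,exit"]
    for name in syscalls:
        parts += ["-S", name]
    parts += ["-F", "devmajor=%d" % major, "-F", "devminor=%d" % minor]
    if nonroot_only:
        parts += ["-F", "uid!=0"]
    if key:
        parts += ["-k", key]
    return " ".join(parts)


def rules_for(path, nonroot_only=False, key=None):
    """Return (rule, covered_root) for `path`.

    covered_root != path means the rule will also match files outside the
    directory the administrator asked about.
    """
    major, minor = dev_pair(path)
    rule = syscall_rule(major, minor, nonroot_only=nonroot_only, key=key)
    return rule, device_root(path)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc"
    rule, root = rules_for(target, nonroot_only=True, key="etc-access")
    print("auditctl", rule)
    if root != os.path.realpath(target):
        print("# note: this device rule covers everything under %s, not only %s"
              % (root, target))
```

Run it as `python3 auditdev.py /etc` (file name assumed) on a system where /etc is not a separate filesystem and it will warn that the generated rule covers the whole root filesystem; that is the case the bind-mount suggestion has to avoid, and the warning is the quickest way to see whether it did.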