public inbox for linux-audit@redhat.com
* RE: Linux-audit Digest, Vol 28, Issue 1
From: Thomas, Daniel J. @ 2007-01-03 18:56 UTC
  To: linux-audit

Steve,

In the response below you mention using mount --bind along with exit code logging to track a directory structure.  I'm not familiar with --bind option, but according to the man page, it looks like a way to mount a file system in a second place (similar to MS-DOS "subst" command).  While this is helpful for perhaps replacing a symlink with a "link" that can't be deleted, I don't understand how you would use this for auditing purposes.  Could you elaborate?

Thanks!

-Dan Thomas



Message: 3
Date: Tue, 2 Jan 2007 16:22:22 -0500
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: Audit rule questions
To: linux-audit@redhat.com
Cc: "Fulda, Paul \(Mission Systems\)" <Paul.Fulda@ngc.com>
Message-ID: <200701021622.22477.sgrubb@redhat.com>
Content-Type: text/plain;  charset="utf-8"

On Tuesday 02 January 2007 15:49, Fulda, Paul (Mission Systems) wrote:
> Is there a way to set a rule to watch particular files in a directory
> like /etc/*?

You can probably use mount --bind option to get this with syscall auditing rules rather than watches. Then use devmajor/minor (-a always,exit -S open -F devmajor=0x1F -F devminor=3 ).

> Can you use wildcards in the rules?

No. This area is very tricky to do right from an implementation point of view.
Some things to consider:

1) What should the behavior be when subtrees get moved? IOW, we watch /opt/tmp/test/* and /opt/tmp gets renamed to /opt/tmp2 ?

2) What should the behavior be when subtrees get moved into the watched subtree? IOW, we watch /opt/temp/test/* and someone does a mv /opt/temp/test2 /opt/temp/test/test2

3) Should it catch the access via hardlink from outside the watched tree?

4) What should the behavior be if there is a mount point in the watched tree?

5) What should happen when we do mount --move to or from that subtree?

6) What should happen when mount --move the parent of subtree itself?

7) What should happen if tree is mounted elsewhere? (e.g. in chroot jail)

8) What should the behavior be if the directory is polyinstantiated? IOW, we watch /tmp/*  and /tmp is polyinstantiated on a per user & per level basis.

> Also, is there a way to set a rule to grab just non-root user actions 
> on a file?

In RHEL4: using watches - no, using syscall audit rules - yes.
RHEL5/2.6.19 is more flexible and can let you get better control over what is audited with watches.

-Steve
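The devmajor/devminor syscall rule Steve shows above has to be filled in with the device numbers of the filesystem that holds the directory of interest. The script below is an added example, not code from the thread or from the audit project: it splits a Linux dev_t (as printed by GNU `stat -c %d`, an assumed dependency) into major and minor and prints the rule line in the same form as Steve's example. The bind-mount and auditctl commands are shown in a comment only, since they need root.

```shell
#!/bin/sh
# Added example (not from the thread): derive the devmajor/devminor
# values for an audit syscall rule from the filesystem a path lives on.
# Assumes GNU coreutils `stat` and the Linux dev_t bit layout.

# Split a Linux dev_t (decimal, as printed by `stat -c %d`) into
# "major minor". Linux packs the major number in bits 8-19 and the
# minor number in bits 0-7 plus bits 20-31.
split_dev() {
    dev=$1
    major=$(( (dev >> 8) & 4095 ))
    minor=$(( (dev & 255) | ((dev >> 12) & 1048320) ))
    echo "$major $minor"
}

# Print the audit rule for the filesystem containing PATH, in the form
# used in Steve's reply: -a always,exit -S open -F devmajor=0x.. -F devminor=..
audit_rule_for_path() {
    path=$1
    dev=$(stat -c %d "$path") || return 1
    set -- $(split_dev "$dev")
    printf -- '-a always,exit -S open -F devmajor=0x%X -F devminor=%d\n' "$1" "$2"
}

# A bind mount shares the device number of its source filesystem, so the
# rule derived from either path is identical. Needs root; shown, not run:
#   mount --bind /etc /mnt/etc-audit
#   auditctl $(audit_rule_for_path /mnt/etc-audit)
audit_rule_for_path /
```

Because the rule matches on the whole filesystem, every open() on that device is logged, not just those under the bind-mounted directory; the path in the resulting PATH records tells you which ones touched the tree you care about.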


* Re: Linux-audit Digest, Vol 28, Issue 1
From: Steve Grubb @ 2007-01-04 13:44 UTC
  To: linux-audit; +Cc: Thomas, Daniel J.

On Wednesday 03 January 2007 13:56, Thomas, Daniel J. wrote:
> In the response below you mention using mount --bind along with exit code
> logging to track a directory structure.

Working on it. I'll try to post something later.

-Steve
