From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: NISPOM Auditing Date: Wed, 21 May 2008 13:14:32 -0400 Message-ID: <200805211314.32834.sgrubb@redhat.com> References: <673954B3D6E9A14199B78659C4AD37EE0422D137@emss04m05.us.lmco.com> Mime-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <673954B3D6E9A14199B78659C4AD37EE0422D137@emss04m05.us.lmco.com> Content-Disposition: inline List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Wednesday 21 May 2008 12:01:52 Mathis, Jim wrote: > Is there a way to setup a watch log to report if a user attempted to > "cd" to a directory that they didn't have permission to access. No, a watch applies to file ops and not the chdir syscall. However, you can create a syscall audit rule that works sometimes: -a always,exit -S chdir -F path=/dir/dir1/dir2 -k evil-cd This will catch the case where they have permission to cd into that directory. But if they don't have permission to go beyond dir in the above example, then you have to resort to something more like: -a always,exit -S chdir -F exit=-EACCES -k evil-cd Which gets it and every other cd that fails due to permissions. This is because the path lookup inside the kernel never completes due to permissions, so the audit system has no full path to check against. You can cut down the false positives by adding -F auid>=500. And also use the -F arch=b32 and b64 for biarch systems. -Steve