From mboxrd@z Thu Jan 1 00:00:00 1970 From: Richard Guy Briggs Subject: Re: auditd on nonexistent files Date: Tue, 15 Sep 2015 06:07:34 -0400 Message-ID: <20150915100734.GY8140@madcap2.tricolour.ca> References: <55F6EF4D.7050203@sensa.is> <20150915101503.0dd9e4d4@ivy-bridge> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Return-path: Content-Disposition: inline In-Reply-To: <20150915101503.0dd9e4d4@ivy-bridge> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Steve Grubb Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com On 15/09/15, Steve Grubb wrote: > On Mon, 14 Sep 2015 16:01:17 +0000 > Dav=ED=F0 Steinn Geirsson wrote: > = > > Hi all, > > = > > What is the best practice for using auditd for file integrity > > monitoring? > > = > > From the documentation, I have this, which works fine: > > -a always,exit -F dir=3D/bin -F perm=3Dwa > > = > > However, it seems that if I have a rule on a nonexistent directory, > > auditd will fail to add the rule (I assume because it's adding a watch > > on an inode or something like that?), but it will also just stop > > reading audit.rules and not add any subsequent rules. > > = > > This is bad in an environment where we have to have FIM for critical > > application files, but where another team may be maintaining some of > > the apps and therefore might remove some watched directories, > > especially as their mishaps may impact auditing for other parts of > > the system. > > = > > Can something be done to get better behaviour here? > > = > > I see two ways it could be better > > 1) (the ideal case) auditd will add rules even for nonexistent > > directories, and when they are created will add a watch for them. If a > > directory is removed and another created with the same name, auditd > > will add a watch on the new directory. > = > Which kernel are you using? I want to think this was fixed in kernels > around 2.6.36 or later. This original problem was that the audit > watches are based on inotify which needs an inode. If there's no inode, > you can't place the watch. A watch can be added for a file that does not exist while the containing directory does, but a directory that does not exist (when the containing directory does not exist) does not work. > > 2) auditd still cannot add watches to nonexistent directories, but a > > failed rule add from audit.rules will become a warning rather than an > > error so subsequent watches still get added. > = > Check into adding -i or -c near the top of your rules. > = > -Steve > = > > I suspect 1) is not possible, but can I get auditd to behave like in > > 2)? 1) is not currently implemented, but is worth discussing. > > Dav=ED=F0 - RGB -- Richard Guy Briggs Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems,= Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545