* Seeking auditd help
From: Bill Jackson III @ 2015-05-11 18:50 UTC
To: linux-audit

Any pointers for troubleshooting auditd missing events for file reads, edits, etc. ( -w _path_ -p raw) on OEL5/RHEL 5/CentOS 5?

http://security.stackexchange.com/q/89009/56827
* Re: Seeking auditd help
From: Steve Grubb @ 2015-05-11 19:52 UTC
To: linux-audit; +Cc: Bill Jackson III

On Monday, May 11, 2015 11:50:19 AM Bill Jackson III wrote:
> Any pointers for troubleshooting auditd missing events for file reads,
> edits, etc. ( -w _path_ -p raw) on OEL5/RHEL 5/CentOS 5?
>
> http://security.stackexchange.com/q/89009/56827

The -w notation is the same as

-a always,exit -F path=XXX -F perms=rwa

What this does is audit the following functions defined in the syscall classifiers:

http://lxr.free-electrons.com/source/include/asm-generic/audit_read.h
http://lxr.free-electrons.com/source/include/asm-generic/audit_write.h
http://lxr.free-electrons.com/source/include/asm-generic/audit_change_attr.h

You are not going to get a hit for each and every read system call because read is not audited.

-Steve
* Re: Seeking auditd help
From: Burn Alting @ 2015-05-12 1:36 UTC
To: Steve Grubb; +Cc: Bill Jackson III, linux-audit

On Mon, 2015-05-11 at 15:52 -0400, Steve Grubb wrote:
> On Monday, May 11, 2015 11:50:19 AM Bill Jackson III wrote:
> > Any pointers for troubleshooting auditd missing events for file reads,
> > edits, etc. ( -w _path_ -p raw) on OEL5/RHEL 5/CentOS 5?
> >
> > http://security.stackexchange.com/q/89009/56827
>
> The -w notation is the same as
>
> -a always,exit -F path=XXX -F perms=rwa
>
> What this does is audit the following functions defined in the syscall
> classifiers:
> http://lxr.free-electrons.com/source/include/asm-generic/audit_read.h
> http://lxr.free-electrons.com/source/include/asm-generic/audit_write.h
> http://lxr.free-electrons.com/source/include/asm-generic/audit_change_attr.h
>
> You are not going to get a hit for each and every read system call because
> read is not audited.

Bill,

If your question is

"Can one apply a file watch using auditd if the file does not exist?"

then I believe the answer is no.

Options would be
- as part of your application deployment standard operating procedures (SOPs), add appropriate watches to audit.rules and restart the auditd service
- keep all your sensitive files in one directory location, set a directory watch on this directory tree, and then, as part of your application deployment SOPs, place the real files in the sensitive file area and link to them from the application area. (I've just tried this on a fc22 system and it works)

Regards
* Re: Seeking auditd help
From: Richard Guy Briggs @ 2015-05-12 12:13 UTC
To: Burn Alting; +Cc: Bill Jackson III, linux-audit

On 15/05/12, Burn Alting wrote:
> On Mon, 2015-05-11 at 15:52 -0400, Steve Grubb wrote:
> > On Monday, May 11, 2015 11:50:19 AM Bill Jackson III wrote:
> > > Any pointers for troubleshooting auditd missing events for file reads,
> > > edits, etc. ( -w _path_ -p raw) on OEL5/RHEL 5/CentOS 5?
> > >
> > > http://security.stackexchange.com/q/89009/56827
> >
> > The -w notation is the same as
> >
> > -a always,exit -F path=XXX -F perms=rwa
> >
> > What this does is audit the following functions defined in the syscall
> > classifiers:
> > http://lxr.free-electrons.com/source/include/asm-generic/audit_read.h
> > http://lxr.free-electrons.com/source/include/asm-generic/audit_write.h
> > http://lxr.free-electrons.com/source/include/asm-generic/audit_change_attr.h
> >
> > You are not going to get a hit for each and every read system call because
> > read is not audited.
>
> Bill,
>
> Is your question
>
> "Can one apply a file watch using auditd if the file does not exist?"
>
> then I believe the answer is no.

There is a patch set coming to be able to address this case if the directory exists. Down the road, I'm hoping to be able to accommodate non-existent directories too.

> Options would be
> - as part of your application deployment standard operating procedures
> (SOPs) add appropriate watches to audit.rules and restart the auditd
> service
> - keep all your sensitive files in one directory location, set a
> directory watch on this directory tree and then as part of your
> application deployment SOPs, place the real files in the sensitive file
> area and then link to them from the application area. (I've just tried
> this on a fc22 system and it works)
>
> Regards

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545