From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: auditctl for admin's accessing other user files
Date: Mon, 25 Jun 2018 17:28:39 -0400 [thread overview]
Message-ID: <3554239.iAAqN6rKGg@x2> (raw)
In-Reply-To: <CY4PR03MB3208B81576EF05BD4EDE4752C34A0@CY4PR03MB3208.namprd03.prod.outlook.com>
On Monday, June 25, 2018 4:59:59 PM EDT Skaggs, Nicholas C wrote:
> Hello
> I noticed in the man page for auditctl, an example of how to monitor if
> admins are accessing other user's files. I created a rule like the one in
> the example. This is great that it is pulling the action and user calling
> the action!
>
> The rule
> -a always,exit -S all -F dir=/home/username/ -F uid=0 -C auid!=obj_uid
>
> I will pull a report on the findings with
> aureport -f -i | grep /home/username/
One other thing to comment on. You might do the report part a little
different. I'd let ausearch do the filtering before it goes to aureport. Its
much more flexible. For example, if you added a key to the rule "admin-access".
Then you can do this:
summary of all accesses
ausearch --start today -k admin-access --raw | aureport --summary -f
summary for a specific dir
ausearch --start today -k admin-access -f /home/username --raw | aureport --summary -f
summary of who did it
ausearch --start today -k admin-access --raw | aureport --summary -u -i
summary for a sepcific admin
ausearch --start today -k admin-access --loginuid admin-name --raw | aureport --summary -f
If you don't use the key in the searches, then you may be getting
unrelated events in the report.
-Steve
> The report is heavier than anticipated so I tried to make an adjustment to
> only capture what happens in the directory -a always,exit -S all -F
> path=/home/username/ -F uid=0 -C auid!=obj_uid ... but that is returning
> with Error sending add rule data request (Invalid argument)
>
> I then tried the below rule; it does not return an error upon add, but when
> I do an auditctl -l there are no rules listed -a always,exit -S all -F
> path=/home/username/ -p=rwxa -F uid=0 -C auid!=obj_uid
>
> Is there a preferred way to set the rule, maybe on the inode of the
> directory, but does not lose the ability to see if an admin is doing it
> and what action? I have been adding these on the fly, instead of adding
> to the /etc/audit/audit.rules file, for now.
>
>
> Thanks!
> Nick Skaggs
next prev parent reply other threads:[~2018-06-25 21:28 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-25 20:59 auditctl for admin's accessing other user files Skaggs, Nicholas C
2018-06-25 21:16 ` Steve Grubb
2018-06-26 13:22 ` Skaggs, Nicholas C
2018-06-25 21:28 ` Steve Grubb [this message]
2018-06-30 2:44 ` warron.french
2018-06-30 13:33 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3554239.iAAqN6rKGg@x2 \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox