From mboxrd@z Thu Jan 1 00:00:00 1970 From: =?UTF-8?Q?Dav=c3=ad=c3=b0_Steinn_Geirsson?= Subject: auditd on nonexistent files Date: Mon, 14 Sep 2015 16:01:17 +0000 Message-ID: <55F6EF4D.7050203@sensa.is> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0418182704127387097==" Return-path: Received: from mx1.redhat.com (ext-mx05.extmail.prod.ext.phx2.redhat.com [10.5.110.29]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t8EG1Poi029846 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for ; Mon, 14 Sep 2015 12:01:26 -0400 Received: from sensa-mx-01.sensa.is (sensa-mx-01.sensa.is [194.105.254.10]) by mx1.redhat.com (Postfix) with ESMTPS id CAAD2461D6 for ; Mon, 14 Sep 2015 16:01:23 +0000 (UTC) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com --===============0418182704127387097== Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="a5DqnELaat8a99EruARBtsVLTt5F3ogPo" --a5DqnELaat8a99EruARBtsVLTt5F3ogPo Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Hi all, What is the best practice for using auditd for file integrity monitoring?= =46rom the documentation, I have this, which works fine: -a always,exit -F dir=3D/bin -F perm=3Dwa However, it seems that if I have a rule on a nonexistent directory, auditd will fail to add the rule (I assume because it's adding a watch on an inode or something like that?), but it will also just stop reading audit.rules and not add any subsequent rules. This is bad in an environment where we have to have FIM for critical application files, but where another team may be maintaining some of the apps and therefore might remove some watched directories, especially as their mishaps may impact auditing for other parts of the system. Can something be done to get better behaviour here? I see two ways it could be better 1) (the ideal case) auditd will add rules even for nonexistent directories, and when they are created will add a watch for them. If a directory is removed and another created with the same name, auditd will add a watch on the new directory. 2) auditd still cannot add watches to nonexistent directories, but a failed rule add from audit.rules will become a warning rather than an error so subsequent watches still get added. I suspect 1) is not possible, but can I get auditd to behave like in 2)? Best regards, Dav=C3=AD=C3=B0 --a5DqnELaat8a99EruARBtsVLTt5F3ogPo Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJV9u9NAAoJEJncUUVDk/7k/7QP/iVoKRRZf8CZm7PXFLQgKVkq b2iplPdi/spS13cSrany1b9RHhmNHG8ihbBvLtD1MD+32E4l80Igj6SjkEWa2cVJ LIpFrWCTPbvhDheVfJ8hMDDCmbNW9jbjnMDFsL0DGklNXgpkFFWFykx3S2Q9ApNU InVpAdl4v3jvFtHri+8IrbVgneU/u6U8Ln7WUVr0DMg/HN3HR6HAO2G7CU8L/u5v artaIJlzLCJ73ifspE+RcfFwo0byd+/T7hNpRYEa14ZNdvyvZwNKnnQZsDjdaQtG m7vdHk06vtOwulIFzXHWrxM+AkUjCXDTK5jdKPLy1xRbGkhwHZMZWkJ/wJqOTnmb bH70z4KYqCVPKWe/ajgfD4ITdvgcKMWaR1Lr4ZmCljNE43MvIjXAfEcDTKTF3Zn5 hckisxqKcLGQoASMjN3z57DP5lyI540WyQPGbpwJ0dQHf8dsPOUcRcDSAnaIUZgZ YZdJvOz8fQ41Uua+3J5FGDWarn4fjYKH+9c1dsGBmWUTTZxNPebntIJ/He2ZkTRa oy9j5cH2Z67ywqniIBcXfrPC+zhLkAakTpHe8cgI+C7R253DvjgAzg8ggGkKuSIy wpnUh2w2wLe+UakuhrXV+9WuOhQZi+DYmAXSn5M2lOFJ/Qf39uMkW2c5Jtlv7Kd9 AM7S8km7snxoXej4y9NI =nmZh -----END PGP SIGNATURE----- --a5DqnELaat8a99EruARBtsVLTt5F3ogPo-- --===============0418182704127387097== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --===============0418182704127387097==--