From: "Davíð Steinn Geirsson" <dsg@sensa.is>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: auditd on nonexistent files
Date: Tue, 15 Sep 2015 09:25:01 +0000 [thread overview]
Message-ID: <55F7E3ED.1090809@sensa.is> (raw)
In-Reply-To: <20150915101503.0dd9e4d4@ivy-bridge>
[-- Attachment #1.1: Type: text/plain, Size: 2178 bytes --]
Hi,
On 09/15/2015 09:15 AM, Steve Grubb wrote:
> On Mon, 14 Sep 2015 16:01:17 +0000
> Davíð Steinn Geirsson <dsg@sensa.is> wrote:
>
>> Hi all,
>>
>> What is the best practice for using auditd for file integrity
>> monitoring?
>>
>> From the documentation, I have this, which works fine:
>> -a always,exit -F dir=/bin -F perm=wa
>>
>> However, it seems that if I have a rule on a nonexistent directory,
>> auditd will fail to add the rule (I assume because it's adding a watch
>> on an inode or something like that?), but it will also just stop
>> reading audit.rules and not add any subsequent rules.
>>
>> This is bad in an environment where we have to have FIM for critical
>> application files, but where another team may be maintaining some of
>> the apps and therefore might remove some watched directories,
>> especially as their mishaps may impact auditing for other parts of
>> the system.
>>
>>
>> Can something be done to get better behaviour here?
>>
>> I see two ways it could be better
>> 1) (the ideal case) auditd will add rules even for nonexistent
>> directories, and when they are created will add a watch for them. If a
>> directory is removed and another created with the same name, auditd
>> will add a watch on the new directory.
>
> Which kernel are you using? I want to think this was fixed in kernels
> around 2.6.36 or later. This original problem was that the audit
> watches are based on inotify which needs an inode. If there's no inode,
> you can't place the watch.
The machines I'm working with are RHEL6 with 2.6.32, but I just tried
with a machine with a 3.18 kernel and got the same behaviour.
>
>
>> 2) auditd still cannot add watches to nonexistent directories, but a
>> failed rule add from audit.rules will become a warning rather than an
>> error so subsequent watches still get added.
>
> Check into adding -i or -c near the top of your rules.
Thanks, that helps for a workaround. Not sure how I missed that in the
manpage.
>
> -Steve
>
>
>> I suspect 1) is not possible, but can I get auditd to behave like in
>> 2)?
>>
>> Best regards,
>> Davíð
>>
>
[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
next prev parent reply other threads:[~2015-09-15 9:25 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-14 16:01 auditd on nonexistent files Davíð Steinn Geirsson
2015-09-15 9:15 ` Steve Grubb
2015-09-15 9:25 ` Davíð Steinn Geirsson [this message]
2015-09-15 10:07 ` Richard Guy Briggs
2015-09-16 7:56 ` Florian Crouzat
2015-09-18 0:22 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=55F7E3ED.1090809@sensa.is \
--to=dsg@sensa.is \
--cc=linux-audit@redhat.com \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox