From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: auditctl for admin's accessing other user files
Date: Mon, 25 Jun 2018 17:16:46 -0400
Message-ID: <5616915.p1W4tiME2l@x2>
References: <CY4PR03MB3208B81576EF05BD4EDE4752C34A0@CY4PR03MB3208.namprd03.prod.outlook.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <CY4PR03MB3208B81576EF05BD4EDE4752C34A0@CY4PR03MB3208.namprd03.prod.outlook.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Monday, June 25, 2018 4:59:59 PM EDT Skaggs, Nicholas C wrote:
> Hello
> I noticed in the man page for auditctl, an example of how to monitor if
> admins are accessing other user's files. I created a rule like the one in
> the example. This is great that it is pulling the action and user calling
> the action!
> 
> The rule
> -a always,exit -S all -F dir=/home/username/ -F uid=0 -C auid!=obj_uid

You might also want to add     -F auid>=1000 -F auid!=4294967295
So that you get events caused by people and not system daemons. This might be 
all that you need to do.

> I will pull a report on the findings with
> aureport -f -i | grep /home/username/
> 
> The report is heavier than anticipated so I tried to make an adjustment to
> only capture what happens in the directory -a always,exit -S all -F
> path=/home/username/ -F uid=0 -C auid!=obj_uid ... but that is returning
> with  Error sending add rule data request (Invalid argument)

You should use the "dir" option rather than "path". A full example would be:
-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295
-C auid!=obj_uid

-Steve

> I then tried the below rule; it does not return an error upon add, but when
> I do an auditctl -l there are no rules listed -a always,exit -S all -F
> path=/home/username/ -p=rwxa -F uid=0 -C auid!=obj_uid
> 
> Is there a preferred  way to set the rule, maybe on the inode of the
> directory, but does not lose the ability to see if an admin is doing it
> and what action?  I have been adding these on the fly, instead of adding
> to the /etc/audit/audit.rules file, for now.
> 
> 
> Thanks!
> Nick Skaggs