File watch on group
by Ameel Kamboh
I would like to put a watch on a file for rwxa for a
file being accessed by someone who is not in the same group as the file.
For example:
I have a file /var/myapp/logs 640 ntsw:ntsec
So basically I have my application log files that are readable by anyone
in the ntsec group.
However, if someone in another group, like the ntadm group, tries to rwxa that
file, I would like to log it.
Can this be done using an audit rule?
Ameel Kamboh
SIP Core Network and Security
Phone: 972.685.4922 (esn 445-4922)
Mobile: 978-590-2280
SIP: akamboh(a)techtrial.com
email: akamboh(a)nortel.com
17 years, 5 months
audit 1.5.4 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit and will also be in rawhide
soon. The Changelog is:
- Add feed interface to auparse library (John Dennis)
- Apply patch to libauparse for unresolved symbols (#241178)
- Apply patch to add line numbers for file events in libauparse (John Dennis)
- Change seresults to seresult in libauparse (John Dennis)
- Add uint32_t definition to swig (#244210)
- Add support for directory auditing
- Update acct field to be escaped
Please note that the audit event dispatcher will be changing again in the next
release. This is the current area of work and this one is considered
temporary. This release is primarily to get some other needed fixes out for
people to use. I should have a new release soon.
Please let me know if there are any problems with this release.
-Steve
17 years, 5 months
[PATCH] Make IPC mode consistent
by Steve Grubb
Hi,
The mode fields for IPC records are not consistent. Some are hex, others are
octal. This patch makes them all octal.
Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>
diff -urp linux-2.6.18.i686.orig/kernel/auditsc.c linux-2.6.18.i686/kernel/auditsc.c
--- linux-2.6.18.i686.orig/kernel/auditsc.c 2007-05-29 10:27:13.000000000 -0400
+++ linux-2.6.18.i686/kernel/auditsc.c 2007-05-29 10:33:07.000000000 -0400
@@ -941,7 +941,7 @@ static void audit_log_exit(struct audit_
case AUDIT_IPC: {
struct audit_aux_data_ipcctl *axi = (void *)aux;
audit_log_format(ab,
- "ouid=%u ogid=%u mode=%x",
+ "ouid=%u ogid=%u mode=%#o",
axi->uid, axi->gid, axi->mode);
if (axi->osid != 0) {
char *ctx = NULL;
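Review bot: the switch from %x to %#o for the mode= field of the AUDIT_IPC record is a user-visible log format change and should be spelled out in the description, since anything that parses mode as hex (ausearch, auparse, site scripts) will now read a zero-prefixed octal value; it does bring this record into line with the mode=0100644 form the PATH record already uses.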
@@ -960,7 +960,7 @@ static void audit_log_exit(struct audit_
case AUDIT_IPC_SET_PERM: {
struct audit_aux_data_ipcctl *axi = (void *)aux;
audit_log_format(ab,
- "qbytes=%lx ouid=%u ogid=%u mode=%x",
+ "qbytes=%lx ouid=%u ogid=%u mode=%#o",
axi->qbytes, axi->uid, axi->gid, axi->mode);
break; }
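Review bot: in the AUDIT_IPC_SET_PERM record this hunk leaves qbytes=%lx in hex while mode becomes octal, so the record still mixes bases; if the goal is consistency, either print qbytes in decimal (%lu) too or state in the description that qbytes is deliberately left as hex.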
17 years, 5 months
Why doesn't this rule block syscall records?
by Taylor_Tad@emc.com
I was trying out a syscall entry rule that I thought would block audit
records from system services/daemons that haven't had their audit ID
(auid) set yet. I've tried both:
-a entry,never -S all -F auid=-1
AND
-a entry,never -S all -F auid=4294967295
4294967295 is the value that shows up in the audit log for these
services. I would have thought this rule was saying that at syscall
entry (for any system call), don't generate an audit event if the auid
is -1 or 4294967295. It seems to have the opposite effect. Have I
missed something? Is this rule not saying what I want?
--Tad Taylor
17 years, 5 months
announcing augrok
by Aron Griffis
Hello,
HP has a tool called augrok which we've used in our CAPP and LSPP
certifications. This tool is essentially an alternative to ausearch
with a significantly more powerful query syntax. Since it's written
in Perl instead of C, it's slower than ausearch, but it provides some
features that make testing audit fun^H^H^Htolerable. ;-)
In the past we've distributed augrok with our test suite at
http://audit-test.sourceforge.net/. This time around we decided the
tool might be interesting to users outside of the test suite, so we
moved it to its own project.
If anybody is interested in augrok, you can find the releases,
mercurial repository and documentation at
http://augrok.sourceforge.net/
Any questions, feel free to drop me a line.
Regards,
Aron
17 years, 5 months
audit 1.5.5 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit and will also be in rawhide
soon. The Changelog is:
- Add system-config-audit (Miloslav Trmac)
- Correct bug in audit_make_equivalent function (Al Viro)
The system config audit program is a Python-based GUI that lets you set the
audit rules. Please give this feature a try and let us know what you think.
Please note that the audit event dispatcher will be changing again in the next
release. This is the current area of work and this one is considered
temporary. This release is primarily to get some other needed fixes out for
people to use. I should have a new release soon.
Please let me know if there are any problems with this release.
-Steve
17 years, 5 months
How to Set Watches for NFS Automounts?
by Taylor_Tad@emc.com
I'm trying to figure out a way to set file system watches for NFS file
systems that are automounted (i.e., they get mounted automatically when
someone accesses them).
When an NFS file system is already mounted, it's straightforward to set
a watch on the path; however, for automounted file systems, you can't
set a watch when the file system isn't mounted. Any suggestions as to
the best way to go about doing this?
Thanks,
--Tad Taylor
17 years, 5 months
file change tracking
by Simmons Jr,Felix
All,
Ok, let me preface by saying I'm an auditd novice. Ok, so I've basically
gotten a watch on 3 files and a filter to never log mount syscalls, with
the following rules:
[root@XXXX audit]# auditctl -l
AUDIT_LIST: exit,never syscall=mount
AUDIT_WATCH_LIST: dev=104:2, path=/var/tmp/auditd_test/important,
filterkey=important_file, perms=wa, valid=0
AUDIT_WATCH_LIST: dev=104:2, path=/var/tmp/auditd_test/shadow,
filterkey=important_file, perms=wa, valid=0
AUDIT_WATCH_LIST: dev=104:2, path=/var/tmp/auditd_test/passwd,
filterkey=important_file, perms=wa, valid=0
I'm only interested in when the file is written to or appended (hence
the wa). However, I'm running into something that I was hoping I could
get confirmed on this list. When I vi one of the files, and quit without
writing content to the file, I get the following lines in my audit.log:
type=SYSCALL msg=audit(1184082224.278:6396): arch=c000003e syscall=21
success=yes exit=0 a0=75d930 a1=2 a2=0 a3=1 items=1 pid=28804
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="vim" exe="/usr/bin/vim"
type=FS_WATCH msg=audit(1184082224.278:6396): watch_inode=36339931
watch="passwd" filterkey=important_file perm=10 perm_mask=2
type=FS_INODE msg=audit(1184082224.278:6396): inode=36339931 inode_uid=0
inode_gid=0 inode_dev=68:02 inode_rdev=00:00
type=CWD msg=audit(1184082224.278:6396): cwd="/var/tmp/auditd_test"
type=PATH msg=audit(1184082224.278:6396): name="passwd" flags=401
inode=36339931 dev=68:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
(that's not the -i view so bear with the actual numbers).
Could someone confirm for me what Vi is doing to the file that pops a
perm_mask=2 (write) event?
On a side note, when I do actually write to the file (via vi or
redirecting text) I get 7 separate type=FS_WATCH....perm_mask=2 events.
I can live with the multiples but anyone have any idea why I see that
for one file write?
Thanks in advance
Felix
(running audit-1.0.14-1.EL4 on a RHEL box with a 2.6.9-42.0.10.Elsmp
kernel)
17 years, 5 months
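As an added example (not code from any of the posts), here is a small Python decoder for events like the vim record Felix quotes above and the auid=4294967295 records in Tad's thread further up: it groups the records by serial number, resolves the x86_64 syscall number from a constructed subset of the syscall table, and expands perm/perm_mask into the r/w/x/a letters auditctl uses. Decoding Felix's event this way gives syscall 21 = access with a1=2 = W_OK, i.e. a writability check rather than a write.

```python
"""Decode a multi-record audit event such as the vim one quoted above."""
import re
from collections import defaultdict

# Constructed copy of three records from the post above, one record per line.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1184082224.278:6396): arch=c000003e syscall=21 success=yes exit=0 a0=75d930 a1=2 a2=0 a3=1 items=1 pid=28804 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="vim" exe="/usr/bin/vim"
type=FS_WATCH msg=audit(1184082224.278:6396): watch_inode=36339931 watch="passwd" filterkey=important_file perm=10 perm_mask=2
type=PATH msg=audit(1184082224.278:6396): name="passwd" flags=401 inode=36339931 dev=68:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""
# Small subset of the x86_64 (arch=c000003e) syscall table, enough for this page.
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 21: "access", 84: "rmdir", 87: "unlink", 165: "mount"}
PERM_BITS = {4: "r", 2: "w", 1: "x", 8: "a"}                # bits behind auditctl -p rwxa
ACCESS_MODE = {0: "F_OK", 1: "X_OK", 2: "W_OK", 4: "R_OK"}  # access(2) mode flags
UNSET_AUID = 4294967295                                     # (uid_t)-1: login uid never set
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one 'key=value key="value"' record into a dict carrying its serial number."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["serial"] = int(re.search(r":(\d+)\)", fields["msg"]).group(1))
    return fields

def group_events(text):
    """Group records by serial: one kernel event is logged as several record types."""
    events = defaultdict(list)
    for rec in (parse_line(l) for l in text.splitlines() if l.strip()):
        events[rec["serial"]].append(rec)
    return events

def perm_letters(value):
    return "".join(l for bit, l in PERM_BITS.items() if int(value) & bit) or "-"

def describe(records):
    """Summarise one event: which syscall, what the watch was set for, what tripped it."""
    by_type = {r["type"]: r for r in records}
    sc, fw, path = by_type["SYSCALL"], by_type.get("FS_WATCH"), by_type.get("PATH")
    out = {"auid_unset": int(sc["auid"]) == UNSET_AUID}
    if sc["arch"] == "c000003e":
        out["syscall"] = X86_64_SYSCALLS.get(int(sc["syscall"]), "#" + sc["syscall"])
        if out["syscall"] == "access":      # a1 is the mode argument, logged in hex
            out["access_mode"] = ACCESS_MODE.get(int(sc["a1"], 16), sc["a1"])
    if fw:
        out["watched_for"] = perm_letters(fw["perm"])        # perm=10 -> "wa"
        out["triggered_by"] = perm_letters(fw["perm_mask"])  # perm_mask=2 -> "w"
    if path:
        out["mode"] = oct(int(path["mode"], 8) & 0o7777)     # file-type bits dropped
    return out

print(describe(group_events(SAMPLE_LOG)[6396]))
```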
Filesystem filling up ...
by Aaron Lippold
Hello,
I was hoping some smarter audit folks than I could look at this small
set of rules and let me know if anything seems: 1) way too broad, 2)
would fill up a file system fast, or 3) could use improvement.
cat << 'EOF' > /etc/audit/audit.rules
## Submitted by JasonM at FSO.
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule - delete all
-D
# Feel free to add below this line. See auditctl man page
# Increase the buffers to survive stress events
-b 256
-e 1
# Audit Failed opens
-a exit,always -S open -F success!=0
#
# Audit success and failure of delete
-a exit,always -S unlink -S rmdir
#
# Audit success and failure of admin actions
#-a task,always -F uid=0
-w /var/log/audit/ -k ADMIN
-w /etc/auditd.conf -k ADMIN
-w /etc/audit.rules -k ADMIN
-a exit,always -S stime -S acct -S reboot -S swapon -S settimeofday -S setrlimit
-a exit,always -S setdomainname -S sched_setparam -S sched_setscheduler
EOF
Some of my end users are saying they're logging a lot of audits. We are
using the same kickstart file, but my test systems are not filling up.
Thanks for the help.
Aaron
17 years, 5 months
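Added example, not from the thread: a Python linter that reads the rule lines quoted above and flags the patterns that produce volume. The NOISY and NARROWING sets are my own heuristics. It treats -F success!=0 as non-narrowing because auditctl's success field is 1 whenever the syscall returned >= 0, so that rule audits successful opens rather than the failed ones its comment describes.

```python
"""Lint an auditctl rules file for rules likely to flood the audit partition."""
import shlex

# Syscalls nearly every process issues constantly: an exit rule on them with no
# narrowing -F filter is the usual reason /var/log/audit fills up.
NOISY = {"all", "open", "openat", "read", "write", "close", "stat", "fstat", "mmap", "brk"}
# Filter fields that genuinely shrink the match set (a user, a path, a binary).
NARROWING = {"auid", "uid", "euid", "gid", "egid", "pid", "ppid", "path", "dir", "exe"}
# Constructed copy of the rule lines from the file quoted above.
SAMPLE_RULES = """\
-a exit,always -S open -F success!=0
-a exit,always -S unlink -S rmdir
#-a task,always -F uid=0
-w /var/log/audit/ -k ADMIN
-w /etc/auditd.conf -k ADMIN
-a exit,always -S stime -S acct -S reboot -S swapon -S settimeofday -S setrlimit
-a exit,always -S setdomainname -S sched_setparam -S sched_setscheduler
"""

def parse_rule(line):
    """Split one auditctl line into its -a / -S / -F / -k / -w parts."""
    rule = {"action": None, "syscalls": [], "filters": [], "key": None, "watch": None}
    toks = shlex.split(line)
    for opt, arg in zip(toks[0::2], toks[1::2]):   # auditctl options come in pairs
        if opt in ("-S", "-F"):
            rule["syscalls" if opt == "-S" else "filters"].append(arg)
        elif opt in ("-a", "-k", "-w"):
            rule[{"-a": "action", "-k": "key", "-w": "watch"}[opt]] = arg
    return rule

def narrows(flt):
    """True if a -F expression cuts volume: success=0 (failed calls only) does,
    success!=0 or success=1 keeps the successful calls, i.e. nearly all of them."""
    field = flt.split("=")[0].rstrip("!<>")
    if field == "success":
        return flt in ("success=0", "success!=1")
    return field in NARROWING

def lint(text):
    """Return (severity, rule, reason) tuples for every rule that looks risky."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.split()[0] not in ("-a", "-w"):
            continue                            # comments and -D / -b / -e control lines
        r = parse_rule(line)
        noisy = sorted(set(r["syscalls"]) & NOISY)
        if noisy and not any(narrows(f) for f in r["filters"]):
            findings.append(("HIGH", line, "audits %s system-wide with no narrowing filter" % "/".join(noisy)))
        if r["action"] and r["key"] is None:
            findings.append(("LOW", line, "no -k key, so ausearch -k cannot isolate its events"))
    return findings
```

Run `lint(SAMPLE_RULES)` to get the findings; on the sample only the open rule is rated HIGH.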
Problem Sending Watch List
by Taylor_Tad@emc.com
I know I've found something about this issue before, but for the life of
me I can't find it now. I'm trying to set a watch list on a modified
RHEL 4.2 system and I get the error message:
Error sending watch list request (Operation not supported)
I know this works on later versions of RHEL 4.x, but I don't remember
which component has the fix (kernel, audit, what?). Sorry to ask about
this, but searching the mailing list archive and the 'net hasn't led me
to the answer.
Thanks,
--Tad
17 years, 5 months