NISPOM Auditing
Hello,
I need to log file edit attempts when a user doesn't have permission to
edit a specific file. For example, a non-root user attempts to edit
"/var/log/audit/audit'log" which has a permission setting of 640.
Although the user won't be able to edit the file (permission denied) -
I'd still like to log the attempt. Here's a snippet of my audit.rules
file:
## unsuccessful creation
-a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13
-k creation
-a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13
-k creation
## unsuccessful open
-a exit,always -S open -F exit=-13 -k open
## unsuccessful close
-a exit,always -S close -F exit=-13 -k close
## unsuccessful modifications
-a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
-a exit,always -S renameat -F exit=-13 -k mods
## unsuccessful deletion
-a exit,always -S rmdir -S unlink -F exit=-13 -k delete
-a exit,always -S unlinkat -F exit=-13 -k delete
## unauthorized change directory (cd)
-a exit,always -S chdir -F path=/var/log/audit -k evil2-cd
## Watch Files
-w /var/log/audit/audit.log -p rwxa -k audit-log2
Thanks
-Jim
Attachments:
- attachment.html (text/html — 2.7 KB)