Re: auditd on nonexistent files
On Mon, 14 Sep 2015 16:01:17 +0000
Davíð Steinn Geirsson <dsg(a)sensa.is> wrote:
Hi all,
What is the best practice for using auditd for file integrity
monitoring?
From the documentation, I have this, which works fine:
-a always,exit -F dir=/bin -F perm=wa
However, it seems that if I have a rule on a nonexistent directory,
auditd will fail to add the rule (I assume because it's adding a watch
on an inode or something like that?), but it will also just stop
reading audit.rules and not add any subsequent rules.
This is bad in an environment where we have to have FIM for critical
application files, but where another team may be maintaining some of
the apps and therefore might remove some watched directories,
especially as their mishaps may impact auditing for other parts of
the system.
Can something be done to get better behaviour here?
I see two ways it could be better
1) (the ideal case) auditd will add rules even for nonexistent
directories, and when they are created will add a watch for them. If a
directory is removed and another created with the same name, auditd
will add a watch on the new directory.
Which kernel are you using? I want to think this was fixed in kernels
around 2.6.36 or later. This original problem was that the audit
watches are based on inotify which needs an inode. If there's no inode,
you can't place the watch.
2) auditd still cannot add watches to nonexistent directories, but a
failed rule add from audit.rules will become a warning rather than an
error so subsequent watches still get added.
Check into adding -i or -c near the top of your rules.
-Steve
I suspect 1) is not possible, but can I get auditd to behave like in
2)?
Best regards,
Davíð