On Mon, 2015-05-11 at 15:52 -0400, Steve Grubb wrote:
On Monday, May 11, 2015 11:50:19 AM Bill Jackson III wrote:
> Any pointers for troubleshooting auditd missing events for file reads,
> edits, etc. ( -w _path_ -p raw) on OEL5/RHEL 5/CentOS 5?
>
>
http://security.stackexchange.com/q/89009/56827
The -w notation is the same as
-a always,exit -F path=XXX -F perms=rwa
What this does is audit the following functions defined in the syscall
classifiers:
http://lxr.free-electrons.com/source/include/asm-generic/audit_read.h
http://lxr.free-electrons.com/source/include/asm-generic/audit_write.h
http://lxr.free-electrons.com/source/include/asm-generic/audit_change_attr.h
You are not going to get a hit for each and every read system call because
read is not audited.
Bill,
If your question is
"Can one apply a file watch using auditd if the file does not exist?"
then I believe the answer is no.
Options would be
- as part of your application deployment standard operating procedures
(SOPs) add appropriate watches to audit.rules and restart the auditd
service
- keep all your sensitive files in one directory location, set a
directory watch on this directory tree and then, as part of your
application deployment SOPs, place the real files in the sensitive file
area and then link to them from the application area. (I've just tried
this on a fc22 system and it works)
Regards
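As an added illustration of the two points made in this thread (not code posted by anyone in it), the script below does two things: it expands a `-w PATH -p PERMS -k KEY` watch into the explicit `-a always,exit ... -F perms=` form, using `-F dir=` for a directory (recursive watch) and `-F path=` for a file, and it lays out the "one sensitive directory, symlinked from the application area" arrangement suggested in the last reply. The directory name, file name and key are illustrative assumptions. It only prints rules; loading them needs root and a running auditd (`auditctl -R` or `augenrules --load`), which the script deliberately does not do.

```shell
#!/bin/sh
# Added example for the linux-audit thread above; not from auditd or the thread.
# Assumptions: "sensitive/" and "app/" are illustrative directory names,
# "secret.conf" an illustrative file, "sens" an illustrative audit key.

# expand_watch PATH [PERMS] [KEY]
# Print the syscall-rule form equivalent to "-w PATH -p PERMS -k KEY".
# A directory gets "-F dir=" (recursive watch on the tree), a file "-F path=".
expand_watch() {
    path=$1
    perms=${2:-rwa}
    key=$3
    if [ -d "$path" ]; then
        selector="-F dir=$path"
    else
        selector="-F path=$path"
    fi
    rule="-a always,exit $selector -F perms=$perms"
    if [ -n "$key" ]; then
        rule="$rule -F key=$key"
    fi
    printf '%s\n' "$rule"
}

# place_sensitive BASE NAME CONTENT
# Create BASE/sensitive/NAME holding CONTENT and a symlink BASE/app/NAME
# pointing at it, so a single watch on BASE/sensitive covers the file
# regardless of when the application directory is deployed.
# Prints the path of the real (watched) file.
place_sensitive() {
    base=$1
    name=$2
    content=$3
    mkdir -p "$base/sensitive" "$base/app"
    printf '%s\n' "$content" > "$base/sensitive/$name"
    ln -sf "$base/sensitive/$name" "$base/app/$name"
    printf '%s\n' "$base/sensitive/$name"
}

# Demo: build the layout in a scratch directory and print the rules that
# would go into audit.rules. Nothing here talks to the kernel.
demo() {
    base=$(mktemp -d)
    real=$(place_sensitive "$base" secret.conf "token=example")
    echo "# directory watch covering every file placed under $base/sensitive:"
    expand_watch "$base/sensitive" rwa sens
    echo "# the same rule for one existing file:"
    expand_watch "$real" rwa sens
    rm -rf "$base"
}

# Run the demo only when executed directly, not when sourced by a test.
case "$0" in
    *expand_watch*|*audit*) demo ;;
esac
```

The `-w` form and the `-a always,exit -F dir=/-F path=` form are interchangeable when written into audit.rules; the expanded form just makes visible which filter fields (`perms`, `key`) the watch shorthand sets.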