Hi,
I am trying to set up some audit rules to monitor failed accesses to a given folder - here
is the basics:
-a exit,always -S open -k fk_open -F dir=/recorder/ -F success=0
Here are the permissions on the folder:
drwxrwx--- 3 red red 4096 Jun 4 10:39 recorder
and the contents:
drwxrwx--- 3 red red 4096 Jun 4 12:05 .
drwxr-xr-x 21 root root 1024 Jun 4 10:38 ..
drwx------ 2 root root 16384 Apr 24 15:49 lost+found
-rw-rw---- 1 root root 6 Jun 4 12:05 test.txt
If I run as user "red" ie. Who does have permission to write to this folder but
then try and replace the "text.txt" file (which is owned by root) I get:
reduser@unit:~ echo test >test.txt
-sh: can't create test.txt: Permission denied
Along with a corresponding entry in the audit log which is what I'm expected.
However if I run as another use which does not have permission to access this folder and
try the same thing:
blackuser@unit:~ echo test >/recorder/test.txt
-sh: can't create /recorder/test.txt: Permission denied
But I don't get anything captured in the audit log. I've tried a few incarnations
of the rule, including setting up similar arrangements and having the daemon monitor the
parent folder (thinking the access will show up there) but I can't get this scenario
to be detected by the audit daemon. If I remove the file system filter (ie. So I see all
failed accesses) then it does get logged but this generates way too much traffic to be of
much use. I've also done an strace call around the command and verified that (in this
latter scenario) is it definitely the open call which is generating the permission denied
error and it is.
This is using audit-2.3.6 on a 3.2.55 kernel.
Any help appreciated,
Jon.
--
Jon Bird, CEng MBCS
Software Engineer
Electronic Systems
General Dynamics United Kingdom Ltd.
Castleham Road, St Leonards on Sea, East Sussex, TN38 9NJ
Telephone: +441424798278
Email: jon.bird(a)generaldynamics.uk.com
Website:
www.generaldynamics.uk.com
This email and any files attached are intended for the addressee and may contain
information of a confidential nature. If you are not the intended recipient, be aware that
this email was sent to you in error and you should not disclose, distribute, print, copy
or make other use of this email or its attachments. Such actions, in fact, may be
unlawful. In compliance with the various Regulations and Acts, General Dynamics United
Kingdom Limited reserves the right to monitor (and examine for viruses) all emails and
email attachments, both inbound and outbound. Email communications and their attachments
may not be secure or error- or virus-free and the company does not accept liability or
responsibility for such matters or the consequences thereof. General Dynamics United
Kingdom Limited, Registered Office: 21 Holborn Viaduct, London EC1A 2DY. Registered in
England and Wales No: 1911653.