On Tuesday, June 6, 2023 6:31:55 PM EDT Vincent Abraham wrote:
> Thanks. Could you also point to portions in the codebase where these
> functions are called for monitoring file access?
I'll let Richard or Paul point to the place in the kernel if that's
necessary. I think there's a fundamental mismatch and it might not matter.
> The reason I'm asking for this is that I'm trying to provide auditing for
> files of a specific type and I'm trying to understand how that would work.
The way the audit system works is there is a rule engine in the kernel. User
space loads the rules and listens for events. The kernel does all the
work. This rule matching can be done by a limited set of attributes which for
a file would be path, kind of access, who is accessing it, program accessing
it, portions of SELinux labeling, and a few other things.
You cannot match by type or anything that looks like a glob. You can arrange
them in a directory and watch the whole directory. You can create a script
that looks for files of a certain type and load rules specifically for them
into the kernel (with a specific key so you can find them later). Or you can
plug into auditd as a plugin and filter the events and write them to your own
log.
There might be some other approaches such as using fanotify and filtering
those events yourself.
-Steve
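The "script that looks for files of a certain type and loads rules for them with a key" approach described above, written out as an added example (it is not code from the thread or from the audit project). It assumes only the documented auditctl(8) rule syntax `-w PATH -p PERMS -k KEY`, `auditctl -R FILE` to load a rules file, and `ausearch -k KEY` to find the resulting events; the directory, extension and key used are constructed sample values.

```shell
#!/bin/sh
# Added example: generate per-file audit watch rules for every file of one
# type under a directory, all tagged with one key so the rules (auditctl -l)
# and their events (ausearch -k KEY) can be found later.

# gen_audit_rules DIR EXT KEY [PERMS]
# Prints one "-w PATH -p PERMS -k KEY" rule per regular file named *.EXT
# under DIR (PERMS defaults to rwxa: read, write, execute, attribute change).
gen_audit_rules() {
  dir=$1; ext=$2; key=$3; perms=${4:-rwxa}
  find "$dir" -type f -name "*.$ext" | sort | while IFS= read -r f; do
    # auditctl -R splits each rule line on whitespace, so a path containing
    # whitespace cannot be expressed in a rules file: report it and skip it.
    case $f in
      *[[:space:]]*) printf 'skipping path with whitespace: %s\n' "$f" >&2; continue ;;
    esac
    printf -- '-w %s -p %s -k %s\n' "$f" "$perms" "$key"
  done
}

# dir_watch_rule DIR KEY [PERMS]
# The coarser alternative from the thread: one rule watching the whole
# directory, which also covers files created there later.
dir_watch_rule() {
  dir=$1; key=$2; perms=${3:-rwxa}
  printf -- '-w %s -p %s -k %s\n' "$dir" "$perms" "$key"
}

# count_rules DIR EXT: how many per-file rules gen_audit_rules would emit.
count_rules() {
  gen_audit_rules "$1" "$2" placeholder-key | wc -l | tr -d ' '
}

# load_rules RULES_FILE DIR EXT KEY [PERMS]
# Writes the generated rules to RULES_FILE and loads them into the kernel
# (needs root and a running audit subsystem). Afterwards, events for any of
# these files can be pulled with: ausearch -k KEY
load_rules() {
  rules_file=$1; shift
  gen_audit_rules "$@" > "$rules_file" && auditctl -R "$rules_file"
}
```

Because the per-file rules are snapshots of what `find` saw, they must be regenerated (or supplemented with a directory watch) when files of that type are added or renamed.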