On Wednesday, February 24, 2016 07:04:08 AM Sarthak Jain wrote:
> I am Sarthak Jain working in MicroFocus. I want your small help to clarify
> one of my doubts regarding the kernel auditing on RHEL 7.1. I hope you are
> the right person to contact. It will take just 2 min (max :P) to go through
> the problem.
>
> Assumption: Ideally, if we change the configuration file (for ex-
> /etc/hosts), we should be getting audit events for it.
>
> Scenario: By default, the permissions for '/etc/hosts' are (rw-r-r--). If we
> modify this file, then audit events are coming as attached in file -
> 'file1.txt'.
>
> Problem: Let's say we change the permissions of '/etc/hosts' to
> (rw-rw-rw); then the audit system is not recording the "CONFIG_CHANGE" event
> at all.
That is because the audit configuration has not changed. Config change events
are specific to changes in the audit system itself. What you get for this is a
syscall event with a path.
If you want to get events on changing permissions on a file, then you would put
a rule like this:
-a always,exit -F path=/etc/hosts -F perm=a -F key=permission-change
After modifying the file with chmod, then run:
ausearch --start today -k permission-change
> I have attached the file - 'file2.txt' for your reference. Can you
> please clarify this? Is it a kernel level bug?
No. It's doing what it should.
-Steve
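As an added illustration of the point in this reply (this is not code from the thread, from Steve, or from the audit project): the rule above produces SYSCALL/CWD/PATH/PROCTITLE records that share one serial number, and `ausearch -k permission-change` selects by the `key=` field of the SYSCALL record. The script below does that selection on raw audit lines and reduces each hit to one triage row. The log lines are constructed to look like a `chmod 666 /etc/hosts` followed by an unkeyed editor write; the syscall numbers and argument positions (chmod=90, fchmod=91, fchmodat=268; mode in a1/a1/a2) are the x86_64 values and are an assumption of this example, as is the choice to read the requested mode from the syscall argument rather than from the PATH record.

```python
import re

# x86_64 syscall numbers (arch=c000003e) -> which argument carries the new mode.
# Assumption of this example; other architectures use different numbers.
MODE_ARG_BY_SYSCALL = {90: "a1", 91: "a1", 268: "a2"}  # chmod, fchmod, fchmodat

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):")

# Constructed sample of raw audit records (not the thread's file1.txt/file2.txt):
# event 4567 is `chmod 666 /etc/hosts` matched by the permission-change rule,
# event 4570 is an editor opening /etc/hosts for writing with no rule key.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1456300000.123:4567): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=1e2a4c0 a2=1b6 a3=0 items=1 ppid=1234 pid=1250 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="chmod" exe="/usr/bin/chmod" key="permission-change"
type=CWD msg=audit(1456300000.123:4567):  cwd="/root"
type=PATH msg=audit(1456300000.123:4567): item=0 name="/etc/hosts" inode=12345 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1456300000.123:4567): proctitle=63686D6F6400363636002F6574632F686F737473
type=SYSCALL msg=audit(1456300100.456:4570): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=1e2a4c0 a2=241 a3=1b6 items=2 ppid=1234 pid=1260 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="vim" exe="/usr/bin/vim" key=(null)
type=PATH msg=audit(1456300100.456:4570): item=0 name="/etc/" inode=100 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1456300100.456:4570): item=1 name="/etc/hosts" inode=12345 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""


def parse_record(line):
    """Turn one raw audit line into a dict of its fields plus _time/_serial."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {"_time": float(m.group(1)), "_serial": int(m.group(2))}
    rec["type"] = line.split(None, 1)[0].split("=", 1)[1]
    for key, val in FIELD_RE.findall(line[m.end():]):
        rec[key] = val.strip('"')
    return rec


def group_events(text):
    """Group records by serial: one serial is one kernel event."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec["_serial"], []).append(rec)
    return events


def decode_proctitle(hexstr):
    """PROCTITLE is the NUL-separated argv encoded as hex."""
    parts = bytes.fromhex(hexstr).split(b"\0")
    return " ".join(p.decode(errors="replace") for p in parts if p)


def summarize_keyed_events(text, wanted_key):
    """Equivalent of `ausearch -k <key>` reduced to one triage row per event."""
    rows = []
    for serial, recs in sorted(group_events(text).items()):
        sysc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sysc is None or sysc.get("key") != wanted_key:
            continue  # unkeyed syscall events (the plain file edit) are skipped
        arg = MODE_ARG_BY_SYSCALL.get(int(sysc["syscall"]))
        mode = format(int(sysc[arg], 16), "04o") if arg else None
        title = next((r["proctitle"] for r in recs if r["type"] == "PROCTITLE"), "")
        rows.append({
            "serial": serial,
            "time": sysc["_time"],
            "auid": sysc.get("auid"),
            "uid": sysc.get("uid"),
            "exe": sysc.get("exe"),
            "success": sysc.get("success"),
            "requested_mode": mode,
            "paths": [r["name"] for r in recs
                      if r["type"] == "PATH" and r.get("nametype") == "NORMAL"],
            "command": decode_proctitle(title) if title else "",
        })
    return rows


if __name__ == "__main__":
    for row in summarize_keyed_events(SAMPLE_LOG, "permission-change"):
        print(row)
```

Run it as-is to see the single keyed row for the chmod; feeding it `ausearch --raw -k permission-change` output from a host with the rule loaded gives the same shape of output. The unkeyed editor event in the sample is the situation from the first half of the thread: the kernel still emits a syscall event for the write, but nothing ties it to a rule key, and nothing about it is a CONFIG_CHANGE.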