RE: auditing access to directories with restricted access
On 2014-06-04, Steve Grubb wrote:
Hello,
On Wednesday, June 04, 2014 12:13:02 PM jon.bird(a)generaldynamics.uk.com
wrote:
> I am trying to set up some audit rules to monitor failed accesses to
> a given folder - here is the basics:
>
[...]
This is a kernel problem. I recall seeing a patch on this mail list
over a year ago purporting to allow audit events when path resolution
failed. The issue as I remember goes something like this...
Files are really identified by device and inode number. In order to be
more user friendly, we allow watches which pass a path name. The
kernel really converts that to device and inode and watches for that.
When an access gets denied such that the path cannot be converted to
the device and inode to see if it matches a rule, then you won't get an event.
Like I said, I have seen a patch that supposedly fixed it by Eric
Paris. But I don't know if it got replaced during some re-writes, or
it didn't make it upstream, or it only provides results some of the
time. But I really think its reasonable to expect to get a denied
event as you described above. Maybe Eric can chime in about this.
-Steve
Thanks for the update, apparently it used to work in the 2.6.3x kernels.. Would be useful
to know about that patch anyway, we are building our system up from scratch so it may be
possible to apply it to our kernel sources. I did have a quick trawl through the archives
but nothing obvious leapt out at me.
Rgs,
Jon.
--
Jon Bird, CEng MBCS
Software Engineer
Electronic Systems
General Dynamics United Kingdom Ltd.
Castleham Road, St Leonards on Sea, East Sussex, TN38 9NJ
Telephone: +441424798278
Email: jon.bird(a)generaldynamics.uk.com
Website: www.generaldynamics.uk.com
This email and any files attached are intended for the addressee and may contain
information of a confidential nature. If you are not the intended recipient, be aware that
this email was sent to you in error and you should not disclose, distribute, print, copy
or make other use of this email or its attachments. Such actions, in fact, may be
unlawful. In compliance with the various Regulations and Acts, General Dynamics United
Kingdom Limited reserves the right to monitor (and examine for viruses) all emails and
email attachments, both inbound and outbound. Email communications and their attachments
may not be secure or error- or virus-free and the company does not accept liability or
responsibility for such matters or the consequences thereof. General Dynamics United
Kingdom Limited, Registered Office: 21 Holborn Viaduct, London EC1A 2DY. Registered in
England and Wales No: 1911653.