Re: Best means of capturing audit changes to a certain filename under a path subtree? aka wildcard file watches
On Thursday, September 15, 2011 03:03:06 AM Robin H. Johnson wrote:
In the wake of the kernel.org attack, we're brushing up our
security at
Gentoo (I lead our infrastructure/IT team for Gentoo services). One of
our self-identified weaknesses is auditing of changes to files used
elsewhere in our automated verification processes.
The audit subsystem gives a great general way to do this, but I can't
identify how best to audit changes to a file when the entire path is not
known ahead of time.
It seems that it would best be accomplished with wildcards:
/var/db/pkg/*/*/CONTENTS
There still is no wildcard support like that. There is auditing of a directory tree
which is like /var/* but not /var/*.log. The problem is that file access is on the
hotpath inside the kernel. Anything slowing it down will be frowned upon heavily. So,
what is done is roughly the equivalent of turning an absolute path into a hash and
then doing a hash compare. That is about all the clock cycles the kernel can spare
since we do not want a performance hit if it can be avoided.
That said, maybe selinux lables can help? If the CONTENTS files had a lable different
from other files (perhaps content_t), then you can write a rule something like:
-a always,exit -F dir=/var/db/pkg -F obj_type=content_t -k content
-Steve