On 2017-06-12 10:20, John Petrini wrote:
> Hello,

Hi John,

> We have a need to monitor voicemail directories for any sort of
> access.
> Basically there is only one application that should be accessing the files.
> If anything else accesses the files we need to log that.
>
> We set up the following to accomplish this but it doesn't quite do what we
> want.
>
> -a always,exit -S all -F dir=/path/to/voicemail -F perm=rwxa -F auid!=voicemail_user -F key=voicemail_watch
>
> voicemail_user is the user that initially starts the process. The problem
> arises when someone logged in under a different account restarts the
> process. From that point forward every time the application accesses that
> directory it results in a log message.
>
> We need other users to be able to log in and restart the process
> so our method here really doesn't work. Is there a way to log only if a
> different application accesses the directory rather than basing the audit on
> user?
>
> I was hoping to use something like -F exe!="/path/to/application" but it
> looks like this is not supported.

How about trying:

-a never,exit -S all -F exe="/path/to/application" -F dir=/path/to/voicemail -F perm=rwxa -F auid!=voicemail_user -F key=voicemail_watch
-a always,exit -S all -F dir=/path/to/voicemail -F perm=rwxa -F auid!=voicemail_user -F key=voicemail_watch

Meanwhile, I've filed an issue to add negation to "-F exe=".
https://github.com/linux-audit/audit-kernel/issues/53

I hope this helps.

> John Petrini

- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
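As an added illustration of the point in this thread (not code from either poster), here is a small userspace post-filter over audit SYSCALL records tagged with the voicemail_watch key. It contrasts the original auid-based criterion, which also reports the daemon once it has been restarted from another login session, with an exe-based criterion that reports only accesses from a binary other than the permitted one. The three sample records, the path /path/to/application, the pids and the uids are constructed; the field names (type, auid, exe, comm, key) are standard audit record fields.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample audit records (not taken from the thread). Event 4501 is
# the permitted daemon; 4502 is an interactive tool reading the directory;
# 4503 is the same daemon after it was restarted from a different login
# session (auid=1002), the case an auid-only rule reports as a false alarm.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1497277200.101:4501): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1 a1=0 a2=0 a3=0 items=1 ppid=1 pid=1234 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4 comm="voicemaild" exe="/path/to/application" key="voicemail_watch"
type=CWD msg=audit(1497277200.101:4501): cwd="/"
type=PATH msg=audit(1497277200.101:4501): item=0 name="/path/to/voicemail/1001/msg0001.wav" inode=12345 dev=fd:01 mode=0100640 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1497277260.555:4502): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd2 a1=0 a2=0 a3=0 items=1 ppid=2000 pid=2001 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts0 ses=7 comm="cat" exe="/usr/bin/cat" key="voicemail_watch"
type=SYSCALL msg=audit(1497277300.000:4503): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd3 a1=0 a2=0 a3=0 items=1 ppid=1 pid=1300 auid=1002 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=7 comm="voicemaild" exe="/path/to/application" key="voicemail_watch"
"""

# One key=value pair; the value is either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into a field dict; quoted values lose their quotes."""
    return {key: quoted if quoted else bare for key, quoted, bare in FIELD_RE.findall(line)}


def tagged_syscalls(log_lines: Iterable[str], key: str) -> List[Dict[str, str]]:
    """Keep only SYSCALL records that carry the given audit rule key."""
    records = (parse_record(line) for line in log_lines if line.strip())
    return [r for r in records if r.get("type") == "SYSCALL" and r.get("key") == key]


def flagged_by_auid(log_lines: Iterable[str], key: str, trusted_auid: str) -> List[Dict[str, str]]:
    """What the thread's original rule reports: every access not from the trusted login."""
    return [r for r in tagged_syscalls(log_lines, key) if r.get("auid") != trusted_auid]


def flagged_by_exe(log_lines: Iterable[str], key: str, allowed_exe: str) -> List[Dict[str, str]]:
    """Exe-based criterion: every access not made by the permitted binary, whoever started it."""
    return [r for r in tagged_syscalls(log_lines, key) if r.get("exe") != allowed_exe]


def describe(records: List[Dict[str, str]]) -> List[str]:
    """One short line per flagged record for a report or alert."""
    return [f'{r["msg"]} auid={r["auid"]} exe={r["exe"]} comm={r["comm"]}' for r in records]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("auid-based (noisy after a restart from another login):")
    for entry in describe(flagged_by_auid(lines, "voicemail_watch", "1001")):
        print("  ", entry)
    print("exe-based:")
    for entry in describe(flagged_by_exe(lines, "voicemail_watch", "/path/to/application")):
        print("  ", entry)
```

Run against the constructed records, the auid criterion flags events 4502 and 4503, while the exe criterion flags only 4502 (/usr/bin/cat). The same filter can be pointed at real audit.log lines produced by the always rule above, which is a way to get exe-based reporting from userspace until the kernel accepts a negated -F exe= match.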