On 15/05/12, Burn Alting wrote:
On Mon, 2015-05-11 at 15:52 -0400, Steve Grubb wrote:
> On Monday, May 11, 2015 11:50:19 AM Bill Jackson III wrote:
> > Any pointers for troubleshooting auditd missing events for file reads,
> > edits, etc. ( -w _path_ -p raw) on OEL5/RHEL 5/CentOS 5?
> >
> >
http://security.stackexchange.com/q/89009/56827
>
> The -w notation is the same as
>
> -a always,exit -F path=XXX -F perms=rwa
>
> What this does is audit the following functions defined in the syscall
> classifiers:
>
http://lxr.free-electrons.com/source/include/asm-generic/audit_read.h
>
http://lxr.free-electrons.com/source/include/asm-generic/audit_write.h
>
http://lxr.free-electrons.com/source/include/asm-generic/audit_change_attr.h
>
> You are not going to get a hit for each and every read system call because
> read is not audited.
Bill,
If your question is
"Can one apply a file watch using auditd if the file does not exist?"
then I believe the answer is no.
There is a patch set coming to be able to address this case if the
directory exists. Down the road, I'm hoping to be able to accommodate
non-existent directories too.
Options would be
- as part of your application deployment standard operating procedures
(SOPs) add appropriate watches to audit.rules and restart the auditd
service
- keep all your sensitive files in one directory location, set a
directory watch on this directory tree and then as part of your
application deployment SOPs, place the real files in the sensitive file
area and then link to them from the application area. (I've just tried
this on a fc22 system and it works)
Regards
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
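The two points made in the thread, that a `-w PATH -p PERMS` watch is shorthand for an `-a always,exit -F path=... -F perms=...` rule, and that a directory watch plus symlinks from the application area covers files that do not exist yet at rule-load time, as an added shell example. This is not code from the thread or from the audit project; the directory names, the `-k` key and the function names are invented for illustration, and nothing here calls auditctl, so it runs without root or a live audit daemon.

```shell
#!/bin/sh
# Added example, not from the linux-audit thread. Builds the audit rule forms
# discussed above and exercises the "watched area + symlink" deployment SOP
# on a scratch tree. Directory and key names are assumptions.

# Expand "-w PATH -p PERMS" into the syscall-rule form it is shorthand for.
# Default perms are rwa, matching what a bare -w gives.
watch_to_rule() {
    _path=$1
    _perms=${2:-rwa}
    printf '%s\n' "-a always,exit -F path=$_path -F perms=$_perms"
}

# Rule line for the sensitive-file area: one directory watch covers every
# file placed under it later, so no per-file rule or auditd restart is needed
# at deployment time. $2 is an ausearch -k key (assumed name).
sensitive_area_rules() {
    printf '%s\n' "-w $1 -p rwa -k $2"
}

# Deployment step from the thread: the real file lives under the watched
# directory and the application path becomes a symlink to it.
# Prints the resolved target of the link.
deploy_sensitive_file() {
    _app=$1    # path the application opens
    _area=$2   # directory carrying the watch
    _real="$_area/$(basename "$_app")"
    mkdir -p "$_area" "$(dirname "$_app")"
    if [ -e "$_app" ] && [ ! -L "$_app" ]; then
        mv "$_app" "$_real"        # existing file: move it under the watch
    elif [ ! -e "$_real" ]; then
        : > "$_real"               # new file: create it where it is watched
    fi
    ln -sfn "$_real" "$_app"
    readlink -f "$_app"
}

# Check that a path the application opens resolves into the watched tree.
# Watches are bound to the resolved inode, so a file dropped straight into
# the application directory (no link into the area) is not covered.
is_watched_path() {
    _target=$(readlink -f "$1") || return 1
    _area=$(readlink -f "$2") || return 1
    case "$_target" in
        "$_area"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration on a constructed scratch tree, removed afterwards.
WORK=$(mktemp -d)
watch_to_rule /etc/passwd
sensitive_area_rules "$WORK/sensitive" sensitive-files
deploy_sensitive_file "$WORK/app/config/db.conf" "$WORK/sensitive"
if is_watched_path "$WORK/app/config/db.conf" "$WORK/sensitive"; then
    echo "db.conf resolves into the watched area"
fi
rm -rf "$WORK"
```

The `is_watched_path` check is the one worth keeping in a deployment SOP: it catches the case where someone later replaces the symlink with a real file in the application directory, which silently takes the file out from under the directory watch.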