Audit logging

Steve G linux_4ever at yahoo.com
Thu Aug 3 17:50:49 UTC 2006


>> No one can turn off auditd unless they are root. Do you have
>> untrusted root users?
>
>We do not have untrusted root users, the problem is we are trying to
>audit ourselves and do it in a way that we could not easily
>circumvent

You will likely need to use the realtime interface and write a program that moves
the data to another machine. I will be writing one in a couple months, but in the
meantime everyone has to cobble together their own solution. Otherwise they can
just do auditctl -e 0 and you are done.

>If I wanted to exclude the following
>
>type=SYSCALL msg=audit(1154617819.471:67475): arch=c000003e syscall=2
>success=yes exit=3 a0=2aaaac31f8e9 a1=0 a2=1b6 a3=0 items=1 pid=25561
>auid=XXX uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
>tty=(none) comm="sshd" exe="/usr/sbin/sshd"
>subj=user_u:system_r:unconfined_t:s0-s0:c0.c255
>
>
>-a exclude,always -F msgtype=SYSCALL
> -a exit.always -F uid=0
> -a entry,always -F uid=0
>
>Is this correct ?

These are 3 different rules that form an OR condition. What will happen is
SYSCALL records in the event will be thrown away, any syscall with uid 0 will be
recorded, and a redundant rule will try to do the same thing.

>or can i do something
>- -a exit,

No.



> What are you really trying to record?
>
>Trying to record when people access particular files, which I have
>been looking at the auditctl -w for, but the examples do not work in the
>documentation

You have to have the 2.6.18 kernel to get this to work. Otherwise you are limited
to using -F devmajor=xx -F devminor=yy

>such as (found in capp.rules)
>
> -w /var/log/audit/ -k LOG_audit

The above works for 2.6.18 kernel.

-Steve
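The off-box forwarder that Steve says everyone currently has to cobble together, as an added example that is not part of the original thread or of the audit package: it reads one audit record per line on stdin (the form the realtime dispatcher hands to a plugin), parses the `type=... msg=audit(secs.msec:serial): key=value ...` layout of the record quoted above, groups consecutive records with the same serial into one event, throws away record types listed in EXCLUDE_TYPES (the effect of `-a exclude,always -F msgtype=SYSCALL`: the SYSCALL record goes, the CWD and PATH records of the same event survive), and ships each event as one JSON line over TCP to a collector on another machine. The collector host and port, the JSON-lines framing, and the sample records (modelled on the quoted event, with made-up auid/inode values) are all assumptions for illustration.

```python
"""Forward Linux audit records to another host as they arrive (added example;
not code from the thread or the audit package).  Run as a dispatcher plugin
or as `tail -f /var/log/audit/audit.log | python3 forward_audit.py`."""
import json
import re
import socket
import sys

# Assumed remote collector; pick a host the audited root users cannot reach.
COLLECTOR = ("audit-collector.example.internal", 5140)

# Record types to drop, mirroring `-a exclude,always -F msgtype=SYSCALL`.
EXCLUDE_TYPES = {"SYSCALL"}

_HEADER = re.compile(r"^type=(\S+)\s+msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# key=value pairs; values are either double-quoted strings or runs of non-space
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Parse one audit record into type, timestamp, serial and a field dict.
    Returns None for lines that are not audit records."""
    m = _HEADER.match(line.strip())
    if m is None:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {}
    for key, value in _FIELD.findall(body):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return {"type": rtype, "time": float(ts), "serial": int(serial),
            "fields": fields}


class EventAssembler:
    """Groups consecutive records sharing an audit serial into one event.
    An event is emitted when a record with a different serial arrives, or
    when flush() is called at end of input; events left empty by the type
    filter are dropped."""

    def __init__(self, exclude=EXCLUDE_TYPES):
        self.exclude = exclude
        self.current = None

    def _close(self):
        ev, self.current = self.current, None
        return [ev] if ev and ev["records"] else []

    def feed(self, line):
        rec = parse_record(line)
        if rec is None:
            return []
        done = []
        if self.current and self.current["serial"] != rec["serial"]:
            done = self._close()
        if self.current is None:
            self.current = {"serial": rec["serial"], "time": rec["time"],
                            "records": []}
        if rec["type"] not in self.exclude:
            self.current["records"].append(dict(rec["fields"], type=rec["type"]))
        return done

    def flush(self):
        return self._close()


def forward(lines, send, assembler=None):
    """Drive the assembler over an iterable of record lines, handing each
    completed event dict to send().  Returns the number of events sent."""
    assembler = assembler or EventAssembler()
    count = 0
    for line in lines:
        for ev in assembler.feed(line):
            send(ev)
            count += 1
    for ev in assembler.flush():
        send(ev)
        count += 1
    return count


def tcp_sender(sock):
    """Build a send() that writes one newline-delimited JSON object per event."""
    def send(event):
        sock.sendall((json.dumps(event, sort_keys=True) + "\n").encode())
    return send


# Constructed sample input: the sshd open() event quoted in the thread
# (auid and inode values made up) followed by a second, unrelated open().
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1154617819.471:67475): arch=c000003e syscall=2 success=yes exit=3 a0=2aaaac31f8e9 a1=0 a2=1b6 a3=0 items=1 pid=25561 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=user_u:system_r:unconfined_t:s0-s0:c0.c255',
    'type=CWD msg=audit(1154617819.471:67475):  cwd="/"',
    'type=PATH msg=audit(1154617819.471:67475): item=0 name="/var/log/audit/audit.log" inode=1234 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00',
    'type=SYSCALL msg=audit(1154617825.003:67476): arch=c000003e syscall=2 success=yes exit=4 a0=7fff12345678 a1=0 a2=0 a3=0 items=1 pid=25599 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="cat" exe="/bin/cat" subj=user_u:system_r:unconfined_t:s0-s0:c0.c255',
    'type=CWD msg=audit(1154617825.003:67476):  cwd="/root"',
    'type=PATH msg=audit(1154617825.003:67476): item=0 name="/etc/shadow" inode=2222 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00',
]


def main():
    with socket.create_connection(COLLECTOR) as sock:
        n = forward(sys.stdin, tcp_sender(sock))
    sys.stderr.write("forwarded %d events\n" % n)


if __name__ == "__main__":
    main()
```

The point of shipping events as they are produced is the one Steve makes: a root user can stop the daemon or clear the rules with `auditctl -e 0`, but cannot take back records that have already left the box, so the collector should be a host the audited administrators do not control. On the 6 sample records the forwarder emits 2 events, each holding only the CWD and PATH records, because the SYSCALL records were filtered by EXCLUDE_TYPES.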
