Auditing file access below a directory

Mont Rothstein mont.rothstein at gmail.com
Thu Nov 17 00:40:54 UTC 2005


That definitely helps! I already planned to make this hierarchy have its own
partition.

This also gets around the issue of having to know the uid or gid. We plan to
move to a Fedora Directory Server based solution and thus creating rules for
each user was going to be a problem.

Thanks,
-Mont


On 11/16/05, Steve G <linux_4ever at yahoo.com> wrote:
>
> >I've been looking at auditd/auditctl and it seems like only individual
> >files or directories can be watched, but not directory trees.
>
> This is correct. The patches that do file system auditing were rejected and we
> were asked to try to combine the hooks with inotify. That was done. I did bring
> this up with the audit working group that we should look into this capability
> since it seems useful. So, to sum it up...it would need kernel work and that will
> take a while.
>
> There is a workaround that may help. If your samba share is on its own partition,
> then you can use the devmajor & minor fields in creating an audit rule. For
> example, suppose I wanted to do this for /tmp:
>
> [root at endeavor ~]# mount | grep tmp
> none on /dev/shm type tmpfs (rw)
> /dev/hda8 on /tmp type ext3 (rw)
> [root at endeavor ~]# stat /dev/hda8 | grep type
> Device: dh/13d Inode: 919 Links: 1 Device type: 3,8
>
> So the rule would be:
> auditctl -a exit,always -S open -F devmajor=3 -F devminor=8
>
> To test:
> vi /tmp/gconfd-sgrubb/
> ausearch -f gconfd-sgrubb
>
> time->Wed Nov 16 19:17:28 2005
> type=PATH msg=audit(1132186648.942:633): name="/tmp/gconfd-sgrubb/" flags=103 inode=16419 dev=03:08 mode=040700 ouid=4325 ogid=4325 rdev=00:00
> type=CWD msg=audit(1132186648.942:633): cwd="/root"
> type=SYSCALL msg=audit(1132186648.942:633): arch=40000003 syscall=5 success=yes exit=3 a0=92152b0 a1=18800 a2=3 a3=18800 items=1 pid=2937 auid=4325 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="vim" exe="/usr/bin/vim"
>
> So this works. Hope this helps...
>
> -Steve
>
>
>
>
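Added worked example (not code from Mont's or Steve's mail): the device-number arithmetic behind Steve's workaround, as a POSIX shell script. It decodes a dev_t the way the kernel and glibc encode it, which matters once a minor number goes past 255 (device-mapper and LVM volumes routinely do), prints the thread's auditctl rule for any syscall, and derives the rules for a mounted path with GNU stat. The path /tmp and every dev_t value other than the thread's own 3,8 are made-up inputs for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread: do the devmajor/devminor
# arithmetic behind Steve's workaround in portable shell and print the
# matching auditctl rules. Paths and device values below are assumptions
# for illustration (the thread's /dev/hda8 is major 3, minor 8).

# Decode a Linux dev_t, as printed by GNU `stat -c %d PATH`, into "major minor".
# The kernel/glibc encoding is not plain high-byte/low-byte once a minor
# number exceeds 255, so use the full formula rather than dev/256 and dev%256:
#   major = ((dev >> 8) & 0xfff) | ((dev >> 32) & ~0xfff)
#   minor = (dev & 0xff)         | ((dev >> 12) & ~0xff)
dev_split() {
    ds_dev=$1
    ds_major=$(( ((ds_dev >> 8) & 0xfff) | ((ds_dev >> 32) & ~0xfff) ))
    ds_minor=$(( (ds_dev & 0xff) | ((ds_dev >> 12) & ~0xff) ))
    printf '%s %s\n' "$ds_major" "$ds_minor"
}

# Print the rule from the thread for one syscall: audit every exit of that
# syscall whose target inode lives on the given block device.
# Usage: audit_fs_rule MAJOR MINOR SYSCALL
audit_fs_rule() {
    printf 'auditctl -a exit,always -S %s -F devmajor=%s -F devminor=%s\n' "$3" "$1" "$2"
}

# Derive the device from a mounted path and emit one rule per syscall that
# opens a file. `-S open` on its own, as in the thread, misses openat(2),
# which modern glibc and editors actually use, so both are listed.
# Device numbers can change across reboots (different disk enumeration), so
# something like this belongs in the rule-loading step, not in a hard-coded
# audit.rules line. Requires GNU stat.
audit_rules_for_path() {
    arp_dev=$(stat -c %d "$1") || return 1
    arp_pair=$(dev_split "$arp_dev")
    arp_major=${arp_pair% *}
    arp_minor=${arp_pair#* }
    if [ "$arp_major" -eq 0 ]; then
        # Anonymous device (tmpfs, overlayfs, ...): the filter still matches,
        # but the minor is handed out at mount time and is not stable.
        echo "# warning: $1 is on an anonymous device, devminor=$arp_minor may change on remount" >&2
    fi
    for arp_sc in open openat creat; do
        audit_fs_rule "$arp_major" "$arp_minor" "$arp_sc"
    done
}

# Demonstration with the thread's own numbers: major 3, minor 8 is dev_t 776.
audit_fs_rule $(dev_split 776) open
# On a Linux host with GNU coreutils, also show the rules for the real /tmp.
if stat -c %d / >/dev/null 2>&1; then
    audit_rules_for_path /tmp
fi
```

Two things to check before relying on this on a current system. First, the limitation Steve describes is gone: `auditctl -w DIR` places a recursive watch on a directory tree, and `-F dir=PATH` in a syscall rule does the same, so the devmajor/devminor filter is now mainly useful when you really want whole-filesystem scope. Second, `-S open` alone catches very little today, because glibc implements open() on top of openat(2); the script lists both, and, as Steve does, confirm with ausearch that a test edit really produces a SYSCALL record before trusting the rule.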

