Audit rule questions

[Steve Grubb]

On Tuesday 02 January 2007 15:49, Fulda, Paul (Mission Systems) wrote:
> Is there a way to set a rule to watch particular files in a directory
> like /etc/*?  

You can probably use mount --bind option to get this with syscall auditing 
rules rather than watches. Then use devmajor/minor (-a always,exit -S open -F 
devmajor=0x1F -F devminor=3 ).

> Can you use wildcards in the rules?

No. This area is very tricky to do right from an implementation point of view. 
Some things to consider:

1) What should the behavior be when subtrees get moved? IOW, we 
watch /opt/tmp/test/* and /opt/tmp gets renamed to /opt/tmp2 ?

2) What should the behavior be when subtrees get moved into the watched 
subtree? IOW, we watch /opt/temp/test/* and someone does a mv /opt/temp/test2
/opt/temp/test/test2

3) Should it catch the access via hardlink from outside the watched tree?

4) What should the behavior be if there is a mount point in the watched tree?

5) What should happen when we do mount --move to or from that subtree?

6) What should happen when mount --move the parent of subtree itself?

7) What should happen if tree is mounted elsewhere? (e.g. in chroot jail)

8) What should the behavior be if the directory is polyinstantiated? IOW, we 
watch /tmp/*  and /tmp is polyinstantiated on a per user & per level basis.

> Also, is there a way to set a rule to grab just non-root user actions on
> a file?

In RHEL4 using: using watches - no, using syscall audit rules - yes.  
RHEL5/2.6.19 is more flexible and can let you get better control over what is 
audited with watches.

-Steve