Linux-audit Digest, Vol 28, Issue 1

Thomas, Daniel J. Daniel.Thomas at jhuapl.edu
Wed Jan 3 18:56:52 UTC 2007 

Steve,

In the response below you mention using mount --bind along with exit code logging to track a directory structure.  I'm not familiar with --bind option, but according to the man page, it looks like a way to mount a file system in a second place (similar to MS-DOS "subst" command).  While this is helpful for perhaps replacing a symlink with a "link" that can't be deleted, I don't understand how you would use this for auditing purposes.  Could you elaborate?

Thanks!

-Dan Thomas



Message: 3
Date: Tue, 2 Jan 2007 16:22:22 -0500
From: Steve Grubb <sgrubb at redhat.com>
Subject: Re: Audit rule questions
To: linux-audit at redhat.com
Cc: "Fulda, Paul \(Mission Systems\)" <Paul.Fulda at ngc.com>
Message-ID: <200701021622.22477.sgrubb at redhat.com>
Content-Type: text/plain;  charset="utf-8"

On Tuesday 02 January 2007 15:49, Fulda, Paul (Mission Systems) wrote:
> Is there a way to set a rule to watch particular files in a directory 
> like /etc/*? Â

You can probably use mount --bind option to get this with syscall auditing rules rather than watches. Then use devmajor/minor (-a always,exit -S open -F devmajor=0x1F -F devminor=3 ).

> Can you use wildcards in the rules?

No. This area is very tricky to do right from an implementation point of view. 
Some things to consider:

1) What should the behavior be when subtrees get moved? IOW, we watch /opt/tmp/test/* and /opt/tmp gets renamed to /opt/tmp2 ?

2) What should the behavior be when subtrees get moved into the watched subtree? IOW, we watch /opt/temp/test/* and someone does a mv /opt/temp/test2
/opt/temp/test/test2

3) Should it catch the access via hardlink from outside the watched tree?

4) What should the behavior be if there is a mount point in the watched tree?

5) What should happen when we do mount --move to or from that subtree?

6) What should happen when mount --move the parent of subtree itself?

7) What should happen if tree is mounted elsewhere? (e.g. in chroot jail)

8) What should the behavior be if the directory is polyinstantiated? IOW, we watch /tmp/*  and /tmp is polyinstantiated on a per user & per level basis.

> Also, is there a way to set a rule to grab just non-root user actions 
> on a file?

In RHEL4 using: using watches - no, using syscall audit rules - yes.  
RHEL5/2.6.19 is more flexible and can let you get better control over what is audited with watches.

-Steve

More information about the Linux-audit mailing list