NISPOM Auditing

Mathis, Jim jim.mathis at lmco.com
Thu May 22 20:28:41 UTC 2008


Hello,
 
I need to log file edit attempts when a user doesn't have permission to
edit a specific file. For example, a non-root user attempts to edit
"/var/log/audit/audit.log" which has a permission setting of 640.
Although the user won't be able to edit the file (permission denied) -
I'd still like to log the attempt. Here's a snippet of my audit.rules
file:
 
## unsuccessful creation

-a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13 -k creation

-a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13 -k creation

## unsuccessful open

-a exit,always -S open -F exit=-13 -k open

## unsuccessful close

-a exit,always -S close -F exit=-13 -k close

## unsuccessful modifications

-a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods

-a exit,always -S renameat -F exit=-13 -k mods

## unsuccessful deletion

-a exit,always -S rmdir -S unlink -F exit=-13 -k delete 

-a exit,always -S unlinkat -F exit=-13 -k delete

## unauthorized change directory (cd)

-a exit,always -S chdir -F path=/var/log/audit -k evil2-cd

## Watch Files

-w /var/log/audit/audit.log -p rwxa -k audit-log2

 

Thanks 

-Jim
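
Added example, not part of the original post: a small parser that groups raw audit.log records by event id and reports the events whose SYSCALL record carries exit=-13, which is what the rules above are meant to capture. The sample records are constructed for illustration, and the function name denied_attempts is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the post) in raw audit.log layout.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1211488121.104:812): arch=c000003e syscall=2 success=no exit=-13 a0=7fff5c1e a1=241 items=1 ppid=2301 pid=2417 auid=500 uid=500 gid=500 comm="vi" exe="/usr/bin/vim" key="open"
type=PATH msg=audit(1211488121.104:812): item=0 name="/var/log/audit/audit.log" inode=98312 mode=0100640 ouid=0 ogid=0
type=SYSCALL msg=audit(1211488130.551:813): arch=c000003e syscall=2 success=yes exit=3 a0=7fff5c20 a1=0 items=1 ppid=2301 pid=2420 auid=500 uid=0 gid=0 comm="cat" exe="/bin/cat" key="audit-log2"
type=PATH msg=audit(1211488130.551:813): item=0 name="/var/log/audit/audit.log" inode=98312 mode=0100640 ouid=0 ogid=0
type=SYSCALL msg=audit(1211488142.900:814): arch=c000003e syscall=87 success=no exit=-13 a0=7fff5c1e items=2 ppid=2301 pid=2433 auid=501 uid=501 gid=501 comm="rm" exe="/bin/rm" key="delete"
type=PATH msg=audit(1211488142.900:814): item=0 name="/var/log/audit/" inode=98300 mode=040750 ouid=0 ogid=0
type=PATH msg=audit(1211488142.900:814): item=1 name="/var/log/audit/audit.log" inode=98312 mode=0100640 ouid=0 ogid=0
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EACCES = "-13"  # the value the rules above match with -F exit=-13

def denied_attempts(log_text):
    """Return one dict per event whose SYSCALL record has exit=-13."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "SYSCALL":
            events[event_id]["syscall"] = fields
        elif rtype == "PATH":
            # Records of one event share the timestamp:serial id.
            events[event_id]["paths"].append(fields.get("name"))
    denied = []
    for event_id, ev in events.items():
        sc = ev["syscall"]
        if sc and sc.get("exit") == EACCES:
            denied.append({"id": event_id, "key": sc.get("key"),
                           "auid": sc.get("auid"), "comm": sc.get("comm"),
                           "paths": ev["paths"]})
    return denied

if __name__ == "__main__":
    for d in denied_attempts(SAMPLE_LOG):
        print(d["id"], d["key"], "auid=" + d["auid"], d["comm"], d["paths"])
```

The successful read by uid 0 (key audit-log2) is parsed but not reported, since only exit=-13 events count as denied attempts.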
