auditd on nonexistent files

Richard Guy Briggs rgb at redhat.com
Tue Sep 15 10:07:34 UTC 2015


On 15/09/15, Steve Grubb wrote:
> On Mon, 14 Sep 2015 16:01:17 +0000
> Davíð Steinn Geirsson <dsg at sensa.is> wrote:
> 
> > Hi all,
> > 
> > What is the best practice for using auditd for file integrity
> > monitoring?
> > 
> > From the documentation, I have this, which works fine:
> > -a always,exit -F dir=/bin -F perm=wa
> > 
> > However, it seems that if I have a rule on a nonexistent directory,
> > auditd will fail to add the rule (I assume because it's adding a watch
> > on an inode or something like that?), but it will also just stop
> > reading audit.rules and not add any subsequent rules.
> > 
> > This is bad in an environment where we have to have FIM for critical
> > application files, but where another team may be maintaining some of
> > the apps and therefore might remove some watched directories,
> > especially as their mishaps may impact auditing for other parts of
> > the system.
> > 
> > Can something be done to get better behaviour here?
> > 
> > I see two ways it could be better
> > 1) (the ideal case) auditd will add rules even for nonexistent
> > directories, and when they are created will add a watch for them. If a
> > directory is removed and another created with the same name, auditd
> > will add a watch on the new directory.
> 
> Which kernel are you using? I want to think this was fixed in kernels
> around 2.6.36 or later. This original problem was that the audit
> watches are based on inotify which needs an inode. If there's no inode,
> you can't place the watch.

A watch can be added for a file that does not exist while the containing
directory does, but a directory that does not exist (when the containing
directory does not exist) does not work.

> > 2) auditd still cannot add watches to nonexistent directories, but a
> > failed rule add from audit.rules will become a warning rather than an
> > error so subsequent watches still get added.
> 
> Check into adding -i or -c near the top of your rules.
> 
> -Steve
> 
> > I suspect 1) is not possible, but can I get auditd to behave like in
> > 2)?

1) is not currently implemented, but is worth discussing.

> > Davíð

- RGB

--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
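The failure mode discussed above (a watch on a missing path aborting the rest of audit.rules unless -c or -i is present) can be caught before auditd is ever restarted. The shell script below is an added example, not code from this thread, from Red Hat or from the audit project: a pre-flight check that reads a rules file, extracts the path from each watch rule (-w PATH, -F dir=PATH, -F path=PATH), reports paths that do not exist, distinguishes the case where the parent directory is also missing (which the reply above says cannot be watched) from the case where only the leaf is missing, and warns when no -c or -i line is present. All paths and rule lines in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the audit project): a pre-flight
# check that a rules file can be loaded without auditctl stopping early.
# For every watch rule ("-w PATH ..." or "-a ... -F dir=PATH" / "-F path=PATH")
# it reports paths that do not exist, and it points out when the parent
# directory is also missing, which is the case the thread says cannot be
# watched at all.  It also notes whether "-c" or "-i" appears as its own
# line, since without one of them auditctl stops at the first failing rule.
# stdout: the number of rules whose path is missing; exit status 0 if none.

check_audit_rules() {
    rules_file=$1
    missing=0
    continue_on_error=no

    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;                  # blank line or comment
            -c|-i)   continue_on_error=yes; continue ;;
        esac

        path=''
        case "$line" in
            -w\ *)       path=$(printf '%s\n' "$line" | sed -n 's/^-w[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p') ;;
            *-F\ dir=*)  path=$(printf '%s\n' "$line" | sed -n 's/.*-F[[:space:]]\{1,\}dir=\([^[:space:]]*\).*/\1/p') ;;
            *-F\ path=*) path=$(printf '%s\n' "$line" | sed -n 's/.*-F[[:space:]]\{1,\}path=\([^[:space:]]*\).*/\1/p') ;;
        esac
        [ -n "$path" ] || continue                # not a watch rule

        if [ ! -e "$path" ]; then
            missing=$((missing + 1))
            if [ -d "$(dirname "$path")" ]; then
                echo "WARNING: $path does not exist (parent directory present): $line" >&2
            else
                echo "ERROR: $path and its parent directory do not exist; this rule will fail: $line" >&2
            fi
        fi
    done < "$rules_file"

    if [ "$missing" -gt 0 ] && [ "$continue_on_error" = no ]; then
        echo "WARNING: no -c or -i line found; auditctl will stop at the first failing rule" >&2
    fi
    echo "$missing"
    [ "$missing" -eq 0 ]
}

# Demo on a constructed rules file in a scratch directory (paths are made up).
demo_dir=$(mktemp -d)
mkdir "$demo_dir/bin"
cat > "$demo_dir/audit.rules" <<EOF
# constructed sample, mirrors the rule quoted in the thread
-c
-a always,exit -F dir=$demo_dir/bin -F perm=wa
-w $demo_dir/app.conf -p wa -k fim
-a always,exit -F dir=$demo_dir/removed/app -F perm=wa
EOF
check_audit_rules "$demo_dir/audit.rules" || :
rm -rf "$demo_dir"
```

Run it against /etc/audit/audit.rules (or the rules.d fragments) from a deploy hook; a non-zero exit means a rule will not load as written. The count is conservative on purpose: a file watch whose parent directory exists is counted too, even though the reply above says such a watch can be added, because the rule will only become effective once the file appears and a reviewer should know that.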



