Auditing file access by application

John Petrini jpetrini at coredial.com
Mon Jun 12 14:20:15 UTC 2017


Hello,

We have a need to monitor voicemail directories for any sort of access.
Basically there is only one application that should be accessing the files.
If anything else accesses the files we need to log that.

We set up the following to accomplish this but it doesn't quite do what we
want.

-a always,exit -S all -F dir=/path/to/voicemail -F perm=rwxa -F auid!=voicemail_user -F key=voicemail_watch

voicemail_user is the user that initially starts the process. The problem
arises when someone logged in under a different account restarts the
process. From that point forward every time the application accesses that
directory it results in a log message.

We need other users to be able to log in and restart the process
so our method here really doesn't work. Is there a way to log only if a
different application accesses the directory rather than basing the audit on
user?

I was hoping to use something like -F exe!="/path/to/application" but it
looks like this is not supported.

Thank You,

___

John Petrini
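
Added example, not part of the original message: a post-processing filter that leaves the watch in place and decides on the exe= field of each SYSCALL record tagged voicemail_watch, so the application is not flagged regardless of which login (auid) restarted it. The log lines are constructed samples in raw audit.log format, and the function names are hypothetical; the key and the placeholder path come from the message.

```python
import re

# Values taken from the post; the path is the post's own placeholder.
WATCH_KEY = "voicemail_watch"
ALLOWED_EXE = "/path/to/application"

# Constructed sample records in raw audit.log format (not real log data).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1497277215.101:901): arch=c000003e syscall=2 success=yes exit=5 ppid=1 pid=2211 auid=1001 uid=0 comm="application" exe="/path/to/application" key="voicemail_watch"
type=PATH msg=audit(1497277215.101:901): item=0 name="/path/to/voicemail/msg0001.wav" inode=4242
type=SYSCALL msg=audit(1497277230.552:902): arch=c000003e syscall=2 success=yes exit=3 ppid=3120 pid=3177 auid=1002 uid=0 comm="cat" exe="/usr/bin/cat" key="voicemail_watch"
type=PATH msg=audit(1497277230.552:902): item=0 name="/path/to/voicemail/msg0001.wav" inode=4242
type=SYSCALL msg=audit(1497277300.007:903): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=880 auid=4294967295 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="other_key"
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Note: auditd hex-encodes exe/name values containing spaces; not decoded here.


def parse_events(text):
    """Group records by audit event serial; return {serial: {type: fields}}."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        events.setdefault(int(serial), {})[rtype] = fields
    return events


def unexpected_access(text, key=WATCH_KEY, allowed=ALLOWED_EXE):
    """Return (serial, exe, auid, path) for keyed events from any other executable."""
    hits = []
    for serial, recs in sorted(parse_events(text).items()):
        sc = recs.get("SYSCALL", {})
        if sc.get("key") != key or sc.get("exe") == allowed:
            continue
        path = recs.get("PATH", {}).get("name", "?")
        hits.append((serial, sc.get("exe", "?"), sc.get("auid", "?"), path))
    return hits


if __name__ == "__main__":
    for hit in unexpected_access(SAMPLE_LOG):
        print("unexpected access: serial=%d exe=%s auid=%s path=%s" % hit)
```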