Auditing file access by application

Richard Guy Briggs rgb at redhat.com
Mon Jun 12 15:05:04 UTC 2017


On 2017-06-12 10:20, John Petrini wrote:
> Hello,

Hi John,

> We have a need to monitor voicemail directories for any sort of access.
> Basically there is only one application that should be accessing the files.
> If anything else accesses the files we need to log that.
> 
> We set up the following to accomplish this, but it doesn't quite do what we
> want.
> 
> -a always,exit -S all -F dir=/path/to/voicemail -F perm=rwxa -F
> auid!=voicemail_user -F key=voicemail_watch
> 
> voicemail_user is the user that initially starts the process. The problem
> arises when someone logged in under a different account restarts the
> process. From that point forward every time the application accesses that
> directory it results in a log message.
> 
> We need other users to be able to log in and restart the process, so our
> method here really doesn't work. Is there a way to log only if a different
> application accesses the directory, rather than basing the audit on the
> user?
> 
> I was hoping to use something like -F exe!="/path/to/application", but it
> looks like this is not supported.

How about trying:

-a never,exit -S all -F exe="/path/to/application" -F dir=/path/to/voicemail -F perm=rwxa -F auid!=voicemail_user -F key=voicemail_watch
-a always,exit -S all -F dir=/path/to/voicemail -F perm=rwxa -F auid!=voicemail_user -F key=voicemail_watch

Meanwhile, I've filed an issue to add negation to "-F exe=".
	https://github.com/linux-audit/audit-kernel/issues/53

I hope this helps.

> John Petrini

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
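The never/always pair from the reply above, written out as a rules.d fragment with a check on rule order. This is an added example and not code from the thread or from the audit project; the spool directory, the application path and the rules file location are assumptions, and the `-F auid!=voicemail_user` filter has been dropped deliberately (see the note after the script).

```shell
#!/bin/sh
# Added example, not part of the original thread. It writes the never/always
# pair into a rules.d fragment, checks that the never rule is listed first,
# and loads it. VM_DIR, VM_APP and RULES_FILE are assumed values.

VM_DIR="${VM_DIR:-/var/spool/voicemail}"     # assumption: the voicemail spool
VM_APP="${VM_APP:-/usr/sbin/voicemaild}"     # assumption: the one legitimate binary
RULES_FILE="${RULES_FILE:-/etc/audit/rules.d/voicemail.rules}"

# Emit the rule set. Order matters: the kernel walks the exit filter list and
# acts on the first rule that matches, so the never rule for the application
# has to precede the always rule or it is never reached.
gen_rules() {
    cat <<EOF
## Do not log the voicemail application itself, whoever restarted it
-a never,exit -S all -F exe=$VM_APP -F dir=$VM_DIR -F perm=rwxa -F key=voicemail_watch
## Log any other process that reads, writes, executes or changes attributes
-a always,exit -S all -F dir=$VM_DIR -F perm=rwxa -F key=voicemail_watch
EOF
}

# Return 0 if every never rule carrying the key is listed before the first
# always rule carrying the key, 1 otherwise (the mistake that makes the
# suppression silently ineffective).
check_rule_order() {
    file="$1"
    first_always=$(grep -n -- '^-a always,exit .*key=voicemail_watch' "$file" | head -n 1 | cut -d: -f1)
    last_never=$(grep -n -- '^-a never,exit .*key=voicemail_watch' "$file" | tail -n 1 | cut -d: -f1)
    [ -n "$first_always" ] && [ -n "$last_never" ] && [ "$last_never" -lt "$first_always" ]
}

# Install and load only when asked explicitly; everything else is side-effect free.
if [ "$1" = "install" ]; then
    tmp=$(mktemp)
    gen_rules > "$tmp"
    check_rule_order "$tmp" || { echo "never rule must come before always rule" >&2; exit 1; }
    install -m 0640 "$tmp" "$RULES_FILE" && rm -f "$tmp"
    augenrules --load                       # merge rules.d and load into the kernel
    auditctl -l | grep voicemail_watch      # both rules listed, never first
fi
```

Run as `sh voicemail-audit.sh install` on the target host, then exercise the directory with something other than the application and look for the events with `ausearch -k voicemail_watch`. The `-F exe=` field needs a kernel that supports filtering by executable (it was added in 4.3). The auid filter is left out on purpose: with the application excluded by path, an auid test only creates gaps (the voicemail user reading a mailbox with `cat` would go unlogged, and a daemon started at boot by init has an unset auid of 4294967295, which an `auid!=voicemail_user` rule treats as "someone else"). Put it back on the always rule if logging the voicemail user's own interactive access is not wanted.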



