Not seeing access denied audit messages in restricted subdirectories
John T Olson
jtolson at us.ibm.com
Fri Nov 8 20:39:58 UTC 2019
Greetings,
I have the following 2 audit rules set up:
-a always,exit -F arch=b64 -S all -F exit=-EACCES -F dir=/gpfs/fs1
-a always,exit -F arch=b64 -S all -F exit=-EPERM -F dir=/gpfs/fs1
I have a directory structure like the following:
(13:15:26) zippleback-vm1:~ # ls -la /gpfs/fs1/test/
total 257
drwx------. 3 root root 4096 Nov 7 12:46 .
drwxr-xr-x. 15 root root 262144 Nov 7 12:50 ..
drwx------. 2 root root 4096 Nov 7 12:46 test2
Essentially, directory "/gpfs/fs1/test/" is owned by root and has
permissions 700. The subdirectory underneath it (with
path /gpfs/fs1/test/test2) is also owned by root and has permissions 700.
When I have a non-root user attempt to list the contents of directory
"/gpfs/fs1/test/" I receive an audit message for the denied access.
However, when the non-root user attempts to list the contents of the
subdirectory (/gpfs/fs1/test/test2), there is no audit message generated.
Does anyone know why this is and how I get audit messages in both cases?
Thanks,
John
John T. Olson, Ph.D., MI.C., K.EY.
Master Inventor, Software Defined Storage
957/9032-1 Tucson, AZ, 85744
(520) 799-5185, tie 321-5185 (FAX: 520-799-4237)
Email: jtolson at us.ibm.com
Follow me on twitter: @John_T_Olson
"Do or do not. There is no try." - Yoda
Olson's Razor:
Any situation that we, as humans, can encounter in life
can be modeled by either an episode of The Simpsons
or Seinfeld.