Comprehensive Documentation on the Linux Audit Framework

Steve Grubb sgrubb at redhat.com
Tue Jun 6 19:08:47 UTC 2023


On Tuesday, June 6, 2023 6:31:55 PM EDT Vincent Abraham wrote:
> Thanks. Could you also point to portions in the codebase where these
> functions are called for monitoring file access?

I'll let Richard or Paul point to the place in the kernel if that's 
necessary. I think there's a fundamental mismatch and it might not matter.

> The reason I'm asking for this is that I'm trying to provide auditing for
> files of a specific type and I'm trying to understand how would that work.

The way the audit system works is there is a rule engine in the kernel. User 
space loads the rules and listens for events. The kernel does all the 
work. This rule matching can be done by a limited set of attributes which for 
a file would be path, kind of access, who is accessing it, program accessing 
it, portions of SELinux labeling, and a few other things.

You cannot match by type or anything that looks like a glob. You can arrange 
them in a directory and watch the whole directory. You can create a script 
that looks for files of a certain type and load rules specifically for them 
into the kernel (with a specific key so you can find them later). Or you can 
plug into auditd as a plugin and filter the events and write them to your own 
log.

There might be some other approaches such as using fanotify and filtering 
those events yourself.

-Steve
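The "script that looks for files of a certain type and loads rules for them with a specific key" approach described above, as an added example that is not part of the post or of the audit project: a POSIX shell function that selects files by name pattern under a directory and emits one watch rule per file in audit.rules syntax. The directory, pattern and key names are assumptions; loading the rules with auditctl needs root and is shown only in comments.

```shell
#!/bin/sh
# Added example (not from the mailing list post): build audit watch rules for
# files selected by a name pattern, tagged with a key so the resulting events
# can be found later with `ausearch -k KEY`.
# Assumption: the lines use the audit.rules syntax accepted by `auditctl -R FILE`.

# gen_rules DIR PATTERN KEY
#   Prints one "-w PATH -p rwa -k KEY" line per regular file under DIR whose
#   name matches the shell glob PATTERN (read, write and attribute-change
#   access to each file will be audited). Rule lines are split on whitespace,
#   so paths containing whitespace are reported on stderr and skipped.
gen_rules() {
    dir=$1
    pattern=$2
    key=$3
    find "$dir" -type f -name "$pattern" | LC_ALL=C sort | while IFS= read -r path; do
        case $path in
            *[[:space:]]*) printf 'skipped (whitespace in path): %s\n' "$path" >&2 ;;
            *) printf '%s %s -p rwa -k %s\n' "-w" "$path" "$key" ;;
        esac
    done
}

# rule_count DIR PATTERN KEY
#   Number of rules gen_rules would emit (skipped paths are not counted).
rule_count() {
    gen_rules "$1" "$2" "$3" 2>/dev/null | wc -l | tr -d ' '
}

# Typical use (requires root; hypothetical paths, not run here):
#   gen_rules /etc/myapp '*.conf' myapp-conf > /tmp/myapp.rules
#   auditctl -R /tmp/myapp.rules      # load the watches into the kernel
#   ausearch -k myapp-conf            # later: find events for these files
```

Because each rule watches a path that existed when the script ran, files created after loading are not covered until the script is re-run; watching the whole directory is the alternative the post mentions for that case.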