Auditing file access below a directory
Steve G
linux_4ever at yahoo.com
Thu Nov 17 00:20:51 UTC 2005
>I've been looking at auditd/auditctl and it seems like only individual
>files or directories can be watched, but not directory trees.
This is correct. The patches that do file system auditing were rejected and we
were asked to try to combine the hooks with inotify. That was done. I did bring
this up with the audit working group that we should look into this capability
since it seems useful. So, to sum it up...it would need kernel work and that will
take a while.
There is a workaround that may help. If your samba share is on its own partition,
then you can use the devmajor & minor fields in creating an audit rule. For
example, suppose I wanted to do this for /tmp:
[root at endeavor ~]# mount | grep tmp
none on /dev/shm type tmpfs (rw)
/dev/hda8 on /tmp type ext3 (rw)
[root at endeavor ~]# stat /dev/hda8 | grep type
Device: dh/13d Inode: 919 Links: 1 Device type: 3,8
So the rule would be:
auditctl -a exit,always -S open -F devmajor=3 -F devminor=8
To test:
vi /tmp/gconfd-sgrubb/
ausearch -f gconfd-sgrubb
time->Wed Nov 16 19:17:28 2005
type=PATH msg=audit(1132186648.942:633): name="/tmp/gconfd-sgrubb/" flags=103
inode=16419 dev=03:08 mode=040700 ouid=4325 ogid=4325 rdev=00:00
type=CWD msg=audit(1132186648.942:633): cwd="/root"
type=SYSCALL msg=audit(1132186648.942:633): arch=40000003 syscall=5 success=yes
exit=3 a0=92152b0 a1=18800 a2=3 a3=18800 items=1 pid=2937 auid=4325 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="vim" exe="/usr/bin/vim"
So this works. Hope this helps...
-Steve
__________________________________
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com
More information about the selinux
mailing list