Skaggs, Nicholas C
2018-06-25 20:59:59 UTC
Hello
I noticed in the man page for auditctl, an example of how to monitor if admins are accessing other user's files. I created a rule like the one in the example. This is great that it is pulling the action and user calling the action!
The rule
-a always,exit -S all -F dir=/home/username/ -F uid=0 -C auid!=obj_uid
I will pull a report on the findings with
aureport -f -i | grep /home/username/
The report is heavier than anticipated so I tried to make an adjustment to only capture what happens in the directory
-a always,exit -S all -F path=/home/username/ -F uid=0 -C auid!=obj_uid
... but that is returning with Error sending add rule data request (Invalid argument)
I then tried the below rule; it does not return an error upon add, but when I do an auditctl -l there are no rules listed
-a always,exit -S all -F path=/home/username/ -p=rwxa -F uid=0 -C auid!=obj_uid
Is there a preferred way to set the rule, maybe on the inode of the directory, but does not lose the ability to see if an admin is doing it and what action? I have been adding these on the fly, instead of adding to the /etc/audit/audit.rules file, for now.
Thanks!
Nick Skaggs
I noticed in the man page for auditctl, an example of how to monitor if admins are accessing other user's files. I created a rule like the one in the example. This is great that it is pulling the action and user calling the action!
The rule
-a always,exit -S all -F dir=/home/username/ -F uid=0 -C auid!=obj_uid
I will pull a report on the findings with
aureport -f -i | grep /home/username/
The report is heavier than anticipated so I tried to make an adjustment to only capture what happens in the directory
-a always,exit -S all -F path=/home/username/ -F uid=0 -C auid!=obj_uid
... but that is returning with Error sending add rule data request (Invalid argument)
I then tried the below rule; it does not return an error upon add, but when I do an auditctl -l there are no rules listed
-a always,exit -S all -F path=/home/username/ -p=rwxa -F uid=0 -C auid!=obj_uid
Is there a preferred way to set the rule, maybe on the inode of the directory, but does not lose the ability to see if an admin is doing it and what action? I have been adding these on the fly, instead of adding to the /etc/audit/audit.rules file, for now.
Thanks!
Nick Skaggs