Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Is there a log file or a way to create a log file to audit permission errors? For example, when a non-privileged user tries to view the /etc/shadow file a permission denied error will be returned. I am looking for a file that contains the audit for the error or a way to audit the error. The system is currently running RedHat Enterprise Linux 5 with SELinux.
Am I right in assuming this will only work for the /etc/shadow file? If that is the case then I would have to create an entry for every file I want to watch? Not sure how well that will work given that I would like to watch every file a user does not have permission to access and audit every attempt. I figured there is a way to do it with auditctl. I may just have to do a little more research. Thanks for the suggestion.
If that is the case then I would have to create an entry for every file I want to watch? Not sure how well that will work given that I would like to watch every file a user does not have permission to access and audit every attempt.
Maybe explain in detail the compelling reasons for watching what a user doesn't even have DAC rights for?
The system stores secure data and users are allowed to only do certain things. If one of the users attempts to access an object they are not allowed to, the system needs to audit this. Basically it is a way to check that users are doing things they are allowed to and not doing anything mischievous. If a user does access something they are not allowed to, there needs to be something in place to determine who and what they did.
Because you have to 'auditctl -w' for each and every file you want to watch this doesn't scale well beyond n users. Maybe it would be easier in the end to have SELinux trigger those messages by only allowing those users in under another SELinux context than the default "user_u:system_r:unconfined_t"? See Dan Walsh web log, the xguest and the cashiers examples.
BTW, does your audit trail include the full command history (and output) of whatever users execute on your system? And does it include accounting on the systems they use to log into this machine? If you don't, then how can you be sure you're following the "right" user and not somebody else (temporarily) sharing an account to perform a task? Just curious...
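As an added example (not code from any poster in this thread): a small Python script that reads the records auditd writes for an `auditctl -w /etc/shadow -p rwa -k shadow-watch` style watch, joins the SYSCALL and PATH records of each event by serial, and lists only the attempts that failed with EACCES, reporting the login UID (auid) next to the effective uid so a denied attempt can be tied to the account that actually logged in. The log lines, the key name "shadow-watch" and the UIDs are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample records in the format auditd writes to /var/log/audit/audit.log
# (not a capture from the poster's system); key assumed from: auditctl -w /etc/shadow -p rwa -k shadow-watch
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1300000000.101:100): arch=40000003 syscall=5 success=no exit=-13 a0=bfa1 a1=8000 a2=0 a3=0 items=1 ppid=2001 pid=2042 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=3 comm="cat" exe="/bin/cat" subj=user_u:system_r:unconfined_t:s0 key="shadow-watch"
type=CWD msg=audit(1300000000.101:100):  cwd="/home/alice"
type=PATH msg=audit(1300000000.101:100): item=0 name="/etc/shadow" inode=1040 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0
type=SYSCALL msg=audit(1300000000.202:101): arch=40000003 syscall=5 success=yes exit=3 a0=bfb2 a1=8000 a2=0 a3=0 items=1 ppid=1900 pid=1950 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="vipw" exe="/usr/sbin/vipw" subj=user_u:system_r:unconfined_t:s0 key="shadow-watch"
type=PATH msg=audit(1300000000.202:101): item=0 name="/etc/shadow" inode=1040 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0
"""

EACCES = -13  # exit= carries -errno on failure; errno 13 is EACCES ("Permission denied")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')

def parse_record(line):
    """Return (event serial, {field: value}) for one audit record, or None."""
    m = SERIAL_RE.search(line)
    if not m:
        return None
    return m.group(1), {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def denied_accesses(log_text):
    """Join SYSCALL and PATH records by serial; return only the EACCES failures."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue
        serial, f = parsed
        if f.get("type") == "SYSCALL":
            events[serial]["syscall"] = f
        elif f.get("type") == "PATH":
            events[serial]["paths"].append(f.get("name"))
    denied = []
    for serial in sorted(events, key=int):
        sc, paths = events[serial]["syscall"], events[serial]["paths"]
        if sc is None or sc.get("success") != "no" or int(sc.get("exit", 0)) != EACCES:
            continue
        # auid is the login UID set by pam_loginuid; unlike uid it survives su/sudo, so it names who logged in
        denied.append({"serial": serial, "login_uid": sc.get("auid"), "uid": sc.get("uid"),
                       "comm": sc.get("comm"), "exe": sc.get("exe"),
                       "paths": paths, "key": sc.get("key")})
    return denied

if __name__ == "__main__":
    for d in denied_accesses(SAMPLE_AUDIT_LOG):
        print("denied: auid=%(login_uid)s uid=%(uid)s %(exe)s -> %(paths)s (key=%(key)s)" % d)
```

On a real system the same function can be fed the output of `ausearch -k shadow-watch --raw`, since that is the same record format.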