Old 06-13-2008, 02:19 PM   #1
jaco0667
LQ Newbie
 
Registered: Jul 2005
Distribution: Debian, Kubuntu, CentOS, RHEL
Posts: 3

Rep: Reputation: 0
Audit permission denied errors


Is there a log file or a way to create a log file to audit permission errors? For example, when a non-privileged user tries to view the /etc/shadow file a permission denied error will be returned. I am looking for a file that contains the audit for the error or a way to audit the error. The system is currently running Red Hat Enterprise Linux 5 with SELinux.
 
Old 06-13-2008, 03:01 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,987
Blog Entries: 54

Rep: Reputation: 2742
Easiest is to install the Audit package, then 'grep shadow /usr/share/doc/audit-*/capp.rules' for rules you can add with 'auditctl' or manually to /etc/audit/audit.rules.
 
Old 06-16-2008, 10:15 AM   #3
jaco0667
LQ Newbie
 
Registered: Jul 2005
Distribution: Debian, Kubuntu, CentOS, RHEL
Posts: 3

Original Poster
Rep: Reputation: 0
Am I right in assuming this will only work for the /etc/shadow file? If that is the case then I would have to create an entry for every file I want to watch? Not sure how well that will work given that I would like to watch every file a user does not have permission to access and audit every attempt. I figured there is a way to do it with auditctl. I may just have to do a little more research. Thanks for the suggestion.
 
Old 06-16-2008, 02:15 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,987
Blog Entries: 54

Rep: Reputation: 2742
Quote:
Originally Posted by jaco0667
If that is the case then I would have to create an entry for every file I want to watch? Not sure how well that will work given that I would like to watch every file a user does not have permission to access and audit every attempt.
Maybe explain in detail the compelling reasons for watching what a user doesn't even have DAC rights for?
 
Old 06-16-2008, 02:51 PM   #5
jaco0667
LQ Newbie
 
Registered: Jul 2005
Distribution: Debian, Kubuntu, CentOS, RHEL
Posts: 3

Original Poster
Rep: Reputation: 0
The system stores secure data and users are allowed to do only certain things. If one of the users attempts to access an object they are not allowed to, the system needs to audit this. Basically it is a way to check that users are doing things they are allowed to and not doing anything mischievous. If a user does access something they are not allowed to, there needs to be something in place to determine who and what they did.
 
Old 06-17-2008, 04:27 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,987
Blog Entries: 54

Rep: Reputation: 2742
Because you have to 'auditctl -w' for each and every file you want to watch, this doesn't scale well beyond n users. Maybe it would be easier in the end to have SELinux trigger those messages by only allowing those users in under another SELinux context than the default "user_u:system_r:unconfined_t"? See Dan Walsh's web log, the xguest and the cashiers examples.

BTW, does your audit trail include the full command history (and output) of whatever users execute on your system? And does it include accounting on the systems they use to log into this machine? If you don't, then how can you be sure you're following the "right" user and not somebody else (temporarily) sharing an account to perform a task? Just curious...
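
Reporting on the denials the original poster asks about, as an added example that is not part of the original thread or any poster's code: the script groups SYSCALL and PATH records from audit.log by event and lists who was refused which file. It assumes a syscall rule on failed `open` calls (shown in the comments; the key name `denied` is hypothetical) and runs on constructed log records.

```python
import errno
import re
from collections import defaultdict

# Constructed sample records in audit.log format (not taken from the thread).
# Assumed rule: auditctl -a exit,always -S open -F success=0 -k denied
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1213384741.123:4521): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=3012 auid=501 uid=501 comm="cat" exe="/bin/cat" key="denied"
type=CWD msg=audit(1213384741.123:4521):  cwd="/home/alice"
type=PATH msg=audit(1213384741.123:4521): item=0 name="/etc/shadow" inode=1181 mode=0100400 ouid=0 ogid=0
type=SYSCALL msg=audit(1213384802.456:4530): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=3020 auid=501 uid=501 comm="cat" exe="/bin/cat" key=(null)
type=PATH msg=audit(1213384802.456:4530): item=0 name="/etc/hosts" inode=2044 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1213384955.789:4544): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=3101 auid=502 uid=503 comm="less" exe="/usr/bin/less" key="denied"
type=PATH msg=audit(1213384955.789:4544): item=0 name=2F7372762F7061792064617461 inode=9001 mode=0100600 ouid=0 ogid=0
"""
EVENT_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+:\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED = {-errno.EACCES, -errno.EPERM}

def decode(value):
    """Quoted values are literal; unquoted ones are hex-encoded by auditd."""
    if value.startswith('"'):
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value  # not hex, e.g. (null)

def denied_accesses(log_text):
    """Return [(event_id, auid, uid, exe, [paths], errno_name)] for refused calls."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = dict(FIELD_RE.findall(body))
        if rtype == "SYSCALL":
            events[event_id]["syscall"] = fields
        elif rtype == "PATH" and "name" in fields:
            events[event_id]["paths"].append(decode(fields["name"]))
    report = []
    for event_id, ev in events.items():
        sc = ev["syscall"]
        if sc and sc.get("success") == "no" and int(sc.get("exit", 0)) in DENIED:
            report.append((event_id, sc["auid"], sc["uid"], decode(sc["exe"]),
                           ev["paths"], errno.errorcode[-int(sc["exit"])]))
    return report
```

The `auid` column is the login UID, which stays the same after `su`, so the second denied event is attributed to login 502 even though it ran as uid 503.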
 
  


All times are GMT -5.