LinuxQuestions.org
Old 03-28-2012, 06:30 AM   #1
bradvan
auditctl -F dir= is there a way to say watch all directories except this one?


Good Morning,

I want to make my audit system calls specific to the filesystem. I have a specific directory that I know I don't want to watch. Does anyone know if there is a "not" syntax to the -F dir= directive? If not, can I specify multiple -F dir= on a given rule so that I can add all of the directories I want to watch?

Thanks!
 
Old 03-29-2012, 03:54 PM   #2
unSpawn
Quote (Originally Posted by bradvan):
Does anyone know if there is a "not" syntax to the -F dir= directive?
See 'man auditctl': -F [n=v | n!=v | .


Quote (Originally Posted by bradvan):
can I specify multiple -F dir= on a given rule
Yes you can but you can't set a watch on inode 2 aka "/" and the directory can't be a subdirectory of one that's already watched.
 
Old 03-30-2012, 04:32 AM   #3
bradvan
I saw that in the man page as well. So, we went on one of the development servers and tried adding "-F dir!=/mine" and restarted auditd. It complained that there was an error in that line. It seems the man page isn't quite accurate.

I also tried adding "-F dir=/boot -F dir=/etc -F dir=/var" and it complained again. Apparently you can only have one? Thanks for the suggestions, though!
 
Old 03-30-2012, 10:23 AM   #4
unSpawn
Quote (Originally Posted by bradvan):
we went on one of the development servers
Good. Better than trying out stuff on production servers.


Quote (Originally Posted by bradvan):
and tried adding "-F dir!=/mine" and restarted auditd. It complained that there was an error in that line. It seems the man page isn't quite accurate.
First of all, you don't need to restart the audit service: use 'auditctl' to list, delete, edit or add rules. Second, I don't know what distribution you use and what the exact rule was you tried to load.


Quote (Originally Posted by bradvan):
I also tried adding "-F dir=/boot -F dir=/etc -F dir=/var" and it complained again. Apparently you can only have one?
No, you definitely can have multiple. The thing is, you have to understand my ESP is at an all-time low, so again I don't know which rule you tried to load.
 
Old 03-31-2012, 09:45 AM   #5
bradvan
Crap, you forgot to turn on ESP.

Here is a copy of my audit rules. I believe the vast majority of the audit records are coming from the last six system calls. I'd like to tell the auditd daemon not to run these on the directory /mydir. All of the project software runs under there. I just want the audit daemon to watch the system directories.

Code:
-D
-e 1
-b 16394
-f 1
-a exit,never -F auid>2147483645
-a exit,always -F arch=b32 -S adjtimex -S clock_settime -S settimeofday -k time-change
-a exit,always -F arch=b64 -S adjtimex -S clock_settime -S settimeofday -k time-change
-w /etc/localtime -p wa -k time-change

-a exit,always -F arch=b64 -S sethostname -k system-locale
-w /etc/issue                   -p wa -k system-locale
-w /etc/issue.net              -p wa -k system-locale
-w /etc/hosts                   -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale

-w /etc/passwd -p wa -k passwd-file
-w /etc/shadow -p wa -k passwd-file

-w /etc/audit/auditd.conf -p wa -k audit-file
-w /etc/audit/audit.rules  -p wa -k audit-file

-w /etc/ntp.conf   -p wa -k etc-file
-w /etc/exports    -p wa -k etc-file
-w /etc/hosts.allow -p wa -k etc-file
-w /etc/hosts.deny  -p wa -k etc-file
-w /etc/at.allow      -p wa -k etc-file
-w /etc/at.deny      -p wa -k etc-file
-w /etc/group        -p wa -k etc-file
-w /etc/security/opasswd -p wa -k etc-file
-w /etc/login.defs   -p wa -k etc-file
-w /etc/security     -p wa -k etc-file
-w /etc/shells        -p wa -k etc-file
-w /etc/profile       -p wa -k etc-file
-w /etc/bashrc      -p wa -k etc-file
-w /etc/csh.cshrc   -p wa -k etc-file
-w /etc/csh.login    -p wa -k etc-file
-w /etc/sysconfig   -p wa -k etc-file
-w /etc/inittab       -p wa -k etc-file
-w /etc/rc.d/init.d  -p wa -k etc-file
-w /etc/rc.d/init.d/auditd -p wa -k etc-file
-w /etc/rc.local      -p wa -k etc-file
-w /etc/rc.sysinit    -p wa -k etc-file
-w /etc/xinetd.conf  -p wa -k etc-file
-w /etc/xinetd.d     -p wa -k etc-file
-w /etc/ld.so.conf  -p wa -k etc-file
-w /etc/ld.so.conf.d -p wa -k etc-file
-w /etc/system.conf -p wa -k etc-file
-w /etc/modprobe.conf -p wa -k etc-file
-w /etc/pam.d             -p wa -k etc-file
-w /etc/ssh/sshd_config -p wa -k etc-file
-w /etc/rsyslog.conf      -p wa -k etc-file
-w /etc/snmpd.conf      -p wa -k etc-file
-w /etc/resolv.conf       -p wa -k etc-file
-w /etc/nsswitch.conf   -p wa -k etc-file
-w /etc/host.conf         -p wa -k etc-file
-w /etc/krb5.conf         -p wa -k etc-file
-w /etc/default            -p wa -k etc-file
-w /etc/fstab               -p wa -k etc-file
-w /etc/auto.master     -p wa -k etc-file
-w /etc/auto.misc        -p wa -k etc-file
-w /etc/auto.net          -p wa -k etc-file
-w /etc/auto.smb        -p wa -k etc-file
-w /etc/securetty        -p wa -k etc-file

-w /etc/aliases           -p wa -k mail-file
-w /etc/mail/access    -p wa -k mail-file
-w /etc/mail/access.db -p wa -k mail-file
-w /etc/mail/domaintable -p wa -k mail-file
-w /etc/mail/domaintable.db -p wa -k mail-file
-w /etc/mail/helpfile            -p wa -k mail-file
-w /etc/mail/local-host-names -p wa -k mail-file
-w /etc/mail/mailertable         -p wa -k mail-file
-w /etc/mail/mailertable.db   -p wa -k mail-file
-w /etc/mail/Makefile           -p wa -k mail-file
-w /etc/mail/sendmail.cf      -p wa -k mail-file
-w /etc/mail/sendmail.mc    -p wa -k mail-file
-w /etc/mail/submit.cf         -p wa -k mail-file
-w /etc/mail/submit.mc        -p wa -k mail-file
-w /etc/mail/trusted-users   -p wa -k mail-file
-w /etc/mail/virtusertable   -p wa -k mail-file
-w /etc/mail/virtusertable.db -p wa -k mail-file

-w /etc/cron.allow      -p wa -k cron-file
-w /etc/cron.deny       -p wa -k cron-file
-w /etc/cron.d            -p wa -k cron-file
-w /etc/cron.daily       -p wa -k cron-file
-w /etc/cron.hourly     -p wa -k cron-file
-w /etc/cron.monthly  -p wa -k cron-file
-w /etc/cron.weekly   -p wa -k cron-file
-w /etc/crontab         -p wa -k cron-file
-w /etc/anacrontab    -p wa -k cron-file

-w /var/spool/at  -p wa -k var-file
-w /var/log/lastlog -p wa -k var-file

-w /etc/sudoers -p wa -k sudo-file

-a exit,always -F arch=b32 -S write -S capset -S chroot -S creat -S execve -S link -S mkdir -S mknod -S pivot_root -S quotactl -S reboot -S rmdir -S setdomainname -S sethostname -S setsid -S settimeofday -S setuid -S stty -S symlink -F auid!=0 -F uid=0 -k su-root
-a exit,always -F arch=b32 -S chown -S chown32 -S fchown -S fchown32 -S lchown -S lchown32 -S chmod -S fchmod -k su-root
-a exit,always -F arch=b64 -S write -S capset -S chroot -S creat -S execve -S link -S mkdir -S mknod -S pivot_root -S quotactl -S reboot -S rmdir -S setdomainname -S sethostname -S setsid -S settimeofday -S setuid -S symlink -F auid!=0 -F uid=0 -k su-root
-a exit,always -F arch=b64 -S chown -S fchown -S lchown -S chmod -S fchmod -k su-root

-a exit,always -F arch=b32 -S chmod -S fchmod -S chown -S fchown -S lchown -S creat -S truncate
-a exit,always -F arch=b64 -S chmod -S fchmod -S chown -S fchown -S lchown -S creat -S truncate
-a exit,always -F arch=b32 -S ftruncate -S unlink -S rename -S link -S symlink -S mknod -S mount
-a exit,always -F arch=b64 -S ftruncate -S unlink -S rename -S link -S symlink -S mknod -S mount
-a exit,always -F arch=b32 -S umount -S umount2 -S clone -S umask
-a exit,always -F arch=b64 -S umount2 -S clone -S umask
I tried adding "-F dir!=/mydir" and it did not like that syntax. Is the -F dir directive acting on a per-mounted-filesystem basis or just on a directory? That may be my problem with my second try. I tried listing all of the top-level directories, each with its own -F dir=. If it is a filesystem directive, then I only have / and /mydir. So, "-F dir=/" should be sufficient. I'll have to give this a try when I get back to work on Monday.

Thanks!
 
Old 04-01-2012, 05:15 AM   #6
unSpawn
Quote (Originally Posted by bradvan):
I tried adding "-F dir!=/mydir" and it did not like that syntax. Is the -F dir directive acting on a per-mounted-filesystem basis or just on a directory? That may be my problem with my second try. I tried listing all of the top-level directories, each with its own -F dir=. If it is a filesystem directive, then I only have / and /mydir. So, "-F dir=/" should be sufficient.
I don't actually know if "-F dir" is FS-based, but if you only have / and /mydir then you've got a problem, as you are not allowed to insert a watch at the top level anyway. Could you run this as a test?
Code:
ALLDIRS=$(find / -maxdepth 1 -type d|egrep -v "(/|/lost.*|/selinux|/proc|/sys)$"|awk '{print "-F dir="$1}'|xargs)
auditctl -a always,exit -S chmod -S fchmod -S chown -S chown32 $ALLDIRS -k TEST
 
Old 04-02-2012, 05:17 AM   #7
bradvan
Well, I did try that last week, but tried it again this morning. I modified a little as follows:

Code:
ALLDIRS=$(find / -maxdepth 1 -type d|egrep -v "(/|/lost.*|/selinux|/proc|/sys|/mydir|/tmp|/mnt|/media|/dev|/srv|/cgroup)$"|awk '{print "-F dir="$1}'|xargs)
auditctl -a always,exit -F arch=b64 -S chmod -S fchmod -S chown -S chown32 $ALLDIRS -k TEST
It complained about 32/64 bit mismatch if I didn't add the arch= portion. It still errored with Invalid argument. Same thing I got last week when I tried adding multiple directories. Running the find on this system produced:
Code:
-F dir=/etc -F dir=/var -F dir=/lib -F dir=/sbin -F dir=/lib64 -F dir=/usr -F dir=/boot -F dir=/opt -F dir=/bin -F dir=/root
I think that even though the man page states you may have up to 64 "-F" fields passed, it's not necessarily true for all options. Likewise, even though the man page states n!=v as a valid option, it doesn't seem to work with dir. I tried it with "-F dir!=/mydir" and it gives invalid argument. I guess there just isn't a way to watch (or not watch) a specific file system with the current audit daemon. Thanks so much for your suggestions.
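An added example, not from any post in this thread: the practical way around what bradvan observed (auditctl accepts only one -F dir= per rule and rejects dir!=) is to skip the excluded directory and load one rule per remaining top-level directory. It assumes POSIX sh on an x86_64 host (arch=b64), the thread's illustrative syscall list and key TEST; the exclude list and the RULES_OUT variable are my own.

```shell
#!/bin/sh
# Added example (not from the thread): one audit rule per top-level directory,
# so an excluded directory such as /mydir simply gets no rule at all.
# Assumptions: POSIX sh, x86_64 (arch=b64), illustrative syscall list, key TEST.

SYSCALLS="-S chmod -S fchmod -S chown -S fchown -S lchown"   # illustrative
KEY="TEST"

# gen_rules EXCLUDE_ERE DIR...
# Print one '-a always,exit ... -F dir=DIR -k KEY' line per DIR that does not
# match EXCLUDE_ERE. "/" itself is always skipped: a recursive watch on the
# root directory is not accepted, so each directory below it gets its own rule.
gen_rules() {
    exclude="$1"; shift
    for d in "$@"; do
        [ "$d" = "/" ] && continue
        printf '%s\n' "$d" | grep -Eq "$exclude" && continue
        printf '%s\n' "-a always,exit -F arch=b64 $SYSCALLS -F dir=$d -k $KEY"
    done
}

# count_rules EXCLUDE_ERE DIR...  -> number of rule lines gen_rules emits
count_rules() { gen_rules "$@" | wc -l | tr -d ' '; }

# With RULES_OUT set, build the file from the live top-level directory list
# (the same find used in the thread) for loading with 'auditctl -R "$RULES_OUT"'.
if [ -n "${RULES_OUT:-}" ]; then
    # Constructed exclude list: pseudo filesystems plus the project tree /mydir.
    EXCL='^(/lost\+found|/selinux|/proc|/sys|/dev|/tmp|/mnt|/media|/mydir)$'
    gen_rules "$EXCL" $(find / -maxdepth 1 -type d) > "$RULES_OUT"
    echo "wrote $(wc -l < "$RULES_OUT") rules to $RULES_OUT"
fi
```

Run it as RULES_OUT=/path/to/test.rules sh script.sh, inspect the file, then load it with auditctl -R rather than restarting auditd.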
 
  

