auditctl -F dir= is there a way to say watch all directories except this one?
Good Morning,
I want to make my audit system calls specific to the filesystem. I have a specific directory that I know I don't want to watch. Does anyone know if there is a "not" syntax to the -F dir= directive? If not, can I specify multiple -F dir= on a given rule so that I can add all of the directories I want to watch?
I saw that in the man page as well. So, we went on one of the development servers and tried adding "-F dir!=/mine" and restarted auditd. It complained that there was an error in that line. It seems the man page isn't quite accurate.
I also tried adding "-F dir=/boot -F dir=/etc -F dir=/var" and it complained again. Apparently you can only have one? Thanks for the suggestions, though!
Good. Better than trying out stuff on production servers.
Quote:
Originally Posted by bradvan
and tried adding "-F dir!=/mine" and restarted auditd. It complained that there was an error in that line. It seems the man page isn't quite accurate.
First of all, you don't need to restart the audit service: use 'auditctl' to list, delete, edit or add rules. Second, I don't know what distribution you use or what the exact rule was you tried to load.
Quote:
Originally Posted by bradvan
I also tried adding "-F dir=/boot -F dir=/etc -F dir=/var" and it complained again. Apparently you can only have one?
No, you definitely can have multiple. The thing is, you have to understand my ESP is at an all-time low, so again I don't know which rule you tried to load.
Here is a copy of my audit rules. I believe the vast majority of the audit records are coming from the last six system calls. I'd like to tell the auditd daemon not to run these on the directory /mydir. All of the project software runs under there. I just want the audit daemon to watch the system directories.
Code:
-D
-e 1
-b 16394
-f 1
-a exit,never -F auid>2147483645
-a exit,always -F arch=b32 -S adjtimex -S clock_settime -S settimeofday -k time-change
-a exit,always -F arch=b64 -S adjtimex -S clock_settime -S settimeofday -k time-change
-w /etc/localtime -p wa -k time-change
-a exit,always -F arch=b64 -S sethostname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-w /etc/passwd -p wa -k passwd-file
-w /etc/shadow -p wa -k passwd-file
-w /etc/audit/auditd.conf -p wa -k audit-file
-w /etc/audit/audit.rules -p wa -k audit-file
-w /etc/ntp.conf -p wa -k etc-file
-w /etc/exports -p wa -k etc-file
-w /etc/hosts.allow -p wa -k etc-file
-w /etc/hosts.deny -p wa -k etc-file
-w /etc/at.allow -p wa -k etc-file
-w /etc/at.deny -p wa -k etc-file
-w /etc/group -p wa -k etc-file
-w /etc/security/opasswd -p wa -k etc-file
-w /etc/login.defs -p wa -k etc-file
-w /etc/security -p wa -k etc-file
-w /etc/shells -p wa -k etc-file
-w /etc/profile -p wa -k etc-file
-w /etc/bashrc -p wa -k etc-file
-w /etc/csh.cshrc -p wa -k etc-file
-w /etc/csh.login -p wa -k etc-file
-w /etc/sysconfig -p wa -k etc-file
-w /etc/inittab -p wa -k etc-file
-w /etc/rc.d/init.d -p wa -k etc-file
-w /etc/rc.d/init.d/auditd -p wa -k etc-file
-w /etc/rc.local -p wa -k etc-file
-w /etc/rc.sysinit -p wa -k etc-file
-w /etc/xinetd.conf -p wa -k etc-file
-w /etc/xinetd.d -p wa -k etc-file
-w /etc/ld.so.conf -p wa -k etc-file
-w /etc/ld.so.conf.d -p wa -k etc-file
-w /etc/system.conf -p wa -k etc-file
-w /etc/modprobe.conf -p wa -k etc-file
-w /etc/pam.d -p wa -k etc-file
-w /etc/ssh/sshd_config -p wa -k etc-file
-w /etc/rsyslog.conf -p wa -k etc-file
-w /etc/snmpd.conf -p wa -k etc-file
-w /etc/resolv.conf -p wa -k etc-file
-w /etc/nsswitch.conf -p wa -k etc-file
-w /etc/host.conf -p wa -k etc-file
-w /etc/krb5.conf -p wa -k etc-file
-w /etc/default -p wa -k etc-file
-w /etc/fstab -p wa -k etc-file
-w /etc/auto.master -p wa -k etc-file
-w /etc/auto.misc -p wa -k etc-file
-w /etc/auto.net -p wa -k etc-file
-w /etc/auto.smb -p wa -k etc-file
-w /etc/securetty -p wa -k etc-file
-w /etc/aliases -p wa -k mail-file
-w /etc/mail/access -p wa -k mail-file
-w /etc/mail/access.db -p wa -k mail-file
-w /etc/mail/domaintable -p wa -k mail-file
-w /etc/mail/domaintable.db -p wa -k mail-file
-w /etc/mail/helpfile -p wa -k mail-file
-w /etc/mail/local-host-names -p wa -k mail-file
-w /etc/mail/mailertable -p wa -k mail-file
-w /etc/mail/mailertable.db -p wa -k mail-file
-w /etc/mail/Makefile -p wa -k mail-file
-w /etc/mail/sendmail.cf -p wa -k mail-file
-w /etc/mail/sendmail.mc -p wa -k mail-file
-w /etc/mail/submit.cf -p wa -k mail-file
-w /etc/mail/submit.mc -p wa -k mail-file
-w /etc/mail/trusted-users -p wa -k mail-file
-w /etc/mail/virtusertable -p wa -k mail-file
-w /etc/mail/virtusertable.db -p wa -k mail-file
-w /etc/cron.allow -p wa -k cron-file
-w /etc/cron.deny -p wa -k cron-file
-w /etc/cron.d -p wa -k cron-file
-w /etc/cron.daily -p wa -k cron-file
-w /etc/cron.hourly -p wa -k cron-file
-w /etc/cron.monthly -p wa -k cron-file
-w /etc/cron.weekly -p wa -k cron-file
-w /etc/crontab -p wa -k cron-file
-w /etc/anacrontab -p wa -k cron-file
-w /var/spool/at -p wa -k var-file
-w /var/log/lastlog -p wa -k var-file
-w /etc/sudoers -p wa -k sudo-file
-a exit,always -F arch=b32 -S write -S capset -S chroot -S creat -S execve -S link -S mkdir -S mknod -S pivot_root -S quotactl -S reboot -S rmdir -S setdomainname -S sethostname -S setsid -S settimeofday -S setuid -S stty -S symlink -F auid!=0 -F uid=0 -k su-root
-a exit,always -F arch=b32 -S chown -S chown32 -S fchown -S fchown32 -S lchown -S lchown32 -S chmod -S fchmod -k su-root
-a exit,always -F arch=b64 -S write -S capset -S chroot -S creat -S execve -S link -S mkdir -S mknod -S pivot_root -S quotactl -S reboot -S rmdir -S setdomainname -S sethostname -S setsid -S settimeofday -S setuid -S symlink -F auid!=0 -F uid=0 -k su-root
-a exit,always -F arch=b64 -S chown -S fchown -S lchown -S chmod -S fchmod -k su-root
-a exit,always -F arch=b32 -S chmod -S fchmod -S chown -S fchown -S lchown -S creat -S truncate
-a exit,always -F arch=b64 -S chmod -S fchmod -S chown -S fchown -S lchown -S creat -S truncate
-a exit,always -F arch=b32 -S ftruncate -S unlink -S rename -S link -S symlink -S mknod -S mount
-a exit,always -F arch=b64 -S ftruncate -S unlink -S rename -S link -S symlink -S mknod -S mount
-a exit,always -F arch=b32 -S umount -S umount2 -S clone -S umask
-a exit,always -F arch=b64 -S umount2 -S clone -S umask
I tried adding "-F dir!=/mydir" and it did not like that syntax. Is the -F dir directive acting on a per-mounted-file-system basis or just on a directory? That may be my problem with my second try. I tried listing all of the top level directories, each with its own -F dir=. If it is a file system directive, then I only have / and /mydir. So, "-F dir=/" should be sufficient. I'll have to give this a try when I get back to work on Monday.
Quote:
Originally Posted by bradvan
I tried adding "-F dir!=/mydir" and it did not like that syntax. Is the -F dir directive acting on a per-mounted-file-system basis or just on a directory? That may be my problem with my second try. I tried listing all of the top level directories, each with its own -F dir=. If it is a file system directive, then I only have / and /mydir. So, "-F dir=/" should be sufficient.
I don't actually know if "-F dir" is FS-based, but if you only have / and /mydir then you've got a problem, as you are not allowed to insert a watch at the toplevel anyway. Could you run this as a test?:
It complained about a 32/64-bit mismatch if I didn't add the arch= portion. It still errored with Invalid argument. Same thing I got last week when I tried adding multiple directories. Running the find on this system produced:
I think that even though the man page states you may have up to 64 "-F" fields passed, it's not necessarily true for all options. Likewise, even though the man page states n!=v as a valid option, it doesn't seem to work with dir. I tried it with "-F dir!=/mydir" and it gives invalid argument. I guess there just isn't a way to watch (or not watch) a specific file system with the current audit daemon. Thanks so much for your suggestions.
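The thread ends without a syntax that loads, so here is an added example, not code from the thread, from auditctl or from the audit project. It is a small Python linter for audit.rules lines that flags the combinations the kernel's rule loader refuses with EINVAL, which auditctl reports as "Invalid argument" as seen above: a dir field with any operator other than =, more than one -F dir= in a single rule (the kernel attaches one directory tree per rule), dir= on a list other than exit or combined with -w, and a watch on / (the top level cannot be watched). It also catches the "=!" typo from the posted su-root rule and syscall rules without a -k key. split_dir_rule rewrites a multi-directory rule into one rule per directory, which is the form that loads. The sample rules are constructed, modelled on the ones posted above; the function and variable names are the example's own.

```python
"""Lint audit.rules lines for mistakes the kernel rejects with EINVAL.
Added example, not part of the thread or the audit project."""
import re
import shlex

# Rule lists auditctl accepts after -a/-A ("entry" only on very old kernels).
_LISTS = {"task", "exit", "user", "exclude", "filesystem", "entry"}

# One -F field: name, operator, value. Two-character operators are tried
# first so "dir!=/x" is read as op "!=" rather than op "=" with value "!/x".
_FIELD_RE = re.compile(r"^([A-Za-z0-9_]+)(!=|>=|<=|&=|&|=|>|<)(.*)$")


def parse_field(text):
    """Split 'name<op>value' into (name, op, value), or None if malformed."""
    m = _FIELD_RE.match(text)
    return m.groups() if m else None


def parse_rule(line):
    """Parse one -a/-w rule line; control lines (-D, -e, -b, -f) return None."""
    toks = shlex.split(line, comments=True)
    rule = {"line": line, "list": None, "watch": None,
            "fields": [], "syscalls": [], "key": None}
    i = 0
    while i < len(toks):
        opt = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if opt in ("-a", "-A") and arg:
            # auditctl accepts both "exit,always" and "always,exit"
            rule["list"] = next((p for p in arg.split(",") if p in _LISTS), None)
        elif opt == "-w" and arg:
            rule["watch"] = arg
        elif opt == "-F" and arg:
            rule["fields"].append(arg)
        elif opt == "-S" and arg:
            rule["syscalls"].append(arg)
        elif opt == "-k" and arg:
            rule["key"] = arg
        elif opt == "-p" and arg:
            pass  # watch permissions; nothing to lint here
        else:
            i += 1  # flag without an argument, or a control-line token
            continue
        i += 2
    return rule if rule["list"] or rule["watch"] else None


def lint_rule(rule):
    """Return problem descriptions for one parsed rule (empty list = clean)."""
    problems, dir_count = [], 0
    watch = rule["watch"]
    if watch is not None and watch.endswith("/"):  # covers "/" itself
        problems.append("-w %s: '/' and trailing-slash paths are rejected" % watch)
    for raw in rule["fields"]:
        parsed = parse_field(raw)
        if parsed is None:
            problems.append("-F %s: not of the form name<op>value" % raw)
            continue
        name, op, value = parsed
        if op == "=" and value.startswith("!"):
            problems.append("-F %s: '=!' is not an operator, write %s!=%s" % (raw, name, value[1:]))
        if name == "dir":
            dir_count += 1
            if op != "=":
                problems.append("-F %s: dir only supports '='" % raw)
            if watch is not None:
                problems.append("-F %s: cannot be combined with -w" % raw)
            elif rule["list"] != "exit":
                problems.append("-F %s: dir= is only valid on the exit list" % raw)
            if not value.startswith("/"):
                problems.append("-F %s: directory must be an absolute path" % raw)
    if dir_count > 1:
        problems.append("%d -F dir= fields in one rule; the kernel allows one directory tree per rule" % dir_count)
    if rule["syscalls"] and rule["key"] is None:
        problems.append("syscall rule without -k key; ausearch -k cannot find its records")
    return problems


def lint_rules(text):
    """Lint a whole rules file; returns [(line, problems), ...] for flagged lines."""
    report = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is not None and lint_rule(rule):
            report.append((line, lint_rule(rule)))
    return report


def split_dir_rule(line):
    """Rewrite a rule with several -F dir= fields into one rule per directory."""
    toks, base, dirs, i = shlex.split(line, comments=True), [], [], 0
    while i < len(toks):
        if toks[i] == "-F" and i + 1 < len(toks) and toks[i + 1].startswith("dir="):
            dirs.append(toks[i + 1][4:])
            i += 2
        else:
            base.append(toks[i])
            i += 1
    if len(dirs) <= 1:
        return [line]
    return [" ".join(shlex.quote(t) for t in base + ["-F", "dir=" + d]) for d in dirs]


# Constructed sample, modelled on the rules posted in the thread.
SAMPLE_RULES = """\
-D
-b 8192
-w /etc/passwd -p wa -k passwd-file
-w / -p wa -k root-watch
-a exit,always -F arch=b64 -S execve -F auid=!0 -F uid=0 -k su-root
-a exit,always -F arch=b64 -S unlink -S rename -F dir!=/mydir -k fs-change
-a exit,always -F arch=b64 -S chmod -S chown -F dir=/etc -F dir=/boot -k fs-change
-a exit,always -F arch=b64 -S mount -S umount2
-a exit,always -F arch=b64 -S chmod -S chown -F dir=/etc -k fs-change
"""

if __name__ == "__main__":
    for line, problems in lint_rules(SAMPLE_RULES):
        print(line)
        for p in problems:
            print("    " + p)
    for fixed in split_dir_rule("-a exit,always -F arch=b64 -S chmod -F dir=/etc -F dir=/boot -k fs-change"):
        print(fixed)
```

Run it against a copy of the real file (lint_rules(open("/etc/audit/audit.rules").read())) before loading rules with auditctl -R; the linter only reads text and never touches the kernel rule set, so it is safe to use on a production host.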