Old 06-22-2010, 08:15 AM   #1
listreq
LQ Newbie
 
Registered: Jun 2010
Posts: 4

Rep: Reputation: 0
Auditd Configuration


Hi All;

I need to watch write/read operations on all directories under root (/), but not watch the /proc and /dev paths.

How do I configure the /etc/audit/audit.rules file for this?

Thanks,
Best Regards
 
Old 06-22-2010, 10:23 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Welcome to LQ. Hope you like it here.


Did you read man 'audit.rules'?
Have you checked CAPP / NISPOM / et cetera rulesets available on your system to get an idea about how to write rules?
What rules have you tried?
Can you post those examples?
Did you read 'man auditctl'? (The "-w path" explanation wrt inserting watches at the top level directory should be a hint.)
 
Old 06-22-2010, 01:16 PM   #3
listreq
LQ Newbie
 
Registered: Jun 2010
Posts: 4

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by unSpawn View Post
Welcome to LQ. Hope you like it here.


Did you read man 'audit.rules'?
Have you checked CAPP / NISPOM / et cetera rulesets available on your system to get an idea about how to write rules?
What rules have you tried?
Can you post those examples?
Did you read 'man auditctl'? (The "-w path" explanation wrt inserting watches at the top level directory should be a hint.)
Thank you for your delicacy.

For example, I wrote these rules to the audit.rules file with the -w parameter:

-w /home -p w -k WriteProcess
-w /home -p r -k ReadProcess

This works, but this technique requires writing all directory names (listing all top-level directory names from the root directory).

Example: /home, /etc, /opt ...

But I need these directory names to be watched automatically by the audit daemon. If a directory is added to the system, it is not watched (unless it is added manually).

e.g. -> a user adds a directory /testing (mkdir /testing). At work, it doesn't watch write permissions, because it is not defined in the audit.rules file.

I have tried the -W parameter, to remove a watch from the watch list after watching the root directory with -w. But it's not working?

-w / -p w
-W /proc

Quote:
man auditctl:
-W path
Remove a watch for the file system object at path.
Hope I explained it.

Thank you.

// EDIT: Sorry for my bad English.

Last edited by listreq; 06-22-2010 at 01:18 PM.
 
Old 06-23-2010, 06:08 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by listreq View Post
this technique requires writing all directory names (listing all top-level directory names from the root directory). (..) But I need these directory names to be watched automatically by the audit daemon. If a directory is added to the system, it is not watched (unless it is added manually). e.g. -> a user adds a directory /testing (mkdir /testing). At work, it doesn't watch write permissions, because it is not defined in the audit.rules file.
Top level directories aren't added commonly and don't change (nor should they) so you could use 'find / -maxdepth 1 -type d -iname "[a-z]*" | egrep -ve "^/(media|selinux|dev|sys|proc|lost\+found)"|while read TOPDIR; do echo auditctl -w "${TOPDIR}" -p w -k write_${TOPDIR//\//}; done'. With respect to a user adding a directory to /testing (say /testing/username) watches are recursive, so they should be picked up. Let me know if they aren't.


Quote:
Originally Posted by listreq View Post
I have try -W parameter, for remove a watch from watching list after watch root directory with -w. But, not working?
Best give auditctl the full command line. So if you used "-w /home -p w -k WriteProcess" then try "-W /home -p w -k WriteProcess". If that doesn't work then try reloading the Auditd service. That's not elegant but unless you wrote your rules to /etc/audit/audit.rules that should work. If you did write your rules to /etc/audit/audit.rules then comment out the "wrong" rules and then restart the Auditd service.
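The following is an added example (not unSpawn's one-liner or anything from the audit project) that follows the same approach: list the top-level directories under a root, skip the pseudo-filesystems, and emit one recursive watch per directory. It prints lines in audit.rules syntax rather than auditctl commands so the output can be reviewed and then appended to /etc/audit/audit.rules; the exclusion list is an assumption (the thread's set plus /run), and the ROOT argument exists only so the generator can be tried on a scratch directory before running it against /.

```shell
#!/bin/sh
# Added example, not from the thread. Generate audit.rules watch lines for
# every top-level directory under ROOT, skipping pseudo/virtual filesystems.
# Usage: gen_audit_watch_rules [ROOT] [PERMS] [KEYPREFIX]
#   ROOT      defaults to /        PERMS defaults to w (as in the thread)
#   KEYPREFIX defaults to write    -> keys look like write_home, write_etc ...

# Assumed exclusion list: kernel-backed trees and mount points that should
# never carry a watch (proc, dev, sys, run) plus the ones unSpawn skipped.
EXCLUDE_RE='^(proc|dev|sys|run|media|selinux|lost\+found)$'

gen_audit_watch_rules() {
    root="${1:-/}"
    perms="${2:-w}"
    keyprefix="${3:-write}"
    root="${root%/}"                 # drop a trailing slash so paths join cleanly
    # -mindepth 1 drops ROOT itself, -maxdepth 1 keeps only the top level;
    # LC_ALL=C sort makes the rule order stable across runs.
    find "${root:-/}" -mindepth 1 -maxdepth 1 -type d -print | LC_ALL=C sort |
    while IFS= read -r dir; do
        name="${dir##*/}"
        # Skip the excluded names; everything else gets a recursive watch,
        # so /testing/username created later is covered by the /testing rule.
        printf '%s\n' "$name" | grep -Eq "$EXCLUDE_RE" && continue
        printf '%s\n' "-w $dir -p $perms -k ${keyprefix}_${name}"
    done
}
```

Watching whole trees such as /usr or /var produces a high event volume, so keep -p w (as in the thread) rather than -p rwxa and review the noisiest keys with ausearch -k before making the rules permanent.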
 
Old 06-23-2010, 02:14 PM   #5
GrapefruiTgirl
LQ Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Rep: Reputation: 556
This thread has been moved to "Security" so that it may get the exposure it deserves.

Sasha
 
Old 06-28-2010, 02:25 AM   #6
listreq
LQ Newbie
 
Registered: Jun 2010
Posts: 4

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by unSpawn View Post
Top level directories aren't added commonly and don't change (nor should they) so you could use 'find / -maxdepth 1 -type d -iname "[a-z]*" | egrep -ve "^/(media|selinux|dev|sys|proc|lost\+found)"|while read TOPDIR; do echo auditctl -w "${TOPDIR}" -p w -k write_${TOPDIR//\//}; done'. With respect to a user adding a directory to /testing (say /testing/username) watches are recursive, so they should be picked up. Let me know if they aren't.



Best give auditctl the full command line. So if you used "-w /home -p w -k WriteProcess" then try "-W /home -p w -k WriteProcess". If that doesn't work then try reloading the Auditd service. That's not elegant but unless you wrote your rules to /etc/audit/audit.rules that should work. If you did write your rules to /etc/audit/audit.rules then comment out the "wrong" rules and then restart the Auditd service.
Thank you for your reply.

I thought configuration for full-disk watching would be easy, but it isn't. Okay, I'll add all directory names to the rules file, and maybe follow new directory names added to the system.

Thank You
Best Regards
 