Audit permission denied errors
Is there a log file or a way to create a log file to audit permission errors? For example, when a non-privileged user tries to view the /etc/shadow file a permission denied error will be returned. I am looking for a file that contains the audit for the error or a way to audit the error. The system is currently running RedHat Enterprise Linux 5 with SELinux.
Easiest is to install the Audit package, then 'grep shadow /usr/share/doc/audit-*/capp.rules' for rules you can add with 'auditctl' or manually to /etc/audit/audit.rules.
Am I right in assuming this will only work for the /etc/shadow file? If that is the case then I would have to create an entry for every file I want to watch? Not sure how well that will work given that I would like to watch every file a user does not have permission to access and audit every attempt. I figured there is a way to do it with auditctl. I may just have to do a little more research. Thanks for the suggestion.
Quote:
The system stores secure data and users are only allowed to do certain things. If one of the users attempts to access an object they are not allowed to, the system needs to audit this. Basically it is a way to check that users are doing things they are allowed to and not doing anything mischievous. If a user does access something they are not allowed to, there needs to be something in place to determine who and what they did.
Because you have to 'auditctl -w' for each and every file you want to watch, this doesn't scale well beyond n users. Maybe it would be easier in the end to have SELinux trigger those messages by only allowing those users in under another SELinux context than the default "user_u:system_r:unconfined_t"? See Dan Walsh's web log, the xguest and the cashiers examples.
BTW, does your audit trail include the full command history (and output) of whatever users execute on your system? And does it include accounting on the systems they use to log into this machine? If you don't, then how can you be sure you're following the "right" user and not somebody else (temporarily) sharing an account to perform a task? Just curious...
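The thread asks how to audit every permission-denied access without a watch rule per file, and the last reply points out that per-file '-w' rules do not scale. The script below is an added example, not code from the thread or from the audit package: instead of watching files, it appends syscall rules keyed on the failure code (exit=-EACCES / exit=-EPERM), so any open or truncate that fails with "permission denied" is recorded with the login uid (auid), the program and the path, whatever the file. It assumes a RHEL5-style layout (ordinary users start at UID 500, audit 1.x, x86/x86_64) and parses a constructed audit.log sample to show how the SYSCALL and PATH records of one event are joined; the paths, uids and timestamps in that sample are made up. SELinux denials are not produced by these rules at all; they appear as type=AVC records in the same log regardless.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes RHEL5 conventions:
# UID_MIN=500 for ordinary users, audit 1.x, x86 or x86_64 kernels.

# Emit audit rules that log every open/truncate that FAILS with
# EACCES (-13) or EPERM (-1) for a logged-in ordinary user, instead
# of one '-w' watch per file. auid>=500 skips system accounts;
# auid!=4294967295 skips processes with no login uid (boot-time
# daemons). The key "access" lets you pull them back later with:
#   ausearch -k access
# Load with:  access_rules >> /etc/audit/audit.rules; service auditd restart
access_rules() {
    cat <<'EOF'
-a exit,always -F arch=b64 -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a exit,always -F arch=b64 -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a exit,always -F arch=b32 -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a exit,always -F arch=b32 -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
EOF
}

# Report denials from an audit.log ($1). Each event is several records
# sharing one id "audit(<time>:<serial>)": the SYSCALL record carries
# auid/exe/exit, the PATH record(s) carry the file name. This joins them
# and prints:  <event id> auid=<n> exe=<path> name=<path> exit=<errno>
denials_from_log() {
    awk '
    function field(rec, k,    m) {          # value of " k=..." (quotes stripped)
        if (match(rec, " " k "=[^ ]+")) {
            m = substr(rec, RSTART, RLENGTH)
            sub(/^ [a-z]+=/, "", m); gsub(/"/, "", m)
            return m
        }
        return "?"
    }
    function eid(rec) {                     # "audit(1263200000.123:456)" -> "1263200000.123:456"
        match(rec, /audit\([0-9.]+:[0-9]+\)/)
        return substr(rec, RSTART + 6, RLENGTH - 7)
    }
    /^type=SYSCALL / && / success=no / && (/ exit=-13 / || / exit=-1 /) {
        id = eid($0)
        who[id] = field($0, "auid"); prog[id] = field($0, "exe"); err[id] = field($0, "exit")
    }
    /^type=PATH / {
        id = eid($0)
        if (id in who)
            printf "%s auid=%s exe=%s name=%s exit=%s\n", id, who[id], prog[id], field($0, "name"), err[id]
    }' "$1"
}

# Constructed sample log (NOT a real capture): event 456 is uid 500
# reading /etc/shadow (EACCES), 457 is a successful read that must be
# ignored, 458 is uid 501 truncating an immutable file (EPERM).
SAMPLE_LOG='type=SYSCALL msg=audit(1263200000.123:456): arch=c000003e syscall=2 success=no exit=-13 a0=7fff1234 a1=0 a2=1b6 a3=0 items=1 ppid=1200 pid=1250 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" subj=user_u:system_r:unconfined_t:s0 key="access"
type=CWD msg=audit(1263200000.123:456):  cwd="/home/alice"
type=PATH msg=audit(1263200000.123:456): item=0 name="/etc/shadow" inode=1234 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0
type=SYSCALL msg=audit(1263200000.200:457): arch=c000003e syscall=2 success=yes exit=3 a0=7fff5678 a1=0 a2=1b6 a3=0 items=1 ppid=1200 pid=1251 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" subj=user_u:system_r:unconfined_t:s0 key=(null)
type=CWD msg=audit(1263200000.200:457):  cwd="/home/alice"
type=PATH msg=audit(1263200000.200:457): item=0 name="/etc/passwd" inode=1235 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=SYSCALL msg=audit(1263200000.300:458): arch=c000003e syscall=76 success=no exit=-1 a0=7fff9abc a1=0 a2=0 a3=0 items=1 ppid=1300 pid=1350 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts1 ses=2 comm="truncate" exe="/usr/bin/truncate" subj=user_u:system_r:unconfined_t:s0 key="access"
type=CWD msg=audit(1263200000.300:458):  cwd="/home/bob"
type=PATH msg=audit(1263200000.300:458): item=0 name="/etc/sudoers" inode=1236 dev=fd:00 mode=0100440 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0'

# Demo against the constructed sample:  sh thisfile.sh demo
# On a real box:  denials_from_log /var/log/audit/audit.log
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp); printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    denials_from_log "$tmp"; rm -f "$tmp"
fi
```

The rules only see DAC failures at the open/truncate boundary, so a user who merely lists a directory they cannot enter is not caught unless you add the relevant syscalls; and because every failing open is now an audit event, keep the auid filters, or a scanning daemon will fill /var/log/audit quickly.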