LinuxQuestions.org - Linux - Security
Audit permission denied errors (https://www.linuxquestions.org/questions/linux-security-4/audit-permission-denied-errors-649121/)

jaco0667 06-13-2008 02:19 PM

Audit permission denied errors
 
Is there a log file or a way to create a log file to audit permission errors? For example, when a non-privileged user tries to view the /etc/shadow file a permission denied error will be returned. I am looking for a file that contains the audit for the error or a way to audit the error. The system is currently running Red Hat Enterprise Linux 5 with SELinux.

unSpawn 06-13-2008 03:01 PM

Easiest is to install the Audit package, then 'grep shadow /usr/share/doc/audit-*/capp.rules' for rules you can add with 'auditctl' or manually to /etc/audit/audit.rules.

jaco0667 06-16-2008 10:15 AM

Am I right in assuming this will only work for the /etc/shadow file? If that is the case then I would have to create an entry for every file I want to watch? Not sure how well that will work given that I would like to watch every file a user does not have permission to access and audit every attempt. I figured there is a way to do it with auditctl. I may just have to do a little more research. Thanks for the suggestion.

unSpawn 06-16-2008 02:15 PM

Quote:

Originally Posted by jaco0667 (Post 3186322)
If that is the case then I would have to create an entry for every file I want to watch? Not sure how well that will work given that I would like to watch every file a user does not have permission to access and audit every attempt.

Maybe explain in detail the compelling reasons for watching what a user doesn't even have DAC rights for?

jaco0667 06-16-2008 02:51 PM

The system stores secure data and users are allowed to do only certain things. If one of the users attempts to access an object they are not allowed to, the system needs to audit this. Basically it is a way to check that users are doing things they are allowed to and not doing anything mischievous. If a user does access something they are not allowed to, there needs to be something in place to determine who and what they did.

unSpawn 06-17-2008 04:27 AM

Because you have to 'auditctl -w' for each and every file you want to watch, this doesn't scale well beyond n users. Maybe it would be easier in the end to have SELinux trigger those messages by only allowing those users in under another SELinux context than the default "user_u:system_r:unconfined_t"? See Dan Walsh's web log, the xguest and the cashiers examples.

BTW, does your audit trail include the full command history (and output) of whatever users execute on your system? And does it include accounting on the systems they use to log into this machine? If you don't, then how can you be sure you're following the "right" user and not somebody else (temporarily) sharing an account to perform a task? Just curious...
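An added example, not from any post in this thread and not code shipped with the audit package: it puts the per-file '-w' watch unSpawn mentions next to a syscall-level rule keyed on the error code, and then joins raw audit.log records the way ausearch does, including the AVC record a confined SELinux user produces without any auditctl rule at all. It assumes RHEL 5 era auditd 1.x syntax on x86_64 (arch=b64 / arch=c000003e); the rule keys "shadow" and "access", the type secure_data_t, the path /srv/secure/report.txt and every log line in sample_log are constructed for the example.

```shell
#!/bin/sh
# Added example for the LinuxQuestions thread on auditing permission denied
# errors. Not from the thread or the audit package. Assumes auditd 1.x on
# x86_64; keys, paths, the secure_data_t type and all log lines are made up.

# --- 1. Two ways to ask auditd for the same thing --------------------------
# The -w watch (what capp.rules does for /etc/shadow) is one line per object.
# The -a rule filtered on the syscall exit code records every open()/openat()
# that fails with EACCES or EPERM for any regular user, whatever the file, so
# the rule set does not grow with the number of objects to protect.
audit_rules() {
cat <<'EOF'
## per-file watch: read/write/attribute access to this one object
-w /etc/shadow -p rwa -k shadow

## every denied open by a logged-in regular user (auid>=500 on RHEL 5;
## auid!=4294967295 drops daemons whose loginuid was never set)
-a exit,always -F arch=b64 -S open -S openat -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a exit,always -F arch=b64 -S open -S openat -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
EOF
}

# --- 2. Constructed /var/log/audit/audit.log excerpt (not real output) ------
# 456: uid 500 hits DAC on /etc/shadow (mode 0400) -> matched by the -a rule
# 457: root reads /etc/shadow successfully         -> only the -w watch logs it
# 458: a confined user_t user reads a world-readable file that SELinux labels
#      secure_data_t: DAC would have allowed it (mode 0644), SELinux refuses,
#      and the AVC record appears with no auditctl rule involved. The kernel
#      checks DAC before SELinux, so an AVC only ever shows up for an access
#      DAC would have permitted; the -a rule still sees the EACCES syscall.
sample_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1213383600.123:456): arch=c000003e syscall=2 success=no exit=-13 a0=7fff1a2b a1=0 a2=1b6 a3=0 items=1 ppid=2001 pid=2002 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 comm="cat" exe="/bin/cat" subj=user_u:system_r:unconfined_t:s0 key="access"
type=CWD msg=audit(1213383600.123:456):  cwd="/home/jaco"
type=PATH msg=audit(1213383600.123:456): item=0 name="/etc/shadow" inode=12345 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0
type=SYSCALL msg=audit(1213383650.500:457): arch=c000003e syscall=2 success=yes exit=3 a0=7fff1a2b a1=0 a2=1b6 a3=0 items=1 ppid=1900 pid=1901 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="cat" exe="/bin/cat" subj=root:system_r:unconfined_t:s0 key="shadow"
type=CWD msg=audit(1213383650.500:457):  cwd="/root"
type=PATH msg=audit(1213383650.500:457): item=0 name="/etc/shadow" inode=12345 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0
type=AVC msg=audit(1213383700.789:458): avc:  denied  { read } for  pid=2004 comm="cat" name="report.txt" dev=dm-0 ino=22222 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:secure_data_t:s0 tclass=file
type=SYSCALL msg=audit(1213383700.789:458): arch=c000003e syscall=2 success=no exit=-13 a0=7fff1a2b a1=0 a2=1b6 a3=0 items=1 ppid=2001 pid=2004 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts2 comm="cat" exe="/bin/cat" subj=user_u:user_r:user_t:s0 key="access"
type=CWD msg=audit(1213383700.789:458):  cwd="/home/guest"
type=PATH msg=audit(1213383700.789:458): item=0 name="/srv/secure/report.txt" inode=22222 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:secure_data_t:s0
EOF
}

# --- 3. Report denials from the raw log -----------------------------------
# Joins each failed SYSCALL record with its PATH record on the event serial
# (the number after the colon in msg=audit(...)) and prints AVC records as
# they come. On a live box `ausearch -k access` and `ausearch -m avc` do this
# join for you; the awk shows what they are joining.
report_denials() {
    awk '
    # value of name=... in one record, quoted ("...") or bare
    function field(rec, name,   n) {
        n = length(name)
        if (match(rec, name "=\"[^\"]*\""))
            return substr(rec, RSTART + n + 2, RLENGTH - n - 3)
        if (match(rec, name "=[^ ]*"))
            return substr(rec, RSTART + n + 1, RLENGTH - n - 1)
        return ""
    }
    {
        split($2, p, /[:)]/); serial = p[2]
        if ($1 == "type=AVC") {
            perm = $0; sub(/.*\{ */, "", perm); sub(/ *\}.*/, "", perm)
            print "AVC serial=" serial " perm=" perm " comm=" field($0, "comm") " scontext=" field($0, "scontext") " tcontext=" field($0, "tcontext")
        }
        if ($1 == "type=SYSCALL" && field($0, "success") == "no")
            denied[serial] = "auid=" field($0, "auid") " comm=" field($0, "comm") " exit=" field($0, "exit")
        if ($1 == "type=PATH" && (serial in denied))
            print "DENIED serial=" serial " " denied[serial] " name=" field($0, "name")
    }'
}

# Run over the constructed excerpt: prints one DENIED line for 456, nothing
# for the successful 457, and an AVC line plus a DENIED line for 458.
sample_log | report_denials
```

To use the rules on a real system, write `audit_rules > /etc/audit/audit.rules` (or append to it) and load them with `auditctl -R /etc/audit/audit.rules` or `service auditd restart`; on a 32-bit RHEL 5 install change `arch=b64` to `arch=b32`. The DENIED lines show the auid, which is the login uid that survives su and sudo, which is what you want for the "who was it really" question unSpawn raises.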
