audit rules help
Is there someplace good for looking up how to implement different audit specific rules?
I've been scouring the web and having some issues figuring out how to add some new audit rules. Basically I want to add rules for mounting, which I believe is just adding a watch to /bin/mount, but I also want to look for when users mount a share on a server, from the server side. I believe this would also mean I need to watch the nfs/cifs daemons for new exports, or really just recycling those daemons. Hints? Tips? Tricks? Or better yet, docs? Thanks!
Sure you could include all the various mount binaries but also any mount-related syscalls. A rule for the latter could look like: 'auditctl -a entry,always -S mount -S umount -S umount2 -k SYS_mount'.
It sounds like including the mount syscalls is the direction I want to take on the client. Would that only audit if the client was mounting a share? On the server would auditing the mount syscalls catch when a client mounted something on the server?
Auditing someone on the server mounting anything is an auditable action, but I also need to track when clients are mounting a share, and I'm not clear from the response if that is the case. There is also the case where I need to audit any new exports/cifs shares being created.
Code:
[sharename]
Thanks for the hints, I think I have enough to muddle through now. One would think I could test all of this but I don't get much in the way of test systems unfortunately.
You mean you don't have a workstation you can use virtualization on?
Granted, I could do that to my work PC, but it's not quite beefy enough that the performance hit the host would take wouldn't irritate me. I will probably end up doing that anyway, though.
1. Well, 'auditctl -a entry,always -S mount -S umount -S umount2 -k SYS_mount' does not seem to audit log any mount request that is sent by the NFS client to the NFS server.
2. CIFS seems to have the facility as indicated, but there seems to be none for NFS :-( .. any clue?
3. The NFS server seems to log the following relevant messages in /var/log/messages, but how do I filter it such that it is directed to a particular log file/server? (Does the below message come under authpriv.* for the rsyslog rule?)
Code:
2010-12-05T02:59:13.321745+05:18 int002st001 mountd[1390190]: authenticated mount request from son.in.xx.com:794 for /mount_test (/test)
Advice appreciated.
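Added example, not from anyone in the thread: once the mountd lines above are routed to their own file, this parser turns them into structured events (client, source port, export) that can be counted or alerted on server-side. It assumes rsyslog's ISO timestamp prefix as in the quoted line; the "authenticated unmount" and "refused mount ... : REASON" message forms are assumptions about nfs-utils, not taken from the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional
# rsyslog prefix as in the thread: <ISO timestamp> <host> mountd[<pid>]: <message>
_PREFIX = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) mountd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# "authenticated mount request from HOST:PORT for EXPORT (PATH)" is the form quoted in the
# thread; the unmount and "refused ... (PATH): REASON" forms are assumptions about nfs-utils.
_MSG = re.compile(
    r"^(?P<outcome>authenticated|refused) (?P<op>mount|unmount) request from "
    r"(?P<client>[^: ]+)(?::(?P<port>\d+))? for (?P<export>\S+) \((?P<path>[^)]*)\)"
    r"(?:: (?P<reason>.*))?$")

@dataclass(frozen=True)
class MountEvent:
    ts: str
    server: str
    outcome: str  # "authenticated" or "refused"
    op: str  # "mount" or "unmount"
    client: str
    port: Optional[int]  # None on refused lines, which carry no port
    export: str
    path: str
    reason: Optional[str] = None

    @property
    def from_privileged_port(self) -> bool:
        """True when the client used a source port below 1024 (what the 'secure' export option demands)."""
        return self.port is not None and self.port < 1024

def parse_line(line: str) -> Optional[MountEvent]:
    """Return a MountEvent for a mountd mount/unmount line, None for anything else."""
    p = _PREFIX.match(line.rstrip("\n"))
    m = _MSG.match(p.group("msg")) if p else None
    if not m:
        return None
    return MountEvent(p.group("ts"), p.group("host"), m.group("outcome"), m.group("op"),
                      m.group("client"), int(m["port"]) if m["port"] else None,
                      m.group("export"), m.group("path"), m.group("reason"))

def parse_log(text: str) -> list:
    """Parse a whole log; lines from other daemons (sshd etc.) are skipped, not errors."""
    return [e for e in map(parse_line, text.splitlines()) if e]

# Constructed sample: the first line is the one quoted in the thread, the rest are made up.
SAMPLE_LOG = """\
2010-12-05T02:59:13.321745+05:18 int002st001 mountd[1390190]: authenticated mount request from son.in.xx.com:794 for /mount_test (/test)
2010-12-05T03:01:02.000000+05:18 int002st001 mountd[1390190]: refused mount request from 10.0.0.9 for /secret (/srv/secret): unmatched host
2010-12-05T03:05:40.000000+05:18 int002st001 mountd[1390190]: authenticated unmount request from son.in.xx.com:794 for /mount_test (/test)
2010-12-05T03:06:00.000000+05:18 int002st001 sshd[4242]: Accepted publickey for ops from 10.0.0.5 port 50000
"""
```

On the rsyslog side these lines can be selected by program name rather than by facility, e.g. a `:programname, isequal, "mountd"` property filter in front of the file or remote-host action.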