LinuxQuestions.org, Linux - Security forum
Old 10-14-2014, 08:21 AM   #1
kapszone
LQ Newbie
linux auditd logging


Hi guys. I have a small issue: we have auditd set to report any access to or change of certain files by giving -w, example below:

-w /etc/audit/audit.rules -p wa

Now when I log in with my ID, then sudo and modify the file, the log gets generated:

Oct 14 08:44:07 172.0.0.1 audispd: node=test.com type=CONFIG_CHANGE msg=audit(1413272647.027:369143): auid=3002 ses=6851 op="updated rules" path="/etc/audit/audit.rules" key=(null) list=4 res=1

But when we edit the file by giving this command:
sudo -e /etc/audit/audit.rules

there is no log generated for the config change. The only reference to this activity is in the PATH log, which is of no use as it does not tell me the auid or whether it was a change or a deletion.
Now, as I understood it (from my Unix admin), sudo -e copies the file to tmp, makes the change and then replaces the file in the actual directory, so in a nutshell it is a complete replacement of the file. Shouldn't this be captured by my watch command mentioned above? Is the only solution to monitor the whole directory?

The only problem is we are monitoring many other files and we don't want to capture all the directories, as they will generate a lot of logs which we don't need. Any advice please.
 
Old 10-16-2014, 01:20 AM   #2
unSpawn
Moderator
Quote:
Originally Posted by kapszone View Post
so in a nutshell it is a complete replacement of the file, shouldn't this be captured by my watch command mentioned above?
It should but it clearly doesn't.


Quote:
Originally Posted by kapszone View Post
Is the only solution to monitor the whole directory?
Couple of things to try depending on requirements:
- Try specific system calls (see 'ausyscall') for open, write?
- Use an active file integrity checker like Samhain (it can use inotify) and have it inject the appropriate message in audit log (see 'man auditctl')?
 
Old 10-17-2014, 09:42 AM   #3
kapszone
LQ Newbie
Managed to get this sorted out, so I thought I'd post it here. Might help someone in the future.

So if I watch the directory and then edit the file with sudo -e, the only log you get is on the directory change. This is also true in one more case: when you are watching both the directory and the file, the only log it will create is on the watched directory and not a file-specific change.


There is not much difference in the log for the directory or the specific file; the only thing is that they get logged as SYSCALL records and not under the category of CONFIG_CHANGE.
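The last post above says the sudo -e replacement shows up as SYSCALL (plus PATH) records rather than CONFIG_CHANGE, and the first post complains that the PATH record alone gives neither the auid nor whether the file was changed or deleted. Both pieces are in the same audit event: every record of one event carries the same serial inside msg=audit(timestamp:serial), the SYSCALL record holds auid, uid, syscall number and success, and each PATH record's nametype says whether that name was created, deleted or merely opened. On a live host `ausearch -i` (optionally with `-k <key>`) does this join for you; the script below, added here and not taken from the thread, does the same join offline. The log lines it parses are constructed and simplified (invented inodes, pids and a sudoedit temp name, not real audit output), the nametype field is assumed to be present (it only exists in newer audit releases), and the syscall-number table is a small hypothetical x86_64 subset; on a real box resolve numbers with ausyscall as suggested earlier in the thread.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the thread), modelled on the syslog-forwarded
# audispd line quoted in post #1. Event 369201 is a sudo -e style replacement (rename of
# a temp file over the watched file), 369215 an unrelated open of /etc/hosts, 369230 a deletion.
SAMPLE_LOG = """\
Oct 14 09:10:02 172.0.0.1 audispd: node=test.com type=SYSCALL msg=audit(1413274202.115:369201): arch=c000003e syscall=82 success=yes exit=0 a0=7fff1 a1=7fff2 a2=0 a3=0 items=4 ppid=4101 pid=4102 auid=3002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6851 comm="sudoedit" exe="/usr/bin/sudo" key="audit-rules"
Oct 14 09:10:02 172.0.0.1 audispd: node=test.com type=CWD msg=audit(1413274202.115:369201):  cwd="/home/kapszone"
Oct 14 09:10:02 172.0.0.1 audispd: node=test.com type=PATH msg=audit(1413274202.115:369201): item=0 name="/etc/audit/" inode=131074 dev=fd:01 mode=040750 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
Oct 14 09:10:02 172.0.0.1 audispd: node=test.com type=PATH msg=audit(1413274202.115:369201): item=1 name="/etc/audit/audit.rulesXXbBcT3" inode=131099 dev=fd:01 mode=0100640 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
Oct 14 09:10:02 172.0.0.1 audispd: node=test.com type=PATH msg=audit(1413274202.115:369201): item=2 name="/etc/audit/audit.rules" inode=131083 dev=fd:01 mode=0100640 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
Oct 14 09:10:02 172.0.0.1 audispd: node=test.com type=PATH msg=audit(1413274202.115:369201): item=3 name="/etc/audit/audit.rules" inode=131099 dev=fd:01 mode=0100640 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
Oct 14 09:11:40 172.0.0.1 audispd: node=test.com type=SYSCALL msg=audit(1413274300.401:369215): arch=c000003e syscall=2 success=yes exit=3 a0=7fff3 a1=241 a2=1b6 a3=0 items=1 ppid=4101 pid=4130 auid=3002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6851 comm="vi" exe="/usr/bin/vi" key="etc-hosts"
Oct 14 09:11:40 172.0.0.1 audispd: node=test.com type=PATH msg=audit(1413274300.401:369215): item=0 name="/etc/hosts" inode=131200 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
Oct 14 09:15:09 172.0.0.1 audispd: node=test.com type=SYSCALL msg=audit(1413274509.777:369230): arch=c000003e syscall=87 success=yes exit=0 a0=7fff4 a1=0 a2=0 a3=0 items=2 ppid=4101 pid=4155 auid=3002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6851 comm="rm" exe="/bin/rm" key="audit-rules"
Oct 14 09:15:09 172.0.0.1 audispd: node=test.com type=PATH msg=audit(1413274509.777:369230): item=0 name="/etc/audit/" inode=131074 dev=fd:01 mode=040750 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
Oct 14 09:15:09 172.0.0.1 audispd: node=test.com type=PATH msg=audit(1413274509.777:369230): item=1 name="/etc/audit/audit.rules" inode=131099 dev=fd:01 mode=0100640 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
"""

# Hypothetical subset of x86_64 (arch=c000003e) syscall numbers, enough for the sample.
# On a real host resolve them with: ausyscall x86_64 <number>
SYSCALL_NAMES = {
    "c000003e": {2: "open", 82: "rename", 87: "unlink", 257: "openat",
                 263: "unlinkat", 264: "renameat"},
}

RECORD_RE = re.compile(
    r"type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into its type, event serial, timestamp and key=value fields."""
    m = RECORD_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
    return {"type": m.group("type"), "serial": int(m.group("serial")),
            "ts": float(m.group("ts")), "fields": fields}


def group_events(lines):
    """Group records by the serial in msg=audit(ts:serial); that serial is what ties
    a PATH record to the SYSCALL record of the same event."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec["serial"]].append(rec)
    return events


def classify(nametypes):
    """Turn the PATH nametype values seen for the watched name into a verdict."""
    kinds = set(nametypes)
    if "CREATE" in kinds and "DELETE" in kinds:
        return "replaced"          # old inode unlinked, new inode put in its place (sudo -e pattern)
    if "DELETE" in kinds:
        return "deleted"
    if "CREATE" in kinds:
        return "created"
    if "NORMAL" in kinds:
        return "opened in place"   # e.g. open(2) for write; the open flags sit in a1
    return "unknown"


def summarize_event(records, watched):
    """Return who touched `watched` in this event and how, or None if it is unrelated."""
    syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
    if syscall is None:
        return None
    hits = [r["fields"].get("nametype", "unknown") for r in records
            if r["type"] == "PATH" and r["fields"].get("name") == watched]
    if not hits:
        return None
    f = syscall["fields"]
    name = SYSCALL_NAMES.get(f.get("arch"), {}).get(int(f["syscall"]), f["syscall"])
    return {"serial": syscall["serial"], "auid": int(f["auid"]), "uid": int(f["uid"]),
            "syscall": name, "success": f.get("success") == "yes", "comm": f.get("comm"),
            "exe": f.get("exe"), "key": f.get("key"), "nametypes": hits,
            "verdict": classify(hits)}


def report(lines, watched):
    """All events in `lines` that touched `watched`, oldest serial first."""
    events = group_events(lines)
    out = []
    for serial in sorted(events):
        summary = summarize_event(events[serial], watched)
        if summary is not None:
            out.append(summary)
    return out


if __name__ == "__main__":
    for ev in report(SAMPLE_LOG.splitlines(), "/etc/audit/audit.rules"):
        print("event {serial}: auid={auid} uid={uid} {syscall} by {comm} -> {verdict} "
              "(key={key}, path records={nametypes})".format(**ev))
```

Run on the constructed sample, the rename event reports auid=3002 doing a rename that both deleted and created /etc/audit/audit.rules, which is exactly the "complete replacement" the first post describes, while the unrelated /etc/hosts open is skipped. The same join works on records pulled from /var/log/audit/audit.log or a syslog relay, as long as all records of an event reach the parser.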