Audit file operations
From MyWiki
Had a request to put controls in place to trace what's going on with some data in given directory. For the first I thought of SELinux then came across the article and decided to give a try to auditd.
Here is what I did after started auditd daemon:
auditctl -a exit,always -S all -p war -F dir=/home/alex -F success=0 -F success=1 -k alex-home
This (if I got it correctly) was supposed to give me traces of all syscalls against files in /home/alex. It didn't for some reason. Need to RTFM and see if I missed something in a hurry.
So, next I asked auditd to 'watch' for it:
auditctl -w /home/alex -p war -k alex-home
and it sure did. Here is few commands I run while in /home/alex:
$ cp cpasswd cpasswd.copy $ rm cpasswd.copy rm: remove write-protected regular file `cpasswd.copy'? y
And a nice audit trail for the above commands that I could see after issuing:
ausearch -k alex-home
---- type=PATH msg=audit(05/07/2009 12:45:47.413:2321) : item=0 name=cpasswd inode=6029477 dev=fd:00 mode=file,500 ouid=alex ogid=alex rdev=00:00 obj=user_u:object_r:user_home_t:s0 type=CWD msg=audit(05/07/2009 12:45:47.413:2321) : cwd=/home/alex type=SYSCALL msg=audit(05/07/2009 12:45:47.413:2321) : arch=x86_64 syscall=open success=yes exit=3 a0=7fffefad1c63 a1=0 a2=0 a3=0 items=1 ppid=24475 pid=24716 auid=alex uid=alex gid=alex euid=alex suid=alex fsuid=alex egid=alex sgid=alex fsgid=alex tty=pts0 ses=272 comm=cp exe=/bin/cp subj=user_u:system_r:unconfined_t:s0 key=alex-home ---- type=PATH msg=audit(05/07/2009 12:45:47.413:2322) : item=1 name=cpasswd.copy inode=6029343 dev=fd:00 mode=file,500 ouid=alex ogid=alex rdev=00:00 obj=user_u:object_r:user_home_t:s0 type=PATH msg=audit(05/07/2009 12:45:47.413:2322) : item=0 name=/home/alex inode=6029319 dev=fd:00 mode=dir,700 ouid=alex ogid=alex rdev=00:00 obj=user_u:object_r:user_home_dir_t:s0 type=CWD msg=audit(05/07/2009 12:45:47.413:2322) : cwd=/home/alex type=SYSCALL msg=audit(05/07/2009 12:45:47.413:2322) : arch=x86_64 syscall=open success=yes exit=4 a0=7fffefad1c6b a1=41 a2=8140 a3=0 items=2 ppid=24475 pid=24716 auid=alex uid=alex gid=alex euid=alex suid=alex fsuid=alex egid=alex sgid=alex fsgid=alex tty=pts0 ses=272 comm=cp exe=/bin/cp subj=user_u:system_r:unconfined_t:s0 key=alex-home ---- type=PATH msg=audit(05/07/2009 12:45:51.938:2323) : item=1 name=cpasswd.copy inode=6029343 dev=fd:00 mode=file,500 ouid=alex ogid=alex rdev=00:00 obj=user_u:object_r:user_home_t:s0 type=PATH msg=audit(05/07/2009 12:45:51.938:2323) : item=0 name=/home/alex inode=6029319 dev=fd:00 mode=dir,700 ouid=alex ogid=alex rdev=00:00 obj=user_u:object_r:user_home_dir_t:s0 type=CWD msg=audit(05/07/2009 12:45:51.938:2323) : cwd=/home/alex type=SYSCALL msg=audit(05/07/2009 12:45:51.938:2323) : arch=x86_64 syscall=unlink success=yes exit=0 a0=7fffcbcf3c6b a1=9962570 a2=2 a3=9962b80 items=2 ppid=24475 pid=24717 auid=alex uid=alex gid=alex euid=alex suid=alex fsuid=alex egid=alex sgid=alex fsgid=alex tty=pts0 ses=272 comm=rm exe=/bin/rm subj=user_u:system_r:unconfined_t:s0 key=alex-home
Just what I was looking for. :-)