Audit file operations

From MyWiki


Had a request to put controls in place to trace what's going on with some data in a given directory. At first I thought of SELinux, then came across the article and decided to give auditd a try.

Here is what I did after starting the auditd daemon:

auditctl -a exit,always -S all -p war -F dir=/home/alex -F success=0 -F success=1 -k alex-home

This (if I got it correctly) was supposed to give me traces of all syscalls against files in /home/alex. It didn't, for some reason. Need to RTFM and see if I missed something in a hurry.

So, next I asked auditd to 'watch' for it:

auditctl -w /home/alex -p war -k alex-home

and it sure did. Here are a few commands I ran while in /home/alex:

$ cp cpasswd cpasswd.copy
$ rm cpasswd.copy
  rm: remove write-protected regular file `cpasswd.copy'? y

And here is the nice audit trail for the above commands, which I could see after issuing:

ausearch -k alex-home
----
type=PATH msg=audit(05/07/2009 12:45:47.413:2321) : item=0 name=cpasswd
inode=6029477 dev=fd:00 mode=file,500 ouid=alex ogid=alex
rdev=00:00 obj=user_u:object_r:user_home_t:s0
type=CWD msg=audit(05/07/2009 12:45:47.413:2321) :  cwd=/home/alex
type=SYSCALL msg=audit(05/07/2009 12:45:47.413:2321) : arch=x86_64
syscall=open success=yes exit=3 a0=7fffefad1c63 a1=0 a2=0 a3=0 items=1
ppid=24475 pid=24716 auid=alex uid=alex gid=alex euid=alex
suid=alex fsuid=alex egid=alex sgid=alex fsgid=alex
tty=pts0 ses=272 comm=cp exe=/bin/cp subj=user_u:system_r:unconfined_t:s0
key=alex-home
----
type=PATH msg=audit(05/07/2009 12:45:47.413:2322) : item=1
name=cpasswd.copy inode=6029343 dev=fd:00 mode=file,500 ouid=alex
ogid=alex rdev=00:00 obj=user_u:object_r:user_home_t:s0
type=PATH msg=audit(05/07/2009 12:45:47.413:2322) : item=0
name=/home/alex inode=6029319 dev=fd:00 mode=dir,700 ouid=alex
ogid=alex rdev=00:00 obj=user_u:object_r:user_home_dir_t:s0
type=CWD msg=audit(05/07/2009 12:45:47.413:2322) :  cwd=/home/alex
type=SYSCALL msg=audit(05/07/2009 12:45:47.413:2322) : arch=x86_64
syscall=open success=yes exit=4 a0=7fffefad1c6b a1=41 a2=8140 a3=0 items=2
ppid=24475 pid=24716 auid=alex uid=alex gid=alex euid=alex
suid=alex fsuid=alex egid=alex sgid=alex fsgid=alex
tty=pts0 ses=272 comm=cp exe=/bin/cp subj=user_u:system_r:unconfined_t:s0
key=alex-home
----
type=PATH msg=audit(05/07/2009 12:45:51.938:2323) : item=1
name=cpasswd.copy inode=6029343 dev=fd:00 mode=file,500 ouid=alex
ogid=alex rdev=00:00 obj=user_u:object_r:user_home_t:s0
type=PATH msg=audit(05/07/2009 12:45:51.938:2323) : item=0
name=/home/alex inode=6029319 dev=fd:00 mode=dir,700 ouid=alex
ogid=alex rdev=00:00 obj=user_u:object_r:user_home_dir_t:s0
type=CWD msg=audit(05/07/2009 12:45:51.938:2323) :  cwd=/home/alex
type=SYSCALL msg=audit(05/07/2009 12:45:51.938:2323) : arch=x86_64
syscall=unlink success=yes exit=0 a0=7fffcbcf3c6b a1=9962570 a2=2
a3=9962b80 items=2 ppid=24475 pid=24717 auid=alex uid=alex
gid=alex euid=alex suid=alex fsuid=alex egid=alex
sgid=alex fsgid=alex tty=pts0 ses=272 comm=rm exe=/bin/rm
subj=user_u:system_r:unconfined_t:s0 key=alex-home

Just what I was looking for. :-)
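Reading that trail by eye gets old quickly, so here is a small added example (not part of the original page) that parses ausearch output of the shape shown above: it groups PATH, CWD and SYSCALL records by the event serial number inside msg=audit(...), then prints one line per event saying which user and process ran which syscall on which file. The sample records are an abridged copy of the output above (constructed for this example); the grouping logic is a simplification that assumes the highest item index is the file that was operated on.

```python
import re
from collections import defaultdict

# Abridged records taken from the ausearch -k alex-home output above (constructed sample).
SAMPLE = """\
type=PATH msg=audit(05/07/2009 12:45:47.413:2321) : item=0 name=cpasswd inode=6029477 dev=fd:00 mode=file,500 ouid=alex ogid=alex
type=CWD msg=audit(05/07/2009 12:45:47.413:2321) :  cwd=/home/alex
type=SYSCALL msg=audit(05/07/2009 12:45:47.413:2321) : arch=x86_64 syscall=open success=yes exit=3 items=1 ppid=24475 pid=24716 auid=alex uid=alex comm=cp exe=/bin/cp key=alex-home
type=PATH msg=audit(05/07/2009 12:45:51.938:2323) : item=1 name=cpasswd.copy inode=6029343 dev=fd:00 mode=file,500 ouid=alex ogid=alex
type=PATH msg=audit(05/07/2009 12:45:51.938:2323) : item=0 name=/home/alex inode=6029319 dev=fd:00 mode=dir,700 ouid=alex ogid=alex
type=CWD msg=audit(05/07/2009 12:45:51.938:2323) :  cwd=/home/alex
type=SYSCALL msg=audit(05/07/2009 12:45:51.938:2323) : arch=x86_64 syscall=unlink success=yes exit=0 items=2 ppid=24475 pid=24717 auid=alex uid=alex comm=rm exe=/bin/rm key=alex-home
"""

# type=<REC> msg=audit(<timestamp>:<serial>) : <key=value fields>
HEADER = re.compile(r"^type=(\w+) msg=audit\((.+?):(\d+)\) :\s*(.*)$")
FIELD = re.compile(r"(\w+)=(\S+)")

def parse_records(text):
    """Group the fields of every record by the audit event serial number."""
    events = defaultdict(lambda: {"paths": {}})
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = dict(FIELD.findall(body))
        ev = events[int(serial)]
        ev["time"] = ts
        if rtype == "PATH":
            ev["paths"][int(fields["item"])] = fields.get("name")
        elif rtype == "CWD":
            ev["cwd"] = fields["cwd"]
        elif rtype == "SYSCALL":
            ev.update({k: fields.get(k) for k in ("syscall", "success", "auid", "pid", "comm", "exe", "key")})
    return dict(events)

def summarize(events):
    """One line per event: who did what to which file, resolved against the cwd."""
    out = []
    for serial in sorted(events):
        ev = events[serial]
        if "syscall" not in ev or not ev["paths"]:
            continue  # incomplete event, nothing to report
        # With items=2 item 0 is the parent directory; the highest item is the file itself.
        name = ev["paths"][max(ev["paths"])]
        path = name if name.startswith("/") else f"{ev.get('cwd', '')}/{name}"
        out.append(f"{serial} {ev['time']} auid={ev['auid']} {ev['comm']}({ev['pid']}) {ev['syscall']} {path} success={ev['success']}")
    return out

if __name__ == "__main__":
    print("\n".join(summarize(parse_records(SAMPLE))))
```

To run it on a live box, pipe `ausearch -k alex-home` into the script instead of SAMPLE; the record layout is the same.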
