Re: Auditing file access below a directory

That definitely helps!  I already planned to make this hierarchy have its own partition.

This also gets around the issue of having to know the uid or gid. 
We plan to move to a Fedora Directory Server based solution and thus
creating rules for each user was going to be a problem.

Thanks,
-Mont

On 11/16/05, Steve G <linux_4ever@xxxxxxxxx> wrote:

>I've been looking at auditd/auditctl and it seems like only individual
>files or directories can be watched, but not directory trees.

This is correct. The patches that do file system auditing were rejected and we
were asked to try to combine the hooks with inotify. That was done. I did bring
this up with the audit working group that we should look into this capability
since it seems useful. So, to sum it up...it would need kernel work and that will
take a while.

There is a workaround that may help. If your samba share is on its own partition,
then you can use the devmajor & minor fields in creating an audit rule. For
example, suppose I wanted to do this for /tmp:

[root@endeavor ~]# mount | grep tmp
none on /dev/shm type tmpfs (rw)
/dev/hda8 on /tmp type ext3 (rw)
[root@endeavor ~]# stat /dev/hda8 | grep type
Device: dh/13d  Inode: 919         Links: 1     Device type: 3,8

So the rule would be:
auditctl -a exit,always -S open -F devmajor=3 -F devminor=8

To test:
vi /tmp/gconfd-sgrubb/
ausearch -f gconfd-sgrubb

time->Wed Nov 16 19:17:28 2005
type=PATH msg=audit(1132186648.942:633): name="/tmp/gconfd-sgrubb/" flags=103
inode=16419 dev=03:08 mode=040700 ouid=4325 ogid=4325 rdev=00:00
type=CWD msg=audit(1132186648.942:633):  cwd="/root"
type=SYSCALL msg=audit(1132186648.942:633): arch=40000003 syscall=5 success=yes
exit=3 a0=92152b0 a1=18800 a2=3 a3=18800 items=1 pid=2937 auid=4325 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="vim" exe="/usr/bin/vim"

So this works. Hope this helps...

-Steve




__________________________________
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com