Choosing A Webhost:
A web hosting service is a type of Internet hosting service that allows individuals and organizations to provide their own website accessible via the World Wide Web. Web hosts are companies that provide space on a server they own for use by their clients as well as providing Internet connectivity, typically in a data center. Web hosts can also provide data center space and connectivity to the Internet for servers they do not own to be located in their data center, called colocation. more...
|
Re: Auditing file access below a directory: msg#00145
|
Subject: |
Re: Auditing file access below a directory |
I finally got my new server setup with a dedicated (logical)
partition. I tried setting up auditing on the partition but it
isn't working.
My first suspicion is the version of auditd. I am using the
default that is in RHEL 4 which is 1.0.3. Should this version
work or do I need to upgrade to 1.1-1?
If I do need to upgrade then do you know how to uninstall the previous
version? I tried to install 1.1-1 but after the --rebuild I tried
to double-click the RPMs and it complained about the 1.0.3 version
wanted its lib rpm.
Thanks,
-Mont
On 11/16/05, Steve G <linux_4ever@xxxxxxxxx> wrote:
>I've been looking at auditd/auditctl and it seems like only individual
>files or directories can be watched, but not directory trees.
This is correct. The patches that do file system auditing were rejected and we
were asked to try to combine the hooks with inotify. That was done. I did bring
this up with the audit working group that we should look into this capability
since it seems useful. So, to sum it up...it would need kernel work and that will
take a while.
There is a workaround that may help. If your samba share is on its own partition,
then you can use the devmajor & minor fields in creating an audit rule. For
example, suppose I wanted to do this for /tmp:
[root@endeavor ~]# mount | grep tmp
none on /dev/shm type tmpfs (rw)
/dev/hda8 on /tmp type ext3 (rw)
[root@endeavor ~]# stat /dev/hda8 | grep type
Device:
dh/13d Inode:
919 Links:
1 Device type: 3,8
So the rule would be:
auditctl -a exit,always -S open -F devmajor=3 -F devminor=8
To test:
vi /tmp/gconfd-sgrubb/
ausearch -f gconfd-sgrubb
time->Wed Nov 16 19:17:28 2005
type=PATH msg=audit(1132186648.942:633): name="/tmp/gconfd-sgrubb/" flags=103
inode=16419 dev=03:08 mode=040700 ouid=4325 ogid=4325 rdev=00:00
type=CWD msg=audit(1132186648.942:633): cwd="/root"
type=SYSCALL msg=audit(1132186648.942:633): arch=40000003 syscall=5 success=yes
exit=3 a0=92152b0 a1=18800 a2=3 a3=18800 items=1 pid=2937 auid=4325 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="vim" exe="/usr/bin/vim"
So this works. Hope this helps...
-Steve
__________________________________
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com
|
| |
