Re: auditing subsystem

From: Chris Wright
Date: Fri Mar 04 2005 - 01:43:48 EST


* Russell Miller (rmiller@xxxxxxxxxxxx) wrote:
> I've been doing a lot of research on this, and I keep coming up with things
> that don't work, have been abandoned, or are almost impossible to find or get
> working. So I'll ask here. Maybe one of the ultra-elightened linux gods
> will have a ready answer.

You'll have better luck using linux-audit list.

> I want to be able to audit system calls - I want to log when files are opened,
> created, changed, deleted, etc. Preferably I would like to do it without
> having to apply kernel patches, using vanilla (or close to vanilla) kernel.
> If this isn't possible, my net preference is to use a module. If this isn't
> possible, well, I'll do what I have to.

No patches needed (although you will want 2.6.11 because the inode filter
was busted, and you'll likely want to use it), for opened anyway. You'll
need an additional auditfs patch for created/deleted/changed(for more
than just knowing open w/ write access) and it's not a stable patch yet.

> I notice there is a CONFIG_AUDIT option. Is this what I am looking for, and
> how do I use it? /dev/audit seems not to work...

You'll need auditd, auditctl, and some rules to capture what you care
about.

For example:

To watch accesses to /etc/passwd (not creation/deletion events).

# auditd
# auditctl -a entry,possible -S open
# auditctl -a exit,always -S open -F inode=(inode of /etc/passwd)

--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/