Hey all,
Been asked from above to monitor and audit certain things on the system, like logins, writes to say /etc/passwd, executing sudo. It was relatively straightforward to set it up so ssh logins/logouts get an audit syslog entry (to be sent to another host for processing). But when it comes to monitoring file writes (as an example), I have set:

    /etc/security/audit_control
        flags:lo,ss,fw

    /etc/security/audit_user
        root:lo,fw:no
        sysadm:fw:no
        auditadm:fw:no
        netadm:fw:no

Which does appear to work with (using /tmp/test file instead of passwd for testing):

    $ echo hello >> /tmp/test
    - write ok session 3799375861 by lundman as root:root obj /tmp/test

Fabulous - but I also get:

    write ok session 3799375861 by lundman as root:root obj /.bash_history
    open(2) - write,trunc ok session 3799375861 by lundman as root:root obj /.bash_history

and that is an awfully large hammer. Is there somewhere/how to reduce the audit down? No way to specify a list of files to monitor? Or filter out what gets a syslog entry sent? Is it only "all or nothing" in this case?

I can certainly run something like:

    # auditreduce -o file=/tmp/test | praudit

and only see entries for specific files. Is the answer to disable audit log, and run a carefully crafted "auditreduce" command from cron which will produce audit syslog entries? That seems cumbersome and delayed. Should I forget audit on the file access parts, and go with fswatcher to send syslog entries?

Any insight? ideas?

Sincerely,
Lund

--
Jorgen Lundman | <lund...@lundman.net>
Unix Administrator | +81 (0)90-5578-8500
Shibuya-ku, Tokyo | Japan

------------------------------------------
illumos: illumos-discuss
Permalink: https://illumos.topicbox.com/groups/discuss/T24246bde0d4cfedf-Mb5d7b23f0625f5cdd6b08b6d
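One way to do the post-filtering the post is asking about, either on the audit host before the records are forwarded or on the collector, as an added example that is not from the post or from illumos: a small sh/awk filter that keeps only the audit syslog records whose "obj" token is on a watch list, so the .bash_history noise is dropped while /etc/passwd writes still get through. The watched paths, the sample records and the logger facility/tag are assumptions; this does not change what auditd records, only what is forwarded.

```shell
#!/bin/sh
# Forward only the audit syslog records that name a watched file.
# Added example, not from the post; paths and sample records are constructed.

# Watched object paths, one per line (constructed list; adjust as needed).
WATCHED_PATHS='/etc/passwd
/etc/shadow
/etc/security/audit_control
/tmp/test'

# Sample records in the format quoted in the post (constructed for this example).
SAMPLE_RECORDS='write ok session 3799375861 by lundman as root:root obj /tmp/test
write ok session 3799375861 by lundman as root:root obj /.bash_history
open(2) - write,trunc ok session 3799375861 by lundman as root:root obj /.bash_history
open(2) - write,trunc ok session 3799375861 by lundman as root:root obj /etc/passwd'

# filter_watched: read records on stdin, print those whose "obj <path>" token
# is exactly a watched path. Paths containing spaces are not handled, and a
# whole-directory match would need a prefix test instead of "in".
filter_watched() {
    awk -v list="$WATCHED_PATHS" '
        BEGIN {
            n = split(list, a, "\n")
            for (i = 1; i <= n; i++) watched[a[i]] = 1
        }
        {
            for (i = 1; i < NF; i++)
                if ($i == "obj" && ($(i + 1) in watched)) { print; next }
        }'
}

# filter_sample: run the constructed sample records through the filter.
filter_sample() {
    printf '%s\n' "$SAMPLE_RECORDS" | filter_watched
}

# forward_watched: the piece you would hook into the pipeline on the audit host
# or collector; re-emits each kept record with logger (facility/tag assumed).
forward_watched() {
    filter_watched | while IFS= read -r rec; do
        logger -t audit-watch -p local0.notice -- "$rec"
    done
}

# Stand-alone run: show which of the sample records survive the filter.
filter_sample
```

Feed the real stream with something like `tail -F /var/adm/audit.log | forward_watched`, substituting whatever file or pipe your audit_syslog plugin writes to.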