On Thursday, September 15, 2011 03:03:06 AM Robin H. Johnson wrote: > In the wake of the kernel.org attack, we're brushing up our security at > Gentoo (I lead our infrastructure/IT team for Gentoo services). One of > our self-identified weaknesses is auditing of changes to files used > elsewhere in our automated verification processes. > > The audit subsystem gives a great general way to do this, but I can't > identify how best to audit changes to a file when the entire path is not > known ahead of time. > > It seems that it would best be accomplished with wildcards: > /var/db/pkg/*/*/CONTENTS
There still is no wildcard support like that. There is auditing of a directory tree which is like /var/* but not /var/*.log. The problem is that file access is on the hotpath inside the kernel. Anything slowing it down will be frowned upon heavily. So, what is done is roughly the equivalent of turning an absolute path into a hash and then doing a hash compare. That is about all the clock cycles the kernel can spare since we do not want a performance hit if it can be avoided. That said, maybe selinux lables can help? If the CONTENTS files had a lable different from other files (perhaps content_t), then you can write a rule something like: -a always,exit -F dir=/var/db/pkg -F obj_type=content_t -k content -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
