Hi, On 09/15/2015 09:15 AM, Steve Grubb wrote: > On Mon, 14 Sep 2015 16:01:17 +0000 > Davíð Steinn Geirsson <[email protected]> wrote: > >> Hi all, >> >> What is the best practice for using auditd for file integrity >> monitoring? >> >> From the documentation, I have this, which works fine: >> -a always,exit -F dir=/bin -F perm=wa >> >> However, it seems that if I have a rule on a nonexistent directory, >> auditd will fail to add the rule (I assume because it's adding a watch >> on an inode or something like that?), but it will also just stop >> reading audit.rules and not add any subsequent rules. >> >> This is bad in an environment where we have to have FIM for critical >> application files, but where another team may be maintaining some of >> the apps and therefore might remove some watched directories, >> especially as their mishaps may impact auditing for other parts of >> the system. >> >> >> Can something be done to get better behaviour here? >> >> I see two ways it could be better >> 1) (the ideal case) auditd will add rules even for nonexistent >> directories, and when they are created will add a watch for them. If a >> directory is removed and another created with the same name, auditd >> will add a watch on the new directory. > > Which kernel are you using? I want to think this was fixed in kernels > around 2.6.36 or later. This original problem was that the audit > watches are based on inotify which needs an inode. If there's no inode, > you can't place the watch.
The machines I'm working with are RHEL6 with 2.6.32, but I just tried with a machine with a 3.18 kernel and got the same behaviour. > > >> 2) auditd still cannot add watches to nonexistent directories, but a >> failed rule add from audit.rules will become a warning rather than an >> error so subsequent watches still get added. > > Check into adding -i or -c near the top of your rules. Thanks, that helps for a workaround. Not sure how I missed that in the manpage. > > -Steve > > >> I suspect 1) is not possible, but can I get auditd to behave like in >> 2)? >> >> Best regards, >> Davíð >> >
signature.asc
Description: OpenPGP digital signature
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
