Thank you very much, Steve! Very helpful info! I also added some of the variations of the reporting you suggested using ausearch. Good stuff.
N. On Monday, June 25, 2018 4:59:59 PM EDT Skaggs, Nicholas C wrote: > Hello > I noticed in the man page for auditctl, an example of how to monitor > if admins are accessing other user's files. I created a rule like the > one in the example. This is great that it is pulling the action and > user calling the action! > > The rule > -a always,exit -S all -F dir=/home/username/ -F uid=0 -C auid!=obj_uid You might also want to add -F auid>=1000 -F auid!=4294967295 So that you get events caused by people and not system daemons. This might be all that you need to do. > I will pull a report on the findings with aureport -f -i | grep > /home/username/ > > The report is heavier than anticipated so I tried to make an > adjustment to only capture what happens in the directory -a > always,exit -S all -F path=/home/username/ -F uid=0 -C auid!=obj_uid > ... but that is returning with Error sending add rule data request > (Invalid argument) You should use the "dir" option rather than "path". A full example would be: -a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -Steve > I then tried the below rule; it does not return an error upon add, but > when I do an auditctl -l there are no rules listed -a always,exit -S > all -F path=/home/username/ -p=rwxa -F uid=0 -C auid!=obj_uid > > Is there a preferred way to set the rule, maybe on the inode of the > directory, but does not lose the ability to see if an admin is doing > it and what action? I have been adding these on the fly, instead of > adding to the /etc/audit/audit.rules file, for now. > > > Thanks! > Nick Skaggs -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
