[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Logging failed open() calls on /var/log/audit/audit.log



Hi Robert,

Robert Giles wrote:     [Tue Jun 27 2006, 04:43:10PM EDT]
> Howdy folks - I'm running audit-1.2.2 with the latest audit-current git 
> tree (lspp.b20)...
> 
> The filesystem auditing seems to be working fine for all files *except* 
> the audit.log file.
> 
> For example, I do this:
> auditctl -w /etc/shadow
> auditctl -w /var/log/audit/audit.log
> 
> The audit daemon generates audit events for both successful and failed 
> open() calls to /etc/shadow, but only records *successful* accesses to 
> /var/log/audit/audit.log.
> 
> So if I attempt to access /etc/shadow as a regular user, a "success=no" 
> audit event is generated to indicate read failure - but if a regular user 
> attempts to read /var/log/audit/audit.log, nothing happens (no audit event 
> whatsoever is created).

This is because the regular doesn't have permissions to read
/var/log/audit.  Since the path didn't fully resolve to
/var/log/audit/audit.log, the user didn't actually fail to access
audit.log, they failed to access /var/log/audit.

If you would like to see a record in this case, you must add a watch
for /var/log/audit.

> *Successful* reads of /var/log/audit/audit.log (ie: as super-user) do 
> indeed generate the appropriate audit event in audit.log ("success=yes").
> 
> Is this the way the audit daemon is supposed to work?  (some kind of race 
> condition if the audit daemon fully audits its own audit trail?)
> 
> (this question may seem unusual, but we're trying to audit "unsuccessful 
> attempts to access security-relevant objects"...  the audit trail itself 
> constitutes a "security-relevant object").
> 
> Thanks again!

Hope this helps.

Amy


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]