NISPOM Auditing
Steve Grubb
sgrubb at redhat.com
Wed May 21 17:14:32 UTC 2008
On Wednesday 21 May 2008 12:01:52 Mathis, Jim wrote:
> Is there a way to setup a watch log to report if a user attempted to
> "cd" to a directory that they didn't have permission to access.
No, a watch applies to file ops and not the chdir syscall. However, you can
create a syscall audit rule that works sometimes:
-a always,exit -S chdir -F path=/dir/dir1/dir2 -k evil-cd
This will catch the case where they have permission to cd into that directory.
But if they don't have permission to go beyond dir in the above example, then
you have to resort to something more like:
-a always,exit -S chdir -F exit=-EACCES -k evil-cd
Which gets it and every other cd that fails due to permissions. This is
because the path lookup inside the kernel never completes due to permissions,
so the audit system has no full path to check against. You can cut down the
false positives by adding -F auid>=500. And also use the -F arch=b32 and
b64 for biarch systems.
-Steve
More information about the Linux-audit
mailing list