Lockheed Martin Proprietary/Export Controlled Information
Hi, we have what I think is a new but undesirable result trying to audit access failures on files in a NISPOM audit configuration.
We are not seeing audit events for the access failures if the file has a parent directory in the path that blocks access.
If an unprivileged user attempts to change /var/test/bin/file there is no audit event recorded, either for the file or the parent directory /var/test/bin.
Our theory is that the failure to open the /var/test/bin directory causes the audit path to be broken, or something of the like; please excuse my terminology faux pas.
This is happening on the following configuration:
- Kernel - 2.6.18-238.5.1.el5
- Auditd - 1.7.18-2.el5
We have tried the following auditd rules (among others), no change in result:
- -w /var/test/bin/file -p rwxa
- -a exit,always -S open -F path=/var/test/bin/file -F success=0
- -a exit,always -S open -F dir=/var/test/ -F success=0
And this is something new: we have been using watches to audit this file for years with previous kernel and auditd versions, such as:
- Kernel - 2.6.9-100.ELsmp
- Auditd - 1.0.16-4.el4_8.1
On this system we get audit events for access failures using a simple file watch.
Are we missing something obvious?
Thanks for any help!
Tom Call, LMCO
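A log-side check for the situation described in this message, added here as an example and not code from the original post or from the audit project. It assumes that a broader syscall rule (one that filters on success=0 without a -w, -F path or -F dir clause, which are matched on the inode of the watched object) has already captured the failed open, and it then looks for SYSCALL records with success=no whose PATH records name something under a given prefix, flagging whether the kernel ever resolved an inode for that name. A failed lookup that leaves a PATH record with only a name is exactly the shape of event an inode-based watch cannot match. The audit.log lines below are constructed for the example, and the field names follow the standard SYSCALL and PATH record layout.

```python
import errno
import re

# Constructed sample audit.log lines (not from the original post). Serial 101 is a
# failed open (exit=-13, EACCES) whose PATH record carries a name but no inode;
# serial 102 is a successful open with a fully resolved PATH record.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1300000000.100:101): arch=c000003e syscall=2 success=no exit=-13 a0=7fff a1=241 a2=1b6 a3=0 items=1 ppid=100 pid=101 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 comm="cp" exe="/bin/cp" key="test_file"
type=CWD msg=audit(1300000000.100:101): cwd="/home/user"
type=PATH msg=audit(1300000000.100:101): item=0 name="/var/test/bin/file"
type=SYSCALL msg=audit(1300000000.200:102): arch=c000003e syscall=2 success=yes exit=3 a0=7fff a1=0 a2=0 a3=0 items=1 ppid=100 pid=102 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="cat" exe="/bin/cat" key="test_file"
type=PATH msg=audit(1300000000.200:102): item=0 name="/var/test/bin/file" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""

# Record header: type=<TYPE> msg=audit(<timestamp>:<serial>): <body>
_HEADER = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
# key=value pairs; values are either double-quoted strings or bare tokens
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(body):
    """Split an audit record body into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, value in _KV.findall(body):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def group_events(log_text):
    """Group records by audit serial number.

    Returns {serial: {'SYSCALL': {...}, 'CWD': {...}, 'PATH': [{...}, ...]}};
    PATH is always a list because one event may carry several item records."""
    events = {}
    for line in log_text.splitlines():
        m = _HEADER.match(line.strip())
        if not m:
            continue  # skip lines that are not audit records
        ev = events.setdefault(m.group('serial'), {'PATH': []})
        fields = parse_fields(m.group('body'))
        if m.group('type') == 'PATH':
            ev['PATH'].append(fields)
        else:
            ev[m.group('type')] = fields
    return events


def failed_accesses(log_text, prefix):
    """Return failed syscalls whose recorded names fall under prefix.

    Each result carries 'inode_resolved', telling whether any matching PATH
    record has an inode field; an inode-based watch or path filter could only
    have matched the event when one was resolved."""
    results = []
    for serial, ev in sorted(group_events(log_text).items(), key=lambda kv: int(kv[0])):
        sc = ev.get('SYSCALL')
        if not sc or sc.get('success') != 'no':
            continue
        matching = [p for p in ev['PATH'] if p.get('name', '').startswith(prefix)]
        if not matching:
            continue
        exit_code = int(sc.get('exit', '0'))
        results.append({
            'serial': serial,
            'syscall': sc.get('syscall'),
            'exit': exit_code,
            'errno': errno.errorcode.get(-exit_code, 'unknown'),
            'uid': sc.get('uid'),
            'comm': sc.get('comm'),
            'names': [p['name'] for p in matching],
            'inode_resolved': any('inode' in p for p in matching),
        })
    return results


if __name__ == '__main__':
    for hit in failed_accesses(SAMPLE_LOG, '/var/test/'):
        status = 'inode resolved' if hit['inode_resolved'] else 'NO inode recorded'
        print(f"serial {hit['serial']}: uid={hit['uid']} comm={hit['comm']} "
              f"{hit['errno']} on {', '.join(hit['names'])} ({status})")
```

Pointed at a real audit.log, the prefix argument would be the directory being protected; every hit reported with "NO inode recorded" is a failed access that a name-only PATH record documents but that an inode-keyed rule would never have selected, which is the first thing to check when a watch appears to go silent.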