auditctl for admin's accessing other user files

[Skaggs, Nicholas C]

Thank you very much, Steve! Very helpful info!

I also added some of the variations of the reporting you suggested using ausearch. Good stuff.

N.

On Monday, June 25, 2018 4:59:59 PM EDT Skaggs, Nicholas C wrote:
> Hello
> I noticed in the man page for auditctl, an example of how to monitor 
> if admins are accessing other user's files. I created a rule like the 
> one in the example. This is great that it is pulling the action and 
> user calling the action!
> 
> The rule
> -a always,exit -S all -F dir=/home/username/ -F uid=0 -C auid!=obj_uid

You might also want to add     -F auid>=1000 -F auid!=4294967295
So that you get events caused by people and not system daemons. This might be all that you need to do.

> I will pull a report on the findings with aureport -f -i | grep 
> /home/username/
> 
> The report is heavier than anticipated so I tried to make an 
> adjustment to only capture what happens in the directory -a 
> always,exit -S all -F path=/home/username/ -F uid=0 -C auid!=obj_uid 
> ... but that is returning with  Error sending add rule data request 
> (Invalid argument)

You should use the "dir" option rather than "path". A full example would be:
-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid

-Steve

> I then tried the below rule; it does not return an error upon add, but 
> when I do an auditctl -l there are no rules listed -a always,exit -S 
> all -F path=/home/username/ -p=rwxa -F uid=0 -C auid!=obj_uid
> 
> Is there a preferred  way to set the rule, maybe on the inode of the 
> directory, but does not lose the ability to see if an admin is doing 
> it and what action?  I have been adding these on the fly, instead of 
> adding to the /etc/audit/audit.rules file, for now.
> 
> 
> Thanks!
> Nick Skaggs