Re: help me configure auditd

Maaz
Valued Contributor

help me configure auditd

I want to audit all the read/write operations in /tmp. I did the following:
# cat /etc/auditd.rules
-D
-b 256
-e 1
-w /tmp -p rwx -k CFG_tmp

# chkconfig auditd on
# rcauditd on

Now I log in as user "faisal", create a file and delete that file under /tmp:
$ cd /tmp
$ touch new.txt
$ rm new.txt

Then I run the following command. Its output is very massive/verbose/detailed... I don't want all those details; all of them are useless for me.

Please help me configure the audit daemon as I want ;) I am more concerned about the more-than-required information because it means that the audit daemon is doing more work than I want, so please help me configure the daemon properly.

# ausearch -k CFG_tmp -i
----
type=PATH msg=audit(07/23/08 17:41:37.578:1466) : item=1 name=new.txt inode=205172 dev=08:06 mode=file,644 ouid=faisal ogid=users rdev=00:00
type=PATH msg=audit(07/23/08 17:41:37.578:1466) : item=0 name=/tmp inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:41:37.578:1466) : cwd=/tmp
type=SYSCALL msg=audit(07/23/08 17:41:37.578:1466) : arch=x86_64 syscall=open success=yes exit=0 a0=7fff00e4e52c a1=941 a2=1b6 a3=0 items=2 ppid=23629 pid=23662 auid=unknown(4294967295) uid=faisal gid=users euid=faisal suid=faisal fsuid=faisal egid=users sgid=users fsgid=users tty=tty2 comm=touch exe=/bin/touch key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:41:40.778:1467) : item=1 name=new.txt inode=205172 dev=08:06 mode=file,644 ouid=faisal ogid=users rdev=00:00
type=PATH msg=audit(07/23/08 17:41:40.778:1467) : item=0 name=/tmp inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:41:40.778:1467) : cwd=/tmp
type=SYSCALL msg=audit(07/23/08 17:41:40.778:1467) : arch=x86_64 syscall=unlink success=yes exit=0 a0=7fffafba653a a1=2 a2=2 a3=0 items=2 ppid=23629 pid=23664 auid=unknown(4294967295) uid=faisal gid=users euid=faisal suid=faisal fsuid=faisal egid=users sgid=users fsgid=users tty=tty2 comm=rm exe=/bin/rm key="CFG_tmp"

Here all the useless stuff starts, till the end ...

type=PATH msg=audit(07/23/08 17:45:49.801:1470) : item=1 name=/tmp/sv94.tmp inode=205821 dev=08:06 mode=dir,755 ouid=root ogid=root rdev=00:00
type=PATH msg=audit(07/23/08 17:45:49.801:1470) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:45:49.801:1470) : cwd=/root
type=SYSCALL msg=audit(07/23/08 17:45:49.801:1470) : arch=i386 syscall=rmdir per=400000 success=yes exit=0 a0=ffb6384c a1=f6d1a158 a2=f756c5d0 a3=0 items=2 ppid=1 pid=23132 auid=unknown(4294967295) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=soffice.bin exe=/usr/lib/ooo-2.0/program/soffice.bin key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:45:49.865:1471) : item=1 name=/tmp/OSL_PIPE_0_SingleOfficeIPC_6474b982b398a01e2cba5b2c351464e inode=205779 dev=08:06 mode=socket,755 ouid=root ogid=root rdev=00:00
type=PATH msg=audit(07/23/08 17:45:49.865:1471) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:45:49.865:1471) : cwd=/root
type=SYSCALL msg=audit(07/23/08 17:45:49.865:1471) : arch=i386 syscall=unlink per=400000 success=yes exit=0 a0=8154e24 a1=2 a2=f756c5d0 a3=8154e20 items=2 ppid=1 pid=23132 auid=unknown(4294967295) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=soffice.bin exe=/usr/lib/ooo-2.0/program/soffice.bin key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:48:55.397:1472) : item=1 name=/tmp/nroff.p23814 inode=205822 dev=08:06 mode=dir,700 ouid=man ogid=man rdev=00:00
type=PATH msg=audit(07/23/08 17:48:55.397:1472) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:48:55.397:1472) : cwd=/usr/share/man
type=SYSCALL msg=audit(07/23/08 17:48:55.397:1472) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=502010 a1=1c0 a2=0 a3=0 items=2 ppid=23808 pid=23814 auid=unknown(4294967295) uid=man gid=man euid=man suid=man fsuid=man egid=man sgid=man fsgid=man tty=pts0 comm=mktemp exe=/bin/mktemp key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:48:55.501:1473) : item=1 name=/tmp/nroff.p23814 inode=205822 dev=08:06 mode=dir,700 ouid=man ogid=man rdev=00:00
type=PATH msg=audit(07/23/08 17:48:55.501:1473) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:48:55.501:1473) : cwd=/usr/share/man
type=SYSCALL msg=audit(07/23/08 17:48:55.501:1473) : arch=x86_64 syscall=unlink success=no exit=-21(Is a directory) a0=7fffcb6dde0a a1=7fffcb6dde0a a2=2 a3=0 items=2 ppid=23804 pid=23808 auid=unknown(4294967295) uid=man gid=man euid=man suid=man fsuid=man egid=man sgid=man fsgid=man tty=pts0 comm=rm exe=/bin/rm key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:48:55.501:1474) : item=1 name=/tmp/nroff.p23814 inode=205822 dev=08:06 mode=dir,700 ouid=man ogid=man rdev=00:00
type=PATH msg=audit(07/23/08 17:48:55.501:1474) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:48:55.501:1474) : cwd=/usr/share/man
type=SYSCALL msg=audit(07/23/08 17:48:55.501:1474) : arch=x86_64 syscall=rmdir success=yes exit=0 a0=50e8c0 a1=50e8c0 a2=2 a3=0 items=2 ppid=23804 pid=23808 auid=unknown(4294967295) uid=man gid=man euid=man suid=man fsuid=man egid=man sgid=man fsgid=man tty=pts0 comm=rm exe=/bin/rm key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:49:34.925:1475) : item=1 name=/tmp/nroff.w23845 inode=205822 dev=08:06 mode=dir,700 ouid=man ogid=man rdev=00:00
type=PATH msg=audit(07/23/08 17:49:34.925:1475) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:49:34.925:1475) : cwd=/usr/share/man
type=SYSCALL msg=audit(07/23/08 17:49:34.925:1475) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=502010 a1=1c0 a2=0 a3=0 items=2 ppid=23839 pid=23845 auid=unknown(4294967295) uid=man gid=man euid=man suid=man fsuid=man egid=man sgid=man fsgid=man tty=pts0 comm=mktemp exe=/bin/mktemp key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:49:35.013:1476) : item=1 name=/tmp/nroff.w23845 inode=205822 dev=08:06 mode=dir,700 ouid=man ogid=man rdev=00:00
type=PATH msg=audit(07/23/08 17:49:35.013:1476) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:49:35.013:1476) : cwd=/usr/share/man
type=SYSCALL msg=audit(07/23/08 17:49:35.013:1476) : arch=x86_64 syscall=unlink success=no exit=-21(Is a directory) a0=7fffeb274e0a a1=7fffeb274e0a a2=2 a3=0 items=2 ppid=23835 pid=23839 auid=unknown(4294967295) uid=man gid=man euid=man suid=man fsuid=man egid=man sgid=man fsgid=man tty=pts0 comm=rm exe=/bin/rm key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:49:35.017:1477) : item=1 name=/tmp/nroff.w23845 inode=205822 dev=08:06 mode=dir,700 ouid=man ogid=man rdev=00:00
type=PATH msg=audit(07/23/08 17:49:35.017:1477) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:49:35.017:1477) : cwd=/usr/share/man
type=SYSCALL msg=audit(07/23/08 17:49:35.017:1477) : arch=x86_64 syscall=rmdir success=yes exit=0 a0=50e8c0 a1=50e8c0 a2=2 a3=0 items=2 ppid=23835 pid=23839 auid=unknown(4294967295) uid=man gid=man euid=man suid=man fsuid=man egid=man sgid=man fsgid=man tty=pts0 comm=rm exe=/bin/rm key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:50:21.412:1478) : item=1 name=/tmp/nroff.d23884 inode=205822 dev=08:06 mode=dir,700 ouid=man ogid=man rdev=00:00
type=PATH msg=audit(07/23/08 17:50:21.412:1478) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:50:21.412:1478) : cwd=/usr/share/man
type=SYSCALL msg=audit(07/23/08 17:50:21.412:1478) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=502010 a1=1c0 a2=0 a3=0 items=2 ppid=23878 pid=23884 auid=unknown(4294967295) uid=man gid=man euid=man suid=man fsuid=man egid=man sgid=man fsgid=man tty=pts0 comm=mktemp exe=/bin/mktemp key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:50:21.504:1479) : item=1 name=/tmp/nroff.d23884 inode=205822 dev=08:06 mode=dir,700 ouid=man ogid=man rdev=00:00
type=PATH msg=audit(07/23/08 17:50:21.504:1479) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:50:21.504:1479) : cwd=/usr/share/man
type=SYSCALL msg=audit(07/23/08 17:50:21.504:1479) : arch=x86_64 syscall=unlink success=no exit=-21(Is a directory) a0=7fff4a099e0a a1=7fff4a099e0a a2=2 a3=0 items=2 ppid=23874 pid=23878 auid=unknown(4294967295) uid=man gid=man euid=man suid=man fsuid=man egid=man sgid=man fsgid=man tty=pts0 comm=rm exe=/bin/rm key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:50:21.508:1480) : item=1 name=/tmp/nroff.d23884 inode=205822 dev=08:06 mode=dir,700 ouid=man ogid=man rdev=00:00
type=PATH msg=audit(07/23/08 17:50:21.508:1480) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:50:21.508:1480) : cwd=/usr/share/man
type=SYSCALL msg=audit(07/23/08 17:50:21.508:1480) : arch=x86_64 syscall=rmdir success=yes exit=0 a0=50e8c0 a1=50e8c0 a2=2 a3=0 items=2 ppid=23874 pid=23878 auid=unknown(4294967295) uid=man gid=man euid=man suid=man fsuid=man egid=man sgid=man fsgid=man tty=pts0 comm=rm exe=/bin/rm key="CFG_tmp"
Ivan Ferreira
Honored Contributor

Re: help me configure auditd

You must not add a watch for directories; please see man auditctl:

The way that watches work is by tracking the inode internally. This means that if you put a watch on a directory, you will see what appears to be file events, but it is really just the updating of metadata. You might miss a few events by doing this. If you need to watch all files in a directory, it's recommended to place an individual watch on each file.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Maaz
Valued Contributor

Re: help me configure auditd

Thanks, dear Ivan, for the help.

OK.

In fact, I have to check who accesses what other than their own home directory within /home, i.e. if a user "john" accesses an object (file) other than /home/john, the information will be logged.

We just want to monitor activities within /home.

Is it possible?
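Two things asked in this thread can be handled on the reporting side without changing the rules: collapsing the multi-record `ausearch -i` output into one line per event (the verbosity complaint in the first post) and, for a watch on /home, flagging accesses by a user to a home directory that is not their own (the question in the last post). The script below is an added example, not code from the thread or from the audit package. It parses records in the `ausearch -i` format shown above, groups them by audit serial number, resolves the target path against the CWD record, drops events from accounts you have decided are expected noise (in the thread, root's soffice.bin and the `man` user's mktemp/rm), and checks for cross-home accesses on the assumption that home directories are named `/home/<user>`. The sample data is constructed: the first two events are copied from the thread with the `a0..a3` arguments dropped; the `/home` events, user names and the key `CFG_home` are made up.

```python
"""Compact summaries and a cross-home check over `ausearch -i` output.
Added example, not from the thread; SAMPLE below is constructed."""
import posixpath
import re
from collections import defaultdict

# key=value pairs; a value may carry a parenthesised suffix with spaces,
# e.g. exit=-21(Is a directory) or auid=unknown(4294967295)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|[^\s(]+(?:\([^)]*\))?)')
MSG_RE = re.compile(r'audit\((.+):(\d+)\)')   # audit(<timestamp>:<serial>)

SAMPLE = """\
----
type=PATH msg=audit(07/23/08 17:41:37.578:1466) : item=1 name=new.txt inode=205172 dev=08:06 mode=file,644 ouid=faisal ogid=users rdev=00:00
type=PATH msg=audit(07/23/08 17:41:37.578:1466) : item=0 name=/tmp inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:41:37.578:1466) : cwd=/tmp
type=SYSCALL msg=audit(07/23/08 17:41:37.578:1466) : arch=x86_64 syscall=open success=yes exit=0 items=2 ppid=23629 pid=23662 auid=unknown(4294967295) uid=faisal gid=users euid=faisal tty=tty2 comm=touch exe=/bin/touch key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:48:55.501:1473) : item=1 name=/tmp/nroff.p23814 inode=205822 dev=08:06 mode=dir,700 ouid=man ogid=man rdev=00:00
type=PATH msg=audit(07/23/08 17:48:55.501:1473) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:48:55.501:1473) : cwd=/usr/share/man
type=SYSCALL msg=audit(07/23/08 17:48:55.501:1473) : arch=x86_64 syscall=unlink success=no exit=-21(Is a directory) items=2 ppid=23804 pid=23808 auid=unknown(4294967295) uid=man gid=man euid=man tty=pts0 comm=rm exe=/bin/rm key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 18:02:11.100:1501) : item=0 name=/home/mary/notes.txt inode=301 dev=08:06 mode=file,644 ouid=mary ogid=users rdev=00:00
type=CWD msg=audit(07/23/08 18:02:11.100:1501) : cwd=/home/john
type=SYSCALL msg=audit(07/23/08 18:02:11.100:1501) : arch=x86_64 syscall=open success=yes exit=3 items=1 ppid=4000 pid=4001 auid=john uid=john gid=users euid=john tty=pts1 comm=cat exe=/bin/cat key="CFG_home"
----
type=PATH msg=audit(07/23/08 18:02:15.300:1502) : item=0 name=.bashrc inode=302 dev=08:06 mode=file,644 ouid=john ogid=users rdev=00:00
type=CWD msg=audit(07/23/08 18:02:15.300:1502) : cwd=/home/john
type=SYSCALL msg=audit(07/23/08 18:02:15.300:1502) : arch=x86_64 syscall=open success=yes exit=3 items=1 ppid=4000 pid=4002 auid=john uid=john gid=users euid=john tty=pts1 comm=vi exe=/usr/bin/vi key="CFG_home"
"""


def parse_records(text):
    """Group `ausearch -i` lines into one event per audit serial number."""
    events = defaultdict(lambda: {"paths": [], "cwd": None, "syscall": None})
    for line in text.splitlines():
        if not line.startswith("type="):
            continue                      # '----' separators, blank lines
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        ts, serial = MSG_RE.search(fields["msg"]).groups()
        ev = events[int(serial)]
        ev["time"] = ts
        if fields["type"] == "PATH":
            ev["paths"].append((int(fields["item"]), fields["name"]))
        elif fields["type"] == "CWD":
            ev["cwd"] = fields["cwd"]
        elif fields["type"] == "SYSCALL":
            ev["syscall"] = fields
    return [dict(events[s], serial=s) for s in sorted(events)]


def target_path(ev):
    """Object acted on: the highest-numbered PATH item, made absolute via CWD
    (item 0 is the parent directory when a name is created or removed)."""
    if not ev["paths"]:
        return None
    name = max(ev["paths"])[1]
    return posixpath.normpath(posixpath.join(ev["cwd"] or "/", name))


def summarize(events):
    """One line per event: time, user, program, syscall, result, target."""
    out = []
    for ev in events:
        sc = ev["syscall"] or {}
        res = "ok" if sc.get("success") == "yes" else "FAILED " + sc.get("exit", "?")
        out.append(f"{ev['time']} uid={sc.get('uid')} {sc.get('comm')} "
                   f"{sc.get('syscall')} {res} -> {target_path(ev)}")
    return out


def filter_events(events, exclude_uids=(), exclude_exes=()):
    """Drop events from accounts or programs treated as expected noise."""
    return [ev for ev in events if ev["syscall"]
            and ev["syscall"].get("uid") not in exclude_uids
            and ev["syscall"].get("exe") not in exclude_exes]


def cross_home_accesses(events, home_root="/home"):
    """Events where a user touched a path under home_root that is not inside
    their own home. Assumes homes are named home_root/<user> (an assumption)."""
    hits = []
    for ev in events:
        sc, path = ev["syscall"], target_path(ev)
        if not sc or not path or not path.startswith(home_root + "/"):
            continue
        own = posixpath.join(home_root, sc["uid"])
        if path != own and not path.startswith(own + "/"):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    evs = parse_records(SAMPLE)
    for title, subset in (("all events", evs),
                          ("without root/man noise", filter_events(evs, {"root", "man"})),
                          ("cross-home accesses", cross_home_accesses(evs))):
        print(title + ":")
        for line in summarize(subset):
            print("  " + line)
```

On a real box, feed it `ausearch -k CFG_tmp -i` output instead of SAMPLE. Note that in the thread's records `auid` is `unknown(4294967295)`, i.e. the login uid was never set for those sessions (pam_loginuid is not in the login stack), so a rule filter such as `-F auid!=4294967295`, or `ausearch --loginuid`, would silently drop faisal's own events along with the daemons'; the checks above key on `uid` for that reason, and `ausearch -k CFG_tmp -ui faisal -i` does the same at query time.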