07-23-2008 04:22 AM
help me configure auditd
I want to audit all the read/write operations in /tmp. I did the following:
# cat /etc/auditd.rules
-D
-b 256
-e 1
-w /tmp -p rwx -k CFG_tmp
# chkconfig auditd on
# rcauditd start
Now I log in as user "faisal", create a file and delete that file under /tmp:
$ cd /tmp
$ touch new.txt
$ rm new.txt
Then I run the following command. Its output is massive/verbose/detailed... I don't want all those details; all of them are useless to me.
Please help me configure the audit daemon the way I want ;) I am more concerned about the more-than-required information, because it means that the audit daemon is doing more work than I want, so please help me configure the daemon properly.
# ausearch -k CFG_tmp -i
----
type=PATH msg=audit(07/23/08 17:41:37.578:1466) : item=1 name=new.txt inode=205172 dev=08:06 mode=file,644 ouid=faisal ogid=users rdev=00:00
type=PATH msg=audit(07/23/08 17:41:37.578:1466) : item=0 name=/tmp inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:41:37.578:1466) : cwd=/tmp
type=SYSCALL msg=audit(07/23/08 17:41:37.578:1466) : arch=x86_64 syscall=open success=yes exit=0 a0=7fff00e4e52c a1=941 a2=1b6 a3=0 items=2 ppid=23629 pid=23662 auid=unknown(4294967295) uid=faisal gid=users euid=faisal suid=faisal fsuid=faisal egid=users sgid=users fsgid=users tty=tty2 comm=touch exe=/bin/touch key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:41:40.778:1467) : item=1 name=new.txt inode=205172 dev=08:06 mode=file,644 ouid=faisal ogid=users rdev=00:00
type=PATH msg=audit(07/23/08 17:41:40.778:1467) : item=0 name=/tmp inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:41:40.778:1467) : cwd=/tmp
type=SYSCALL msg=audit(07/23/08 17:41:40.778:1467) : arch=x86_64 syscall=unlink success=yes exit=0 a0=7fffafba653a a1=2 a2=2 a3=0 items=2 ppid=23629 pid=23664 auid=unknown(4294967295) uid=faisal gid=users euid=faisal suid=faisal fsuid=faisal egid=users sgid=users fsgid=users tty=tty2 comm=rm exe=/bin/rm key="CFG_tmp"
Then all the useless stuff starts, through to the end ...
type=PATH msg=audit(07/23/08 17:45:49.801:1470) : item=1 name=/tmp/sv94.tmp inode=205821 dev=08:06 mode=dir,755 ouid=root ogid=root rdev=00:00
type=PATH msg=audit(07/23/08 17:45:49.801:1470) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:45:49.801:1470) : cwd=/root
type=SYSCALL msg=audit(07/23/08 17:45:49.801:1470) : arch=i386 syscall=rmdir per=400000 success=yes exit=0 a0=ffb6384c a1=f6d1a158 a2=f756c5d0 a3=0 items=2 ppid=1 pid=23132 auid=unknown(4294967295) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=soffice.bin exe=/usr/lib/ooo-2.0/program/soffice.bin key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:45:49.865:1471) : item=1 name=/tmp/OSL_PIPE_0_SingleOfficeIPC_6474b982b398a01e2cba5b2 c351464e inode=205779 dev=08:06 mode=socket,755 ouid=root ogid=root rdev=00:00
type=PATH msg=audit(07/23/08 17:45:49.865:1471) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:45:49.865:1471) : cwd=/root
type=SYSCALL msg=audit(07/23/08 17:45:49.865:1471) : arch=i386 syscall=unlink per=400000 success=yes exit=0 a0=8154e24 a1=2 a2=f756c5d0 a3=8154e20 items=2 ppid=1 pid=23132 auid=unknown(4294967295) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=soffice.bin exe=/usr/lib/ooo-2.0/program/soffice.bin key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:48:55.397:1472) : item=1 name=/tmp/nroff.p23814 inode=205822 dev=08:06 mode=dir,700 ouid=man ogid=man rdev=00:00
type=PATH msg=audit(07/23/08 17:48:55.397:1472) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:48:55.397:1472) : cwd=/usr/share/man
type=SYSCALL msg=audit(07/23/08 17:48:55.397:1472) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=502010 a1=1c0 a2=0 a3=0 items=2 ppid=23808 pid=23814 auid=unknown(4294967295) uid=man gid=man euid=man suid=man fsuid=man egid=man sgid=man fsgid=man tty=pts0 comm=mktemp exe=/bin/mktemp key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:48:55.501:1473) : item=1 name=/tmp/nroff.p23814 inode=205822 dev=08:06 mode=dir,700 ouid=man ogid=man rdev=00:00
type=PATH msg=audit(07/23/08 17:48:55.501:1473) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:48:55.501:1473) : cwd=/usr/share/man
type=SYSCALL msg=audit(07/23/08 17:48:55.501:1473) : arch=x86_64 syscall=unlink success=no exit=-21(Is a directory) a0=7fffcb6dde0a a1=7fffcb6dde0a a2=2 a3=0 items=2 ppid=23804 pid=23808 auid=unknown(4294967295) uid=man gid=man euid=man suid=man fsuid=man egid=man sgid=man fsgid=man tty=pts0 comm=rm exe=/bin/rm key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:48:55.501:1474) : item=1 name=/tmp/nroff.p23814 inode=205822 dev=08:06 mode=dir,700 ouid=man ogid=man rdev=00:00
type=PATH msg=audit(07/23/08 17:48:55.501:1474) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:48:55.501:1474) : cwd=/usr/share/man
type=SYSCALL msg=audit(07/23/08 17:48:55.501:1474) : arch=x86_64 syscall=rmdir success=yes exit=0 a0=50e8c0 a1=50e8c0 a2=2 a3=0 items=2 ppid=23804 pid=23808 auid=unknown(4294967295) uid=man gid=man euid=man suid=man fsuid=man egid=man sgid=man fsgid=man tty=pts0 comm=rm exe=/bin/rm key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:49:34.925:1475) : item=1 name=/tmp/nroff.w23845 inode=205822 dev=08:06 mode=dir,700 ouid=man ogid=man rdev=00:00
type=PATH msg=audit(07/23/08 17:49:34.925:1475) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:49:34.925:1475) : cwd=/usr/share/man
type=SYSCALL msg=audit(07/23/08 17:49:34.925:1475) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=502010 a1=1c0 a2=0 a3=0 items=2 ppid=23839 pid=23845 auid=unknown(4294967295) uid=man gid=man euid=man suid=man fsuid=man egid=man sgid=man fsgid=man tty=pts0 comm=mktemp exe=/bin/mktemp key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:49:35.013:1476) : item=1 name=/tmp/nroff.w23845 inode=205822 dev=08:06 mode=dir,700 ouid=man ogid=man rdev=00:00
type=PATH msg=audit(07/23/08 17:49:35.013:1476) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:49:35.013:1476) : cwd=/usr/share/man
type=SYSCALL msg=audit(07/23/08 17:49:35.013:1476) : arch=x86_64 syscall=unlink success=no exit=-21(Is a directory) a0=7fffeb274e0a a1=7fffeb274e0a a2=2 a3=0 items=2 ppid=23835 pid=23839 auid=unknown(4294967295) uid=man gid=man euid=man suid=man fsuid=man egid=man sgid=man fsgid=man tty=pts0 comm=rm exe=/bin/rm key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:49:35.017:1477) : item=1 name=/tmp/nroff.w23845 inode=205822 dev=08:06 mode=dir,700 ouid=man ogid=man rdev=00:00
type=PATH msg=audit(07/23/08 17:49:35.017:1477) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:49:35.017:1477) : cwd=/usr/share/man
type=SYSCALL msg=audit(07/23/08 17:49:35.017:1477) : arch=x86_64 syscall=rmdir success=yes exit=0 a0=50e8c0 a1=50e8c0 a2=2 a3=0 items=2 ppid=23835 pid=23839 auid=unknown(4294967295) uid=man gid=man euid=man suid=man fsuid=man egid=man sgid=man fsgid=man tty=pts0 comm=rm exe=/bin/rm key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:50:21.412:1478) : item=1 name=/tmp/nroff.d23884 inode=205822 dev=08:06 mode=dir,700 ouid=man ogid=man rdev=00:00
type=PATH msg=audit(07/23/08 17:50:21.412:1478) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:50:21.412:1478) : cwd=/usr/share/man
type=SYSCALL msg=audit(07/23/08 17:50:21.412:1478) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=502010 a1=1c0 a2=0 a3=0 items=2 ppid=23878 pid=23884 auid=unknown(4294967295) uid=man gid=man euid=man suid=man fsuid=man egid=man sgid=man fsgid=man tty=pts0 comm=mktemp exe=/bin/mktemp key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:50:21.504:1479) : item=1 name=/tmp/nroff.d23884 inode=205822 dev=08:06 mode=dir,700 ouid=man ogid=man rdev=00:00
type=PATH msg=audit(07/23/08 17:50:21.504:1479) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:50:21.504:1479) : cwd=/usr/share/man
type=SYSCALL msg=audit(07/23/08 17:50:21.504:1479) : arch=x86_64 syscall=unlink success=no exit=-21(Is a directory) a0=7fff4a099e0a a1=7fff4a099e0a a2=2 a3=0 items=2 ppid=23874 pid=23878 auid=unknown(4294967295) uid=man gid=man euid=man suid=man fsuid=man egid=man sgid=man fsgid=man tty=pts0 comm=rm exe=/bin/rm key="CFG_tmp"
----
type=PATH msg=audit(07/23/08 17:50:21.508:1480) : item=1 name=/tmp/nroff.d23884 inode=205822 dev=08:06 mode=dir,700 ouid=man ogid=man rdev=00:00
type=PATH msg=audit(07/23/08 17:50:21.508:1480) : item=0 name=/tmp/ inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:50:21.508:1480) : cwd=/usr/share/man
type=SYSCALL msg=audit(07/23/08 17:50:21.508:1480) : arch=x86_64 syscall=rmdir success=yes exit=0 a0=50e8c0 a1=50e8c0 a2=2 a3=0 items=2 ppid=23874 pid=23878 auid=unknown(4294967295) uid=man gid=man euid=man suid=man fsuid=man egid=man sgid=man fsgid=man tty=pts0 comm=rm exe=/bin/rm key="CFG_tmp"
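The records above are noisy because `-w /tmp -p rwx` records everything any process does there, including root daemons such as soffice.bin and the `man` helper running as user man. As an added example that is not code from the original post or from any reply, the shell script below writes a replacement rule set that keys on the login UID (auid), so that only real user sessions are recorded, and loads it when run as root. Values it assumes that the page does not give: regular accounts start at UID 1000 (`UID_MIN` in /etc/login.defs), the kernel and auditctl support `-F dir=` recursive directory rules, and the rules file path (`/etc/audit/audit.rules` on later releases; older SUSE releases read `/etc/audit.rules`).

```shell
#!/bin/sh
# Added example, not code from the original post: generate an audit rule set
# that records /tmp activity of logged-in users only, so that daemons such as
# soffice.bin or the "man" helper do not flood the log.
#
# Assumptions (not stated on the page):
#   * regular accounts start at UID 1000 (check UID_MIN in /etc/login.defs);
#   * kernel and auditctl support "-F dir=" recursive directory rules;
#   * pam_loginuid.so is in the login PAM stacks, so auid is set for logins
#     (the post's records show auid=unknown, i.e. it was NOT set there).
set -eu

UID_MIN="${UID_MIN:-1000}"
UNSET_AUID=4294967295          # auid of processes that never logged in (daemons)
SYSCALLS="-S open -S openat -S creat -S unlink -S unlinkat -S mkdir -S mkdirat -S rmdir -S rename -S renameat"

# write_tmp_rules FILE: write the rule set to FILE (e.g. /etc/audit/audit.rules;
# older SUSE releases read /etc/audit.rules instead).
write_tmp_rules() {
    cat > "$1" <<EOF
## Drop existing rules; 256 is a small backlog, dropped events show up as "backlog limit exceeded"
-D
-b 8192
## /tmp operations by real login sessions only. One line per ABI, because the
## post shows both x86_64 and i386 processes; a rule without -F arch is ambiguous.
-a always,exit -F arch=b64 ${SYSCALLS} -F dir=/tmp -F auid>=${UID_MIN} -F auid!=${UNSET_AUID} -k CFG_tmp
-a always,exit -F arch=b32 ${SYSCALLS} -F dir=/tmp -F auid>=${UID_MIN} -F auid!=${UNSET_AUID} -k CFG_tmp
## Enable the audit system
-e 1
EOF
}

# loginuid_configured: succeed if some PAM service loads pam_loginuid.so;
# without it every process keeps auid unset and the auid filters match nothing.
loginuid_configured() {
    grep -qs 'pam_loginuid' /etc/pam.d/* 2>/dev/null
}

# load_rules FILE: load the rules into the running kernel (root only) and show
# what is active afterwards.
load_rules() {
    auditctl -R "$1"
    auditctl -l
}

# Usage: sh this.sh RULES_FILE   (writes the file, then loads it when run as root)
if [ "${1:-}" != "" ]; then
    write_tmp_rules "$1"
    loginuid_configured || echo "warning: pam_loginuid.so not found in /etc/pam.d; auid filters will match nothing" >&2
    if [ "$(id -u)" -eq 0 ] && command -v auditctl >/dev/null 2>&1; then
        load_rules "$1"
    else
        echo "rules written to $1 but not loaded (need root and auditctl)" >&2
    fi
fi
```

Note the `auid=unknown(4294967295)` in every record above, including faisal's own tty2 session: the login UID was never set on that host, which means pam_loginuid.so is not in its PAM login stacks. Until `session required pam_loginuid.so` is added to the relevant /etc/pam.d services (login, sshd, the display manager), the auid filters match nothing; substitute `-F uid>=1000` for the two auid fields in the meantime. Verify what is loaded with `auditctl -l`, repeat the touch/rm test, and run `ausearch -k CFG_tmp -i`; `ausearch -k CFG_tmp -ua faisal -i` narrows the output to one user.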
2 REPLIES
07-23-2008 06:21 AM
Re: help me configure auditd
You must not add a watch for directories; please see man auditctl:
The way that watches work is by tracking the inode internally. This means that if you put a watch on a directory, you will see what appears to be file events, but it is really just the updating of meta data. You might miss a few events by doing this. If you need to watch all files in a directory, its recommended to place an individual watch on each file.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
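As an added example that is not code from the reply above, the shell script below turns "place an individual watch on each file" into a generated rule file, using the same `-w FILE -p rwx -k KEY` syntax the original post used, and loads it with `auditctl -R` when run as root. The directory, key and output path are arguments; nothing else is assumed beyond a POSIX `find`.

```shell
#!/bin/sh
# Added example, not code from the reply: generate one audit watch per file
# under a directory, as man auditctl recommends instead of watching the
# directory inode itself.
set -eu

# per_file_watches DIR KEY: print one "-w FILE -p rwx -k KEY" line per regular
# file currently under DIR (recursively), sorted for a stable rule file.
# r/w/x = read, write, execute; paths containing newlines are not handled.
per_file_watches() {
    dir=$1
    key=$2
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf -- '-w %s -p rwx -k %s\n' "$f" "$key"
    done
}

# install_watches DIR KEY FILE: write the generated rules to FILE and, when run
# as root on a host with auditctl, load them and list what is now active.
install_watches() {
    per_file_watches "$1" "$2" > "$3"
    if [ "$(id -u)" -eq 0 ] && command -v auditctl >/dev/null 2>&1; then
        auditctl -R "$3"
        auditctl -l
    else
        echo "rules written to $3 (not loaded: need root and auditctl)" >&2
    fi
}

# Usage: sh this.sh DIR KEY OUTFILE   e.g.  sh this.sh /tmp CFG_tmp /etc/audit/tmp.rules
if [ $# -eq 3 ]; then
    install_watches "$1" "$2" "$3"
fi
```

Each `-w` line is a watch on the inode that exists when the rules are loaded, so files created afterwards are not covered; for a directory that churns as much as /tmp the file has to be regenerated and reloaded (after `auditctl -D`, since loading the same watch twice is an error). Where the kernel supports it, a recursive `-F dir=/tmp` syscall rule covers new files without regeneration.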
07-24-2008 07:55 PM
Re: help me configure auditd
Thanks, dear Ivan, for the help.
OK
In fact I have to check who has accessed what other than their own home directory within /home, i.e. if a user "john" accesses an object (file) other than /home/john, the information will be logged.
We just want to monitor activities within /home.
Is it possible?