SLES 12 SP4 auditd does not work like intended



DerJudge
13-Apr-2019, 09:27
Hi everyone,

I'm just starting to dig into auditd for the first time. In doing so, I'm hitting a few issues that I do not understand and cannot find a proper answer to on the internet. I hope this group of experienced experts has answers to my questions:

In https://www.suse.com/documentation/sles-12/book_security/data/sec_audit_scenauconf.html it says two different things, as I understand it:

First:

Creating watches on a directory is not necessarily sufficient if you need events for file access. Events on directory access are only triggered when the directory's inode is updated with metadata changes. To trigger events on file access, add watches for each file to monitor.

But second, in the example below:

-w /var/log/audit/
Set a watch on the directory where the audit log is located. Trigger an event for any type of access attempt to this directory. If you are using log rotation, add watches for the rotated logs as well.


This is my config:

# auditctl -l
-a never,task
-w /etc -p rwxa -k etc
#

When I chdir into /etc and execute "ls" (which should match "r" and/or "x"), nothing is written to the auditd log. First question: Why not?

When I change the config to the following:

# auditctl -l
-a never,task
-w /etc -p rwxa -k etc
-w /etc/fstab -p wa -k fstab

and then open /etc/fstab in vim, change and save the file, I receive this:

type=CONFIG_CHANGE msg=audit(1555143757.679:37528): auid=1285194 ses=842 op=updated_rules path="/etc/fstab" key="fstab" list=4 res=1 AUID="richtm1"
type=CONFIG_CHANGE msg=audit(1555143757.679:37529): auid=1285194 ses=842 op=updated_rules path="/etc/fstab" key="fstab" list=4 res=1 AUID="richtm1"

Second question: Why does it state "CONFIG_CHANGE"?

When I then, with the same config for /etc/fstab, do this, nothing is written to the log, even though the file is changed by it:

# echo "" >> /etc/fstab
#

Third question: Why is that? How can I audit file changes independently of the way/tool they were changed with? How can I configure auditd to log this particular change?

Thanks for your help!
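Added example (not the poster's code, nor SUSE's): a Python parser for the audit record format quoted in the post, which separates the CONFIG_CHANGE/op=updated_rules records seen above (the kernel re-attaching a watch after the watched path got a new inode) from real SYSCALL+PATH access events, plus a check of the `auditctl -l` output for `-a never,task`, which suppresses audit context for processes created after it is loaded, so that -w watches (matched at syscall exit) record nothing for those processes. The rule list and log lines are constructed after the post's; the SYSCALL and PATH lines are invented to show what an access event looks like.

```python
import re
from collections import defaultdict

# Sample input, constructed after the rule list and log records in the post above.
SAMPLE_RULES = "-a never,task\n-w /etc -p rwxa -k etc\n-w /etc/fstab -p wa -k fstab\n"
SAMPLE_LOG = (
    'type=CONFIG_CHANGE msg=audit(1555143757.679:37528): auid=1285194 ses=842 op=updated_rules path="/etc/fstab" key="fstab" list=4 res=1\n'
    'type=SYSCALL msg=audit(1555150000.123:37600): arch=c000003e syscall=257 success=yes exit=3 comm="bash" exe="/bin/bash" key="fstab"\n'
    'type=PATH msg=audit(1555150000.123:37600): item=0 name="/etc/fstab" inode=12345 mode=0100644 nametype=NORMAL\n'
)

RECORD_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare

def parse_record(line: str) -> dict[str, str]:
    """Split one audit record into type, timestamp, serial and its key=value fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    rec = {"type": m["type"], "timestamp": m["ts"], "serial": m["serial"]}
    for key, quoted, bare in FIELD_RE.findall(m["body"]):
        rec[key] = bare if bare else quoted
    return rec

def summarize_events(log: str) -> list[dict[str, str]]:
    """Group records by serial number (one event each) and say what each event is."""
    by_serial: dict[str, list[dict[str, str]]] = defaultdict(list)
    for rec in map(parse_record, filter(str.strip, log.splitlines())):
        by_serial[rec["serial"]].append(rec)
    events = []
    for serial, recs in sorted(by_serial.items(), key=lambda kv: int(kv[0])):
        types = {r["type"] for r in recs}
        merged = {k: v for r in recs for k, v in r.items()}
        # op=updated_rules: the kernel re-attached the watch to a replaced inode (an editor wrote
        # a new file and renamed it over the old one). The access itself is SYSCALL + PATH records.
        kind = ("watch-refreshed" if merged.get("op") == "updated_rules"
                else "file-access" if {"SYSCALL", "PATH"} <= types else "other")
        events.append({"serial": serial, "kind": kind, "key": merged.get("key", ""),
                       "path": merged.get("path") or merged.get("name", "")})
    return events

def check_rules(rules: str) -> list[str]:
    """Flag '-a never,task' (either field order), which stops watches firing for new processes."""
    bad = []
    for line in rules.splitlines():
        parts = line.split()
        if parts[:1] == ["-a"] and len(parts) > 1 and set(parts[1].split(",")) == {"never", "task"}:
            bad.append(f"{line!r}: new processes get no audit context, so -w watches record nothing for them")
    return bad
```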

Automatic Reply
19-Apr-2019, 05:30
DerJudge,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

These forums are peer-to-peer, best effort, volunteer run, and if your issue
is urgent or not getting a response, you might try one of the following options:

- Visit http://www.suse.com/support and search the knowledgebase and/or check all
the other support options available.
- Open a service request: https://www.suse.com/support
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.suse.com)

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.suse.com/faq.php

If this is a reply to a duplicate posting or otherwise posted in error, please
ignore and accept our apologies and rest assured we will issue a stern reprimand
to our posting bot.

Good luck!

Your SUSE Forums Team
http://forums.suse.com