Questions regarding the audit service

14-Mar-2013, 18:07
I have been asked to audit all accesses to a certain directory, and its subdirectories, and have some questions. The directory structure is contained in its own filesystem.

Set up:
- The filesystem is mounted at /abcfiles on server1, which runs SLES 11 SP2.
- /abcfiles is in the /etc/exports file to be exported via NFS.
- The filesystem is available to 7 other SLES 11 SP2 servers for read/write access via NFS.
- The server hosting the filesystem and 3 of the other servers are running WAS. There are 4 servers running IBM HTTP Server.

I need to monitor all accesses to the entire directory structure as it contains sensitive data. My research indicates that an audit rule to monitor a directory can't be wildcarded.

Question 1: If I set up an audit rule to monitor who accesses (read, write, execute, attribute changes) the main directory, will it also monitor that directory's subdirectories or do I have to code a specific rule for each subdirectory?

The majority of the accesses to the directory (and its subdirectories) will be from the application running under WAS. The application is allowed to create/delete and read/write any of the files. I am planning on using directory monitoring instead of syscalls (using the -w switch on the rules) as I think I have a better grasp on this method. I feel that the audit.log file will fill up in several minutes due to the application.

Question 2: Is there a way that I can have audit exclude the accesses from the application running under WAS?

Question 3: Would monitoring of syscalls be better? If so, what would the rule(s) look like?

I think that it is a given that I will need to have the same audit rules in place on every server that accesses the directory structure (even those that access via NFS). I read something about the possibility of using NFS logging to do what I need but haven't found much other than the mention.

Question 4: If NFS auditing/logging is the method to use, would it log the accesses from the server hosting the filesystem? I think not but don't know anything about this.



14-Mar-2013, 19:47
Update: I ran some tests and found that specifying rule '-w /abcfiles -p rxwa -k somevalue' will log any access/change made in any subdirectories of '/abcfiles'. So I have answered my 'Question 1'.

15-Mar-2013, 14:36

It turns out that it was much easier than I thought to suppress the writing of file accesses based on uid and gid. The following is my /etc/audit/audit.rules, which uses the audit service to log all accesses to a directory (and all of its files and subdirectories) while not logging access from the WebSphere application.

Contents of /etc/audit/audit.rules:
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all previously loaded rules
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page

# The following rule disables the logging of accesses to the specified
# directory if the user is WebSphere.
-a exit,never -F dir=/abcfiles/ -F uid=900 -F gid=502

# The following rules log all accesses to the specified directory
# (and subdirectories).
-w /abcfiles/ -p r -k read -k pci
-w /abcfiles/ -p w -k write -k pci
-w /abcfiles/ -p x -k execute -k pci
-w /abcfiles/ -p a -k attribute -k pci

-e 1
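To see what the rule set above actually produces, here is an added example that is not part of the original post or the audit package: a small Python parser for raw /var/log/audit/audit.log records that joins the SYSCALL/CWD/PATH lines of one event by serial, decodes the key field (two -k keys on one rule are stored joined with a 0x01 byte, so the kernel hex-encodes the value instead of quoting it), lists every keyed access under /abcfiles/, and flags any row from uid 900 / gid 502 that the exit,never rule should have suppressed. The log lines are constructed for this example; the uid/gid and the pci key come from the rules above, while the file names, the WebSphere executable path and the x86_64 syscall-number map are assumptions.

```python
import re

# Constructed sample of raw audit.log records (not taken from the poster's
# system). Serials 1042-1044 carry the "pci" key from the watch rules;
# 1045 is an unrelated open() with no key and must be ignored.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1363362423.201:1042): arch=c000003e syscall=2 success=yes exit=3 a0=7fff5a2c3b10 a1=0 a2=1b6 a3=0 items=1 ppid=4300 pid=4321 auid=1001 uid=1001 gid=100 euid=1001 suid=1001 fsuid=1001 egid=100 sgid=100 fsgid=100 tty=pts0 ses=12 comm="cat" exe="/bin/cat" key="pci"
type=CWD msg=audit(1363362423.201:1042):  cwd="/home/harley"
type=PATH msg=audit(1363362423.201:1042): item=0 name="/abcfiles/cards/report.txt" inode=262145 dev=08:11 mode=0100640 ouid=900 ogid=502 rdev=00:00
type=SYSCALL msg=audit(1363362490.877:1043): arch=c000003e syscall=87 success=yes exit=0 a0=7fff5a2c3b10 a1=0 a2=0 a3=0 items=2 ppid=4300 pid=4399 auid=1001 uid=1001 gid=100 euid=1001 suid=1001 fsuid=1001 egid=100 sgid=100 fsgid=100 tty=pts0 ses=12 comm="rm" exe="/bin/rm" key=777269746501706369
type=CWD msg=audit(1363362490.877:1043):  cwd="/home/harley"
type=PATH msg=audit(1363362490.877:1043): item=0 name="/abcfiles/cards/" inode=262144 dev=08:11 mode=040750 ouid=900 ogid=502 rdev=00:00
type=PATH msg=audit(1363362490.877:1043): item=1 name="/abcfiles/cards/old.txt" inode=262150 dev=08:11 mode=0100640 ouid=900 ogid=502 rdev=00:00
type=SYSCALL msg=audit(1363362511.004:1044): arch=c000003e syscall=2 success=yes exit=5 a0=7fff5a2c3b10 a1=2 a2=1b6 a3=0 items=1 ppid=2001 pid=2077 auid=4294967295 uid=900 gid=502 euid=900 suid=900 fsuid=900 egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295 comm="java" exe="/opt/IBM/WebSphere/AppServer/java/bin/java" key="pci"
type=PATH msg=audit(1363362511.004:1044): item=0 name="/abcfiles/cards/batch.dat" inode=262160 dev=08:11 mode=0100640 ouid=900 ogid=502 rdev=00:00
type=SYSCALL msg=audit(1363362520.100:1045): arch=c000003e syscall=2 success=yes exit=3 a0=0 a1=0 a2=0 a3=0 items=1 ppid=1 pid=4500 auid=1001 uid=1001 gid=100 euid=1001 suid=1001 fsuid=1001 egid=100 sgid=100 fsgid=100 tty=pts0 ses=12 comm="cat" exe="/bin/cat" key=(null)
type=PATH msg=audit(1363362520.100:1045): item=0 name="/etc/hostname" inode=1001 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""

# Fields the kernel writes as unquoted hex when the value contains a quote,
# whitespace or a control character. "-k write -k pci" on one rule is stored
# as write<0x01>pci, so it shows up as key=777269746501706369.
UNTRUSTED_FIELDS = {"key", "name", "comm", "exe", "cwd"}

# x86_64 (arch=c000003e) syscall numbers used in the sample; assumed map.
SYSCALL_NAMES = {"2": "open", "257": "openat", "87": "unlink", "82": "rename", "90": "chmod"}

RECORD_RE = re.compile(r"type=(\S+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_value(field, raw):
    """Turn one raw field value into text; key= becomes a list of keys."""
    if raw.startswith('"'):
        text = raw.strip('"')
    elif raw == "(null)":
        text = ""
    elif field in UNTRUSTED_FIELDS:
        text = bytes.fromhex(raw).decode("utf-8", "replace")
    else:
        text = raw
    if field == "key":
        return [k for k in text.split("\x01") if k]
    return text


def parse_record(line):
    """Split one log line into (type, timestamp, serial, fields) or None."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: decode_value(k, v) for k, v in FIELD_RE.findall(rest)}
    return rtype, float(ts), int(serial), fields


def group_events(log_text):
    """Join the SYSCALL/CWD/PATH records sharing one serial into one event."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, ts, serial, fields = rec
        ev = events.setdefault(serial, {"serial": serial, "ts": ts, "paths": [], "key": []})
        if rtype == "SYSCALL":
            ev.update(fields)          # uid, gid, auid, syscall, comm, exe, key ...
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name", ""))
    return [events[s] for s in sorted(events)]


def report_accesses(events, watch_key="pci", prefix="/abcfiles/"):
    """Flatten keyed events that touched the watched tree into report rows."""
    rows = []
    for ev in events:
        if watch_key not in ev["key"]:
            continue
        paths = [p for p in ev["paths"] if p.startswith(prefix)]
        if not paths:
            continue
        rows.append({
            "serial": ev["serial"],
            "auid": ev.get("auid"),
            "uid": ev.get("uid"),
            "gid": ev.get("gid"),
            "syscall": SYSCALL_NAMES.get(ev.get("syscall"), ev.get("syscall")),
            "comm": ev.get("comm"),
            "paths": paths,
        })
    return rows


def leaked_exclusions(rows, uid="900", gid="502"):
    """Rows the 'exit,never' rule should have kept out of the log.

    Anything returned here means the never rule did not match, for instance
    because it was loaded after the watch rules (the first matching rule wins)
    or because the process ran with a different uid/gid than the rule names.
    """
    return [r for r in rows if r["uid"] == uid and r["gid"] == gid]


if __name__ == "__main__":
    rows = report_accesses(group_events(AUDIT_LOG))
    for row in rows:
        print(row["serial"], row["auid"], row["uid"], row["syscall"], row["comm"], ", ".join(row["paths"]))
    for row in leaked_exclusions(rows):
        print("exclusion rule did not apply to serial", row["serial"])
```

Run against a real log this replaces the hex-decoding and grouping that ausearch/aureport do for you, but it is useful for a quick check that the never rule is effective: with the rules in the order shown above, the java row in the sample (serial 1044) should not exist at all, and its presence is the signal to look at rule order or at the uid/gid the application actually runs under. The auid column is the login uid, which is what you want for attribution when a user has switched identities with su or sudo.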

15-Mar-2013, 16:08
Hi Harley,

thanks for reporting back, it's good to see people spend time not only asking, but even helping others even if no-one was able to answer one's questions. Oh, and great you could get your problem solved in the first place :)