radzewi
Mission Specialist
Mission Specialist
  • 366 Views

auditctl -w usage

Hello team,

1. I have some consideration about auditctl -w usage

2. There is a Guided Exercise --> Writing Custom Audit Rules in Chapter 6

3. In 2.1 we are asked to execute the following command:

[root@servera ~]# auditctl -w /bin/ -p x -F "auid>=500" -F "euid=0"  -k privileged-execution

4.Next in 2.2 the sample output should show the result logged execution of /bin/true, but in my POV it does not -  it only shows that the configuration of auditd has changed

5. Anyway could you confirm that using auditctl -w with -F options is ok? In auditctl manual we have following information

-w path
Insert a watch for the file system object at path. You cannot insert a watch to the top level directory. This is prohibited by the kernel. Wildcards are not supported either and will generate a warning. The way that watches work is by tracking the inode internally. If you place a watch on a file, its the same as using the -F path option on a syscall rule. If you place a watch on a directory, its the same as using the -F dir option on a syscall rule. The -w form of writing watches is for backwards compatibility and the syscall based form is more expressive. Unlike most syscall auditing rules, watches do not impact performance based on the number of rules sent to the kernel. The only valid options when using a watch are the -p and -k. If you need to anything fancy like audit a specific user accessing a file, then use the syscall auditing form with the path or dir fields.

thx

0 Kudos
1 Reply
SubuRama
Flight Engineer
Flight Engineer
  • 275 Views

In step 2.2 of Section 6.6 (the guided exercise you are referring to), the result of the ausearch with the key privileged_execution is *only* of type CONFIG_CHANGE

The source code for auditctl is here: https://github.com/linux-audit/audit-userspace/blob/master/src/auditctl.c

Even if you just use the

-w /bin/ -p x -k new_priv and execute /bin/true/ you only get the CONFIG_CHANGE message in the audit.
Even using -p rwxa still gives me only CONFIG_CHANGE.

However, if I have a rule such as
auditctl -w /bin/true -p x -k watch_true
then execute /bin/true and then ausearch -i -k watch_true I get the EXECVE, CWD, PATH, PROCTITLE etc. etc. messages also.

Try ausearch --raw -k watch_true | aureport -f   for example and you will see the syscall event with success yes for syscall 59.(ausyscall shows 59 as execve)

So I am not quite sure what's going on with setting a watch rule on /bin vs a specific executable such /bin/true

0 Kudos
Join the discussion
You must log in to join this conversation.