Gentoo Forums
auditd not respecting paths?
Whitewolf Fox
Tux's lil' helper
Joined: 29 Aug 2004
Posts: 78
Location: Ratingen

Posted: Fri Apr 12, 2019 2:09 pm    Post subject: auditd not respecting paths?

Hi everyone,

I'm trying to configure auditd for one of my machines. I need to grant permission on it to a third party who needs to be able to become root (sudo), but has very tight permissions by policy regarding what they are allowed to do and what not.
I'd like to see in the auditd logs whenever any file in /etc (and subdirectories) got changed. In the auditd docs, I found that a line like this should do the job:

Code:
-w /etc/ -k general_etc_watch


But when I change or add any file (like /etc/fstab), it doesn't show up in auditd's log.
Is there a better way to solve this, rather than add a line like that for ALL files in /etc to the config, explicitly?
_________________
http://www.marc-richter.info
szatox
Veteran
Joined: 27 Aug 2013
Posts: 1717

Posted: Fri Apr 12, 2019 10:04 pm

Quote:
Is there a better way to solve this, rather than add a line like that for ALL files in /etc to the config, explicitly?
Uhm.... Use git for tracking changes?
Or perhaps set inotify on /etc (actually, on every single file in /etc, which means you'd have to increase the limit too), for real-time notifications.
Or, if the policy is tight enough, perhaps limit his sudo to a few specific commands?
Syl20
Guru
Joined: 04 Aug 2005
Posts: 550
Location: France

Posted: Tue Apr 16, 2019 1:11 pm

It seems watching subdirs and files in the specified directory is the default behaviour. Some users even wonder how to disable that: https://www.redhat.com/archives/linux-audit/2013-September/msg00057.html

Did you try to remove the final slash?
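
Added example, not part of any post in this thread: one way to check whether the `general_etc_watch` rule is producing records is to group audit.log lines by event ID and list the files touched by each event carrying that key. The function name and the sample log lines are constructed for illustration; the parser assumes plain (non-hex-encoded) `name=` fields.

```python
import re

# Constructed, abbreviated sample in audit.log format (not taken from the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1555078140.123:412): arch=c000003e syscall=257 success=yes exit=3 items=2 pid=2102 auid=1001 uid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="general_etc_watch"
type=PATH msg=audit(1555078140.123:412): item=0 name="/etc/" inode=131073 nametype=PARENT
type=PATH msg=audit(1555078140.123:412): item=1 name="/etc/fstab" inode=131999 nametype=NORMAL
type=SYSCALL msg=audit(1555078200.500:413): arch=c000003e syscall=257 success=yes exit=3 items=1 pid=900 auid=4294967295 uid=0 euid=0 comm="cat" exe="/bin/cat" key=(null)
type=PATH msg=audit(1555078200.500:413): item=0 name="/var/log/messages" inode=5 nametype=NORMAL
type=SYSCALL msg=audit(1555078300.010:414): arch=c000003e syscall=257 success=yes exit=3 items=2 pid=2140 auid=1001 uid=0 euid=0 comm="tee" exe="/usr/bin/tee" key="general_etc_watch"
type=PATH msg=audit(1555078300.010:414): item=0 name="/etc/conf.d/" inode=131100 nametype=PARENT
type=PATH msg=audit(1555078300.010:414): item=1 name="/etc/conf.d/net" inode=132500 nametype=CREATE
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+:\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def keyed_changes(log_text, key="general_etc_watch"):
    """Return (event_id, auid, uid, exe, paths) for each event tagged with `key`."""
    events = {}  # event id "timestamp:serial" -> {"syscall": fields, "paths": [...]}
    for line in log_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        ev = events.setdefault(event_id, {"syscall": None, "paths": []})
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "PATH" and fields.get("nametype") != "PARENT":
            # PARENT items name the containing directory, not the touched file.
            ev["paths"].append(fields.get("name"))
    hits = []
    for event_id, ev in events.items():
        sc = ev["syscall"]
        if sc and sc.get("key") == key:
            # auid is the login uid: it stays 1001 here although uid is 0 after sudo.
            hits.append((event_id, sc["auid"], sc["uid"], sc["exe"], ev["paths"]))
    return hits


if __name__ == "__main__":
    for hit in keyed_changes(SAMPLE_LOG):
        print(hit)
```

An empty result for the key means no event tagged by that rule reached the log that was parsed.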