Solved Auditing: How to log "permission denied" events?

amity88

amity88

Hi guys,
I'm looking for a way to record events when an user tries to access or execute a command/file that he doesn't have permissions to.

So far, it seems like auditd is the way to go but I just can't get the configuration right. I've tried using ex,pc and na classes but the logs are full of noise and doesn't have the information I'm interested in (the permission denied events).

Any pointers with this would be great!
thanks,
Amit
 
It's been a while since I messed with auditing myself, but have you tried using -ex and -fr?

If I recall correctly then the system doesn't really differentiate on the reason an event failed merely that it failed. So if a user tries to read a file yet doesn't succeed then the system doesn't care if this was caused by lack of permissions, hardware error or maybe even network errors (think NFS share). All it does is spot the failed read and then log that.

As such my idea: have you tried only logging the failed attempts?
 
I've tried logging only failed events using -ex and -fr. My problem is that it logs many extra events.
e.g. On permission denied, there would be 3 events logged:
1. failure: [excve] no such file or directory (this is because the binary was not found in the first path in the search list)
2. failure: [readlink] no such file or directory (trying to access /etc/malloc.conf.... not sure why)
3. failure: [openat] permission denied

I want to get only the 3rd event. The weird thing is that if I use ^fr, it still logs the events corresponding to fr class.... any idea why?
here is my audit_control ( audit_user is left blank)
Code: 
dir:/var/audit
dist:off
host:127.0.0.1
flags:^fr
#flags:lo,-aa,-ex,-fd,-fc,-fw,-pc
minfree:50
naflags:^fr
policy:cnt,argv
filesz:5M
expire-after:10M
 
Okay, I've got it working... finally! :)
  1. I found out that the user being audited must log off and back in before the flags take effect.
  2. It is possible to use a small script to extract out just the permission denials from the audit trails and put it in a regular text log file. I'm pasting the configuration and the script below.
  3. All I need to do is to put the script in a crontab
audit_control
Code: 
dir:/var/audit
dist:off
host:127.0.0.1
flags:-fr,-fc,-fd,-fw,-fm,-ex
#flags:lo,-aa,-ex,-fd,-fc,-fw,-pc
minfree:50
naflags:-fr,-fc,-fd,-fw,-fm
policy:cnt,argv
filesz:5M
expire-after:10M
script
Code: 
#!/bin/sh
/usr/sbin/auditreduce /var/audit/current | /usr/sbin/praudit -l | /usr/bin/grep "Permission denied" >> /var/log/auditd_denials.log
chmod 640 /var/log/auditd_denials.log
chown root:wheel /var/log/auditd_denials.log
audit -n
 
You must log in or register to reply here.
Back
Top