11

Is there a log file which keeps track of things users try to do and are denied due to regular Unix file permissions? I know SELinux does things, but a lot of the time the good ole' file permissions stop them first. When this happens, is there a log that gets printed to?

Thanks

7 Answers

10

How to set up and use auditd in Linux:

http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html

Marcin
5

No, that's not logged.

Kristof Provost
2

Auditctl allows you to log access to files, including access denied.

From the manpage:

To see unsuccessful open calls:

auditctl -a exit,always -S open -F success!=0
SirStan
1

You might want to check out AppArmor (download info at the end).

By default most distros don't log that.

jedberg
1

I was trying to solve this problem myself recently. I found the answer within the audit.rules manpage:

Examples

The following rule shows how to audit failed access to files due to permission problems. Note that it takes two rules for each arch ABI to audit this since file access can fail with two different failure codes indicating permission problems.

-a always,exit -F arch=b32 -S open -S openat -F exit=-EACCES -k access
-a always,exit -F arch=b32 -S open -S openat -F exit=-EPERM -k access
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k access
-a always,exit -F arch=b64 -S open -S openat -F exit=-EPERM -k access

My unabashed answer to my own question.

theillien
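An added example (not from any answer on this page) of what the four -k access rules above produce: a small Python parser that joins the raw SYSCALL and PATH records of each audit event and reports only the key=access failures whose errno is EACCES or EPERM. The audit.log lines it reads are constructed sample data, trimmed to the fields the parser uses.

```python
import re
from collections import defaultdict

# Raw SYSCALL records carry the numeric errno (exit=-13, exit=-1) that the rules above name -EACCES/-EPERM.
PERMISSION_ERRNOS = {-13: "EACCES", -1: "EPERM"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')

# Constructed sample of /var/log/audit/audit.log, trimmed to the fields used here:
# an EACCES open, a successful open from an unrelated watch rule, and an EPERM openat.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=3538 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key="access"
type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0
type=SYSCALL msg=audit(1364481363.250:24288): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=3539 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key="etc_watch"
type=PATH msg=audit(1364481363.250:24288): item=0 name="/etc/hostname" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1364481363.260:24289): arch=c000003e syscall=257 success=no exit=-1 items=1 pid=3540 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key="access"
type=PATH msg=audit(1364481363.260:24289): item=0 name="/root/secret.txt" inode=5678 dev=fd:00 mode=0100600 ouid=0 ogid=0
"""

def parse_record(line):
    """Split one raw audit record into field -> value (quotes stripped), plus the event serial."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = SERIAL_RE.search(line)
    if m:
        rec["_serial"] = int(m.group(1))
    return rec

def find_permission_denials(log_lines):
    """Join SYSCALL and PATH records by serial; keep key=access failures that ended in EACCES/EPERM."""
    events = defaultdict(list)
    for rec in map(parse_record, log_lines):
        if "_serial" in rec:
            events[rec["_serial"]].append(rec)
    denials = []
    for serial in sorted(events):
        recs = events[serial]
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if sc is None or sc.get("key") != "access":
            continue  # not produced by the four -k access rules
        errno = PERMISSION_ERRNOS.get(int(sc.get("exit", "0")))
        if errno is None:
            continue  # success, or a failure such as ENOENT that is not a permission problem
        paths = [r["name"] for r in recs if r.get("type") == "PATH" and "name" in r]
        denials.append({
            "auid": sc.get("auid"),  # login uid survives su/sudo, so it names the real user
            "uid": sc.get("uid"), "comm": sc.get("comm"), "exe": sc.get("exe"),
            "errno": errno, "path": paths[0] if paths else None,
        })
    return denials
```

Running find_permission_denials(SAMPLE_LOG.splitlines()) yields two records (EACCES on /etc/ssh/sshd_config and EPERM on /root/secret.txt); ausearch -k access -i gives the same view with the numeric fields already interpreted.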
0

No, in stock configurations there isn't anything that directly shows "user bibby was denied access to /root"

You might be able to find auditing software that may have enhanced auditing or maybe software (like SELinux) that uses more complex ACL access to files and it may log things, but even Windows doesn't log such permission errors (there are utilities with Sysinternals that show on-the-fly access denied errors for Windows, though).

I don't think I've even run across any utilities similar to that functionality in Unix systems.

You can try looking for "incidental" things in logs, like mail or web server programs that log errors trying to access particular file paths that as an administrator you know should be there.

If you're interested in security on your system to keep pesky users from acting pesky, you can try some of the utilities listed here and see if they will help you.

Bart Silverstrim
-3

If a user cannot log in due to permissions, the user would get "permission denied" on his screen and will be in /. Nothing goes in the log, but it's visible to the user.

alexus