I have a Linux machine where I have configured an audit rule for monitoring any types of changes on a file. This is the rule I placed in /etc/audit/audit.rules file:

-w /home/ec2-user/splunk-test/secret-file -p rwxa -k log_everything

This file is under ec2-user ownership, and I have created one more user called user1. I am trying to access secret-file with this user1, which is denied by default (expected). But nothing is being logged in the auditd log file. I have checked by keeping two windows open, simultaneously executing vi as user1 in one and watching the log file for changes in the other.

I have tried "vi" as the root user, and that is being logged in the auditd logs. But when I try the same as the user1 user, nothing is being logged. (FYI, the permissions of this file are 660) - NO READ PERMISSION TO WORLD.

Am I missing something here (maybe in the auditd configuration) for the proper logging of any attempts made on this file? Can someone please help me at the earliest.

serverstackqns
  • Permission denied is just access attempt, it does not trigger one of those `-p rwxa'. You can refer to this question and answer : https://unix.stackexchange.com/questions/220250/using-auditd-to-capture-permission-denied-notices – mootmoot May 03 '17 at 07:56
  • @mootmoot: I have edited the question, please check now.. – serverstackqns May 03 '17 at 08:51

1 Answer

Total guess:

You are denied because /home/ec2-user/splunk-test does not set traverse permissions for user1 or /home/ec2-user does not set traverse permissions for user1.

It is not because /home/ec2-user/splunk-test/secret-file is not readable for user1. As such, you never actually reach the file but fail to reach it from one of its parent directories in the path.

Subsequently there is nothing to report on audit for the file as the file was never reached.

Matthew Ife
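A way to find out which path component actually stops user1, as an added diagnostic that is not part of the question or the answer. It models plain DAC mode bits only (no ACLs, LSMs or capabilities); the uid 65534, the temp directory layout and the file contents are constructed to mirror the question's path.

```python
import os
import stat
import tempfile
from pathlib import Path


def _dac_allows(st, uid, gids, user_bit, group_bit, other_bit):
    """Mode-bit check in kernel order: owner, then group, then other.
    uid 0 is treated as always allowed (capabilities are not modelled)."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & user_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def first_denied_component(path, uid, gids, start="/"):
    """Resolve `path` the way the kernel does for a process running as
    uid/gids: every directory needs search (x) permission, the final file
    needs read (r).  Returns the first component that denies access, or
    None when the file is reachable and readable.  Directories at or above
    `start` are assumed reachable.  A file watch (-w) can only fire once
    resolution reaches the file's inode, so a hit on a directory here means
    auditd never saw the file being touched."""
    target = Path(path).resolve()
    base = Path(start).resolve()
    parts = target.parts
    for i in range(1, len(parts)):
        directory = Path(*parts[:i])
        if directory == base or directory in base.parents:
            continue
        if not _dac_allows(os.stat(directory), uid, gids,
                           stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return str(directory)
    if not _dac_allows(os.stat(target), uid, gids,
                       stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        return str(target)
    return None


def demo():
    """Rebuild the question's layout in a temp dir (constructed sample):
    home 700, splunk-test 755, secret-file 660, checked as a non-owner uid."""
    root = Path(tempfile.mkdtemp())
    home = root / "ec2-user"
    home.mkdir()
    home.chmod(0o700)  # typical home directory mode
    secret = home / "splunk-test" / "secret-file"
    secret.parent.mkdir()
    secret.parent.chmod(0o755)
    secret.write_text("constructed sample\n")
    secret.chmod(0o660)
    user1 = 65534  # constructed uid that owns nothing in this tree
    out = {}
    out["home_700"] = first_denied_component(secret, user1, {user1}, start=root)
    home.chmod(0o755)
    out["home_755"] = first_denied_component(secret, user1, {user1}, start=root)
    secret.chmod(0o664)
    out["file_664"] = first_denied_component(secret, user1, {user1}, start=root)
    return {k: (Path(v).name if v else None) for k, v in out.items()}
```

With the home directory at 700 the denial lands on ec2-user, not on secret-file; only after the parents are traversable does the 660 file itself become the denying component.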