
I try to create an auditctl rule for the following situation: There is a file created by root, owned by root, and with chmod 700. So no other user except root can read or write to it.

When I then try to do something with that file as another user, I get a permission denied error.

But this doesn't show up in the audit log and I cannot find a working rule. I tried multiple rules:

-a always,exit -F arch=b64 -S all -F path=/home/test/test.txt -F success!=0 -k permission_denied.

or from another thread here (this should show it for all files!)

-a always,exit -F arch=b64 -S open,openat -F exit=-EPERM -F key=permission_denied
-a always,exit -F arch=b64 -S open,openat -F exit=-EACCES -F key=permission_denied

any ideas? Thanks.

  • Duplicate of https://unix.stackexchange.com/questions/16828/what-roles-do-dac-file-permissions-acl-and-mac-selinux-play-in-linux-file-s ? "SELinux policy rules are not used if DAC rules deny access first." – Jeff Schaller Jun 30 '20 at 12:04
  • I disabled SELinux – Arpton Jun 30 '20 at 12:10

1 Answer

Problem solved. The logging was actually working, but in my rule file I already had the rule

-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid!=4294967295 -k file_access_denied

which monitors all attempts on all files. I forgot about that rule, and audit only logs the first instance of the rule. Because of that, the file-specific rule did not appear to work, because the first rule was already used.
