I want to monitor a particular directory using auditd, so that any changes are logged. I've created a rule using:

auditctl -w /etc/my_path_to_monitor -p wa -k my_rule

This works great for everything I've tested so far, except changes made with chattr, such as:

chattr +S /etc/my_path_to_monitor/a_file

The use of chattr isn't resulting in any auditd log messages - how can I have such changes audited with auditd?

UPDATE: I found an ancient thread about auditd not logging chattr syscalls. It does get auditd logging the calls, but it doesn't relate them to the files they affect - so I'm still stuck.

1 Answer

I read the manual, came to the same conclusion for configuration, and got the same result for logging. Experimenting, I found that the goal can be achieved with the following configuration.

auditctl -w /etc/my_path_to_monitor -p warx -k my_rule

To offer an additional resource for audit, should you intend to further configure audit, the Red Hat Security Technical Implementation Guide (STIG) produced by the Defense Information Systems Agency (DISA) has an excellent baseline of audit rules. These are still mostly applicable to whichever Linux distribution you might be using, perhaps with a bit of interpolation to match the system with which you are working.

  • That's odd that you detected changes by adding logging for read and execute. I purposely don't want to enable read logging, because it will produce far too many logs. Do you know why the rx options pick up attribute changes? Commented Feb 22, 2018 at 21:06
  • Sorry, no. I do not understand why it works. Commented Feb 22, 2018 at 21:08
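Why the `r` bit makes the difference, and how to tie the ioctl back to the file, as an added example that is not part of the question or the answer above. chattr never writes to the file: it opens it read-only (e2fsprogs uses O_RDONLY|O_NONBLOCK) and then issues ioctl(fd, FS_IOC_SETFLAGS, &flags), so a `-p w` watch sees nothing, while a `-p r` watch fires on the open(). The ioctl itself can be logged with a syscall rule such as `auditctl -a always,exit -F arch=b64 -S ioctl -k chattr_ioctl`, but because ioctl takes a descriptor rather than a path its SYSCALL record carries no PATH record, which is the gap described in the UPDATE. The file can be recovered by joining the ioctl's a0 (the fd) with the exit value (the fd returned) of the same pid's earlier open() that the watch rule logged. The script below does that join over a constructed audit.log excerpt; the rule keys, pids, inode numbers, serials and timestamps are invented, and the syscall numbers are x86_64 (open=2, openat=257, ioctl=16).

```python
import re

# Constructed audit.log excerpt (invented pids, inodes, serials and timestamps), as it
# would look with two hypothetical rules loaded:
#   auditctl -w /etc/my_path_to_monitor -p r -k my_rule           (catches chattr's open)
#   auditctl -a always,exit -F arch=b64 -S ioctl -k chattr_ioctl  (catches the ioctl)
# The last two events are lsattr reading the flags; they must not be reported.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1519334766.101:2001): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1234abcd a2=800 a3=0 items=2 ppid=4100 pid=4123 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="chattr" exe="/usr/bin/chattr" key="my_rule"
type=CWD msg=audit(1519334766.101:2001): cwd="/root"
type=PATH msg=audit(1519334766.101:2001): item=0 name="/etc/my_path_to_monitor/" inode=1230 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1519334766.101:2001): item=1 name="/etc/my_path_to_monitor/a_file" inode=1234 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1519334766.102:2002): arch=c000003e syscall=16 success=yes exit=0 a0=3 a1=40086602 a2=7ffd1234aa00 a3=0 items=0 ppid=4100 pid=4123 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="chattr" exe="/usr/bin/chattr" key="chattr_ioctl"
type=SYSCALL msg=audit(1519334770.500:2003): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffe9876fedc a2=0 a3=0 items=2 ppid=4100 pid=4200 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="lsattr" exe="/usr/bin/lsattr" key="my_rule"
type=PATH msg=audit(1519334770.500:2003): item=0 name="/etc/my_path_to_monitor/" inode=1230 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1519334770.500:2003): item=1 name="/etc/my_path_to_monitor/a_file" inode=1234 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1519334770.501:2004): arch=c000003e syscall=16 success=yes exit=0 a0=3 a1=80086601 a2=7ffe9876fe00 a3=0 items=0 ppid=4100 pid=4200 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="lsattr" exe="/usr/bin/lsattr" key="chattr_ioctl"
"""

FS_IOC_SETFLAGS = 0x40086602   # _IOW('f', 2, long): the request chattr issues to set inode flags
SYS_IOCTL = 16                 # x86_64 syscall numbers
SYS_OPEN = {2, 257}            # open, openat

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Yield (type, serial, timestamp, {field: value}) for every audit record line."""
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        yield rtype, int(serial), float(ts), fields


def group_events(text):
    """Collect the records that share one audit serial into one event, in serial order."""
    events = {}
    for rtype, serial, ts, fields in parse_records(text):
        ev = events.setdefault(serial, {"serial": serial, "ts": ts, "paths": []})
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "PATH":
            ev["paths"].append(fields)
    return [events[s] for s in sorted(events)]


def correlate_chattr(text):
    """Report every successful FS_IOC_SETFLAGS ioctl together with the file it targeted.

    The ioctl SYSCALL record names only a descriptor (a0, hex), so the path is taken
    from the earlier open() of the same pid whose return value (exit, decimal) is that
    descriptor. Simplification: descriptors are never forgotten on close(); a production
    version would also consume close()/dup() records before trusting the mapping.
    """
    open_fds = {}   # (pid, fd) -> path opened, as seen by the watch rule
    hits = []
    for ev in group_events(text):
        sc = ev.get("syscall")
        if sc is None or sc.get("success") != "yes":
            continue
        nr, pid = int(sc["syscall"]), sc["pid"]
        if nr in SYS_OPEN:
            # Keep the opened object, not its parent directory; kernels without
            # nametype emit the file as the last PATH item, so fall back to that.
            targets = [p["name"] for p in ev["paths"] if p.get("nametype", "NORMAL") == "NORMAL"]
            if targets:
                open_fds[(pid, int(sc["exit"]))] = targets[-1]
        elif nr == SYS_IOCTL and int(sc["a1"], 16) == FS_IOC_SETFLAGS:
            fd = int(sc["a0"], 16)
            hits.append({
                "serial": ev["serial"],
                "ts": ev["ts"],
                "pid": pid,
                "auid": sc.get("auid"),
                "comm": sc.get("comm"),
                "exe": sc.get("exe"),
                "path": open_fds.get((pid, fd), f"<unresolved fd {fd}>"),
            })
    return hits


if __name__ == "__main__":
    for h in correlate_chattr(SAMPLE_LOG):
        print(f"audit({h['ts']:.3f}:{h['serial']}) pid={h['pid']} auid={h['auid']} "
              f"comm={h['comm']} exe={h['exe']} set inode flags on {h['path']}")
```

Filtering on the request code in the script, rather than reporting every ioctl, is what keeps lsattr (FS_IOC_GETFLAGS, 0x80086601) and unrelated ioctl traffic out of the report; the `-p r` watch is still needed for the join, which is the noise trade-off the comment above points at. The same join resolves the `<unresolved fd>` case only if the open() was logged, so the watch and the syscall rule have to be loaded together.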
