On Wednesday, February 24, 2016 07:04:08 AM Sarthak Jain wrote: > I am Sarthak Jain working in MicroFocus. I want your small help to clarify > one of my doubt regarding the kernel auditing on RHEL 7.1. I hope you are > the right person to contact. It will just 2 min (max :P) to go through the > problem. > > Assumption: Ideally, if we change the configuration file (for ex- > /etc/hosts), we should be getting audit events for it. > > Scenario: By default, the permissions for '/etc/hosts' is (rw-r-r--). If we > modify this file, then audit events are coming as attached in file - > 'file1.txt'. > > Problem: Let say if we change the permissions of the '/etc/hosts' to > (rw-rw-rw), then audit system is not recording the "CONFIG_CHANGE" event at > all.
That is because the audit configuration has not changed. Config change events are specific to changes in the audit system itself. What you get on this is syscall event with a path If you want to get events on changing permissions on a file, then you would put a rule like this: -a always,exit -F path=/etc/hosts -F perms=a -F key=permission-change After modifying the file with chmod, then run: ausearch --start today -k permission-change > I have attached the file - 'file2.txt' for your reference. Can you > please clarify this ? Is it a kernel level bug? No. Its doing what it should. -Steve -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit