Unoffical empeg BBS

Quick Links: Empeg FAQ | RioCar.Org | Hijack | BigDisk Builder | jEmplode | emphatic
Repairs: Repairs

Topic Options
#346974 - 17/08/2011 13:01 syslog.conf Question
Tim
veteran

Registered: 25/04/2000
Posts: 1525
Loc: Arizona
I am setting up a new Linux box, and this one has really odd auditing requirements. One of the requirements is to log every failed attempt to create a file in a directory the user doesn't have access to (such as logging an attempt to touch /etc/testfile ).

It currently isn't logging that, and I can't find any references (google or documentation) on how to enable that. Currently I have the following in my syslog.conf file:

kern.*
daemon.*
syslog.*
lpr,news,uucp,local@,local1,local2,local3,local4,local5,local6.*
authpriv.*
mail.*
cron.*
*.emerg
news.crit
local7.*

Does anybody know what I am missing to log the failed file creation attempt?

Thanks.

Top
#346975 - 17/08/2011 13:47 Re: syslog.conf Question [Re: Tim]
tman
carpal tunnel

Registered: 24/12/2001
Posts: 5528
Its not logged normally. If a message was being generated then it'd appear in the default log file. The syslog.conf file just tells the syslog daemon what to do with the various messages.

The audit system is probably your best bet. I've never had the need to log this though so I've no idea if its possible or not.

Look at the docs for auditd and auditctl.

Top
#346981 - 17/08/2011 18:46 Re: syslog.conf Question [Re: Tim]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14491
Loc: Canada
Originally Posted By: Tim
One of the requirements is to log every failed attempt to create a file in a directory the user doesn't have access to (such as logging an attempt to touch /etc/testfile ).

I don't know offhand, but the hooks to do something like that probably exist in the security model code -- for SELinux and/or apparmor.

But if you control/build your own kernels, then it's like a 2-line patch to just add it to the main kernel source. Sample patch attached.

-ml


Attachments
log_permission_errors.patch (128 downloads)
Description: 2-line patch to log "permission denied" errors on attempts to open files.



Top
#346985 - 18/08/2011 13:22 Re: syslog.conf Question [Re: Tim]
Tim
veteran

Registered: 25/04/2000
Posts: 1525
Loc: Arizona
Awesome, thanks for the help.

Top