Using audit to find out unauthorized access



Omarine has set up an audit rule in the file /etc/audit/rules.d/access-other.rules as follows:

-a always,exit -F arch=b64 -S openat -F dir=/home/ -F success=0 -C uid!=obj_uid -k access-other


The meaning is as follows:

  • -a always,exit: Append the rule to the ‘exit’ list, which is evaluated every time a system call exits. An audit event is always created when the rule is matched by the kernel's rule-matching engine.
  • -F arch=b64: -F introduces a rule field. Here it restricts the rule to 64-bit system calls.
  • -S openat: Apply to the syscall ‘openat’. A system call can be given by number instead of name; the numbers can be found via the <sys/syscall.h> header file. The system call number for openat on x86_64 is 257.
  • -F dir=/home/: Watch the /home directory tree.
  • -F success=0: Match only system calls that failed (returned an error).
  • -C uid!=obj_uid: -C introduces a comparison between two fields. Here the calling user's UID must differ from the UID of the owner of the object being accessed (a file or directory).
  • -k access-other: The key attached to the rule is 'access-other'; it can later be used to search for events by key.


This rule can be used to detect unauthorized access by one user to another user's file or directory (uid!=obj_uid together with success=0). As an example, take user tho trying to read user tuyen's private configuration file /home/tuyen/.config/arkrc. The currently logged-in user is tuyen. We use su to switch to user tho and attempt to view the file with the cat command:



Access is denied: this is an unauthorized access attempt. Now, as the root user, we search for events that carry the key 'access-other' and a failed exit code:


ausearch -k access-other --success no


The result is as follows:
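To show what the search above actually matches on, here is an added example (not code from the post or from Omarine) that parses raw audit.log records, groups them into events by their audit(timestamp:serial) id, and applies the same three conditions the rule encodes in user space: key 'access-other', success=no, and the caller's uid in the SYSCALL record differing from the owner uid (ouid) in the PATH record. The log lines are constructed for this example; the second event, with the hypothetical key 'home-missing', stands in for a different rule and shows the filter rejecting a same-user failure.

```python
"""Group raw auditd records into events and report failed cross-user opens."""
import re
from collections import defaultdict

# Constructed sample records in raw audit.log format (not output from the post).
# Event 501: uid 1001 (tho) fails with EACCES (-13) opening a file owned by uid 1000 (tuyen).
# Event 502: uid 1000 fails on its own missing file (ENOENT, -2); logged under a
#            hypothetical second rule with key "home-missing", so it must not match.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.123:501): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd1234 a2=0 a3=0 items=1 ppid=2100 pid=2105 auid=1000 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="access-other"
type=CWD msg=audit(1700000000.123:501): cwd="/home/tuyen"
type=PATH msg=audit(1700000000.123:501): item=0 name="/home/tuyen/.config/arkrc" inode=12345 dev=08:01 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.456:502): arch=c000003e syscall=257 success=no exit=-2 a0=ffffff9c a1=7ffd5678 a2=0 a3=0 items=1 ppid=2100 pid=2106 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="home-missing"
type=PATH msg=audit(1700000000.456:502): item=0 name="/home/tuyen/missing.txt" inode=12346 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
"""

AUDIT_ID = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one raw audit record into a dict; quoted values lose their quotes."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def group_events(text):
    """Group records sharing the same audit(ts:serial) id; returns {serial: [records]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        match = AUDIT_ID.search(line)
        if match:
            events[int(match.group("serial"))].append(parse_record(line))
    return events


def find_cross_user_failures(text, key="access-other"):
    """Return events matching the rule's logic: given key, failed syscall, uid != object owner."""
    hits = []
    for serial, records in sorted(group_events(text).items()):
        syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != key or syscall.get("success") != "no":
            continue
        uid = int(syscall["uid"])
        for rec in records:
            # ouid in the PATH record is the object owner's UID (obj_uid in the rule)
            if rec.get("type") == "PATH" and "ouid" in rec and int(rec["ouid"]) != uid:
                hits.append({
                    "serial": serial,
                    "uid": uid,
                    "owner_uid": int(rec["ouid"]),
                    "path": rec.get("name"),
                    "exe": syscall.get("exe"),
                    "exit": syscall.get("exit"),
                })
    return hits


if __name__ == "__main__":
    for hit in find_cross_user_failures(SAMPLE_AUDIT_LOG):
        print(f"event {hit['serial']}: uid {hit['uid']} ({hit['exe']}) failed to open "
              f"{hit['path']} owned by uid {hit['owner_uid']}, exit={hit['exit']}")
```

The uid/ouid comparison is the user-space mirror of -C uid!=obj_uid: the kernel evaluates it before the event is written, so with the post's rule only the first kind of event ever reaches the log, and ausearch -k access-other --success no simply selects those records.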


