Using audit to detect unauthorized access

Omarine has set up an audit rule in the file /etc/audit/rules.d/access-other.rules as follows:

-a always,exit -F arch=b64 -S openat -F dir=/home/ -F success=0 -C uid!=obj_uid -k access-other

The meaning is as follows:

  • -a always,exit: Append the rule to the ‘exit’ list, which is evaluated every time a system call exits. An audit event is always created when the rule is matched by the kernel’s rule matching engine.
  • -F arch=b64: -F indicates a rule field. In this case the rule applies to system calls made through the 64-bit CPU architecture.
  • -S openat: Apply to the syscall ‘openat’. A system call can be given by number instead of name; the numbers are listed in the <sys/syscall.h> header file. On x86_64 the system call number for openat is 257.
  • -F dir=/home/: Watch the /home directory tree, i.e. any path under /home.
  • -F success=0: Match only system calls that failed (a failed exit code).
  • -C uid!=obj_uid: -C compares two fields of the same event. In this case the UID of the calling process must differ from the UID that owns the object (the file or directory being opened).
  • -k access-other: The key associated with the rule is ‘access-other’; events can later be searched by this key.

This rule detects denied attempts by a user to access another user’s file or directory (uid!=obj_uid and success=0). As an example, the user tho tries to read the user tuyen’s private configuration file /home/tuyen/.config/arkrc. The current login user is tuyen; we use su to switch to user tho and view the file with the cat command.

Access is denied: this is an unauthorized access attempt. Now, as the root user, we search for events with the key ‘access-other’ and a failed exit code:

ausearch -k access-other --success no

The result is as follows
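As an added example that is not part of the original post, the following Python script reproduces offline the correlation that ausearch performs for such an event: it joins each SYSCALL record with its CWD and PATH records by the audit serial number, and reports records whose key is access-other, whose success field is no, and whose calling uid differs from the file owner's ouid (the same three conditions the rule above encodes). The log lines are constructed to resemble what auditd writes for the denied cat attempt; the timestamps, serial numbers, inode numbers, the uids 1000 (tuyen) and 1001 (tho), and the second event with the key home-watch are all assumptions, not captured output.

```python
import errno
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log lines (not real captured output).
# Assumed: uid 1000 = tuyen (owner of the file), uid 1001 = tho (the reader).
# Serial 201 is the denied openat by tho; serial 202 is an unrelated successful
# open under a different (hypothetical) key, included to show the filtering.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd1c2b3e10 a2=0 a3=0 items=1 ppid=2101 pid=2102 auid=1000 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="access-other"
type=CWD msg=audit(1700000000.101:201): cwd="/home/tuyen"
type=PATH msg=audit(1700000000.101:201): item=0 name="/home/tuyen/.config/arkrc" inode=131405 dev=08:01 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.230:202): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c2b3e10 a2=0 a3=0 items=1 ppid=2101 pid=2103 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="home-watch"
type=CWD msg=audit(1700000000.230:202): cwd="/home/tuyen"
type=PATH msg=audit(1700000000.230:202): item=0 name="/home/tuyen/.bashrc" inode=131390 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
"""

# type=... msg=audit(<seconds>.<millis>:<serial>): <key=value fields>
MSG_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
# key=value pairs; values are either double-quoted strings or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit.log line into (type, timestamp, serial, fields)."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return rtype, float(ts), int(serial), fields


def group_events(lines):
    """Group SYSCALL, CWD and PATH records into events keyed by serial number."""
    events = defaultdict(lambda: {"time": None, "syscall": None, "cwd": None, "paths": []})
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, ts, serial, fields = rec
        ev = events[serial]
        ev["time"] = ts
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "CWD":
            ev["cwd"] = fields.get("cwd")
        elif rtype == "PATH":
            ev["paths"].append(fields)
    return events


def find_unauthorized(lines, key="access-other"):
    """Return the events matching key, success=no and uid != owner uid (ouid)."""
    hits = []
    for serial, ev in sorted(group_events(lines).items()):
        sc = ev["syscall"]
        if sc is None or sc.get("key") != key or sc.get("success") != "no":
            continue
        uid = int(sc["uid"])
        for p in ev["paths"]:
            if "ouid" not in p or p.get("nametype") == "PARENT":
                continue  # no object owner recorded, or just the directory entry
            ouid = int(p["ouid"])
            if ouid == uid:
                continue
            code = -int(sc.get("exit", "0"))  # exit=-13 -> errno 13 (EACCES)
            hits.append({
                "serial": serial,
                "time": ev["time"],
                "auid": int(sc["auid"]),  # login uid, survives su
                "uid": uid,
                "ouid": ouid,
                "path": p["name"],
                "cwd": ev["cwd"],
                "comm": sc.get("comm"),
                "errno": errno.errorcode.get(code, str(code)),
            })
    return hits


def summarize(hits):
    """Count denied cross-user accesses per (calling uid, owner uid) pair."""
    counts = defaultdict(int)
    for h in hits:
        counts[(h["uid"], h["ouid"])] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_unauthorized(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"serial={h['serial']} auid={h['auid']} uid={h['uid']} "
              f"owner={h['ouid']} {h['comm']} {h['path']} ({h['errno']})")
    print("per (uid, owner) pair:", summarize(found))
```

The auid field is worth keeping alongside uid: it records the user who originally logged in (tuyen) and is not changed by su, so the report shows both who switched identity and which identity made the denied call.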
