Hi everyone,
I’m just starting to dig into auditd for the first time. In doing so, I’m hitting a few issues that I do not understand and for which I cannot find a proper answer on the internet. I hope this group of experienced experts has answers to my questions:
In https://www.suse.com/documentation/sles-12/book_security/data/sec_audit_scenauconf.html it says two different things, as I understand it:
First:
But second, in the example below:
This is my config:
# auditctl -l
-a never,task
-w /etc -p rwxa -k etc
#
When I chdir into /etc and execute “ls” (which should match “r” and/or “x”), nothing is written to the auditd log. First question: Why not?
When I change the config to the following:
# auditctl -l
-a never,task
-w /etc -p rwxa -k etc
-w /etc/fstab -p wa -k fstab
and then open the /etc/fstab in vim, then change and save the file, I receive this:
type=CONFIG_CHANGE msg=audit(1555143757.679:37528): auid=1285194 ses=842 op=updated_rules path="/etc/fstab" key="fstab" list=4 res=1AUID="richtm1"
type=CONFIG_CHANGE msg=audit(1555143757.679:37529): auid=1285194 ses=842 op=updated_rules path="/etc/fstab" key="fstab" list=4 res=1AUID="richtm1"
Second question: Why does it state “CONFIG_CHANGE”?
When I then, with the same config for /etc/fstab, do this, nothing is written to the log, even though the file is changed by that:
# echo "" >> /etc/fstab
#
Third question: Why is that?? How can I audit file changes independent of the way/tool they were changed with? How can I configure auditd to log this particular change?
Thanks for your help!
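Added example, not part of the original post: a small bash lint over a pasted `auditctl -l` listing that flags the `-a never,task` rule (the audit project ships exactly this rule in its own rules/10-no-audit.rules to switch auditing off), since any `-w` watch loaded alongside it produces no events for processes started afterwards. The function name, input format and sample rule text are my own assumptions.

```bash
#!/usr/bin/env bash
# Added example (not auditd code): lint an `auditctl -l` listing for the
# "-a never,task" / "-a task,never" rule. auditctl(8): rules on the task list
# are evaluated at fork()/clone(); with action "never" the new process gets
# syscall auditing disabled. File watches (-w PATH -p ...) are matched on
# syscall exit, so with that rule loaded, `ls` in /etc or `echo >> /etc/fstab`
# from a freshly started process cannot generate a PATH/SYSCALL record.
# (A CONFIG_CHANGE with op=updated_rules is only the watch being re-attached
# when an editor replaces the watched file; it is not the file-access event.)

# Reads rule lines on stdin, one per line. Prints one "SUPPRESSED PATH PERMS KEY"
# line per watch rule when a task/never rule is present anywhere in the listing.
# Returns 1 if watches are suppressed, 0 otherwise.
audit_rules_lint() {
    local suppressed=0 line watches=''
    while IFS= read -r line; do
        # Skip blank lines, comments and "#" prompt lines from a pasted session.
        case "$line" in ''|'#'*) continue ;; esac
        case "$line" in
            '-a never,task'|'-a task,never') suppressed=1 ;;
            '-w '*) watches="${watches}${line}"$'\n' ;;
        esac
    done
    [ "$suppressed" -eq 1 ] || return 0
    [ -n "$watches" ] || return 0
    printf '%s' "$watches" | while IFS= read -r line; do
        # shellcheck disable=SC2086
        set -- $line                     # -w PATH -p PERMS -k KEY (auditctl -l order)
        printf 'SUPPRESSED %s %s %s\n' "$2" "$4" "$6"
    done
    return 1
}

# Constructed sample: the listing from the post above.
SAMPLE_RULES='# auditctl -l
-a never,task
-w /etc -p rwxa -k etc
-w /etc/fstab -p wa -k fstab'

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    if printf '%s\n' "$SAMPLE_RULES" | audit_rules_lint; then
        echo "no task/never rule: watches are active"
    else
        echo "task/never rule present: remove it, reload, then check with: ausearch -k fstab -i"
    fi
fi
```

`echo "" >> /etc/fstab` opens the file for writing, which is the `w` permission of `-p wa`, so once the suppression rule is gone that append shows up under `ausearch -k fstab`.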