Questions regarding the audit service

I have been asked to audit all accesses to a certain directory, and its subdirectories, and have some questions. The directory structure is contained in its own filesystem.

Set up:

  • The filesystem is mounted at /abcfiles on a server running SLES 11 SP2, server1.
  • /abcfiles is in the /etc/exports file to be exported via NFS.
  • The filesystem is available to 7 other SLES 11 SP2 servers for read/write access via NFS.
  • The server hosting the filesystem and 3 of the other servers are running WAS. There are 4 servers running IBM HTTP Server.

I need to monitor all accesses to the entire directory structure as it contains sensitive data. My research indicates that an audit rule to monitor a directory can’t be wildcarded.

Question 1: If I set up an audit rule to monitor who accesses (read, write, execute, attribute changes) the main directory, will it also monitor that directory’s subdirectories or do I have to code a specific rule for each subdirectory?

The majority of the accesses to the directory (and its subdirectories) will be from the application running under WAS. The application is allowed to create/delete and read/write any of the files. I am planning on using directory monitoring instead of syscalls (using the -w switch on the rules) as I think I have a better grasp on this method. I feel that the audit.log file will fill up in several minutes due to the application.

Question 2: Is there a way that I can have audit exclude the accesses from the application running under WAS?

Question 3: Would monitoring of syscalls be better? If so, what would the rule(s) look like?

I think that it is a given that I will need to have the same audit rules in place on every server that accesses the directory structure (even those who access via NFS). I read something about the possibility of using NFS logging to do what I need but haven’t found much other than the mention.

Question 4: If NFS auditing/logging is the method to use, would it log the accesses from the server hosting the filesystem? I think not but don’t know anything about this.

Thanks.

Harley

Update: I ran some tests and found that specifying rule ‘-w /abcfiles -p rxwa -k somevalue’ will log any access/change made in any subdirectories of ‘/abcfiles’. So I have answered my "Question 1".

Solved!

It turns out that it was much easier than I thought to suppress the writing of file accesses based on uid and gid. The following is my /etc/audit/audit.rules that accomplished using the audit service to log all accesses to a directory (and all of its files and subdirectories) while also not logging access from the WebSphere application.

Contents of /etc/audit/audit.rules:

    # This file contains the auditctl rules that are loaded
    # whenever the audit daemon is started via the initscripts.
    # The rules are simply the parameters that would be passed
    # to auditctl.

    # First rule - delete all
    -D

    # Increase the buffers to survive stress events.
    # Make this bigger for busy systems
    -b 320

    # Feel free to add below this line. See auditctl man page

    # The following rule disables the logging of accesses to the specified
    # directory if the user is WebSphere.
    -a exit,never -F dir=/abcfiles/ -F uid=900 -F gid=502

    # The following rules log all accesses to the specified directory
    # (and subdirectories).
    -w /abcfiles/ -p r -k read -k pci
    -w /abcfiles/ -p w -k write -k pci
    -w /abcfiles/ -p x -k execute -k pci
    -w /abcfiles/ -p a -k attribute -k pci

    -e 1
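To see what this rule set actually leaves in audit.log, here is an added example (my own Python, not code from Harley's post or from the audit project) that groups constructed auditd SYSCALL/PATH records by serial number, drops an event only when both uid 900 and gid 502 match, exactly as the `-a exit,never` rule with two `-F` conditions does, and reports the remaining accesses under /abcfiles/ together with the login uid (auid), which is retained even after an su to the application account. The record layout and the sample events are assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (assumed auditd SYSCALL/PATH format,
# not taken from the original post). Event 4567 is the WebSphere account
# (uid 900, gid 502); 4569 runs as uid 900 but with a different gid.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1363185260.101:4567): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=2345 auid=4294967295 uid=900 gid=502 comm="java" exe="/opt/IBM/WebSphere/java/bin/java" key="read"
type=PATH msg=audit(1363185260.101:4567): item=0 name="/abcfiles/data/customer.dat" inode=1001 mode=0100640 ouid=900 ogid=502
type=SYSCALL msg=audit(1363185260.202:4568): arch=c000003e syscall=2 success=yes exit=4 items=1 pid=3456 auid=1001 uid=1001 gid=100 comm="cat" exe="/bin/cat" key="read"
type=PATH msg=audit(1363185260.202:4568): item=0 name="/abcfiles/data/customer.dat" inode=1001 mode=0100640 ouid=900 ogid=502
type=SYSCALL msg=audit(1363185260.303:4569): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=3457 auid=1002 uid=900 gid=100 comm="vi" exe="/usr/bin/vi" key="write"
type=PATH msg=audit(1363185260.303:4569): item=0 name="/abcfiles/data/customer.dat" inode=1001 mode=0100640 ouid=900 ogid=502
"""

SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(log_text):
    """Group the SYSCALL and PATH records that share one audit serial."""
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        ev = events[int(m.group(1))]
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if f.get("type") == "SYSCALL":
            for k in ("auid", "uid", "gid", "comm", "key", "success"):
                ev[k] = f.get(k)
        elif f.get("type") == "PATH" and "name" in f:
            ev["paths"].append(f["name"])
    return dict(events)

def excluded_by_never_rule(ev, uid="900", gid="502"):
    """Mirror '-a exit,never -F dir=/abcfiles/ -F uid=900 -F gid=502':
    the event is dropped only when every -F condition matches."""
    return ev.get("uid") == uid and ev.get("gid") == gid

def report_accesses(log_text, watched="/abcfiles/"):
    """Rows (serial, auid, uid, comm, key, success, path) for the events
    the rule set would still write; auid keeps the original login uid."""
    rows = []
    for serial, ev in sorted(parse_events(log_text).items()):
        hits = [p for p in ev["paths"] if p.startswith(watched)]
        if hits and not excluded_by_never_rule(ev):
            rows += [(serial, ev.get("auid"), ev.get("uid"), ev.get("comm"),
                      ev.get("key"), ev.get("success"), p) for p in hits]
    return rows
```

Running `report_accesses(SAMPLE_LOG)` keeps events 4568 and 4569 and drops 4567; the failed write in 4569 (success=no) is still recorded, which is usually what a sensitive-directory audit wants to see.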

Hi Harley,

thanks for reporting back, it’s good to see people spend time not only asking, but even helping others even if no-one was able to answer one’s questions. Oh, and great you could get your problem solved in the first place :)

Regards,
Jens