I've been reading some information about configuration of auditd
and I just can't figure this out. What I know how to do:
- Log specific system calls by a user
- Log access to a specific file by all users
What I can't figure out, however, is how to set up the audit daemon so that it logs access (read/write) to ALL files within a folder structure (for example /home
and all subfolders and files within) ONLY for a given user id.
So that if I had a user "bob" with user ID 2053, I would know every file they ever attempted to open or read on the filesystem. I am not interested in access to these files by system services or any other user.
Extra question: is it somehow possible to set up this kind of audit for the whole filesystem hierarchy? AFAIK audit doesn't allow that for some reason.
Best Answer
I'd start with something like this:
This will track all file open operations for the user with uid=1000, on the whole filesystem; beware that if you run it on a user with a graphical session, this will generate HEAPS of logs, for instance stuff (unwanted, I guess) like:
To refine the rule and have such control over a directory tree, this would turn to:
where:
(you can combine how many -F you want).
giving output like:
which will still contain lots of unwanted stuff, but much better. If the system becomes unresponsive because one of your rules is taking over, you can execute:
as a panic mode to reset to the default (empty) rules.
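The rule shape the answer describes (syscall rule, directory tree, single user, plus the panic reset), as an added example that is not the answerer's own commands. It assumes uid 2053, the /home tree and the key name `bob_home` from the question; the audit tooling (`auditctl`, `augenrules`, `ausearch`) must be installed and the install/reset helpers need root.

```shell
#!/bin/sh
# Added example: build auditd rules that record every file-open syscall under
# one directory tree for a single user. Assumed values: uid 2053, /home, key
# "bob_home" (taken from the question, not from the original answer).

# Print the rules for a numeric uid, a directory tree and an audit key.
# Both syscall ABIs are emitted: a 32-bit binary on a 64-bit host would
# otherwise slip past a b64-only rule. `-F dir=` matches the whole subtree,
# and `-F auid=` matches the login uid, which survives su/sudo, so switching
# identity after login does not evade the rule. Add openat2 to the -S list on
# kernels/auditctl versions that know it.
build_audit_rules() {
    uid="$1"; dir="$2"; key="$3"
    case "$uid" in
        ''|*[!0-9]*) echo "uid must be numeric, got: '$uid'" >&2; return 1 ;;
    esac
    for arch in b64 b32; do
        printf '%s always,exit -F arch=%s -S open,openat -F dir=%s -F auid=%s -k %s\n' \
            '-a' "$arch" "$dir" "$uid" "$key"
    done
}

# Persist the rules as a rules.d fragment and load them (run as root).
install_audit_rules() {
    build_audit_rules "$1" "$2" "$3" > "/etc/audit/rules.d/$3.rules" && augenrules --load
}

# Panic reset: drop every loaded rule if the box becomes unresponsive.
reset_audit_rules() {
    auditctl -D
}

# Usage (as root):
#   install_audit_rules 2053 /home bob_home
#   ausearch -k bob_home -i      # review what was captured for that key
#   reset_audit_rules            # if the rule overwhelms the system
```

Events for the key are then read back with `ausearch -k bob_home -i`, which resolves the uid and syscall numbers to names.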