The following events record actions related to file access, control, and creation. These events can be expected to occur during normal system operations; however, they may indicate a security problem if they occur in unusual patterns. For example, several changes of the access permissions on the same object may indicate that two processes are attempting to signal each other based on the accessibility of a file.
Note that much of the security of the system depends on proper use of the access control mechanisms. If access permissions are not set appropriately, it is possible for users to see data that they should not be allowed to view. It is a good idea to audit all events in this group to verify that the system's access permissions are always set appropriately.
The events listed in the following table record changes in the DAC permissions for objects (that is, file permissions). Access permissions are set by object owners at their discretion. The file_acl and ipc_acl events are recorded only on systems that have the Access Control List (ACL) Utilities installed.
Discretionary access control events
Event | Description | Manual page | Object audit |
---|---|---|---|
dac_mode | change mode of an object | chmod(2), fchmod(S) | Y |
dac_own_grp | change owner or group of an object | chown(2), fchown(S), lchown(S), chgrp(1), chown(1) | Y |
fd_acl | change file access control lists via file descriptor | facl(S) | Y |
file_acl | change file access control lists via pathname | acl(S) | Y |
ipc_acl | change IPC access control lists | aclipc(S) | Y |
The occurrence of directory and file access events is part of the normal activity of a system. However, these events may indicate problems if they occur in unusual patterns. For example, it is possible for two processes to signal each other based on the accessibility of a file. These signals are used to pass data between the processes in violation of access control permissions. In this case, a process would have an unusual number of access events for the same object, and the events would alternate between success and failure.
Directory and file access events
Event | Description | Manual page | Object audit |
---|---|---|---|
access | determine accessibility of a file | access(S) | Y |
chg_times | change file access and modification times | utime(S) | Y |
open_rd | open an object for reading | open(S) | Y |
open_wr | open an object for writing | open(S) | Y |
recvfd | receive file descriptor | NA | Y |
status | get file status | stat(2), fstat(S) | Y |
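The two signalling patterns described above (one process producing many access events on the same object whose outcomes alternate between success and failure, and repeated permission changes on that object) can be checked mechanically once the audit records are parsed. The script below is an added example, not part of this documentation or of the audit subsystem; it assumes a simplified `key=value` record format (`pid`, `event`, `obj`, `outcome`) that is constructed for illustration, and the sample records are likewise constructed. The event names are the ones in the tables on this page.

```python
"""Flag suspicious patterns in file-access audit records (added example).

Checks two patterns described in the audit documentation:
  1. one process generates many access-type events on the same object,
     and the outcomes keep flipping between success and failure;
  2. the mode/ownership/ACL of one object is changed repeatedly.
The record format below is an assumption made for this example.
"""
from collections import defaultdict
import re

# Event names taken from the tables on this page.
ACCESS_EVENTS = {"access", "chg_times", "open_rd", "open_wr", "status"}
DAC_EVENTS = {"dac_mode", "dac_own_grp", "fd_acl", "file_acl", "ipc_acl"}

# Assumed record layout: whitespace-separated key=value fields, one record per line.
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Turn 'pid=42 event=access obj=/tmp/f outcome=success' into a dict."""
    return dict(FIELD_RE.findall(line))


def alternations(outcomes):
    """Count consecutive outcome pairs that differ (success->failure or back)."""
    return sum(1 for a, b in zip(outcomes, outcomes[1:]) if a != b)


def find_suspicious(lines, min_events=8, min_alt_ratio=0.75, min_dac_changes=4):
    """Return a list of findings; each finding is a dict with pid, obj, reason, count."""
    outcomes_by_key = defaultdict(list)   # (pid, obj) -> outcomes in record order
    dac_pids_by_obj = defaultdict(list)   # obj -> pids that changed its permissions

    for line in lines:
        rec = parse_record(line)
        if rec.get("event") in ACCESS_EVENTS:
            outcomes_by_key[(rec["pid"], rec["obj"])].append(rec["outcome"])
        elif rec.get("event") in DAC_EVENTS:
            dac_pids_by_obj[rec["obj"]].append(rec["pid"])

    findings = []
    for (pid, obj), outcomes in outcomes_by_key.items():
        if len(outcomes) < min_events:
            continue  # too few events to judge a pattern
        ratio = alternations(outcomes) / max(len(outcomes) - 1, 1)
        if ratio >= min_alt_ratio:
            findings.append({"pid": pid, "obj": obj, "reason": "alternating_access",
                             "count": len(outcomes), "ratio": round(ratio, 2)})
    for obj, pids in dac_pids_by_obj.items():
        if len(pids) >= min_dac_changes:
            findings.append({"pid": ",".join(sorted(set(pids))), "obj": obj,
                             "reason": "repeated_dac_change", "count": len(pids)})
    return findings


# Constructed sample records: a sender (pid 102) toggles the mode of /tmp/chan
# and a receiver (pid 101) probes it with access(S), so the receiver's outcomes
# alternate. Pid 300 reads /etc/passwd repeatedly but always succeeds (benign),
# and pid 400 produces too few events to judge.
SAMPLE_LINES = []
for i in range(10):
    outcome = "success" if i % 2 == 0 else "failure"
    SAMPLE_LINES.append(f"pid=101 event=access obj=/tmp/chan outcome={outcome}")
    SAMPLE_LINES.append("pid=102 event=dac_mode obj=/tmp/chan outcome=success")
for i in range(10):
    SAMPLE_LINES.append("pid=300 event=open_rd obj=/etc/passwd outcome=success")
SAMPLE_LINES += ["pid=400 event=status obj=/var/tmp/x outcome=failure",
                 "pid=400 event=status obj=/var/tmp/x outcome=success"]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LINES):
        print(finding)
```

The thresholds are starting points, not tuned values: a process that polls a file with `access(S)` legitimately will also show many access events, but its outcomes will not keep flipping, which is why the check keys on the alternation ratio rather than on the raw event count.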
The occurrence of directory and file creation events is part of the normal activity of a system. However, these events may indicate problems if they occur in unusual patterns.
Directory and file creation events
Event | Description | Manual page | Object audit |
---|---|---|---|
create | create a new filesystem object | creat(S) | Y |
link | create a link to an object | link(S) | Y |
mk_dir | make a directory | mkdir(S) | Y |
rm_dir | remove a directory | rmdir(S) | Y |
unlink | unlink an object | unlink(S) | Y |
The following events record actions that involve symbolic links. Symbolic links are inodes that contain the pathname of another filesystem object. References to the symbolic link become references to the named object. Symbolic links can be used to create links between objects that span filesystems.
Symbolic link events
Event | Description | Manual page | Object audit |
---|---|---|---|
sym_create | create a symbolic link | symlink(S) | Y |
sym_status | get status of symbolic link | lstat(S) | Y |
The following events record actions that involve path changes.
Path change events
Event | Description | Manual page | Object audit |
---|---|---|---|
chg_dir | change working directory | chdir(2), fchdir(S) | Y |
chg_root | change root directory | chroot(S) | Y |
chg_nm | change filename | rename(S) | Y |