Administrators with the appropriate privileges can set ACL entries to audit access attempts for specific files or specific directories.
The following rights profiles enable administrators to view and modify audit ACLs:
Object Access Management
Media Backup
Media Restore
Local, NFS, and SMB access or failed access to a ZFS file or directory may result in the generation of an audit record, depending on that file or directory's audit ACL entries.
You cannot view or modify the Audit ACEs of a ZFS ACL without the file_audit privilege.
For remote callers to be able to view or set audit ACL entries:
NFS client callers must be root and must have root access on the server, for example, where the client host has been given root access on the server NFS share. Note that this NFS option has security vulnerabilities and is not recommended.
SMB client callers must be in an SMB group, with a SID, which has an Administrator, Backup, or Restore privilege. Backup and restore operations may require reading and setting ACL's which contain audit ACEs.
Caution - Unprivileged users can perform some tasks that affect the ACL for files and could lose audit information for those files. For example, users could rename another file to replace an existing file that has an audit ACL, thus losing the ACL information. Given this limitation, administrators might want to create default audit ACLs on directories in order to better monitor files in those directories. In addition, some interfaces may update files without preserving the ACL, including the passwd command and other commands that affect password management, such as the useradd command. Administrators should use the appropriate commands when updating system files in order to preserve the ACL, using commands such as chmod, pfedit, remove, rename, or vim. |
The procedures for setting audit ACL entries have been built into existing procedures for modifying ACL entries.
Use the following command syntax to set Trivial ACL audit entries:
chmod [options] A[index]{+|=}owner@ |group@ |everyone@: \
access-permissions/...[:inheritance-flags]: \
successful_access|failed access:audit file ...
chmod [options] A-owner@, group@, everyone@: \ access-permissions/...[:inheritance-flags]: \ successful_access|failed access:audit file ...
As shown in this syntax, the chmod command includes the audit option. The command also includes a variable specifying that successful access attempts, failed access attempts, or both will be audited.
In this example, a trivial ACL exists on a directory named dir1. Run the following command to set an audit requirement for that directory.
# chmod A+everyone@:read_data/read_attributes/read_acl:failed_access:audit dir1
This command specifies that whenever a person in the everyone group tries to access dir1 and fails, that access failure is recorded in the audit log.
To view revised ACL settings for this file, run the following command.
# ls -v
total 1
drwxr-xr-x 2 foo staff 2 Feb 1 19:28 dir1
0:everyone@:list_directory/read_data/read_attributes/read_acl
:failed_access:audit
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/read_xattr/write_xattr/execute/delete_child
/read_attributes/write_attributes/read_acl/write_acl/write_owner
/synchronize:allow
2:group@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
3:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
Almost all of the records that can be generated by per-object auditing are existing events in existing classes, so you can search as you usually do by class and then scan for per-file events. Use the auditreduce command to select records by audit classes, including the syntax described in the audit_flags(7) man page to select failed events or successful events. To search for audit records related to a specific file, use the auditreduce command with the –o option and the file=pathname variable. For instructions, see Selecting Audit Events to Be Displayed.
For further information, see the auditreduce(8) and audit_flags(7) man pages.