[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Sample Rules

--- Valdis Kletnieks vt edu wrote:

> I can *guarantee* that something you will eventually
> be asked is:

You are correct. It won't even take long.

> "What auditctl rules do I need to split things into
> classes equivalent to
> the Solaris/AIX/Irix (pick one or more) audit
> classes?"

Chuckle. Irix does not have audit classes.
This is for the simple reason that Solaris
does and the lesson learned is that it is
impossible to find any two people who can
agree on what should be grouped together.
On Irix you have to tell it what events
you want.

> (Am pressed for time, don't have the Irix pointer
> handy)

http://techpubs.sgi.com/library/tpl/cgi-bin/getdoc.cgi/srch5 audit/0650/bks/SGI_Admin/books/IA_BakSecAcc/sgi_html/ch06.html#LE77858-PARENT

Of course, neither system audits on a system
call basis. Events are selected by the policy
enforced. This may confound those who don't 
realize that because of this policy perspective
turning on audit for chown() will also enable
audit for chmod().

Chown and chmod are controlled by the
file-system-object-attribute-write policy.
You can (on those U2X systems) monitor
that policy's enforcement in the kernel
but if you want to audit all calls to chmod
you need to watch that policy and filter
out all other system call records.

Casey Schaufler
casey schaufler-ca com

Do you Yahoo!? 
Yahoo! Mail - 250MB free storage. Do more. Manage less. 

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]