Re: Status of /etc/audit/filter.conf

On Mon, 2007-04-23 at 16:09 -0400, Aaron Lippold wrote:
> I have a security checking script that is complaining that my system
> is not able to audit all discretionary access to control permission
> modifications.
> To verify this it is looking for /etc/audit/filter.conf
> Is this still the correct place to look on RHEL4/5? I'd assume not
> since I can't find a man page on audit-filter.conf anymore.

filter.conf was a LAuS configuration file, which is no longer used.
Auditing in RHEL4 and RHEL 5 is entirely unrelated to LAuS. The
approximately corresponding information is in /etc/audit.rules (RHEL4)
or /etc/audit/audit.rules (RHEL5) iirc.

> If not, where and how would I add this feature to my audit configuration?

That really depends what 'discretionary access to control permission
modifications' actually means to the person who wrote it ;) I'm guessing
it refers to auditing the chmod family of system calls, in which case
you would add the following line to /etc/audit/audit.rules in RHEL 5:

-a entry,always -S chmod -S fchmod

and start the audit daemon. These calls will then be logged
in /var/log/audit.log.

Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
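
Added example, not part of the original message: a small checker that reads audit.rules text and reports whether the syscalls named in the reply are covered by an "always" rule, instead of testing for the obsolete /etc/audit/filter.conf. The names parse_rule, coverage and SAMPLE_RULES are hypothetical, the sample rules are constructed, and the fchmodat and chown entries go beyond the two syscalls the reply lists.

```python
import shlex

# Syscalls named in the reply; treating exactly this set as the requirement
# is an assumption, extend it to match your own policy.
REQUIRED = ("chmod", "fchmod")

def parse_rule(line):
    """Return (syscalls, filtered) for an 'always' syscall rule, else None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = shlex.split(line)
    always, filtered, syscalls = False, False, set()
    for flag, value in zip(tokens, tokens[1:]):
        if flag in ("-a", "-A"):      # list,action accepted in either order
            always = "always" in value.split(",")
        elif flag == "-S":            # one name per -S, or a comma-separated list
            syscalls.update(value.split(","))
        elif flag == "-F":            # a field filter narrows what the rule logs
            filtered = True
    return (syscalls, filtered) if always and syscalls else None

def coverage(rules_text, required=REQUIRED):
    """Map each required syscall to 'always', 'filtered' or 'missing'."""
    status = dict.fromkeys(required, "missing")
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        syscalls, filtered = rule
        for name in required:
            if name in syscalls or "all" in syscalls:
                if not filtered:
                    status[name] = "always"
                elif status[name] == "missing":
                    status[name] = "filtered"
    return status

# Constructed sample: the rule from the reply plus a filtered rule.
SAMPLE_RULES = """\
-D
-a entry,always -S chmod -S fchmod
-a exit,always -S fchmodat -F auid>=500
"""

if __name__ == "__main__":
    for name, state in coverage(SAMPLE_RULES, REQUIRED + ("fchmodat", "chown")).items():
        print(f"{name}: {state}")
```

The checker does not evaluate rule ordering, so an earlier "never" rule that suppresses a later "always" rule is not detected; compare against the output of auditctl -l on the running system as well.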
