Syscalls

Johnston Mark (UK) Mark.Johnston at o2.com
Wed Feb 28 12:23:45 UTC 2007


We're trying to set up auditing to match a few policy requirements. The
ones that I'm struggling with are the following:

1) Using auditd to check for system start/stop. In "man syscalls" it
shows shutdown, but auditd doesn't like it when I use this for a system
call. Would also have been nice to track any time someone uses init.

2) Use aureport to show logins (failed and successful). I've logged into
our system with failed and successful tries, and it's visible in
audit.log, but it doesn't show anything under aureport; the count is 0.

3) We're trying to log any time someone is unsuccessful in doing
something. We've tried the open command with success!=0 as per the
example in the man page, but we get a whole bunch of stuff in the logs,
not the failed attempts.

4) We're trying to track all usage by the root user; again we are getting
a whole bunch of other stuff in the logs, not actions by the user root
only.

5) We are trying to track changes to the system date and time. I've been
using the example in capp.rules, but all we get is ntpd, not the usage
of date, which we would like.

Thanks
Mark 



-----Original Message-----
From: linux-audit-bounces at redhat.com
[mailto:linux-audit-bounces at redhat.com] On Behalf Of Steve Grubb
Sent: 28 February 2007 11:44
To: linux-audit at redhat.com
Cc: Johnston Mark (UK)
Subject: Re: Syscalls

On Wednesday 28 February 2007 06:07:28 Johnston Mark (UK) wrote:
> Is there a place where I can get all the supported syscalls for audit
> version 1.2.9-6.4? There are a couple of things that I'm trying to do
> like watching for the shutdown and init command (looking for system
> reboots), and looking for changes to the date (I've got the time
> part).

Yes, this is the place. What do you need help with?

-Steve

--
Linux-audit mailing list
Linux-audit at redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


