Audit config for NISPOM req's

Kirkwood, David A. DAVID.A.KIRKWOOD at saic.com
Fri Jan 12 16:09:43 UTC 2007


I'm using RHEL4U4 and do not have autail. Where'd it come from? Also,
the doc I have does not mention the -rwxa option for watches. Am I
missing some updates, or do I need to upgrade, or is the documentation
lagging?

Separate question. With the watches I have enabled, I never am able to
tie a user to an access violation. How do I do that?

Sorry if I am a little behind. I can only look at this group's mail
messages intermittently due to other responsibilities. I thought I was
near submitting a system for government approval, but now I am not so
sure.

Thanks,

David 
-----Original Message-----
From: linux-audit-bounces at redhat.com
[mailto:linux-audit-bounces at redhat.com] On Behalf Of Wieprecht, Karen M.
Sent: Thursday, January 11, 2007 2:19 PM
To: Steve Grubb; Curtas, Anthony R.
Cc: linux-audit at redhat.com; Thomas, Daniel J.
Subject: RE: Audit config for NISPOM req's

The auditctl man page for audit-1.0.14-1EL4 says the following (which
appears to be incorrect):
	To see unsuccessful open calls's:
	auditctl -a exit,always -S open -F success!=0

but an email you sent out a bit ago says this: 

>> If you wanted all unsuccessful opens, I'd rewrite as:
>>
>> -a exit,always -S open -F success!=1

This makes a lot more sense, and I assume that this is the correct
syntax. You might want to check to see if this has already been
corrected in the man pages for upcoming releases.

I was hoping that this setting by itself (-a exit,always -S open -F
success!=1) would show me any failed file opens on the whole machine,
so I don't understand why I don't get any audit events with this
configuration. I thought that maybe I also have to have a watch set on
a file, then tell auditd which events I want to collect with the "-a
exit,always -S open -F success!=1" setting, but that didn't do it
either. Here's what I was testing:

/etc/audit.rules :

-D
-w /etc/nsswitch.conf -rwxa
-a exit,always -S open -F success!=1


Then 
	service auditd reload
	service auditd rotate
	autail -f /var/log/audit/audit.log 

Then in another window, as a non-prived user
	rm /etc/nsswitch.conf
	cat /dev/null > /etc/nsswitch.conf
	chown karen /etc/nsswitch.conf
	chmod 777 /etc/nsswitch.conf
	cat somefile >> /etc/nsswitch.conf

I get lots of permission denied messages at the command line, but
nothing in the audit log relating to karen messing around with
/etc/nsswitch.conf.  

I must still be missing some basic understanding of how this all works.
Any helpful suggestions would be greatly appreciated.

Karen Wieprecht
Thanks,

Karen Wieprecht

--
Linux-audit mailing list
Linux-audit at redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
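As an added example, not code from either poster or from the audit project: David's second question, tying a user to an access violation, comes down to joining the SYSCALL record of an event (which carries uid and auid) with its PATH record (which carries the file name) by the shared serial in the msg=audit(TIMESTAMP:SERIAL) stamp. The Python below does that join over a few constructed audit.log lines whose layout follows the audit 1.0 record format; the field values, the syscall-number table (i386, arch=40000003 only) and the path being watched are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records (not taken from anyone's real system). Each
# event's SYSCALL and PATH records share one msg=audit(TIMESTAMP:SERIAL) stamp.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1168618743.101:201): arch=40000003 syscall=5 success=no exit=-13 a0=bfffe540 a1=8441 a2=1b6 a3=8441 items=1 pid=4122 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="bash" exe="/bin/bash"
type=PATH msg=audit(1168618743.101:201): item=0 name="/etc/nsswitch.conf" inode=131111 dev=03:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1168618744.205:202): arch=40000003 syscall=5 success=yes exit=3 a0=bfffe540 a1=8000 a2=0 a3=8000 items=1 pid=4123 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1168618744.205:202): item=0 name="/etc/nsswitch.conf" inode=131111 dev=03:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1168618745.310:203): arch=40000003 syscall=15 success=no exit=-1 a0=bfffe540 a1=1ff a2=0 a3=0 items=1 pid=4124 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="chmod" exe="/bin/chmod"
type=PATH msg=audit(1168618745.310:203): item=0 name="/etc/nsswitch.conf" inode=131111 dev=03:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""

REC_RE = re.compile(r'^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\): (.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Syscall numbers for arch=40000003 (i386). Other architectures use different numbers.
I386_SYSCALLS = {5: "open", 10: "unlink", 15: "chmod", 182: "chown"}


def parse_fields(body):
    """Split the key=value tail of a record; quoted values lose their quotes."""
    return {key: val.strip('"') for key, val in KV_RE.findall(body)}


def parse_audit_log(text):
    """Group records by serial: {serial: {"SYSCALL": fields, "PATH": [fields, ...]}}."""
    events = defaultdict(lambda: {"SYSCALL": None, "PATH": []})
    for line in text.splitlines():
        m = REC_RE.match(line.strip())
        if not m:
            continue  # blank line or a record type we do not parse
        rtype, secs, _frac, serial, body = m.groups()
        fields = parse_fields(body)
        fields["_time"] = int(secs)
        ev = events[int(serial)]
        if rtype == "SYSCALL":
            ev["SYSCALL"] = fields
        elif rtype == "PATH":
            ev["PATH"].append(fields)
    return dict(events)


def failed_accesses(text, path=None):
    """One summary per event with success=no, joined to the names in its PATH
    records, so every denial carries the uid that acted and the auid it logged in as."""
    hits = []
    events = parse_audit_log(text)
    for serial in sorted(events):
        sc = events[serial]["SYSCALL"]
        if sc is None or sc.get("success") != "no":
            continue
        names = [p.get("name", "?") for p in events[serial]["PATH"]]
        if path is not None and path not in names:
            continue
        nr = int(sc.get("syscall", -1))
        hits.append({
            "serial": serial,
            "time": sc["_time"],
            "auid": int(sc.get("auid", -1)),
            "uid": int(sc.get("uid", -1)),
            "comm": sc.get("comm", "?"),
            "exe": sc.get("exe", "?"),
            "syscall": I386_SYSCALLS.get(nr, str(nr)),
            "exit": int(sc.get("exit", 0)),
            "name": names[0] if names else "?",
        })
    return hits


def format_hit(h):
    return "serial %d: auid=%d uid=%d %s (%s) %s on %s failed, exit=%d" % (
        h["serial"], h["auid"], h["uid"], h["comm"], h["exe"],
        h["syscall"], h["name"], h["exit"])


if __name__ == "__main__":
    for h in failed_accesses(SAMPLE_LOG, path="/etc/nsswitch.conf"):
        print(format_hit(h))
```

The field to report on is auid rather than uid: auid is the login uid stamped on the session at login, so it still names the original user after an su, while uid only shows who the process was running as. Running the block over a real audit.log is a matter of reading the file into `failed_accesses` in place of `SAMPLE_LOG`.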