trouble with a number of audit rules
Bill Tangren
bjt at aa.usno.navy.mil
Mon Jan 29 22:33:10 UTC 2007
Steve Grubb wrote:
> On Monday 29 January 2007 16:57, Bill Tangren wrote:
>> 1)
>> # Ensures that any reads of the audit log by the current user that's logged
>> is # audited. It might be beneficial to create a rule for each of the 5
>> logs # that are generated.
>>
>> RULE:
>> -w /var/log/audit/audit.log -p r -F auid=-1
This is in the capp.rules too.
>
> On RHEL4, syscall auditing and file system auditing cannot be mixed on the
> same line. Watches can only take -p & -k parameters.
>
>> 2)
>> # Ensures that any user who mounts or unmounts a device is audited
>>
>> RULE:
>> -a exit,always -S mount -S umount
>
> Are you on x86_64? If so, you should use umount2. I believe this is documented
> in capp.rules.
Yes, x86_64. I missed this one in capp.rules. Damn.
>
>> 3)
>> # ensures auditing whenever the reboot command is sent to the kernel
>>
>> RULE:
>> -a always,entry -S socketcall -F a0=13
>
> x86_64? If so use the syscall, shutdown. (offhand, I don't know why you would
> need to audit shutdown.)
>
>> 4)
>> # Ensures auditing of any unauthorized access to roots home directory.
>>
>> RULE:
>> -w /root -p rw -F uid!=0
I'll have to think some more about how to do this one.
>
> see #1 above
>
>> 5)
>> #Ensure that failed use of the following system calls is audited
>>
>> RULE:
>> -a exit,always -S quotactl -S mount -S stime -S kill -S chroot -F success=0
>> -F auid=-1 -F auid=0
>
> stime is valid on i386. maybe settimeofday?
Yes, settimeofday worked.
>
> -Steve
>
Thanks, Steve.
More information about the Linux-audit
mailing list