no logging of successful events?

Brian LaMere brianl at clinicomp.com
Mon Aug 18 20:43:19 UTC 2008


> The recent versions of the audit system ships with a stig.rules file
> that gives what I believe to be a correct rule set. What the official
> docs say to do is another thing. :)  Take a look at that file and see
> how I do the unauthorized file access.


Excellent!  I had simply changed to the following, in a minimalistic
approach:

----------------------------------------------------
# watch the audit configuration itself for changes
-w /etc/auditd.conf
-w /etc/audit.rules
# failed opens only (unauthorized access attempts)
-a exit,always -S open -F success=0
# successful removals and permission/ownership changes only
-a exit,always -S rmdir -S unlink -S chmod -S fchmod -S chown -S fchown -S lchown -F success!=0
# system-state changes, both successful and failed
-a exit,always -S settimeofday -S setrlimit -S setdomainname -S sched_setparam -S sched_setscheduler -S acct -S reboot -S swapon
-------------------------------------------------

Was grouping by failed, successful, and both.  Did this due to reading
that every audit rule is tested for every syscall, which...yeah, makes
me want to group things.

That being said, stig.rules is extensive; any warning on what the
performance impact will be?

Also, when looking for the newer builds on your site
http://people.redhat.com/sgrubb/audit/ - I noticed "1.7 -> 1.8 Remote
logging and finishing up IDS/IPS plugin."  That would be wondrously
fabulous, and I look forward to it.  Any thoughts on whether it will be
pulled into RHEL5, or whether I'd have to wait until RHEL6?

Brian
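Added example, not part of the thread and not Brian's rules or anything from the audit project: a small Python script that parses a constructed audit.rules fragment and merges syscall rules that share the same list and options into one multi -S rule, which is the grouping by failed/successful/both described in the message. It assumes one rule per line and that every option other than -S takes exactly one argument.

```python
import shlex
from collections import defaultdict

# Constructed sample in auditctl syntax (not from the thread): one rule per
# line, '#' comments allowed, as in /etc/audit/audit.rules.
SAMPLE_RULES = """
# watches are left alone; only -a syscall rules are grouped
-w /etc/auditd.conf -p wa
-a exit,always -S open -F success=0
-a exit,always -S unlink -F success!=0
-a exit,always -S rmdir -F success!=0
-a exit,always -S chmod -F success!=0
-a exit,always -S settimeofday
-a exit,always -S reboot
"""

def parse_rules(text):
    """Return (action, syscalls, other_options) for each -a syscall rule.
    other_options keeps -F filters and anything else (e.g. -k keys), so two
    rules are only merged when every option except -S is identical."""
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line, comments=True)
        if not toks or toks[0] != "-a":
            continue
        action, syscalls, others = toks[1], [], []
        i = 2
        while i < len(toks):  # assumption: each option takes one argument
            if toks[i] == "-S":
                syscalls.append(toks[i + 1])
            else:
                others.append(toks[i] + " " + toks[i + 1])
            i += 2
        rules.append((action, syscalls, tuple(others)))
    return rules

def group_rules(rules):
    """Merge rules sharing action and options into one multi -S rule, so the
    kernel walks one rule per group instead of one rule per syscall."""
    groups = defaultdict(list)
    for action, syscalls, others in rules:
        groups[(action, others)].extend(syscalls)
    return [(a, sorted(set(s)), o) for (a, o), s in sorted(groups.items())]

def render(grouped):
    """Emit the grouped rules back in auditctl syntax."""
    lines = []
    for action, syscalls, others in grouped:
        parts = ["-a", action] + [t for s in syscalls for t in ("-S", s)]
        lines.append(" ".join(parts + list(others)))
    return lines
```

For the sample above the six single-syscall rules collapse to three grouped rules, one per success filter.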