questions about auditing on a new RH 6 box

Steve Grubb sgrubb at redhat.com
Fri Jan 14 19:57:23 UTC 2011


On Friday, January 14, 2011 02:26:40 pm Tangren, Bill wrote:
> #Ensure that failed attempts at using the following system calls are
>  audited
> -a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F
> success=1 -F  exit!=-11
> 
> Which says audit mknod calls that are successful and the exit code is not
> EAGAIN.
> 
> Are you sure this is what you intended? 
> 
> ******************
> The comments above each line are excerpts from the regulations. 

The last rule does not match the comment for starters. It would be something like 
this:

-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F
 success=0

But this is overlapping the other rules right above it. Let's look:

#Ensure that the following system calls are audited for the current logged in
#user and for root
#Ensure that failed attempts at using the following system calls are audited

So the first is all use for anyone logged in except the system. The second one is all 
failed use regardless of someone logged in or not, so that is just 2 rules (assuming 
you don't want EAGAIN):

-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F auid!=-1 -F 
exit!=-11 -k user-root-syscalls
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F 
exit!=-11 -k failed-syscalls

You may have other rules that do not match the requirements.

-Steve




More information about the Linux-audit mailing list