questions about auditing on a new RH 6 box
Steve Grubb
sgrubb at redhat.com
Fri Jan 14 19:57:23 UTC 2011
On Friday, January 14, 2011 02:26:40 pm Tangren, Bill wrote:
> #Ensure that failed attempts at using the following system calls are
> audited
> -a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F
> success=1 -F exit!=-11
>
> Which says audit mknod calls that are successful and the exit code is not
> EAGAIN.
>
> Are you sure this is what you intended?
>
> ******************
> The comments above each line are excerpts from the regulations.
The last rule does not match the comment for starters. It would be something like
this:
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F
success=0
But this is overlapping the other rules right above it. Let's look:
#Ensure that the following system calls are audited for the current logged in
#user and for root
#Ensure that failed attempts at using the following system calls are audited
So the first is all use for anyone logged in except the system. The second one is all
failed use regardless of someone logged in or not, so that is just 2 rules (assuming
you don't want EAGAIN):
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F auid!=-1 -F
exit!=-11 -k user-root-syscalls
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F
exit!=-11 -k failed-syscalls
You may have other rules that do not match the requirements.
-Steve
More information about the Linux-audit
mailing list