STIG issue with auditctl -l

leam hall leamhall at gmail.com
Thu Nov 20 16:03:18 UTC 2014


On Thu, Nov 20, 2014 at 10:52 AM, LC Bruzenak <lenny at magitekltd.com> wrote:
> On 11/20/2014 09:42 AM, leam hall wrote:
>> The RHEL 6 STIG says:
>>
>>   auditctl -l | grep syscall | grep chmod
>>
>> Should return lines referring to chmod. Those lines are in my
>> audit.rules. Just doing an:
>>
>>   auditctl -l | grep syscall
>>
>> Returns nothing. I've got no issues telling the STIG folks how to do
>> their work, but wanted to make sure I know what I'm talking about
>> first.
>>
>> Am I missing something if there's no "syscall" line(s) returned?
>>
>> Thanks!
>>
>> Leam
>>
>
> The auditctl command returns the rules loaded into the kernel.
> Looks to me as if you might not have a running auditd or else your rules
> were not all successfully loaded.
> This can happen if there was an error inside the ruleset and you didn't
> have the "-c" or "-i" flag set to continue loading the rules.
> Check your syslog for any errors on startup; also just auditctl -l and
> compare the loaded rules against your file.
>
> HTH,
> LCB
>
> --
> LC (Lenny) Bruzenak
> lenny at magitekltd.com

Hmm... I played with chmod; removed fchmodat. The audit daemon says
it's running.

service auditd status
auditd (pid  609) is running...
Before the mod:

auditctl -l | grep chmod
-a always,exit -F arch=i386 -S chmod,fchmod,fchmodat -F key=perm_mod
-a always,exit -F arch=x86_64 -S chmod,fchmod,fchmodat -F key=perm_mod


After editing audit.rules and restarting auditd:

auditctl -l | grep chmod
-a always,exit -F arch=i386 -S chmod,fchmod -F key=perm_mod
-a always,exit -F arch=x86_64 -S chmod,fchmod,fchmodat -F key=perm_mod


Where's the best place to put debug flags?

Thanks!

Leam


-- 
Mind on a Mission
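An added check, not code from this thread, for the situation described in the message above: given an `auditctl -l` listing in the `-a always,exit -F arch=... -S a,b,c` form shown here (an assumed format; it ignores watch rules and lines without an arch), it reports which chmod-family syscalls have no loaded rule for each architecture, which would flag the i386 line that lost fchmodat. The required syscall set and the two architecture names are assumptions taken from the listing in this message.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks an `auditctl -l` listing in
# the "-a always,exit -F arch=... -S a,b,c" form shown above (assumed format)
# and reports chmod-family syscalls that have no loaded rule on each arch.
# The required set and the arch names are assumptions taken from the message.
REQUIRED_SYSCALLS="chmod fchmod fchmodat"
ARCHES="i386 x86_64"

# Constructed samples: the "before" and "after" listings from the message.
# In the "after" one the i386 rule lost fchmodat while x86_64 kept it.
SAMPLE_BEFORE='-a always,exit -F arch=i386 -S chmod,fchmod,fchmodat -F key=perm_mod
-a always,exit -F arch=x86_64 -S chmod,fchmod,fchmodat -F key=perm_mod'
SAMPLE_AFTER='-a always,exit -F arch=i386 -S chmod,fchmod -F key=perm_mod
-a always,exit -F arch=x86_64 -S chmod,fchmod,fchmodat -F key=perm_mod'

# stdin: auditctl -l output. stdout: one "arch syscall" line per pair that a
# loaded syscall rule covers. Lines without both arch= and a -S list (watch
# rules, "No rules", control lines) produce nothing.
covered_pairs() {
    awk '
    {
        arch = ""; calls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^arch=/) { arch = substr($i, 6) }
            else if ($i == "-S") { calls = calls "," $(i + 1) }
        }
        if (arch == "" || calls == "") next
        n = split(calls, c, ",")
        for (j = 1; j <= n; j++) if (c[j] != "") print arch, c[j]
    }'
}

# $1: auditctl -l output. Prints "arch syscall" for every required pair that
# is not covered; exits 0 when nothing is missing, 1 otherwise.
missing_chmod_rules() {
    pairs=$(printf '%s\n' "$1" | covered_pairs)
    status=0
    for arch in $ARCHES; do
        for sc in $REQUIRED_SYSCALLS; do
            printf '%s\n' "$pairs" | grep -Fqx "$arch $sc" ||
                { printf '%s %s\n' "$arch" "$sc"; status=1; }
        done
    done
    return $status
}

# On a live system: missing_chmod_rules "$(auditctl -l)"
missing_chmod_rules "$SAMPLE_AFTER" ||
    printf 'some required chmod rules are not loaded in the kernel\n'
```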