[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Fwd: Syscalls to use



Steve, would you mind giving me a little more guidance on this?

Is there anything more specific you can suggest? 

I don't want to provide a false sense of security to my IA people.
--------------------------
Warron French


---------- Forwarded message ----------
From: warron.french <warron french gmail com>
Date: Tue, Oct 11, 2016 at 2:58 PM
Subject: Syscalls to use
To: linux-audit redhat com


I apologize, but I am not sure how to go about determining the appropriate syscalls to use for various audit goals.

I know that recently I learned to use the ausyscall --dump command to list the ausyscalls; but apparently I mis-understood/interpreted the purpose of 1 or 2 of the syscalls and had to be corrected (thanks Steve).

Anyway, my organization has a goal to audit several things; of which I know how to manage most, for examples:

  1. File & Object
  • Creation (Success/Failure)                                   |  w
  • Access (Success/Failure)                                    |  r
  • Deletion (Success/Failure)                                   |  w
  • Content Modification (Success/Failure)                 |  a
  • Permission Modification (Success/Failure)            |  a
  • Ownership Modification (Success/Failure)             |  a
For these I would have used a watch (-w) rule and set the -p flags to r, w or a as shown above.  From what I understand though, correct me if I am wrong Steve, we should be getting away from the watch rules and move towards Syscalls and using -F path=/path/to/file, or
-F path=/path/to/several_files/   -- is this correct, both for RHEL6 and RHEL7?

Also, I need to audit (Success/Failure) for the following sort of things:
Authentications
Logons
Logoffs

Writes/downloads to external devices/media
Uploads from external devices/media (such as DvD, thumbdrive, etc)

User & Group
events
User:  Creation, deletion, Modification, suspending/locking
Group/Role:  Creation, deletion, modification

Use of Privileged/Special Rights events (such as sudo, su, etc..)
Printing to a print-device
Printing to a file

Thanks in advance for any steering someone could provide to get me moving in the correct direction.

--------------------------
Warron French



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]