
Re: CAPP Auditing with RHEL-4 U2 (fwd)

> The instructions were a bit bare (I probably missed the obvious ones).
> I copied over the capp.rules to /etc/audit.rules and restarted the
> auditd.

This is good so far. Note, the audit subsystem requires kernel components to 
work correctly. This means you need to be running kernel-2.6.9-16. You 
probably are, but I want to make sure.

> On our other systems if I do similar things and then do a 'cat 
> /etc/shadow', I see a dmesg statement saying that I have been a bad
> boy.  Nothing with this version of audit.

I just tried this and I get the following:

ausearch -ts 20:50:00 -f shadow -i
type=PATH msg=audit(08/23/05 20:51:28.318:1249) : name=/etc/shadow 
flags=follow,open inode=213853 dev=03:02 mode=file,400 ouid=root ogid=root 
type=CWD msg=audit(08/23/05 20:51:28.318:1249) :  cwd=/root
type=FS_INODE msg=audit(08/23/05 20:51:28.318:1249) : inode=213853 
inode_uid=root inode_gid=root inode_dev=03:02 inode_rdev=00:00
type=FS_WATCH msg=audit(08/23/05 20:51:28.318:1249) : watch_inode=213853 
watch=shadow filterkey=CFG_shadow perm= perm_mask=read
type=SYSCALL msg=audit(08/23/05 20:51:28.318:1249) : arch=i386 syscall=open 
success=yes exit=3 a0=bffa0c1e a1=8000 a2=0 a3=8000 items=1 pid=2840 
auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root 
sgid=root fsgid=root comm=cat exe=/bin/cat

This shows that the cat program was run by root who originally logged in as 
sgrubb and triggered a read file system watch on /etc/shadow and was 

> I looked in /var/log/audit/audit.log.. nothing about me trying to open
> the file that I could see. An ausearch shows some action, but nothing
> as explicit as when I try to do something selinux says is bad.

Not sure what's wrong. Are you on the new kernel? Is auditd running? Does 
"auditctl -l | grep shadow" show any rule?

> So what I am wondering is:
> 1) what extra capabilities will auditd have (syslog, logwatch support,
> etc?)

The idea is not to send events to syslog. Some information is lost letting 
things go there and CAPP style audit systems have many requirements that 
syslog doesn't begin to fulfill. For example, space checking and taking the 
system to maintenance mode (single user) if disk space gets below a certain 
threshold. But for the detection to be accurate, /var/log/audit should be its 
own partition.

> 2) what steps did I miss (do I need a supplemental Selinux strict for 
> the box?) 

No. Does auditctl -l show rules?

> 3) what can I do to better help this project? 

We are always looking for feedback & testers. Most of the audit discussion is 
at the linux-audit mail list. You can find information about it here:


It's a fairly focused group working on just the audit aspect of linux.

Hope this helps...
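As an added example (not part of the original message or of the audit project), here is a small Python parser for the ausearch -i output quoted above. It groups the records by event serial and pulls out the login identity (auid), the uid at the time of the call, the program, the watched path and the filter key, which is exactly the reading given above: cat run by root who originally logged in as sgrubb. The record layout and field names come from the quoted output; the sample string is that output re-typed, and nothing else is assumed.

```python
import re
from collections import defaultdict

# Constructed sample: the ausearch -i records quoted in the message above (serial 1249), as one string.
SAMPLE = """\
type=PATH msg=audit(08/23/05 20:51:28.318:1249) : name=/etc/shadow flags=follow,open inode=213853 dev=03:02 mode=file,400 ouid=root ogid=root
type=CWD msg=audit(08/23/05 20:51:28.318:1249) :  cwd=/root
type=FS_INODE msg=audit(08/23/05 20:51:28.318:1249) : inode=213853 inode_uid=root inode_gid=root inode_dev=03:02 inode_rdev=00:00
type=FS_WATCH msg=audit(08/23/05 20:51:28.318:1249) : watch_inode=213853 watch=shadow filterkey=CFG_shadow perm= perm_mask=read
type=SYSCALL msg=audit(08/23/05 20:51:28.318:1249) : arch=i386 syscall=open success=yes exit=3 a0=bffa0c1e a1=8000 a2=0 a3=8000 items=1 pid=2840 auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=cat exe=/bin/cat
"""

# type=<REC> msg=audit(<timestamp>:<serial>) : k=v k=v ...   (the timestamp itself contains colons)
RECORD = re.compile(r"^type=(\S+) msg=audit\((.*?):(\d+)\) :\s*(.*)$")
FIELD = re.compile(r"(\w+)=(\S*)")  # \S* keeps empty values such as perm=

def parse_events(text):
    """Group records by event serial: {serial: {record type: {field: value}}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:  # separators and blank lines are ignored
            rtype, stamp, serial, rest = m.groups()
            events[int(serial)][rtype] = dict(FIELD.findall(rest), _time=stamp)
    return events

def summarize_watch(event):
    """Who did what to a watched file; None when the event triggered no watch."""
    sc, watch = event.get("SYSCALL"), event.get("FS_WATCH")
    if not sc or not watch:
        return None
    return {
        "time": sc["_time"],
        "path": event.get("PATH", {}).get("name"),
        "key": watch.get("filterkey"),
        "access": watch.get("perm_mask"),
        "syscall": sc.get("syscall"),
        "success": sc.get("success") == "yes",
        "auid": sc.get("auid"),  # login identity, survives su/sudo
        "uid": sc.get("uid"),    # identity at the time of the call
        "comm": sc.get("comm"),
        "exe": sc.get("exe"),
    }

if __name__ == "__main__":
    for ev in parse_events(SAMPLE).values():
        s = summarize_watch(ev)
        if s:
            print(f"{s['time']} {s['auid']} (running as {s['uid']}) ran {s['exe']}: {s['syscall']} {s['path']} [{s['key']}, {s['access']}]")
```

Feed it the output of `ausearch -i` (for example `ausearch -ts today -k CFG_shadow -i`) instead of the embedded sample to review real events.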
