Steve,

I am a bit new at using mail lists, but I joined this one to get help on setting up auditd for NISPOM chapter 8.

Below you say the nispom.rules has been updated several times. Where is the latest version located? In the nispom.rules version in your post in the archive, the comments said several NISPOM audit requirements were met by other programs (1(b) by patches to login, gdm, and openssh; 1(d) by patches to libpam; 1(e) & 1(f) by patches to pam_tally). Can these patches be downloaded from somewhere? Do the patches work with SuSE 10.1 or 10.2?

Sorry, I come from a non-RH distro background. Our choice of SuSE came from the long historic past. I would rather not have to switch several machines to RH in order to meet NISPOM requirements, but I could if absolutely necessary.

Brian K. Whatcott
Senior Software and Systems Engineer
Millennium Engineering Integration
(719) 264-4310, FAX (719) 264-4318
(719) 331-5100 (Cell)
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Grubb
Sent: Friday, April 13, 2007 12:32 PM
To: Timothy R. Chavez
Cc: Linux Audit
Subject: Re: [RFC] NISPOM audit rules - first draft

On Friday 13 April 2007 14:24, Timothy R. Chavez wrote:
> Wow... finally just getting to these. Just a couple quick comments below.

The nispom.rules file has been updated several times since this was initially posted.

> > ## unsuccessful modifications
> > -a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
> > -a exit,always -S renameat -F exit=-13 -k mods
> > -a exit,always -F perm=a -F exit=-13 -k mods
>
> No system call specified...

That's what the magic of "perm" is. It selects all syscalls that match the changing of attribute.

-Steve

--
Linux-audit mailing list
[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/linux-audit
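The point discussed in the thread, as an added example that is not part of the original messages or of the audit package: a small Python review helper that parses the three quoted rules, reports whether each one is narrowed by explicit `-S` syscalls or by the `perm` field, and decodes `exit=-13` to its errno name. The function names are hypothetical and only `=` field comparisons are handled.

```python
import errno
import shlex

# The three rules quoted in the thread ("unsuccessful modifications").
RULES = """\
-a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
-a exit,always -S renameat -F exit=-13 -k mods
-a exit,always -F perm=a -F exit=-13 -k mods
"""

# Access classes accepted by the perm field, per auditctl(8).
PERM_CLASSES = {"r": "read", "w": "write", "x": "execute", "a": "attribute change"}

def parse_rule(line):
    """Split one rule line into its -a, -S, -F and -k parts ('=' comparisons only)."""
    rule = {"-a": None, "syscalls": [], "fields": {}, "-k": None}
    tokens = iter(shlex.split(line))
    for opt in tokens:
        arg = next(tokens, "")
        if opt == "-S":
            rule["syscalls"].append(arg)
        elif opt == "-F" and "=" in arg:
            name, _, value = arg.partition("=")
            rule["fields"][name] = value
        elif opt in ("-a", "-k"):
            rule[opt] = arg
        else:
            raise ValueError(f"unsupported rule part: {opt} {arg}")
    return rule

def selector(rule):
    """Say what narrows the rule to particular syscalls."""
    if rule["syscalls"]:
        return "syscalls:" + ",".join(rule["syscalls"])
    perm = rule["fields"].get("perm")
    if perm:
        return "perm:" + ",".join(PERM_CLASSES[c] for c in perm)
    return "unfiltered"  # neither -S nor perm: worth a second look in review

def exit_errno(rule):
    """Translate a negative exit= value into its errno name, e.g. -13 -> EACCES."""
    value = int(rule["fields"]["exit"])
    return errno.errorcode[-value] if value < 0 else None

if __name__ == "__main__":
    for line in RULES.splitlines():
        r = parse_rule(line)
        print(f"{selector(r):40} exit={exit_errno(r)} key={r['-k']}")
```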
