I downloaded the 1.5.2 source code, opened the archive and looked at the nispom.rules. Two things:
1. auditd complained about using the -k (keyword) flag on lines that were not file watch lines. This could be a newer feature not supported by our audit subsystem (we are running RHEL4 update 4 with audit-1.0.14 I believe). Can you verify if this is a general syntax problem or a your-audit-version-doesn't-support-this problem? Thanks.

2. We had two additional lines in our audit.rules to capture failed chown, chgrp, and chmod:

    -a exit,always -S 90 -F exit=-1
    -a exit,always -S 92 -F exit=-1

I think these capture a few other events that aren't necessarily chown, chmod, or chgrp, so there may be a savvier way to write this so as to exclude those extraneous items, but I haven't played with it. Let me know if these are picked up elsewhere in the sample NISPOM rules. If these actions aren't already being captured by another NISPOM audit rule, you might consider adding them since failed attempts to chown, chgrp, chmod are indications of someone possibly trying to open up access to files they don't have rights to, which would fall into the "failed file access attempts" category. Let me know what you think.

Thanks,
Karen Wieprecht

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit

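As an added example (not part of the post or of the audit package), a small linter that parses auditctl syscall rules like the two above, resolves numeric -S values to names for x86_64 (the syscall table and errno values below are assumed, not taken from the post), and reports what the exit filter actually matches:

```python
"""Parse and lint auditctl '-a' syscall rules of the form used in the post."""
import shlex

# Assumed x86_64 numbering: the two numbers in the post plus related calls.
X86_64_SYSCALLS = {90: "chmod", 91: "fchmod", 92: "chown",
                   93: "fchown", 94: "lchown"}
# errno values from <errno.h>, negated as they appear in the audit exit field.
ERRNO = {-1: "EPERM", -13: "EACCES"}


def parse_rule(line):
    """Return a dict describing one '-a ...' rule; raises on unknown flags."""
    argv = shlex.split(line)
    rule = {"action": None, "syscalls": [], "filters": [], "key": None}
    for i in range(0, len(argv), 2):
        flag = argv[i]
        val = argv[i + 1] if i + 1 < len(argv) else ""
        if flag == "-a":
            rule["action"] = val
        elif flag == "-S":
            # Numeric syscalls are resolved for x86_64; names pass through.
            if val.isdigit():
                val = X86_64_SYSCALLS.get(int(val), f"unknown({val})")
            rule["syscalls"].append(val)
        elif flag == "-F":
            name, _, value = val.partition("=")
            rule["filters"].append((name, value))
        elif flag == "-k":
            rule["key"] = val
        else:
            raise ValueError(f"unsupported flag {flag!r}")
    return rule


def lint(line):
    """Return (parsed rule, list of findings) for one rule line."""
    rule = parse_rule(line)
    findings = []
    for name, value in rule["filters"]:
        if name == "exit" and value.lstrip("-").isdigit():
            errno = ERRNO.get(int(value), f"errno {value.lstrip('-')}")
            findings.append(f"exit={value} matches only {errno}, not every failure")
    for sc in rule["syscalls"]:
        if sc.startswith("unknown"):
            findings.append(f"{sc}: not in the x86_64 table, check the architecture")
    if rule["key"] is None:
        findings.append("no -k key: events are harder to find with ausearch -k")
    return rule, findings
```

Running lint over the post's two lines reports that, under the assumed x86_64 numbering, they cover chmod and chown but not fchmod, fchown or lchown, and that exit=-1 records only EPERM failures.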