On Wednesday 18 April 2007 16:41, Wieprecht, Karen M. wrote:
> 1. auditd complained about using the -k (keyword) flag on lines that
> were not file watch lines.

Yes, this was mentioned on IRC last week and fixed in my development copy. It will be in 1.5.3.

> This could be a newer feature not supported by our audit subsystem (we
> are running RHEL4 update 4 with audit-1.0.14 I believe). Can you verify
> if this is a general syntax problem or a
> your-audit-version-doesn't-support-this problem? Thanks.

1.5.2 does not work with RHEL4.

> 2. We had two additional lines in our audit.rules to capture failed
> chown, chgrp, and chmod:
>
> -a exit,always -S 90 -F exit=-1
> -a exit,always -S 92 -F exit=-1

I think you want 90-94 on x86_64. I guess they do return -EPERM.

The way that we are doing this for 1.5.2 is using special syntax allowed by the newer kernels:

-a exit,always -F perm=a -F exit=-13

This tells the kernel to select any syscall that changes file attributes. We should probably add another line with -F exit=-1.

> If these actions aren't already being captured by another NISPOM audit
> rule, you might consider adding them since failed attempts to chown,
> chgrp, chmod are indications of someone possibly trying to open up
> access to files they don't have rights to which would fall into the
> "failed file access attempts" category.

Yep, I'll add a line.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
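The rules above produce SYSCALL records with success=no and an exit value of -1 (EPERM) or -13 (EACCES) for the chmod/chown family, which on x86_64 are syscalls 90 to 94 as the reply says. The script below is an added example, not code from the thread or from the audit project, showing how a reviewer would pull those denied attribute-change attempts out of audit.log and count them per login uid. The log records and the key name "perm_mod" are constructed for the example; the syscall numbers, errno values and the x86_64 arch value c000003e are the real ones.

```python
import re
from collections import Counter

# Constructed sample records (not from the thread): SYSCALL events in the
# format the 2.6 kernel audit subsystem emits on x86_64, plus records that
# the filter must ignore (a successful chmod, a denied open, a CWD record).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1176912345.123:456): arch=c000003e syscall=90 success=no exit=-1 a0=5f2a10 a1=1ff a2=0 a3=0 items=1 pid=2345 auid=500 uid=500 gid=500 euid=500 comm="chmod" exe="/bin/chmod" key="perm_mod"
type=CWD msg=audit(1176912345.123:456): cwd="/home/karen"
type=SYSCALL msg=audit(1176912401.777:457): arch=c000003e syscall=92 success=no exit=-13 a0=5f2a10 a1=0 a2=0 a3=0 items=1 pid=2350 auid=500 uid=500 gid=500 euid=500 comm="chown" exe="/bin/chown" key="perm_mod"
type=SYSCALL msg=audit(1176912455.002:458): arch=c000003e syscall=90 success=yes exit=0 a0=5f2a10 a1=1ed a2=0 a3=0 items=1 pid=2360 auid=0 uid=0 gid=0 euid=0 comm="chmod" exe="/bin/chmod" key="perm_mod"
type=SYSCALL msg=audit(1176912470.910:459): arch=c000003e syscall=2 success=no exit=-13 a0=5f2a10 a1=0 a2=0 a3=0 items=1 pid=2370 auid=500 uid=500 gid=500 euid=500 comm="cat" exe="/bin/cat" key="file_access"
type=SYSCALL msg=audit(1176912499.311:460): arch=c000003e syscall=94 success=no exit=-1 a0=5f2a10 a1=0 a2=0 a3=0 items=1 pid=2380 auid=501 uid=501 gid=501 euid=501 comm="chown" exe="/bin/chown" key="perm_mod"
"""

# x86_64 syscall numbers for the file-attribute calls discussed in the
# thread (90-94) and the errno values the rules select on.
ATTR_SYSCALLS_X86_64 = {90: "chmod", 91: "fchmod", 92: "chown", 93: "fchown", 94: "lchown"}
FAILURE_ERRNOS = {-1: "EPERM", -13: "EACCES"}
X86_64_ARCH = "c000003e"

# Audit records are key=value pairs; values are double-quoted or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of field -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def _int_field(rec, name):
    """Integer value of a field, or None if absent or not numeric."""
    try:
        return int(rec[name])
    except (KeyError, ValueError):
        return None


def failed_attr_changes(log_text):
    """Return the SYSCALL records that are denied chmod/chown-family calls.

    Only x86_64 records are considered because syscall numbers differ per
    architecture; a mixed 32/64-bit host would need a second table.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("success") != "no":
            continue
        if rec.get("arch") != X86_64_ARCH:
            continue
        nr = _int_field(rec, "syscall")
        err = _int_field(rec, "exit")
        if nr not in ATTR_SYSCALLS_X86_64 or err not in FAILURE_ERRNOS:
            continue
        hits.append({
            "auid": rec.get("auid"),
            "uid": rec.get("uid"),
            "syscall": ATTR_SYSCALLS_X86_64[nr],
            "errno": FAILURE_ERRNOS[err],
            "comm": rec.get("comm"),
            "key": rec.get("key"),
        })
    return hits


def summarize_by_auid(hits):
    """Count denied attribute changes per login uid (auid), which survives
    su/sudo and therefore identifies the person behind the attempt."""
    return Counter((h["auid"], h["syscall"], h["errno"]) for h in hits)


if __name__ == "__main__":
    hits = failed_attr_changes(SAMPLE_LOG)
    for (auid, call, errno), n in sorted(summarize_by_auid(hits).items()):
        print(f"auid={auid} {call} -> {errno}: {n}")
```

On a live system the same selection can be done with ausearch (for example `ausearch -sc chmod -sv no`); the value of writing the filter out is that it makes explicit which fields the rule actually keys on: success, exit, syscall number and, critically, arch, since a rule written with bare syscall numbers matches different calls on i386 and x86_64.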
