Here is what I am finding: Copy NISPOM.rules to /etc/audit/audit.rules
Sample entries:

-a entry,always -S adjtimex -S settimeofday -k time-change
-w /etc/localtime -p wa -k time-change
-a exit,always -S sethostname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale

Using system-config-audit, I create a rule for the SYSCALL kill with a key of kill, "Save" the configuration, and get the described error. The audit.rules now is configured:

-e 1
-f 2
-b 8192
-r 0
-D
-a entry,always -k kill -S kill
-a entry,always -k time-change -S adjtimex -S settimeofday
-a exit,always -k system-locale -S sethostname
-a exit,always -F exit=-13 -k creation -S creat -S mkdir -S mknod -S link -S symlink
-a exit,always -F exit=-13 -k creation -S mkdirat -S mknodat -S linkat -S symlinkat
-a exit,always -F exit=-13 -k open -S open
-a exit,always -F exit=-13 -k open -S openat
-a exit,always -F exit=-13 -k close -S close
-a exit,always -F exit=-13 -k mods -S rename -S truncate -S ftruncate
-a exit,always -F exit=-13 -k mods -S renameat
-a exit,always -p a -F exit=-13 -k mods -S all
-a exit,always -p a -F exit=-1 -k mods -S all
-a exit,always -F exit=-13 -k delete -S rmdir -S unlink
-a exit,always -F exit=-13 -k delete -S unlinkat
-w /etc/localtime -p wa -k time-change -S all
-w /etc/issue -p wa -k system-locale -S all
-w /etc/issue.net -p wa -k system-locale -S all
-w /etc/hosts -p wa -k system-locale -S all
-w /etc/sysconfig/network -p wa -k system-locale -S all
-w /var/log/faillog -p wa -k logins -S all
-w /var/log/lastlog -p wa -k logins -S all
-w /var/log/messages -p wa -k logins -S all
-w /var/log/wtmp -p wa -k logins -S all
-w /var/log/authlog -p wa -k logins -S all
-w /var/log/tallylog -p wa -k logins -S all
-w /etc/group -p wa -k auth -S all
-w /etc/passwd -p wa -k auth -S all
-w /etc/gshadow -p wa -k auth -S all
-w /etc/shadow -p wa -k auth -S all
-w /etc/login.defs -p wa -k auth -S all
-w /etc/security/opasswd -p wa -k auth -S all
-w /var/log/audit/audit.log -k audit-logs -S all
-w /var/log/audit/audit.log.1 -k audit-logs -S all
-w /var/log/audit/audit.log.2 -k audit-logs -S all
-w /var/log/audit/audit.log.3 -k audit-logs -S all
-w /var/log/audit/audit.log.4 -k audit-logs -S all
-w /var/log/audit/audit.log.5 -k audit-logs -S all
-w /var/log/audit/audit.log.6 -k audit-logs -S all
-w /var/log/audit/audit.log.7 -k audit-logs -S all
-w /etc/audit/auditd.conf -k audit-conf -S all
-w /etc/audit/audit.rules -k audit-conf -S all

Would appear the system-config-audit GUI is rewriting the entire rule file, then complaining it's not configured correctly.

Art Henning (CSL)
Enterprise IT Solutions
Northrop Grumman Corp
[EMAIL PROTECTED]

-----Original Message-----
From: Steve Grubb [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 21, 2007 10:56 AM
To: [email protected]
Cc: Linda Knippers; Henning, Arthur C. (CSL)
Subject: Re: Audit rules keys

On Tuesday 21 August 2007 11:39:51 Linda Knippers wrote:
> > Using system-config-audit getting key (-k) configuration errors when
> > saving changes.
> >
> > [EMAIL PROTECTED] ~]# Stopping auditd: [ OK ]
> > Starting auditd: [ OK ]
> > key option needs a watch or syscall given prior to it
>
> This is telling you that the -k flag needs to be after a -S
> flag. I don't know why the order matters but apparently it does.

Correct. It matters because originally keys were only associated with watches. So, I needed the rule writer to declare that this is going to be a syscall or watch rule so that I can error check appropriately. Keys do not apply to rules like -b or -e, so I still want to see the rule type ahead of a key option so that errors are caught.

-Steve
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
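A small checker for the ordering rule Steve describes (a -k key is only valid after a -S or -w has declared the rule type), added here as an illustration; it is not code from the thread, from auditctl or from system-config-audit. The function names and the SAMPLE rules file are constructed from the GUI-rewritten lines quoted above; the fixer simply moves each "-k key" pair to the end of its rule, which is the layout NISPOM.rules itself uses.

```python
import shlex

# Options that make a line a syscall or watch rule; auditctl wants to have
# seen one of these before it accepts a -k key on the same line.
RULE_TYPE_OPTS = {"-S", "-w"}

def check_key_order(rule_line):
    """Return None if the rule is well-formed, else auditctl's error text."""
    seen_rule_type = False
    for tok in shlex.split(rule_line, comments=True):
        if tok in RULE_TYPE_OPTS:
            seen_rule_type = True
        elif tok == "-k" and not seen_rule_type:
            return "key option needs a watch or syscall given prior to it"
    return None

def fix_key_order(rule_line):
    """Move every '-k <key>' pair to the end of the rule so it follows the
    -S / -w options; a rule with a key but no -S / -w cannot be fixed."""
    toks = shlex.split(rule_line, comments=True)
    body, keys = [], []
    i = 0
    while i < len(toks):
        if toks[i] == "-k" and i + 1 < len(toks):
            keys += toks[i:i + 2]
            i += 2
        else:
            body.append(toks[i])
            i += 1
    if keys and not any(t in RULE_TYPE_OPTS for t in body):
        raise ValueError("key given on a rule with no -S or -w: " + rule_line)
    return " ".join(body + keys)

def check_rules(text):
    """Check a whole rules file; return a list of (lineno, rule, error)."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line and not line.startswith("#"):
            err = check_key_order(line)
            if err:
                problems.append((n, line, err))
    return problems

# Constructed sample: the first lines as system-config-audit rewrote them.
SAMPLE = """-e 1
-a entry,always -k kill -S kill
-a entry,always -k time-change -S adjtimex -S settimeofday
-w /etc/localtime -p wa -k time-change -S all
"""
```

Running check_rules on the real /etc/audit/audit.rules after a GUI save shows exactly which -a lines auditctl will reject before auditd is restarted.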
