Can these rules apply to RHEL4 or just RHEL5? I, too, have to create a NISPOM compliant network and have written scripts to do so. However, I am just exploring the audit.rules settings in RHEL and wanted to know if these changes are particular to a specific version of Red Hat.
Thanks! Starr -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Grubb Sent: Thursday, May 22, 2008 4:20 PM To: [email protected] Subject: Re: NISPOM Auditing On Thursday 22 May 2008 16:28:41 Mathis, Jim wrote: > I need to log file edit attempts when a user doesn't have permission to > edit a specific file. For example, a non-root user attempts to edit > "/var/log/audit/audit'log" which has a permission setting of 640. > Although the user won't be able to edit the file (permission denied) - > I'd still like to log the attempt. Here's a snippet of my audit.rules > file: Have you looked at the latest nispom.rules file in the audit package? I have a set of rules that should meet NISPOM requirements. If it doesn't I'd like to know what is wrong with it so we can fix it. This set of rules looks similar to it, but there are differences. The main difference is adding -F arch= to each syscall rule to make sure the numbers are correct. > ## unsuccessful creation > > -a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13 > -k creation > > -a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13 > -k creation -a exit,always -F arch=b32 -S creat -S mkdir -S mknod -S link -S symlink -F exit=-EACCES -k creation -a exit,always -F arch=b64 -S creat -S mkdir -S mknod -S link -S symlink -F exit=-EACCES -k creation -a exit,always -F arch=b32 -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-EACCES -k creation -a exit,always -F arch=b64 -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-EACCES -k creation > ## unsuccessful open > > -a exit,always -S open -F exit=-13 -k open -a exit,always -F arch=b32 -S open -F exit=-EACCES -k open -a exit,always -F arch=b64 -S open -F exit=-EACCES -k open -a exit,always -F arch=b32 -S open -F exit=-EPERM -k open -a exit,always -F arch=b64 -S open -F exit=-EPERM -k open > ## unsuccessful close > > -a exit,always -S close -F exit=-13 -k close > > ## unsuccessful modifications > > -a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods > > -a exit,always -S renameat -F exit=-13 -k mods > > ## unsuccessful deletion > > -a exit,always -S rmdir -S unlink -F exit=-13 -k delete > > -a exit,always -S unlinkat -F exit=-13 -k delete > > ## unauthorized change directory (cd) > > -a exit,always -S chdir -F path=/var/log/audit -k evil2-cd :) > ## Watch Files > > -w /var/log/audit/audit.log -p rwxa -k audit-log2 This rule only watches one file. There could be more. You might want a rule like: -w /var/log/audit -k audit-logs -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
