-----Original Message----- From: Steve Grubb [mailto:[email protected]] Sent: Friday, January 14, 2011 2:13 PM To: [email protected] Cc: Tangren, Bill Subject: Re: questions about auditing on a new RH 6 box
On Friday, January 14, 2011 01:10:09 pm Tangren, Bill wrote: > I think that some of this is capturing that I was using the tail command to > capture some of the logs to email to myself to post here. Obviously that > isn't typical, but hopefully there is some useful information here. Oh, > and my uid and gid are both 500. This is coming from: -a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -Fsuccess=0 -F auid=0 -F exit!=-11 Which says, audit mknod calls that are not successful and who's errno does not equal EAGAIN for anyone that logged in as root. -a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=-1 -F exit!=-11 Which says audit mknod calls that are not successful, its a system event meaning not coming from a user session, and the exit code is not EAGAIN. #Ensure that failed attempts at using the following system calls are audited -a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=1 -F exit!=-11 Which says audit mknod calls that are successful and the exit code is not EAGAIN. Are you sure this is what you intended? -Steve ****************** The comments above each line are excerpts from the regulations. It is the requirements in those comments that the audit rules are supposed to be implementing. Perhaps I need to study error codes and modify these rules. Do you have a suggestion on where I can learn the proper error commands? Bill -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
