On Friday, January 14, 2011 02:26:40 pm Tangren, Bill wrote: > #Ensure that failed attempts at using the following system calls are > audited > -a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F > success=1 -F exit!=-11 > > Which says audit mknod calls that are successful and the exit code is not > EAGAIN. > > Are you sure this is what you intended? > > ****************** > The comments above each line are excerpts from the regulations.
The last rule does not match the comment for starters. It would be something like this: -a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 But this is overlapping the other rules right above it. Let's look: #Ensure that the following system calls are audited for the current logged in #user and for root #Ensure that failed attempts at using the following system calls are audited So the first is all use for anyone logged in except the system. The second one is all failed use regardless of someone logged in or not, so that is just 2 rules (assuming you don't want EAGAIN): -a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F auid!=-1 -F exit!=-11 -k user-root-syscalls -a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F exit!=-11 -k failed-syscalls You may have other rules that do not match the requirements. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
