On Thu, Nov 20, 2014 at 10:52 AM, LC Bruzenak <[email protected]> wrote:
> On 11/20/2014 09:42 AM, leam hall wrote:
>> The RHEL 6 STIG says:
>>
>> auditctl -l | grep syscall | grep chmod
>>
>> Should return lines referring to chmod. Those lines are in my
>> audit.rules. Just doing an:
>>
>> auditctl -l | grep syscall
>>
>> Returns nothing. I've got no issues telling the STIG folks how to do
>> their work, but wanted to make sure I know what I'm talking about
>> first.
>>
>> Am I missing something if there's no "syscall" line(s) returned?
>>
>> Thanks!
>>
>> Leam
>>
>
> The auditctl command returns the rules loaded into the kernel.
> Looks to me as if you might not have a running auditd or else your rules
> were not all successfully loaded.
> This can happen if there was an error inside the ruleset and you didn't
> have the "-c" or "-i" flag set to continue loading the rules.
> Check your syslog for any errors on startup; also just auditctl -l and
> compare the loaded rules against your file.
>
> HTH,
> LCB
>
> --
> LC (Lenny) Bruzenak
> [email protected]
Hmm... I played with chmod; removed fchmodat. The audit daemon says it's running.

service auditd status
auditd (pid 609) is running...

Before the mod:

auditctl -l | grep chmod
-a always,exit -F arch=i386 -S chmod,fchmod,fchmodat -F key=perm_mod
-a always,exit -F arch=x86_64 -S chmod,fchmod,fchmodat -F key=perm_mod

After editing audit.rules and restarting auditd:

auditctl -l | grep chmod
-a always,exit -F arch=i386 -S chmod,fchmod -F key=perm_mod
-a always,exit -F arch=x86_64 -S chmod,fchmod,fchmodat -F key=perm_mod

Where's the best place to put debug flags?

Thanks!

Leam

--
Mind on a Mission

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
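An added example, not from the thread or from the audit project, that does the comparison LCB suggests in a repeatable way: it parses `auditctl -l` output in the "-a always,exit -F arch=... -S ..." form shown above and reports, per arch, which of chmod, fchmod and fchmodat no loaded rule covers. The sample rules are constructed from Leam's "after the mod" output (where fchmodat was dropped from the i386 rule only); the function names missing_syscalls and check_perm_mod are my own.

```shell
#!/bin/sh
# Added example: check that the chmod-family syscall rules the STIG expects
# are actually loaded into the kernel, by parsing `auditctl -l` output.

# Constructed sample, modelled on the "after the mod" output in the post,
# where fchmodat was removed from the i386 rule only.
SAMPLE_RULES='-a always,exit -F arch=i386 -S chmod,fchmod -F key=perm_mod
-a always,exit -F arch=x86_64 -S chmod,fchmod,fchmodat -F key=perm_mod'

# missing_syscalls ARCH SYSCALL...
# Reads auditctl -l output on stdin; prints each SYSCALL that no loaded
# rule for ARCH lists in its -S field (one per line; nothing if complete).
# Several rules for the same arch are merged before the comparison.
missing_syscalls() {
    arch=$1; shift
    loaded=$(grep -e "-F arch=$arch " | sed -n 's/.*-S \([^ ]*\).*/\1/p' | tr ',' '\n')
    for sc in "$@"; do
        printf '%s\n' "$loaded" | grep -qx -e "$sc" || printf '%s\n' "$sc"
    done
}

# check_perm_mod RULES
# Returns 0 when both arches cover chmod, fchmod and fchmodat, 1 otherwise,
# naming what is missing on stderr.
check_perm_mod() {
    status=0
    for arch in i386 x86_64; do
        missing=$(printf '%s\n' "$1" | missing_syscalls "$arch" chmod fchmod fchmodat)
        if [ -n "$missing" ]; then
            printf 'arch=%s missing: %s\n' "$arch" "$(printf '%s' "$missing" | tr '\n' ' ')" >&2
            status=1
        fi
    done
    return $status
}

# On a live host replace "$SAMPLE_RULES" with "$(auditctl -l)" (as root).
if check_perm_mod "$SAMPLE_RULES"; then
    echo "perm_mod rules complete"
else
    echo "perm_mod rules incomplete"
fi
```

Run as root against the real `auditctl -l` output, this gives a yes/no answer for what is loaded in the kernel rather than what is written in audit.rules, which is the distinction LCB draws; a rule present in the file but absent here points at a load error worth looking for in syslog.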
