What Is AUDITD_DISABLE_CONTEXTS?
by Wyllie, Aaron
Sorry if this is a novice question, but in trying to gather up as much information on auditd I came across the Suse SLED 10/11 audit guides.
They reference setting a line in /etc/sysconfig/auditd to "auditd_disable_contexts=0". That line doesn't exist in my default /etc/sysconfig/auditd file on RHEL5.
I saw a past mailing list thread from Dec. 11 2006 where Steve said it didn't exist...so I'm a little confused. Is this a SLED-thing only? Was it ever part of the default auditd? Is it safe to ignore this? If it can be ignored, what functionality superseded it or delivered the same results in the first place?
Thanks in advance.
Aaron
________________________________
The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.
14 years, 11 months
auditing activity where uid==0
by Rich Whitcroft
Hi,
Here's my current rule, which is working, but is producing a lot of
extra log that I'd like to suppress:
-a entry,always -S execve -F euid=0
I'm wondering if there's a way to limit this to only audit events that
happen from a real tty, e.g. a human user. I'm getting lots of
extraneous chatter from sshd, automount, and cron, all of which are from
tty=(none), but I'm not sure it's possible to filter on tty...
Thanks
14 years, 11 months
Audit Log not capturing access to security related files
by Starr-Renee Corbin
Hello,
I am required (by NISPOM) to audit access to security related files.
I am essentially using the nispom audit.rules provided by rhel5 to
accomplish this.
However, some of my systems are capturing access to /etc/shadow and
some of my systems are not (when looking in /var/log/audit/audit.log.
Worried that I might have differing audit.rules files between the
systems I have even copied the audit.rules file from systems that were
auditing right to systems that were not. But this has not resolved
the auditing problem.
HELP!
Thank you!
Starr
14 years, 11 months
check_second_connection stopping my recovery?
by LC Bruzenak
It appears to me as though the new connection code in auditd-listen.c
is stopping my recovery actions.
My aggregator is getting a constant stream of:
op=dup addr=192.168.10.10:43546 port=43546 res=no
I was going back through the events on disk, scooping them up and
sending them to the aggregation machine as Steve suggested a long
while back (using an ausearch then piping the results to
audisp-remote).
So it appears to me that this is now prohibited. Was this intentional?
Thx,
LCB.
--
LC (Lenny) Bruzenak
14 years, 11 months