I have reset the watch line to be
-w /etc/passwd -p rwxa
Then, as a normal user I execute cat > /etc/passwd
And get a permission denied
Then when I execute aureport -w --failed, the auid field shows up as -1
as it does for every watch list. Am I missing something?
Thanks,
David A. Kirkwood
SAIC
david.a.kirkwood(a)saic.com
kirkwoodd(a)saic.com
Phone: (727) 502-8310
Fax: (727) 822-7776
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Friday, January 12, 2007 11:39 AM
To: linux-audit(a)redhat.com
Cc: Kirkwood, David A.
Subject: Re: Audit config for NISPOM req's
On Friday 12 January 2007 11:09, Kirkwood, David A. wrote:
I'm using RHEL4U4 and do not have autail. Where'd it come from?
http://www.redhat.com/archives/linux-audit/2006-October/msg00035.html
Also, the doc I have does not mention the -rwxa option for watches.
That was a typo. It should have been -p rwxa. It should be in auditctl man page.
Separate question. With the watches I have enabled, I never am able to tie a user to an access violation. How do I do that?
It should be done automatically. The auid is the field that you would look at.
We've configured the pam settings for sshd, login, gdm, cron, vsftpd, remote to include the pam_loginuid.so module. This is needed for it to work. Unless you changed them, it should be set up at installation.
-Steve
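
A check for the two conditions discussed in this thread, added here as an example (not code from the thread or from the audit project): which of the PAM service files named above lack an active pam_loginuid.so session line, and how many audit records carry an unset auid. The function names, the default path and the demo data are assumptions, and PAM stacks pulled in by inclusion are not followed.

```shell
#!/bin/sh
# Added example; names, default paths and demo data are assumptions.

# PAM services listed in the reply above.
SERVICES="sshd login gdm cron vsftpd remote"

# Print each listed service whose file under $1 (default /etc/pam.d) has no
# active (uncommented) "session ... pam_loginuid.so" line.
# Limitation: modules pulled in through an included stack are not followed.
missing_loginuid() {
    pam_dir=${1:-/etc/pam.d}
    for svc in $SERVICES; do
        f="$pam_dir/$svc"
        [ -f "$f" ] || continue   # service not installed here
        if ! grep -Eq '^[[:space:]]*session[[:space:]].*pam_loginuid\.so' "$f"; then
            echo "$svc"
        fi
    done
}

# Count records in audit log $1 whose auid is unset. Raw logs record an unset
# loginuid as 4294967295, the unsigned form of the -1 that aureport shows.
count_unset_auid() {
    grep -Ec '(^|[[:space:]])auid=(4294967295|-1)([[:space:]]|$)' "$1" || true
}

# Constructed sample data (not from the thread): run with the argument "demo".
demo() {
    d=$(mktemp -d)
    printf 'session required pam_loginuid.so\n' > "$d/sshd"
    printf '#session required pam_loginuid.so\n' > "$d/cron"
    {
        printf 'type=SYSCALL msg=audit(1168620000.000:10): success=no auid=4294967295 uid=500\n'
        printf 'type=SYSCALL msg=audit(1168620060.000:11): success=no auid=500 uid=500\n'
    } > "$d/audit.log"
    echo "missing pam_loginuid: $(missing_loginuid "$d" | tr '\n' ' ')"
    echo "records with unset auid: $(count_unset_auid "$d/audit.log")"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

A service reported by `missing_loginuid` starts sessions without setting the login uid, so failed-access records from those sessions cannot be tied to a user through auid.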