On Wednesday 18 April 2007 16:41, Wieprecht, Karen M. wrote:
> 1. auditd complained about using the -k (keyword) flag on lines that were not file watch lines.
Yes, this was mentioned on IRC last week and fixed in my development copy. It will be in 1.5.3.
> This could be a newer feature not supported by our audit subsystem (we are running RHEL4 update 4 with audit-1.0.14 I believe). Can you verify if this is a general syntax problem or a your-audit-version-doesn't-support-this problem? Thanks.
1.5.2 does not work with RHEL4.
> 2. We had two additional lines in our audit.rules to capture failed chown, chgrp, and chmod:
> -a exit,always -S 90 -F exit=-1
> -a exit,always -S 92 -F exit=-1
I think you want 90-94 on x86_64. I guess they do return -EPERM. The way that we are doing this for 1.5.2 is using special syntax allowed by the newer kernels:
-a exit,always -F perm=a -F exit=-13
This tells the kernel to select any syscall that changes file attributes. We should probably add another line with -F exit=-1
> If these actions aren't already being captured by another NISPOM audit rule, you might consider adding them since failed attempts to chown, chgrp, chmod are indications of someone possibly trying to open up access to files they don't have rights to which would fall into the "failed file access attempts" category.
Yep, I'll add a line.
-Steve
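Added example, not part of the thread: a shell function that emits the failed-attribute-change rules discussed above in current auditctl syntax, covering both -EPERM (-1) and -EACCES (-13) and both ABIs by syscall name instead of the x86_64-only numbers 90-94. The key name perm_mod_fail and the syscall list are my assumptions, not something the thread specifies.

```shell
#!/bin/sh
# Emit audit rules for failed chmod/chown-family calls. Each rule carries a key
# so "ausearch -k perm_mod_fail" (or aureport -k) pulls the hits back out.
# Assumptions: syscall names as listed (add chown32/lchown32/fchown32 for a
# 32-bit glibc that uses the *32 variants); key defaults to perm_mod_fail.
gen_perm_fail_rules() {
    key=${1:-perm_mod_fail}
    syscalls='chmod,fchmod,fchmodat,chown,fchown,lchown,fchownat'
    # arch=b64 and arch=b32 are both needed: syscall numbers differ per ABI,
    # so a rule pinned to one arch silently misses the other.
    for arch in b64 b32; do
        # -1 is -EPERM (not the owner / lacks CAP_FOWNER or CAP_CHOWN),
        # -13 is -EACCES (path lookup denied); failed attempts return either.
        for err in -1 -13; do
            printf -- '-a always,exit -F arch=%s -S %s -F exit=%s -k %s\n' \
                "$arch" "$syscalls" "$err" "$key"
        done
    done
}

# Write the rules to a file suitable for "auditctl -R <file>" or for
# dropping under /etc/audit/rules.d/ (path is the caller's choice).
write_perm_fail_rules() {
    dest=$1
    gen_perm_fail_rules "${2:-perm_mod_fail}" > "$dest"
    # Return the number of rules written so callers can sanity-check it.
    wc -l < "$dest" | tr -d ' '
}

# Stand-alone use: print the rules to stdout.
if [ "${1:-}" = "--print" ]; then
    gen_perm_fail_rules
fi
```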