Re: questions about auditing on a new RH 6 box
On Friday, January 14, 2011 02:26:40 pm Tangren, Bill wrote:
#Ensure that failed attempts at using the following system calls are
audited
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F
success=1 -F exit!=-11
Which says audit mknod calls that are successful and the exit code is not
EAGAIN.
Are you sure this is what you intended?
******************
The comments above each line are excerpts from the regulations.
The last rule does not match the comment for starters. It would be something like
this:
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F
success=0
But this is overlapping the other rules right above it. Let's look:
#Ensure that the following system calls are audited for the current logged in
#user and for root
#Ensure that failed attempts at using the following system calls are audited
So the first is all use for anyone logged in except the system. The second one is all
failed use regardless of someone logged in or not, so that is just 2 rules (assuming
you don't want EAGAIN):
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F auid!=-1 -F
exit!=-11 -k user-root-syscalls
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F
exit!=-11 -k failed-syscalls
You may have other rules that do not match the requirements.
-Steve