I downloaded the 1.5.2 source code, opened the archive and looked at the
nispom.rules. Two things:
1. auditd complained about using the -k (keyword) flag on lines that
were not file watch lines.
This could be a newer feature not supported by our audit subsystem (we
are running RHEL4 update 4 with audit-1.0.14 I believe). Can you verify
if this is a general syntax problem or a
your-audit-version-doesn't-support-this problem? Thanks.
2. We had two additional lines in our audit.rules to capture failed
chown, chgrp, and chmod:
-a exit,always -S 90 -F exit=-1
-a exit,always -S 92 -F exit=-1
I think these capture a few other events that aren't necessarily chown,
chmod, or chgrp, so there may be a savvier way to write this so as to
exclude those extraneous items, but I haven't played with it. Let me
know if these are picked up elsewhere in the sample NISPOM rules. If
these actions aren't already being captured by another NISPOM audit
rule, you might consider adding them since failed attempts to chown,
chgrp, chmod are indications of someone possibly trying to open up
access to files they don't have rights to which would fall into the
"failed file access attempts" category.
Let me know what you think.
Thanks,
Karen Wieprecht
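Added example, not part of Karen's message or of the NISPOM sample rules: a small parser that runs over audit SYSCALL records and reports only the denied chmod/chown-family calls (the "failed file access attempts" category she describes), which is what the two `-S 90` / `-S 92 -F exit=-1` rules are trying to isolate. It assumes x86_64 syscall numbers (90=chmod, 91=fchmod, 92=chown, 93=fchown, 94=lchown; i386 numbering differs), treats EPERM (-1) and EACCES (-13) as the "denied" outcomes, and uses constructed log lines rather than output from any real system. The rule lines in the comment are illustrative; whether the symbolic `-S chmod` form is accepted depends on the auditctl version in use.

```python
"""Flag denied chmod/chown-family syscalls in audit SYSCALL records.

Example code, not from the original message. Sample records are constructed;
syscall numbers assume x86_64.
"""
import re

# x86_64 syscall numbers for the permission/ownership family (assumption:
# x86_64 host; i386 uses e.g. chmod=15, chown32=212, so adjust per arch).
SYSCALL_NAMES = {
    90: "chmod",
    91: "fchmod",
    92: "chown",
    93: "fchown",
    94: "lchown",
}

# errno values that mean "denied", as opposed to a bad path (ENOENT) etc.
DENIED_ERRNO = {-1: "EPERM", -13: "EACCES"}

# Illustrative rules (not run here) that would produce the records parsed
# below; symbolic syscall names depend on the auditctl version:
#   -a exit,always -S chmod -S fchmod -S chown -S fchown -S lchown -F exit=-1
#   -a exit,always -S chmod -S fchmod -S chown -S fchown -S lchown -F exit=-13

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return a dict of key=value fields from one audit log line."""
    return {key: value.strip('"') for key, value in _KV.findall(line)}


def classify(rec):
    """Describe a denied chmod/chown-family call, or return None."""
    if rec.get("type") != "SYSCALL" or rec.get("success") != "no":
        return None
    try:
        nr = int(rec.get("syscall", ""))
        exit_code = int(rec.get("exit", ""))
    except ValueError:
        return None
    name = SYSCALL_NAMES.get(nr)
    if name is None or exit_code not in DENIED_ERRNO:
        return None
    # chgrp ends up in chown()/lchown()/fchown() with uid=-1 (a1=ffffffff),
    # so mark those separately from genuine owner changes.
    if name in ("chown", "lchown", "fchown"):
        a1 = int(rec.get("a1", "0"), 16) & 0xFFFFFFFF
        if a1 == 0xFFFFFFFF:
            name += " (gid only, chgrp-style)"
    return {
        "syscall": name,
        "errno": DENIED_ERRNO[exit_code],
        "auid": rec.get("auid"),
        "uid": rec.get("uid"),
        "exe": rec.get("exe"),
        "comm": rec.get("comm"),
    }


def failed_perm_changes(lines):
    """Return a classification for every denied chmod/chown-family record."""
    hits = []
    for line in lines:
        hit = classify(parse_record(line))
        if hit:
            hits.append(hit)
    return hits


# Constructed sample records: a denied chmod, a denied chgrp-style lchown,
# a successful chmod, and an unrelated failed open (ENOENT).
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1172500000.101:2001): arch=c000003e syscall=90 success=no exit=-1 a0=5c3e20 a1=1ed a2=0 a3=0 items=1 ppid=3010 pid=3015 auid=500 uid=500 gid=500 euid=500 comm="chmod" exe="/bin/chmod"',
    'type=SYSCALL msg=audit(1172500000.102:2002): arch=c000003e syscall=94 success=no exit=-1 a0=5c3e20 a1=ffffffff a2=0 a3=0 items=1 ppid=3010 pid=3016 auid=500 uid=500 gid=500 euid=500 comm="chgrp" exe="/bin/chgrp"',
    'type=SYSCALL msg=audit(1172500000.103:2003): arch=c000003e syscall=90 success=yes exit=0 a0=5c3e20 a1=1a4 a2=0 a3=0 items=1 ppid=3010 pid=3017 auid=500 uid=500 gid=500 euid=500 comm="chmod" exe="/bin/chmod"',
    'type=SYSCALL msg=audit(1172500000.104:2004): arch=c000003e syscall=2 success=no exit=-2 a0=5c3e20 a1=0 a2=0 a3=0 items=1 ppid=3010 pid=3018 auid=500 uid=500 gid=500 euid=500 comm="cat" exe="/bin/cat"',
]

if __name__ == "__main__":
    for hit in failed_perm_changes(SAMPLE_LOG):
        print(hit)
```

Filtering on `success=no` plus a small errno whitelist is what keeps the report to denied attempts; a bare `-F exit=-1` rule also matches any other syscall that happens to fail with EPERM if more `-S` entries are added, so the post-filter on the syscall number is what narrows it back to the chmod/chown family.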