I'm using RHEL4U4 and do not have autail. Where'd it come from? Also,
the doc I have does not mention the -rwxa option for watches. Am I
missing some updates, or do I need to upgrade, or is the documentation
lagging?
Separate question. With the watches I have enabled, I never am able to
tie a user to an access violation. How do I do that?
Sorry if I am a little behind. I can only look at this group's mail
messages intermittently due to other responsibilities. I thought I was
near submitting a system for government approval, but now I am not so
sure.
Thanks,
David
-----Original Message-----
From: linux-audit-bounces@redhat.com
[mailto:linux-audit-bounces@redhat.com] On Behalf Of Wieprecht, Karen M.
Sent: Thursday, January 11, 2007 2:19 PM
To: Steve Grubb; Curtas, Anthony R.
Cc: linux-audit@redhat.com; Thomas, Daniel J.
Subject: RE: Audit config for NISPOM req's
The auditctl man page for audit-1.0.14-1EL4 says the following (which
appears to be incorrect):
To see unsuccessful open calls:
auditctl -a exit,always -S open -F success!=0
but an email you sent out a bit ago says this:
> If you wanted all unsuccessful opens, I'd rewrite as:
>
> -a exit,always -S open -F success!=1
This makes a lot more sense, and I assume that this is the correct
syntax. You might want to check to see if this has already been
corrected in the man pages for upcoming releases.
I was hoping that this setting by itself (-a exit,always -S open -F
success!=1) would show me any failed file opens on the whole machine,
so I don't understand why I don't get any audit events with this
configuration. I thought that maybe I also have to have a watch set on
a file, then tell auditd which events I want to collect with the "-a
exit,always -S open -F success!=1" setting, but that didn't do it
either. Here's what I was testing
/etc/audit.rules :
-D
-w /etc/nsswitch.conf -rwxa
-a exit,always -S open -F success!=1
Then
service auditd reload
service auditd rotate
autail -f /var/log/audit/audit.log
Then in another window, as a non-prived user
rm /etc/nsswitch.conf
cat /dev/null > /etc/nsswitch.conf
chown karen /etc/nsswitch.conf
chmod 777 /etc/nsswitch.conf
cat somefile >> /etc/nsswitch.conf
I get lots of permission denied messages at the command line, but
nothing in the audit log relating to karen messing around with
/etc/nsswitch.conf.
I must still be missing some basic understanding of how this all works.
Any helpful suggestions would be greatly appreciated.
Thanks,
Karen Wieprecht
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
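For David's question about tying a user to an access violation, here is an added example that is not part of either message above and is not the audit project's own tooling. A denied syscall shows up in audit.log as a SYSCALL record with success=no and a negative exit (EACCES is -13); the same event's PATH record carries the file name, and the two share the serial number inside msg=audit(secs:serial). The user is in the SYSCALL record: uid is the effective identity at the time, and auid is the login uid that is set at login and survives su. The shell/awk filter below joins the two record types on the serial and prints one line per failed call. The log lines it reads are constructed to resemble 1.x-era audit.log output on i386 (syscall 5 is open, 10 is unlink; rm removes a file with unlink(2), not open(2), so the sample includes one of each); they are not a real capture, and the user ids and inode numbers are invented.

```shell
#!/bin/sh
# Added example (not from the thread): report which login user (auid) was
# behind each failed syscall in a raw audit.log, with the path it touched.

# CONSTRUCTED sample records, written to look like RHEL4-era audit.log lines.
# Event 201: failed open(2) by auid 500; 202: failed unlink(2) by auid 500;
# 203: a successful open by root, which the filter must leave out.
SAMPLE_LOG='type=SYSCALL msg=audit(1168546000.101:201): arch=40000003 syscall=5 success=no exit=-13 a0=bfffe000 a1=8241 a2=1b6 a3=8241 items=1 pid=3001 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="bash" exe="/bin/bash"
type=CWD msg=audit(1168546000.101:201): cwd="/home/karen"
type=PATH msg=audit(1168546000.101:201): item=0 name="/etc/nsswitch.conf" inode=12345 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1168546000.102:202): arch=40000003 syscall=10 success=no exit=-13 a0=bfffe010 a1=0 a2=0 a3=0 items=1 pid=3002 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="rm" exe="/bin/rm"
type=CWD msg=audit(1168546000.102:202): cwd="/home/karen"
type=PATH msg=audit(1168546000.102:202): item=0 name="/etc/nsswitch.conf" inode=12345 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1168546000.103:203): arch=40000003 syscall=5 success=yes exit=3 a0=bfffe020 a1=8000 a2=0 a3=8000 items=1 pid=3003 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1168546000.103:203): cwd="/root"
type=PATH msg=audit(1168546000.103:203): item=0 name="/etc/passwd" inode=12346 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00'

# Reads raw audit records on stdin and prints, per failed syscall:
#   <auid> <uid> <syscall> <exit> <comm> <path>
failed_access_by_user() {
    awk '
    # Value of " key=..." in a record; quotes around the value are stripped.
    # The leading space keeps "uid=" from matching inside "auid=" or "euid=".
    function field(rec, key,    re, m) {
        re = " " key "=\"?[^\" ]*"
        if (match(rec, re)) {
            m = substr(rec, RSTART, RLENGTH)
            sub("^ " key "=\"?", "", m)
            return m
        }
        return ""
    }
    # Serial number after the colon in msg=audit(secs.ms:serial).
    function event_id(rec,    m) {
        if (match(rec, /audit\([0-9.]+:[0-9]+\)/)) {
            m = substr(rec, RSTART, RLENGTH)
            sub(/^audit\([0-9.]+:/, "", m)
            sub(/\)$/, "", m)
            return m
        }
        return ""
    }
    # Remember only SYSCALL records that failed, in the order seen.
    /^type=SYSCALL / && / success=no / {
        id = event_id($0)
        failed[id] = field($0, "auid") " " field($0, "uid") " " \
                     field($0, "syscall") " " field($0, "exit") " " \
                     field($0, "comm")
        order[++n] = id
    }
    # Attach the file name from the PATH record with the same serial.
    /^type=PATH / {
        id = event_id($0)
        if (id in failed) path[id] = field($0, "name")
    }
    END {
        for (i = 1; i <= n; i++) {
            id = order[i]
            print failed[id], (id in path ? path[id] : "-")
        }
    }'
}

# Demo on the constructed sample; on a real box you would run
#   failed_access_by_user < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_LOG" | failed_access_by_user
```

On the sample this prints two lines, both attributed to auid 500 against /etc/nsswitch.conf (syscall 5 from bash, syscall 10 from rm), and omits root's successful open of /etc/passwd. Reading auid rather than uid is what lets you name the person even after su to a shared account; rules that only match open(2) will never show the unlink(2) behind rm, which is why the sample carries both.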