On Thursday 09 June 2005 09:21, serue(a)us.ibm.com wrote:
How about #defines for arguments to audit_update_watch? 0 and 1, not meaningful.
I agree. This would help readability.
struct watch_transport: member "valid" is unused??
User space is displaying it. What happened to it?
Now looking at locking. I assume that you feel confident enough at
this point about the placement of the update_watch'es and that you
are catching all meaningful fs events?
What about changes of attributes? chmod, chown, chgrp, chattr, setfacl.
[root@endeavor ~]# /etc/rc.d/init.d/auditd start
Starting auditd: [ OK ]
[root@endeavor ~]# auditctl -w /var/log/audit/audit.log -k test -p rwea
No rules
AUDIT_WATCH_LIST: dev=3:7, path=/var/log/audit/audit.log, filterkey=test,
perms=rwea, valid=0
[root@endeavor ~]# ls -l /var/log/audit/audit.log
-rw-rw---- 1 root root 381 Jun 9 09:44 /var/log/audit/audit.log
[root@endeavor ~]# chmod 0644 /var/log/audit/audit.log
[root@endeavor ~]# /etc/rc.d/init.d/auditd stop
Stopping auditd: [ OK ]
[root@endeavor ~]# ausearch -i -m ALL
/var/log/audit/audit.log permissions should be 0660
[root@endeavor ~]# chmod 0660 /var/log/audit/audit.log
[root@endeavor ~]# ausearch -i -m ALL
----
type=DAEMON_START msg=audit(06/09/05 09:44:16.353:485) auditd start,
ver=0.9.3 format=raw auid=sgrubb auditd pid=3896
----
type=CONFIG_CHANGE msg=audit(06/09/05 09:44:16.557:5004034) : audit_enabled=1
old=1 by auid=sgrubb
----
type=CONFIG_CHANGE msg=audit(06/09/05 09:44:17.171:5004344) :
audit_backlog_limit=1024 old=1024 by auid=sgrubb
----
type=CONFIG_CHANGE msg=audit(06/09/05 09:44:24.423:5008663) : auid=sgrubb
----
type=DAEMON_END msg=audit(06/09/05 09:44:48.250:486) auditd normal halt,
sending pid=3903 auid=sgrubb auditd pid=3896
No audit records were generated when I made the file world readable. I suppose
you could hook the right syscalls, but that would provide way too much info.
The reason I ask is Table 1 of CAPP, FMT_MSA.3 says that we should be able
to audit all modifications to the initial value of security attributes &
modifications to permissive or restrictive rules. Maybe I misunderstand the
application of this requirement, but that seems like file permissions.
-Steve
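Steve's session above shows that the watch on audit.log produced no record for the chmod. As an added example, not from the thread or the audit project, here is a small Python parser for the ausearch -i record format shown in the session, with a check for SYSCALL records whose syscall changes file security attributes; the SYSCALL record, the key name perm_mod and the x86_64 arch value are constructed for illustration.

```python
import re

# Records copied from the ausearch -i session in the thread above.
SAMPLE = """\
----
type=DAEMON_START msg=audit(06/09/05 09:44:16.353:485) auditd start,
ver=0.9.3 format=raw auid=sgrubb auditd pid=3896
----
type=CONFIG_CHANGE msg=audit(06/09/05 09:44:16.557:5004034) : audit_enabled=1
old=1 by auid=sgrubb
----
type=DAEMON_END msg=audit(06/09/05 09:44:48.250:486) auditd normal halt,
sending pid=3903 auid=sgrubb auditd pid=3896
"""

# Constructed record, not from the thread: the shape ausearch -i prints for a
# chmod caught by a syscall rule (the key name perm_mod is an assumption).
CHMOD_RECORD = """\
----
type=SYSCALL msg=audit(06/09/05 09:45:02.100:490) : arch=x86_64 syscall=chmod
success=yes exit=0 auid=sgrubb uid=root key=perm_mod
"""

# Syscalls that change the attributes Steve lists (mode, owner, xattrs/ACLs).
ATTR_SYSCALLS = {"chmod", "fchmod", "fchmodat", "chown", "fchown", "lchown",
                 "fchownat", "setxattr", "lsetxattr", "fsetxattr"}

# type=<TYPE> msg=audit(<time>:<serial>) [:] <rest>; the serial follows the
# last colon inside the parentheses, so the time group is non-greedy.
HEADER_RE = re.compile(r"type=(\w+) msg=audit\((.+?):(\d+)\)\s*:?\s*(.*)", re.S)


def parse_records(text):
    """Split ausearch -i output on '----' lines; join wrapped lines, parse header and key=value fields."""
    records = []
    for chunk in re.split(r"^----\s*$", text, flags=re.M):
        body = " ".join(line.strip() for line in chunk.splitlines() if line.strip())
        m = HEADER_RE.match(body)
        if not m:
            continue  # empty chunk or a line that is not an audit record
        rtype, ts, serial, rest = m.groups()
        fields = dict(re.findall(r"(\w+)=(\S+)", rest))
        records.append({"type": rtype, "time": ts, "serial": int(serial), "fields": fields})
    return records


def attribute_change_records(records):
    """SYSCALL records whose syscall modifies file security attributes; empty after a chmod means the rules missed it."""
    return [r for r in records
            if r["type"] == "SYSCALL" and r["fields"].get("syscall") in ATTR_SYSCALLS]
```

Run over the thread's own records the check returns nothing, which is Steve's finding; appending the constructed SYSCALL record shows what a syscall-based rule would have to produce for the CAPP requirement to be met.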