The recent versions of the audit system ship with a stig.rules file that gives what I believe to be a correct rule set. What the official docs say to do is another thing. :) Take a look at that file and see how I do the unauthorized file access.
Excellent! I had simply changed to the following, in a minimalistic approach:
----------------------------------------------------
-w /etc/auditd.conf
-w /etc/audit.rules
-a exit,always -S open -F success=0
-a exit,always -S rmdir -S unlink -S chmod -S fchmod -S chown -S fchown -S lchown -F success!=0
-a exit,always -S settimeofday -S setrlimit -S setdomainname -S sched_setparam -S sched_setscheduler -S acct -S reboot -S swapon
-------------------------------------------------
Was grouping by failed, successful, and both. Did this due to reading that every audit rule is tested for every syscall, which...yeah, makes me want to group things.

That being said, stig.rules is extensive; any warning on what the performance impact will be?
Also, when looking for the newer builds on your site http://people.redhat.com/sgrubb/audit/ - I noticed "1.7 -> 1.8 Remote logging and finishing up IDS/IPS plugin." That would be wondrously fabulous, and I look forward to it. Any thoughts on whether it will be pulled into RHEL5, or whether I'd have to wait until RHEL6?
Brian
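As an added illustration of the grouping described in the message above (not part of the thread, and not code from the audit project), the following Python script parses the posted rule set, classifies each `-a` rule by its `success` filter, and counts how many rules sit on the exit list. Since the thread notes that every rule on a list is evaluated for every syscall, that count is a rough proxy for the per-syscall filtering cost a rule set adds. The parser handles only the `-w`, `-a`, `-S` and `-F` forms used in the posted rules; the `RULES` text is a constructed copy of them.

```python
from dataclasses import dataclass, field

# Constructed copy of the rule set posted in the message above.
RULES = """\
-w /etc/auditd.conf
-w /etc/audit.rules
-a exit,always -S open -F success=0
-a exit,always -S rmdir -S unlink -S chmod -S fchmod -S chown -S fchown -S lchown -F success!=0
-a exit,always -S settimeofday -S setrlimit -S setdomainname -S sched_setparam -S sched_setscheduler -S acct -S reboot -S swapon
"""


@dataclass
class AuditRule:
    kind: str                    # "watch" (-w) or "syscall" (-a)
    target: str = ""             # watched path for -w rules
    list_name: str = ""          # exit, entry, task, user or exclude
    action: str = ""             # always or never
    syscalls: list = field(default_factory=list)
    filters: list = field(default_factory=list)


def parse_rules(text: str) -> list:
    """Parse the subset of audit.rules syntax used above (-w, -a, -S, -F)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if tokens[0] == "-w":
            rules.append(AuditRule(kind="watch", target=tokens[1]))
            continue
        if tokens[0] != "-a":
            raise ValueError(f"unsupported rule: {line}")
        # auditctl accepts both "list,action" and "action,list" orderings.
        first, second = tokens[1].split(",")
        if first in ("always", "never"):
            action, list_name = first, second
        else:
            list_name, action = first, second
        rule = AuditRule(kind="syscall", list_name=list_name, action=action)
        for flag, value in zip(tokens[2::2], tokens[3::2]):
            if flag == "-S":
                rule.syscalls.append(value)
            elif flag == "-F":
                rule.filters.append(value)
            else:
                raise ValueError(f"unsupported option {flag} in: {line}")
        rules.append(rule)
    return rules


def group_by_success(rules: list) -> dict:
    """Bucket syscall rules by their success filter: failed, successful or both."""
    groups = {"failed": [], "successful": [], "both": []}
    for rule in rules:
        if rule.kind != "syscall":
            continue
        key = "both"  # no success filter: matches regardless of outcome
        for flt in rule.filters:
            if flt == "success=0":
                key = "failed"
            elif flt in ("success!=0", "success=1"):
                key = "successful"
        groups[key].append(rule)
    return groups


def exit_list_rule_count(rules: list) -> int:
    """Number of rules on the exit list, i.e. rules checked on every syscall exit."""
    return sum(1 for r in rules if r.kind == "syscall" and r.list_name == "exit")


if __name__ == "__main__":
    parsed = parse_rules(RULES)
    for name, group in group_by_success(parsed).items():
        calls = sorted(s for r in group for s in r.syscalls)
        print(f"{name:10s} {len(group)} rule(s): {' '.join(calls)}")
    print("rules on exit list:", exit_list_rule_count(parsed))
```

The three `-a` lines land in three different buckets (`open` on failure only, the file-modification group on success only, the privileged-operation group on both), which is exactly the grouping the message describes; the same functions can be pointed at a larger file such as stig.rules to compare how many exit-list rules it adds.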