Here is what I am finding:
Copy NISPOM.rules to /etc/audit/audit.rules
Sample entries:
-a entry,always -S adjtimex -S settimeofday -k time-change
-w /etc/localtime -p wa -k time-change
-a exit,always -S sethostname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
Using system-config-audit, I create a rule for the SYSCALL kill with a key of kill
"Save" the configuration.
Get the described error.
The audit.rules now is configured:
-e 1
-f 2
-b 8192
-r 0
-D
-a entry,always -k kill -S kill
-a entry,always -k time-change -S adjtimex -S settimeofday
-a exit,always -k system-locale -S sethostname
-a exit,always -F exit=-13 -k creation -S creat -S mkdir -S mknod -S link -S symlink
-a exit,always -F exit=-13 -k creation -S mkdirat -S mknodat -S linkat -S symlinkat
-a exit,always -F exit=-13 -k open -S open
-a exit,always -F exit=-13 -k open -S openat
-a exit,always -F exit=-13 -k close -S close
-a exit,always -F exit=-13 -k mods -S rename -S truncate -S ftruncate
-a exit,always -F exit=-13 -k mods -S renameat
-a exit,always -p a -F exit=-13 -k mods -S all
-a exit,always -p a -F exit=-1 -k mods -S all
-a exit,always -F exit=-13 -k delete -S rmdir -S unlink
-a exit,always -F exit=-13 -k delete -S unlinkat
-w /etc/localtime -p wa -k time-change -S all
-w /etc/issue -p wa -k system-locale -S all
-w /etc/issue.net -p wa -k system-locale -S all
-w /etc/hosts -p wa -k system-locale -S all
-w /etc/sysconfig/network -p wa -k system-locale -S all
-w /var/log/faillog -p wa -k logins -S all
-w /var/log/lastlog -p wa -k logins -S all
-w /var/log/messages -p wa -k logins -S all
-w /var/log/wtmp -p wa -k logins -S all
-w /var/log/authlog -p wa -k logins -S all
-w /var/log/tallylog -p wa -k logins -S all
-w /etc/group -p wa -k auth -S all
-w /etc/passwd -p wa -k auth -S all
-w /etc/gshadow -p wa -k auth -S all
-w /etc/shadow -p wa -k auth -S all
-w /etc/login.defs -p wa -k auth -S all
-w /etc/security/opasswd -p wa -k auth -S all
-w /var/log/audit/audit.log -k audit-logs -S all
-w /var/log/audit/audit.log.1 -k audit-logs -S all
-w /var/log/audit/audit.log.2 -k audit-logs -S all
-w /var/log/audit/audit.log.3 -k audit-logs -S all
-w /var/log/audit/audit.log.4 -k audit-logs -S all
-w /var/log/audit/audit.log.5 -k audit-logs -S all
-w /var/log/audit/audit.log.6 -k audit-logs -S all
-w /var/log/audit/audit.log.7 -k audit-logs -S all
-w /etc/audit/auditd.conf -k audit-conf -S all
-w /etc/audit/audit.rules -k audit-conf -S all
It would appear the system-config-audit GUI is rewriting the entire rule file and then complaining that it's not configured correctly.
Art Henning (CSL)
Enterprise IT Solutions
Northrop Grumman Corp
art.henning@ngc.com
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Tuesday, August 21, 2007 10:56 AM
To: linux-audit@redhat.com
Cc: Linda Knippers; Henning, Arthur C. (CSL)
Subject: Re: Audit rules keys
On Tuesday 21 August 2007 11:39:51 Linda Knippers wrote:
> > Using system-config-audit getting key (-k) configuration errors when
> > saving changes.
> >
> > [root@localhost ~]# Stopping auditd: [ OK ]
> > Starting auditd: [ OK ]
> > key option needs a watch or syscall given prior to it
>
> This is telling you that the -k flag needs to be after a -S
> flag. I don't know why the order matters but apparently it does.
Correct. It matters because originally keys were only associated with watches.
So, I needed the rule writer to declare that this is going to be a syscall or
watch rule so that I can error check appropriately.
Keys do not apply to rules like, -b or -e, so I still want to see the rule
type ahead of a key option so that errors are caught.
-Steve
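Added example, not part of the thread and not code from auditctl or system-config-audit: a shell check that reproduces the ordering rule Steve describes (a -k key is only accepted after a -S syscall or -w watch on the same line, and never on -b/-e/-f/-r/-D lines) and a helper that moves a misplaced -k to the end of the rule, which is the layout the hand-written NISPOM.rules sample uses. The function names check_rule, fix_rule and check_rules, and the small rule set written to a temp file, are constructed for illustration.

```shell
#!/bin/sh
# Added example: mimic auditctl's "key option needs a watch or syscall given
# prior to it" check for audit.rules lines, and rewrite offending lines.

# check_rule RULE -> prints "ok", "key-before-syscall-or-watch" or "key-on-non-rule"
check_rule() {
    seen_target=0
    # shellcheck disable=SC2086  (word-splitting the rule line is intended)
    set -- $1
    case "$1" in
        -b|-e|-f|-r|-D)
            # Daemon/buffer settings take no key at all.
            for tok in "$@"; do
                [ "$tok" = "-k" ] && { echo "key-on-non-rule"; return 0; }
            done
            echo "ok"; return 0 ;;
    esac
    for tok in "$@"; do
        case "$tok" in
            -S|-w) seen_target=1 ;;
            -k) if [ "$seen_target" -eq 0 ]; then
                    echo "key-before-syscall-or-watch"; return 0
                fi ;;
        esac
    done
    echo "ok"
}

# fix_rule RULE -> prints the rule with "-k KEY" moved after every -S/-w
fix_rule() {
    out="" key="" expect_key=0
    # shellcheck disable=SC2086
    set -- $1
    for tok in "$@"; do
        if [ "$expect_key" -eq 1 ]; then key=$tok; expect_key=0; continue; fi
        case "$tok" in
            -k) expect_key=1 ;;
            *)  out="$out${out:+ }$tok" ;;
        esac
    done
    [ -n "$key" ] && out="$out -k $key"
    echo "$out"
}

# check_rules FILE -> prints "<lineno>: <problem>" per offending line;
# returns 0 only if the file is clean (blank and '#' lines are skipped)
check_rules() {
    n=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        r=$(check_rule "$line")
        [ "$r" = "ok" ] || { echo "$n: $r"; bad=$((bad + 1)); }
    done < "$1"
    [ "$bad" -eq 0 ]
}

# Constructed rule set: the GUI-style line with -k ahead of -S, plus the
# hand-written layout from NISPOM.rules, which auditctl accepts.
demo_rules=$(mktemp)
trap 'rm -f "$demo_rules"' EXIT
cat > "$demo_rules" <<'EOF'
-D
-b 8192
-a entry,always -k kill -S kill
-a entry,always -S adjtimex -S settimeofday -k time-change
-w /etc/localtime -p wa -k time-change
EOF

if check_rules "$demo_rules"; then
    echo "rule file is clean"
else
    echo "rewritten rules:"
    while IFS= read -r line; do
        [ "$(check_rule "$line")" = "ok" ] && echo "$line" || fix_rule "$line"
    done < "$demo_rules"
fi
```

Running it reports line 3 as "key-before-syscall-or-watch" and prints that rule as `-a entry,always -S kill -k kill`; the -D and -b lines pass because no key is present on them. The same walk, pointed at /etc/audit/audit.rules, is a quick way to see which lines a GUI rewrite has broken before restarting auditd.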