-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Friday, January 14, 2011 2:13 PM
To: linux-audit(a)redhat.com
Cc: Tangren, Bill
Subject: Re: questions about auditing on a new RH 6 box
On Friday, January 14, 2011 01:10:09 pm Tangren, Bill wrote:
I think that some of this is capturing that I was using the tail command to capture some of the logs to email to myself to post here. Obviously that isn't typical, but hopefully there is some useful information here. Oh, and my uid and gid are both 500.
This is coming from:
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=0 -F exit!=-11
Which says, audit mknod calls that are not successful and whose errno does not equal EAGAIN for anyone that logged in as root.
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=-1 -F exit!=-11
Which says audit mknod calls that are not successful, it's a system event meaning not coming from a user session, and the exit code is not EAGAIN.
#Ensure that failed attempts at using the following system calls are audited
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=1 -F exit!=-11
Which says audit mknod calls that are successful and the exit code is not EAGAIN.
Are you sure this is what you intended?
-Steve
******************
The comments above each line are excerpts from the regulations. It is the requirements in those comments that the audit rules are supposed to be implementing.
Perhaps I need to study error codes and modify these rules. Do you have a suggestion on where I can learn the proper error commands?
Bill
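The reading Steve gives of the three rules above (success=0/1, auid=0 versus auid=-1, exit!=-11 meaning "errno is not EAGAIN") can be mechanised, and doing so also answers Bill's question about where the error numbers come from: Python's errno module carries the Linux errno table. The script below is an added example written for this thread; it is not code from either poster and not part of the audit package. It assumes Linux errno numbering (errno.EAGAIN == 11) and the auditctl -a/-S/-F syntax used in the thread; the three sample rules are the ones quoted above, unwrapped onto one line each. It parses each rule, restates it in plain words, and flags the filter combinations that do not implement the regulation comment "failed attempts ... are audited": a rule with -F success=1 under that requirement, an exit!=-errno filter that can never exclude anything once success=1 is set (a call the kernel marks successful returned no errno), and an exit!=-EAGAIN filter that quietly leaves EAGAIN failures unaudited.

```python
"""Parse auditctl syscall rules, restate them in plain words, and flag
filters that do not implement a "failed attempts are audited" requirement.
Added example for this thread; not the posters' code and not part of audit.
Assumes Linux errno numbers (errno.EAGAIN == 11, so exit!=-11 means
"errno is not EAGAIN") and the auditctl -a/-S/-F syntax the thread uses."""
import errno
import shlex

# Constructed sample input: the three rules from the thread, unwrapped onto one
# line each, all meant to implement "failed attempts ... are audited".
RULES = [
    "-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname"
    " -F success=0 -F auid=0 -F exit!=-11",
    "-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname"
    " -F success=0 -F auid=-1 -F exit!=-11",
    "-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname"
    " -F success=1 -F exit!=-11",
]

# auditctl comparison operators; two-character ones are tried first so that
# "exit!=-11" is split at "!=" and not at "=".
OPS = ("!=", "<=", ">=", "&=", "=", "<", ">", "&")


def parse_rule(line):
    """Split one auditctl rule into its -a action, -S syscalls and -F filters."""
    toks = shlex.split(line)
    rule = {"action": None, "syscalls": [], "filters": []}
    # Every option used here (-a, -S, -F) takes exactly one argument.
    for flag, arg in zip(toks[0::2], toks[1::2]):
        if flag == "-a":
            rule["action"] = arg
        elif flag == "-S":
            rule["syscalls"].append(arg)
        elif flag == "-F":
            for op in OPS:
                if op in arg:
                    field, value = arg.split(op, 1)
                    rule["filters"].append((field, op, value))
                    break
    return rule


def errno_name(value):
    """Render an audit 'exit' value: a negative number is -errno (-11 -> -EAGAIN)."""
    n = int(value)
    if n < 0 and -n in errno.errorcode:
        return "-" + errno.errorcode[-n]
    return value


def describe(rule):
    """Plain-language reading of a rule, in the style of Steve's reply."""
    parts = []
    for field, op, value in rule["filters"]:
        if field == "arch":
            parts.append("arch " + value)
        elif field == "success":
            parts.append("successful calls" if value == "1" else "failed calls")
        elif field == "auid":
            # auditctl stores -1 as 4294967295, the "unset" loginuid: no login session.
            if value in ("-1", "4294967295"):
                parts.append("not from a login session")
            elif value == "0" and op == "=":
                parts.append("from sessions logged in as root")
            else:
                parts.append("auid %s %s" % (op, value))
        elif field == "exit":
            parts.append("exit %s %s" % (op, errno_name(value)))
        else:
            parts.append("%s %s %s" % (field, op, value))
    return "%s: %s" % (", ".join(rule["syscalls"]), "; ".join(parts))


def lint(rule, requirement="failed"):
    """Warnings where the filters do not match a 'failed attempts are audited' requirement."""
    warnings = []
    f = {(field, op): value for field, op, value in rule["filters"]}
    success = f.get(("success", "="))
    exit_ne = f.get(("exit", "!="))
    if requirement == "failed" and success == "1":
        warnings.append("requirement is failed attempts, but -F success=1 selects successful calls")
    if success == "1" and exit_ne is not None and int(exit_ne) < 0:
        # A call the kernel marks successful did not return an errno, so this
        # filter can never exclude anything.
        warnings.append("-F exit!=%s is redundant with -F success=1" % exit_ne)
    if success == "0" and exit_ne is not None and int(exit_ne) < 0:
        warnings.append("failures returning %s are left unaudited; check the requirement allows that"
                        % errno_name(exit_ne)[1:])
    return warnings


if __name__ == "__main__":
    for line in RULES:
        rule = parse_rule(line)
        print(describe(rule))
        for w in lint(rule):
            print("  warning:", w)
```

Run it as a script to see the three readings and their warnings; the third rule draws two (it audits successes under a "failed attempts" requirement, and its exit!=-11 filter is then dead weight), while the first two draw one each, noting that EAGAIN failures are excluded from an otherwise "all failures" rule.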