On Friday, January 14, 2011 01:10:09 pm Tangren, Bill wrote:
> I think that some of this is capturing that I was using the tail command to
> capture some of the logs to email to myself to post here. Obviously that
> isn't typical, but hopefully there is some useful information here. Oh,
> and my uid and gid are both 500.
This is coming from:
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=0 -F exit!=-11
Which says, audit mknod calls that are not successful and whose errno does not equal
EAGAIN, for anyone that logged in as root.
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=-1 -F exit!=-11
Which says, audit mknod calls that are not successful, it's a system event (meaning not
coming from a user session), and the exit code is not EAGAIN.
#Ensure that failed attempts at using the following system calls are audited
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=1 -F exit!=-11
Which says audit mknod calls that are successful and the exit code is not EAGAIN.
Are you sure this is what you intended?
-Steve
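To make the filter semantics Steve walks through concrete, here is an added example (not code from this thread, from the poster's rules file, or from the audit package): a small evaluator that parses the three quoted rules and applies their -S and -F fields to a handful of constructed syscall events, so you can see which events each rule would record. The event dict layout, the rule labels and the sample events are assumptions made for this illustration; auditctl itself matches in the kernel, not with this code.

```python
"""Model how the -S and -F fields of the quoted auditctl rules combine.

Added example, not code from the mailing-list thread or from audit.
Event fields, rule labels and sample events are assumptions for the
illustration.
"""
import operator
import re

EAGAIN = 11
AUID_UNSET = -1   # auditctl spells "no login session" as auid=-1 (also 4294967295 / unset)

# The three rules quoted in the thread (labels are ours).
RULES = {
    "root_failed": ("-a exit,always -F arch=b64 -S mknod -S acct -S swapon "
                    "-S sethostname -F success=0 -F auid=0 -F exit!=-11"),
    "system_failed": ("-a exit,always -F arch=b64 -S mknod -S acct -S swapon "
                      "-S sethostname -F success=0 -F auid=-1 -F exit!=-11"),
    # Preceded in the rules file by "#Ensure that failed attempts ... are audited"
    "any_successful": ("-a exit,always -F arch=b64 -S mknod -S acct -S swapon "
                       "-S sethostname -F success=1 -F exit!=-11"),
}

OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt,
       "<=": operator.le, ">=": operator.ge}
FILTER_RE = re.compile(r"^([a-z_]+)(!=|<=|>=|=|<|>)(-?\w+)$")


def parse_rule(rule):
    """Split a rule line into its -S syscall list and its -F (field, op, value) filters."""
    tokens = rule.split()
    syscalls, filters = [], []
    for flag, arg in zip(tokens, tokens[1:]):
        if flag == "-S":
            syscalls.append(arg)
        elif flag == "-F":
            m = FILTER_RE.match(arg)
            if not m:
                raise ValueError(f"unparsable filter: {arg}")
            filters.append(m.groups())
    return {"syscalls": syscalls, "filters": filters}


def _coerce(field, value):
    # arch is compared as a string; every other field in these rules is numeric
    return value if field == "arch" else int(value)


def matches(rule, event):
    """True if the event would be recorded by this rule:
    the -S entries are OR'd together, and every -F filter must hold."""
    parsed = parse_rule(rule)
    if event["syscall"] not in parsed["syscalls"]:
        return False
    for field, op, value in parsed["filters"]:
        actual = event[field]
        if field == "success":
            actual = int(actual)   # success=0 / success=1 against a boolean outcome
        if not OPS[op](actual, _coerce(field, value)):
            return False
    return True


def matching_rules(event):
    """Names of all rules that would record this event."""
    return [name for name, rule in RULES.items() if matches(rule, event)]


def event(auid, success, exit_code, syscall="mknod"):
    """Build a minimal b64 syscall event (assumed field layout)."""
    return {"arch": "b64", "syscall": syscall, "auid": auid,
            "success": success, "exit": exit_code}


# Constructed sample events, not taken from the poster's logs.
SAMPLES = {
    "root mknod fails EPERM":    event(0, False, -1),
    "root mknod fails EAGAIN":   event(0, False, -EAGAIN),
    "daemon mknod fails EPERM":  event(AUID_UNSET, False, -1),
    "uid 500 mknod succeeds":    event(500, True, 0),
    "uid 500 mknod fails EPERM": event(500, False, -1),
}

if __name__ == "__main__":
    for label, ev in SAMPLES.items():
        print(f"{label:26s} -> {matching_rules(ev) or 'not audited'}")
```

Running it shows the point of Steve's question: the third rule, despite its "failed attempts" comment, only records successful calls (success=1), and a failed mknod by a login uid such as 500 matches none of the three rules, because the two success=0 rules are pinned to auid=0 and auid=-1.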