On Thursday 11 January 2007 14:18, Wieprecht, Karen M. wrote:
> This makes a lot more sense, and I assume that this is the correct
> syntax.

And it's easy to determine empirically. :)

> You might want to check to see if this has already been
> corrected in the man pages for upcoming releases.

hmm...I'll check, thanks.

> I was hoping that this setting by itself (-a exit,always -S open -F
> success!=1) would show me any failed file opens on the whole machine,

It does for me.

> so I don't understand why I don't get any audit events with this
> configuration.

What arch are you on?

> /etc/audit.rules :
> -D
> -w /etc/nsswitch.conf -rwxa
> -a exit,always -S open -F success!=1

You do not need both. The last rule by itself should do it.

> service auditd reload
> service auditd rotate
> autail -f /var/log/audit/audit.log

I don't use autail. I run ausearch to check results.

> Then in another window, as a non-prived user
> rm /etc/nsswitch.conf
> cat /dev/null > /etc/nsswitch.conf
> chown karen /etc/nsswitch.conf
> chmod 777 /etc/nsswitch.conf
> cat somefile >> /etc/nsswitch.conf
> I get lots of permission denied messages at the command line, but
> nothing in the audit log relating to karen messing around with
> /etc/nsswitch.conf.

Are you using ausearch or autail?
-Steve
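As an added illustration of the checking Steve describes (not code from the thread or from the audit project): a small parser that groups audit.log records by event serial and reports failed opens of a given file, decoding the arch field so you can see which syscall table the rule would have to match. The log excerpt embedded below is constructed, as are the uid and inode values.

```python
import errno
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log (not from the thread): a failed
# open() of /etc/nsswitch.conf by uid 500 and an unrelated successful open().
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1168547000.123:4567): arch=c000003e syscall=2 success=no exit=-13 items=1 auid=500 uid=500 comm="cat" exe="/bin/cat" key=(null)
type=CWD msg=audit(1168547000.123:4567):  cwd="/home/karen"
type=PATH msg=audit(1168547000.123:4567): item=0 name="/etc/nsswitch.conf" inode=12345 dev=08:01 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1168547001.456:4568): arch=c000003e syscall=2 success=yes exit=3 items=1 auid=500 uid=500 comm="cat" exe="/bin/cat" key=(null)
type=PATH msg=audit(1168547001.456:4568): item=0 name="/home/karen/somefile" inode=777 dev=08:01 mode=0100644 ouid=500 ogid=500
"""

# Kernel audit arch identifiers. The open() syscall number differs per arch,
# so an "-S open" rule only fires for binaries of the arch it was compiled for.
ARCH_NAMES = {"c000003e": "x86_64", "40000003": "i386"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")


def parse_fields(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def group_events(log_text):
    """Collect records by event serial: every line sharing msg=audit(ts:serial)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if m:
            events[int(m.group(2))].append(parse_fields(line))
    return events


def failed_opens(log_text, target):
    """Failed syscalls whose PATH records name `target` (roughly what
    `ausearch -f target` shows), with arch and errno decoded for reading."""
    hits = []
    for serial, records in sorted(group_events(log_text).items()):
        sc = next((r for r in records if r["type"] == "SYSCALL"), None)
        if not sc or sc.get("success") != "no":
            continue
        if not any(r["type"] == "PATH" and r.get("name") == target for r in records):
            continue
        err = errno.errorcode.get(-int(sc["exit"]), sc["exit"])
        hits.append({"serial": serial, "arch": ARCH_NAMES.get(sc["arch"], sc["arch"]),
                     "syscall": int(sc["syscall"]), "errno": err,
                     "auid": sc["auid"], "comm": sc["comm"]})
    return hits
```

Run `failed_opens(SAMPLE_LOG, "/etc/nsswitch.conf")` against a real log by reading the file instead of the constructed string; an empty result for a file you just failed to write to points at the rule not matching (arch, or no syscall rule loaded) rather than at the log reader.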