All,
I'm on an RHEL4u3 with Steve's preliminary 1.0.15 package (I built the RPM) under x86_64 2.6.9-34-ELsmp. I'm using the CAPP.rules sample fileset to great success. NISPOM 8-602 requires that CLOSE operations on security-relevant objects be logged. Well, I've got logging for OPEN on security-relevant objects (with the watches) working VERY well (yeah!!!). The default CAPP.rules file had nothing about close(2), so just to test it, I ran:

    auditctl -a entry,possible -S close

and then as a normal user typed: cat /etc/group (which is a security-relevant object that I have permission to open, and thus eventually close).

However, when I review the audit files, nothing is logged. If I change the "entry,possible" to "entry,always" then lots of stuff gets logged, but not my actual opening of the /etc/group file.

There is only one other thing that could be a configuration issue: "auditctl -l | grep /etc/group" reveals an additional "perm=wa" field that is set by the -p option in CAPP.rules, but even if root writes to one of the watched files, close(2) is still not logged.

Do I have a configuration problem or is something deeper going on?
Thanks,
Charlie Todd
Ball Aerospace & Technologies Corp.
ctodd- at -ball.com
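An added example, not part of Charlie's post or of the audit package he describes, that illustrates why a close(2) on a watched file is hard to see in the audit log: a SYSCALL record for close carries no PATH record, only the file descriptor in a0, so the close has to be tied back to the earlier open(2) of the object by (pid, fd). The script below does that correlation over constructed sample records (x86_64 syscall numbers open=2, close=3; the event serials, pids and inode values are made up) and reports both the closes it could match to /etc/group and any audited opens of that object for which no close record is present, which is the check a reviewer of NISPOM-style logs would want to run.

```python
import re
from collections import defaultdict

# Constructed sample records in Linux audit log format (not taken from the
# original post). For open(2) the kernel emits SYSCALL + CWD + PATH records
# sharing one serial; for close(2) only a SYSCALL record (items=0) is emitted,
# so the object is identifiable only through the fd in a0.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1150000000.101:501): arch=c000003e syscall=2 success=yes exit=3 a0=7fff1234 a1=0 a2=1b6 a3=0 items=1 pid=4242 auid=500 uid=500 gid=500 comm="cat" exe="/bin/cat" key="capp-group"
type=CWD msg=audit(1150000000.101:501): cwd="/home/charlie"
type=PATH msg=audit(1150000000.101:501): item=0 name="/etc/group" inode=16777 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1150000000.102:502): arch=c000003e syscall=3 success=yes exit=0 a0=3 a1=0 a2=0 a3=0 items=0 pid=4242 auid=500 uid=500 gid=500 comm="cat" exe="/bin/cat" key=(null)
type=SYSCALL msg=audit(1150000000.200:503): arch=c000003e syscall=2 success=yes exit=4 a0=7fff5678 a1=0 a2=1b6 a3=0 items=1 pid=4300 auid=500 uid=500 gid=500 comm="less" exe="/usr/bin/less" key="capp-group"
type=PATH msg=audit(1150000000.200:503): item=0 name="/etc/group" inode=16777 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1150000000.201:504): arch=c000003e syscall=3 success=yes exit=0 a0=3 a1=0 a2=0 a3=0 items=0 pid=4300 auid=500 uid=500 gid=500 comm="less" exe="/usr/bin/less" key=(null)
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SYS_OPEN, SYS_CLOSE = 2, 3  # x86_64 syscall numbers (arch=c000003e)


def parse_events(text):
    """Group raw audit records by event serial: {serial: [(type, fields), ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        events[int(serial)].append((rtype, fields))
    return events


def correlate_closes(text, target):
    """Tie close(2) records back to audited open(2) calls on `target`.

    Returns (closed, unclosed): closes matched to an earlier open of `target`
    by (pid, fd), and opens of `target` with no matching close in the log.
    """
    events = parse_events(text)
    open_fds = {}  # (pid, fd) -> serial of the open(2) event
    closed, unclosed = [], []
    for serial in sorted(events):
        recs = events[serial]
        syscalls = [f for t, f in recs if t == 'SYSCALL']
        if not syscalls or syscalls[0].get('success') != 'yes':
            continue
        sc = syscalls[0]
        nr, pid = int(sc['syscall']), int(sc['pid'])
        if nr == SYS_OPEN:
            # open(2) returns the new fd in `exit`; the object is in the PATH record
            names = [f.get('name') for t, f in recs if t == 'PATH']
            if target in names:
                open_fds[(pid, int(sc['exit']))] = serial
        elif nr == SYS_CLOSE:
            fd = int(sc['a0'], 16)  # syscall arguments are logged in hex
            key = (pid, fd)
            if key in open_fds:
                closed.append({'path': target, 'pid': pid, 'comm': sc.get('comm'),
                               'open_serial': open_fds.pop(key), 'close_serial': serial})
    for (pid, fd), serial in open_fds.items():
        unclosed.append({'path': target, 'pid': pid, 'fd': fd, 'open_serial': serial})
    return closed, unclosed


if __name__ == '__main__':
    done, pending = correlate_closes(SAMPLE_LOG, '/etc/group')
    for c in done:
        print('CLOSE of %(path)s by pid %(pid)d (%(comm)s): open #%(open_serial)d -> close #%(close_serial)d' % c)
    for u in pending:
        print('no close record for %(path)s fd %(fd)d opened by pid %(pid)d (event #%(open_serial)d)' % u)
```

In the sample, pid 4242 opens /etc/group on fd 3 and closes fd 3, so that pair is matched; pid 4300 is given fd 4 but the only close record for it is for fd 3, so its open of /etc/group is reported as unclosed. Without a close(2) rule that actually fires (the situation described in the post), every open would land in the second list, which makes this a quick way to confirm whether the close rule is producing records at all.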