On Thu, 2007-02-01 at 09:36 -0500, Steve Grubb wrote:
On Tuesday 30 January 2007 19:11, Matthew Booth wrote:
> I have a couple of requirements which on the face of it don't seem
> simple to achieve with auditctl. These are:
>
> * Audit changes to executables
> * Audit changes to configuration files
>
> I'll concentrate on the former as it's more obviously problematic. I
> believe this would require putting a watch explicitly on every
> executable in the system.
Assuming current generation of audit code...
auditctl -a exit,always -F perm=w -F obj_type=sbin_t -k executables
Hmmm...on FC6, that yields an error from auditctl:
key option needs a watch or syscall given prior to it
Dropping the -k option avoids the error message, but overwriting a bin_t
file doesn't generate any audit message. Similarly, adding a -S open
avoids the error message while retaining the -k, but overwriting a bin_t
file doesn't generate any audit message. Not sure where the problem
lies there.
Also, he mentioned RHEL 4 as his platform, so I would tend to think that
his kernel and auditctl wouldn't support this anyway. So he may be
limited to using auditallow statements in policy, which is certainly
legitimate use of them (although I understand your goal of centralizing
audit configuration).
--
Stephen Smalley
National Security Agency