On Thu, Nov 20, 2014 at 10:52 AM, LC Bruzenak <lenny(a)magitekltd.com> wrote:
 On 11/20/2014 09:42 AM, leam hall wrote:
> The RHEL 6 STIG says:
>
>   auditctl -l | grep syscall | grep chmod
>
> Should return lines referring to chmod. Those lines are in my
> audit.rules. Just doing an:
>
>   auditctl -l | grep syscall
>
> Returns nothing. I've got no issues telling the STIG folks how to do
> their work, but wanted to make sure I know what I'm talking about
> first.
>
> Am I missing something if there's no "syscall" line(s) returned?
>
> Thanks!
>
> Leam
>
 The auditctl command returns the rules loaded into the kernel.
 Looks to me as if you might not have a running auditd or else your rules
 were not all successfully loaded.
 This can happen if there was an error inside the ruleset and you didn't
 have the "-c" or "-i" flag set to continue loading the rules.
 Check your syslog for any errors on startup; also just auditctl -l and
 compare the loaded rules against your file.
 HTH,
 LCB
 --
 LC (Lenny) Bruzenak
 lenny(a)magitekltd.com 
Hmm... I played with chmod; removed fchmodat. The audit daemon says
it's running.
service auditd status
auditd (pid  609) is running...
Before the mod:
auditctl -l | grep chmod
-a always,exit -F arch=i386 -S chmod,fchmod,fchmodat -F key=perm_mod
-a always,exit -F arch=x86_64 -S chmod,fchmod,fchmodat -F key=perm_mod
After editing audit.rules and restarting auditd:
auditctl -l | grep chmod
-a always,exit -F arch=i386 -S chmod,fchmod -F key=perm_mod
-a always,exit -F arch=x86_64 -S chmod,fchmod,fchmodat -F key=perm_mod
Where's the best place to put debug flags?
Thanks!
Leam
-- 
Mind on a Mission
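To do the comparison LCB suggests (loaded rules against the rules file) without eyeballing it, here is an added Python example; it is not from the thread or from the audit project. It normalizes both spellings of a syscall rule (`-S a -S b` / `-k key` in audit.rules, `-S a,b` / `-F key=` in `auditctl -l` output) and reports rules that did not load as well as STIG-listed syscalls not covered for an arch. It assumes an x86 host (b32/b64 map to i386/x86_64) and uses constructed sample input in place of the real file and the real `auditctl -l` output.

```python
import shlex

# Assumption (x86 host): audit.rules may spell the arch as b32/b64 while
# `auditctl -l` prints the native names, so normalize before comparing.
ARCH = {"b32": "i386", "b64": "x86_64"}

# Constructed sample of /etc/audit/audit.rules after the fchmodat edit.
RULES_FILE = """
-a always,exit -F arch=b32 -S chmod -S fchmod -k perm_mod
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S lchown -k perm_mod
"""

# Constructed sample of `auditctl -l` output (the thread's "after" lines);
# the chown rule is absent, as if it failed to load without -c/-i.
LOADED = """
-a always,exit -F arch=i386 -S chmod,fchmod -F key=perm_mod
-a always,exit -F arch=x86_64 -S chmod,fchmod,fchmodat -F key=perm_mod
"""

def parse_rule(line):
    """Normalize one syscall rule to (arch, frozenset of syscalls, key).
    Accepts file style (-S a -S b, -k key) and auditctl -l style
    (-S a,b, -F key=key). Lines that are not -a rules return None."""
    toks = shlex.split(line)
    if not toks or toks[0] != "-a":
        return None
    arch = key = None
    syscalls = set()
    i = 1
    while i < len(toks):
        t = toks[i]
        v = toks[i + 1] if i + 1 < len(toks) else ""
        if t == "-S":
            syscalls.update(v.split(","))
        elif t == "-F" and v.startswith("arch="):
            arch = v[len("arch="):]
        elif t == "-F" and v.startswith("key="):
            key = v[len("key="):]
        elif t == "-k":
            key = v
        i += 2 if t.startswith("-") else 1   # every option takes one value
    return (ARCH.get(arch, arch), frozenset(syscalls), key)

def watched(loaded):
    """arch -> set of syscalls currently audited, from `auditctl -l` output."""
    out = {}
    for r in filter(None, map(parse_rule, loaded.splitlines())):
        out.setdefault(r[0], set()).update(r[1])
    return out

def unwatched(loaded, arch, expected):
    """Syscalls from an expected list (e.g. the STIG chmod set) not audited for arch."""
    return sorted(set(expected) - watched(loaded).get(arch, set()))

def not_loaded(rules_file, loaded):
    """Rules present in the file but absent from the kernel (e.g. load errors)."""
    want = set(filter(None, map(parse_rule, rules_file.splitlines())))
    have = set(filter(None, map(parse_rule, loaded.splitlines())))
    return sorted(want - have, key=lambda r: (r[0] or "", sorted(r[1]), r[2] or ""))
```

Note that the STIG's `grep syscall` matches the older `LIST_RULES: ... syscall=...` output format of auditctl; the `-a always,exit` lines shown in the thread are the newer rule-syntax format, which is what this parser reads.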