8:59 p.m.
Hello, my friends.
Every record contains a type field.It's about the message type such as
AUDIT_AVC, AUDIT_SYSCALL and so on.
Does AVC mean Mandatory Access Control ?
Is all the messag types listed in msg_typetab.h?
What do they mean exactly?
Where can I get the information about them ?
I look into the _LIBAUDIT_H_ , and find this sentence
* 1300 - 1399 audit event messages
But in this file , I find nothing about audit event message
Can anyone give me an URL or give a book for me about the audit event
message?
Thanks a lot ^_^
Jeedan
--
-----------------------------
陈洁丹 北京邮电大学软件学院
地 址: 北京邮电大学学二D12寝室
邮 编: 100876
Email: jeedan.chen(a)gmail.com
---------------------------------
7:47 a.m.
On Wednesday 30 December 2009 09:59:49 pm 陈洁丹 wrote:
Every record contains a type field.It's about the message type
such as
AUDIT_AVC, AUDIT_SYSCALL and so on.
Does AVC mean Mandatory Access Control ?
Specifically, its a SE Linux access control decision. You have to look at the
syscall record to see if it was actually successful.
Is all the messag types listed in msg_typetab.h?
Yes. There are a few more, but you will never see them since they are command
types rather than events.
What do they mean exactly?
Where can I get the information about them?
The header file usually has a brief 1 sentence comment about what its used for.
You would look in 1 of 2 places:
/usr/include/linux/audit.h
/usr/include/libaudit.h
I look into the _LIBAUDIT_H_ , and find this sentence
* 1300 - 1399 audit event messages
But in this file , I find nothing about audit event message
Can anyone give me an URL or give a book for me about the audit event
message?
The audit events are divided into broad categories so that similar events are
in the same range of numbers. This is what its referring to. But look at the 2
header files and you should know more about it.
-Steve
3:29 p.m.
Auditd fails to start due to -D in the /etc/audit/audit.rules file on
two of my RHEL 5.3 systems.
I am using Steve Grubb's STIG audit.rules file. Did I miss something with
5.3??
David Flatley CISSP
3:49 p.m.
On Thursday 21 January 2010 04:29:04 pm David Flatley wrote:
Auditd fails to start due to -D in the /etc/audit/audit.rules file
on
two of my RHEL 5.3 systems.
I am using Steve Grubb's STIG audit.rules file. Did I miss something with
5.3??
The very last command in that file puts the audit system in immutable mode -
meaning you cannot change the rules without rebooting. Comment out that line
if you want to let any changes into the audit system at any time.
-Steve
7:48 a.m.
My audit install script installs your rules file with the -e 2
uncommented so I will have to adjust the script to account for this.
Thanks Steve
David Flatley CISSP
From: Steve Grubb <sgrubb(a)redhat.com>
To: linux-audit(a)redhat.com
Cc: David Flatley/Burlington/IBM@IBMUS
Date: 01/21/2010 04:50 PM
Subject: Re: How to learn the Message type?
On Thursday 21 January 2010 04:29:04 pm David Flatley wrote:
Auditd fails to start due to -D in the /etc/audit/audit.rules file
on
two of my RHEL 5.3 systems.
I am using Steve Grubb's STIG audit.rules file. Did I miss something with
5.3??
The very last command in that file puts the audit system in immutable mode
-
meaning you cannot change the rules without rebooting. Comment out that
line
if you want to let any changes into the audit system at any time.
-Steve
10:37 a.m.
Steve:
Your audit.rules file for STIG compliance is mostly geared towards RHEL
5 systems?
When I try to run it on a RHEL 4 system it complains about the filters (-k)
and other things.
Thanks.
David Flatley CISSP
10:46 a.m.
On Monday 25 January 2010 11:37:01 am David Flatley wrote:
Your audit.rules file for STIG compliance is mostly geared
towards RHEL
5 systems?
Yes.
When I try to run it on a RHEL 4 system it complains about the
filters (-k)
and other things.
Yes, there is that and the fact that directory auditing is not recursive and
you cannot write fancy rules that do file system watching without naming the
syscall. It may be possible to make some adjustments to the RHEL5 rules, but I
don't know if you would wind up with lots of unnecessary data as a result of
RHEL4's audit capabilities.
-Steve
5444
days inactive
5469
days old
linux-audit@lists.linux-audit.osci.io
6 comments
3 participants
participants (3)
-
David Flatley -
Steve Grubb -
陈洁丹