<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style></style></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1>I am struggling here quite a bit trying to implement a ruleset to help us log PCI related events. I was able to get a good ruleset that I am using successfully on RHEL5 which consists of the following rules:<o:p></o:p><o:p> </o:p>-a exclude,always -F msgtype=CWD<o:p></o:p>-a exit,never -F arch=b32 -F path=/var/log/audit/audit.log<o:p></o:p>-a exit,never -F arch=b32 -F path=/var/log/messages<o:p></o:p>-a always,exit -F euid=0 -F perm=wxa -k ROOT_ACTION<o:p></o:p>-a exit,always -S all -F dir=/var/log -k LOG_ACCESS<o:p></o:p>-a exit,always -F arch=b32 -F dir=/var/log -S truncate -S unlink -S rename -S unlinkat -k LOGS_INIT<o:p></o:p>-a exit,always -F arch=b64 -F dir=/var/log -S truncate -S unlink -S rename -S unlinkat -k LOGS_INIT<o:p></o:p>-w /etc -p wa -k CONF_ACCESS<o:p></o:p><o:p> </o:p>However, when I started deploying this I ran into some RHEL4 servers, and it appears the version of audit on the RHEL4 servers is 1.0.16. This version doesn’t seem to like the rules above. For example, the first rule results in the following:<o:p></o:p><o:p> </o:p>Append rule - bad keyword exclude,always<o:p></o:p><o:p> </o:p>Changing this rule to -a entry,never -F msgtype=CWD results in:<o:p></o:p><o:p> </o:p>-F unknown field: msgtype=CWD<o:p></o:p><o:p> </o:p>And -a always,exit -S all -F euid=0 -k ROOT_ACTION results in:<o:p></o:p><o:p> </o:p>filterkey option needs a watch given prior to it<o:p></o:p><o:p> </o:p><o:p> </o:p>So clearly a lot has changed from this version to the version on the RHEL5 box (1.7.18). Anyhow, since upgrading the RHEL4 boxes for this isn’t an option, I am trying to figure out what I can do to possibly modify these rules to work with the older version, or replace the older version with a newer version for the sake of this project. From what I understand, the kernel on the RHEL4 box (2.6.9-103.EL) may not allow this since I understand that the versions of audit are generally kernel dependant. Additionally, just looking at some of the dependencies on the audit-libs package on the RHEL4 box I am seeing that a lot of critical things depend on it (e.g. PAM, passwd, shadow-utils, openssh-server, etc.) so removing it and replacing it will likely be quite a mess.<o:p></o:p><o:p> </o:p>If anyone has any input or suggestions I would greatly appreciate it. Ideally, we shouldn’t have any RHEL4 boxes today, but the case is that we do, and they cannot be upgraded for the sake of this project, so creative solutions are welcomed, and encouraged.<o:p></o:p><o:p> </o:p>Thanks!<o:p></o:p>-Pat<o:p></o:p><o:p> </o:p><o:p> </o:p><o:p> </o:p>------------------<o:p></o:p>Patrick Synor<o:p></o:p>Web Hosting Engineer<o:p></o:p>RouteOne<o:p></o:p><o:p> </o:p></div></body> <?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /><o:p>CONFIDENTIALITY NOTE:<o:p></o:p> This message and any attachments are confidential, may contain information that is privileged and is intended only for the use of the addressee. If you are not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail and delete the message and any attachments from your system. This message is not meant to constitute an electronic signature or evidence intent to contract electronically.<o:p></o:p></o:p></html>