Sample Rules

Casey Schaufler casey at schaufler-ca.com
Thu Feb 10 21:50:50 UTC 2005


--- Valdis.Kletnieks at vt.edu wrote:

> I can *guarantee* that something you will eventually
> be asked is:

You are correct. It won't even take long.

> "What auditctl rules do I need to split things into
> classes equivalent to
> the Solaris/AIX/Irix (pick one or more) audit
> classes?"

Chuckle. Irix does not have audit classes.
This is for the simple reason that Solaris
does and the lesson learned is that it is
impossible to find any two people who can
agree on what should be grouped together.
On Irix you have to tell it what events
you want.

> (Am pressed for time, don't have the Irix pointer
> handy)

http://techpubs.sgi.com/library/tpl/cgi-bin/getdoc.cgi/srch5@audit/0650/bks/SGI_Admin/books/IA_BakSecAcc/sgi_html/ch06.html#LE77858-PARENT


Of course, neither system audits on a system
call basis. Events are selected by the policy
enforced. This may confound those who don't 
realize that because of this policy perspective
turning on audit for chown() will also enable
audit for chmod().

Chown and chmod are controlled by the
file-system-object-attribute-write policy.
You can (on those U2X systems) monitor
that policy's enforcement in the kernel
but if you want to audit all calls to chmod
you need to watch that policy and filter
out all other system call records.


=====
Casey Schaufler
casey at schaufler-ca.com
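The "watch the policy, then filter out the other system call records" point above, as an added example (my own code, not Casey's and not part of the Linux audit project): a Python helper that renders one auditctl rule enabling the whole chmod/chown class under a single key, then filters constructed audit.log SYSCALL records down to just the chmod family. The class membership and the x86_64 syscall numbers are assumptions for the example.

```python
import re

# Constructed class definition, modelled on the Irix/Solaris
# "file-system-object-attribute-write" policy described above: one
# class that covers the mode- and ownership-changing system calls.
ATTR_WRITE_CLASS = ["chmod", "fchmod", "fchmodat",
                    "chown", "fchown", "lchown", "fchownat"]

# x86_64 syscall numbers for those names (audit records carry the
# number, not the name); the example assumes arch=b64 throughout.
SYSCALL_NAMES = {90: "chmod", 91: "fchmod", 268: "fchmodat",
                 92: "chown", 93: "fchown", 94: "lchown", 260: "fchownat"}

# Constructed audit.log excerpt: the whole class was enabled under one
# key, so chown and chmod records arrive interleaved.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1107985850.101:11): arch=c000003e syscall=90 '
    'success=yes exit=0 uid=1000 comm="chmod" key="attr-write"',
    'type=SYSCALL msg=audit(1107985850.102:12): arch=c000003e syscall=92 '
    'success=yes exit=0 uid=0 comm="chown" key="attr-write"',
    'type=SYSCALL msg=audit(1107985850.103:13): arch=c000003e syscall=268 '
    'success=no exit=-13 uid=1000 comm="chmod" key="attr-write"',
    'type=SYSCALL msg=audit(1107985850.104:14): arch=c000003e syscall=257 '
    'success=yes exit=3 uid=1000 comm="cat" key="file-read"',
]

_SYSCALL_RE = re.compile(r'\bsyscall=(\d+)\b')
_KEY_RE = re.compile(r'\bkey="([^"]*)"')


def auditctl_rule(key, syscalls, arch="b64"):
    """One auditctl rule that turns on the whole class under a single key."""
    sysc = " ".join(f"-S {name}" for name in syscalls)
    return f"-a always,exit -F arch={arch} {sysc} -k {key}"


def select_records(lines, key, wanted):
    """Keep SYSCALL records tagged `key` whose syscall name is in `wanted`;
    every other record the class produced is filtered out."""
    kept = []
    for line in lines:
        if not line.startswith("type=SYSCALL"):
            continue
        k, s = _KEY_RE.search(line), _SYSCALL_RE.search(line)
        if not (k and s) or k.group(1) != key:
            continue
        if SYSCALL_NAMES.get(int(s.group(1))) in wanted:
            kept.append(line)
    return kept
```

Load the rendered rule with auditctl, then run select_records over the resulting log to see only the chmod-family records; the chown records are still written, they are just dropped at the filtering step.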

