Audit config for NISPOM req's
Steve Grubb
sgrubb at redhat.com
Fri Dec 22 15:33:23 UTC 2006
On Friday 22 December 2006 10:08, Curtas, Anthony R. wrote:
> One thing that still confuses me is how "possible" is implemented.
Possible means to collect the information at entry in case its needed later.
Rules with possible will never trigger an event, they simply tell it to
collect the information. A watch or SE Linux AVC would actually use the
information collected.
> From what I've read in the documentation, it looks like if you set a rule
> for entry,possible -- the audit system waits until a file watch is thrown,
> then it writes the event. Do I have this right?
Yes.
> If I always want to see when /etc/shadow is opened:
>
> -w /etc/shadow -rwxa
> -a entry,possible -S open
That would be opened for write or execute.
> Will that work? And if I understand the mechanism correctly, that would
> log an open of ANY file that has a watch on it?
Not quite. It will collect the information for any open, but only emit an
event when shadow is opened for write or execute.
> One last thing, if I only want unsuccessful open attempts on the watch
> files, would this work?
> -a entry,possible -S open -F success!=1
It should collect the information for later use. If you wanted all
unsuccessful opens, I'd rewrite as:
-a exit,always -S open -F success!=1
-Steve
More information about the Linux-audit
mailing list