close(2) not being audited?
Todd, Charles
CTODD at ball.com
Thu Dec 28 21:58:44 UTC 2006
All,
I'm on an RHEL4u3 with Steve's preliminary 1.0.15 package (I built the
RPM) under x86_64 2.6.9-34-ELsmp. I'm using the CAPP.rules sample
fileset to great success. NISPOM 8-602 requires that CLOSE operations
on security-relevant objects be logged. Well, I've got logging for OPEN
on security-relevant objects (with the watches) working VERY well
(yeah!!!). The default CAPP.rules file had nothing about close(2), so
just to test it, I ran:
auditctl -a entry,possible -S close
and then as a normal user typed: cat /etc/group (which is a
security-relevant object that I have permission to open, and thus
eventually close)
However, when I review the audit files, nothing is logged. If I change
the "entry,possible" to "entry,always" then lots of stuff gets logged,
but not my actual opening of the /etc/group file.
There is only one other thing that could be a configuration issue:
"auditctl -l |grep /etc/group" reveals an additional "perm=wa" field
that is set by the -p option in CAPP.rules, but even if root writes to
one of the watched files, close(2) is still not logged.
Do I have a configuration problem or is something deeper going on?
Thanks,
Charlie Todd
Ball Aerospace & Technologies Corp.
ctodd- at -ball.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20061228/abf2a237/attachment.htm>
More information about the Linux-audit
mailing list