[RFC] NISPOM audit rules - first draft
Steve Grubb
sgrubb at redhat.com
Wed Apr 18 21:16:06 UTC 2007
On Wednesday 18 April 2007 16:41, Wieprecht, Karen M. wrote:
> 1. auditd complained about using the -k (keyword) flag on lines that
> were not file watch lines.
Yes, this was mentioned on IRC last week and fixed in my development copy. It
will be in 1.5.3.
> This could be a newer feature not supported by our audit subsystem (we
> are running RHEL4 update 4 with audit-1.0.14 I believe). Can you verify
> if this is a general syntax problem or a
> your-audit-version-doesn't-support-this problem ? Thanks.
1.5.2 does not work with RHEL4.
> 2. We had two additional lines in our audit.rules to capture failed
> chown, chgrp, and chmod:
>
> -a exit,always -S 90 -F exit=-1
> -a exit,always -S 92 -F exit=-1
I think you want 90-94 on x86_64. I guess they do return -EPERM. The way that
we are doing this for 1.5.2 is using special syntax allowed by the newer
kernels:
-a exit,always -F perm=a -F exit=-13
This tells the kernel to select any syscall that changes file attributes. We
should probably add another line with -F exit=-1.
> If these actions aren't already being captured by another NISPOM audit
> rule, you might consider adding them since failed attempts to chown,
> chgrp, chmod are indications of someone possibly trying to open up
> access to files they don't have rights to which would fall into the
> "failed file access attempts" category.
Yep, I'll add a line.
-Steve
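Added example, not part of the original mail or of the audit package: a shell script that emits the two attribute-change rules in the syntax Steve gives above and then runs a small filter over constructed raw audit-log SYSCALL records to pull out the failed chmod/chown/chgrp attempts those rules would capture. The sample log lines, their PIDs, uids and timestamps are constructed for the demo; the syscall numbers 90-94 are the x86_64 chmod, fchmod, chown, fchown and lchown entries mentioned in the thread.

```shell
#!/bin/sh
# Added example, not code from the linux-audit thread or from audit-1.5.x.
# It shows the two rules discussed above as an audit.rules fragment and a
# filter that finds the matching failed attribute changes in raw audit.log
# text. Sample records below are constructed, not captured from a real host.

# Emit the audit.rules lines from the mail. "-F perm=a" selects any syscall
# that changes file attributes; -13 is EACCES and -1 is EPERM, which is what
# chmod/chown return when the caller does not own the file.
nispom_attr_rules() {
    cat <<'EOF'
-a exit,always -F perm=a -F exit=-13
-a exit,always -F perm=a -F exit=-1
EOF
}

# Constructed sample in the raw audit.log record layout (type=SYSCALL with
# key=value fields). Two failed attribute changes by auid 500, one successful
# chmod by root, one failed open (syscall 2) and one non-SYSCALL record.
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1176932166.101:201): arch=c000003e syscall=90 success=no exit=-1 a0=7fff5a3c1230 items=1 ppid=3001 pid=3002 auid=500 uid=500 gid=500 euid=500 comm="chmod" exe="/bin/chmod"
type=SYSCALL msg=audit(1176932166.102:202): arch=c000003e syscall=92 success=no exit=-13 a0=7fff5a3c1240 items=1 ppid=3001 pid=3003 auid=500 uid=500 gid=500 euid=500 comm="chown" exe="/bin/chown"
type=SYSCALL msg=audit(1176932166.103:203): arch=c000003e syscall=90 success=yes exit=0 a0=7fff5a3c1250 items=1 ppid=3001 pid=3004 auid=0 uid=0 gid=0 euid=0 comm="chmod" exe="/bin/chmod"
type=SYSCALL msg=audit(1176932166.104:204): arch=c000003e syscall=2 success=no exit=-13 a0=7fff5a3c1260 items=1 ppid=3001 pid=3005 auid=500 uid=500 gid=500 euid=500 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1176932166.101:201):  cwd="/home/karen"
EOF
}

# Read raw audit records on stdin; print one line per failed attribute
# change: a SYSCALL record with success=no, exit of -1 (EPERM) or -13 (EACCES)
# and an x86_64 syscall number in 90..94 (chmod fchmod chown fchown lchown).
# Only arch=c000003e (x86_64) is handled; 32-bit records use other numbers,
# which is exactly why the kernel-side "-F perm=a" selector is preferable.
failed_attr_changes() {
    awk '
    $1 == "type=SYSCALL" {
        split("", f)
        for (i = 2; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0) f[substr($i, 1, n - 1)] = substr($i, n + 1)
        }
        sc = f["syscall"] + 0
        if (f["arch"] == "c000003e" && f["success"] == "no" \
            && (f["exit"] == "-1" || f["exit"] == "-13") \
            && sc >= 90 && sc <= 94) {
            gsub(/"/, "", f["comm"])
            print "auid=" f["auid"], "syscall=" f["syscall"], \
                  "exit=" f["exit"], "comm=" f["comm"]
        }
    }'
}

# Demo run: print the rules fragment, then the matches from the sample log.
nispom_attr_rules
sample_audit_log | failed_attr_changes
```

The filter matches only the two records from auid 500 (chmod returning EPERM, chown returning EACCES); root's successful chmod and the failed open are skipped. On a real host the same filter can be fed from `ausearch --raw` output, but note that it hard-codes x86_64 syscall numbers, so records from 32-bit callers (a different `arch=` value) will not match; the `-F perm=a` rule does not have that problem because the kernel classifies the syscall itself.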