Status of /etc/audit/filter.conf
Matthew Booth
mbooth at redhat.com
Mon Apr 23 20:38:21 UTC 2007
On Mon, 2007-04-23 at 16:09 -0400, Aaron Lippold wrote:
> I have a security checking script that is complaining that my system
> is not able to audit all discretionary access to control permission
> modifications.
>
> To verify this it is looking for /etc/audit/filter.conf
>
> Is this still the correct place to look on RHEL4/5? I'd assume not
> since I can't find a man page on audit-filter.conf anymore.

filter.conf was a LAuS configuration file, which is no longer used.
Auditing in RHEL4 and RHEL 5 is entirely unrelated to LAuS. The
approximately corresponding information is in /etc/audit.rules (RHEL4)
or /etc/audit/audit.rules (RHEL5) iirc.

> If not, where and how would I add this feature to my audit configuration?

That really depends what 'discretionary access to control permission
modifications' actually means to the person who wrote it ;) I'm guessing
it refers to auditing the chmod family of system calls, in which case
you would add the following line to /etc/audit/audit.rules in RHEL 5:

    -a entry,always -S chmod -S fchmod

and start the audit daemon. These calls will then be logged
in /var/log/audit.log.

Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
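
Added example, not part of the original message or of the audit project: a checking script could parse the rule files named in the reply instead of looking for filter.conf, and report which of the chmod-family syscalls from the quoted rule have no unconditional 'always' rule. The function names, the REQUIRED tuple and the sample rules are assumptions made for this sketch.

```python
import shlex

# Syscalls named in the rule quoted in the reply above.
REQUIRED = ("chmod", "fchmod")
# Rule file locations given in the reply (RHEL 5, then RHEL 4).
RULE_FILES = ("/etc/audit/audit.rules", "/etc/audit.rules")

# Constructed sample input, not taken from a real system.
SAMPLE_RULES = """\
# watch rule, irrelevant to chmod auditing
-w /etc/passwd -p wa
-a entry,always -S chmod -S fchmod
"""

def audited_syscalls(rules_text):
    """Syscalls logged by unconditional 'always' rules on the entry/exit lists."""
    covered = set()
    for raw in rules_text.splitlines():
        tokens = shlex.split(raw, comments=True)  # drops '#' comments
        action, syscalls, filtered = set(), set(), False
        for opt, arg in zip(tokens, tokens[1:]):
            if opt in ("-a", "-A"):
                action = set(arg.split(","))      # list,action in either order
            elif opt == "-S":
                syscalls.update(arg.split(","))
            elif opt == "-F":
                filtered = True                   # narrowed rule: not full coverage
        if "always" in action and action & {"entry", "exit"} and not filtered:
            covered |= syscalls
    return covered

def missing_syscalls(rules_text, required=REQUIRED):
    """Required syscalls that no unfiltered 'always' rule covers."""
    covered = audited_syscalls(rules_text)
    if "all" in covered:                          # '-S all' matches every syscall
        return []
    return [s for s in required if s not in covered]

if __name__ == "__main__":
    print("sample:", missing_syscalls(SAMPLE_RULES) or "covered")
    for path in RULE_FILES:
        try:
            with open(path) as fh:
                print(path, missing_syscalls(fh.read()) or "covered")
        except (IOError, OSError) as exc:
            print(path, "not readable:", exc)
```

This inspects the rule file only; the rules actually loaded in the kernel are listed by `auditctl -l`, and the two can differ if the daemon has not been restarted since the file was edited.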