RHEL 5 audit events

Henning, Arthur C. (CSL) art.henning at ngc.com
Sat Aug 18 17:04:21 UTC 2007


> RHEL 5
> 
> Have two events I am having difficulty capturing or reviewing with the
> audit sub-system.
> 
> 1. su - "non_existent_account". Using the nispom.rules provided by
> audit 1.5.6-1. Using various ausearch parameters, am unable to find a
> corresponding failure when attempting to "su" to a non-existent
> account.
> 
> 2. Non-privileged user attempting to change the date/time on the
> server. Of course the user fails to be able to do so, but am unable to
> capture or review the event.
> 
> Not sure if these are audit rule configuration or search unknowns or
> audit sub-system limitations.
> 
> Thank you
> Art Henning (CSL) 
> Enterprise IT Solutions
> Northrop Grumman Corporation
> art.henning at ngc.com
> 