Audit rules keys

Henning, Arthur C. (CSL) art.henning at ngc.com
Tue Aug 21 16:09:28 UTC 2007


Here is what I am finding:

Copy NISPOM.rules to /etc/audit/audit.rules

Sample entries:

-a entry,always -S adjtimex -S settimeofday -k time-change
-w /etc/localtime -p wa -k time-change
-a exit,always -S sethostname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale 

Using system-config-audit, I create a rule for the SYSCALL kill with a key of kill.
"Save" the configuration.
Get the described error.

The audit.rules now is configured:

-e 1
-f 2
-b 8192
-r 0

-D
-a entry,always -k kill -S kill
-a entry,always -k time-change -S adjtimex -S settimeofday
-a exit,always -k system-locale -S sethostname
-a exit,always -F exit=-13 -k creation -S creat -S mkdir -S mknod -S link -S symlink
-a exit,always -F exit=-13 -k creation -S mkdirat -S mknodat -S linkat -S symlinkat
-a exit,always -F exit=-13 -k open -S open
-a exit,always -F exit=-13 -k open -S openat
-a exit,always -F exit=-13 -k close -S close
-a exit,always -F exit=-13 -k mods -S rename -S truncate -S ftruncate
-a exit,always -F exit=-13 -k mods -S renameat
-a exit,always -p a -F exit=-13 -k mods -S all
-a exit,always -p a -F exit=-1 -k mods -S all
-a exit,always -F exit=-13 -k delete -S rmdir -S unlink
-a exit,always -F exit=-13 -k delete -S unlinkat
-w /etc/localtime -p wa -k time-change -S all
-w /etc/issue -p wa -k system-locale -S all
-w /etc/issue.net -p wa -k system-locale -S all
-w /etc/hosts -p wa -k system-locale -S all
-w /etc/sysconfig/network -p wa -k system-locale -S all
-w /var/log/faillog -p wa -k logins -S all
-w /var/log/lastlog -p wa -k logins -S all
-w /var/log/messages -p wa -k logins -S all
-w /var/log/wtmp -p wa -k logins -S all
-w /var/log/authlog -p wa -k logins -S all
-w /var/log/tallylog -p wa -k logins -S all
-w /etc/group -p wa -k auth -S all
-w /etc/passwd -p wa -k auth -S all
-w /etc/gshadow -p wa -k auth -S all
-w /etc/shadow -p wa -k auth -S all
-w /etc/login.defs -p wa -k auth -S all
-w /etc/security/opasswd -p wa -k auth -S all
-w /var/log/audit/audit.log -k audit-logs -S all
-w /var/log/audit/audit.log.1 -k audit-logs -S all
-w /var/log/audit/audit.log.2 -k audit-logs -S all
-w /var/log/audit/audit.log.3 -k audit-logs -S all
-w /var/log/audit/audit.log.4 -k audit-logs -S all
-w /var/log/audit/audit.log.5 -k audit-logs -S all
-w /var/log/audit/audit.log.6 -k audit-logs -S all
-w /var/log/audit/audit.log.7 -k audit-logs -S all
-w /etc/audit/auditd.conf -k audit-conf -S all
-w /etc/audit/audit.rules -k audit-conf -S all

It would appear the system-config-audit GUI is rewriting the entire rule file and then complaining that it's not configured correctly.

Art Henning (CSL) 
Enterprise IT Solutions
Northrop Grumman Corp
art.henning at ngc.com

-----Original Message-----
From: Steve Grubb [mailto:sgrubb at redhat.com] 
Sent: Tuesday, August 21, 2007 10:56 AM
To: linux-audit at redhat.com
Cc: Linda Knippers; Henning, Arthur C. (CSL)
Subject: Re: Audit rules keys

On Tuesday 21 August 2007 11:39:51 Linda Knippers wrote:
> > Using system-config-audit getting key (-k) configuration errors when
> > saving changes.
> >
> > [root at localhost ~]# Stopping auditd: [  OK  ]
> > Starting auditd: [  OK  ]
> > key option needs a watch or syscall given prior to it
>
> This is telling you that the -k flag needs to be after a -S
> flag.  I don't know why the order matters but apparently it does.

Correct. It matters because originally keys were only associated with watches. 
So, I needed the rule writer to declare that this is going to be a syscall or 
watch rule so that I can error check appropriately.

Keys do not apply to rules like, -b or -e, so I still want to see the rule 
type ahead of a key option so that errors are caught.

-Steve
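The ordering rule Steve describes (a key is only valid once a -S or -w earlier on the same line has declared the rule type) can be checked offline before a rules file is loaded. The following checker is an added example, not code from the audit project or from anyone in this thread; it is a simplified reimplementation of that one check, not auditctl's parser, and the sample rules it walks are constructed from the lines quoted above (the NISPOM-style originals beside the GUI-rewritten ones).

```python
import shlex

# Options that declare the rule type: -S makes a syscall rule, -w a watch rule.
_RULE_TYPE_OPTS = {"-S", "-w"}
# auditctl options that consume one argument (assumption: the subset used in this thread).
_ARG_OPTS = {"-a", "-A", "-S", "-w", "-p", "-F", "-k", "-b", "-e", "-f", "-r"}

ERR_KEY_ORDER = "key option needs a watch or syscall given prior to it"


def check_rule(line: str):
    """Return None if -k placement is acceptable, else the auditctl-style error text."""
    tokens = shlex.split(line, comments=True)
    seen_type = False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in _RULE_TYPE_OPTS:
            seen_type = True
        elif tok == "-k" and not seen_type:
            return ERR_KEY_ORDER
        i += 2 if tok in _ARG_OPTS else 1  # skip the option's argument, if any
    return None


def check_rules(text: str):
    """Check every non-blank, non-comment line; return [(line_no, rule, error)]."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        err = check_rule(line)
        if err:
            problems.append((n, line.strip(), err))
    return problems


def reorder_rule(line: str) -> str:
    """Move every '-k <key>' pair to the end of the rule so it follows -S/-w."""
    tokens = shlex.split(line, comments=True)
    kept, keys = [], []
    i = 0
    while i < len(tokens):
        pair = tokens[i:i + 2] if tokens[i] in _ARG_OPTS else tokens[i:i + 1]
        (keys if tokens[i] == "-k" else kept).extend(pair)
        i += len(pair)
    return " ".join(kept + keys)


# Constructed sample: control lines, two rules as written in NISPOM.rules,
# two rules as rewritten by the GUI, and one watch with a trailing -S all.
SAMPLE = """\
-e 1
-D
-a entry,always -S adjtimex -S settimeofday -k time-change
-w /etc/localtime -p wa -k time-change
-a entry,always -k kill -S kill
-a exit,always -p a -F exit=-13 -k mods -S all
-w /etc/hosts -p wa -k system-locale -S all
"""

if __name__ == "__main__":
    for n, rule, err in check_rules(SAMPLE):
        print(f"line {n}: {err}\n  bad:   {rule}\n  fixed: {reorder_rule(rule)}")
```

Only the two GUI-rewritten syscall rules are flagged; the watch rules pass because -w precedes -k even with -S all appended.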