Audit config for NISPOM req's
Steve Grubb
sgrubb at redhat.com
Thu Jan 11 19:42:20 UTC 2007
On Thursday 11 January 2007 14:18, Wieprecht, Karen M. wrote:
> This makes a lot more sense, and I assume that this is the correct
> syntax.
And it's easy to determine empirically. :)
> You might want to check to see if this has already been
> corrected in the man pages for upcoming releases.
hmm...I'll check, thanks.
> I was hoping that this setting by itself (-a exit,always -S open -F
> success!=1) would show me any failed file opens on the whole machine,
It does for me.
> so I don't understand why I don't get any audit events with this
> configuration.
What arch are you on?
> /etc/audit.rules :
>
> -D
> -w /etc/nsswitch.conf -rwxa
> -a exit,always -S open -F success!=1
You do not need both. The last rule by itself should do it.
> service auditd reload
> service auditd rotate
> autail -f /var/log/audit/audit.log
I don't use autail. I run ausearch to check results.
> Then in another window, as a non-prived user
> rm /etc/nsswitch.conf
> cat /dev/null > /etc/nsswitch.conf
> chown karen /etc/nsswitch.conf
> chmod 777 /etc/nsswitch.conf
> cat somefile >> /etc/nsswitch.conf
>
> I get lots of permission denied messages at the command line, but
> nothing in the audit log relating to karen messing around with
> /etc/nsswitch.conf.
Are you using ausearch or autail?
-Steve
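
An added example, not part of the original message or the audit project's code: a Python filter over constructed raw audit.log records that keeps only failed open calls. It matches on the arch field as well as the syscall number, because open is 2 on x86_64 and 5 on i386. The sample also carries failed unlink and chmod records (the syscalls rm and chmod use on the target file) to show that an open-only filter does not match them.

```python
import re

# open(2) has a different number on each arch; the bare number is ambiguous
# (2 is fork on i386, 5 is fstat on x86_64), so match on (arch, syscall).
OPEN_SYSCALL = {"c000003e": 2,   # AUDIT_ARCH_X86_64
                "40000003": 5}   # AUDIT_ARCH_I386
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT = re.compile(r"audit\([\d.]+:(\d+)\)")

# Constructed records in raw audit.log layout (fields trimmed for brevity).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1168544540.101:41): arch=c000003e syscall=2 success=no exit=-13 uid=500 comm="bash"
type=PATH msg=audit(1168544540.101:41): name="/etc/nsswitch.conf"
type=SYSCALL msg=audit(1168544541.202:42): arch=c000003e syscall=87 success=no exit=-13 uid=500 comm="rm"
type=SYSCALL msg=audit(1168544542.303:43): arch=c000003e syscall=90 success=no exit=-1 uid=500 comm="chmod"
type=SYSCALL msg=audit(1168544543.404:44): arch=40000003 syscall=5 success=no exit=-13 uid=500 comm="bash"
type=PATH msg=audit(1168544543.404:44): name="/etc/nsswitch.conf"
type=SYSCALL msg=audit(1168544544.505:45): arch=40000003 syscall=2 success=no exit=-11 uid=500 comm="bash"
type=SYSCALL msg=audit(1168544545.606:46): arch=c000003e syscall=2 success=yes exit=3 uid=500 comm="cat"
"""

def parse(line):
    """Split one raw record into a dict and attach its event serial number."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    m = EVENT.search(line)
    fields["event"] = m.group(1) if m else None
    return fields

def failed_opens(log_text):
    """Return (event, uid, comm, path) for every open call that failed."""
    records = [parse(l) for l in log_text.splitlines() if l.strip()]
    # PATH records carry the file name; join them to SYSCALL by event serial.
    paths = {r["event"]: r.get("name") for r in records if r.get("type") == "PATH"}
    hits = []
    for r in records:
        if r.get("type") != "SYSCALL" or r.get("success") != "no":
            continue
        if OPEN_SYSCALL.get(r.get("arch")) != int(r.get("syscall", -1)):
            continue
        hits.append((r["event"], r["uid"], r["comm"], paths.get(r["event"])))
    return hits

if __name__ == "__main__":
    for hit in failed_opens(SAMPLE_LOG):
        print(hit)
```

Events 42 and 43 (unlink, chmod), event 45 (syscall 2 on i386, which is fork) and event 46 (a successful open) are all filtered out.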