trouble with a number of audit rules
Bill Tangren
bjt at aa.usno.navy.mil
Mon Jan 29 21:57:49 UTC 2007
Hello all,
I am trying to add the following functionality to auditd (via audit.rules) using
the following rules, but the rules don't work on my RHEL ES 4 system (fully
patched). Could someone look at them and tell me what I am doing wrong, or where
I can read how to do it right?
1)
# Ensures that any reads of the audit log by the current user that's logged is
# audited. It might be beneficial to create a rule for each of the 5 logs
# that are generated.
RULE:
-w /var/log/audit/audit.log -p r -F auid=-1
ERROR:
List must be given before field
2)
# Ensures that any user who mounts or unmounts a device is audited
RULE:
-a exit,always -S mount -S umount
ERROR:
Syscall name unknown: umount
3)
# ensures auditing whenever the reboot command is sent to the kernel
RULE:
-a always,entry -S socketcall -F a0=13
ERROR:
Syscall name unknown: socketcall
4)
# Ensures auditing of any unauthorized access to roots home directory.
RULE:
-w /root -p rw -F uid!=0
ERROR:
List must be given before field
5)
#Ensure that failed use of the following system calls is audited
RULE:
-a exit,always -S quotactl -S mount -S stime -S kill -S chroot -F success=0 -F
auid=-1 -F auid=0
ERROR:
Syscall name unknown: stime
TIA,
Bill Tangren
More information about the Linux-audit
mailing list