the meaning of this audit entry
Steve Grubb
sgrubb at redhat.com
Wed Nov 21 02:27:18 UTC 2007
On Tuesday 20 November 2007 10:08:08 am Bill Tangren wrote:
> Well, I'm just finding that out. Obviously I have to rewrite all my rules,
> or most of them, anyway. I'd like to blame someone else for the rules,
> since I was given these and told to use them, but I should know better.
> Obviously I have a lot to learn. I wish there was a tutorial or something
> I could read. I've gone over the man page, but I'm not learning enough
> from it.
Take a look at the capp.rules or nispom.rules file in the audit package. Those
are real working rules that have been commented. That is where I would start
if I were setting up a system.
> I'll star by splitting up the auid= rules, and observe what shows up in
> the logs.
I think your issues are more fundamental than that. I think you have more
rules than you shared with us and they are looking for unsuccessful calls and
not considering the exit codes. There are plenty of people on this mail list
that could help you with your rules if you told us what kinds of things you
were needing to audit.
-Steve
More information about the Linux-audit
mailing list