Audit Log not capturing access to security related files

Trevor Vaughan peiriannydd at gmail.com
Fri Dec 4 10:59:37 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Starr,

The default rule set that comes with RHEL5 will not function properly on
a 32 bit system.  It will, however, function properly on a 64 bit system.

If you have a mix of architectures, this may be your problem.

To fix it for the 32 bit systems, try the following:

sed -e '/arch=b64/d' /etc/audit/audit.rules > audit.rules.32

and use the resulting file as your primary audit rule set.

Trevor

On 11/25/2009 11:57 AM, Starr-Renee Corbin wrote:
> Hello,
> 
> I am required (by NISPOM) to audit access to security related files.  I
> am essentially using the nispom audit.rules provided by rhel5 to
> accomplish this.
> 
> However, some of my systems are capturing access to /etc/shadow and some
> of my systems are not (when looking in /var/log/audit/audit.log.
> 
> Worried that I might have differing audit.rules files between the
> systems I have even copied the audit.rules file from systems that were
> auditing right to systems that were not.  But this has not resolved the
> auditing problem.
> 
> HELP!
> 
> Thank you!
> 
> Starr
> 
> 
> 
> 
> -- 
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAksY65UACgkQyjMdFR1108DMmwCePtILlhUsKjwrEZQi2Dw2wwmt
aJsAn3uJtMYXDzB/w2Pq6grvIuuQJ9gE
=qFmA
-----END PGP SIGNATURE-----




More information about the Linux-audit mailing list