Audit Log not capturing access to security related files
Trevor Vaughan
peiriannydd at gmail.com
Fri Dec 4 10:59:37 UTC 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Starr,
The default rule set that comes with RHEL5 will not function properly on
a 32 bit system. It will, however, function properly on a 64 bit system.
If you have a mix of architectures, this may be your problem.
To fix it for the 32 bit systems, try the following:
sed -e '/arch=b64/d' /etc/audit/audit.rules > audit.rules.32
and use the resulting file as your primary audit rule set.
Trevor
On 11/25/2009 11:57 AM, Starr-Renee Corbin wrote:
> Hello,
>
> I am required (by NISPOM) to audit access to security related files. I
> am essentially using the nispom audit.rules provided by rhel5 to
> accomplish this.
>
> However, some of my systems are capturing access to /etc/shadow and some
> of my systems are not (when looking in /var/log/audit/audit.log.
>
> Worried that I might have differing audit.rules files between the
> systems I have even copied the audit.rules file from systems that were
> auditing right to systems that were not. But this has not resolved the
> auditing problem.
>
> HELP!
>
> Thank you!
>
> Starr
>
>
>
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAksY65UACgkQyjMdFR1108DMmwCePtILlhUsKjwrEZQi2Dw2wwmt
aJsAn3uJtMYXDzB/w2Pq6grvIuuQJ9gE
=qFmA
-----END PGP SIGNATURE-----
More information about the Linux-audit
mailing list