questions about auditing on a new RH 6 box
Tangren, Bill
bill.tangren at usno.navy.mil
Fri Jan 14 19:26:40 UTC 2011
-----Original Message-----
From: Steve Grubb [mailto:sgrubb at redhat.com]
Sent: Friday, January 14, 2011 2:13 PM
To: linux-audit at redhat.com
Cc: Tangren, Bill
Subject: Re: questions about auditing on a new RH 6 box
On Friday, January 14, 2011 01:10:09 pm Tangren, Bill wrote:
> I think that some of this is capturing that I was using the tail command to
> capture some of the logs to email to myself to post here. Obviously that
> isn't typical, but hopefully there is some useful information here. Oh,
> and my uid and gid are both 500.
This is coming from:
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=0 -F exit!=-11
Which says, audit mknod calls that are not successful and whose errno does not equal
EAGAIN for anyone that logged in as root.
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=-1 -F exit!=-11
Which says audit mknod calls that are not successful, it's a system event meaning not
coming from a user session, and the exit code is not EAGAIN.
#Ensure that failed attempts at using the following system calls are audited
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=1 -F exit!=-11
Which says audit mknod calls that are successful and the exit code is not EAGAIN.
Are you sure this is what you intended?
-Steve
******************
The comments above each line are excerpts from the regulations. It is the requirements in those comments that the audit rules are supposed to be implementing.
Perhaps I need to study error codes and modify these rules. Do you have a suggestion on where I can learn the proper error commands?
Bill
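As an added illustration (not code from the thread), a small Python helper that renders the three rules Steve quoted the way he reads them, looking the -F exit value up in the host's errno table so that -11 comes out as EAGAIN. The wording for auid is an assumption based on his reply: auid=0 is a root login session, auid=-1 (4294967295) means no login session at all.

```python
import errno
import shlex


def describe_filter(field, op, value):
    """Plain-English clause for one -F field=value / field!=value filter."""
    if field == "success":
        return "that are successful" if value == "1" else "that are not successful"
    if field == "auid":
        # Assumption: auid=-1 / 4294967295 is the unset loginuid (no user session).
        if value in ("-1", "4294967295"):
            return "as a system event not coming from a user session"
        who = "root" if value == "0" else f"uid {value}"
        return f"for anyone that logged in as {who}"
    if field == "exit":
        # A negative exit value is -errno; map the number to its name using the
        # host's (Linux) errno table, so -11 becomes EAGAIN.
        num = abs(int(value))
        name = errno.errorcode.get(num, f"errno {num}")
        return f"whose errno {'does not equal' if op == '!=' else 'equals'} {name}"
    if field == "arch":
        return ""  # architecture selector, not part of the sentence
    return f"where {field} {op} {value}"


def describe_rule(rule):
    """Translate one '-a exit,always -S ... -F ...' line into a sentence."""
    tokens = shlex.split(rule)
    syscalls, clauses = [], []
    # Walk flag/argument pairs; -a and any flag we do not describe are skipped.
    for flag, arg in zip(tokens, tokens[1:]):
        if flag == "-S":
            syscalls.append(arg)
        elif flag == "-F":
            op = "!=" if "!=" in arg else "="
            field, value = arg.split(op, 1)
            clause = describe_filter(field, op, value)
            if clause:
                clauses.append(clause)
    return f"audit {'/'.join(syscalls)} calls " + " and ".join(clauses)


# Constructed input: the three rules from Steve's reply, one per line.
RULES = [
    "-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=0 -F exit!=-11",
    "-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=-1 -F exit!=-11",
    "-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=1 -F exit!=-11",
]

if __name__ == "__main__":
    for rule in RULES:
        print(describe_rule(rule))
```

Running it prints one sentence per rule; the third one reads "that are successful", which is the mismatch Steve points out against the "failed attempts" comment.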