questions about auditing on a new RH 6 box

Tangren, Bill bill.tangren at usno.navy.mil
Fri Jan 14 19:26:40 UTC 2011



-----Original Message-----
From: Steve Grubb [mailto:sgrubb at redhat.com] 
Sent: Friday, January 14, 2011 2:13 PM
To: linux-audit at redhat.com
Cc: Tangren, Bill
Subject: Re: questions about auditing on a new RH 6 box

On Friday, January 14, 2011 01:10:09 pm Tangren, Bill wrote:
> I think that some of this is capturing that I was using the tail command to
> capture some of the logs to email to myself to post here. Obviously that
> isn't typical, but hopefully there is some useful information here. Oh,
> and my uid and gid are both 500.

This is coming from:

-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -Fsuccess=0 -F auid=0 -F exit!=-11

Which says, audit mknod calls that are not successful and whose errno does not equal EAGAIN, for anyone that logged in as root.

-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=-1 -F exit!=-11

Which says audit mknod calls that are not successful, it's a system event meaning not coming from a user session, and the exit code is not EAGAIN.

#Ensure that failed attempts at using the following system calls are audited
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=1 -F exit!=-11

Which says audit mknod calls that are successful and the exit code is not EAGAIN.

Are you sure this is what you intended? 

-Steve

******************
The comments above each line are excerpts from the regulations. It is the requirements in those comments that the audit rules are supposed to be implementing. 

Perhaps I need to study error codes and modify these rules. Do you have a suggestion on where I can learn the proper error commands?

Bill 
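As an added example (not part of the thread or of audit's own tooling), a small Python script that parses the three rule lines quoted above the way Steve reads them and checks which of them is actually restricted to failed calls; the errno table holds only EAGAIN (11), the one value the thread discusses.

```python
import shlex

ERRNO_NAMES = {11: "EAGAIN"}  # only the errno value the thread mentions (EAGAIN = 11)

def parse_rule(rule):
    """Split an auditctl rule line into its syscall list and -F field filters."""
    tokens, syscalls, fields = shlex.split(rule), [], []
    for tok, nxt in zip(tokens, tokens[1:] + [""]):
        if tok == "-S":
            syscalls.append(nxt)
        elif tok == "-F":
            fields.append(nxt)
        elif tok.startswith("-F"):  # tolerate "-Fsuccess=0" (no space) as typed in the thread
            fields.append(tok[2:])
    return {"syscalls": syscalls, "fields": fields}

def describe_field(field):
    """Render one -F filter such as 'exit!=-11' as plain English."""
    for op in ("!=", ">=", "<=", "=", ">", "<"):  # two-character operators first
        if op in field:
            name, value = field.split(op, 1)
            break
    else:
        return field
    if name == "success":
        return "only " + ("successful" if value == "1" else "unsuccessful") + " calls"
    if name == "auid" and value in ("-1", "4294967295"):
        return "no login session (system event)"
    if name == "exit":
        errno = ERRNO_NAMES.get(abs(int(value)), "") if value.lstrip("-").isdigit() else ""
        return f"exit code {op} {value}" + (f" ({errno})" if errno else "")
    return f"{name} {op} {value}"

def describe_rule(rule):
    p = parse_rule(rule)
    return f"audit {', '.join(p['syscalls'])} on exit: " + "; ".join(describe_field(f) for f in p["fields"])

def audits_failed_attempts(rule):
    """True only when the rule is restricted to unsuccessful calls (success=0)."""
    return "success=0" in parse_rule(rule)["fields"]

# The three rule lines from the thread; the third sits under the "failed attempts" comment.
RULES = [
    "-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -Fsuccess=0 -F auid=0 -F exit!=-11",
    "-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=-1 -F exit!=-11",
    "-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=1 -F exit!=-11",
]
```

Running `describe_rule` and `audits_failed_attempts` over `RULES` shows the third rule matches successful calls only, so it does not satisfy the comment above it.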
