Suppress messages from /var/log/audit.log via audit.rules
Steve Grubb
sgrubb at redhat.com
Tue Oct 4 13:18:24 UTC 2011
On Monday, October 03, 2011 10:36:31 PM Worsham, Michael wrote:
> About the rule that’s 'killing' us (which I totally agree it is), this is
> what the stig.rules project says about it (GEN002720):
>
> 78 ## (GEN002720-GEN002840: CAT II) (Previously G100-G106) The SA will
> 79 ## configure the auditing system to audit the following events for
> all 80 ## users and root:
> 81 ##
> 82 ## - Logon (unsuccessful and successful) and logout (successful)
> 83 ##
> 84 ## Handled by pam, sshd, login, and gdm
>
> But here is what the latest version of the Unix checklist says the
> vulnerability is, and how to check if its mitigated:
>
> Unix Checklist v5r1-30 20110729
> 3.2.1.119
> PDI: GEN002720 – Audit Failed File and Program Access Attempts
> PDI Description: The audit system is not configured to audit failed
> attempts to access files and programs. Reference: UNIX STIG: 3.16
> - Linux
I'll have to double check the numbering. Things may have shifted since I wrote the
stig.rules file.
> For LAUS:
> # grep “@open-ops” /etc/audit/filter.conf
>
> For auditd:
> # grep “-a exit,always –S open –F success=0” /etc/audit.rules
This would appear that you are using an old stig.rules file. You might want to update
it.
> The two don’t seem to jibe as to what the vulnerability is. I’m not sure
> how login, sshd, etc, can give information about failed attempts to access
> files.
The rules file is listing several requirements which has the rules in-between the
requirements. The first part is to satisfy the logon/off requirements. Farther down is
the unsuccessful access requirement.
> As to altering the rule, while I’m sure the results would be much more
> useful and relevant (you can tell DISA’s thinking is out-of-date by the
> mitigation steps above), my only concern is that it would no longer be
> STIG compliant, or something that would always come up as a finding, that
> we would have to explain each time.
I occassionally chat with the DISA FSO people. The intent is the stig.rules file in the
audit package is compliant. I think they have altered the auditing requirements to
match what is shipped. But you just need to update to a newer version of the file.
-Steve
More information about the Linux-audit
mailing list