Success or failure?

yersinia yersinia.spiros at gmail.com
Sun Jul 22 17:44:16 UTC 2012


Well, I am pretty sure that PCI DSS could consider this a success.
This is because the standard speaks of "security relevant" events, in
the same vein as the Common Criteria standards do. And some distros
that include the Linux audit subsystem are Common Criteria certified
(check the documentation of the audit package; some example configurations
for these standards are well documented there).

Hope this helps

Best regards

2012/7/22, Michael Mather <michael.mather at teksavvy.com>:
> Thanks for the replies.
>
> The problem is that the PCI requirements say:
>
> 10.3 Record at least the following audit trail entries for all system
> components for each event:
> ...
> 10.3.4 Success or failure indication.
>
> I don't know if PCI would accept the notion that this was success.
>
> Michael
> -------
>
> On Sun, 2012-07-22 at 07:52 +0200, yersinia wrote:
>> From the point of view of the Linux kernel, and of the audit, you have
>> the right to execute the cp, you don't have permission denied. So the
>> result is success.
>>
>> Best regards
>>
>> 2012/7/22, Michael Mather <michael.mather at teksavvy.com>:
>> > Hi,
>> >
>> > I enter the command "sudo cp qwerty /etc/xxx"
>> > and get the reply:  "cp: cannot stat `qwerty': No such file or
>> > directory."
>> >
>> > A number of log entries are written. The last two are, in part:
>> >
>> > type=SYSCALL success=yes
>> > type=EXECVE  argc=3 a0="cp" a1="qwerty" a2="/etc/xxx"
>> >
>> > My problem is with "success=yes".
>> >
>> > What is happening?
>> >
>> > Thanks - Michael Mather
>> > -----------------------
>> >
>> >
>> >
>> > --
>> > Linux-audit mailing list
>> > Linux-audit at redhat.com
>> > https://www.redhat.com/mailman/listinfo/linux-audit
>> >
>>
>
>
>

-- 
Sent from my mobile device
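
As an added illustration (not code from the thread or from the audit project), the following Python parser groups raw auditd records by serial number and reports a 10.3.4-style outcome for each event. It shows why the execve() of cp is recorded with success=yes while cp's own failure, if a rule audits the stat syscall, shows up as a separate SYSCALL record with success=no and exit=-2. The log lines are constructed samples laid out in the raw auditd format; the rule key names and pids are assumptions.

```python
import os
import re
from collections import defaultdict

# Constructed sample records (not from the thread), in raw auditd line format.
# Serial 4567 is the execve() of cp: success=yes because the binary started.
# Serial 4568 is cp's own later stat() of the missing file, exit=-2 (-ENOENT);
# it only appears if a rule audits that syscall (assumed here).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1342963456.123:4567): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2201 pid=2202 auid=1000 uid=0 comm="cp" exe="/bin/cp" key="exec"
type=EXECVE msg=audit(1342963456.123:4567): argc=3 a0="cp" a1="qwerty" a2="/etc/xxx"
type=SYSCALL msg=audit(1342963456.125:4568): arch=c000003e syscall=4 success=no exit=-2 items=1 ppid=2201 pid=2202 auid=1000 uid=0 comm="cp" exe="/bin/cp" key="file-access"
type=PATH msg=audit(1342963456.125:4568): item=0 name="qwerty" nametype=UNKNOWN
"""

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Group raw audit records by serial number into one event dict each."""
    events = defaultdict(lambda: {"argv": []})
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ev = events[int(m.group(2))]
        ev["time"] = float(m.group(1))
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if fields["type"] == "SYSCALL":
            ev["syscall"] = int(fields["syscall"])
            ev["success"] = fields["success"]
            ev["exit"] = int(fields["exit"])
            ev["comm"] = fields.get("comm")
        elif fields["type"] == "EXECVE":
            # a0..aN on an EXECVE record are the argv strings, in order
            ev["argv"] = [fields[f"a{i}"] for i in range(int(fields["argc"]))]
    return dict(events)


def outcome(ev):
    """PCI 10.3.4-style success/failure indication for one audit event."""
    if ev["success"] == "yes":
        return "success"
    return f"failure ({os.strerror(-ev['exit'])})"  # exit holds -errno


if __name__ == "__main__":
    for serial, ev in sorted(parse_events(SAMPLE_LOG).items()):
        print(serial, " ".join(ev["argv"]) or ev["comm"], outcome(ev))
```

Real EXECVE records hex-encode arguments that contain spaces or quotes, so a production parser would also decode those values.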