Fwd: Syscalls to use

warron.french warron.french at gmail.com
Wed Oct 26 20:16:20 UTC 2016


Steve, would you mind giving me a little more guidance on this?

Is there anything more specific you can suggest?

I don't want to provide a false sense of security to my IA people.
--------------------------
Warron French


---------- Forwarded message ----------
From: warron.french <warron.french at gmail.com>
Date: Tue, Oct 11, 2016 at 2:58 PM
Subject: Syscalls to use
To: linux-audit at redhat.com


I apologize, but I am not sure how to go about determining the appropriate
syscalls to use for various audit goals.

I know that recently I learned to use the ausyscall --dump command to list
the syscalls; but apparently I misunderstood/misinterpreted the purpose of
1 or 2 of the syscalls and had to be corrected (thanks Steve).

Anyway, my organization has a goal to audit several things, of which I know
how to manage most; for example:


   1. File & Object

      - Creation (Success/Failure)                  |  w
      - Access (Success/Failure)                    |  r
      - Deletion (Success/Failure)                  |  w
      - Content Modification (Success/Failure)      |  a
      - Permission Modification (Success/Failure)   |  a
      - Ownership Modification (Success/Failure)    |  a

For these I would have used a watch (-w) rule and set the -p flags to r, w
or a as shown above.  From what I understand, though (correct me if I am
wrong, Steve), we should be getting away from the watch rules and move
towards syscalls, using -F path=/path/to/file or
-F path=/path/to/several_files/  -- is this correct, both for RHEL6 and
RHEL7?

Also, I need to audit (Success/Failure) for the following sort of things:

Authentications
  Logons
  Logoffs

Writes/downloads to external devices/media
Uploads from external devices/media (such as DVD, thumb drive, etc.)

User & Group events
  User:  Creation, deletion, modification, suspending/locking
  Group/Role:  Creation, deletion, modification

Use of Privileged/Special Rights events (such as sudo, su, etc.)

Printing to a print device

Printing to a file

Thanks in advance for any steering someone could provide to get me moving
in the correct direction.

--------------------------
Warron French
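As an added example (not part of the original thread and not from the audit project), the script below emits audit rules for the file/object and privileged-rights goals listed in the message, once in the -w watch form and once in the -a always,exit syscall form with -F path= or -F dir= plus -F perm=, so the two styles can be compared line by line. The directory /srv/data, the key names, and the auid>=1000 threshold for "real" users are assumptions chosen for illustration; the rules are only printed here and should be loaded with auditctl -R on a test host before being deployed.

```shell
#!/bin/sh
# Added example, not from the original thread. Prints audit rules for the
# goals in the message in both the -w and the -a syscall form. Paths and
# keys are hypothetical; verify the output with `auditctl -R` on a test host.

# watch_rule PATH PERMS KEY: the classic watch form (-w PATH -p PERMS).
watch_rule() {
    printf '%s\n' "-w $1 -p $2 -k $3"
}

# syscall_rule TARGET PERMS KEY: the -a always,exit form, emitted once per ABI
# (b64 and b32) so 32-bit binaries are not missed. A TARGET ending in "/" is
# a directory tree and becomes -F dir= (recursive); anything else is a single
# file and becomes -F path=. -F perm= is the syscall-rule counterpart of -p:
# auditctl derives the matching operations from r/w/x/a, so no hand-kept -S
# list is needed per goal.
syscall_rule() {
    target=$1 perms=$2 key=$3
    case $target in
        /)  field="dir=/" ;;
        */) field="dir=${target%/}" ;;
        *)  field="path=$target" ;;
    esac
    for arch in b64 b32; do
        printf '%s\n' "-a always,exit -F arch=$arch -F $field -F perm=$perms -k $key"
    done
}

# privileged_exec_rule PATH KEY: record every execution of a setuid tool such
# as sudo or su. auid is the login UID, which survives su/sudo, so the record
# names who started the session rather than just root. auid>=1000 (assumed
# start of the human UID range) skips system accounts; auid!=4294967295 skips
# processes that never passed through a login, i.e. daemons.
privileged_exec_rule() {
    printf '%s\n' "-a always,exit -F arch=b64 -F path=$1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k $2"
}

# build_ruleset: one audit.rules body for the goals in the message.
# /srv/data is a hypothetical tree: creation and deletion are write
# operations on the directory, content changes are writes, and permission
# or ownership changes are attribute changes, so r/w/a map to three keys.
# The /etc identity files are where user and group changes land on disk.
build_ruleset() {
    printf '%s\n' "-D"          # flush any rules already loaded
    printf '%s\n' "-b 8192"     # backlog so bursts are not dropped
    syscall_rule /srv/data/ r data-read
    syscall_rule /srv/data/ w data-write
    syscall_rule /srv/data/ a data-attr
    for f in /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/security/opasswd; do
        syscall_rule "$f" wa identity
    done
    syscall_rule /etc/sudoers wa sudoers
    syscall_rule /etc/sudoers.d/ wa sudoers
    privileged_exec_rule /usr/bin/sudo privileged
    privileged_exec_rule /bin/su privileged
}

# Side-by-side view of the two forms for one file, then the full set.
watch_rule /etc/passwd wa identity
syscall_rule /etc/passwd wa identity
echo
build_ruleset
```

Logons, logoffs and user/group creation or deletion do not need syscall rules at all: PAM and the shadow utilities send them to auditd as user-space records (USER_LOGIN, ADD_USER, DEL_USER, ADD_GROUP, DEL_GROUP), which can be pulled with ausearch -m regardless of the rule set. Removable media and printing are left open here, as they are in the message.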