From: Steve Grubb <sgrubb@redhat.com>
To: "Wieprecht, Karen M." <Karen.Wieprecht@jhuapl.edu>
Cc: "Curtas, Anthony R." <ANTHONY.R.CURTAS@saic.com>,
"Thomas, Daniel J." <Daniel.Thomas@jhuapl.edu>,
linux-audit@redhat.com
Subject: Re: Audit config for NISPOM req's
Date: Thu, 11 Jan 2007 14:42:20 -0500
Message-ID: <200701111442.20373.sgrubb@redhat.com>
In-Reply-To: <FC11D747323EB24493CDC753367EEB92019FA473@aplesnation.dom1.jhuapl.edu>
On Thursday 11 January 2007 14:18, Wieprecht, Karen M. wrote:
> This makes a lot more sense, and I assume that this is the correct
> syntax.
And it's easy to determine empirically. :)
> You might want to check to see if this has already been
> corrected in the man pages for upcoming releases.
hmm...I'll check, thanks.
> I was hoping that this setting by itself (-a exit,always -S open -F
> success!=1) would show me any failed file opens on the whole machine,
It does for me.
> so I don't understand why I don't get any audit events with this
> configuration.
What arch are you on?
> /etc/audit.rules :
>
> -D
> -w /etc/nsswitch.conf -rwxa
> -a exit,always -S open -F success!=1
You do not need both. The last rule by itself should do it.
> service auditd reload
> service auditd rotate
> autail -f /var/log/audit/audit.log
I don't use autail. I run ausearch to check results.
> Then in another window, as a non-prived user
> rm /etc/nsswitch.conf
> cat /dev/null > /etc/nsswitch.conf
> chown karen /etc/nsswitch.conf
> chmod 777 /etc/nsswitch.conf
> cat somefile >> /etc/nsswitch.conf
>
> I get lots of permission denied messages at the command line, but
> nothing in the audit log relating to karen messing around with
> /etc/nsswitch.conf.
Are you using ausearch or autail?
-Steve
Thread overview: 14+ messages
2006-12-22 13:38 Audit config for NISPOM req's Curtas, Anthony R.
2006-12-22 14:19 ` Steve Grubb
2006-12-22 15:08 ` Curtas, Anthony R.
2006-12-22 15:33 ` Steve Grubb
2006-12-22 16:22 ` Wieprecht, Karen M.
2006-12-22 16:25 ` Steve Grubb
2007-01-11 19:18 ` Wieprecht, Karen M.
2007-01-11 19:42 ` Steve Grubb [this message]
2007-01-12 16:09 ` Kirkwood, David A.
2007-01-12 16:38 ` Steve Grubb
2007-01-12 18:45 ` Kirkwood, David A.
2007-01-12 19:49 ` Steve Grubb
2007-01-16 15:51 ` Kirkwood, David A.
2007-01-16 16:15 ` Steve Grubb