From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: "Wieprecht, Karen M." <Karen.Wieprecht@jhuapl.edu>
Subject: Re: [RFC] NISPOM audit rules - first draft
Date: Wed, 18 Apr 2007 17:16:06 -0400
Message-ID: <200704181716.06196.sgrubb@redhat.com>
In-Reply-To: <FC11D747323EB24493CDC753367EEB92019FA742@aplesnation.dom1.jhuapl.edu>

On Wednesday 18 April 2007 16:41, Wieprecht, Karen M. wrote:
> 1. auditd complained about using the -k (keyword) flag on lines that
> were not file watch lines.

Yes, this was mentioned on IRC last week and fixed in my development copy. It 
will be in 1.5.3.

> This could be a newer feature not supported by our audit subsystem  (we
> are running RHEL4 update 4 with audit-1.0.14 I believe).  Can you verify
> if this is a general syntax problem or a
> your-audit-version-doesn't-support-this problem ?  Thanks.

1.5.2 does not work with RHEL4.

> 2. We had two additional lines in our audit.rules to capture failed
> chown, chgrp, and chmod:
>
> -a exit,always -S 90 -F exit=-1
> -a exit,always -S 92 -F exit=-1

I think you want 90-94 on x86_64. I guess they do return -EPERM. The way that 
we are doing this for 1.5.2 is using special syntax allowed by the newer 
kernels:

-a exit,always -F perm=a -F exit=-13

This tells the kernel to select any syscall that changes file attributes. We 
should probably add another line with -F exit=-1

> If these actions aren't already being captured by another NISPOM audit
> rule, you might consider adding them since failed attempts to chown,
> chgrp, chmod are indications of someone possibly trying to open up
> access to  files they don't have rights to which would fall into the
> "failed file access attempts" category. 

Yep, I'll add a line.

-Steve
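An added example, not part of this thread or of the audit package: the two rule lines Steve describes (-F perm=a with exit=-13 for EACCES and exit=-1 for EPERM, each with a key), followed by a small Python parser that runs over constructed auditd SYSCALL records and picks out the failed chmod/chown-family calls. It assumes x86_64 (arch=c000003e), where syscalls 90 to 94 are chmod, fchmod, chown, fchown and lchown as the message says; the key name perm_mod and the sample log lines are assumptions, not captured data.

```python
"""Flag failed file-attribute changes (chmod/chown family) in auditd records.

Added example, not from the linux-audit thread. Assumptions: x86_64 syscall
numbering (arch=c000003e) where 90..94 are chmod, fchmod, chown, fchown and
lchown; the key "perm_mod" and the sample records below are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Rule lines in audit.rules syntax, as discussed in the thread: the perm=a
# form selects any syscall that changes file attributes (needs a kernel that
# supports it), with one line per errno we care about. The key is assumed.
AUDIT_RULES = """\
-a exit,always -F perm=a -F exit=-13 -k perm_mod
-a exit,always -F perm=a -F exit=-1 -k perm_mod
"""

# Older kernels need explicit syscall numbers, which are per-architecture:
# -a exit,always -S 90 -S 91 -S 92 -S 93 -S 94 -F exit=-1 -k perm_mod

X86_64_ARCH = "c000003e"
ATTR_SYSCALLS = {90: "chmod", 91: "fchmod", 92: "chown", 93: "fchown", 94: "lchown"}
ERRNO = {-1: "EPERM", -13: "EACCES"}

# key=value pairs; values are either a quoted string or a run of non-spaces
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"audit\(\d+\.\d+:(\d+)\)")


@dataclass
class FailedAttrChange:
    serial: int
    syscall: str
    errno: str
    auid: int
    uid: int
    comm: str
    exe: str


def parse_fields(line):
    """Split one audit record into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def failed_attr_changes(lines):
    """Return the x86_64 SYSCALL records that are failed attribute changes."""
    found = []
    for line in lines:
        f = parse_fields(line)
        if f.get("type") != "SYSCALL" or f.get("arch") != X86_64_ARCH:
            continue  # other record types, or a 32-bit syscall table
        nr = int(f.get("syscall", -1))
        if nr not in ATTR_SYSCALLS or f.get("success") != "no":
            continue
        exit_code = int(f.get("exit", 0))
        if exit_code not in ERRNO:
            continue  # e.g. ENOENT is not a permission failure
        m = SERIAL_RE.search(f.get("msg", ""))
        found.append(FailedAttrChange(
            serial=int(m.group(1)) if m else -1,
            syscall=ATTR_SYSCALLS[nr],
            errno=ERRNO[exit_code],
            auid=int(f.get("auid", -1)),
            uid=int(f.get("uid", -1)),
            comm=f.get("comm", ""),
            exe=f.get("exe", ""),
        ))
    return found


def count_by_auid(events):
    """Failed attempts per login uid (auid), the identity NISPOM cares about."""
    return dict(Counter(e.auid for e in events))


# Constructed sample records (not captured from a real host).
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1176930966.123:456): arch=c000003e syscall=90 '
    'success=no exit=-13 a0=7fff1234abcd a1=1ff items=1 ppid=3101 pid=3120 '
    'auid=500 uid=500 gid=500 euid=500 tty=pts0 comm="chmod" exe="/bin/chmod" '
    'key="perm_mod"',
    'type=SYSCALL msg=audit(1176930970.551:457): arch=c000003e syscall=92 '
    'success=no exit=-1 a0=7fff1234abcd a1=0 a2=0 items=1 ppid=3101 pid=3125 '
    'auid=500 uid=500 gid=500 euid=500 tty=pts0 comm="chown" exe="/bin/chown" '
    'key="perm_mod"',
    # succeeded: not a failed attempt
    'type=SYSCALL msg=audit(1176930980.002:458): arch=c000003e syscall=90 '
    'success=yes exit=0 a0=7fff1234abcd a1=1a4 items=1 ppid=3101 pid=3130 '
    'auid=500 uid=500 gid=500 euid=500 tty=pts0 comm="chmod" exe="/bin/chmod"',
    # 32-bit chmod is syscall 15; a rule written as -S 90 would not match it
    'type=SYSCALL msg=audit(1176930990.777:459): arch=40000003 syscall=15 '
    'success=no exit=-13 a0=bfff1234 a1=1ff items=1 ppid=3101 pid=3140 '
    'auid=500 uid=500 gid=500 euid=500 tty=pts0 comm="chmod" exe="/bin/chmod"',
    'type=PATH msg=audit(1176930966.123:456): item=0 name="/etc/shadow" '
    'inode=1234 dev=08:02 mode=0100400 ouid=0 ogid=0',
]

if __name__ == "__main__":
    for e in failed_attr_changes(SAMPLE_LOG):
        print(f"{e.serial}: auid={e.auid} {e.comm} ({e.exe}) {e.syscall} -> {e.errno}")
```

The arch check is the caveat the thread's "90-94 on x86_64" implies: -S numbers belong to one syscall table, so a 32-bit binary on the same host (arch=40000003, where chmod is 15) slips past a rule written with the 64-bit numbers. That is the practical reason to prefer -F perm=a where the kernel supports it, and to watch both exit=-13 and exit=-1, since chmod and chown on a file you do not own fail with EPERM rather than EACCES.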

Thread overview:
2007-03-01 18:33 [RFC] NISPOM audit rules - first draft Steve Grubb
2007-04-13 18:24 ` Timothy R. Chavez
2007-04-13 18:31   ` Steve Grubb
2007-04-13 21:45     ` Brian K. Whatcott
2007-04-13 21:54       ` Steve Grubb
2007-04-18 20:41         ` Wieprecht, Karen M.
2007-04-18 21:16           ` Steve Grubb [this message]
