From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: How to learn the Message type?
Date: Mon, 25 Jan 2010 11:46:08 -0500
Message-ID: <201001251146.08950.sgrubb@redhat.com>
References: <246d04460912301859x422deb03m164ee813529df94e@mail.gmail.com> <201001211649.21891.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: David Flatley
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Monday 25 January 2010 11:37:01 am David Flatley wrote:
> Your audit.rules file for STIG compliance is mostly geared towards RHEL
> 5 systems?

Yes.

> When I try to run it on a RHEL 4 system it complains about the filters (-k)
> and other things.

Yes, there is that and the fact that directory auditing is not recursive and
you cannot write fancy rules that do file system watching without naming the
syscall. It may be possible to make some adjustments to the RHEL5 rules, but I
don't know if you would wind up with lots of unnecessary data as a result of
RHEL4's audit capabilities.

-Steve