nispom.rules for RHEL WS 4

nispom.rules for RHEL WS 4

[Harmon, Jeffrey D]

[-- Attachment #1.1: Type: text/plain, Size: 692 bytes --]

To all, 

 

 

Is there a version of nispom.rules that will work with "Audit-1.0.16"
on RHEL WS 4??

 

Tried moving working nispom.rules file from Centos 5 running audit-1.7.7
but auditd fails at startup with error:

 

"filter key option needs a watch given prior to it"

 

Jeff Harmon

IT Manager / Senior Network Administrator / FSO

Alion Science and Technology

Advanced Modeling and Simulation Technology Operation (AMSTO)

2602 Challenger Tech Court, Suite 230

Orlando, FL 32826

Tel: (407) 737-3599 x404

Fax: (407) 737-0847

Cell: (407) 353-7238

jharmon@alionscience.com

www.alionscience.com <http://www.alionscience.com/> 

 

 


[-- Attachment #1.2: Type: text/html, Size: 6336 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: nispom.rules for RHEL WS 4

[Steve Grubb]

On Thursday 28 January 2010 04:21:05 pm Harmon, Jeffrey D wrote:
> Is there a version of nispom.rules that will work with "Audit-1.0.16"
> on RHEL WS 4??

The nispom rules were written during RHEL5's lifetime. The earliest copy is 
found here:
 
http://people.redhat.com/sgrubb/audit/audit-1.5.tar.gz

Look in the contrib directory for nispom.rules. You might try editing each 
rule that starts with "-a" and remove the "-k name" at the end of each rule. 
If it complains that a syscall is unknown, then delete that syscall since the 
RHEL4 kernel doesn't know about it. Shouldn't take more than 2-3 minutes to 
get it working.

-Steve