From: Trevor Vaughan <peiriannydd@gmail.com>
To: Starr-Renee Corbin <corbin@arlut.utexas.edu>
Cc: linux-audit <Linux-audit@redhat.com>
Subject: Re: Audit Log not capturing access to security related files
Date: Fri, 04 Dec 2009 05:59:37 -0500 [thread overview]
Message-ID: <4B18EB99.3060901@gmail.com> (raw)
In-Reply-To: <F290A936-757A-4DF5-BFB6-DA8F77864591@arlut.utexas.edu>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Starr,
The default rule set that comes with RHEL5 will not function properly on
a 32 bit system. It will, however, function properly on a 64 bit system.
If you have a mix of architectures, this may be your problem.
To fix it for the 32 bit systems, try the following:
sed -e '/arch=b64/d' /etc/audit/audit.rules > audit.rules.32
and use the resulting file as your primary audit rule set.
Trevor
On 11/25/2009 11:57 AM, Starr-Renee Corbin wrote:
> Hello,
>
> I am required (by NISPOM) to audit access to security related files. I
> am essentially using the nispom audit.rules provided by rhel5 to
> accomplish this.
>
> However, some of my systems are capturing access to /etc/shadow and some
> of my systems are not (when looking in /var/log/audit/audit.log.
>
> Worried that I might have differing audit.rules files between the
> systems I have even copied the audit.rules file from systems that were
> auditing right to systems that were not. But this has not resolved the
> auditing problem.
>
> HELP!
>
> Thank you!
>
> Starr
>
>
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAksY65UACgkQyjMdFR1108DMmwCePtILlhUsKjwrEZQi2Dw2wwmt
aJsAn3uJtMYXDzB/w2Pq6grvIuuQJ9gE
=qFmA
-----END PGP SIGNATURE-----
prev parent reply other threads:[~2009-12-04 10:59 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-11-25 16:57 Audit Log not capturing access to security related files Starr-Renee Corbin
2009-11-30 18:37 ` Steve Grubb
2009-12-04 10:59 ` Trevor Vaughan [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4B18EB99.3060901@gmail.com \
--to=peiriannydd@gmail.com \
--cc=Linux-audit@redhat.com \
--cc=corbin@arlut.utexas.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.