From: "Brian K. Whatcott"
Subject: RE: [RFC] NISPOM audit rules - first draft
Date: Fri, 13 Apr 2007 15:45:10 -0600
Message-ID: <007201c77e15$02ad8e10$0c01a8c0@Whatcott2>
References: <200703011333.10466.sgrubb@redhat.com> <20070413132414.74b00f10@crumpet> <200704131431.39959.sgrubb@redhat.com>
In-Reply-To: <200704131431.39959.sgrubb@redhat.com>
To: Linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Steve,

I am a bit new at using mail lists, but I joined this one to get help on setting up auditd for NISPOM chapter 8. Below you say the nispom.rules has been updated several times. Where is the latest version located?

In the nispom.rules version in your post in the archive, the comments said several NISPOM audit requirements were met by other programs (1(b) by patches to login, gdm, and openssh; 1(d) by patches to libpam; 1(e) & 1(f) by patches to pam_tally). Can these patches be downloaded from somewhere? Do the patches work with SuSE 10.1 or 10.2?

Sorry, I come from a non-RH distro background. Our choice of SuSE came from the long historic past. I'd rather not have to switch several machines to RH in order to meet NISPOM requirements, but I could if absolutely necessary.

Brian K. Whatcott
Senior Software and Systems Engineer
Millennium Engineering Integration
(719) 264-4310, FAX (719) 264-4318
(719) 331-5100 (Cell)
bwhatcott@meicompany.com

-----Original Message-----
From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Steve Grubb
Sent: Friday, April 13, 2007 12:32 PM
To: Timothy R. Chavez
Cc: Linux Audit
Subject: Re: [RFC] NISPOM audit rules - first draft

On Friday 13 April 2007 14:24, Timothy R. Chavez wrote:
> Wow... finally just getting to these. Just a couple quick comments below.

The nispom.rules file has been updated several times since this was initially posted.

> > ## unsuccessful modifications
> > -a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
> > -a exit,always -S renameat -F exit=-13 -k mods
> > -a exit,always -F perm=a -F exit=-13 -k mods
>
> No system call specified...

That's what the magic of "perm" is. It selects all syscalls that match the changing of attribute.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
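As an added example (not code from this thread or from the audit project), a small Python parser for the auditctl rule syntax quoted above: it structures the -a/-S/-F/-k options, decodes the exit=-13 filter to its errno name, and treats -F perm as a syscall selector, which is Steve's point about the third rule. The sample text is the thread's own three rules; the syscall list that auditctl expands perm=a into is not reproduced here.

```python
import errno
import re
import shlex
from dataclasses import dataclass, field

# Constructed sample: the "unsuccessful modifications" rules quoted in the thread.
SAMPLE_RULES = """\
## unsuccessful modifications
-a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
-a exit,always -S renameat -F exit=-13 -k mods
-a exit,always -F perm=a -F exit=-13 -k mods
"""

# -F takes <name><op><value>; the operator set here is the common auditctl subset.
FIELD_RE = re.compile(r"^(\w+)(!=|>=|<=|=|>|<)(.*)$")

@dataclass
class AuditRule:
    list_name: str = ""
    action: str = ""
    syscalls: list = field(default_factory=list)   # from -S
    fields: dict = field(default_factory=dict)     # name -> (op, value), from -F
    key: str = ""                                  # from -k

def parse_rule(line):
    """Parse one auditctl-style rule line (-a/-S/-F/-k subset) into an AuditRule."""
    toks = shlex.split(line)
    if len(toks) % 2:
        raise ValueError(f"dangling option in rule: {line!r}")
    rule = AuditRule()
    for opt, arg in zip(toks[::2], toks[1::2]):
        if opt == "-a":
            rule.list_name, rule.action = arg.split(",", 1)
        elif opt == "-S":
            rule.syscalls.append(arg)
        elif opt == "-F":
            m = FIELD_RE.match(arg)
            if not m:
                raise ValueError(f"bad field expression: {arg!r}")
            rule.fields[m.group(1)] = (m.group(2), m.group(3))
        elif opt == "-k":
            rule.key = arg
        else:
            raise ValueError(f"unsupported option: {opt}")
    return rule

def parse_rules(text):
    """Parse a rules file body, skipping blank lines and '#' comment lines."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def selects_syscalls(rule):
    """True if the rule names syscalls explicitly (-S) or via -F perm, which
    auditctl expands to the syscalls of that access class (list not reproduced)."""
    return bool(rule.syscalls) or "perm" in rule.fields

def exit_errno_name(rule):
    """Map a numeric exit= filter to its errno name, e.g. exit=-13 -> EACCES."""
    f = rule.fields.get("exit")
    return None if f is None else errno.errorcode.get(abs(int(f[1])), f[1])
```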