Status of /etc/audit/filter.conf

Status of /etc/audit/filter.conf

[Aaron Lippold]

Hello All,

Silly question 1:

I have a security checking script that is complaining that my system
is not able to audit all discretionary access to control permission
modifications.

To verify this it is looking for /etc/audit/filter.conf

Is this still the correct place to look on RHEL4/5? I'd assume not
since I can't find a man page on audit-filter.conf anymore.

Silly Question 2:

If not, where and how would I add this feature to my audit configuration?

Thanks,

Aaron

Re: Status of /etc/audit/filter.conf

[Matthew Booth]

[-- Attachment #1.1: Type: text/plain, Size: 1349 bytes --]

On Mon, 2007-04-23 at 16:09 -0400, Aaron Lippold wrote:
> I have a security checking script that is complaining that my system
> is not able to audit all discretionary access to control permission
> modifications.
> 
> To verify this it is looking for /etc/audit/filter.conf
> 
> Is this still the correct place to look on RHEL4/5? I'd assume not
> since I can't find a man page on audit-filter.conf anymore.

filter.conf was a LAuS configuration file, which is no longer used.
Auditing in RHEL4 and RHEL 5 is entirely unrelated to LAuS. The
approximately corresponding information is in /etc/audit.rules (RHEL4)
or /etc/audit/audit.rules (RHEL5) iirc.

> If not, where and how would I add this feature to my audit configuration?

That really depends what 'discretionary access to control permission
modifications' actually means to the person who wrote it ;) I'm guessing
it refers to auditing the chmod family of system calls, in which case
you would add the following line to /etc/audit/audit.rules in RHEL 5:

-a entry,always -S chmod -S fchmod

and start the audit daemon. These calls will then be logged
in /var/log/audit.log.

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490

[-- Attachment #1.2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Status of /etc/audit/filter.conf

[Bill Tangren]

Aaron Lippold wrote:
> Hello All,
> 
> Silly question 1:
> 
> I have a security checking script that is complaining that my system
> is not able to audit all discretionary access to control permission
> modifications.
> 
> To verify this it is looking for /etc/audit/filter.conf
> 
> Is this still the correct place to look on RHEL4/5? I'd assume not
> since I can't find a man page on audit-filter.conf anymore.
> 
> Silly Question 2:
> 
> If not, where and how would I add this feature to my audit configuration?
> 
> Thanks,
> 
> Aaron


The Linux SRR script you are referring to (GEN002800, I think) was broken as of 
the January version of the SRR. They might have fixed it in the March version, I 
don't know.