From: Matthew Booth
Subject: Re: Status of /etc/audit/filter.conf
Date: Mon, 23 Apr 2007 21:38:21 +0100
To: linux-audit@redhat.com

On Mon, 2007-04-23 at 16:09 -0400, Aaron Lippold wrote:
> I have a security checking script that is complaining that my system
> is not able to audit all discretionary access to control permission
> modifications.
>
> To verify this it is looking for /etc/audit/filter.conf
>
> Is this still the correct place to look on RHEL4/5? I'd assume not
> since I can't find a man page on audit-filter.conf anymore.

filter.conf was a LAuS configuration file, which is no longer used.
Auditing in RHEL4 and RHEL 5 is entirely unrelated to LAuS. The
approximately corresponding information is in /etc/audit.rules (RHEL4)
or /etc/audit/audit.rules (RHEL5) iirc.

> If not, where and how would I add this feature to my audit configuration?

That really depends what 'discretionary access to control permission
modifications' actually means to the person who wrote it ;) I'm guessing
it refers to auditing the chmod family of system calls, in which case
you would add the following line to /etc/audit/audit.rules in RHEL 5:

    -a entry,always -S chmod -S fchmod

and start the audit daemon. These calls will then be logged
in /var/log/audit.log.

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
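
Added example, not part of the original message or of the audit project's own tooling: a shell check that reads audit.rules (the file named in the reply) rather than the obsolete filter.conf, and reports which chmod-family syscalls have no "always" rule. The function name, the required-syscall list (including fchmodat) and the sample rules file are assumptions made for illustration.

```shell
#!/bin/sh
# Usage: missing_dac_syscalls RULES_FILE SYSCALL...
# Prints the listed syscalls that no "always" rule covers; returns 0 if none.
missing_dac_syscalls() {
    rules_file=$1; shift
    [ -r "$rules_file" ] || { echo "cannot read $rules_file" >&2; return 2; }
    # Collect every -S name that appears on a rule line with the always action.
    covered=$(awk '
        /^[ \t]*#/ { next }                  # skip commented-out rules
        {
            always = 0; names = ""
            for (i = 1; i <= NF; i++) {
                if (($i == "-a" || $i == "-A") && i < NF) {
                    # list and action are comma separated, in either order
                    n = split($(i + 1), part, ",")
                    for (j = 1; j <= n; j++) if (part[j] == "always") always = 1
                }
                if ($i == "-S" && i < NF) names = names " " $(i + 1)
            }
            if (always) print names
        }' "$rules_file")
    missing=""
    for want in "$@"; do
        found=0
        for have in $covered; do
            if [ "$have" = "$want" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then missing="$missing $want"; fi
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# Constructed sample: the rule from the reply plus a commented-out line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# -a entry,always -S fchmodat
-a entry,always -S chmod -S fchmod
EOF
# Assumed requirement: chmod, fchmod and fchmodat must all be audited.
missing_dac_syscalls "$sample" chmod fchmod fchmodat || echo "audit.rules has gaps"
rm -f "$sample"
```

On a real system, pass /etc/audit.rules (RHEL4) or /etc/audit/audit.rules (RHEL5) as the first argument.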