From: Brian LaMere
Subject: Re: no logging of successful events?
Date: Mon, 18 Aug 2008 13:43:19 -0700
Message-ID: <1219092199.6522.48.camel@orpheus.clinicomp.com>
In-Reply-To: <200808181607.55239.sgrubb@redhat.com>
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

> The recent versions of the audit system ship with a stig.rules file that gives
> what I believe to be a correct rule set. What the official docs say to do is
> another thing. :)  Take a look at that file and see how I do the unauthorized
> file access.

Excellent!  I had simply changed to the following, in a minimalistic approach:

----------------------------------------------------
# Watch the audit daemon's own configuration (no -p given, so all of r/w/x/a).
-w /etc/auditd.conf
-w /etc/audit.rules
# Failed opens only (success=0): unauthorized file access attempts.
-a exit,always -S open -F success=0
# Successful deletions and mode/ownership changes only (success!=0).
-a exit,always -S rmdir -S unlink -S chmod -S fchmod -S chown -S fchown -S lchown -F success!=0
# System-altering calls, whether they succeed or fail (no success filter).
-a exit,always -S settimeofday -S setrlimit -S setdomainname -S sched_setparam -S sched_setscheduler -S acct -S reboot -S swapon
-------------------------------------------------

Was grouping by failed, successful, and both.  Did this due to reading that every audit rule is tested for every syscall, which...yeah, makes me want to group things.

That being said, stig.rules is extensive; any warning on what the performance impact will be?

Also, when looking for the newer builds on your site http://people.redhat.com/sgrubb/audit/ - I noticed "1.7 -> 1.8 Remote logging and finishing up IDS/IPS plugin."  That would be wondrously fabulous, and I look forward to it.   Any thoughts on whether it will be pulled into RHEL5, or whether I'd have to wait until RHEL6?

Brian
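A check for the grouping question raised in the mail above, added here as an example; it is not from the original thread and not part of the audit package. Every rule on the exit list is walked for every syscall exit (the kernel tests the rule's syscall mask first, which is cheap, but the walk length is the rule count), so packing many -S values into one rule keeps that list short. The catch is that -F filters belong to the rule, not to the syscall, so syscalls that need different success conditions cannot share a rule. The script below expands each rule into one "list,action syscall filters" tuple per syscall, which lets you count kernel rules versus covered tuples and diff the coverage of a compact rule set against a verbose one. The two rule sets embedded in it are constructed samples: GROUPED is the set posted above, VERBOSE is a one-syscall-per-rule stand-in with one extra syscall (unlinkat) and is NOT the real stig.rules. It assumes one auditctl-style rule per line and ignores -w watches.

```shell
#!/bin/sh
# Added example, not from the original mail or the audit package.
# Normalise auditctl syscall rules so that grouped and one-per-syscall
# rule files can be compared for coverage.
# Assumptions: one rule per line; "-w" watches are ignored; a "-S" value
# may be a single name or a comma-separated list (auditctl accepts both).

expand_rules() {
    # stdin: rules text -> stdout: sorted unique "list,action syscall filters"
    awk '
    $1 == "-a" {
        la = $2; ns = 0; filt = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-S") {
                n = split($(i + 1), parts, ",")
                for (k = 1; k <= n; k++) sys[++ns] = parts[k]
                i++
            } else if ($i == "-F") {
                filt = filt (filt == "" ? "" : ",") $(i + 1)
                i++
            }
        }
        # Filters apply to the whole rule, so every syscall in it inherits them.
        for (j = 1; j <= ns; j++) print la, sys[j], (filt == "" ? "-" : filt)
    }' | LC_ALL=C sort -u
}

# Number of kernel rules (entries the exit filter walks per syscall exit) in $1.
rule_count() {
    printf '%s\n' "$1" | awk '$1 == "-a" { n++ } END { print n + 0 }'
}

# Number of distinct (list,action syscall filters) tuples covered by $1.
tuple_count() {
    printf '%s\n' "$1" | expand_rules | awk 'END { print NR }'
}

# Tuples present in rule set $2 but absent from rule set $1.
coverage_diff() {
    a=$(mktemp)
    b=$(mktemp)
    printf '%s\n' "$1" | expand_rules > "$a"
    printf '%s\n' "$2" | expand_rules > "$b"
    LC_ALL=C comm -13 "$a" "$b"
    rm -f "$a" "$b"
}

# Constructed sample: the grouped rules from the mail (watches are ignored).
GROUPED='-w /etc/auditd.conf
-w /etc/audit.rules
-a exit,always -S open -F success=0
-a exit,always -S rmdir -S unlink -S chmod -S fchmod -S chown -S fchown -S lchown -F success!=0
-a exit,always -S settimeofday -S setrlimit -S setdomainname -S sched_setparam -S sched_setscheduler -S acct -S reboot -S swapon'

# Constructed sample standing in for a verbose one-syscall-per-rule file
# (NOT the real stig.rules): same coverage as GROUPED plus unlinkat.
VERBOSE='-a exit,always -S open -F success=0
-a exit,always -S rmdir -F success!=0
-a exit,always -S unlink -F success!=0
-a exit,always -S unlinkat -F success!=0
-a exit,always -S chmod,fchmod -F success!=0
-a exit,always -S chown -F success!=0
-a exit,always -S fchown -F success!=0
-a exit,always -S lchown -F success!=0
-a exit,always -S settimeofday
-a exit,always -S setrlimit
-a exit,always -S setdomainname
-a exit,always -S sched_setparam
-a exit,always -S sched_setscheduler
-a exit,always -S acct
-a exit,always -S reboot
-a exit,always -S swapon'

printf 'grouped: %s kernel rules, %s syscall tuples\n' \
    "$(rule_count "$GROUPED")" "$(tuple_count "$GROUPED")"
printf 'verbose: %s kernel rules, %s syscall tuples\n' \
    "$(rule_count "$VERBOSE")" "$(tuple_count "$VERBOSE")"
printf 'covered by verbose but not by grouped:\n'
coverage_diff "$GROUPED" "$VERBOSE"
```

On the two samples this reports 3 rules covering 16 tuples for the grouped set against 16 rules covering 17 tuples for the verbose one, and names the single tuple the grouped set misses ("exit,always unlinkat success!=0"). To run it against a live system, feed `auditctl -l` output to expand_rules instead of the embedded text; the tuple view also makes it obvious when a merge would silently change a filter, because the success condition travels with every syscall line.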