public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: "Curtas, Anthony R." <ANTHONY.R.CURTAS@saic.com>
Cc: linux-audit@redhat.com
Subject: Re: Audit config for NISPOM req's
Date: Fri, 22 Dec 2006 10:33:23 -0500
Message-ID: <200612221033.23644.sgrubb@redhat.com>
In-Reply-To: <954E3479CC27224785179CA04904214D1416CD@0668-its-exmp01.us.saic.com>

On Friday 22 December 2006 10:08, Curtas, Anthony R. wrote:
> One thing that still confuses me is how "possible" is implemented.

Possible means to collect the information at entry in case it's needed later. 
Rules with possible will never trigger an event, they simply tell it to 
collect the information. A watch or SELinux AVC would actually use the 
information collected.

> From what I've read in the documentation, it looks like if you set a rule
> for entry,possible -- the audit system waits until a file watch is thrown,
> then it writes the event.  Do I have this right?  

Yes.

> If I always want to see when /etc/shadow is opened:
>
> -w /etc/shadow -rwxa
> -a entry,possible -S open

That would be opened for write or execute.

> Will that work?  And if I understand the mechanism correctly, that would
> log an open of ANY file that has a watch on it?

Not quite. It will collect the information for any open, but only emit an 
event when shadow is opened for write or execute.

> One last thing, if I only want unsuccessful open attempts on the watch
> files, would this work?
> -a entry,possible -S open -F success!=1

It should collect the information for later use. If you wanted all 
unsuccessful opens, I'd rewrite as:

-a exit,always -S open -F success!=1

-Steve
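The semantics Steve describes above, as an added model that is not part of the thread: a "possible" syscall rule only collects context, a watch turns that context into an event when the access matches its permissions, and an "exit,always" rule with a success filter fires on its own. The watch is written here as "-w /etc/shadow -p wx" (the standard -p form) to match the write-or-execute behaviour described in the reply; the open() records are constructed sample data, not kernel output. One caveat for anyone copying the thread's rules onto a current system: the entry filter list is deprecated in later audit userspace, and auditctl rewrites "entry" rules to "exit" rules with a warning, so the "exit,always" form at the end of the reply is the one that still applies.

```python
"""Added model, not code from the original thread: how a 'possible' syscall
rule, a file watch and an 'exit,always' rule combine to decide whether an
audit event is written. The rule syntax is the auditctl subset used in the
thread; the events are constructed sample records, not real kernel output."""
import re
from dataclasses import dataclass


@dataclass
class Watch:
    path: str
    perms: set            # subset of {"r", "w", "x", "a"}


@dataclass
class SyscallRule:
    flt: str              # "entry" or "exit"
    action: str           # "possible" or "always"
    syscalls: set
    success: str = ""     # optional filter, e.g. "success!=1"


@dataclass
class Event:
    """A constructed syscall record as seen by the audit filter."""
    syscall: str
    path: str
    access: str           # one of r, w, x, a
    success: bool


def parse_rule(line):
    """Parse the subset of auditctl syntax used in the thread."""
    toks = line.split()
    if toks[0] == "-w":
        perms = set("rwxa")                       # -w without -p watches all access
        if "-p" in toks:
            perms = set(toks[toks.index("-p") + 1])
        return Watch(toks[1], perms)
    if toks[0] == "-a":
        flt, action = toks[1].split(",")
        if flt not in ("entry", "exit") or action not in ("possible", "always"):
            raise ValueError("unsupported list/action: " + toks[1])
        syscalls = set(toks[toks.index("-S") + 1].split(","))
        success = ""
        for i, tok in enumerate(toks):
            if tok == "-F" and toks[i + 1].startswith("success"):
                success = toks[i + 1]
        return SyscallRule(flt, action, syscalls, success)
    raise ValueError("unsupported rule: " + line)


def _success_filter_matches(expr, ev):
    """Evaluate '-F success=N' / '-F success!=N' against the event outcome."""
    if not expr:
        return True
    op, val = re.fullmatch(r"success(!=|=)([01])", expr).groups()
    wanted = (val == "1")
    return (ev.success == wanted) if op == "=" else (ev.success != wanted)


def evaluate(rules, ev):
    """Return (collected, emitted): whether context was gathered for this
    syscall and whether an audit event is actually written for it."""
    collected = emitted = False
    for r in rules:
        if isinstance(r, SyscallRule) and ev.syscall in r.syscalls:
            if r.action == "possible":
                collected = True          # gather context; never emits by itself
            elif _success_filter_matches(r.success, ev):
                emitted = True            # an 'always' rule fires on its own
        elif isinstance(r, Watch) and ev.path == r.path and ev.access in r.perms:
            emitted = True                # the watch turns context into an event
    return collected, emitted


def thread_example():
    """The rule sets discussed in the thread, run over constructed open() records."""
    base = [parse_rule("-w /etc/shadow -p wx"), parse_rule("-a entry,possible -S open")]
    failed = base + [parse_rule("-a exit,always -S open -F success!=1")]
    return {
        "read shadow":      evaluate(base, Event("open", "/etc/shadow", "r", True)),
        "write shadow":     evaluate(base, Event("open", "/etc/shadow", "w", True)),
        "read passwd":      evaluate(base, Event("open", "/etc/passwd", "r", True)),
        "failed open motd": evaluate(base, Event("open", "/etc/motd", "r", False)),
        "failed open motd, exit rule": evaluate(failed, Event("open", "/etc/motd", "r", False)),
        "ok open motd, exit rule":     evaluate(failed, Event("open", "/etc/motd", "r", True)),
    }


if __name__ == "__main__":
    for name, (collected, emitted) in thread_example().items():
        print(f"{name:30} collected={collected!s:5} emitted={emitted}")
```

Running it shows the two points of the reply side by side: every open() collects context under the "possible" rule, but only the write to /etc/shadow (watch) and the failed open under the "exit,always -F success!=1" rule actually produce an event; a plain read of /etc/shadow or a successful open of an unwatched file produces nothing.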


Thread overview: 14+ messages
2006-12-22 13:38 Audit config for NISPOM req's Curtas, Anthony R.
2006-12-22 14:19 ` Steve Grubb
2006-12-22 15:08   ` Curtas, Anthony R.
2006-12-22 15:33     ` Steve Grubb [this message]
2006-12-22 16:22       ` Wieprecht, Karen M.
2006-12-22 16:25         ` Steve Grubb
2007-01-11 19:18       ` Wieprecht, Karen M.
2007-01-11 19:42         ` Steve Grubb
2007-01-12 16:09         ` Kirkwood, David A.
2007-01-12 16:38           ` Steve Grubb
2007-01-12 18:45             ` Kirkwood, David A.
2007-01-12 19:49               ` Steve Grubb
2007-01-16 15:51                 ` Kirkwood, David A.
2007-01-16 16:15                   ` Steve Grubb
