From: Steve Grubb
Subject: Re: Audit config for NISPOM req's
Date: Fri, 22 Dec 2006 10:33:23 -0500
Message-ID: <200612221033.23644.sgrubb@redhat.com>
In-Reply-To: <954E3479CC27224785179CA04904214D1416CD@0668-its-exmp01.us.saic.com>
To: "Curtas, Anthony R."
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Friday 22 December 2006 10:08, Curtas, Anthony R. wrote:
> One thing that still confuses me is how "possible" is implemented.

Possible means to collect the information at entry in case it's needed later.
Rules with possible will never trigger an event, they simply tell it to
collect the information. A watch or SE Linux AVC would actually use the
information collected.

> From what I've read in the documentation, it looks like if you set a rule
> for entry,possible -- the audit system waits until a file watch is thrown,
> then it writes the event. Do I have this right?

Yes.

> If I always want to see when /etc/shadow is opened:
>
> -w /etc/shadow -rwxa
> -a entry,possible -S open

That would be opened for write or execute.

> Will that work? And if I understand the mechanism correctly, that would
> log an open of ANY file that has a watch on it?

Not quite. It will collect the information for any open, but only emit an
event when shadow is opened for write or execute.

> One last thing, if I only want unsuccessful open attempts on the watch
> files, would this work?
> -a entry,possible -S open -F success!=1

It should collect the information for later use. If you wanted all
unsuccessful opens, I'd rewrite as:

-a exit,always -S open -F success!=1

-Steve
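The rules discussed in the thread (a watch on /etc/shadow plus an exit,always rule filtered on success!=1) produce SYSCALL and PATH records that share one serial number in the audit log. As an added example that is not part of the mailing-list thread or the audit project, the script below groups such records by serial and reports failed opens, optionally restricted to the watched files; the log lines are constructed for the example, not real captures.

```python
import re
from collections import defaultdict

# Constructed audit records (not from the thread) as a "-w /etc/shadow -rwxa"
# watch plus "-a exit,always -S open -F success!=1" would emit them: 1001 is a
# failed open of the watched file, 1002 a successful one, 1003 a failed open
# of an unwatched file.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1166801603.111:1001): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=2001 pid=2002 auid=500 uid=500 gid=500 euid=500 comm="cat" exe="/bin/cat" key=(null)
type=PATH msg=audit(1166801603.111:1001): item=0 name="/etc/shadow" inode=1234 dev=08:02 mode=0100400 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1166801603.222:1002): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2001 pid=2003 auid=0 uid=0 gid=0 euid=0 comm="vipw" exe="/usr/sbin/vipw" key=(null)
type=PATH msg=audit(1166801603.222:1002): item=0 name="/etc/shadow" inode=1234 dev=08:02 mode=0100400 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1166801603.333:1003): arch=c000003e syscall=2 success=no exit=-2 items=1 ppid=2001 pid=2004 auid=500 uid=500 gid=500 euid=500 comm="cat" exe="/bin/cat" key=(null)
type=PATH msg=audit(1166801603.333:1003): item=0 name="/tmp/nope" inode=0 dev=00:00 mode=0 ouid=0 ogid=0 rdev=00:00
"""

# All records of one event share the msg=audit(timestamp:serial) stamp.
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(?P<serial>\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Group raw records by serial: {serial: {"syscall": fields, "paths": [names]}}."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        ev = events[m.group("serial")]
        if fields.get("type") == "SYSCALL":
            ev["syscall"] = fields
        elif fields.get("type") == "PATH":
            ev["paths"].append(fields.get("name", ""))
    return dict(events)


def failed_opens(events, watched=None):
    """Return (serial, auid, exe, path, exit) for each open with success=no.
    With a set of watched paths, report only failed opens of those files."""
    hits = []
    for serial, ev in sorted(events.items()):
        sc = ev["syscall"]
        if sc is None or sc.get("success") != "no":
            continue
        for path in ev["paths"]:
            if watched is None or path in watched:
                hits.append((serial, sc["auid"], sc["exe"], path, sc["exit"]))
    return hits
```

Run `failed_opens(parse_events(SAMPLE_LOG), watched={"/etc/shadow"})` to get only the denied open of /etc/shadow (serial 1001); without the watched set the ENOENT open of /tmp/nope is reported as well, which is the difference between the two rule sets in the thread.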