From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Audit config for NISPOM req's
Date: Thu, 11 Jan 2007 14:42:20 -0500
Message-ID: <200701111442.20373.sgrubb@redhat.com>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To:
Content-Disposition: inline
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: "Wieprecht, Karen M."
Cc: "Curtas, Anthony R." , "Thomas, Daniel J." , linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday 11 January 2007 14:18, Wieprecht, Karen M. wrote:
> This makes a lot more sense, and I assume that this is the correct
> syntax.

And it's easy to determine empirically. :)

> You might want to check to see if this has already been
> corrected in the man pages for upcoming releases.

hmm...I'll check, thanks.

> I was hoping that this setting by itself (-a exit,always -S open -F
> success!=1) would show me any failed file opens on the whole machine,

It does for me.

> so I don't understand why I don't get any audit events with this
> configuration.

What arch are you on?

> /etc/audit.rules :
>
> -D
> -w /etc/nsswitch.conf -rwxa
> -a exit,always -S open -F success!=1

You do not need both. The last rule by itself should do it.

> service auditd reload
> service auditd rotate
> autail -f /var/log/audit/audit.log

I don't use autail. I run ausearch to check results.

> Then in another window, as a non-prived user
> rm /etc/nsswitch.conf
> cat /dev/null > /etc/nsswitch.conf
> chown karen /etc/nsswitch.conf
> chmod 777 /etc/nsswitch.conf
> cat somefile >> /etc/nsswitch.conf
>
> I get lots of permission denied messages at the command line, but
> nothing in the audit log relating to karen messing around with
> /etc/nsswitch.conf.

Are you using ausearch or autail?

-Steve
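
An added example, not part of the original message or of the audit tools: a filter over raw audit SYSCALL records that keeps only failed open calls, showing why the arch question matters when reading the log by syscall number. The log lines, the function names `sample_log` and `failed_opens`, and the reduced set of record fields are constructed for illustration.

```shell
#!/bin/sh
# Added example: find failed open() calls in raw audit SYSCALL records.
# The number that means "open" depends on the record's arch field:
#   arch=c000003e (x86_64) -> syscall=2    arch=40000003 (i386) -> syscall=5

# Constructed sample records (fields trimmed to the ones used here).
sample_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1168544540.101:101): arch=c000003e syscall=2 success=no exit=-13 uid=500 comm="bash"
type=SYSCALL msg=audit(1168544540.102:102): arch=c000003e syscall=87 success=no exit=-13 uid=500 comm="rm"
type=SYSCALL msg=audit(1168544540.103:103): arch=40000003 syscall=5 success=no exit=-13 uid=500 comm="cat"
type=SYSCALL msg=audit(1168544540.104:104): arch=c000003e syscall=2 success=yes exit=3 uid=0 comm="sshd"
type=SYSCALL msg=audit(1168544540.105:105): arch=40000003 syscall=2 success=no exit=-11 uid=500 comm="bash"
EOF
}

# Read audit records on stdin; print "serial uid=N exit=N comm=NAME"
# for every SYSCALL record that is a failed open on its own arch.
failed_opens() {
    awk '
    $1 == "type=SYSCALL" {
        split("", f)                      # clear the per-record field map
        for (i = 2; i <= NF; i++) {
            eq = index($i, "=")
            if (eq) f[substr($i, 1, eq - 1)] = substr($i, eq + 1)
        }
        # Pick the open() number that matches this record arch.
        want = (f["arch"] == "c000003e") ? 2 : ((f["arch"] == "40000003") ? 5 : -1)
        if (f["syscall"] + 0 != want || f["success"] != "no") next
        serial = f["msg"]                 # audit(<time>:<serial>):
        sub(/\):$/, "", serial); sub(/^.*:/, "", serial)
        comm = f["comm"]; gsub(/"/, "", comm)
        print serial, "uid=" f["uid"], "exit=" f["exit"], "comm=" comm
    }'
}

# Records 102 (unlink on x86_64) and 105 (syscall 2 is not open on i386)
# are skipped: a rule or filter that names only open does not cover them.
sample_log | failed_opens
```

On a live system the equivalent check with the tool mentioned above is `ausearch -sc open -sv no`.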