From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: trouble with a number of audit rules Date: Mon, 29 Jan 2007 17:15:34 -0500 Message-ID: <200701291715.35261.sgrubb@redhat.com> References: <45BE6DDD.6080008@aa.usno.navy.mil> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <45BE6DDD.6080008@aa.usno.navy.mil> Content-Disposition: inline List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Monday 29 January 2007 16:57, Bill Tangren wrote: > 1) > # Ensures that any reads of the audit log by the current user that's logged > is # audited. It might be beneficial to create a rule for each of the 5 > logs # that are generated. > > RULE: > -w /var/log/audit/audit.log -p r -F auid=-1 On RHEL4, syscall auditing and file system auditing cannot be mixed on the same line. Watches can only take -p & -k parameters. > 2) > # Ensures that any user who mounts or unmounts a device is audited > > RULE: > -a exit,always -S mount -S umount Are you on x86_64? If so, you should use umount2. I believe this is documented in capp.rules. > 3) > # ensures auditing whenever the reboot command is sent to the kernel > > RULE: > -a always,entry -S socketcall -F a0=13 x86_64? If so use the syscall, shutdown. (offhand, I don't know why you would need to audit shutdown.) > 4) > # Ensures auditing of any unauthorized access to roots home directory. > > RULE: > -w /root -p rw -F uid!=0 see #1 above > 5) > #Ensure that failed use of the following system calls is audited > > RULE: > -a exit,always -S quotactl -S mount -S stime -S kill -S chroot -F success=0 > -F auid=-1 -F auid=0 stime is valid on i386. maybe settimeofday? -Steve