From: Steve Grubb
Subject: Re: [RFC] NISPOM audit rules - first draft
Date: Wed, 18 Apr 2007 17:16:06 -0400
Message-ID: <200704181716.06196.sgrubb@redhat.com>
References: <200703011333.10466.sgrubb@redhat.com> <200704131754.27644.sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: "Wieprecht, Karen M."
List-Id: linux-audit@redhat.com

On Wednesday 18 April 2007 16:41, Wieprecht, Karen M. wrote:
> 1. auditd complained about using the -k (keyword) flag on lines that
> were not file watch lines.

Yes, this was mentioned on IRC last week and fixed in my development copy. It
will be in 1.5.3.

> This could be a newer feature not supported by our audit subsystem (we
> are running RHEL4 update 4 with audit-1.0.14 I believe). Can you verify
> if this is a general syntax problem or a
> your-audit-version-doesn't-support-this problem? Thanks.

1.5.2 does not work with RHEL4.

> 2. We had two additional lines in our audit.rules to capture failed
> chown, chgrp, and chmod:
>
> -a exit,always -S 90 -F exit=-1
> -a exit,always -S 92 -F exit=-1

I think you want 90-94 on x86_64. I guess they do return -EPERM. The way that
we are doing this for 1.5.2 is using special syntax allowed by the newer
kernels:

-a exit,always -F perm=a -F exit=-13

This tells the kernel to select any syscall that changes file attributes. We
should probably add another line with -F exit=-1

> If these actions aren't already being captured by another NISPOM audit
> rule, you might consider adding them since failed attempts to chown,
> chgrp, chmod are indications of someone possibly trying to open up
> access to files they don't have rights to which would fall into the
> "failed file access attempts" category.

Yep, I'll add a line.

-Steve
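A small checker for the two points raised in this exchange, added here as an illustration and not code from the thread or the audit project: it flags `-k` on non-watch rules (rejected by the old RHEL4 auditd) and checks that failed attribute changes are covered by both `-F exit=-13` (EACCES) and `-F exit=-1` (EPERM), whether via `-F perm=a` or the x86_64 syscall numbers 90-94. The rule sets embedded below are constructed samples; `lint_rules` and `parse_rule` are hypothetical names.

```python
"""Lint audit.rules text for the issues discussed in the thread (added example)."""
import shlex

# x86_64 chmod/fchmod/chown/fchown/lchown, the 90-94 range named in the reply
ATTR_SYSCALLS_X86_64 = {"90", "91", "92", "93", "94"}


def parse_rule(line):
    """Parse one auditctl rule line into a dict of option -> list of values."""
    opts = {"-a": [], "-S": [], "-F": [], "-k": [], "-w": [], "-p": []}
    toks = shlex.split(line.split("#", 1)[0])  # drop trailing comments
    i = 0
    while i < len(toks):
        if toks[i] in opts and i + 1 < len(toks):
            opts[toks[i]].append(toks[i + 1])
            i += 2
        else:
            i += 1  # flags without an argument are ignored here
    return opts


def lint_rules(text, old_auditd=False):
    """Return a list of findings; an empty list means no issues found."""
    findings = []
    rules = [parse_rule(l) for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    for n, r in enumerate(rules, 1):
        # auditd 1.0.x (RHEL4) only accepted -k on -w file watch rules
        if old_auditd and r["-k"] and not r["-w"]:
            findings.append(f"line {n}: -k on a non-watch rule is rejected by old auditd")
    # Rules that select attribute-changing syscalls, by perm=a or by number
    attr = [r for r in rules
            if "perm=a" in r["-F"] or ATTR_SYSCALLS_X86_64 & set(r["-S"])]
    exits = {f for r in attr for f in r["-F"] if f.startswith("exit=")}
    for want in ("exit=-13", "exit=-1"):  # EACCES and EPERM both matter
        if want not in exits:
            findings.append(f"no attribute-change rule with -F {want}")
    return findings


# Constructed sample: the two lines from the question, plus a -k on a syscall rule
RULES_BEFORE = """-a exit,always -S 90 -F exit=-1 -k perm_mod
-a exit,always -S 92 -F exit=-1
"""
# Constructed sample: perm=a form with both failure codes, -k only on a watch
RULES_AFTER = """-w /etc/passwd -p wa -k passwd
-a exit,always -F perm=a -F exit=-13
-a exit,always -F perm=a -F exit=-1
"""

if __name__ == "__main__":
    print(lint_rules(RULES_BEFORE, old_auditd=True))
    print(lint_rules(RULES_AFTER, old_auditd=True))
```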