Subject: Audit rules keys
From: Henning, Arthur C. (CSL)
Date: 2007-08-21 15:21 UTC
To: linux-audit

Using system-config-audit, I am getting key (-k) configuration errors when saving changes.

    [root@localhost ~]# Stopping auditd: [ OK ]
    Starting auditd: [ OK ]
    key option needs a watch or syscall given prior to it
    There was an error in line 9 of /etc/audit/audit.rules

    cat /etc/audit/audit.rules
    -e 1
    -f 2
    -b 8192
    -r 0

    -D
    -a entry,always -S adjtimex -S settimeofday
    -a entry,always -S clock_settime
    -a entry,always -k kill -S kill
    -a exit,always -k system-locale -S sethostname
    -a exit,always -F exit=-13 -k creation -S creat -S mkdir -S mknod -S link -S symlink
    -a exit,always -F exit=-13 -k creation -S mkdirat -S mknodat -S linkat -S symlinkat

If I remove the key from line 9 and save, I get the error reported at line 10, etc.

Started with the NISPOM.rules contrib file.

Art Henning (CSL)
Enterprise IT Solutions
Northrop Grumman Corp
art.henning@ngc.com
Subject: Re: Audit rules keys
From: Linda Knippers
Date: 2007-08-21 15:39 UTC
To: Henning, Arthur C. (CSL); Cc: linux-audit

Henning, Arthur C. (CSL) wrote:
> Using system-config-audit getting key (-k) configuration errors when
> saving changes.
>
> [root@localhost ~]# Stopping auditd: [ OK ]
> Starting auditd: [ OK ]
> key option needs a watch or syscall given prior to it

This is telling you that the -k flag needs to be after a -S flag. I don't know why the order matters, but apparently it does.

> There was an error in line 9 of /etc/audit/audit.rules
> cat /etc/audit/audit.rules
> -e 1
> -f 2
> -b 8192
> -r 0
>
> -D
> -a entry,always -S adjtimex -S settimeofday
> -a entry,always -S clock_settime
> -a entry,always -k kill -S kill

try:

    -a entry,always -S kill -k kill

And for the rest, move the -k stuff to the end.

> -a exit,always -k system-locale -S sethostname
> -a exit,always -F exit=-13 -k creation -S creat -S mkdir -S mknod -S
> link -S symlink
> -a exit,always -F exit=-13 -k creation -S mkdirat -S mknodat -S linkat
> -S symlinkat
>
> If I remove the key from line 9 and save, get error reported line 10,
> etc.
>
> Started with NISPOM.rules contrib file.

Are the options in the wrong order in the contrib file too? The draft I saw posted for comments was in the correct order, but I haven't looked at what's currently shipped.

-- ljk

>
> Art Henning (CSL)
> Enterprise IT Solutions
> Northrop Grumman Corp
> art.henning@ngc.com
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
Subject: Re: Audit rules keys
From: Steve Grubb
Date: 2007-08-21 15:55 UTC
To: linux-audit

On Tuesday 21 August 2007 11:39:51 Linda Knippers wrote:
> > Using system-config-audit getting key (-k) configuration errors when
> > saving changes.
> >
> > [root@localhost ~]# Stopping auditd: [ OK ]
> > Starting auditd: [ OK ]
> > key option needs a watch or syscall given prior to it
>
> This is telling you that the -k flag needs to be after a -S
> flag. I don't know why the order matters but apparently it does.

Correct. It matters because originally keys were only associated with watches. So, I needed the rule writer to declare that this is going to be a syscall or watch rule so that I can error check appropriately. Keys do not apply to rules like -b or -e, so I still want to see the rule type ahead of a key option so that errors are caught.

-Steve
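An added check for the ordering rule Linda and Steve describe above (written for this edit, not part of the thread, the audit package or system-config-audit): it classifies each audit.rules line by where -k sits relative to -S/-w, applies Linda's fix of moving -k to the end where that is enough, and reports Steve's case of a key on a control line (-e, -b, ...) as unfixable by reordering. It assumes the auditctl syntax quoted in the thread and checks only key placement, not the rest of the validation auditctl performs; the sample rules are constructed from the thread's own lines plus one invented control-line misuse.

```python
"""Check and repair the ordering of -k (key) options in an audit.rules file."""
import shlex

# auditctl accepts -k only once the rule has been declared as a syscall (-S)
# or watch (-w) rule; -k before either, or on a control line such as -e/-b,
# is rejected with "key option needs a watch or syscall given prior to it".
RULE_TYPE_OPTS = ("-S", "-w")


def tokenize(line):
    """Split a rule line into tokens, dropping trailing '#' comments."""
    return shlex.split(line, comments=True)


def check_rule(line):
    """Classify one rule line by where its -k option sits.

    Returns one of:
      'no-key'           - line has no -k option (nothing to check)
      'ok'               - a -S or -w option precedes the first -k
      'key-before-type'  - -k appears before any -S/-w (fixable by reordering)
      'key-without-type' - -k on a line with no -S/-w at all (a real error)
    """
    toks = tokenize(line)
    if "-k" not in toks:
        return "no-key"
    first_key = toks.index("-k")
    type_positions = [i for i, t in enumerate(toks) if t in RULE_TYPE_OPTS]
    if not type_positions:
        return "key-without-type"
    if min(type_positions) > first_key:
        return "key-before-type"
    return "ok"


def fix_rule(line):
    """Move every '-k KEY' pair to the end of the rule, after the -S/-w options."""
    toks = tokenize(line)
    keys, rest = [], []
    i = 0
    while i < len(toks):
        if toks[i] == "-k" and i + 1 < len(toks):
            keys.extend(toks[i:i + 2])
            i += 2
        else:
            rest.append(toks[i])
            i += 1
    return " ".join(rest + keys)


def check_rules(text):
    """Scan a whole rules file; return (lineno, status, original, suggestion)
    for each line auditctl would reject because of key placement.  The
    suggestion is None when reordering cannot help."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        status = check_rule(line)
        if status == "key-before-type":
            findings.append((lineno, status, line, fix_rule(line)))
        elif status == "key-without-type":
            findings.append((lineno, status, line, None))
    return findings


# Constructed sample: the first lines mirror the GUI-rewritten file quoted in
# the thread; the final '-e 1 -k bogus' line is an invented control-line misuse.
SAMPLE_RULES = """\
-e 1
-f 2
-b 8192
-D
-a entry,always -k kill -S kill
-a exit,always -F exit=-13 -k creation -S creat -S mkdir -S mknod
-w /etc/localtime -p wa -k time-change
-e 1 -k bogus
"""

if __name__ == "__main__":
    for lineno, status, original, suggestion in check_rules(SAMPLE_RULES):
        print(f"line {lineno}: {status}: {original}")
        if suggestion:
            print(f"    suggested: {suggestion}")
```

Running it against a file rewritten by the GUI reports every `-a ... -k KEY -S ...` line with its reordered form, while a `-w ... -k KEY -S all` line passes because the watch is declared before the key; only a key with no -S/-w on the same line is left as an error to fix by hand.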
Subject: RE: Audit rules keys
From: Henning, Arthur C. (CSL)
Date: 2007-08-21 16:09 UTC
To: Steve Grubb, linux-audit

Here is what I am finding:

Copy NISPOM.rules to /etc/audit/audit.rules

Sample entries:

    -a entry,always -S adjtimex -S settimeofday -k time-change
    -w /etc/localtime -p wa -k time-change
    -a exit,always -S sethostname -k system-locale
    -w /etc/issue -p wa -k system-locale
    -w /etc/issue.net -p wa -k system-locale
    -w /etc/hosts -p wa -k system-locale
    -w /etc/sysconfig/network -p wa -k system-locale

Using system-config-audit, I create a rule for the SYSCALL kill with a key of kill and "Save" the configuration. I get the described error. The audit.rules is now configured:

    -e 1
    -f 2
    -b 8192
    -r 0
    -D
    -a entry,always -k kill -S kill
    -a entry,always -k time-change -S adjtimex -S settimeofday
    -a exit,always -k system-locale -S sethostname
    -a exit,always -F exit=-13 -k creation -S creat -S mkdir -S mknod -S link -S symlink
    -a exit,always -F exit=-13 -k creation -S mkdirat -S mknodat -S linkat -S symlinkat
    -a exit,always -F exit=-13 -k open -S open
    -a exit,always -F exit=-13 -k open -S openat
    -a exit,always -F exit=-13 -k close -S close
    -a exit,always -F exit=-13 -k mods -S rename -S truncate -S ftruncate
    -a exit,always -F exit=-13 -k mods -S renameat
    -a exit,always -p a -F exit=-13 -k mods -S all
    -a exit,always -p a -F exit=-1 -k mods -S all
    -a exit,always -F exit=-13 -k delete -S rmdir -S unlink
    -a exit,always -F exit=-13 -k delete -S unlinkat
    -w /etc/localtime -p wa -k time-change -S all
    -w /etc/issue -p wa -k system-locale -S all
    -w /etc/issue.net -p wa -k system-locale -S all
    -w /etc/hosts -p wa -k system-locale -S all
    -w /etc/sysconfig/network -p wa -k system-locale -S all
    -w /var/log/faillog -p wa -k logins -S all
    -w /var/log/lastlog -p wa -k logins -S all
    -w /var/log/messages -p wa -k logins -S all
    -w /var/log/wtmp -p wa -k logins -S all
    -w /var/log/authlog -p wa -k logins -S all
    -w /var/log/tallylog -p wa -k logins -S all
    -w /etc/group -p wa -k auth -S all
    -w /etc/passwd -p wa -k auth -S all
    -w /etc/gshadow -p wa -k auth -S all
    -w /etc/shadow -p wa -k auth -S all
    -w /etc/login.defs -p wa -k auth -S all
    -w /etc/security/opasswd -p wa -k auth -S all
    -w /var/log/audit/audit.log -k audit-logs -S all
    -w /var/log/audit/audit.log.1 -k audit-logs -S all
    -w /var/log/audit/audit.log.2 -k audit-logs -S all
    -w /var/log/audit/audit.log.3 -k audit-logs -S all
    -w /var/log/audit/audit.log.4 -k audit-logs -S all
    -w /var/log/audit/audit.log.5 -k audit-logs -S all
    -w /var/log/audit/audit.log.6 -k audit-logs -S all
    -w /var/log/audit/audit.log.7 -k audit-logs -S all
    -w /etc/audit/auditd.conf -k audit-conf -S all
    -w /etc/audit/audit.rules -k audit-conf -S all

It would appear the system-config-audit GUI is rewriting the entire rule file and then complaining it's not configured correctly.

Art Henning (CSL)
Enterprise IT Solutions
Northrop Grumman Corp
art.henning@ngc.com

-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Tuesday, August 21, 2007 10:56 AM
To: linux-audit@redhat.com
Cc: Linda Knippers; Henning, Arthur C. (CSL)
Subject: Re: Audit rules keys

On Tuesday 21 August 2007 11:39:51 Linda Knippers wrote:
> > Using system-config-audit getting key (-k) configuration errors when
> > saving changes.
> >
> > [root@localhost ~]# Stopping auditd: [ OK ]
> > Starting auditd: [ OK ]
> > key option needs a watch or syscall given prior to it
>
> This is telling you that the -k flag needs to be after a -S
> flag. I don't know why the order matters but apparently it does.

Correct. It matters because originally keys were only associated with watches. So, I needed the rule writer to declare that this is going to be a syscall or watch rule so that I can error check appropriately. Keys do not apply to rules like -b or -e, so I still want to see the rule type ahead of a key option so that errors are caught.

-Steve
Subject: Re: Audit rules keys
From: Steve Grubb
Date: 2007-08-21 16:46 UTC
To: Henning, Arthur C. (CSL); Cc: linux-audit

On Tuesday 21 August 2007 12:09:28 Henning, Arthur C. (CSL) wrote:
> Would appear the system-config-audit GUI is rewriting the entire rule file
> then complaining it's not configured correctly.

Yes, it's re-writing the rules. But it's probably auditctl that's complaining.

Thanks for the feedback on this tool. I believe this is the first we've had so far. This tool is available for Fedora, but I have not enabled it on RHEL yet.

-Steve