From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: NISPOM Auditing Date: Thu, 22 May 2008 17:19:52 -0400 Message-ID: <200805221719.53685.sgrubb@redhat.com> References: <673954B3D6E9A14199B78659C4AD37EE0422D140@emss04m05.us.lmco.com> Mime-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <673954B3D6E9A14199B78659C4AD37EE0422D140@emss04m05.us.lmco.com> Content-Disposition: inline List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Thursday 22 May 2008 16:28:41 Mathis, Jim wrote: > I need to log file edit attempts when a user doesn't have permission to > edit a specific file. For example, a non-root user attempts to edit > "/var/log/audit/audit'log" which has a permission setting of 640. > Although the user won't be able to edit the file (permission denied) - > I'd still like to log the attempt. Here's a snippet of my audit.rules > file: Have you looked at the latest nispom.rules file in the audit package? I have a set of rules that should meet NISPOM requirements. If it doesn't I'd like to know what is wrong with it so we can fix it. This set of rules looks similar to it, but there are differences. The main difference is adding -F arch= to each syscall rule to make sure the numbers are correct. > ## unsuccessful creation > > -a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13 > -k creation > > -a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13 > -k creation -a exit,always -F arch=b32 -S creat -S mkdir -S mknod -S link -S symlink -F exit=-EACCES -k creation -a exit,always -F arch=b64 -S creat -S mkdir -S mknod -S link -S symlink -F exit=-EACCES -k creation -a exit,always -F arch=b32 -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-EACCES -k creation -a exit,always -F arch=b64 -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-EACCES -k creation > ## unsuccessful open > > -a exit,always -S open -F exit=-13 -k open -a exit,always -F arch=b32 -S open -F exit=-EACCES -k open -a exit,always -F arch=b64 -S open -F exit=-EACCES -k open -a exit,always -F arch=b32 -S open -F exit=-EPERM -k open -a exit,always -F arch=b64 -S open -F exit=-EPERM -k open > ## unsuccessful close > > -a exit,always -S close -F exit=-13 -k close > > ## unsuccessful modifications > > -a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods > > -a exit,always -S renameat -F exit=-13 -k mods > > ## unsuccessful deletion > > -a exit,always -S rmdir -S unlink -F exit=-13 -k delete > > -a exit,always -S unlinkat -F exit=-13 -k delete > > ## unauthorized change directory (cd) > > -a exit,always -S chdir -F path=/var/log/audit -k evil2-cd :) > ## Watch Files > > -w /var/log/audit/audit.log -p rwxa -k audit-log2 This rule only watches one file. There could be more. You might want a rule like: -w /var/log/audit -k audit-logs -Steve