From: "Mathis, Jim"
Subject: NISPOM Auditing
Date: Wed, 21 May 2008 12:01:52 -0400
Message-ID: <673954B3D6E9A14199B78659C4AD37EE0422D137@emss04m05.us.lmco.com>
To: linux-audit@redhat.com

Hello,

Is there a way to set up a watch log to report if a user attempted to "cd" to a directory that they didn't have permission to access? I have watch logs in place, but they don't seem to report when a "cd" is attempted and permission is denied. Thanks.

-Jim
From: Steve Grubb
Subject: Re: NISPOM Auditing
Date: Wed, 21 May 2008 13:14:32 -0400
Message-ID: <200805211314.32834.sgrubb@redhat.com>
In-Reply-To: <673954B3D6E9A14199B78659C4AD37EE0422D137@emss04m05.us.lmco.com>
To: linux-audit@redhat.com

On Wednesday 21 May 2008 12:01:52 Mathis, Jim wrote:
> Is there a way to set up a watch log to report if a user attempted to
> "cd" to a directory that they didn't have permission to access?

No, a watch applies to file ops and not the chdir syscall. However, you can create a syscall audit rule that works sometimes:

-a always,exit -S chdir -F path=/dir/dir1/dir2 -k evil-cd

This will catch the case where they have permission to cd into that directory. But if they don't have permission to go beyond dir in the above example, then you have to resort to something more like:

-a always,exit -S chdir -F exit=-EACCES -k evil-cd

which gets it and every other cd that fails due to permissions. This is because the path lookup inside the kernel never completes due to permissions, so the audit system has no full path to check against. You can cut down the false positives by adding -F auid>=500, and also use -F arch=b32 and b64 for biarch systems.
-Steve

From: "Mathis, Jim"
Subject: NISPOM Auditing
Date: Thu, 22 May 2008 16:28:41 -0400
Message-ID: <673954B3D6E9A14199B78659C4AD37EE0422D140@emss04m05.us.lmco.com>
To: linux-audit@redhat.com

Hello,

I need to log file edit attempts when a user doesn't have permission to edit a specific file. For example, a non-root user attempts to edit "/var/log/audit/audit.log", which has a permission setting of 640. Although the user won't be able to edit the file (permission denied), I'd still like to log the attempt. Here's a snippet of my audit.rules file:

## unsuccessful creation
-a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13 -k creation
-a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13 -k creation

## unsuccessful open
-a exit,always -S open -F exit=-13 -k open

## unsuccessful close
-a exit,always -S close -F exit=-13 -k close

## unsuccessful modifications
-a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
-a exit,always -S renameat -F exit=-13 -k mods

## unsuccessful deletion
-a exit,always -S rmdir -S unlink -F exit=-13 -k delete
-a exit,always -S unlinkat -F exit=-13 -k delete

## unauthorized change directory (cd)
-a exit,always -S chdir -F path=/var/log/audit -k evil2-cd

## Watch Files
-w /var/log/audit/audit.log -p rwxa -k audit-log2

Thanks

-Jim
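Steve's second chdir rule in his first reply (-F exit=-EACCES) records every denied cd on the box, so the work moves to reading the log. The following Python script is an added example, not code from this thread or from the audit package: it groups audit.log-style records by their msg=audit(ts:serial) stamp, keeps the SYSCALL records tagged key="evil-cd" with success=no, applies the auid>=500 cut Steve suggests (and also drops auid=4294967295, the value the kernel reports when no login uid was ever set, as for daemons started at boot), and reports the cwd plus the PATH record where the kernel emitted one. The log lines, serials, user ids and process names are constructed and abbreviated; the key name comes from Steve's rule, and a record without a PATH entry is included to exercise the case he describes where the lookup never completes.

```python
import errno
import re
from collections import defaultdict

# Constructed, abbreviated audit.log records (not from a real host) as produced
# by a rule such as:  -a always,exit -F arch=b64 -S chdir -F exit=-EACCES -k evil-cd
# arch=c000003e is x86_64, where syscall=80 is chdir.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1211385712.101:1001): arch=c000003e syscall=80 success=no exit=-13 items=1 ppid=2100 pid=2111 auid=500 uid=500 tty=pts0 comm="bash" exe="/bin/bash" key="evil-cd"
type=CWD msg=audit(1211385712.101:1001):  cwd="/home/jim"
type=PATH msg=audit(1211385712.101:1001): item=0 name="/var/log/audit" inode=393226 dev=08:02 mode=040750 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1211385740.330:1002): arch=c000003e syscall=80 success=no exit=-13 items=0 ppid=1 pid=1980 auid=4294967295 uid=0 tty=(none) comm="crond" exe="/usr/sbin/crond" key="evil-cd"
type=CWD msg=audit(1211385740.330:1002):  cwd="/"
type=SYSCALL msg=audit(1211385801.007:1003): arch=c000003e syscall=80 success=no exit=-13 items=0 ppid=2300 pid=2344 auid=501 uid=501 tty=pts1 comm="bash" exe="/bin/bash" key="evil-cd"
type=CWD msg=audit(1211385801.007:1003):  cwd="/home/starr"
type=SYSCALL msg=audit(1211385855.512:1004): arch=c000003e syscall=80 success=no exit=-13 items=1 ppid=2400 pid=2401 auid=0 uid=0 tty=pts2 comm="bash" exe="/bin/bash" key="evil-cd"
type=CWD msg=audit(1211385855.512:1004):  cwd="/root"
type=PATH msg=audit(1211385855.512:1004): item=0 name="/mnt/nfs/private" inode=12 dev=00:17 mode=040700 ouid=502 ogid=502 rdev=00:00
"""

UNSET_AUID = 4294967295  # auid when no login uid was ever set (e.g. daemons started at boot)
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of its key=value fields plus the event serial."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec['_serial'] = int(m.group(2))
    return rec


def group_events(log_text):
    """All records sharing one msg=audit(ts:serial) stamp belong to the same syscall event."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[rec['_serial']].append(rec)
    return events


def failed_chdir_by_user(log_text, key='evil-cd', min_auid=500):
    """Return the denied chdir() events tagged with `key`, restricted to login users
    (auid >= min_auid and not the unset value), oldest first."""
    findings = []
    for serial, recs in sorted(group_events(log_text).items()):
        sc = next((r for r in recs if r.get('type') == 'SYSCALL'), None)
        if sc is None or sc.get('key') != key or sc.get('success') != 'no':
            continue
        auid = int(sc.get('auid', UNSET_AUID))
        if auid == UNSET_AUID or auid < min_auid:
            continue
        cwd = next((r.get('cwd') for r in recs if r.get('type') == 'CWD'), None)
        # When the lookup is denied before it completes, the kernel has no full
        # path for the event; report that rather than guessing a target.
        path = next((r.get('name') for r in recs if r.get('type') == 'PATH'), None)
        findings.append({
            'serial': serial,
            'auid': auid,
            'comm': sc.get('comm'),
            'errno': errno.errorcode.get(-int(sc['exit']), sc['exit']),  # -13 -> EACCES
            'cwd': cwd,
            'path': path,
        })
    return findings


def format_report(findings):
    """One line per finding, suitable for a daily summary."""
    lines = []
    for f in findings:
        target = f['path'] if f['path'] is not None else '(lookup denied before completion; no PATH record)'
        lines.append(f"serial={f['serial']} auid={f['auid']} comm={f['comm']} "
                     f"errno={f['errno']} cwd={f['cwd']} target={target}")
    return lines


if __name__ == '__main__':
    for line in format_report(failed_chdir_by_user(SAMPLE_LOG)):
        print(line)
```

Run against a real /var/log/audit/audit.log the script reads the same fields ausearch -k evil-cd would show; lowering min_auid to 0 brings root's denied attempts (serial 1004 in the sample) back into the report, while the unset auid is always excluded because a numeric auid>=500 comparison alone would let it through.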
From: Steve Grubb
Subject: Re: NISPOM Auditing
Date: Thu, 22 May 2008 17:19:52 -0400
Message-ID: <200805221719.53685.sgrubb@redhat.com>
In-Reply-To: <673954B3D6E9A14199B78659C4AD37EE0422D140@emss04m05.us.lmco.com>
To: linux-audit@redhat.com

On Thursday 22 May 2008 16:28:41 Mathis, Jim wrote:
> I need to log file edit attempts when a user doesn't have permission to
> edit a specific file. For example, a non-root user attempts to edit
> "/var/log/audit/audit.log" which has a permission setting of 640.
> Although the user won't be able to edit the file (permission denied) -
> I'd still like to log the attempt. Here's a snippet of my audit.rules
> file:

Have you looked at the latest nispom.rules file in the audit package? I have a set of rules that should meet NISPOM requirements. If it doesn't, I'd like to know what is wrong with it so we can fix it. This set of rules looks similar to it, but there are differences. The main difference is adding -F arch= to each syscall rule to make sure the numbers are correct.

> ## unsuccessful creation
>
> -a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13 -k creation
>
> -a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13 -k creation

-a exit,always -F arch=b32 -S creat -S mkdir -S mknod -S link -S symlink -F exit=-EACCES -k creation
-a exit,always -F arch=b64 -S creat -S mkdir -S mknod -S link -S symlink -F exit=-EACCES -k creation
-a exit,always -F arch=b32 -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-EACCES -k creation
-a exit,always -F arch=b64 -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-EACCES -k creation

> ## unsuccessful open
>
> -a exit,always -S open -F exit=-13 -k open

-a exit,always -F arch=b32 -S open -F exit=-EACCES -k open
-a exit,always -F arch=b64 -S open -F exit=-EACCES -k open
-a exit,always -F arch=b32 -S open -F exit=-EPERM -k open
-a exit,always -F arch=b64 -S open -F exit=-EPERM -k open

> ## unsuccessful close
>
> -a exit,always -S close -F exit=-13 -k close
>
> ## unsuccessful modifications
>
> -a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
>
> -a exit,always -S renameat -F exit=-13 -k mods
>
> ## unsuccessful deletion
>
> -a exit,always -S rmdir -S unlink -F exit=-13 -k delete
>
> -a exit,always -S unlinkat -F exit=-13 -k delete
>
> ## unauthorized change directory (cd)
>
> -a exit,always -S chdir -F path=/var/log/audit -k evil2-cd

:)

> ## Watch Files
>
> -w /var/log/audit/audit.log -p rwxa -k audit-log2

This rule only watches one file. There could be more.
You might want a rule like:

-w /var/log/audit -k audit-logs

-Steve

From: "corbin"
Subject: RE: NISPOM Auditing
Date: Tue, 27 May 2008 09:00:19 -0500
Message-ID: <200805271400.m4RE0III031345@ns5.arlut.utexas.edu>
In-Reply-To: <200805221719.53685.sgrubb@redhat.com>
To: 'Steve Grubb', linux-audit@redhat.com

Can these rules apply to RHEL4 or just RHEL5? I, too, have to create a NISPOM-compliant network and have written scripts to do so. However, I am just exploring the audit.rules settings in RHEL and wanted to know if these changes are particular to a specific version of Red Hat.

Thanks!
Starr

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

From: Steve Grubb
Subject: Re: NISPOM Auditing
Date: Tue, 27 May 2008 10:19:25 -0400
Message-ID: <200805271019.26172.sgrubb@redhat.com>
In-Reply-To: <200805271400.m4RE0III031345@ns5.arlut.utexas.edu>
To: corbin
Cc: linux-audit@redhat.com

On Tuesday 27 May 2008 10:00:19 corbin wrote:
> Can these rules apply to RHEL4 or just RHEL5?

The rules are different between RHEL4 and 5. RHEL5 has more syscalls than 4 did. It also has more options in auditctl & kernel to make rules capture just the required data. Some things you simply can't express in RHEL4. For example, the ability to audit only users (auid>=500) rather than everything including daemons. For RHEL4, you can get everything required for NISPOM, but you depend more on the reduction tools and eat more disk space doing so.

> However, I am just exploring the audit.rules settings in RHEL and wanted to
> know if these changes are particular to a specific version of Red Hat.

I believe that RHEL4 has a nispom.rules file also. It has not been updated in quite a while, but it should be a good starting point. It probably needs updating for arch=b32 and 64 so that biarch machines get the right syscalls being audited.

-Steve
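Steve's review of Jim's snippet, and his last reply about the RHEL4 nispom.rules needing the same treatment, amount to one mechanical rewrite: every syscall rule is emitted once with -F arch=b32 and once with -F arch=b64 so a biarch machine audits the right syscall numbers, and the numeric -F exit=-13 becomes the symbolic -F exit=-EACCES (with an additional -EPERM pair for open). The following Python script is an added example, not the nispom.rules file from the audit package: it applies exactly that rewrite to the rule snippet Jim posted, leaving comments, watch rules and rules that already carry -F arch= alone. The function names and the extra_by_key mapping ({'open': ('EPERM',)}, which reproduces Steve's extra open rules) are this example's own; the errno names come from Python's errno module.

```python
import errno
import shlex

# Jim's audit.rules snippet from the thread, as posted (single-arch, numeric exit codes).
JIM_RULES = """\
## unsuccessful creation
-a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13 -k creation
-a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13 -k creation
## unsuccessful open
-a exit,always -S open -F exit=-13 -k open
## unsuccessful close
-a exit,always -S close -F exit=-13 -k close
## unsuccessful modifications
-a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
-a exit,always -S renameat -F exit=-13 -k mods
## unsuccessful deletion
-a exit,always -S rmdir -S unlink -F exit=-13 -k delete
-a exit,always -S unlinkat -F exit=-13 -k delete
## unauthorized change directory (cd)
-a exit,always -S chdir -F path=/var/log/audit -k evil2-cd
## Watch Files
-w /var/log/audit/audit.log -p rwxa -k audit-log2
"""


def expand_rule(rule, arches=('b32', 'b64'), extra_errnos=()):
    """Return the rule lines that replace one rule.

    Watch rules (-w) and syscall rules that already carry -F arch= pass through
    unchanged. Other syscall rules get a numeric exit code replaced by its errno
    name and are emitted once per architecture in `arches`; each name in
    `extra_errnos` yields a further per-arch pair with that exit code."""
    toks = shlex.split(rule)
    if not toks or toks[0] != '-a' or '-S' not in toks:
        return [rule.strip()]
    if any(t.startswith('arch=') for t in toks):
        return [' '.join(toks)]
    exit_idx = None
    for i, t in enumerate(toks):
        if t.startswith('exit=-') and toks[i - 1] == '-F':
            exit_idx = i
            val = t[len('exit=-'):]
            if val.isdigit():  # -13 -> -EACCES, -1 -> -EPERM, ...
                toks[i] = 'exit=-' + errno.errorcode.get(int(val), val)
    out = []
    for e in (None,) + tuple(extra_errnos):  # None keeps the rule's own exit code
        if e is not None and exit_idx is None:
            continue  # no exit filter to vary; nothing extra to emit
        variant = list(toks)
        if e is not None:
            variant[exit_idx] = 'exit=-' + e
        for arch in arches:
            # -F arch= goes right after "-a exit,always", before the first -S
            out.append(' '.join(variant[:2] + ['-F', 'arch=' + arch] + variant[2:]))
    return out


def expand_rules(text, extra_by_key=None):
    """Expand a whole rules file; comments and blank lines are kept in place.
    `extra_by_key` maps a -k key to extra errno names for rules carrying that key."""
    extra_by_key = extra_by_key or {}
    out = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith('#'):
            out.append(s)
            continue
        toks = s.split()
        key = toks[toks.index('-k') + 1] if '-k' in toks else None
        out.extend(expand_rule(s, extra_errnos=extra_by_key.get(key, ())))
    return out


if __name__ == '__main__':
    print('\n'.join(expand_rules(JIM_RULES, extra_by_key={'open': ('EPERM',)})))
```

The four lines produced for the open rule are, in order, the b32 and b64 -EACCES pair followed by the b32 and b64 -EPERM pair, which is the order Steve posted them; the chdir rule with -F path= is also doubled, which is what his last reply asks for every syscall rule.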