From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: no logging of successful events?
Date: Mon, 18 Aug 2008 16:52:24 -0400
Message-ID: <200808181652.24871.sgrubb@redhat.com>
References: <1219086574.6522.8.camel@orpheus.clinicomp.com> <200808181607.55239.sgrubb@redhat.com> <1219092199.6522.48.camel@orpheus.clinicomp.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
In-Reply-To: <1219092199.6522.48.camel@orpheus.clinicomp.com>
Content-Disposition: inline
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Brian LaMere
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Monday 18 August 2008 16:43:19 Brian LaMere wrote:
> -w /etc/auditd.conf
> -w /etc/audit.rules
> -a exit,always -S open -F success=0

Note that openat is being used more and more for secure apps that need to ensure that a directory is not switched out during an operation.

> -a exit,always -S rmdir -S unlink -S chmod -S fchmod -S chown -S fchown
> -S lchown -F success!=0
> -a exit,always -S settimeofday -S setrlimit -S setdomainname -S
> sched_setparam -S sched_setscheduler -S acct -S reboot -S swapon
> -------------------------------------------------
>
> Was grouping by failed, successful, and both. Did this due to reading
> that every audit rule is tested for every syscall, which...yeah, makes
> me want to group things.

Yes. You can do that. In the stig.rules file I add a key so that you can see exactly what part of the stig is being met whenever you encounter an event. And it's also because sometimes it takes more than one rule to meet a requirement fully.

> That being said, stig.rules is extensive; any warning on what the
> performance impact will be?

No idea. If you have to meet the letter of the law...not a whole lot you can do but throw hardware at it. Depending on your situation, you may be able to do it with fewer rules. I wanted to illustrate as complete coverage as possible with a real-life security target people have to meet. I don't have any feedback from DISA as to whether or not they like it. :)

> Also, when looking for the newer builds on your site
> http://people.redhat.com/sgrubb/audit/ - I noticed "1.7 -> 1.8 Remote
> logging and finishing up IDS/IPS plugin." That would be wondrously
> fabulous, and I look forward to it. Any thoughts on whether it will be
> pulled into RHEL5, or whether I'd have to wait until RHEL6?

Remote logging should be in RHEL5.3/Fedora 10. IDS work is in Fedora 9.

-Steve
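An added audit.rules fragment, not from this thread or from Steve's stig.rules, showing Brian's open rule as posted next to a grouped rewrite that also watches openat and tags each group with a key so a hit can be traced back to the requirement it serves. It assumes an x86_64 host (the arch filter), and the key names are made up here; the *at variants beyond openat go a step past what the thread says, on the same reasoning.

```text
# As posted: failed open() calls only; an openat() call is never matched
-a exit,always -S open -F success=0

# Grouped rewrite (added example, not from the thread). Assumes an x86_64
# host, hence -F arch=b64, which must precede -S; key names are invented.
# Config watches: the key lets ausearch pull one group's events.
-w /etc/auditd.conf -p wa -k audit-config
-w /etc/audit.rules -p wa -k audit-config

# Failed opens: open and openat together, since code that guards against
# a directory being swapped out underneath it opens relative to a dir fd
-a exit,always -F arch=b64 -S open -S openat -F success=0 -k open-failed

# Successful deletions and permission/ownership changes; the *at forms
# are added for the same reason as openat
-a exit,always -F arch=b64 -S rmdir -S unlink -S unlinkat -S chmod -S fchmod -S fchmodat -S chown -S fchown -S lchown -S fchownat -F success!=0 -k perm-change

# Both outcomes for system-state changes
-a exit,always -F arch=b64 -S settimeofday -S setrlimit -S setdomainname -S sched_setparam -S sched_setscheduler -S acct -S reboot -S swapon -k sys-state
```

On a multilib host, 32-bit callers need a duplicate of each syscall rule with -F arch=b32, and `ausearch -k open-failed` retrieves one group's events.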