* Audit Log not capturing access to security related files
@ 2009-11-25 16:57 Starr-Renee Corbin
2009-11-30 18:37 ` Steve Grubb
2009-12-04 10:59 ` Trevor Vaughan
0 siblings, 2 replies; 3+ messages in thread
From: Starr-Renee Corbin @ 2009-11-25 16:57 UTC (permalink / raw)
To: linux-audit
Hello,
I am required (by NISPOM) to audit access to security related files.
I am essentially using the nispom audit.rules provided by rhel5 to
accomplish this.
However, some of my systems are capturing access to /etc/shadow and
some of my systems are not (when looking in /var/log/audit/audit.log.
Worried that I might have differing audit.rules files between the
systems I have even copied the audit.rules file from systems that were
auditing right to systems that were not. But this has not resolved
the auditing problem.
HELP!
Thank you!
Starr
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Audit Log not capturing access to security related files
2009-11-25 16:57 Audit Log not capturing access to security related files Starr-Renee Corbin
@ 2009-11-30 18:37 ` Steve Grubb
2009-12-04 10:59 ` Trevor Vaughan
1 sibling, 0 replies; 3+ messages in thread
From: Steve Grubb @ 2009-11-30 18:37 UTC (permalink / raw)
To: linux-audit
On Wednesday 25 November 2009 11:57:10 am Starr-Renee Corbin wrote:
> I am required (by NISPOM) to audit access to security related files.
> I am essentially using the nispom audit.rules provided by rhel5 to
> accomplish this.
>
> However, some of my systems are capturing access to /etc/shadow and
> some of my systems are not (when looking in /var/log/audit/audit.log.
I guess the questions are:
what kernels?
what audit packages?
Are both the same arch?
How are you testing that one is not being recorded when it should?
-Steve
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Audit Log not capturing access to security related files
2009-11-25 16:57 Audit Log not capturing access to security related files Starr-Renee Corbin
2009-11-30 18:37 ` Steve Grubb
@ 2009-12-04 10:59 ` Trevor Vaughan
1 sibling, 0 replies; 3+ messages in thread
From: Trevor Vaughan @ 2009-12-04 10:59 UTC (permalink / raw)
To: Starr-Renee Corbin; +Cc: linux-audit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Starr,
The default rule set that comes with RHEL5 will not function properly on
a 32 bit system. It will, however, function properly on a 64 bit system.
If you have a mix of architectures, this may be your problem.
To fix it for the 32 bit systems, try the following:
sed -e '/arch=b64/d' /etc/audit/audit.rules > audit.rules.32
and use the resulting file as your primary audit rule set.
Trevor
On 11/25/2009 11:57 AM, Starr-Renee Corbin wrote:
> Hello,
>
> I am required (by NISPOM) to audit access to security related files. I
> am essentially using the nispom audit.rules provided by rhel5 to
> accomplish this.
>
> However, some of my systems are capturing access to /etc/shadow and some
> of my systems are not (when looking in /var/log/audit/audit.log.
>
> Worried that I might have differing audit.rules files between the
> systems I have even copied the audit.rules file from systems that were
> auditing right to systems that were not. But this has not resolved the
> auditing problem.
>
> HELP!
>
> Thank you!
>
> Starr
>
>
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAksY65UACgkQyjMdFR1108DMmwCePtILlhUsKjwrEZQi2Dw2wwmt
aJsAn3uJtMYXDzB/w2Pq6grvIuuQJ9gE
=qFmA
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2009-12-04 10:59 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-11-25 16:57 Audit Log not capturing access to security related files Starr-Renee Corbin
2009-11-30 18:37 ` Steve Grubb
2009-12-04 10:59 ` Trevor Vaughan
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox