* RHEL 4, Auditing
From: List Quest @ 2010-07-20 12:04 UTC (permalink / raw)
To: linux-audit
Hi All;
I am trying RHEL 4.x series auditing.
Example:
Audit version: audit-1.0.15-3.EL4
-w /root -p w
This config line was added to audit.rules, but this config watches only "/root"
directory writes. It does not watch "/root/Desktop", "/root/test", etc...
I can't do a recursive directory watch, like with audit version audit-1.7.17-3.
How can I do this?
Thank you
Best Regards.
* Re: RHEL 4, Auditing
From: Steve Grubb @ 2010-07-20 12:24 UTC (permalink / raw)
To: linux-audit
On Tuesday, July 20, 2010 08:04:02 am List Quest wrote:
> I am trying RHEL 4.x series auditing.
>
> Example:
> Audit version: audit-1.0.15-3.EL4
>
> -w /root -p w
>
> This config line was added to audit.rules, but this config watches only "/root"
> directory writes. It does not watch "/root/Desktop", "/root/test", etc...
>
> I can't do a recursive directory watch, like with audit version audit-1.7.17-3.
>
> How can I do this?
That is correct. The first iteration of the audit system has some limitations
that were fixed over time. For example, another thing you cannot do on the
older kernels is add a key to syscall rules.
-Steve
* Re: RHEL 4, Auditing
From: List Quest @ 2010-07-20 12:53 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
Hi;
OK. For example, to watch the /root directory and its subdirectories:
The only thing I can do is scan the /root directory recursively (find /root/ -type d) and add
all the resulting lines to the audit.rules file.
Is this technique correct?
Best Regards
On Tue, Jul 20, 2010 at 3:24 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Tuesday, July 20, 2010 08:04:02 am List Quest wrote:
> > I am trying RHEL 4.x series auditing.
> >
> > Example:
> > Audit version: audit-1.0.15-3.EL4
> >
> > -w /root -p w
> >
> > This config line was added to audit.rules, but this config watches only "/root"
> > directory writes. It does not watch "/root/Desktop", "/root/test", etc...
> >
> > I can't do a recursive directory watch, like with audit version audit-1.7.17-3.
> >
> > How can I do this?
>
> That is correct. The first iteration of the audit system has some limitations
> that were fixed over time. For example, another thing you cannot do on the
> older kernels is add a key to syscall rules.
>
> -Steve
>
* Re: RHEL 4, Auditing
From: Steve Grubb @ 2010-07-20 13:00 UTC (permalink / raw)
To: List Quest; +Cc: linux-audit
On Tuesday, July 20, 2010 08:53:43 am List Quest wrote:
> For example, to watch the /root directory and its subdirectories:
>
> The only thing I can do is scan the /root directory recursively (find root -type d) and add
> all the resulting lines to the audit.rules file.
>
> Is this technique correct?
Yes, you can do that.
-Steve
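
The approach confirmed above (enumerate the directories with find and write one watch line per result), as an added example that is not part of the thread. `gen_watch_rules` is a hypothetical helper name, and skipping paths that contain whitespace assumes the rules file is split on whitespace.

```shell
# Added example, not from the thread. gen_watch_rules is a hypothetical name.
# Prints one "-w DIR -p PERMS" line per directory under DIR, for appending
# to audit.rules on an audit version without recursive directory watches.
gen_watch_rules() {
    root=${1:?usage: gen_watch_rules DIR [PERMS]}
    perms=${2:-w}                      # same permission as the rule in the thread
    # Drop a trailing slash so "/root/" and "/root" yield identical rule lines.
    [ "$root" != "/" ] && root=${root%/}
    # sort -u guarantees a single rule line per path.
    find "$root" -type d 2>/dev/null | LC_ALL=C sort -u |
    while IFS= read -r dir; do
        # A directory name containing a newline is split by read; the
        # fragments are not real directories and are dropped here.
        [ -d "$dir" ] || continue
        case $dir in
            *[[:space:]]*)
                # Assumption: a path with whitespace cannot be written as a
                # single rule field, so report it instead of emitting a
                # rule that would watch the wrong path.
                printf 'skipped (whitespace in path): %s\n' "$dir" >&2
                continue
                ;;
        esac
        printf '%s %s -p %s\n' -w "$dir" "$perms"
    done
}
```

The generated list is a snapshot: a directory created afterwards is not watched until the rules are regenerated and reloaded.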
* Re: RHEL 4, Auditing
From: List Quest @ 2010-07-20 13:43 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
Hi,
Thank you for your reply.
Best Regards.
On Tue, Jul 20, 2010 at 4:00 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Tuesday, July 20, 2010 08:53:43 am List Quest wrote:
> > For example, to watch the /root directory and its subdirectories:
> >
> > The only thing I can do is scan the /root directory recursively (find root -type d) and add
> > all the resulting lines to the audit.rules file.
> >
> > Is this technique correct?
>
> Yes, you can do that.
>
> -Steve
>
* Re: RHEL 4, Auditing
From: List Quest @ 2010-07-20 13:54 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
Hi;
A second shortcoming in configuration.
RHEL 5.x can configure a watch on one directory for all permissions and use a key
name.
Example:
-w /root -p w -k writing
-w /root -p r -k reading
...
But RHEL 4.x can't do this. For one directory watch, only one rule line is
accepted.
RHEL 4.x can't watch all permissions and use the key functionality.
Error: ( Error sending watch insert request (File exists) )
Is this correct? And how can I fix this issue?
Thank you, and sorry for my serial posts.
Best Regards.
On Tue, Jul 20, 2010 at 4:00 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Tuesday, July 20, 2010 08:53:43 am List Quest wrote:
> > For example, to watch the /root directory and its subdirectories:
> >
> > The only thing I can do is scan the /root directory recursively (find root -type d) and add
> > all the resulting lines to the audit.rules file.
> >
> > Is this technique correct?
>
> Yes, you can do that.
>
> -Steve
>