From: Steve Grubb
Subject: Re: STIG issue with auditctl -l
Date: Thu, 20 Nov 2014 11:10:55 -0500
Message-ID: <2556417.QbYXNFcFXW@x2>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday, November 20, 2014 10:42:04 AM leam hall wrote:
> The RHEL 6 STIG says:
>
> auditctl -l | grep syscall | grep chmod

This is a forensics check of the system. A configuration scan should do

cat /etc/audit/audit.rules

> Should return lines referring to chmod. Those lines are in my
> audit.rules. Just doing an:
>
> auditctl -l | grep syscall

The format of the output changed. But the STIG is not right for mixing a
forensics check with a configuration check. If you really needed to do a
check using auditctl, then use this:

auditctl -l | grep chmod

Just grep on the syscall and leave system out of it. You should have never
needed it unless

-Steve
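
An added example, not part of the original message: a check that does not depend on the `auditctl -l` output format, so the same test works on the loaded rules and on `/etc/audit/audit.rules`. The function name and the two sample lines are constructed; the older `syscall=` listing layout and the newer `-S` layout are assumptions about what the two formats look like.

```shell
#!/bin/sh
# rule_covers_syscall NAME
# Reads audit rules on stdin and returns 0 if any rule names syscall NAME.
# Accepts both layouts (assumed): "syscall=a,b" and "-S a,b".
# Names are compared exactly, so "chmod" is not satisfied by "fchmod" alone.
rule_covers_syscall() {
    awk -v want="$1" '
        /^[[:space:]]*#/ { next }                  # skip comments in audit.rules
        {
            list = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-S" && i < NF)
                    list = list "," $(i + 1)       # rule-syntax layout
                else if ($i ~ /^syscall=/)
                    list = list "," substr($i, 9)  # older listing layout
            }
            n = split(list, s, ",")
            for (j = 1; j <= n; j++)
                if (s[j] == want) { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample lines, one per layout.
OLD_FORMAT='LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) key=perm_mod syscall=chmod,fchmod'
NEW_FORMAT='-a always,exit -F arch=b64 -S chmod,fchmod -F auid>=500 -F key=perm_mod'
FCHMOD_ONLY='-a always,exit -F arch=b64 -S fchmod -F key=perm_mod'

# Configuration check:   rule_covers_syscall chmod < /etc/audit/audit.rules
# Loaded-rules check:    auditctl -l | rule_covers_syscall chmod
```

Running both forms and comparing the exit codes shows whether the rules on disk and the rules loaded in the kernel agree.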