From: Bill Tangren
Subject: Re: trouble with a number of audit rules
Date: Mon, 29 Jan 2007 17:33:10 -0500
Message-ID: <45BE7626.6090108@aa.usno.navy.mil>
References: <45BE6DDD.6080008@aa.usno.navy.mil> <200701291715.35261.sgrubb@redhat.com>
In-Reply-To: <200701291715.35261.sgrubb@redhat.com>
To: linux-audit@redhat.com

Steve Grubb wrote:
> On Monday 29 January 2007 16:57, Bill Tangren wrote:
>> 1)
>> # Ensures that any reads of the audit log by the current user that's logged is
>> # audited. It might be beneficial to create a rule for each of the 5 logs
>> # that are generated.
>>
>> RULE:
>> -w /var/log/audit/audit.log -p r -F auid=-1

This is in the capp.rules too.

>
> On RHEL4, syscall auditing and file system auditing cannot be mixed on the
> same line. Watches can only take -p & -k parameters.
>
>> 2)
>> # Ensures that any user who mounts or unmounts a device is audited
>>
>> RULE:
>> -a exit,always -S mount -S umount
>
> Are you on x86_64? If so, you should use umount2. I believe this is documented
> in capp.rules.

Yes, x86_64. I missed this one in capp.rules. Damn.

>> 3)
>> # ensures auditing whenever the reboot command is sent to the kernel
>>
>> RULE:
>> -a always,entry -S socketcall -F a0=13
>
> x86_64? If so use the syscall, shutdown. (offhand, I don't know why you would
> need to audit shutdown.)
>
>> 4)
>> # Ensures auditing of any unauthorized access to roots home directory.
>>
>> RULE:
>> -w /root -p rw -F uid!=0

I'll have to think some more about how to do this one.

>
> see #1 above
>
>> 5)
>> #Ensure that failed use of the following system calls is audited
>>
>> RULE:
>> -a exit,always -S quotactl -S mount -S stime -S kill -S chroot -F success=0
>> -F auid=-1 -F auid=0
>
> stime is valid on i386. maybe settimeofday?

Yes, settimeofday worked.

>
> -Steve
>

Thanks, Steve.
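An added example, not from the thread or from the audit project: a small POSIX sh linter (hypothetical function `lint_audit_rules`) that flags, in a rules file, the RHEL4 and x86_64 pitfalls Steve points out above, so they are caught before the file is loaded with `auditctl -R`.

```shell
#!/bin/sh
# Lint an audit rules file for the problems raised in this thread:
#  - a -w watch combined with a -F field filter (watches take only -p and -k)
#  - -S umount on x86_64 (the kernel exposes umount2 there)
#  - -S stime on x86_64 (i386-only; settimeofday is the x86_64 equivalent)
#  - -S socketcall on x86_64 (i386 multiplexer; x86_64 has the real socket syscalls)
# Hypothetical helper, not part of auditctl or capp.rules.
# Usage: lint_audit_rules FILE  -> one warning per problem, returns 1 if any found
lint_audit_rules() {
    _found=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;          # skip blank lines and comments
        esac
        # Watches (-w) cannot be mixed with syscall-style -F filters on RHEL4.
        case "$line" in
            *"-w "*-F*|*-F*" -w "*)
                echo "watch mixes -F filter; express this as a syscall rule: $line"
                _found=1 ;;
        esac
        # Pad with spaces so " -S umount " does not also match " -S umount2 ".
        case " $line " in
            *" -S umount "*)
                echo "x86_64 has no 'umount' syscall, use umount2: $line"
                _found=1 ;;
        esac
        case " $line " in
            *" -S stime "*)
                echo "'stime' is i386-only, use settimeofday on x86_64: $line"
                _found=1 ;;
        esac
        case " $line " in
            *" -S socketcall "*)
                echo "'socketcall' is i386-only; audit the real syscall (e.g. shutdown) on x86_64: $line"
                _found=1 ;;
        esac
    done < "$1"
    return $_found
}
```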