* Status of /etc/audit/filter.conf
@ 2007-04-23 20:09 Aaron Lippold
2007-04-23 20:38 ` Matthew Booth
2007-04-25 20:35 ` Bill Tangren
0 siblings, 2 replies; 3+ messages in thread
From: Aaron Lippold @ 2007-04-23 20:09 UTC (permalink / raw)
To: linux-audit
Hello All,
Silly question 1:
I have a security checking script that is complaining that my system
is not able to audit all discretionary access to control permission
modifications.
To verify this it is looking for /etc/audit/filter.conf
Is this still the correct place to look on RHEL4/5? I'd assume not
since I can't find a man page on audit-filter.conf anymore.
Silly Question 2:
If not, where and how would I add this feature to my audit configuration?
Thanks,
Aaron
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Status of /etc/audit/filter.conf
2007-04-23 20:09 Status of /etc/audit/filter.conf Aaron Lippold
@ 2007-04-23 20:38 ` Matthew Booth
2007-04-25 20:35 ` Bill Tangren
1 sibling, 0 replies; 3+ messages in thread
From: Matthew Booth @ 2007-04-23 20:38 UTC (permalink / raw)
To: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 1349 bytes --]
On Mon, 2007-04-23 at 16:09 -0400, Aaron Lippold wrote:
> I have a security checking script that is complaining that my system
> is not able to audit all discretionary access to control permission
> modifications.
>
> To verify this it is looking for /etc/audit/filter.conf
>
> Is this still the correct place to look on RHEL4/5? I'd assume not
> since I can't find a man page on audit-filter.conf anymore.
filter.conf was a LAuS configuration file, which is no longer used.
Auditing in RHEL4 and RHEL 5 is entirely unrelated to LAuS. The
approximately corresponding information is in /etc/audit.rules (RHEL4)
or /etc/audit/audit.rules (RHEL5) iirc.
> If not, where and how would I add this feature to my audit configuration?
That really depends what 'discretionary access to control permission
modifications' actually means to the person who wrote it ;) I'm guessing
it refers to auditing the chmod family of system calls, in which case
you would add the following line to /etc/audit/audit.rules in RHEL 5:
-a entry,always -S chmod -S fchmod
and start the audit daemon. These calls will then be logged
in /var/log/audit.log.
Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
[-- Attachment #1.2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Status of /etc/audit/filter.conf
2007-04-23 20:09 Status of /etc/audit/filter.conf Aaron Lippold
2007-04-23 20:38 ` Matthew Booth
@ 2007-04-25 20:35 ` Bill Tangren
1 sibling, 0 replies; 3+ messages in thread
From: Bill Tangren @ 2007-04-25 20:35 UTC (permalink / raw)
Cc: linux-audit
Aaron Lippold wrote:
> Hello All,
>
> Silly question 1:
>
> I have a security checking script that is complaining that my system
> is not able to audit all discretionary access to control permission
> modifications.
>
> To verify this it is looking for /etc/audit/filter.conf
>
> Is this still the correct place to look on RHEL4/5? I'd assume not
> since I can't find a man page on audit-filter.conf anymore.
>
> Silly Question 2:
>
> If not, where and how would I add this feature to my audit configuration?
>
> Thanks,
>
> Aaron
The Linux SRR script you are referring to (GEN002800, I think) was broken as of
the January version of the SRR. They might have fixed it in the March version, I
don't know.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2007-04-25 20:35 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-04-23 20:09 Status of /etc/audit/filter.conf Aaron Lippold
2007-04-23 20:38 ` Matthew Booth
2007-04-25 20:35 ` Bill Tangren
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox