From: Trevor Vaughan <peiriannydd@gmail.com>
To: Starr-Renee Corbin <corbin@arlut.utexas.edu>
Cc: linux-audit <Linux-audit@redhat.com>
Subject: Re: Audit Log not capturing access to security related files
Date: Fri, 04 Dec 2009 05:59:37 -0500 [thread overview]
Message-ID: <4B18EB99.3060901@gmail.com> (raw)
In-Reply-To: <F290A936-757A-4DF5-BFB6-DA8F77864591@arlut.utexas.edu>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Starr,
The default rule set that comes with RHEL5 will not function properly on
a 32 bit system. It will, however, function properly on a 64 bit system.
If you have a mix of architectures, this may be your problem.
To fix it for the 32 bit systems, try the following:
sed -e '/arch=b64/d' /etc/audit/audit.rules > audit.rules.32
and use the resulting file as your primary audit rule set.
Trevor
On 11/25/2009 11:57 AM, Starr-Renee Corbin wrote:
> Hello,
>
> I am required (by NISPOM) to audit access to security related files. I
> am essentially using the nispom audit.rules provided by rhel5 to
> accomplish this.
>
> However, some of my systems are capturing access to /etc/shadow and some
> of my systems are not (when looking in /var/log/audit/audit.log.
>
> Worried that I might have differing audit.rules files between the
> systems I have even copied the audit.rules file from systems that were
> auditing right to systems that were not. But this has not resolved the
> auditing problem.
>
> HELP!
>
> Thank you!
>
> Starr
>
>
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAksY65UACgkQyjMdFR1108DMmwCePtILlhUsKjwrEZQi2Dw2wwmt
aJsAn3uJtMYXDzB/w2Pq6grvIuuQJ9gE
=qFmA
-----END PGP SIGNATURE-----
prev parent reply other threads:[~2009-12-04 10:59 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-11-25 16:57 Audit Log not capturing access to security related files Starr-Renee Corbin
2009-11-30 18:37 ` Steve Grubb
2009-12-04 10:59 ` Trevor Vaughan [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4B18EB99.3060901@gmail.com \
--to=peiriannydd@gmail.com \
--cc=Linux-audit@redhat.com \
--cc=corbin@arlut.utexas.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox