From: Trevor Vaughan
Subject: Re: Audit Log not capturing access to security related files
Date: Fri, 04 Dec 2009 05:59:37 -0500
Message-ID: <4B18EB99.3060901@gmail.com>
To: Starr-Renee Corbin
Cc: linux-audit
List-Id: linux-audit@redhat.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Starr,

The default rule set that comes with RHEL5 will not function properly on a 32 bit system. It will, however, function properly on a 64 bit system.

If you have a mix of architectures, this may be your problem.

To fix it for the 32 bit systems, try the following:

    sed -e '/arch=b64/d' /etc/audit/audit.rules > audit.rules.32

and use the resulting file as your primary audit rule set.

Trevor

On 11/25/2009 11:57 AM, Starr-Renee Corbin wrote:
> Hello,
>
> I am required (by NISPOM) to audit access to security related files. I
> am essentially using the nispom audit.rules provided by rhel5 to
> accomplish this.
>
> However, some of my systems are capturing access to /etc/shadow and some
> of my systems are not (when looking in /var/log/audit/audit.log).
>
> Worried that I might have differing audit.rules files between the
> systems I have even copied the audit.rules file from systems that were
> auditing right to systems that were not. But this has not resolved the
> auditing problem.
>
> HELP!
>
> Thank you!
>
> Starr
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAksY65UACgkQyjMdFR1108DMmwCePtILlhUsKjwrEZQi2Dw2wwmt
aJsAn3uJtMYXDzB/w2Pq6grvIuuQJ9gE
=qFmA
-----END PGP SIGNATURE-----
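
For a fleet with mixed architectures, the sed filter from the reply above can be applied only where it is needed and the result checked before it is installed. This is an added example, not part of the original message: the function names and the sample rules are constructed for illustration, and only the x86 `uname -m` values i386 through i686 are treated as 32-bit.

```shell
#!/bin/sh
# Added example (not from the original thread): pick the audit rule set
# by machine architecture instead of copying one file to every host.

# filter_rules_for_machine MACHINE RULES_FILE
#   MACHINE is the output of `uname -m`, passed in so the function can be
#   exercised for any architecture. Assumption: i386..i686 mean 32-bit x86.
filter_rules_for_machine() {
    case "$1" in
        i?86)
            # 32-bit host: drop every rule pinned to the 64-bit syscall
            # table, the same filter as the sed command in the reply.
            sed -e '/arch=b64/d' "$2"
            ;;
        *)
            # 64-bit host: the rule set is used unchanged.
            cat "$2"
            ;;
    esac
}

# count_b64: number of lines on stdin that still reference arch=b64.
# grep -c exits non-zero on zero matches, so mask that for `set -e` callers.
count_b64() {
    grep -c 'arch=b64' || true
}

# write_sample_rules FILE: constructed sample, not the real RHEL5 rule file.
write_sample_rules() {
    cat > "$1" <<'EOF'
-D
-b 8192
-a exit,always -F arch=b32 -S open -F exit=-EACCES -k access
-a exit,always -F arch=b64 -S open -F exit=-EACCES -k access
-w /etc/shadow -p wa -k auth
EOF
}

# Demo: show what a 32-bit host would load from the sample.
demo_rules=$(mktemp)
write_sample_rules "$demo_rules"
echo "rules for i686:"
filter_rules_for_machine i686 "$demo_rules"
echo "arch=b64 rules left: $(filter_rules_for_machine i686 "$demo_rules" | count_b64)"
rm -f "$demo_rules"
```

On a real host the call would be `filter_rules_for_machine "$(uname -m)" /etc/audit/audit.rules`, with the output written to a new file and reviewed before it replaces the active rule set.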