* AUDIT Rules
@ 2007-05-23 19:04 Paul Whitney
2007-05-23 19:10 ` Steve Grubb
2007-05-24 23:31 ` Mike Nixon
0 siblings, 2 replies; 4+ messages in thread
From: Paul Whitney @ 2007-05-23 19:04 UTC (permalink / raw)
To: linux-audit
Can someone tell me what the correct syntax is for successfully or unsuccessfully
modifying a file using the chmod command? I have:
-a exit,possible -S chmod -F success=0 -F success!=0
-a exit,possible -S fchmod -F success=0 -F success!=0
But I am not able to audit the event. As a regular user I try to change the
permissions of /etc/shadow. The action fails (as expected) but does not get
audited.
Any suggestions are greatly appreciated.
Paul Whitney
Information Systems Solutions
paul.whitney@mac.com
* Re: AUDIT Rules
From: Steve Grubb @ 2007-05-23 19:10 UTC (permalink / raw)
To: linux-audit
On Wednesday 23 May 2007 15:04, Paul Whitney wrote:
> -a exit,possible -S chmod -F success=0 -F success!=0
> -a exit,possible -S fchmod -F success=0 -F success!=0
-a exit,always -S chmod -S fchmod -F success=0
You can combine the syscalls into 1 rule.
-Steve
* RE: AUDIT Rules
From: Curtis, TS Troy @ IS @ 2007-05-24 13:03 UTC (permalink / raw)
To: linux-audit
I believe it is important to also note that the field values:
-F success=0 -F success!=0
effectively disable the rule. A rule is generated if ALL the
expressions match. This set of rules says "generate an event when the
call is BOTH successful AND unsuccessful", which of course cannot happen.
If your desire is to have all chmod and fchmod calls, both successful and
unsuccessful, just leave off the '-F' fields.
Note that Steve's rule only monitors *unsuccessful* chmod and fchmod
calls.
Troy Curtis, Jr.
* RE: AUDIT Rules
From: Mike Nixon @ 2007-05-24 23:31 UTC (permalink / raw)
To: 'Paul Whitney', linux-audit
Change the word possible to always and restart your auditd daemon.
i.e.
-a exit,always -S chmod -F success=0 -F success!=0
-a exit,always -S fchmod -F success=0 -F success!=0
Mike Nixon, CISSP
LTC Engineering Assoc.
nixon@ltceng.com
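A small static checker for the three rule sets posted in this thread, added here as an example and not code from any of the posters. It encodes Troy's point that every -F expression on one rule is ANDed (so success=0 together with success!=0 can never match) and Mike's point that the action should be 'always'; it parses only the -a, -S and -F options these messages use and needs neither root nor a running auditd.

```python
"""Checker for the auditctl rules in this thread (added example, not from the posters).
All -F expressions on one rule are ANDed, so '-F success=0 -F success!=0' can never
match; the thread also says the action must be 'always', not 'possible'."""
import shlex
from dataclasses import dataclass, field

# -F comparison operators, two-character ones first so '!=' is not read as '='.
_OPS = ("!=", ">=", "<=", "&=", "=", ">", "<", "&")

@dataclass
class Rule:
    lst: str                                    # filter list, e.g. 'exit'
    action: str                                 # 'always', 'never' or 'possible'
    syscalls: list = field(default_factory=list)
    fields: list = field(default_factory=list)  # (name, op, value) triples

def parse_rule(line):
    """Parse one '-a list,action [-S sys]... [-F expr]...' rule line."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-a" or "," not in toks[1] or len(toks) % 2:
        raise ValueError("expected '-a list,action' plus option/argument pairs: %r" % line)
    rule = Rule(*toks[1].split(",", 1))
    for opt, arg in zip(toks[2::2], toks[3::2]):
        if opt == "-S":
            rule.syscalls.append(arg)
        elif opt == "-F":
            op = next((o for o in _OPS if o in arg), None)
            if op is None:
                raise ValueError("bad -F expression: %r" % arg)
            name, value = arg.split(op, 1)
            rule.fields.append((name, op, value))
        else:
            raise ValueError("unsupported option %r" % opt)
    return rule

def problems(rule):
    """Return the reasons (strings) why the rule can never fire as intended."""
    out = []
    if rule.action == "possible":
        out.append("action 'possible': the thread says to use 'always'")
    by_name = {}
    for name, op, value in rule.fields:
        by_name.setdefault(name, []).append((op, value))
    for name, exprs in by_name.items():
        eq = {v for op, v in exprs if op == "="}
        ne = {v for op, v in exprs if op == "!="}
        if len(eq) > 1 or eq & ne:  # two '=' values, or '=' and '!=' on the same value
            out.append("-F %s: %d ANDed constraints can never all match" % (name, len(exprs)))
    return out
```

Run against the thread's rules, Paul's lines report two problems, Mike's one, and Steve's combined `-S chmod -S fchmod -F success=0` none.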