Set SELinux to audit everithing?

geburah · 08-15-2006, 08:58 AM

Hello,

I run RHEL 4 2.6.9-22.ELsmp

I want to run SElinux in permisive mode but I want to audit as much as possible, not only the failed logins.

I want to log when users rename a file or try to rename a fine, copies, deletions, etc. And include root user as well.

Thanks in advance.

unSpawn · 08-15-2006, 10:29 AM

I want to log when users rename a file or try to rename a fine, copies, deletions, etc. And include root user as well.
Install LAuS ("audit" rpm AFAIK), check /etc/auditd.conf, add rules to /etc/audit.rules and run auditd.

geburah · 08-16-2006, 04:26 AM

Very well, I have audit running, but the audit.rules file only contains this:

cat /etc/audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.

# First rule - delete all
-D

# Feel free to add below this line. See auditctl man page

# Increase the buffers to survive stress events
-b 256

I have been searching for a way to include rules but I don't find a single example of it. I don't find templates or example rules.

What's in you audit.rules file?

Thanks for your answer.

geburah · 08-16-2006, 06:17 AM

well i found the capp.rules in the docuementation, which is a good start.

Thank you!

geburah · 08-16-2006, 10:50 AM

Does anyone know a viewer or reader for the audit.log files?

or

can someone help me reading this:

type=SYSCALL
msg=audit(1155702961.442:7338):
arch=40000003
syscall=195
success=yes
exit=0
a0=8112ca
a1=bff92ffc
a2=b5dff4
a3=bff92ffc
ite
ms=1
pid=1998
auid=4294967295
uid=0
gid=0
euid=0
suid=0
fsuid=0
egid=0
sgid=0
fsgid=0
comm="crond"
exe="/usr/sbin/crond"

Thanks

affekt · 08-06-2008, 05:56 AM

Quote:

Originally Posted by geburah

type=SYSCALL
msg=audit(1155702961.442:7338):
arch=40000003
syscall=195
success=yes
exit=0
a0=8112ca
a1=bff92ffc
a2=b5dff4
a3=bff92ffc
ite
ms=1
pid=1998
auid=4294967295
uid=0
gid=0
euid=0
suid=0
fsuid=0
egid=0
sgid=0
fsgid=0
comm="crond"
exe="/usr/sbin/crond"

You logged SYSCALL, which caught uid 0 (root) executing syscall 195 (stat64) through crond in process id 1998.

Or in human readable form: your cron daemon checked some file information.