The Defense Security Services' (DSS) National Industrial Security Program Operating Manual (NISPOM) require collection of specific audit events.

System Access: (This works)

Logon:Successful|Failed
Logoff:Successful:Failed
Account Lockout (due to too many failed attempts):Successful Passwd Change:Successful Useradd:successful Userdel:successful

-----------------------


Unauthorized File Access: (This does not work)

Rmdir,mkdir,mv,cp,rm,chmod,chown,ulink,link,etc:Failed


I need to be able to ausearch and find if any of the above failed attempts exist. However, upon testing any and all of the above, a failed audit does not appear in the /var/log/audit/audit.log file. Supposedly, the nispom.rules file that comes with Red Hat is designed to accomplish this requirement.

The nispom.rules file was copied from /usr/share/doc/audit-1.5.5/nispom.rules to /etc/audit/audit.rules and has NOT been modified.

Our audit version is: audit-1.5.5-7.el5. We verified that the audit.rules files is being read by placing a syntax error in the file. An error message was returned which confirms that the file is being read.

If you grep -i for the necessary syscallnames or numbers: are they all in the rule file? No odd names like "-S mkdirat -S mknodat -S linkat -S symlinkat"? At least I can't remember syscallnames having "at" affixed but I got that from looking at http://svn.fedorahosted.org/svn/audi...b/nispom.rules so only that file may be wrong...