NISPOM audit requirement "failed access to objects" won't work - RHEL5 Update 1
The Defense Security Service's (DSS) National Industrial Security Program Operating Manual (NISPOM) requires collection of specific audit events.
System Access: (This works)
Logon: Successful|Failed
Logoff: Successful|Failed
Account Lockout (due to too many failed attempts): Successful
Passwd Change: Successful
Useradd: Successful
Userdel: Successful
-----------------------
Unauthorized File Access: (This does not work)
rmdir, mkdir, mv, cp, rm, chmod, chown, unlink, link, etc.: Failed
I need to be able to ausearch and find if any of the above failed attempts exist. However, upon testing any and all of the above, a failed audit does not appear in the /var/log/audit/audit.log file. Supposedly, the nispom.rules file that comes with Red Hat is designed to accomplish this requirement.
The nispom.rules file was copied from /usr/share/doc/audit-1.5.5/nispom.rules to /etc/audit/audit.rules and has NOT been modified.
Our audit version is: audit-1.5.5-7.el5. We verified that the audit.rules file is being read by placing a syntax error in the file. An error message was returned, which confirms that the file is being read.
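One way to confirm what the raw log actually holds, independent of ausearch: an added Python example (not part of the original post and not Red Hat's tooling) that parses audit.log lines, joins the SYSCALL and PATH records of one event by its serial number, and lists only the operations with success=no. The syscall-number table assumes x86_64 (arch=c000003e; i386 numbers differ), and the sample log lines are constructed, not taken from a real system.

```python
import re
from collections import OrderedDict

# Assumed x86_64 syscall numbers for the file operations NISPOM cares about.
SYSCALLS = {"2": "open", "82": "rename", "83": "mkdir", "84": "rmdir",
            "86": "link", "87": "unlink", "90": "chmod", "92": "chown"}
# Raw audit.log stores exit as -errno for a failed call (ausearch -i decodes it).
ERRNO = {"-1": "EPERM", "-2": "ENOENT", "-13": "EACCES", "-17": "EEXIST"}

HEADER = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one raw audit.log line into (type, serial, {field: value}); None if unparseable."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, _ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
    return rtype, serial, fields

def failed_file_ops(lines):
    """Join SYSCALL and PATH records by serial and keep only events with success=no."""
    events = OrderedDict()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, serial, f = rec
        ev = events.setdefault(serial, {"paths": []})
        if rtype == "SYSCALL":
            ev.update(syscall=SYSCALLS.get(f.get("syscall"), f.get("syscall")),
                      success=f.get("success"), errno=ERRNO.get(f.get("exit"), f.get("exit")),
                      auid=f.get("auid"), uid=f.get("uid"), comm=f.get("comm"), exe=f.get("exe"))
        elif rtype == "PATH":
            ev["paths"].append(f.get("name"))
    return [dict(serial=s, **e) for s, e in events.items() if e.get("success") == "no"]

# Constructed sample: auid 500 fails to unlink /etc/shadow (EACCES), then removes a /tmp file.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1181234567.123:456): arch=c000003e syscall=87 success=no exit=-13 a0=7fff items=2 ppid=3001 pid=3002 auid=500 uid=500 gid=500 euid=500 comm="rm" exe="/bin/rm" key="nispom"
type=CWD msg=audit(1181234567.123:456):  cwd="/home/alice"
type=PATH msg=audit(1181234567.123:456): item=0 name="/etc" inode=2 dev=fd:00 mode=040755 ouid=0 ogid=0
type=PATH msg=audit(1181234567.123:456): item=1 name="/etc/shadow" inode=17 dev=fd:00 mode=0100400 ouid=0 ogid=0
type=SYSCALL msg=audit(1181234568.001:457): arch=c000003e syscall=87 success=yes exit=0 a0=7fff items=2 ppid=3001 pid=3003 auid=500 uid=500 gid=500 euid=500 comm="rm" exe="/bin/rm" key="nispom"
type=PATH msg=audit(1181234568.001:457): item=1 name="/tmp/scratch" inode=99 dev=fd:00 mode=0100644 ouid=500 ogid=500
""".splitlines()

if __name__ == "__main__":
    for ev in failed_file_ops(SAMPLE_LOG):
        print(ev["serial"], ev["syscall"], ev["errno"], "auid=" + ev["auid"], ev["comm"], ev["paths"])
```

Run it against a real /var/log/audit/audit.log instead of SAMPLE_LOG; an empty result for a file operation you know was denied means the kernel never emitted the SYSCALL record, i.e. the rule did not match, rather than a search problem.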