rhel5 server auditing
I've been working on getting my RHEL5 system to perform successful auditing. The workstations work fine, but the servers do not. I get errors when I restart the auditd daemon. It restarts, however it states that there's error in line 102...specifically the "arch=ARCH machine type not found". I'm not familiar with this error nor can I find anything out there. Even when I comment all of these out I still get "There's an error in /etc/audit/audit.rules". I've only been working with auditing for a short time. Any help would be great!
Code:
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
#
#last updated 09SEP10
#
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 16384
# Feel free to add below this line. See auditctl man page
# Failure of auditd causes a kernel panic and halts system if sets to 2
-f 1
# Enable auditing
-e 1
# Audit1: audit accesses to security relevant files
# watch passwd databases
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/group -p wa
# pam configuration
-w /etc/pam.d
# auditd configuration
-w /etc/auditd.conf
-w /etc/audit.rules
-w /etc/audit/auditd.conf
-w /etc/audit/audit.rules
# watch system log files
-w /var/log/messages
-w /var/log/audit/audit.log
-w /var/log/audit/audit[1-4].log
# watch audit subsystem's configuration files
-w /etc/auditd.conf -p wa
-w /etc/audit.rules -p wa
# SELinux configuration
-w /etc/selinux/config -p wa
# login records
-w /var/log/lastlog
-w /var/log/faillog
# login configuration
-w /etc/login.defs
# init configuration
-w /etc/rc.d/init.d
-w /etc/inittab -p wa
# sshd configuration settings
-w /etc/ssh/sshd_config
# audit creating new directories
-a exit,always -S mkdir -F auid!=0
# audit chmod,chown for non-root users
-a exit,always -S chmod -S fchmod -F auid!=0
-a exit,always -S chown -S fchown -S lchown -F auid!=0
# changes to security labels
-a exit,always -S setxattr -S lsetxattr -S fsetxattr
-a exit,always -S removexattr -S lremovexattr -S fremovexattr
#inserted 09052010
# privileged commands
-a exit,always -S chroot -S mount -S umount -S umount2 -S adjtimex -S kill
-a entry,always -S chmod
-a entry,always -S fchmod
-a entry,always -S chown
#-a entry,always -S chown32
-a entry,always -S fchown
#-a entry,always -S fchown32
-a entry,always -S lchown
-a entry,always -S umask
# system administration actions
# these two lines could be the cause of problems with filling audit logs and preventing system usage after installation
-w /etc/audit/auditd.conf -p wa
-w /etc/audit/audit.rules -p wa
-a exit,always -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setdomainname -S setrlimit -S settimeofday -S stime -S swapon
# security personnel actions
-a exit,always -S init_module -S delete_module -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr
-w /bin/su
#record events that modify the system's date or time
-a always,exit -F arch=ARCH -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=ARCH -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
#record events that modify accounts on the system
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
#record events that modify network settings
-a exit,always -F arch=ARCH -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
#record events that modify MAC policy
-w /etc/selinux/ -p wa -k MAC-policy
#record logon and logout events
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
#record process and session information
#THIS MAY INCREASE LOG SIZE
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
#record file permission changes for all users and root
-a always,exit -F arch=ARCH -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=ARCH -S chown -S fchown -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=ARCH -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
#record unauthorized file accesses
-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
#record execution of privileged commands
-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
#record media exportation events
-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export
#record file deletion events
-a always,exit -F arch=ARCH -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
#record system administrator actions
-w /etc/sudoers -p wa -k actions
#Critical system files and directories
-w /var/log/audit/
-w /etc/ntp.conf
-w /etc
-w /var/spool/at
-w /etc/at.allow
-w /etc/at.deny
-w /etc/cron.deny
-w /etc/cron.d/
-w /etc/cron.daily/
-w /etc/cron.hourly/
-w /etc/cron.monthly/
-w /etc/cron.weekly/
-w /etc/crontab
-w /etc/anacrontab
-w /etc/group
-w /etc/passwd
-w /etc/gshadow
-w /etc/shadow
-w /etc/security/opasswd
-w /etc/sudoers
-w /etc/securetty
-w /etc/shells
-w /etc/profile
-w /etc/bashrc
-w /etc/csh.cshrc
-w /etc/csh.login
-w /etc/hosts
-w /etc/sysconfig/
-w /etc/inittab
-w /etc/rc.d/init.d/auditd
-w /etc/rc.local
-w /etc/rc.sysinit
-w /etc/xinetd.d/
-w /etc/ld.so.conf
-w /etc/ld.so.conf.d/
-w /etc/localtime
-w /etc/sysctl.conf
-w /etc/modprobe.conf
-w /etc/pam_smb.conf
-w /etc/aliases
-w /etc/mail/access
-w /etc/mail/access.db
-w /etc/mail/domaintable
-w /etc/mail/domaintable.db
-w /etc/mail/helpfile
-w /etc/mail/local-host-names
-w /etc/mail/mailertable
-w /etc/mail/mailertable.db
-w /etc/mail/Makefile
-w /etc/mail/sendmail.cf
-w /etc/mail/sendmail.mc
-w /etc/mail/submit.cf
-w /etc/mail/submit.mc
-w /etc/mail/trusted-users
-w /etc/mail/virtusertable
-w /etc/mail/virtusertable.db
-w /etc/httpd/conf/
-w /etc/httpd/conf.d/
-w /etc/issue
-w /etc/issue.net
-w /etc/samba/smb.conf
-w /etc/syslog.conf
-w /etc/resolv.conf
-w /etc/nsswitch.conf
-w /etc/host.conf
-w /etc/yp.conf
-w /var/yp/binding
-w /etc/ldap.conf
-w /etc/krb5.conf
-w /etc/initlog.conf
-w /etc/default/
-w /etc/firmware/microcode.dat
-w /etc/fstab
-w /etc/auto.master
-w /etc/auto.misc
-w /etc/hosts.allow
-w /etc/hosts.deny
-w /etc/exports
|