LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Red Hat
User Name
Password
Red Hat This forum is for the discussion of Red Hat Linux.

Notices


Reply
  Search this Thread
Old 05-14-2009, 09:53 AM   #1
p3t0rt
LQ Newbie
 
Registered: May 2009
Posts: 2

Rep: Reputation: 0
NISPOM audit requirement "failed access to objects" won't work-RHEL5 update1


The Defense Security Services' (DSS) National Industrial Security Program Operating Manual (NISPOM) require collection of specific audit events.

System Access: (This works)

Logon:Successful|Failed
Logoff:Successful:Failed
Account Lockout (due to too many failed attempts):Successful Passwd Change:Successful Useradd:successful Userdel:successful

-----------------------


Unauthorized File Access: (This does not work)

Rmdir,mkdir,mv,cp,rm,chmod,chown,ulink,link,etc:Failed


I need to be able to ausearch and find if any of the above failed attempts exist. However, upon testing any and all of the above, a failed audit does not appear in the /var/log/audit/audit.log file. Supposedly, the nispom.rules file that comes with Red Hat is designed to accomplish this requirement.

The nispom.rules file was copied from /usr/share/doc/audit-1.5.5/nispom.rules to /etc/audit/audit.rules and has NOT been modified.

Our audit version is: audit-1.5.5-7.el5. We verified that the audit.rules files is being read by placing a syntax error in the file. An error message was returned which confirms that the file is being read.
 
Old 05-14-2009, 11:36 AM   #2
*******
Member
 
Registered: Feb 2009
Posts: 63

Rep: Reputation: 16
If you grep -i for the necessary syscallnames or numbers: are they all in the rule file? No odd names like "-S mkdirat -S mknodat -S linkat -S symlinkat"? At least I can't remember syscallnames having "at" affixed but I got that from looking at http://svn.fedorahosted.org/svn/audi...b/nispom.rules so only that file may be wrong...
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
"failed to execute child process" "Input/output error" fl.bratu Fedora 4 12-15-2008 04:03 AM
"Failed Dependency error" while installing RPM for "DateTime" perl modules giridhargopal.cj Linux - Newbie 7 11-19-2008 12:05 AM
Any way to get "Alice"; "Call of Duty" series and "Descent 3" to work? JBailey742 Linux - Games 13 06-23-2006 01:34 PM
does failed using urpmi messed up my "Install Software" / "mandrake update" ??? sirpelidor Mandriva 1 11-02-2003 09:00 PM
Config problem: "Authorization failed: server rejected access" -- help please! womble_timsk Linux - Networking 0 05-22-2003 04:09 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Red Hat

All times are GMT -5. The time now is 12:07 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration