On Mon, 2007-04-23 at 16:09 -0400, Aaron Lippold wrote:
> I have a security checking script that is complaining that my system
> is not able to audit all discretionary access to control permission
> modifications.
>
> To verify this it is looking for /etc/audit/filter.conf
>
> Is this still the correct place to look on RHEL4/5? I'd assume not
> since I can't find a man page on audit-filter.conf anymore.

filter.conf was a LAuS configuration file, which is no longer used.
Auditing in RHEL4 and RHEL 5 is entirely unrelated to LAuS. The
approximately corresponding information is in /etc/audit.rules (RHEL4)
or /etc/audit/audit.rules (RHEL5) iirc.

> If not, where and how would I add this feature to my audit configuration?

That really depends what 'discretionary access to control permission
modifications' actually means to the person who wrote it ;) I'm guessing
it refers to auditing the chmod family of system calls, in which case
you would add the following line to /etc/audit/audit.rules in RHEL 5:

-a entry,always -S chmod -S fchmod

and start the audit daemon. These calls will then be logged in
/var/log/audit.log.

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
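
Added example, not part of the original message: a static check that a rules file contains an always-audit rule for the chmod and fchmod calls named in the reply, which is what a compliance script could look for instead of filter.conf. The function names, status labels and sample rules are constructed for illustration; it reads rule text only and does not query the rules loaded in the kernel.

```python
import shlex

REQUIRED = ("chmod", "fchmod")  # the syscalls named in the reply

# Constructed sample rules file, not taken from a real system.
SAMPLE_RULES = """\
# sample audit.rules
-D
-b 8192
-a entry,always -S chmod -S fchmod
-a exit,always -S open -F uid=0
"""

def parse_rule(line):
    """Return (list_action, syscalls, filters) for an -a/-A rule, else None."""
    tokens = shlex.split(line, comments=True)
    list_action, syscalls, filters = None, set(), []
    i = 0
    while i < len(tokens) - 1:
        opt, val = tokens[i], tokens[i + 1]
        if opt in ("-a", "-A"):
            list_action = set(val.split(","))   # e.g. {"entry", "always"}
        elif opt == "-S":
            syscalls.update(val.split(","))     # -S may repeat or be comma-joined
        elif opt == "-F":
            filters.append(val)                 # field filter narrows the rule
        else:
            i += 1
            continue
        i += 2
    return None if list_action is None else (list_action, syscalls, filters)

def chmod_coverage(rules_text):
    """Map each required syscall to 'unfiltered', 'filtered' or 'missing'."""
    status = {name: "missing" for name in REQUIRED}
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        list_action, syscalls, filters = rule
        if "always" not in list_action or not list_action & {"entry", "exit"}:
            continue
        for name in REQUIRED:
            if name in syscalls or "all" in syscalls:
                if not filters:
                    status[name] = "unfiltered"
                elif status[name] == "missing":
                    status[name] = "filtered"   # audited only when -F matches
    return status

if __name__ == "__main__":
    print(chmod_coverage(SAMPLE_RULES))
```

A result of 'filtered' means the call is audited only for events matching the rule's -F conditions, so a checker should report it separately from full coverage.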
