atom feed3 messages in com.redhat.nahant-beta-listRe: CAPP Auditing with RHEL-4 U2 (fwd)
FromSent OnAttachments
Steve GrubbAug 23, 2005 6:08 pm 
Stephen J. SmoogenAug 24, 2005 8:34 am 
Steve GrubbAug 24, 2005 9:42 am 
Subject:Re: CAPP Auditing with RHEL-4 U2 (fwd)
From:Steve Grubb (
Date:Aug 23, 2005 6:08:02 pm

The instructions were a bit bare (i probably missed the obvious ones). I copied over the capp.rules to /etc/audit.rules and restarted the auditd.

This is good so far. Note, the audit subsystem requires kernel components to work correctly. This means you need to be running kernel-2.6.9-16. You probably are, but I want to make sure.

On our other systems if I do similar things and then do a 'cat /etc/shadow', I see a dmesg statement saying that I have been a bad boy. Nothing with this version of audit

I just tried this and I get the following:

ausearch -ts 20:50:00 -f shadow -i

---- type=PATH msg=audit(08/23/05 20:51:28.318:1249) : name=/etc/shadow flags=follow,open inode=213853 dev=03:02 mode=file,400 ouid=root ogid=root rdev=00:00 type=CWD msg=audit(08/23/05 20:51:28.318:1249) : cwd=/root type=FS_INODE msg=audit(08/23/05 20:51:28.318:1249) : inode=213853 inode_uid=root inode_gid=root inode_dev=03:02 inode_rdev=00:00 type=FS_WATCH msg=audit(08/23/05 20:51:28.318:1249) : watch_inode=213853 watch=shadow filterkey=CFG_shadow perm= perm_mask=read type=SYSCALL msg=audit(08/23/05 20:51:28.318:1249) : arch=i386 syscall=open success=yes exit=3 a0=bffa0c1e a1=8000 a2=0 a3=8000 items=1 pid=2840 auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=cat exe=/bin/cat

This shows that the cat program was run by root who originally logged in as sgrubb and triggered a read file system watch on /etc/shadow and was successful.

I looked in /var/log/audit/audit.log.. nothing about me trying to open the file that I could see. An ausearch shows some action, but nothing as explicite as when I try to do something selinux says is bad.

Not sure what's wrong. Are you on the new kernel? Is auditd running? Does "auditctl -l | grep shadow" show any rule?

So what I am wondering is:

1) what extra capabilities will auditd have (syslog, logwatch support, etc?)

The idea is not to send events to syslog. Some information is lost letting things go there and CAPP style audit systems have many requirements that syslog doesn't begin to fulfill. For example, space checking and taking the system to maintenance mode (single user) if disk space gets below a certain threshold. But for the detection to be accurate, /var/log/audit should be its own partition.

2) what steps did I miss (do I need a supplemental Selinux strict for the box?)

No. Does auditctl -l show rules?

3) what can I do to better help this project?

We are always looking for feedback & testers. Most of the audit discussion is at the linux-audit mail list. You can find information about it here:

Its a fairly focused group working on just the audit aspect of linux.

Hope this helps... -Steve