From: "Henning, Arthur C. (CSL)"
Subject: (no subject)
Date: Sat, 18 Aug 2007 12:02:04 -0500
To: linux-audit@redhat.com
Message-ID: <6F2A8C9C4C5BE446A17B745BBC856EEB5A6D27@XMBTX113.northgrum.com>
List-Id: linux-audit@redhat.com

RHEL 5

I have two events that I am having difficulty capturing or reviewing with the audit sub-system.

1. su - "non_existent_account". Using the nispom.rules provided by audit 1.5.6-1. Using various ausearch parameters, I am unable to find a corresponding failure when attempting to "su" to a non-existent account.

2. A non-privileged user attempting to change the date/time on the server. Of course the user fails to be able to do so, but I am unable to capture or review the event.

I am not sure if these are audit rule configuration or search unknowns, or audit sub-system limitations.
Thank you

Art Henning (CSL)
Enterprise IT Solutions
Northrop Grumman Corporation
art.henning@ngc.com

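Added example (not part of the original message, and not code from the audit package): a small Python script that pulls the two event kinds asked about above out of audit.log records. It finds SYSCALL records for the time-setting calls that the kernel refused (success=no, normally exit=-1 for EPERM when a non-root user runs date -s) and PAM records written by su with res=failed. The log lines, UIDs and PIDs are constructed for this example, and the x86_64/i386 syscall-number table is an assumption to check against ausyscall(8) on the target box. The script only finds records that exist: a SYSCALL record for settimeofday/clock_settime/adjtimex is only written if a rule covers those syscalls (for instance `-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time-change`, with a matching arch=b32 line), and a USER_AUTH/USER_ACCT record from su only exists if su actually reached PAM. On a live system the equivalent searches are `ausearch -k time-change -sv no` and `ausearch -m USER_AUTH -sv no`.

```python
import errno
import re
from typing import Dict, List

# Constructed sample of /var/log/audit/audit.log records written for this example
# (not from the original post). auid is the login UID, which survives su.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1187456524.113:2201): arch=c000003e syscall=164 success=no exit=-1 a0=7fff3c1e0a40 a1=0 a2=3c a3=0 items=0 ppid=3410 pid=3477 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="date" exe="/bin/date" key="time-change"
type=SYSCALL msg=audit(1187456530.207:2202): arch=c000003e syscall=164 success=yes exit=0 a0=7fff1a2b3c40 a1=0 a2=3c a3=0 items=0 ppid=2001 pid=3490 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="date" exe="/bin/date" key="time-change"
type=USER_AUTH msg=audit(1187456601.001:2210): user pid=3502 uid=500 auid=500 msg='PAM: authentication acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=pts/1 res=failed)'
type=USER_ACCT msg=audit(1187456620.440:2212): user pid=3510 uid=500 auid=500 msg='PAM: accounting acct="operator" : exe="/bin/su" (hostname=?, addr=?, terminal=pts/1 res=success)'
type=SYSCALL msg=audit(1187456700.005:2220): arch=40000003 syscall=79 success=no exit=-1 a0=bfc0a0 a1=0 a2=0 a3=0 items=0 ppid=3600 pid=3601 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts2 comm="date" exe="/bin/date" key="time-change"
"""

# Time-setting syscall numbers keyed by the arch field as printed in SYSCALL
# records (x86_64, i386). Assumed table for this example; verify with ausyscall(8).
TIME_SYSCALLS = {
    "c000003e": {159: "adjtimex", 164: "settimeofday", 227: "clock_settime"},
    "40000003": {25: "stime", 79: "settimeofday", 124: "adjtimex", 264: "clock_settime"},
}

# key=value tokens; values may be "quoted", 'quoted' or bare (bare stops at , or ))
_FIELD = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|[^\s,)]+)""")


def parse_fields(text: str) -> Dict[str, str]:
    """Split key=value text into a dict, dropping surrounding quotes."""
    return {key: value.strip("\"'") for key, value in _FIELD.findall(text)}


def parse_record(line: str) -> Dict[str, str]:
    """Parse one audit record; USER_* records carry a nested msg='...' that is flattened in."""
    rec = parse_fields(line)
    if rec.get("type", "").startswith("USER_") and "msg" in rec:
        rec.update(parse_fields(rec["msg"]))
    return rec


def failed_time_changes(log: str) -> List[Dict[str, str]]:
    """SYSCALL records for time-setting calls the kernel refused (success=no)."""
    hits = []
    for line in log.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("success") != "no":
            continue
        name = TIME_SYSCALLS.get(rec.get("arch", ""), {}).get(int(rec.get("syscall", -1)))
        if name is None:
            continue
        code = -int(rec["exit"])  # exit carries -errno on failure
        hits.append({
            "syscall": name,
            "errno": errno.errorcode.get(code, str(code)),
            "auid": rec["auid"],
            "uid": rec["uid"],
            "comm": rec["comm"],
            "key": rec.get("key", ""),
        })
    return hits


def failed_su_attempts(log: str) -> List[Dict[str, str]]:
    """PAM records emitted by su whose result was 'failed'."""
    hits = []
    for line in log.splitlines():
        rec = parse_record(line)
        if not rec.get("type", "").startswith("USER_"):
            continue
        if rec.get("exe") != "/bin/su" or rec.get("res") != "failed":
            continue
        hits.append({
            "type": rec["type"],
            "acct": rec.get("acct", ""),
            "auid": rec["auid"],
            "terminal": rec.get("terminal", ""),
        })
    return hits


if __name__ == "__main__":
    for hit in failed_time_changes(SAMPLE_LOG):
        print("time change refused:", hit)
    for hit in failed_su_attempts(SAMPLE_LOG):
        print("su failure:", hit)
```

Note that the successful settimeofday by uid=0 (second record) is deliberately not reported: the search keys on success=no, which is what separates a non-privileged user's refused attempt from an administrator's legitimate clock change under the same key.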