From: Steve Grubb <sgrubb@redhat.com>
To: Linux-Audit Mailing List <linux-audit@redhat.com>
Subject: Re: 2nd Round AuditRules Questions
Date: Wed, 20 Jan 2021 18:08:44 -0500
Message-ID: <7207971.EvYhyI6sBW@x2>
In-Reply-To: <316007965.1268500.1611102131083@mail.yahoo.com>

On Tuesday, January 19, 2021 7:22:11 PM EST Joe Wulf wrote:
> 1.  The rules for monitoring '/etc/passwd', '/etc/shadow', '/etc/group',
> '/etc/gshadow' exist.  Shouldn't corresponding rules also exist for the
> same four files which also have a dash/hyphen appended to them (i.e.
> '/etc/passwd-', etc...)?

You can add them if you want to. But I'm not planning to add them to the 
audit repo. There are requirements around monitoring changes of security 
attributes. This is covered by auditing events hardwired in the utilities 
that update them such as shadow utils. However, an admin could also use vi or 
nano to directly edit the files. That is all the watch is for. The files with 
the '-' are not used for authentication or setting up any user subject 
binding.

> 2.  By adding 'audit=1' to grub kernel boot params---can I then safely
> eliminate this piece from all audit rules:  '-F auid!=4294967295'?

It depends on your intent. But this has nothing to do with audit=1.

> Conversely, what harm would it do to 'just leave it'?

Your logs will be flooded by daemon activity instead of things that people do.

> It would, in some cases, satisfy certain vulnerability scanning tools
> seeking exact syntax compliance, right?

I have no idea about what anyone would be compliant to. So, it's hard to make 
a blanket statement. If you need to audit daemon activity and users, then yes 
you would want to remove the '-F auid!=4294967295'. But your logs will fill up 
much quicker.

-Steve


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
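The following is an added illustration, not code from the thread or from the audit project, of the two points above: what the `-F auid!=4294967295` clause discards, and what adding watches for the '-' backup copies would change. It is a toy evaluator for a handful of rules written in the `-a always,exit -F path=... -F perm=...` form that auditctl(8) uses as the equivalent of `-w`; the rule parser only understands the options used here, and the events it is run over are constructed sample data (the process names and paths are assumptions chosen for the example, not records from a real system).

```python
"""Toy evaluator for a few audit rules: shows which constructed events
would be logged with and without '-F auid!=4294967295'. Added example,
not part of the audit project or of the mailing-list thread."""
import shlex
from dataclasses import dataclass, replace
from typing import Optional

AUID_UNSET = 4294967295  # (unsigned)-1: no login session, i.e. daemons and boot-time processes
ACCOUNT_FILES = ("/etc/passwd", "/etc/shadow", "/etc/group", "/etc/gshadow")


@dataclass(frozen=True)
class Event:
    path: str      # file the syscall touched
    auid: int      # loginuid of the calling process
    comm: str      # program name
    syscall: str
    access: str    # subset of "rwxa" that the access implied


@dataclass(frozen=True)
class Rule:
    key: str
    path: Optional[str] = None          # from -F path= (what -w expands to)
    perm: str = ""                      # from -F perm=
    syscalls: frozenset = frozenset()   # from -S a,b,c
    auid_ne: Optional[int] = None       # from -F auid!=N


def parse_rule(line: str) -> Rule:
    """Parse one exit-filter rule; options this toy does not model raise instead of being ignored."""
    args = shlex.split(line)
    fields = {"key": None, "path": None, "perm": "", "syscalls": frozenset(), "auid_ne": None}
    i = 0
    while i < len(args):
        if i + 1 >= len(args):
            raise ValueError(f"option {args[i]} needs an argument")
        opt, val = args[i], args[i + 1]
        if opt == "-a" and val == "always,exit":
            pass
        elif opt == "-k":
            fields["key"] = val
        elif opt == "-S":
            fields["syscalls"] = frozenset(val.split(","))
        elif opt == "-F" and val.startswith("path="):
            fields["path"] = val[len("path="):]
        elif opt == "-F" and val.startswith("perm="):
            fields["perm"] = val[len("perm="):]
        elif opt == "-F" and val.startswith("auid!="):
            fields["auid_ne"] = int(val[len("auid!="):])
        elif opt == "-F" and val.startswith("arch="):
            pass  # a single ABI is assumed in this toy
        else:
            raise ValueError(f"unsupported option {opt} {val}")
        i += 2
    if fields["key"] is None or (fields["path"] is None and not fields["syscalls"]):
        raise ValueError("rule needs a key and either a path or a syscall list")
    return Rule(**fields)


def matches(rule: Rule, ev: Event) -> bool:
    if rule.path is not None and (ev.path != rule.path or not set(rule.perm) & set(ev.access)):
        return False
    if rule.syscalls and ev.syscall not in rule.syscalls:
        return False
    if rule.auid_ne is not None and ev.auid == rule.auid_ne:
        return False  # this is the clause that drops processes with no login session
    return True


def hits_by_key(rules, events):
    """Count records per key; one record per event, first matching rule wins."""
    counts = {}
    for ev in events:
        for r in rules:
            if matches(r, ev):
                counts[r.key] = counts.get(r.key, 0) + 1
                break
    return counts


def drop_auid_filter(rules):
    """What the rules look like once '-F auid!=4294967295' is removed everywhere."""
    return [replace(r, auid_ne=None) for r in rules]


def add_backup_watches(rules):
    """Add a '/etc/passwd-' style watch beside each of the four account-file watches."""
    extra = [replace(r, path=r.path + "-") for r in rules if r.path in ACCOUNT_FILES]
    return list(rules) + extra


RULES = [parse_rule(line) for line in [
    "-a always,exit -F path=/etc/passwd -F perm=wa -F auid!=4294967295 -k identity",
    "-a always,exit -F path=/etc/shadow -F perm=wa -F auid!=4294967295 -k identity",
    "-a always,exit -F path=/etc/group -F perm=wa -F auid!=4294967295 -k identity",
    "-a always,exit -F path=/etc/gshadow -F perm=wa -F auid!=4294967295 -k identity",
    "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid!=4294967295 -k perm_mod",
]]

# Constructed sample events (not a capture from a real host).
SAMPLE_EVENTS = [
    Event("/etc/shadow", 1000, "vi", "openat", "w"),                      # admin edits shadow by hand
    Event("/etc/passwd", 1000, "useradd", "openat", "w"),                 # shadow-utils from a login session
    Event("/etc/passwd-", 1000, "useradd", "rename", "w"),                # its backup copy of the old file
    Event("/etc/passwd", AUID_UNSET, "sshd", "openat", "r"),              # daemon lookup: no write, never matches
    Event("/tmp/x", 1000, "chmod", "fchmodat", "a"),                      # admin changes a mode
    Event("/run/lock/a", AUID_UNSET, "systemd-tmpfiles", "fchmodat", "a"),  # boot-time housekeeping
    Event("/var/spool/cron/root", AUID_UNSET, "crond", "fchmod", "a"),    # daemon housekeeping
]

if __name__ == "__main__":
    print("with auid filter:   ", hits_by_key(RULES, SAMPLE_EVENTS))
    print("without auid filter:", hits_by_key(drop_auid_filter(RULES), SAMPLE_EVENTS))
    print("with '-' watches:   ", hits_by_key(add_backup_watches(RULES), SAMPLE_EVENTS))
```

Run as a script it prints the per-key counts for the three rule sets. The daemon reads of /etc/passwd never match because the watches only cover `wa`; what the `auid!=` clause removes is the perm_mod noise from processes that never had a login session, which is the flooding Steve describes. The '-' watches only pick up the backup copy written by useradd, which is consistent with the reply that those files play no part in authentication.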

