nixCraft Linux Forum

Linux Auditing Problems - log file getting large

This is a discussion on Linux Auditing Problems - log file getting large within the Networking, Firewalls and Security forums, part of the Mastering Servers category.
#1, 05-17-2007, 08:18 PM, CrackerJack1618 (Junior Member; distro: Red Hat Enterprise Linux 4)
Linux Auditing Problems - log file getting large

I have yet to find a truly comprehensive solution to auditing Linux to meet NISPOM or DCID government requirements. I have a Red Hat Enterprise 4 WS with SELinux enabled. When I tweak the /etc/audit.rules file using auditctl, I get "invalid argument" for "-w" and "-pa" even though the man pages say this should work. I even tried using the /usr/share/doc/audit-1.2.1/capp.rules file, same problems. Not to mention my audit log gets so full so fast on garbage. I then installed Snare. Not impressed, glorified GUI which just regurgitates the raw audit log.

How can I configure auditing to only look at FAILED executable access/run attempts? How can I configure auditing to look for FAILED attempts to access specific files? Am I missing a piece to this puzzle? Any help is appreciated.
#2, 05-17-2007, 08:49 PM, nixcraft (Never say die; distro: Any distro with shell)

You need to use the ausearch and aureport commands to search the log files. For example, to display all failed attempts:
Code:
aureport -f -i --summary --failed
Read the man pages of the above two commands and try the following resources:
Article about audit log visualization
Audit System FAQ
Linux audit files to see who made changes to a file | nixCraft

Let me know if you need any further help!
__________________
Vivek | My personal blog
Linux Evangelist
Play hard stay cool
#3, 05-17-2007, 08:52 PM, CrackerJack1618 (Junior Member; distro: Red Hat Enterprise Linux 4)

Thanks. I'll try that. Still can't figure out why the rules I try to add to audit.rules won't take. Still get "invalid argument" to place watches on files.
#4, 05-17-2007, 08:57 PM, root (Administrator)

Quote: Originally Posted by CrackerJack1618
Thanks. I'll try that. Still can't figure out why the rules I try to add to audit.rules won't take. Still get "invalid argument" to place watches on files.

Can you paste your complete rule here so that I can look at it...
#5, 05-17-2007, 08:59 PM, CrackerJack1618 (Junior Member; distro: Red Hat Enterprise Linux 4)

I created a dummy account, tried deleting and modifying the /etc/shadow file (which I couldn't - got permission denied).

I then logged back in as root and did the command you suggested. It found nothing. Is the SELinux module screwing things up? I disabled it and rebooted, no change. I even removed SNARE. No change.

Thanks for any advice.
#6, 05-17-2007, 09:03 PM, CrackerJack1618 (Junior Member; distro: Red Hat Enterprise Linux 4)

From # prompt, I did this and got the below messages:

auditctl -w /etc/auditd.conf -p wa
permission option no longer supported
error sending add rule request (invalid argument)

auditctl -w /etc/auditd.conf
error sending add rule request (invalid argument)

It won't let me add rules. The capp.rules file I found is full of the above commands for various security relevant files. Each line with -w or -p says invalid argument when I restart AUDITD.

I restored the original audit.rules file (which I saved) and did the above - No change.

audit.rules has these lines by default:
-D
-b 256

that's it.
#7, 05-17-2007, 09:42 PM, CrackerJack1618 (Junior Member; distro: Red Hat Enterprise Linux 4)

FYI - With SNARE off (disabled dispatcher in auditd.conf), the audit log sizes are manageable. When I turn Snare back on, I get 30-40 MB on a reboot alone.

Here are some of the "failures" that Snare reports (on a reboot):

Failed File Summary Report
===========================
total file
===========================
699 /root/Templates
351 /dev/sda
10 /usr/share/locale/en_US.UTF-8/LC_TIME/coreutils.mo
10 /usr/share/locale/en_US/LC_TIME/coreutils.mo
10 /usr/share/locale/en.UTF-8/LC_TIME/coreutils.mo
10 /usr/share/locale/en.utf8/LC_TIME/coreutils.mo
10 /usr/share/locale/en/LC_TIME/coreutils.mo
10 /usr/share/locale/en_US.UTF-8/LC_MESSAGES/coreutils.mo
10 /usr/share/locale/en_US.utf8/LC_MESSAGES/coreutils.mo
10 /usr/share/locale/en_US/LC_MESSAGES/coreutils.mo
10 /usr/share/locale/en.UTF-8/LC_MESSAGES/coreutils.mo
10 /usr/share/locale/en.utf8/LC_MESSAGES/coreutils.mo
10 /usr/share/locale/en/LC_MESSAGES/coreutils.mo
9 /usr/share/locale/en_US.utf8/LC_TIME/coreutils.mo
2 /dev/tty
2 /lib/security/$ISA/pam_deny.so
2 /usr/share/locale/en/LC_MESSAGES/util-linux.mo
2 /usr/share/locale/en.utf8/LC_MESSAGES/util-linux.mo
2 /usr/share/locale/en.UTF-8/LC_MESSAGES/util-linux.mo
2 /usr/share/locale/en_US/LC_MESSAGES/util-linux.mo
2 /usr/share/locale/en_US.utf8/LC_MESSAGES/util-linux.mo
2 /usr/share/locale/en_US.UTF-8/LC_MESSAGES/util-linux.mo
1 /usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo
1 /usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo
1 /usr/share/locale/en_US/LC_MESSAGES/libc.mo
1 /usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo
1 /usr/share/locale/en.utf8/LC_MESSAGES/libc.mo
1 /usr/share/locale/en/LC_MESSAGES/libc.mo
1 /usr/share/locale/en_US.UTF-8/LC_MESSAGES/initscripts.mo
1 /usr/share/locale/en_US.utf8/LC_MESSAGES/initscripts.mo
1 /usr/share/locale/en_US/LC_MESSAGES/initscripts.mo
1 /usr/share/locale/en.UTF-8/LC_MESSAGES/initscripts.mo
1 /usr/share/locale/en.utf8/LC_MESSAGES/initscripts.mo
1 /usr/share/locale/en/LC_MESSAGES/initscripts.mo
1 /lib/security/$ISA/pam_env.so
1 /lib/security/$ISA/pam_unix.so
1 /lib/security/$ISA/pam_smb_auth.so
1 /lib/security/$ISA/pam_succeed_if.so
1 /lib/security/$ISA/pam_permit.so
1 /lib/security/$ISA/pam_cracklib.so
1 /lib/security/$ISA/pam_limits.so

I can't understand why these are failures. Right now I have to leave Snare (dispatcher) disabled.
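An added example, not code from this thread, from nixCraft, or from the audit package, covering two things at once: the questions in post #1 (only FAILED exec attempts, only FAILED access to specific files) that post #2's aureport command answers at the report level, and the noisy "Failed File Summary" in post #7. It parses raw audit.log records, groups them by the serial number in msg=audit(time:serial) so each PATH record is tied to its SYSCALL record, keeps only success=no events, decodes the exit value to an errno name, and optionally drops ENOENT results under /usr/share/locale. That last filter rests on my assumption about post #7: runs of ten identical lookups of coreutils.mo across every locale directory spelling are the pattern gettext produces when it probes each directory for a message catalogue, not an access-control denial. The log records are constructed, and the rule keys (failed-exec, shadow-watch, failed-open) assume auditctl rules of the form given in the docstring.

```python
#!/usr/bin/env python3
"""Pull failed events out of a Linux audit log and separate noise from signal.

Added example for this thread, not code from the forum or from the audit
package. It assumes rules of this form were loaded with auditctl, so that
matching records carry a key= field:
    -w /etc/shadow -p wa -k shadow-watch                    (watch one file)
    -a exit,always -S execve -F success=0 -k failed-exec    (failed exec attempts)
    -a exit,always -S open -F success=0 -k failed-open      (catch-all, noisy)
and that records use the multi-line SYSCALL/CWD/PATH format auditd writes.
"""
import errno
import re
from collections import Counter, defaultdict

# Constructed sample records, not taken from a real host.
#   serial 42: failed execve of /usr/sbin/useradd by the dummy user (auid 500)
#   serial 43: failed open-for-write of /etc/shadow by the same user
#   serial 44: successful write to /etc/shadow by root; must be filtered out
#   serial 45: failed lookup of a locale catalogue, the benign noise from post #7
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1179410000.123:42): arch=40000003 syscall=11 success=no exit=-13 a0=80a1c40 a1=80a1d10 a2=80a1f20 a3=0 items=1 ppid=2001 pid=2002 auid=500 uid=500 gid=500 euid=500 comm="bash" exe="/bin/bash" key="failed-exec"
type=CWD msg=audit(1179410000.123:42):  cwd="/home/dummy"
type=PATH msg=audit(1179410000.123:42): item=0 name="/usr/sbin/useradd" inode=12345 dev=08:01 mode=0100750 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1179410000.456:43): arch=40000003 syscall=5 success=no exit=-13 a0=bfff0a10 a1=8241 a2=1b6 a3=0 items=1 ppid=2001 pid=2003 auid=500 uid=500 gid=500 euid=500 comm="vi" exe="/bin/vi" key="shadow-watch"
type=CWD msg=audit(1179410000.456:43):  cwd="/home/dummy"
type=PATH msg=audit(1179410000.456:43): item=0 name="/etc/shadow" inode=6789 dev=08:01 mode=0100400 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1179410001.000:44): arch=40000003 syscall=5 success=yes exit=3 a0=bfff0a10 a1=8241 a2=1b6 a3=0 items=1 ppid=1 pid=2004 auid=0 uid=0 gid=0 euid=0 comm="passwd" exe="/usr/bin/passwd" key="shadow-watch"
type=PATH msg=audit(1179410001.000:44): item=0 name="/etc/shadow" inode=6789 dev=08:01 mode=0100400 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1179410002.000:45): arch=40000003 syscall=5 success=no exit=-2 a0=bfff0b20 a1=8000 a2=0 a3=0 items=1 ppid=2001 pid=2005 auid=500 uid=500 gid=500 euid=500 comm="ls" exe="/bin/ls" key="failed-open"
type=PATH msg=audit(1179410002.000:45): item=0 name="/usr/share/locale/en_US.UTF-8/LC_MESSAGES/coreutils.mo"
"""

HEADER_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<time>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# ENOENT under these prefixes is library probing (gettext trying each locale
# directory in turn), not an access-control decision. Assumption: this is what
# dominates the report quoted in post #7.
NOISE_PREFIXES = ("/usr/share/locale/",)


def parse_events(text):
    """Group records by serial: {serial: {"time": float, "records": [(type, fields), ...]}}."""
    events = defaultdict(lambda: {"time": 0.0, "records": []})
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # blank or truncated line, not an audit record
        # findall yields (key, quoted_value, bare_value); one of the two values is set
        fields = {k: q or u for k, q, u in FIELD_RE.findall(m.group("rest"))}
        ev = events[int(m.group("serial"))]
        ev["time"] = float(m.group("time"))
        ev["records"].append((m.group("type"), fields))
    return events


def failed_events(text, keys=None, drop_noise=True):
    """Return failed (success=no) events, optionally restricted to the given rule keys.

    With drop_noise=True, ENOENT results whose paths all sit under NOISE_PREFIXES
    are left out so a catch-all failed-open rule does not bury real denials.
    """
    out = []
    for serial, ev in sorted(parse_events(text).items()):
        sc = next((f for t, f in ev["records"] if t == "SYSCALL"), None)
        if sc is None or sc.get("success") != "no":
            continue
        if keys is not None and sc.get("key") not in keys:
            continue
        paths = [f["name"] for t, f in ev["records"] if t == "PATH" and "name" in f]
        code = -int(sc.get("exit", "0"))          # audit writes failures as negative errno
        name = errno.errorcode.get(code, str(code))
        if drop_noise and name == "ENOENT" and paths and all(p.startswith(NOISE_PREFIXES) for p in paths):
            continue
        out.append({"serial": serial, "time": ev["time"], "auid": sc.get("auid"),
                    "uid": sc.get("uid"), "exe": sc.get("exe"), "comm": sc.get("comm"),
                    "errno": name, "paths": paths, "key": sc.get("key")})
    return out


def failed_file_summary(text, **kw):
    """Per-path counts, like an aureport-style failed file summary, but after noise filtering."""
    counts = Counter()
    for ev in failed_events(text, **kw):
        counts.update(ev["paths"])
    return counts


if __name__ == "__main__":
    for ev in failed_events(SAMPLE_LOG):
        print(f'{ev["serial"]} auid={ev["auid"]} {ev["errno"]:<7} {ev["exe"]} -> '
              f'{", ".join(ev["paths"])} [{ev["key"]}]')
    print(dict(failed_file_summary(SAMPLE_LOG)))
```

The auid field is the one to report on: it is the login uid, so a denial after su still points at the account that logged in. Pass keys={"shadow-watch"} to answer the "failed attempts on specific files" question and keys={"failed-exec"} for the exec question; pass drop_noise=False to see everything a catch-all rule collects, which is the volume problem the thread complains about.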
#8, 05-17-2007, 09:43 PM, CrackerJack1618 (Junior Member; distro: Red Hat Enterprise Linux 4)

This may be of importance - I did NOT install the SNARE Kernel because Security Alliance has not posted a version yet for my kernel version 2.6.9-42. All they have is 2.6.9-34. Could this be my problem? I am trying to erase Snare completely right now. I may have to rebuild without it and start from there.
#9, 05-18-2007, 01:31 AM, CrackerJack1618 (Junior Member; distro: Red Hat Enterprise Linux 4)

Re-installed Redhat Linux 4 from scratch and re-traced some install steps. Not sure if issue between audit-1.0.15 and 1.2 or not. Discovered that you should NOT install the Snare CORE AND the agent. Most likely the culprit. Thanks for the help anyway.

Now to see if I can get some files to pull in the audit log.