auditd rules

This is a discussion on auditd rules within the Linux Security forums, part of the System Security and Security Related category; Hello, I want to add some new rules to the auditing system of Linux at file filter.conf for example, ...


Go Back   Usenet Forums > System Security and Security Related > Linux Security

Reload this Page auditd rules

FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply

 

LinkBack Thread Tools Search this Thread Display Modes
  #1 (permalink)  
Old 01-17-2006
jb
 
Posts: n/a
Default auditd rules
Hello,

I want to add some new rules to the auditing system of Linux at file
filter.conf

for example, if I want to log the accesses to the squid log files thru
the following rule:


predicate is-squid-log = prefix(/var/log/squid)

tag "SQUID_logs"

syscall @file-ops = is-squid-log(arg0);


and reload service audit and test it reading one file at /var/log/squid
directory the audit system no log this access.

Is ok this rule?

Thank you in advance.

Other system config:

service
-------
audit 0:desactivado 1:desactivado 2:activo 3:activo
4:activo 5:activo 6:desactivado

sysctl
------
dev.audit.debug = 0
dev.audit.paranoia = 0
dev.audit.max-messages = 1024
dev.audit.allow-suspend = 1
dev.audit.attach-all = 1
Reply With Quote
Reply
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are Off
[IMG] code is Off
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT +1. The time now is 09:07 AM.

Contact Us - Usenet Forums - Archive - Top

Powered by vBulletin® Version 3.7.3
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.0.0