rpms / scap-security-guide

Clone
Source Code
GIT

Blame SOURCES/scap-security-guide-0.1.41-audit_misc_improvements.patch

c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   28bffef986b6ca9568b967c5a33062b59bf8f513
  2.   SOURCES
  3.   scap-security-guide-0.1.41-audit_misc_improvements.patch
Blob History Raw
28bffe 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_rename.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_rename.rule
28bffe 
index 3fdcb3e89d..33b8371e91 100644
28bffe 
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_rename.rule
28bffe 
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_rename.rule
28bffe 
@@ -42,5 +42,6 @@ warnings:
28bffe 
     - general: |-
28bffe 
         Note that these rules can be configured in a
28bffe 
         number of ways while still achieving the desired effect. Here the system calls
28bffe 
-        have been placed independent of other system calls. Grouping these system
28bffe 
-        calls with others as identifying earlier in this guide is more efficient.
28bffe 
+        have been placed independent of other system calls. Grouping system calls related
28bffe 
+        to the same event is more efficient. See the following example:
28bffe 
+        
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete
28bffe 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_renameat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_renameat.rule
28bffe 
index 848ea3256e..7f9093fcd2 100644
28bffe 
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_renameat.rule
28bffe 
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_renameat.rule
28bffe 
@@ -42,5 +42,6 @@ warnings:
28bffe 
     - general: |-
28bffe 
         Note that these rules can be configured in a
28bffe 
         number of ways while still achieving the desired effect. Here the system calls
28bffe 
-        have been placed independent of other system calls. Grouping these system
28bffe 
-        calls with others as identifying earlier in this guide is more efficient.
28bffe 
+        have been placed independent of other system calls. Grouping system calls related
28bffe 
+        to the same event is more efficient. See the following example:
28bffe 
+        
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete
28bffe 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlink.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlink.rule
28bffe 
index 8a64a965ea..f898cc5686 100644
28bffe 
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlink.rule
28bffe 
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlink.rule
28bffe 
@@ -42,5 +42,6 @@ warnings:
28bffe 
     - general: |-
28bffe 
         Note that these rules can be configured in a
28bffe 
         number of ways while still achieving the desired effect. Here the system calls
28bffe 
-        have been placed independent of other system calls. Grouping these system
28bffe 
-        calls with others as identifying earlier in this guide is more efficient.
28bffe 
+        have been placed independent of other system calls. Grouping system calls related
28bffe 
+        to the same event is more efficient. See the following example:
28bffe 
+        
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete
28bffe 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlinkat.rule b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlinkat.rule
28bffe 
index c89d7d880b..7c5403361c 100644
28bffe 
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlinkat.rule
28bffe 
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_unlinkat.rule
28bffe 
@@ -42,5 +42,6 @@ warnings:
28bffe 
     - general: |-
28bffe 
         Note that these rules can be configured in a
28bffe 
         number of ways while still achieving the desired effect. Here the system calls
28bffe 
-        have been placed independent of other system calls. Grouping these system
28bffe 
-        calls with others as identifying earlier in this guide is more efficient.
28bffe 
+        have been placed independent of other system calls. Grouping system calls related
28bffe 
+        to the same event is more efficient. See the following example:
28bffe 
+        
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation