Closed stevegrubb closed 7 years ago
This is closely related to #62.
For reference, here is the current MAC_CONFIG_CHANGE record:
```
# ausearch -m MAC_CONFIG_CHANGE
time->Tue Aug 15 09:25:16 2017
type=PROCTITLE msg=audit(1502803516.009:263585): proctitle=...
type=SYSCALL msg=audit(1502803516.009:263585): arch=c000003e syscall=1 success=yes exit=2 a0=3 a1=7ffd416a855e a2=2 a3=0 items=0 ppid=2055 pid=2123 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="setsebool" exe="/usr/sbin/setsebool" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=MAC_CONFIG_CHANGE msg=audit(1502803516.009:263585): bool=domain_fd_use val=0 old_val=1 auid=0 ses=1
```
Similar questions as in #62: would you prefer to see the information duplicated across records in the same event, or are you happy with the information present in the SYSCALL record?
I always run with audit=1 on the boot prompt and the full STIG setup. The STIG rules are what the majority of people use, and it's how we should all be testing. There should not need to be a SYSCALL record, since this does not need to be a compound event and sometimes the SYSCALL record is not there. The minimal required information should be in the MAC_CONFIG_CHANGE record.
Ungh, the same response @stevegrubb? At least you made sure to change the record name ;)
I'm just going to refer you to my previous comment in https://github.com/linux-audit/audit-kernel/issues/60#issuecomment-323099134, it applies here as well.
This appears to be fixed by https://github.com/linux-audit/audit-kernel/issues/66
This event should be a simple record with the following fields: pid, uid, auid, tty, session, context, comm, exe (in this order) + old value + new value if applicable.
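As an added illustration of the trade-off argued in this thread (example code, not from the issue or the audit project): the parser below groups records by audit event id and reports whether a MAC_CONFIG_CHANGE record carries the fields listed in the final comment on its own, only via a SYSCALL record in the same event, or not at all. The sample records are constructed from the ausearch output quoted above; the field spellings assumed for the proposed record are `ses` for session and `subj` for context.

```python
import re

# Constructed sample, modelled on the ausearch output quoted in the issue.
# Event 263585 is the record shown there (wrapped lines joined); 263586 is the same
# record with its SYSCALL companion absent; 263587 is a hypothetical layout of the
# record carrying the fields the final comment asks for (field names assumed).
SAMPLE = """\
type=SYSCALL msg=audit(1502803516.009:263585): arch=c000003e syscall=1 success=yes exit=2 a0=3 a1=7ffd416a855e a2=2 a3=0 items=0 ppid=2055 pid=2123 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="setsebool" exe="/usr/sbin/setsebool" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=MAC_CONFIG_CHANGE msg=audit(1502803516.009:263585): bool=domain_fd_use val=0 old_val=1 auid=0 ses=1
type=MAC_CONFIG_CHANGE msg=audit(1502803516.010:263586): bool=domain_fd_use val=0 old_val=1 auid=0 ses=1
type=MAC_CONFIG_CHANGE msg=audit(1502803516.011:263587): bool=domain_fd_use val=0 old_val=1 pid=2123 uid=0 auid=0 tty=pts0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm="setsebool" exe="/usr/sbin/setsebool"
"""

# Fields the final comment wants in the record itself (audit field spellings
# assumed: "ses" for session, "subj" for context), plus old and new value.
REQUIRED = ("pid", "uid", "auid", "tty", "ses", "subj", "comm", "exe", "old_val", "val")

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(text):
    """Group records by event id (timestamp:serial) -> {record type: {field: value}}."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        events.setdefault(f"{ts}:{serial}", {})[rtype] = fields
    return events

def missing_fields(event):
    """REQUIRED fields absent from the MAC_CONFIG_CHANGE record on its own."""
    rec = event.get("MAC_CONFIG_CHANGE", {})
    return [f for f in REQUIRED if f not in rec]

def classify(event):
    """'self_contained': the record carries every field; 'needs_syscall': the gaps
    are only filled by a SYSCALL record in the same event; 'incomplete': lost."""
    missing = missing_fields(event)
    if not missing:
        return "self_contained"
    if all(f in event.get("SYSCALL", {}) for f in missing):
        return "needs_syscall"
    return "incomplete"

def report(text):
    """Map each event id to its classification."""
    return {eid: classify(ev) for eid, ev in parse_records(text).items()}

if __name__ == "__main__":
    for eid, status in report(SAMPLE).items():
        print(eid, status)
```

Event 263586 is the case the thread worries about: with the SYSCALL record absent, the current record leaves no way to recover who changed the boolean beyond auid and session.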