cancel
Showing results for 
Search instead for 
Did you mean: 
JacquesW
Mission Specialist
Mission Specialist
  • 428 Views

Comprehensive Lab: Recording Events and Monitoring File-system Changes with PAM, Audit, and AIDE

In ch12s04:

When you get to point 11 in the solution you see the following:

Add a persistent Audit watch rule to generate Audit log entries whenever there is an attempt to read, write, execute, or change an attribute of the /etc/ssh directory. Use sshd_config_monitor as the filter key on the Audit rule.

[root@servera ~]# cat /etc/audit/rules.d/audit.rules
...output omitted...
-w /etc/ssh -p wa -k sshd_config_monitor

But this is wrong, cause it is missing the r and x for read and execute in the permissions like stated in the question

the correct line should be in that case:

-w /etc/ssh -p rwxa -k sshd_config_monitor

5 Replies
JacquesW
Mission Specialist
Mission Specialist
  • 422 Views

It might be me, but also when I follow exactly what the solution states the grade script seems to fail on the 'check PAM configuration' in this chapter. I have a feeling it might be happening on the ucredit check, cause when I run this manually this is the only check from the check script that just fails.

JacquesW
Mission Specialist
Mission Specialist
  • 408 Views

Yes it is the  ucredit = -1 check that lets it fail. I removed it from the /home/student/.venv/labs/libs/python3.9/site-packages/rh415/compreview-aide.py and then it goes through without issues.

Chetan_Tiwary_
Community Manager
Community Manager
  • 400 Views

@JacquesW You are right about the error regarding the audit rules , I will check and report it for rectification. But surprising why ucredit -1 is not working.

JacquesW
Mission Specialist
Mission Specialist
  • 397 Views

To test my own sanity I followed the solution from beginning to end and it kept failing on the same spot. Also when I test the grep command for the ucredit on the machine I will get a null result, until I remove the $ sign at the and of the grep line, then it seems to work fine on the server. I have not tested it in combination with ssh servera grep -e   etc.... but I suspect that it will work then. Anyway, it was something I also noticed

Chetan_Tiwary_
Community Manager
Community Manager
  • 395 Views

ok thanks, I will check that too!

Join the discussion
You must log in to join this conversation.