Audit log for user defines
Steve Grubb
sgrubb at redhat.com
Fri Oct 28 13:19:53 UTC 2005
On Friday 28 October 2005 08:19, Call, Tom H wrote:

> This audit capture ability is crucial to satisfy our auditing
> requirements for the NISPOM Chapter 8, which we must do.
>
> But back to the native audit daemon 1.0.3-6, what we have found is that
> both the user defined audit events, using auditctl, and the default
> audit events, coded in the audit daemon?, are both written to the same
> log file /var/log/audit/audit.log by default.

Yes. But you can separate them with the ausearch command. Basically, you just
want to find your events. It doesn't matter where they are located.

> This combining of all audit events into one log is not our preference
> because the audit events required to satisfy NISPOM Chapter 8 are not the
> same requirements of CAPP auditing.

This means you would need to create an /etc/audit.rules file tweaked for
NISPOM.

> The CAPP default audit events are not at all needed for NISPOM Chapter 8 and
> actually makes it harder to filter and manage the audit.log.

See above. I would like to provide a nispom.rules file in the contrib section.
If you want to work together on that, let me know.

> What we would like to see added to audit package is the ability to log
> the default CAPP audit events and the user defined audit events to
> separate log files. We would be pleased if you would consider making
> this change.

How about the above? Let's make a config that works for you.

-Steve
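As an added example (not from the thread or the audit package), this shows how a single audit.log can be split into a NISPOM stream and a CAPP stream after the fact by the filter key, which is what `ausearch -k` does on a live system. The log records are constructed, and the key name `nispom` assumes the site's rules were loaded with a `-k nispom` filter key on auditctl.

```shell
#!/bin/sh
# Constructed sample of /var/log/audit/audit.log records (not real data).
# Records carrying key="nispom" stand in for site-defined rules loaded with
# `auditctl ... -k nispom`; the others stand in for default CAPP-style events.
SAMPLE_LOG_FILE=$(mktemp)
cat > "$SAMPLE_LOG_FILE" <<'EOF'
type=SYSCALL msg=audit(1130505593.101:201): arch=c000003e syscall=2 success=yes exit=3 comm="cat" key="nispom"
type=PATH msg=audit(1130505593.101:201): item=0 name="/etc/shadow" inode=1234
type=USER_LOGIN msg=audit(1130505600.500:202): user pid=1234 uid=0 acct="tom" res=success
type=SYSCALL msg=audit(1130505610.222:203): arch=c000003e syscall=4 success=yes exit=0 comm="vi" key="nispom"
type=SYSCALL msg=audit(1130505611.333:204): arch=c000003e syscall=2 success=yes exit=5 comm="ls" key=(null)
EOF

# Print every record of every event that carries key="KEY".
# Records of one event share the msg=audit(timestamp:serial) id, so the
# first awk pass collects the ids of keyed records and the second pass
# prints all records with those ids (e.g. the PATH record that follows a
# keyed SYSCALL). Usage: events_for_key LOGFILE KEY
events_for_key() {
    awk -v key="$2" '
        { if (!match($0, /msg=audit\([^)]*\)/)) next
          id = substr($0, RSTART, RLENGTH) }
        NR == FNR { if (index($0, "key=\"" key "\"")) keep[id] = 1; next }
        (id in keep)
    ' "$1" "$1"
}

# Print every record of every event that has no filter key at all, i.e. the
# default events that no site rule tagged. key=(null) counts as unkeyed.
# Usage: events_unkeyed LOGFILE
events_unkeyed() {
    awk '
        { if (!match($0, /msg=audit\([^)]*\)/)) next
          id = substr($0, RSTART, RLENGTH) }
        NR == FNR { if ($0 ~ /key="[^"]+"/) keyed[id] = 1; next }
        !(id in keyed)
    ' "$1" "$1"
}

# Demonstration: write the two streams to separate files.
events_for_key "$SAMPLE_LOG_FILE" nispom > "$SAMPLE_LOG_FILE.nispom"
events_unkeyed "$SAMPLE_LOG_FILE" > "$SAMPLE_LOG_FILE.capp"
```

On a real system the same split is `ausearch -k nispom` for the keyed events; the script only shows how the key and the event serial make that separation possible without a second log file.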