Audit config for NISPOM req's

Curtas, Anthony R. ANTHONY.R.CURTAS at saic.com
Fri Dec 22 13:38:33 UTC 2006


Hello all,

I've been a linux sysadmin for a while for a small network of systems
under the oversight of the Defense Security Service (DSS).  They have
always given us grief over Linux's inability to log certain events.  A
year ago, I implemented Snare with good results, but lack of a Kernel
panic on audit failure always had them second guessing our setup.  So
I'm encouraged to see the progress made here and am preparing to try
again.

Basically, the requirements are to log improper read access to certain
files (audit logs, shadow) and write access to many others (most of
/etc), and in some cases attempts to execute programs like stunnel and
su.

My main confusion on getting started is the difference between syscalls
and watches.  It seems watches can do almost all of what I need, but
they seem to be less "configurable" than the syscalls (like ignoring if
root changes anything).  Can someone explain the difference and where
one is more appropriate than the other?

I have the CAPP documents from HP and IBM, which seem to be a good
starting point (especially the conf files) - but I'm trying to
understand it all before implementation in case I need to tweak it.

Thanks in advance for any help,

Anthony

_____________

Anthony Curtas

SAIC, Division 35
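The watch-versus-syscall question above, worked through as an added example (not code from the original post or from the audit project). The auditctl man page states that a watch on a file is equivalent to a syscall rule carrying `-F path=...` (a directory watch to one carrying `-F dir=...`); what the syscall form adds is room for further `-F` filters that `-w` cannot express, such as `-F auid!=0` to skip actions from a root login session (`-F euid!=0` would instead skip any process running as root) or `-F exit=-EACCES` to record only denied opens. The script below parses rule lines, rewrites a watch as its syscall equivalent with extra filters, and maps the requirements from the post onto a constructed sample rules file; the rule keys, the `arch=b64` value (32-bit callers would need a `b32` twin) and the paths in the sample are assumptions for illustration.

```python
"""Relationship between auditd watch rules (-w) and syscall rules (-a).

Added illustration, not code from the original post. Per the auditctl man
page, a watch on a file behaves like a syscall rule with -F path=..., and a
watch on a directory like one with -F dir=...; only the syscall form can
carry further -F filters (auid!=0, exit=-EACCES, ...).
"""
import shlex


def parse_rule(line):
    """Parse one auditctl rule line into a dict (text after '#' is ignored)."""
    toks = shlex.split(line.split("#", 1)[0])
    rule = {"kind": None, "action": None, "path": None, "perm": None,
            "syscalls": [], "filters": [], "key": None}
    if len(toks) % 2:
        raise ValueError("option without argument: %r" % line)
    for opt, arg in zip(toks[::2], toks[1::2]):
        if opt == "-w":
            rule["kind"], rule["path"] = "watch", arg
        elif opt == "-a":
            rule["kind"], rule["action"] = "syscall", arg
        elif opt == "-p":
            rule["perm"] = arg
        elif opt == "-S":
            rule["syscalls"].extend(arg.split(","))
        elif opt == "-F":
            rule["filters"].append(arg)
        elif opt == "-k":
            rule["key"] = arg
        else:
            raise ValueError("unsupported option %s in %r" % (opt, line))
    if rule["kind"] is None:
        raise ValueError("rule has neither -w nor -a: %r" % line)
    return rule


def watch_to_syscall(line, extra_filters=(), is_dir=False, arch="b64"):
    """Rewrite a -w watch as the equivalent -a syscall rule, optionally adding
    -F filters a watch cannot carry (e.g. 'auid!=0' to ignore changes made
    from a root login session). arch=b64 is an assumption for x86_64 hosts."""
    rule = parse_rule(line)
    if rule["kind"] != "watch":
        raise ValueError("not a watch rule: %r" % line)
    parts = ["-a", "always,exit", "-F", "arch=" + arch, "-S", "all",
             "-F", ("dir=" if is_dir else "path=") + rule["path"]]
    if rule["perm"]:
        parts += ["-F", "perm=" + rule["perm"]]
    for f in extra_filters:
        parts += ["-F", f]
    if rule["key"]:
        parts += ["-k", rule["key"]]
    return " ".join(parts)


def summarize(rules_text):
    """Return [(key, kind), ...] for every rule in a rules-file text, to see
    which requirements a plain watch covers and which needed the syscall form."""
    out = []
    for line in rules_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        r = parse_rule(line)
        out.append((r["key"] or line.strip(), r["kind"]))
    return out


# Constructed sample mapping the requirements in the post to rule forms.
SAMPLE_RULES = """
# write/attribute changes anywhere under /etc: a directory watch is enough
-w /etc/ -p wa -k etc_changes
# same for /etc/shadow, but ignore edits made from a root login session:
# needs the syscall form because -w cannot carry -F auid!=0
-a always,exit -F arch=b64 -S all -F path=/etc/shadow -F perm=wa -F auid!=0 -k shadow_changes
# denied reads of the audit logs: only the syscall form can filter on the exit code
-a always,exit -F arch=b64 -S open,openat -F dir=/var/log/audit -F exit=-EACCES -k auditlog_denied
# executions of su and stunnel: a watch with the x permission (paths assumed)
-w /bin/su -p x -k priv_cmds
-w /usr/sbin/stunnel -p x -k priv_cmds
"""

if __name__ == "__main__":
    for key, kind in summarize(SAMPLE_RULES):
        print("%-18s %s" % (key, kind))
    print(watch_to_syscall("-w /etc/shadow -p wa -k shadow_changes",
                           extra_filters=["auid!=0"]))
```

Running the script lists each sample rule as `watch` or `syscall` and prints the syscall rewrite of the shadow watch; the practical reading is that a watch is the right tool whenever the requirement is simply "log access of kind X to path Y", and the syscall form is needed as soon as the requirement qualifies who did it or whether the attempt succeeded.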
