Linux audit for Debian

Steve Grubb sgrubb at redhat.com
Tue Feb 21 19:00:59 UTC 2006


On Tuesday 21 February 2006 13:44, Michael Fecina wrote:
> I understand that the distribution used is Redhat, and given this Debian
> topic, I'd like to ask what the major changes would be to make this
> available in Debian.  A kernel patch, 

You will likely need the file system auditing patch which is still being 
developed. The RHEL4 kernel has a patch that lets it meet NISPOM but needed 
rework to get upstream acceptance.

> some header changes, 

Not really, libaudit.h takes care of a lot of it.

> and the client (user-space) tools?

Yes, you need to do some patching here and configuring. NISPOM seems mostly 
concerned with login/logout, file access, blacklisting of accounts/terminals, 
and audit reports.

The login/logout...we patched sshd, login, and gdm to provide the right audit 
events. These are also pamified and have the pam_loginuid module added to 
their config. PAM itself is modified to provide audit records. I think we've 
submitted that upstream, but not 100% sure. If not, we intended it to go 
upstream for everyone to use.

Blacklisting is done with pam_tally. It has been updated to provide anomaly 
records when it blacklists an account.

As for audit reports, aureport was designed to meet this. It can be scripted 
and put into a cron job.

There have been ABI changes in libaudit. If you use FC4 as a model...you want 
the audit-1.0.14 package. If you use FC5 as a model, you want audit-1.1.4. 
You cannot mix and match audit packages and trusted app patches.

-Steve
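As an added illustration of the login/logout records and the scripted reporting described in the reply (this is not code from the thread or from the audit project), the script below parses audit-daemon text records and produces a per-account login summary of the kind a nightly cron job would emit. The record layout follows auditd's `type=... msg=audit(secs:serial): k=v ... msg='k=v ...'` text format; the sample lines, account names and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample audit records (not real captures); layout follows auditd's
# "type=... msg=audit(secs.ms:serial): k=v ... msg='k=v ...'" text format.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1140548459.100:101): user pid=2101 uid=0 auid=500 msg='acct="alice" exe="/usr/sbin/sshd" hostname=? addr=10.0.0.5 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1140548470.200:102): user pid=2115 uid=0 auid=4294967295 msg='acct="bob" exe="/usr/sbin/sshd" hostname=? addr=10.0.0.9 terminal=ssh res=failed'
type=USER_LOGOUT msg=audit(1140548480.300:103): user pid=2101 uid=0 auid=500 msg='acct="alice" exe="/usr/sbin/sshd" hostname=? addr=10.0.0.5 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1140548490.400:104): user pid=2130 uid=0 auid=4294967295 msg='acct="bob" exe="/usr/sbin/sshd" hostname=? addr=10.0.0.9 terminal=ssh res=failed'
type=ANOM_LOGIN_FAILURES msg=audit(1140548491.000:105): pid=2130 uid=0 auid=4294967295 msg='op=pam_tally acct="bob" exe="/usr/sbin/sshd" terminal=ssh res=failed'
"""

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Parse one audit record into a dict; key=value fields inside the nested
    msg='...' are merged with the outer ones. Returns None for non-records."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, secs, serial, body = m.groups()
    rec = {"type": rtype, "time": float(secs), "serial": int(serial)}
    body, _, inner = body.partition("msg='")   # split off the quoted inner message
    for key, val in FIELD_RE.findall(body + " " + inner.rstrip("'")):
        rec[key] = val.strip('"')
    return rec

def login_summary(log_text):
    """Per-account counts of login successes/failures, logouts and pam_tally
    lockout anomalies: the login report a scheduled job would produce."""
    counts = {k: Counter() for k in ("success", "failed", "logout", "anomaly")}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        acct = rec.get("acct", "?")
        if rec["type"] == "USER_LOGIN":
            counts["success" if rec.get("res") == "success" else "failed"][acct] += 1
        elif rec["type"] == "USER_LOGOUT":
            counts["logout"][acct] += 1
        elif rec["type"] == "ANOM_LOGIN_FAILURES":
            counts["anomaly"][acct] += 1
    return counts

def accounts_over_threshold(counts, max_failures):
    """Accounts whose failed-login count exceeds the threshold (flag for review)."""
    return sorted(a for a, n in counts["failed"].items() if n > max_failures)
```

On a real system the same functions would be fed the contents of the audit log file instead of `SAMPLE_LOG`.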
