no logging of successful events?

Steve Grubb sgrubb at redhat.com
Mon Aug 18 20:52:24 UTC 2008


On Monday 18 August 2008 16:43:19 Brian LaMere wrote:
> -w /etc/auditd.conf
> -w /etc/audit.rules
> -a exit,always -S open -F success=0

Note that openat is being used more and more for secure apps that need to 
ensure that a directory is not switched out during an operation.


> -a exit,always -S rmdir -S unlink -S chmod -S fchmod -S chown -S fchown
> -S lchown -F success!=0
> -a exit,always -S settimeofday -S setrlimit -S setdomainname -S
> sched_setparam -S sched_setscheduler -S acct -S reboot -S swapon
> -------------------------------------------------
>
> Was grouping by failed, successful, and both.  Did this due to reading
> that every audit rule is tested for every syscall, which...yeah, makes
> me want to group things.

Yes. You can do that. In the stig.rules file I add a key so that you can see 
exactly what part of the stig is being met whenever you encounter an event. 
And it's also because sometimes it takes more than one rule to meet a 
requirement fully.


> That being said, stig.rules is extensive; any warning on what the
> performance impact will be?

No idea. If you have to meet the letter of the law...not a whole lot you can 
do but throw hardware at it. Depending on your situation, you may be able to 
do it with fewer rules. I wanted to illustrate as complete a coverage as 
possible with a real life security target people have to meet. I don't have 
any feedback from DISA as to whether or not they like it. :)


> Also, when looking for the newer builds on your site
> http://people.redhat.com/sgrubb/audit/ - I noticed "1.7 -> 1.8 Remote
> logging and finishing up IDS/IPS plugin."  That would be wondrously
> fabulous, and I look forward to it.   Any thoughts on whether it will be
> pulled into RHEL5, or whether I'd have to wait until RHEL6?

Remote logging should be in RHEL5.3/Fedora 10. IDS work is in Fedora 9.

-Steve
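The two practical points in the reply above (pair open with openat, and key every rule so an event can be traced back to the requirement it serves) in one place, as an added example rather than anything from the thread or from Steve's stig.rules. The script emits an audit.rules fragment grouped by failed/successful/both the way Brian's rules are, and lints it before anyone loads it with auditctl -R. File paths, key names, and the b64/b32 arch filters are illustrative assumptions for a 64-bit host; nothing here touches the running audit system.

```shell
#!/bin/sh
# Added example, not from the mailing list thread. Generates an audit.rules
# fragment and checks two things a reviewer would look for: every syscall
# rule that names open also names openat, and every rule carries a -k key.
# Paths and key names are assumptions; adjust for your distribution.

gen_rules() {
    cat <<'EOF'
## Any write or attribute change to the audit configuration
-w /etc/audit/auditd.conf -p wa -k audit_config
-w /etc/audit/audit.rules -p wa -k audit_config

## Failed opens. openat is paired with open because directory-pinned
## code (open a dir fd, then openat relative to it) never calls open.
-a always,exit -F arch=b64 -S open -S openat -F success=0 -k access_denied
-a always,exit -F arch=b32 -S open -S openat -F success=0 -k access_denied

## Successful deletes and ownership/mode changes, including the *at forms
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S chmod -S fchmod -S fchmodat -S chown -S fchown -S lchown -S fchownat -F success!=0 -k perm_mod
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S chmod -S fchmod -S fchmodat -S chown -S fchown -S lchown -S fchownat -F success!=0 -k perm_mod

## Privileged system-state changes, logged whether they succeed or not
-a always,exit -F arch=b64 -S settimeofday -S setrlimit -S setdomainname -S sched_setparam -S sched_setscheduler -S acct -S reboot -S swapon -k sys_state
-a always,exit -F arch=b32 -S settimeofday -S setrlimit -S setdomainname -S sched_setparam -S sched_setscheduler -S acct -S reboot -S swapon -k sys_state
EOF
}

# lint_rules: read a rules fragment on stdin, print each problem found,
# return 1 if any rule lacks a key or names open without openat.
lint_rules() {
    status=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;          # blank lines and comments
        esac
        case "$line" in
            *' -k '*) ;;                  # keyed: good
            *) echo "no key: $line"; status=1 ;;
        esac
        case "$line" in
            *' -S open '*|*' -S open')    # ' -S open ' will not match openat
                case "$line" in
                    *' -S openat'*) ;;
                    *) echo "open without openat: $line"; status=1 ;;
                esac ;;
        esac
    done
    return $status
}

# Stand-alone use: write the fragment only if it passes the lint.
if [ "${1:-}" = "--write" ]; then
    gen_rules | lint_rules && gen_rules > audit.rules.fragment
fi
```

Load the result with `auditctl -R audit.rules.fragment` (or merge it into /etc/audit/audit.rules) only after the lint passes; the single-rule check for open-without-openat is exactly the gap the quoted `-S open -F success=0` rule leaves. The arch filters are the other thing worth adding on a 64-bit box, since without them one rule cannot cover both the 32-bit and 64-bit syscall tables.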


More information about the Linux-audit mailing list