NISPOM Auditing

Steve Grubb sgrubb at redhat.com
Tue May 27 14:19:25 UTC 2008


On Tuesday 27 May 2008 10:00:19 corbin wrote:
> Can these rules apply to RHEL4 or just RHEL5?

The rules are different between RHEL4 and 5. RHEL5 has more syscalls than 4 
did. It also has more options in auditctl & kernel to make rules capture just 
the required data. Some things you simply can't express in RHEL4. For 
example, the ability to audit only users (auid>=500) rather than everything 
including daemons. For RHEL4, you can get everything required for NISPOM, but 
you depend more on the reduction tools and eat more disk space doing so.

> However, I am just exploring the audit.rules settings in RHEL and wanted to
> know if these changes are particular to a specific version of Red Hat.

I believe that RHEL4 has a nispom.rules file also. It has not been updated in 
quite a while, but it should be a good starting point. It probably needs 
updating for arch=b32 and 64 so that biarch machines get the right syscalls 
being audited.

-Steve
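As an added example (not part of Steve's message and not the nispom.rules file shipped with RHEL), the following POSIX shell script shows the two points raised above in working form: it emits each syscall rule twice, once with arch=b64 and once with arch=b32, so a biarch x86_64 host audits the call whichever ABI the caller uses, and it restricts the rule to real users with auid>=500 as in the message. It also checks an existing rules file for arch=b64 rules that have no arch=b32 twin, which is the kind of gap an un-updated nispom.rules would have. The key names, the sample syscall lists and the extra auid!=4294967295 filter (the unset auid carried by daemons that never logged in) are assumptions I added; the script only prints rule lines and never loads them with auditctl.

```shell
#!/bin/sh
# Added example for the linux-audit thread; not the original message's text
# and not RHEL's nispom.rules. Emits audit rule lines in auditctl syntax, as
# placed in /etc/audit/audit.rules, and checks a rules file for biarch gaps.

UID_MIN=500            # first regular-user UID on RHEL5, as in the thread (auid>=500)
AUID_UNSET=4294967295  # auid of processes that never logged in (daemons); -1 as u32

# biarch_rule SYSCALLS KEY
#   SYSCALLS: comma-separated syscall names, e.g. "open,truncate,ftruncate"
#   KEY:      -k tag for later ausearch -k / aureport -k (assumed name)
# Prints the rule twice, arch=b64 then arch=b32, limited to real users.
biarch_rule() {
    syscalls=$1
    key=$2
    for arch in b64 b32; do
        printf '%s\n' "-a always,exit -F arch=$arch -S $syscalls -F auid>=$UID_MIN -F auid!=$AUID_UNSET -k $key"
    done
}

# missing_b32 RULESFILE
#   For every arch=b64 rule in RULESFILE, look for the identical rule with
#   arch=b32. Prints each b64 rule that has no b32 twin (such a rule silently
#   misses 32-bit callers on a biarch box). Returns 0 if none are missing.
missing_b32() {
    rulesfile=$1
    missing=0
    while IFS= read -r line; do
        case $line in
            ''|\#*) continue ;;          # skip blank lines and comments
        esac
        case $line in
            *arch=b64*)
                twin=$(printf '%s' "$line" | sed 's/arch=b64/arch=b32/')
                if ! grep -Fxq -- "$twin" "$rulesfile"; then
                    printf '%s\n' "$line"
                    missing=$((missing + 1))
                fi
                ;;
        esac
    done < "$rulesfile"
    [ "$missing" -eq 0 ]
}

# demo: build a small constructed rule set and run the check over it.
# One rule is written b64-only on purpose, so the check reports it and
# demo returns 1.
demo() {
    tmp=$(mktemp)
    {
        printf '%s\n' "# constructed sample rules file"
        biarch_rule "open,truncate,ftruncate" nispom_access
        biarch_rule "chmod,fchmod,chown,fchown" nispom_perm
        printf '%s\n' "-a always,exit -F arch=b64 -S unlink,rename -F auid>=$UID_MIN -F auid!=$AUID_UNSET -k nispom_delete"
    } > "$tmp"
    rc=0
    missing_b32 "$tmp" || rc=$?
    rm -f "$tmp"
    return $rc
}
```

Running `demo` prints the b64-only unlink,rename rule and exits non-zero; feeding the output of `biarch_rule` into a rules file and then running `missing_b32` on it exits zero, since every b64 line has its b32 twin.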