question
David Flatley
dflatley at us.ibm.com
Mon Nov 3 17:21:23 UTC 2008
I am actually using the suggested parameters from the STIG for UNIX
guide. I have searched and found
the stig.rules on the internet and we are going to try them. I also saw the
nispom.rules but apparently they are
for Red hat 5 Kernel 2.6.25 it says in the file? We are not using keying
but will once we get the stig.rules installed
they appear to be using the -k flag.
We are using audit 1.0.15 and I see 1.0.16 is on the Red Hat site, is
there a compelling reason to update to the
1.0.16 version of audit?.
Thanks Steve.
On Sunday 02 November 2008 21:42:47 David Flatley wrote:
> Presently I am using the S.T.I.G. recommendations but I may
> have to use more extensive rules which I am in the process of testing.
Are you using the stig.rules from the audit package or something else? If I
were you, I'd spend some time making sure your rules are tuned. Assuming
that
you have keys on you rules, you can run a key report to see what is causing
you the most events: aureport --start this-week --key --summary.
Then you'd want to dig into some of those records and see what kinds of
things
are happening. Assuming you have a key of delete and you wanted to see what
syscalls are the most often logged:
ausearch --start this-week -k delete --raw | aureport --syscall --summary
-i
Assuming that shows unlinkat the most prevalent syscall:
ausearch --start this-week -k delete -sc unlinkat --raw |
aureport --user --summary -i
And so on until you see what is causing so much logging. This doesn't help
with the archiving, but could help you get the right audit data recorded.
-Steve
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20081103/bffecd53/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: graycol.gif
Type: image/gif
Size: 105 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20081103/bffecd53/attachment.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pic28634.gif
Type: image/gif
Size: 1255 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20081103/bffecd53/attachment-0001.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ecblank.gif
Type: image/gif
Size: 45 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20081103/bffecd53/attachment-0002.gif>
More information about the Linux-audit
mailing list