question

David Flatley dflatley at us.ibm.com
Mon Nov 3 17:21:23 UTC 2008



    I am actually using the suggested parameters from the STIG for UNIX guide. I have searched and found the stig.rules on the internet and we are going to try them. I also saw the nispom.rules, but apparently they are for Red Hat 5 Kernel 2.6.25, it says in the file? We are not using keying but will once we get the stig.rules installed; they appear to be using the -k flag.
    We are using audit 1.0.15 and I see 1.0.16 is on the Red Hat site. Is there a compelling reason to update to the 1.0.16 version of audit?
     Thanks Steve.






On Sunday 02 November 2008 21:42:47 David Flatley wrote:
> Presently I am using the S.T.I.G. recommendations but I may
> have to use more extensive rules which I am in the process of testing.

Are you using the stig.rules from the audit package or something else? If I were you, I'd spend some time making sure your rules are tuned. Assuming that you have keys on your rules, you can run a key report to see what is causing you the most events: aureport --start this-week --key --summary.

Then you'd want to dig into some of those records and see what kinds of things are happening. Assuming you have a key of delete and you wanted to see what syscalls are the most often logged:

ausearch --start this-week -k delete --raw | aureport --syscall --summary -i

Assuming that shows unlinkat the most prevalent syscall:

ausearch --start this-week -k delete -sc unlinkat --raw | aureport --user --summary -i

And so on until you see what is causing so much logging. This doesn't help with the archiving, but could help you get the right audit data recorded.

-Steve
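The three-step drill Steve describes above (key summary, then syscall summary for the noisiest key, then user summary for the noisiest key+syscall pair) is worth seeing in terms of what the tools actually compute over raw records. The following is an added example, not code from the thread or from the audit package: it re-implements those three aggregations in Python over a handful of constructed audit.log lines, so the reader can see which record fields (`key=`, `syscall=`, `auid=`) each aureport mode is counting. The sample records are made up; the syscall number table is the real x86_64 numbering for the few calls used and stands in for aureport's `-i` interpretation. Real deployments would pipe `ausearch --raw` output into this instead of the embedded text.

```python
import re
from collections import Counter

# Constructed sample audit.log records (made up for this example; not from the
# list post). The layout follows the classic auditd SYSCALL record: one line per
# record, space-separated name=value fields, string values in double quotes.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1225731683.101:1001): arch=c000003e syscall=263 success=yes exit=0 pid=2201 auid=500 uid=500 comm="rm" exe="/bin/rm" key="delete"
type=PATH msg=audit(1225731683.101:1001): item=0 name="/home/dave/tmp/a.txt" inode=12345 dev=08:02 mode=0100644
type=SYSCALL msg=audit(1225731683.205:1002): arch=c000003e syscall=263 success=yes exit=0 pid=2202 auid=500 uid=500 comm="rm" exe="/bin/rm" key="delete"
type=SYSCALL msg=audit(1225731684.010:1003): arch=c000003e syscall=263 success=yes exit=0 pid=917 auid=0 uid=0 comm="logrotate" exe="/usr/sbin/logrotate" key="delete"
type=SYSCALL msg=audit(1225731684.330:1004): arch=c000003e syscall=87 success=yes exit=0 pid=2203 auid=500 uid=500 comm="vim" exe="/usr/bin/vim" key="delete"
type=SYSCALL msg=audit(1225731685.002:1005): arch=c000003e syscall=82 success=yes exit=0 pid=918 auid=0 uid=0 comm="logrotate" exe="/usr/sbin/logrotate" key="delete"
type=SYSCALL msg=audit(1225731685.777:1006): arch=c000003e syscall=2 success=yes exit=3 pid=2204 auid=500 uid=500 comm="cat" exe="/bin/cat" key="access"
type=SYSCALL msg=audit(1225731686.120:1007): arch=c000003e syscall=2 success=no exit=-13 pid=919 auid=0 uid=0 comm="cat" exe="/bin/cat" key="access"
type=SYSCALL msg=audit(1225731686.900:1008): arch=c000003e syscall=263 success=yes exit=0 pid=2205 auid=500 uid=500 comm="rm" exe="/bin/rm" key=(null)
"""

# Minimal x86_64 syscall number -> name table, standing in for aureport's -i
# (interpret) option. Only the numbers that appear in the sample are listed.
SYSCALL_NAMES_X86_64 = {2: "open", 82: "rename", 84: "rmdir", 87: "unlink", 263: "unlinkat"}

# name=value, where value is either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one raw audit record into a dict of fields, unquoting string values."""
    fields = {}
    for name, value in FIELD_RE.findall(line):
        fields[name] = value[1:-1] if value.startswith('"') else value
    return fields


def syscall_records(raw_log):
    """Keep only SYSCALL records; PATH, CWD etc. carry no key/syscall/auid fields."""
    records = []
    for line in raw_log.splitlines():
        rec = parse_record(line)
        if rec.get("type") == "SYSCALL":
            records.append(rec)
    return records


def key_summary(records):
    """Events per rule key, the analogue of `aureport --key --summary`.
    Records logged by a rule without -k show key=(null) and are not counted."""
    return Counter(r["key"] for r in records if r.get("key") not in (None, "(null)"))


def syscall_summary(records, key):
    """Syscalls logged under one key, the analogue of
    `ausearch -k KEY --raw | aureport --syscall --summary -i`."""
    names = (SYSCALL_NAMES_X86_64.get(int(r["syscall"]), r["syscall"])
             for r in records if r.get("key") == key)
    return Counter(names)


def user_summary(records, key, syscall_name):
    """Login users (auid) behind one key+syscall pair, the analogue of
    `ausearch -k KEY -sc SYSCALL --raw | aureport --user --summary -i`."""
    number = {v: k for k, v in SYSCALL_NAMES_X86_64.items()}[syscall_name]
    return Counter(r["auid"] for r in records
                   if r.get("key") == key and int(r["syscall"]) == number)


def print_summary(title, counter):
    print(title)
    for value, count in counter.most_common():
        print(f"{count:>6}  {value}")


if __name__ == "__main__":
    recs = syscall_records(SAMPLE_AUDIT_LOG)
    keys = key_summary(recs)
    print_summary("Key summary", keys)
    top_key = keys.most_common(1)[0][0]
    calls = syscall_summary(recs, top_key)
    print_summary(f"Syscall summary for key {top_key}", calls)
    top_call = calls.most_common(1)[0][0]
    print_summary(f"User summary for key {top_key}, syscall {top_call}",
                  user_summary(recs, top_key, top_call))
```

On the sample, the drill lands where Steve's reasoning predicts: `delete` is the busiest key, `unlinkat` the busiest syscall under it, and the counts split between auid 500 and root (auid 0, from logrotate). That last step is the useful one for tuning: a rule generating bulk noise from a known housekeeping process can be narrowed (for example by excluding that auid or path in the rule), which reduces log volume without dropping the interactive deletions the STIG rules are meant to capture.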

