Audit Log not capturing access to security related files
Steve Grubb
sgrubb at redhat.com
Mon Nov 30 18:37:30 UTC 2009
On Wednesday 25 November 2009 11:57:10 am Starr-Renee Corbin wrote:
> I am required (by NISPOM) to audit access to security related files.
> I am essentially using the nispom audit.rules provided by rhel5 to
> accomplish this.
>
> However, some of my systems are capturing access to /etc/shadow and
> some of my systems are not (when looking in /var/log/audit/audit.log.
I guess the questions are:
what kernels?
what audit packages?
Are both the same arch?
How are you testing that one is not being recorded when it should?
-Steve
More information about the Linux-audit
mailing list