looking for help in coming up to speed with auditd
Steve Grubb
sgrubb at redhat.com
Wed Mar 9 13:07:06 UTC 2011
On Wednesday, March 09, 2011 06:33:30 am larry.erdahl at usbank.com wrote:
> I'm new to auditd, and have been assign to come up with a "best practice"
> standard for the deployment and audit settings for Linux servers using
> auditd, Other then the man pages does anyone have any suggestions for
> "best practices", books or training courses that would help me get a
> better understanding of auditd and its syntax?
There is a audit.rules man page that discusses some ideas about how to conduct and
investigation. Being able to do an investigation depends on the rules you give the
audit system. If you don't have a watch on a document that you really care about, then
you might get an event showing someone accessed it.
The rules are essentially the same as auditctl without its name. So, you can look at
its man page to get an idea of its syntax. I also would not start writing an
audit.rules file from scratch. There are 3 or 4 sample rule files in the package. I
would start with one of them and customize it to your needs. The stig.rules file is
probably the best one to start with.
As for additional information I have a couple presentations here:
http://people.redhat.com/sgrubb/audit/
that might be useful. Also you can look at the NSA SNAC guide for RHEL5 which should
have some discussion about the audit system.
-Steve
More information about the Linux-audit
mailing list